# NMAP Scanning

#### Full UDP Scan

```
nmap -sU -sV -vv -oA quick_udp 10.10.10.20
```

```
nmap -A -sV -sU --script=default,vuln --open -oA udp_full_scan 10.10.10.20
```

#### Full TCP Scan

```
nmap -sC -sV -p- -vv -oA full 10.10.10.20
```

```
nmap -A -sV --script=default,vuln -p- --open -oA tcp_full_scan 10.10.10.20
```

```
nmap -T4 -A -p- 10.10.10.20
```

#### Port Knock

```
# The target address is cut off in the source; TARGET is a placeholder for it
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p "$x" "$TARGET"; done
```

#### Scan all ports

```
# -oA takes a base name and writes nmapscan.nmap, nmapscan.gnmap and nmapscan.xml
nmap -sS -A -T4 -p 1-65535 -oA nmapscan 10.10.10.20
```

#### OS Guess

```
nmap -O -v -n 10.10.10.0/24 --osscan-guess
```

### NSE scripts

Used for:

* Service enumeration
* Brute-force
* Vulnerabilities

Scripts are stored in `/usr/share/nmap/scripts/`.

```
--script=name-of-the-script
OR
--script name-of-the-script.nse
```

#### Vulnerability Scan

```
# In general
nmap --script vuln -oA nmap_vulnscan 10.10.10.20

# On specific ports (the + prefix forces the scripts to run even when their port rule does not match)
nmap --script +vuln -p80,1999,8180,35316 10.10.10.20
nmap --script +vuln -p4433 10.10.10.20
nmap --script +vuln -p2049,445,80,60666 10.10.10.20
```
