# Scanning

### Hping

Perform a SYN scan for range of ports**:**

```
hping3 -S -p <port> <target>
```

Specify a port range:

```
hping3 -S --scan 1-1000 <target>
```

SYN scan all ports:

```
hping3 -S --scan all <target>
```

SYN scan a list of ports:

```
hping3 -S --scan 80,445,53,21 <target>
```

### Nmap

Simple SYN scan:

```
nmap -sS <target>
```

Increase scan speed by disabling DNS resolution -n and treating parget as online -Pn:

```
nmap -sS <target> -n -Pn 
```

Execute TCP connect scan -sT in fast mode -F which scans fewer ports than the default scan:

```
nmap -sT <target> -F
```

Scan UDP ports:

```
nmap -sU <target>
```

TCP null scan:

```
nmap -sN <target>
```

Christmas scan:

```
nmap -sX <target>
```

FIN scan:

```
nmap -sF <target>
```

### Nmap NSE

**NSE scripts are located in:**

```
/usr/share/nmap/scripts/
```

**Execute default set of scripts:**

```
nmap -c
```

**Specify certain script:**

```
nmap --script 
```

**How to update scripts:**

```
nmap --script-updatedb
```

**Get help for certain script catagory (example help for SMB discovery scripts):**

```
nmap --script-help “smb*” and discovery
```

**Lookup whois information:**

```
nmap --script whois-domain <website> -sn
```

**SMB OS discovery:**

```
nmap --script smb-os-discovery -p 445 <target>
```

**Enumerate all SMB shares:**

```
nmap --script smb-enum-shares <target> -p 445
```

**Execute all authentication related scripts:**

```
nmap --script auth <target>
```

### Idle Scan Hping Nmap

**Idle scan is stealthy because the target host will never know the real attacker's ip**

**Probes a zombie candidate:**

```
hping3 -S -r -p <port> <zombie_ip>
```

**Spoofs zombie’s IP and probes target:**

```
hping3 -a <zombie_ip> -S -p <dst_port> <target>
```

**Determines if IP ID is incremental:**

```
nmap --script ipidseq <target> -p <port>
```

**Performs Idle scan. (performs previous two steps simultaneously):**

```
nmap -Pn -sI -p <dst_port> <zombie_ip>:<src_port> <target>
```

### Advanced Port Scanning

**Fragment packets:**

```
nmap -f <target> -n --disable-arp-ping -Pn
```

**Fragmented SYN scan:**

```
nmap -sS -f <target>
```

**Performs a scan using decoys:**

```
nmap -p <port> -D <decoy1,ME,decoy2,etc..> <target>
```

**Use random number of decays:**

```
nmap -D RND:10 <target> -sS -p <port> -Pn --disable-arp-ping
```

**Port scan using DNS as source port 53:**

```
nmap --source-port 53 <target> -sS
```

**Port scan well known ports using DNS as source port:**

```
hping3 -S -s 53 --scan known <target>
```

**Spoof MAC address (useful if firewall only accepts packets from specific MAC addresses):**

```
nmap --spoof-mac <choose vendor MAC i.e. Apple or Intel etc..> <target> -p <port> -Pn --disable-arp-ping -n
```

**Random MAC address:**

```
nmap --spoof-mac 0 <target> -p <port> -Pn --disable-arp-ping -n
```

**Delayed scan with randomized hosts from a list of hosts:**

```
nmap -iL hosts.list -sS -p <port> --randomize-hosts -T 2
```

**Spoof IP address of alive host:**

```
hping3 -a <alive host on network> -S -p <port> <target>
```

**Evade firewalls that use packet size to detect port scans:**

```
nmap -sS --data-length 10 -p 21 <target>
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ejpt-certification.certs-study.com/ecpptv2-certified-professional-penetration-tester/commands-notes/scanning.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.