Nmap

normal port scan -> nmap -p- --min-rate=1000 -sV -sC -oA filename IP
aggressive scan -> sudo nmap IP -p 80 -A
vulnerability scan -> sudo nmap 10.129.2.28 -p 80 -sV --script vuln
decoy version scan -> sudo nmap <target_ip> -sV -D RND:5
disable ARP ping -> sudo nmap IP -sn -oA host -PE --packet-trace --disable-arp-ping

  • Avoid ARP Cache Pollution: Repeated ARP requests can fill up the ARP cache of network devices, potentially leading to network issues.
  • Stealth Scanning: Disabling ARP ping might be useful if you want to perform a stealth scan, avoiding ARP requests that might be monitored by network security systems.
  • Non-Ethernet Networks: On networks where ARP is not used or applicable, such as certain types of VPNs or non-Ethernet environments.
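Added example (not part of these notes): a small parser for the grepable .gnmap file that the -oA scan above writes, turning it into open ports per host so a scan can be reviewed or diffed later. SAMPLE_GNMAP is a constructed sample, not real scan output.

```python
"""Parse Nmap grepable output (.gnmap, produced by -oA) into ports per host."""
from typing import Dict, List, NamedTuple


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# Constructed sample .gnmap content; the IP and versions are illustrative only.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- --min-rate=1000 -sV -sC -oA filename 10.129.2.28
Host: 10.129.2.28 ()\tStatus: Up
Host: 10.129.2.28 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/filtered/tcp//https///\tIgnored State: closed (65532)
# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""


def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Return {ip: [PortEntry, ...]} for every Host line that carries a Ports: field."""
    results: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment/header lines carry no host data
        fields = {}
        for chunk in line.split("\t"):  # "Key: value" chunks are tab-separated
            key, _, value = chunk.partition(": ")
            fields[key] = value.strip()
        if "Ports" not in fields:
            continue  # "Status: Up" lines list no ports
        ip = fields["Host"].split()[0]  # "10.129.2.28 (hostname)" -> ip
        entries = results.setdefault(ip, [])
        for item in fields["Ports"].split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            parts = item.split("/")
            if len(parts) < 7:
                continue  # malformed entry: skip rather than crash
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            entries.append(PortEntry(int(port), proto, state, service, version))
    return results


def open_ports(results: Dict[str, List[PortEntry]], ip: str) -> List[int]:
    """Sorted list of ports reported as open for one host."""
    return sorted(e.port for e in results.get(ip, []) if e.state == "open")


def summarize(results: Dict[str, List[PortEntry]]) -> List[str]:
    """One line per open port: ip:port/proto service version."""
    return [f"{ip}:{e.port}/{e.proto} {e.service} {e.version}".rstrip()
            for ip, entries in results.items() for e in entries if e.state == "open"]


if __name__ == "__main__":
    print("\n".join(summarize(parse_gnmap(SAMPLE_GNMAP))))
```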

List of Common Services and their ports

-Pn skip host discovery
-n disable DNS resolution
--packet-trace show all packets sent and received
-D RND:5 use 5 random decoys
--reason show the reason for each port state
-sA is much harder to filter for firewall/IDS/IPS than -sS or -sT
Using --source-port 53 will make any scan silent

NSE

update all scripts -> sudo nmap --script-updatedb
find all FTP-related scripts -> find / -type f -name 'ftp*' 2>/dev/null | grep scripts

Bypassing Firewalls, IPS/IDS

Nmap's TCP ACK scan (-sA) is much harder to filter for firewalls and IDS/IPS systems than a regular SYN (-sS) or Connect scan (-sT) because it sends a TCP packet with only the ACK flag set. Whether a port is closed or open, the host must respond with an RST flag. Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls. However, packets with the ACK flag are often passed by the firewall because it cannot determine whether the connection was first established from the external network or the internal network.

Use a VPS (Virtual Private Server) with several IP addresses for pentesting. Scan from only one of those IPs; if that IP loses access to the Internet, we'll know an IPS is in place.

Decoys (-D) send the requests from several different spoofed IPs, with our true IP somewhere among them.