Reconnaissance

Host discovery

ICMP

nmap -sn 10.10.10.0/24

ARP

arp-scan -I <interface> --localnet --ignoredups

Port scan

TCP SYN

nmap -p- -sS -n -Pn --min-rate 5000 <target>

UDP

nmap --top-ports 1000 -sU -n -Pn --min-rate 5000 <target>

Service and version detection

nmap -p <ports> -sCV -n -Pn <target>

Nmap scripts

nmap -p <ports> --script <script> <target>

Scripts usage

You can list all available Nmap scripts using the following commands:

 # List nmap nse scripts
 ls /usr/share/nmap/scripts | grep <service>
 # Get info about a script
 nmap --script-help <script>