Tips and scan techniques with nmap and/or masscan

Since there are many ways to use nmap and masscan for host discovery and enumeration, which ones would you recommend?

Here are mine:

nmap -sC -sV -oA host ip
nmap -v --open -sC -T4 -oA host ip
nmap -T4 -sC -sV -oA --open -v host ip

I usually run:
nmap -sS -sC -sV -Pn -p- -T4 -A host ip
nmap -sV --script=smb* host ip ← depending on what ports are open, obviously
or
rustscan host ip

I am lazy and nearly always default to:

nmap -Pn -sC -sV -oA all_tcp -T4 --reason -vvvvvvvvvv -p- IP

Occasionally I will run a UDP scan, but normally only if I am convinced it is needed.

@TazWake said:

I am lazy and nearly always default to:

nmap -Pn -sC -sV -oA all_tcp -T4 --reason -vvvvvvvvvv -p- IP

Occasionally I will run a UDP scan, but normally only if I am convinced it is needed.

There are moments where a UDP scan spots some ports where the TCP scan doesn’t show anything. It’s a good idea to always run one in the background.

@kurogai said:

@TazWake said:

I am lazy and nearly always default to:

nmap -Pn -sC -sV -oA all_tcp -T4 --reason -vvvvvvvvvv -p- IP

Occasionally I will run a UDP scan, but normally only if I am convinced it is needed.

There are moments where a UDP scan spots some ports where the TCP scan doesn’t show anything. It’s a good idea to always run one in the background.

I agree it can be useful, but on 80% of HTB boxes, I’ve completed the box before the UDP scans finish.

From memory, out of the last 20 retired boxes, only Quick and Intense needed UDP enumeration.
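The workflow the posts above converge on (a full -p- TCP sweep first, then -sC -sV only on the ports that actually came back open, with a UDP scan left running in the background as kurogai suggests) written out as a script. This is an added example, not code posted by anyone in the thread. The target 10.10.10.5, the scan_<target> output prefix, the --top-ports 100 choice for UDP and the embedded -oG sample are assumptions or constructed data, not results from any real scan; the parser for nmap's grepable output is what lets the script run offline.

```shell
#!/usr/bin/env bash
# Added example: full-port TCP discovery, then scripts/version detection only
# on the open ports, with a UDP scan running in the background. SYN (-sS) and
# UDP (-sU) scans need root, so run with sudo; -Pn skips host discovery as in
# the commands in the thread.
set -eu

# Parse nmap grepable output (-oG) from stdin and print the open TCP ports as a
# comma-separated list, e.g. "22,80,445". Filtered/closed ports are dropped.
# Intended for a single target; with several hosts the lists would be merged.
open_ports_from_gnmap() {
    grep '^Host:.*Ports:' \
      | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State:.*//' \
      | tr ',' '\n' \
      | awk -F/ '{ gsub(/ /, "", $1) } $2 == "open" && $3 == "tcp" { print $1 }' \
      | sort -n -u \
      | paste -sd, -
}

# Phase 2: -sC -sV restricted to the ports found in phase 1.
# With DRY_RUN=1 it only prints the nmap command line instead of running it.
service_scan() {
    target=$1; ports=$2; prefix=$3
    set -- nmap -Pn -sC -sV --reason -p "$ports" -oA "$prefix" "$target"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Whole workflow for one target. Output prefix defaults to scan_<target>.
scan_host() {
    target=$1; out=${2:-scan_$1}

    # UDP in the background (top 100 ports is an assumed, modest default);
    # it keeps going while the TCP phases proceed.
    nmap -Pn -sU --top-ports 100 --reason -oA "${out}_udp" "$target" >/dev/null 2>&1 &
    udp_pid=$!

    # Phase 1: all 65535 TCP ports, no scripts and no version probes, so it is fast.
    nmap -Pn -sS -p- -T4 --reason -oA "${out}_all_tcp" "$target" >/dev/null

    ports=$(open_ports_from_gnmap < "${out}_all_tcp.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
    else
        service_scan "$target" "$ports" "${out}_services"
    fi

    echo "waiting for background UDP scan (pid $udp_pid)" >&2
    wait "$udp_pid"
}

# Constructed sample of -oG output for offline testing of the parser; the host
# and ports are made up, not the result of any real scan. Real output separates
# the fields with tabs; the parser accepts tabs or spaces.
SAMPLE_GNMAP='# Nmap scan initiated (constructed sample)
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///  Ignored State: closed (65531)
# Nmap done (constructed sample)'

# Run the real workflow only when a target is given on the command line.
if [ "$#" -ge 1 ]; then
    scan_host "$1" "${2:-}"
fi
```

Usage: `sudo ./scan.sh 10.10.10.5` produces scan_10.10.10.5_all_tcp.*, scan_10.10.10.5_services.* and scan_10.10.10.5_udp.* in all three nmap output formats. Splitting discovery from -sC -sV is what keeps the -p- sweep quick: version probes and NSE scripts only ever run against ports that reported open, and filtered ports (which -p- with -T4 can still return in bulk) never reach the slow phase.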