Perform a SYN scan for range of ports:
hping3 -S -p <port> <target>
Specify a port range:
hping3 -S --scan 1-1000 <target>
SYN scan all ports:
hping3 -S --scan all <target>
SYN scan a list of ports:
hping3 -S --scan 80,445,53,21 <target>


Simple SYN scan:
nmap -sS <target>
Increase scan speed by disabling DNS resolution -n and treating parget as online -Pn:
nmap -sS <target> -n -Pn
Execute TCP connect scan -sT in fast mode -F which scans fewer ports than the default scan:
nmap -sT <target> -F
Scan UDP ports:
nmap -sU <target>
TCP null scan:
nmap -sN <target>
Christmas scan:
nmap -sX <target>
FIN scan:
nmap -sF <target>

Nmap NSE

NSE scripts are located in:
Execute default set of scripts:
nmap -c
Specify certain script:
nmap --script
How to update scripts:
nmap --script-updatedb
Get help for certain script catagory (example help for SMB discovery scripts):
nmap --script-help “smb*” and discovery
Lookup whois information:
nmap --script whois-domain <website> -sn
SMB OS discovery:
nmap --script smb-os-discovery -p 445 <target>
Enumerate all SMB shares:
nmap --script smb-enum-shares <target> -p 445
Execute all authentication related scripts:
nmap --script auth <target>

Idle Scan Hping Nmap

Idle scan is stealthy because the target host will never know the real attacker's ip
Probes a zombie candidate:
hping3 -S -r -p <port> <zombie_ip>
Spoofs zombie’s IP and probes target:
hping3 -a <zombie_ip> -S -p <dst_port> <target>
Determines if IP ID is incremental:
nmap --script ipidseq <target> -p <port>
Performs Idle scan. (performs previous two steps simultaneously):
nmap -Pn -sI -p <dst_port> <zombie_ip>:<src_port> <target>

Advanced Port Scanning

Fragment packets:
nmap -f <target> -n --disable-arp-ping -Pn
Fragmented SYN scan:
nmap -sS -f <target>
Performs a scan using decoys:
nmap -p <port> -D <decoy1,ME,decoy2,etc..> <target>
Use random number of decays:
nmap -D RND:10 <target> -sS -p <port> -Pn --disable-arp-ping
Port scan using DNS as source port 53:
nmap --source-port 53 <target> -sS
Port scan well known ports using DNS as source port:
hping3 -S -s 53 --scan known <target>
Spoof MAC address (useful if firewall only accepts packets from specific MAC addresses):
nmap --spoof-mac <choose vendor MAC i.e. Apple or Intel etc..> <target> -p <port> -Pn --disable-arp-ping -n
Random MAC address:
nmap --spoof-mac 0 <target> -p <port> -Pn --disable-arp-ping -n
Delayed scan with randomized hosts from a list of hosts:
nmap -iL hosts.list -sS -p <port> --randomize-hosts -T 2
Spoof IP address of alive host:
hping3 -a <alive host on network> -S -p <port> <target>
Evade firewalls that use packet size to detect port scans:
nmap -sS --data-length 10 -p 21 <target>