{"id":476,"date":"2022-11-05T08:31:32","date_gmt":"2022-11-05T08:31:32","guid":{"rendered":"https:\/\/hacking.cool\/?p=476"},"modified":"2024-03-19T17:45:59","modified_gmt":"2024-03-19T17:45:59","slug":"port-scanning-tips-nmap","status":"publish","type":"post","link":"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/","title":{"rendered":"Port Scanning Tips&#8230;nmap"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/03\/f8dbf9f6-6be7-4782-bac5-e543f52e0f3a-1024x585.webp\" alt=\"\" class=\"wp-image-926\" srcset=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/03\/f8dbf9f6-6be7-4782-bac5-e543f52e0f3a-1024x585.webp 1024w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/03\/f8dbf9f6-6be7-4782-bac5-e543f52e0f3a-300x171.webp 300w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/03\/f8dbf9f6-6be7-4782-bac5-e543f52e0f3a-768x439.webp 768w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/03\/f8dbf9f6-6be7-4782-bac5-e543f52e0f3a-1536x878.webp 1536w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/03\/f8dbf9f6-6be7-4782-bac5-e543f52e0f3a.webp 1792w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p class=\"has-black-color has-text-color\">Penetration testing engagements often start with good old <em>port scanning<\/em>, and Nmap is often the tool to use for it:<\/p>\n\n\n\n<p class=\"has-black-color has-text-color\">nmap -p- [ip-address-here] --open -T3<\/p>\n\n\n\n<p class=\"has-black-color has-text-color\">The -T argument controls the timing of the scan, and it is an important one.
Here is the table illustrating the different timing modes:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"718\" height=\"257\" src=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/index.png\" alt=\"\" class=\"wp-image-477\" srcset=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/index.png 718w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/index-600x215.png 600w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/index-300x107.png 300w\" sizes=\"auto, (max-width: 718px) 100vw, 718px\" \/><\/figure>\n\n\n\n<p class=\"has-black-color has-text-color\">Two important details from the table above:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>scan_delay &#8211; specifies how long nmap pauses between requests. For instance, T0, the slowest scan, pauses for 5 min between each packet.<\/li>\n\n\n\n<li>max_parallelism &#8211; shows whether the scan runs in parallel (multiple probes at the same time) or in serial mode (probes are sent one after another, which is much slower).<\/li>\n<\/ul>\n\n\n\n<p class=\"has-black-color has-text-color\">When can this come in handy? During red-team engagements, when you need to stay under the radar, or even in ordinary pentesting engagements.
I had a situation where the default nmap scan (T3) turned up strange results with numerous open ports.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"475\" height=\"586\" src=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/portscan.png\" alt=\"\" class=\"wp-image-478\" srcset=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/portscan.png 475w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/portscan-243x300.png 243w\" sizes=\"auto, (max-width: 475px) 100vw, 475px\" \/><\/figure>\n\n\n\n<p class=\"has-black-color has-text-color\">So this looked suspicious, and I was advised to look into it more deeply. One thing to notice is how the open ports appear one after another, almost sequentially &#8211; definitely something fishy going on.<\/p>\n\n\n\n<p class=\"has-black-color has-text-color\">Upon doing some research, I realized this was the client&#8217;s firewall or IPS\/IDS (intrusion prevention\/detection system) at work, configured so that when it detects port scanning it responds with fake packets &#8211; creating the illusion of open ports.<\/p>\n\n\n\n<p class=\"has-black-color has-text-color\">One way I was able to bypass it was by making my scan slower. Lowering nmap to the polite scan (-T2) solved the problem, showing only two open ports (instead of the hundreds of fake open ports before).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Often penetration testing engagements start with good old &#8211;*port scanning*&#8211;. Nmap is often the tool to use for it: nmap -p- [ip-address-here] &#8211;open -T3 -T argument is a parameter of time, and it is an important one. 
Here is the table illustrating different timing modes: Two important details from the table above: When this can<span class=\"post-excerpt-end\">&hellip;<\/span><\/p>\n<p class=\"more-link\"><a href=\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/\" class=\"themebutton\">Read More<\/a><\/p>\n","protected":false},"author":3,"featured_media":866,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-476","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Port Scanning Tips...nmap - hacking.cool<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Port Scanning Tips...nmap - hacking.cool\" \/>\n<meta property=\"og:description\" content=\"Often penetration testing engagements start with good old &#8211;*port scanning*&#8211;. Nmap is often the tool to use for it: nmap -p- [ip-address-here] &#8211;open -T3 -T argument is a parameter of time, and it is an important one. 
Here is the table illustrating different timing modes: Two important details from the table above: When this can&hellip;Read More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/\" \/>\n<meta property=\"og:site_name\" content=\"hacking.cool\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-05T08:31:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-19T17:45:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/nmapsdad.png\" \/>\n\t<meta property=\"og:image:width\" content=\"811\" \/>\n\t<meta property=\"og:image:height\" content=\"610\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Atom\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Atom\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\",\"url\":\"https:\/\/hacking.cool\/atomanya\/\",\"name\":\"hacking.cool\",\"description\":\"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/#primaryimage\",\"url\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/nmapsdad.png\",\"contentUrl\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/nmapsdad.png\",\"width\":811,\"height\":610},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/\",\"url\":\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/\",\"name\":\"Port Scanning Tips...nmap - 
hacking.cool\",\"isPartOf\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/#primaryimage\"},\"datePublished\":\"2022-11-05T08:31:32+00:00\",\"dateModified\":\"2024-03-19T17:45:59+00:00\",\"author\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2\"},\"breadcrumb\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/hacking.cool\/atomanya\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Port Scanning Tips&#8230;nmap\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2\",\"name\":\"Atom\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g\",\"caption\":\"Atom\"},\"url\":\"https:\/\/hacking.cool\/atomanya\/author\/atom\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Port Scanning Tips...nmap - hacking.cool","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/","og_locale":"en_US","og_type":"article","og_title":"Port Scanning Tips...nmap - hacking.cool","og_description":"Often penetration testing engagements start with good old &#8211;*port scanning*&#8211;. Nmap is often the tool to use for it: nmap -p- [ip-address-here] &#8211;open -T3 -T argument is a parameter of time, and it is an important one. Here is the table illustrating different timing modes: Two important details from the table above: When this can&hellip;Read More","og_url":"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/","og_site_name":"hacking.cool","article_published_time":"2022-11-05T08:31:32+00:00","article_modified_time":"2024-03-19T17:45:59+00:00","og_image":[{"width":811,"height":610,"url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/nmapsdad.png","type":"image\/png"}],"author":"Atom","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Atom","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/hacking.cool\/atomanya\/#website","url":"https:\/\/hacking.cool\/atomanya\/","name":"hacking.cool","description":"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/#primaryimage","url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/nmapsdad.png","contentUrl":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/nmapsdad.png","width":811,"height":610},{"@type":"WebPage","@id":"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/","url":"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/","name":"Port Scanning Tips...nmap - hacking.cool","isPartOf":{"@id":"https:\/\/hacking.cool\/atomanya\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/#primaryimage"},"datePublished":"2022-11-05T08:31:32+00:00","dateModified":"2024-03-19T17:45:59+00:00","author":{"@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2"},"breadcrumb":{"@id":"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/hacking.cool\/atomanya\/port-scanning-tips-nmap\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hacking.cool\/atomanya\/"},{"@type":"ListItem","position":2,"name":"Port Scanning 
Tips&#8230;nmap"}]},{"@type":"Person","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2","name":"Atom","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g","caption":"Atom"},"url":"https:\/\/hacking.cool\/atomanya\/author\/atom\/"}]}},"jetpack_featured_media_url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/11\/nmapsdad.png","_links":{"self":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/comments?post=476"}],"version-history":[{"count":4,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/476\/revisions"}],"predecessor-version":[{"id":927,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/476\/revisions\/927"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media\/866"}],"wp:attachment":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media?parent=476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/categories?post=476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/tags?post=476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}