1. 17
  1. 9

    This is a good starting point. My list of 6 ways to “level up” would look something like this:

    • NSE scripts and LUA engine - I fully agree on this one. It’s actually crazy the amount you can do with it and I think it’s one of the underrated parts of nmap. I’ve started writing rules on the fly to try and deal with firewalls and other things that get in the way.
    • Timing options - One major thing that I think bites people when starting to get deeper into nmap is “scans taking too long”. The moment I realized that some of the defaults are a little too aggressive was the moment my options started to grow and fix some of my pain points. Reducing retries, reducing timeout to an acceptable amount for the type of network, and changing version detection intensity are all things I suggest when dealing with say a /8 and UDP scans. Also look into timing templates, I haven’t been fully happy with mine yet, but it’s a WIP that might fix some of my pain points.
    • Contextualize - Are you on link local? Use ARP/NDP/etc. Got a firewall being a jerk and telling you all ports are up? Switch to full connect scans (honestly I do this a ton now).
    • OS detection sucks - I almost always don’t do OS detection these days, so many routes and “security devices” change the results that it’s just going to slow you down. The only exception is nmap IPv6 and NDP, I am actually trying to isolate the bug, but I can’t seem to get NDP ICMP to work properly without the “OS Detection”.
    • Interacting with the XML/Grep output - this is key to my survival, I don’t think I could conduct a pentest without some heavy parsing. Also this teaches you to be wary about certain unnamed script outputs.
    • Spoofing - This is much less common for the vast majority of users, but I’ve run into a few situations recently where I could ARP poison and then use nmap spoofing options to trick clients into accepting my UDP packets. It’s tricky and I still want to re-lab the stuff to write it up, but there aren’t many tools that do it as easily.
    1. 2

      You should write that up. I’d read it. I’m just someone trying to improve my networking skills in my own time, rather than a pentester (hence aiming it at casual users).

    2. 2

      The article doesn’t mention just how noisy -sV and particularly -A can be on a network. Especially if you’re in a situation where you don’t want to be lighting yourself up like a Christmas tree (e.g. a pentest, red-teaming, reading your boss’ emails).

      I’d direct anyone straight to the manpage which gives a good overview of the program’s functionality; a lot of which is often overlooked.