Network Enumeration

Network enumeration is the process of mapping hosts, ports, and services to understand attack surface and possible entry points.

info

Use these commands only in environments where you have explicit authorization.

For practical enumeration, two common tools are:

  • Nmap for deep service/OS/script scanning
  • RustScan for very fast full-port discovery

Example Usage

# All 65535 TCP ports, aggressive preset (-A = OS detection, version detection, default scripts, traceroute), timing template 4, extra verbose.
# sudo is needed because OS detection and the default SYN scan require raw sockets.
sudo nmap -p- -T4 -A 10.10.10.10 -vv

Using Nmap

# Single target
nmap 192.168.10.4

# Targets from file
nmap -iL ips.txt

# Multiple targets
nmap 192.168.10.4 192.168.10.5 192.168.10.6

# Range
nmap 192.168.10.4-7

# CIDR subnet
nmap 192.168.10.0/24

Host Discovery

# Ping sweep (host discovery only)
nmap 192.168.10.0/24 -sn

# Treat hosts as online (skip discovery); use when ICMP/ping probes are filtered.
# Every address in the range is then port-scanned, so this is slower on large subnets.
nmap 192.168.10.0/24 -Pn

# DNS behavior
nmap 192.168.10.0/24 -n # no DNS resolution
nmap 192.168.10.0/24 -R # always resolve DNS

Port Scanning

# Top 10 ports
nmap 192.168.10.4 --top-ports=10

# Fast scan (top 100 ports)
nmap 192.168.10.4 -F

# Specific ports
nmap 192.168.10.4 -p 22,25,80

# Full TCP range
nmap 192.168.10.4 -p-

Service Enumeration

# Version detection
nmap 192.168.10.4 -p 80 -sV

# Default NSE scripts
nmap 192.168.10.4 -p 80 -sC

# OS detection
nmap 192.168.10.4 -O
nmap 192.168.10.4 -O --osscan-guess

Scan Methods

# SYN (half-open; needs raw-socket privileges, i.e. root/sudo; without them Nmap falls back to -sT)
nmap -sS 192.168.1.1

# TCP connect (full three-way handshake; works unprivileged, but completed connections show up in target application logs)
nmap -sT 192.168.1.1

# UDP (slow: open|filtered is common because most UDP services do not answer; narrow with --top-ports or -p)
nmap -sU 192.168.1.1

# NULL / FIN / Xmas (rely on RFC 793 behaviour; Windows and many devices reply RST to all of these, so every port looks closed)
nmap -sN 192.168.1.1
nmap -sF 192.168.1.1
nmap -sX 192.168.1.1

# ACK (firewall mapping: reports filtered vs unfiltered, never open)
nmap -sA 192.168.1.1

# Idle scan (needs a zombie host with a predictable, incremental IP ID; the target sees only the zombie's address)
nmap -sI zombie_ip 192.168.1.1

NSE Scripts

# Default script set
nmap -sC 192.168.1.1

# Category (vuln scripts are intrusive and noisy; run them only on in-scope hosts)
nmap --script vuln 192.168.1.1

# Named scripts
nmap --script banner,smtp-commands 192.168.1.1

# Aggressive preset
nmap -A 192.168.1.1

Performance Tuning

Reference: Nmap Timing Templates

# Timing templates (0..5)
nmap 10.129.2.0/24 -F -T4

# RTT tuning
nmap --initial-rtt-timeout 100ms --max-rtt-timeout 500ms 192.168.1.1

# Retry tuning
nmap --max-retries 5 192.168.1.1

# Packet rates
nmap --min-rate 300 --max-rate 800 192.168.1.1

note

-T4 is a common balance between speed and reliability in lab/CTF environments.

Firewall/IDS Evasion and Spoofing

# Fragment packets
nmap -f 192.168.1.1
nmap --mtu 32 192.168.1.1

# Decoys
nmap -D RND:6 192.168.1.1

# Source spoofing / interface / source port
# -S: replies go to the spoofed address, so you learn nothing unless you can sniff that path;
#     Nmap normally also needs -e <iface> and -Pn with it
nmap -S 1.2.3.4 192.168.1.1
# -e: send from a specific interface (e.g. a VPN tunnel)
nmap -e tun0 192.168.1.1
# -g: use a fixed source port; some filters wrongly trust traffic "from" DNS (53)
nmap -g 53 192.168.1.1

caution

Many evasion/spoofing options can break scan accuracy if misused. Validate results with baseline scans.

Output Management

# Save all formats (normal, grepable, xml)
nmap -oA nmap_scan 192.168.1.1

# Individual formats
nmap -oN normal.txt 192.168.1.1
nmap -oG grepable.txt 192.168.1.1
nmap -oX xml.xml 192.168.1.1

# Convert XML report to HTML (nmap_scan.xml comes from -oA nmap_scan above).
# No stylesheet argument is needed: the XML references Nmap's nmap.xsl, which must exist locally.
xsltproc nmap_scan.xml -o nmap_scan.html

Debugging and Visibility

# Print every packet sent and received
nmap --packet-trace 192.168.1.1

# Periodic progress reports
nmap --stats-every=8s 192.168.1.1

# Verbosity (repeat for more, e.g. -vv)
nmap -v 192.168.1.1

# Show why each port was classified open/closed/filtered
nmap --reason 192.168.1.1

Suggested Workflow

  1. Discover live hosts (-sn)
  2. Find open ports (-p- or RustScan)
  3. Enumerate services (-sV -sC)
  4. Run focused NSE scripts by protocol/service
  5. Save output with -oA for reporting and later review
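The script below is an added example and not part of the original page. It ties the workflow above to the grepable output from the Output Management section: it parses constructed `-oG` output from a host-discovery sweep and a full port scan, then builds the focused `-sV -sC` command for each live host's open ports. The sample output, the `svc_<host>` output prefix and the function names are assumptions; nothing in it sends traffic.

```shell
#!/bin/sh
# Added example: staged enumeration driven by nmap grepable (-oG) output.
# Not from the original page; the sample scan output below is constructed.

# Constructed stand-in for: nmap -sn -oG - 192.168.10.0/29
sample_discovery() {
  printf '# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.10.0/29\n'
  printf 'Host: %s (%s)\tStatus: %s\n' \
    192.168.10.1 ''      Up \
    192.168.10.4 srv.lab Up \
    192.168.10.5 ''      Down
  printf '# Nmap done: 8 IP addresses (2 hosts up)\n'
}

# Constructed stand-in for: nmap -p- -oG - 192.168.10.4
# (assumed to cover only this host). Each port entry in the Ports field is
# port/state/proto/owner/service/rpc/version/ and entries are ", "-separated.
sample_portscan() {
  printf '# Nmap 7.94 scan initiated as: nmap -p- -oG - 192.168.10.4\n'
  printf 'Host: 192.168.10.4 (srv.lab)\tStatus: Up\n'
  printf 'Host: 192.168.10.4 (srv.lab)\tPorts: %s\tIgnored State: filtered (65531)\n' \
    '22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///'
  printf '# Nmap done: 1 IP address (1 host up)\n'
}

# stdin: -oG host-discovery output; stdout: one live IP per line
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# $1: host; stdin: -oG port-scan output; stdout: open TCP ports, comma-joined
# The trailing space in the match keeps 192.168.10.4 from matching 192.168.10.40.
open_ports() {
  awk -v host="$1" -F '\t' '
    /^Host:/ && index($1, "Host: " host " ") {
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open" && f[3] == "tcp") ports = ports (ports == "" ? "" : ",") f[1]
        }
      }
    }
    END { print ports }'
}

# $1: host, $2: comma-separated ports; prints the focused service scan command.
# Returns 1 when nothing is open so callers never emit an empty -p.
service_scan_cmd() {
  [ -n "$2" ] || return 1
  printf 'nmap -sV -sC -p %s -oA svc_%s %s\n' "$2" "$1" "$1"
}

# Dry run over the constructed samples: print the commands a practitioner
# would run next, without sending any traffic.
for host in $(sample_discovery | live_hosts); do
  ports=$(sample_portscan | open_ports "$host")
  service_scan_cmd "$host" "$ports" \
    || printf '# %s: no open TCP ports in port-scan output, skipping\n' "$host"
done
```

With real scans, replace the two sample functions with `nmap -sn -oG - "$net"` and `nmap -p- -oG - "$host"` (or RustScan for the port-discovery stage) and pipe them through the same parsers; keep the `-oA` files as the record. For anything more elaborate than pulling open ports, parse the XML (`-oX`) instead, which Nmap's own documentation recommends over grepable output.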