-o               Print only the matching part (not the entire line)
-P               Interpret the pattern as a Perl-compatible regex
'\d{1,5}/open'   Our regex to grep for (1 to 5 occurrences of any digit followed by /open)
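Added example (not from the original notes): the pattern above matches nmap grepable (-oG) output, where each port is written as port/state/proto//service///. The script below runs it over a constructed -oG sample, using the -E spelling of the same regex, and shows a caveat: without the trailing slash the pattern also picks up UDP ports reported as open|filtered.

```shell
#!/bin/sh
# Constructed sample of nmap grepable (-oG) output; not a real scan result.
SAMPLE_GREPABLE='# Nmap 7.80 scan initiated as: nmap -sS -sU -oG - 10.0.0.5
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 443/open/tcp//https///, 161/open|filtered/udp//snmp///  Ignored State: closed (995)
# Nmap done -- 1 IP address (1 host up) scanned'

# Loose version: the pattern from the notes, written for grep -E.
# "161/open" is a prefix of "161/open|filtered", so that UDP port is
# included even though nmap could not confirm it is open.
open_ports_loose() {
  grep -oE '[0-9]{1,5}/open' | cut -d/ -f1 | sort -n -u
}

# Strict version: require the slash that closes the state field, so only
# ports whose state is exactly "open" survive.
open_ports_strict() {
  grep -oE '[0-9]{1,5}/open/' | cut -d/ -f1 | sort -n -u
}

# Join the port list into the comma-separated form that nmap -p expects,
# for the follow-up scan of an individual host with a fuller port list.
ports_csv() {
  awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

printf '%s\n' "$SAMPLE_GREPABLE" | open_ports_loose | ports_csv   # 22,80,161,443
printf '%s\n' "$SAMPLE_GREPABLE" | open_ports_strict | ports_csv  # 22,80,443
```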
View the arguments of an nmap script
nmap --script-help
e.g. nmap --script-help "irc-unrealircd-backdoor"
Enumerate NetBios Users
nmap -sC --script=smb-enum-users
Stealth (SYN) scans
* Sends the initial SYN packet and waits for the SYN/ACK packet from the server
* Does not respond to the SYN/ACK packet with an ACK, so the three-way handshake is never completed
* Called "stealth" scans because this method was once used to evade detection by primitive firewalls; this is definitely not the case with modern firewalls, you will be detected doing this, so the term "stealth" can be misleading
UDP scans are often unreliable, as firewalls and routers may drop ICMP packets
* But it is a mistake to neglect them: TCP is only half of the equation
Keep in mind that systems that have ICMP disabled will not respond to ping sweeps even though they are in fact online
This method is good/efficient but not definitive
Machines that prove to be rich in services, or otherwise interesting, would then be individually port scanned, using a more exhaustive port list
For the --script-args uri, use the CGI URIs that you found using ka
e.g.
gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://10.11.1.71:80/ -s '200,204,301,307,403,500' -e | tee 'alpha/10.11.1.71/scans/10.11.1.71_80_gobuster_cgi'