Nmap
HOST DISCOVERY
- -sL: List Scan - simply list targets to scan
- -sn: Ping Scan - disable port scan
- -Pn: Treat all hosts as online - skip host discovery
- -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
- -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
- -PO[protocol list]: IP Protocol Ping
Most used scan types
- -sT performs a TCP connect scan*
- -sS performs a SYN scan* (stealth, needs raw-socket privileges)
- -sV performs a version detection scan
- -O performs OS detection (fingerprinting)
Firewall evasion
- -f fragment packets
- -T0 paranoid timing (T0 … T5, lower is slower and quieter)
- --badsum send packets with a bogus TCP/UDP checksum
- --randomize-hosts scan the targets in random order
It’s not uncommon to come across a server that does not respond to pings but has many TCP or UDP ports open.
When using nmap, use the -Pn switch to force the scan on such a server (skip host discovery and treat it as alive).
Cool oneliner
# First pass: all TCP ports, fast; collect the open port numbers as a comma-separated list
export ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.215 | grep '^[0-9]' | cut -d'/' -f 1 | tr '\n' ',' | sed 's/,$//')
# Second pass: scripts, versions and OS detection on only those ports
nmap -sC -sV -A -p$ports 10.10.10.150 --open
# Same idea via a saved normal-format report (-oA would write nmap.txt.nmap/.gnmap/.xml, so use -oN here)
sudo nmap -p- <target> -oN nmap.txt; grep open nmap.txt | awk -F/ '{print $1}' ORS=','; echo
List nmap scripts (in Kali)
Search for scripts
ls -l /usr/share/nmap/scripts/*ftp*
grep "ftp" /usr/share/nmap/scripts/script.db
Common nmap scripts
# Get help for a script
nmap --script-help=ssl-heartbleed
# Ping scan of the hosts in a list, print only the live IPs
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.14
nmap -Pn --script "smb-vuln*" 10.10.10.4
nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.11.1.5
nmap -vv --reason -Pn -T4 -sV -p 445 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" 10.10.10.10
nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" 172.31.1.16
nmap -p445 --script smb-vuln-ms17-010 192.168.220.40
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='management' <target>
nmap -sV --script mongodb-brute -n -p 27017 192.168.229.69
nmap --script redis-info -sV -p 6379 192.168.229.69
nmap -Pn -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods <target>
nmap -Pn -sV -p 25 "--script=banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" <target>
nmap -vv --reason -Pn -T4 -sV -p 3389 192.168.220.40 "--script=banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)"
# Show the MAC address (ICMP echo host discovery with a packet trace)
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace
## RDP
## Detect RDP servers that do not require Network Level Authentication (NLA): a client can open an RDP session before authenticating to the server
nmap --script 'rdp-enum-encryption' -p3389 10.11.1.0/24
## FTP
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.115
nmap --script=ftp-* -p 21 10.11.1.115
nmap -sU -p 69 --script tftp-enum.nse $ip
## SMTP
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.115
### MSSQL
nmap -n -v -sV -Pn -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt IP
nmap -n -v -sV -Pn -p 1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password IP
## MYSQL
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306
nmap -n -v -sV -Pn -p 3306 --script=mysql-info,mysql-audit,mysql-enum,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-users,mysql-query,mysql-variables,mysql-vuln-cve2012-2122 IP
Scan network
Static nmap binary (for hosts without nmap installed): https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap?raw=true
Ping sweep
fping -a -g 10.142.111.0/24 2> /dev/null
List all live hosts on the network / Ping scan
nmap -sn 192.168.1.4-254 | grep for | cut -f 5 -d " "
nmap -sn -n 10.142.111.* | grep for | cut -f 5 -d " "
netdiscover -P -i eth1 -r 192.168.4.0/24
# Use ARP scanning (local subnet only)
nmap -sn -PR 10.10.1.2-23
# Sweep a /24; the script argument $1 is the network prefix, e.g. 192.168.1
for i in $(seq 1 254); do
    ping -c1 "$1.$i" | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1
done
for i in $(seq 200 210); do ping -c1 10.11.1.$i; done;
for x in {1..254..1}; do ping -c1 192.168.0.$x|grep "64 b"|cut -d " " -f4|tee -a ips.txt; done
# Parallel sweep: each ping runs in a background subshell
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done
#!/usr/bin/env python3
# usage: python3 <this script> <network prefix> <first host> <last host>, e.g. 192.168.1 1 254
import sys
import subprocess

arg1 = sys.argv[1]              # network prefix, e.g. 192.168.1
arg2 = int(sys.argv[2])         # first host octet
arg3 = int(sys.argv[3]) + 1     # last host octet (inclusive)

for x in range(arg2, arg3):
    ip = arg1 + '.' + str(x)
    command = ['ping', '-c', '1', ip]
    result = subprocess.run(command, capture_output=True, text=True)
    # a reply line ("64 bytes from ...") means the host answered
    if 'bytes from' in result.stdout:
        print(ip)
Port scan
Bash port scanner
#!/bin/bash
ports=(21 22 53 80 443 3306 8443 8080)
for port in "${ports[@]}"; do
    # /dev/tcp is a bash built-in pseudo-device; timeout keeps filtered ports from hanging the loop
    timeout 1 bash -c "echo \"Port Scan Test\" > /dev/tcp/1.1.1.1/$port && echo $port is open || echo $port is closed" 2>/dev/null
done
Python port scanner
#!/usr/bin/python3
import socket

host = "1.1.1.1"
portList = [21, 22, 53, 80, 443, 3306, 8443, 8080]

for port in portList:
    # one socket per port; the timeout keeps filtered ports from blocking the loop
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1)
        try:
            s.connect((host, port))
            print("Port ", port, " is open")
        except (socket.timeout, OSError):
            print("Port ", port, " is closed")
Manual port scanning (TCP)
nc -nvv -w 1 -z 10.11.1.220 3388-3390
Manual port scanning (UDP)
nc -nv -u -z -w 1 10.11.1.115 160-162
Manual port scanning
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done 2>/dev/null
manual windows ports scan
net view
for /L %i IN (1,1,254) do ping 172.16.1.%i -n 1
for /L %i IN (1,1,254) do ping 172.0.0.%i -n 1 -w 100 | find /I "reply"
1..254 | % {"10.11.1.$($_):$(Test-Connection -count 1 -comp 10.11.1.$($_) -quiet)"}
REM %%i inside a .bat file, %i at the interactive cmd prompt
FOR /L %%i in (1,1,254) do @ping -n 1 -w 200 172.16.1.%%i | find "TTL" | more
# PowerShell: hosts in the /24 with TCP 445 open (Test-NetConnection has -Port; Test-Connection does not)
1..254 | % { if (Test-NetConnection -ComputerName "192.168.50.$_" -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue) { "192.168.50.$_" } }
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
Test-NetConnection
Discover the machine in the network (-sn: no port scan)
nmap -sn 192.168.0.0/24 -oN nmap-init_discovery
nmap -sn -n 10.142.111.*
arp scan
arp-scan 10.10.210.6/24
nmap -sn -PR 10.10.10.10
Syn scan
nmap -sS 10.142.111.1,6,48,96,99,100,213
Syn Scan of a filtered port (evade firewall)
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace
Syn scan from DNS port
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
#Connect to the filtered port
nc -nv --source-port 53 10.129.2.28 50000
Exclude specific ports
nmap --exclude-ports 1-100 192.168.5.102
Scan every TCP + UDP port
sudo nmap -n -Pn -sT -sU -p- scanme.nmap.org
Scan without performing a reverse DNS lookup on the IP address specified. This speeds up results in most cases
sudo nmap -n scanme.nmap.org
Skip the host discovery portion and assume the host is online
sudo nmap -Pn scanme.nmap.org
Scan the top 1000 ports of a machine (fast)
rustscan -a 192.168.0.12 --top
rustscan -a 10.11.1.0/24
https://www.golinuxcloud.com/hping3-command-in-linux/
Discover hosts that do not answer ICMP (TCP ACK probe to port 80)
hping3 -A <IP Address> -p 80
Collect the TCP sequence numbers generated by a host (SYN to port 139, -Q prints the sequence numbers)
hping3 <Target IP> -S -Q -p 139
TCP SYN scan of known ports / service enum
hping3 --scan known -S 192.185.5.1
Discover the AD
Send a DHCP broadcast, then capture the responses with Wireshark
nmap --script broadcast-dhcp-discover
Find AD-DS through the DNS
# global catalog (LDAP)
dig -t SRV _gc._tcp.lab.ropnop.com
# LDAP servers
dig -t SRV _ldap._tcp.lab.ropnop.com
# Kerberos KDC
dig -t SRV _kerberos._tcp.lab.ropnop.com
# Kerberos password change server
dig -t SRV _kpasswd._tcp.lab.ropnop.com
# Using nmap
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='lab.ropnop.com'"
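The dig queries above each return a list of SRV records; the hosts behind them are the domain controllers. As an added example (not part of the original notes), this parses dig's answer section into the order a client should try the targets (lowest priority first; weight is used here as a plain tie-break rather than RFC 2782's weighted random pick). The dig output, the lab.example.com domain and the dc01/dc02 host names are constructed for the example.

```python
import re

# Constructed dig output in the format `dig -t SRV` prints; not a real lookup.
SAMPLE_DIG = """\
; <<>> DiG 9.18.0 <<>> -t SRV _ldap._tcp.lab.example.com
;; ANSWER SECTION:
_ldap._tcp.lab.example.com. 600 IN SRV 0 100 389 dc01.lab.example.com.
_ldap._tcp.lab.example.com. 600 IN SRV 0 50 389 dc02.lab.example.com.
_ldap._tcp.lab.example.com. 600 IN SRV 10 100 389 dc-backup.lab.example.com.
_kerberos._tcp.lab.example.com. 600 IN SRV 0 100 88 dc01.lab.example.com.

;; ADDITIONAL SECTION:
dc01.lab.example.com. 3600 IN A 10.0.0.10
"""

# name. TTL IN SRV priority weight port target.
SRV_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.$")


def parse_srv(dig_output):
    """Return {service_name: [(priority, weight, port, target), ...]}.

    Each list is ordered lowest priority first, then higher weight first,
    so records for the same service can be tried in order.
    """
    records = {}
    for line in dig_output.splitlines():
        m = SRV_RE.match(line)
        if not m:
            continue  # comments, blank lines and non-SRV records
        name, prio, weight, port, target = m.groups()
        records.setdefault(name, []).append((int(prio), int(weight), int(port), target))
    for name in records:
        records[name].sort(key=lambda r: (r[0], -r[1]))
    return records


def domain_controllers(records, domain):
    """Unique LDAP targets for the domain, in preference order."""
    seen, out = set(), []
    for _prio, _weight, _port, target in records.get(f"_ldap._tcp.{domain}", []):
        if target not in seen:
            seen.add(target)
            out.append(target)
    return out


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG)
    print(domain_controllers(recs, "lab.example.com"))
```

The same parser works on the _gc, _kerberos and _kpasswd answers; only the key passed to `records.get` changes.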
Scan a machine
Scan all TCP ports of a machine (-p-), or its top 1000 ports with rustscan (fast)
nmap -p- 192.168.0.12 -oN nmap-machine-12
rustscan -a 192.168.0.12 --top
Scan specific ports
nmap -sC -sV -A 192.168.0.12 -p 22,80
Scan a machine for any known vulnerabilities
nmap -p- 10.10.10.40 --script vuln
Primitive ports scan
nc -v -z -n 8.8.8.8 1-1000
nc -v -z -w1 192.168.0.5 1-1024
nc.exe -v -z -n -w1 192.168.0.5 1-1024
Listen for pings
sudo tcpdump -i eth0 icmp and src 192.168.1.32
Routing
Add route (Linux)
sudo route add -net 10.67.0.0/16 gw 192.168.120.254
sudo ip route add 10.86.74.0/24 via 192.168.193.85
Add route (macOS)
sudo route -n add -net 10.10.10.0/24 10.10.14.30
List routes
netstat -rn
route -n
Show the routing table, including the local subnet you sit on:
ip route
proxychains nmap -sT -sV -Pn -n -p22,80,135,139,445 --script=smb-vuln-ms08-067.nse 7.7.7.20
Using proxychains with xargs
seq 1 1000 | xargs -P 50 -I{} proxychains nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 -oG proxychains_nmap --append-output $IP
# If you want to run multiple ports or port ranges against multiple hosts you could use the following alternative:
seq 1 254 | xargs -P 50 -I{} proxychains nmap -p 80,443,3389,445,22 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 -oG proxychains_nmap --append-output 192.168.1.{}
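Both xargs loops append one grepable (-oG) record per nmap run to the same file, so the result is many fragments per host. As an added example (not part of the original notes), this merges such a file into one table of open ports per host and produces the comma-separated list used for a follow-up `-p` scan. The record lines below follow nmap's grepable format but are constructed, as are the 192.168.1.x addresses.

```python
import re
from collections import defaultdict

# Constructed grepable output, as several appended runs would leave it.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -p 22 -sT -Pn --open -n -oG proxychains_nmap 192.168.1.10
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (0)
# Nmap done at Mon Jan  1 00:00:00 2024 -- 1 IP address (1 host up) scanned in 0.10 seconds
Host: 192.168.1.10 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///
Host: 192.168.1.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///
"""

# "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
PORTS_RE = re.compile(r"^Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {host: {(port, proto): (state, service)}} from grepable output.

    Duplicate records for the same host/port (repeated runs written with
    --append-output) collapse into one entry; the last state seen wins.
    """
    hosts = defaultdict(dict)
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        host, ports_field = m.groups()
        for entry in ports_field.split(","):
            # entry layout: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            hosts[host][(port, proto)] = (state, service)
    return hosts


def open_ports(hosts, host):
    """Sorted open port numbers for one host."""
    return sorted(p for (p, _proto), (state, _svc) in hosts[host].items() if state == "open")


def port_list(hosts, host):
    """Comma-separated string usable directly as nmap -p<ports>."""
    return ",".join(str(p) for p in open_ports(hosts, host))


if __name__ == "__main__":
    table = parse_grepable(SAMPLE_GREPABLE)
    for host in sorted(table):
        print(host, port_list(table, host) or "-")
```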
TTL
The TTL field caps the number of hops a packet may traverse (each router decrements it by one), and the TCP window size is the receive window a host advertises in its initial SYN/SYN-ACK. Both defaults vary among OSs, as described in the following table, so the pair observed in a capture gives a rough OS guess: round the observed TTL up to 32/64/128/255 to recover the initial value, and the difference is the hop distance.

OS                                         TTL    TCP window size
Linux (Kernel 2.4 and 2.6)                 64     5840
Google Linux                               64     720
FreeBSD                                    64     65535
OpenBSD                                    64     16384
Windows 95                                 32     8192
Windows 2000                               128    16384
Windows XP                                 128    65535
Windows 98, Vista, and 7 (Server 2008)     128    8192
Cisco IOS 12.4 (Cisco routers)             255    4128
Solaris 7                                  255    8760
AIX 4.3                                    64     16384
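As an added example (not from the original notes), the inference the table supports, run over tcpdump -nv style lines: take the ttl and the advertised window from each SYN or SYN-ACK, round the TTL up to the nearest standard initial value to estimate hop distance, and list the table rows that match the pair. The capture lines and the addresses in them are constructed; the OS/TTL/window triples are the table's own values.

```python
import re

# Initial TTL and default TCP window per OS, copied from the table above.
OS_TABLE = [
    ("Linux (Kernel 2.4 and 2.6)", 64, 5840),
    ("Google Linux", 64, 720),
    ("FreeBSD", 64, 65535),
    ("OpenBSD", 64, 16384),
    ("Windows 95", 32, 8192),
    ("Windows 2000", 128, 16384),
    ("Windows XP", 128, 65535),
    ("Windows 98, Vista, and 7 (Server 2008)", 128, 8192),
    ("Cisco IOS 12.4", 255, 4128),
    ("Solaris 7", 255, 8760),
    ("AIX 4.3", 64, 16384),
]
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed lines in the two-line layout `tcpdump -nv` uses for TCP:
# an IP header line followed by an indented TCP line.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.443 > 10.0.0.5.51234: Flags [S.], cksum 0x1111 (correct), seq 1, ack 1, win 65535, options [mss 1460], length 0
12:00:00.000002 IP (tos 0x0, ttl 126, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.20.445 > 10.0.0.5.51235: Flags [S.], cksum 0x2222 (correct), seq 2, ack 1, win 8192, options [mss 1460], length 0
12:00:00.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 100)
    10.0.0.5.51234 > 203.0.113.7.443: Flags [P.], cksum 0x3333 (correct), seq 1:61, ack 1, win 501, length 60
12:00:00.000004 IP (tos 0x0, ttl 250, id 4, offset 0, flags [none], proto TCP (6), length 44)
    10.255.0.1.23 > 10.0.0.5.51236: Flags [S.], cksum 0x4444 (correct), seq 4, ack 1, win 4128, options [mss 536], length 0
"""

HDR_RE = re.compile(r"ttl (\d+),")
TCP_RE = re.compile(r"^\s+(\S+) > (\S+): Flags \[([^\]]*)\],.*?\bwin (\d+)")


def initial_ttl(observed):
    """Smallest standard initial TTL >= observed; the gap is the hop count."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise ValueError(f"TTL {observed} exceeds 255")


def guess_os(ttl0, window):
    """Table rows whose initial TTL and default window both match."""
    return [name for name, t, w in OS_TABLE if t == ttl0 and w == window]


def fingerprint(capture):
    """One result per SYN/SYN-ACK: source host, TTL estimate and OS candidates."""
    results = []
    lines = capture.splitlines()
    for hdr, body in zip(lines, lines[1:]):
        h = HDR_RE.search(hdr)
        b = TCP_RE.match(body)
        if not (h and b):
            continue
        src, flags, win = b.group(1), b.group(3), int(b.group(4))
        if "S" not in flags:
            continue  # only SYN / SYN-ACK carry the OS default window
        ttl = int(h.group(1))
        ttl0 = initial_ttl(ttl)
        results.append({
            "src": src.rsplit(".", 1)[0],  # strip the port: "a.b.c.d.443" -> "a.b.c.d"
            "ttl": ttl,
            "initial_ttl": ttl0,
            "hops": ttl0 - ttl,
            "window": win,
            "candidates": guess_os(ttl0, win),
        })
    return results


if __name__ == "__main__":
    for r in fingerprint(SAMPLE_CAPTURE):
        print(f"{r['src']:<16} ttl={r['ttl']:<3} hops={r['hops']:<2} win={r['window']:<6} {r['candidates']}")
```

Window scaling and later packets in a connection change the advertised window, which is why only packets with the SYN flag are considered; an empty candidate list means the pair is simply not in this small table, not that the host is exotic.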
TCPDump
Filtering traffic, get a better understanding of the IP addresses and ports involved
sudo tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $5}' | sort | uniq -c | head
sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
sudo tcpdump -n port 81 -r password_cracking_filtered.pcap
Print the packet data in both hex and ASCII format:
sudo tcpdump -nX -r password_cracking_filtered.pcap
Follow a TCP conversation: display only packets with both ACK and PSH set (tcp[13] is the flags byte; 24 = 0x18 = PSH+ACK):
sudo tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap