Nmap


HOST DISCOVERY

  • -sL: List Scan - simply list targets to scan
  • -sn: Ping Scan - disable port scan
  • -Pn: Treat all hosts as online - skip host discovery
  • -PS/-PA/-PU/-PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  • -PE/-PP/-PM: ICMP echo, timestamp, and netmask request discovery probes
  • -PO[protocol list]: IP Protocol Ping

Most used scan types

  • -sT performs a TCP connect scan
  • -sS performs a SYN scan (half-open, "stealth")
  • -sV performs a version detection scan
  • -O performs OS fingerprinting (OS detection)

Firewall evasion

  • -f fragment packets
  • -T0 paranoid timing template (T0 … T5)
  • --badsum
  • --randomize-hosts

It's not uncommon to come across a server that does not respond to pings but has many TCP or UDP ports open.

When using nmap, you can use the -Pn switch to force the scan on such a server (skip ping scanning and treat it as alive).


Cool oneliners

# Full port sweep, then a script/version scan of only the ports found open
export ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.215 | grep ^[0-9] | cut -d'/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -A -p$ports 10.10.10.215 --open

# -oA writes nmap.nmap, nmap.gnmap and nmap.xml; grep the normal-output file for open ports
sudo nmap -p- <target> -oA nmap; grep open nmap.nmap | awk -F/ '{print $1}' ORS=','; echo

List nmap scripts (in Kali)


Search for scripts

ls -l /usr/share/nmap/scripts/*ftp*
grep "ftp" /usr/share/nmap/scripts/script.db

Common nmap scripts


# Ping sweep a list of hosts and print only the live IPs
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

# Get help for a script
nmap --script-help=ssl-heartbleed

nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.14

nmap -Pn --script "smb-vuln*" 10.10.10.4

nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.11.1.5

nmap -vv --reason -Pn -T4 -sV -p 445 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" 10.10.10.10

nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" 172.31.1.16

nmap -p445 --script smb-vuln-ms17-010 192.168.220.40


nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='management' <target>

nmap -sV --script mongodb-brute -n -p 27017 192.168.229.69

nmap --script redis-info -sV -p 6379 192.168.229.69

nmap -Pn -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods <target>

nmap -Pn -sV -p 25 "--script=banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" <target>

nmap -vv --reason -Pn -T4 -sV -p 3389 192.168.220.40 "--script=banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)"


# Show mac address
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace



## RDP
## Detect RDP servers that do not require Network Level Authentication (NLA): without NLA an attacker can establish an RDP session with the server without having to authenticate first.
nmap --script 'rdp-enum-encryption' -p3389 10.11.1.0/24


## FTP
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.115

# Quote the pattern so the shell does not expand ftp-* against files in the current directory
nmap --script "ftp-*" -p 21 10.11.1.115
nmap -sU -p 69 --script tftp-enum.nse $ip

## SMTP

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.115

## MSSQL

nmap -n -v -sV -Pn -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt IP

nmap -n -v -sV -Pn -p 1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password IP


## MYSQL

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306

nmap -n -v -sV -Pn -p 3306 --script=mysql-info,mysql-audit,mysql-enum,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-users,mysql-query,mysql-variables,mysql-vuln-cve2012-2122 IP


Scan network


Static nmap binary: https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap?raw=true

Ping sweep

fping -a -g 10.142.111.0/24 2> /dev/null

List all live hosts on the network / Ping scan

nmap -sn 192.168.1.4-254 | grep for | cut -f 5 -d " "
nmap -sn -n 10.142.111.*  | grep for | cut -f 5 -d " "
netdiscover -P -i eth1 -r 192.168.4.0/24

# Use ARP scanning
nmap -sn -PR 10.10.1.2-23

# Ping sweep from a script: $1 is the /24 prefix, e.g. 10.11.1
for i in $(seq 1 254); do
  ping -c1 "$1.$i" | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1
done
for i in $(seq 200 210); do ping -c1 10.11.1.$i; done
for x in {1..254}; do ping -c1 192.168.0.$x | grep "64 b" | cut -d " " -f4 | tee -a ips.txt; done
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

Python ping sweep

#!/usr/bin/python3
# Usage: ./sweep.py <prefix> <first> <last>, e.g. ./sweep.py 10.11.1 1 254
import sys
import subprocess

arg1 = sys.argv[1]           # network prefix
arg2 = int(sys.argv[2])      # first host octet
arg3 = int(sys.argv[3]) + 1  # last host octet (inclusive)

for x in range(arg2, arg3):
    ip = arg1 + '.' + str(x)
    command = ['ping', '-c', '1', ip]
    result = subprocess.run(command, capture_output=True, text=True)
    # A reply line contains "bytes from"; print only hosts that answered
    if 'bytes from' in result.stdout:
        print(ip)

Port scan

Bash port scanner

#!/bin/bash
# Connect scan of a few ports using bash's /dev/tcp pseudo-device (no nmap needed)
target=1.1.1.1
ports=(21 22 53 80 443 3306 8443 8080)
for port in "${ports[@]}"; do
  # timeout keeps a filtered port from blocking the loop; errors are silenced
  if timeout 1 bash -c "echo 'Port Scan Test' > /dev/tcp/$target/$port" 2>/dev/null; then
    echo "$port is open"
  fi
done

Python port scanner

#!/usr/bin/python3
import socket

host = "1.1.1.1"
portList = [21, 22, 53, 80, 443, 3306, 8443, 8080]
for port in portList:
    # Full TCP connect per port; the timeout stops filtered ports from hanging the loop
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1)
        try:
            s.connect((host, port))
            print("Port", port, "is open")
        except OSError:
            print("Port", port, "is closed")

Manual port scanning (TCP)

nc -nvv -w 1 -z 10.11.1.220 3388-3390

Manual port scanning (UDP)

nc -nv -u -z -w 1 10.11.1.115 160-162

Manual port scanning

for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done 2>/dev/null 

Manual Windows ping / port sweep

net view

# cmd.exe, typed interactively (%i); inside a .bat file use %%i. find is case-sensitive ("Reply from ...")
for /L %i IN (1,1,254) do ping 172.16.1.%i -n 1

for /L %i IN (1,1,254) do ping 172.0.0.%i -n 1 -w 100 | find "Reply"

FOR /L %%i in (1,1,254) do @ping -n 1 -w 200 172.16.1.%%i | find "TTL" | more

# PowerShell
1..254 | % {"10.11.1.$($_):$(Test-Connection -count 1 -comp 10.11.1.$($_) -quiet)"}

1..254 | % { Test-NetConnection -ComputerName 192.168.50.$_ -Port 445 }

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null

Test-NetConnection -ComputerName 192.168.50.151 -Port 445

Discover the machine in the network (-sn: no port scan)

nmap -sn 192.168.0.0/24 -oN nmap-init_discovery

nmap -sn -n 10.142.111.*

ARP scan

arp-scan 10.10.210.6/24

nmap -sn -PR 10.10.10.10

SYN scan

nmap -sS 10.142.111.1,6,48,96,99,100,213

SYN scan of a filtered port (evade firewall)

 sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace

SYN scan from the DNS source port

sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

# Connect to the filtered port
nc -nv --source-port 53 10.129.2.28 50000

Exclude specific ports

nmap --exclude-ports 1-100 192.168.5.102

Scan every TCP and UDP port

sudo nmap -n -Pn -sT -sU -p- scanme.nmap.org

Scan without performing a reverse DNS lookup on the specified IP address; this speeds up results in most cases

sudo nmap -n scanme.nmap.org

Skip the host discovery phase and assume the host is online

sudo nmap -Pn scanme.nmap.org

Scan the top 1000 ports of a machine (fast)

rustscan -a 192.168.0.12 --top
rustscan -a 10.11.1.0/24

hping3 (reference: https://www.golinuxcloud.com/hping3-command-in-linux/)

Discover hosts that do not respond to ping

hping3 -A <IP Address> -p 80

Collect the TCP sequence numbers generated by a host

hping3 <Target IP> -Q -p 139 -s

TCP syn scan / Service enum

hping3 --scan known -S 192.185.5.1

Discover the AD


Send a DHCP discover broadcast, then capture the responses with Wireshark

nmap --script broadcast-dhcp-discover

Find AD-DS through the DNS

# global catalog (LDAP)
dig -t SRV _gc._tcp.lab.ropnop.com

# LDAP servers
dig -t SRV _ldap._tcp.lab.ropnop.com

# Kerberos KDC
dig -t SRV _kerberos._tcp.lab.ropnop.com

# Kerberos password change server
dig -t SRV _kpasswd._tcp.lab.ropnop.com

# Using nmap 
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='lab.ropnop.com'"

Scan a machine


Scan all TCP ports of a machine (nmap), or its top 1000 ports with rustscan (fast)

nmap -p- 192.168.0.12 -oN nmap-machine-12

rustscan -a 192.168.0.12 --top

Scan of specific ports

nmap -sC -sV -A 192.168.0.12 -p 22,80

Scan a machine for any known vulnerabilities

nmap -p- 10.10.10.40 --script vuln

Primitive port scan (netcat)

nc -v -n 8.8.8.8 1-1000

nc -v -z -w1 192.168.0.5 1-1024

nc.exe -v -z -n -w1 192.168.0.5 1-1024

Listen for pings


sudo tcpdump -i eth0 icmp and src 192.168.1.32

Routing


Add route (Linux)

sudo route add -net 10.67.0.0/16 gw 192.168.120.254

sudo ip route add 10.86.74.0/24 via 192.168.193.85

Add route (macOS)

sudo route -n add -net 10.10.10.0/24 10.10.14.30

List routes

netstat -rn
route -n

Show the routing table (and the subnets you sit on):

ip route

Scan through proxychains (a SOCKS proxy only carries full TCP connections, hence -sT and -Pn)

proxychains nmap -sT -sV -Pn -n -p22,80,135,139,445 --script=smb-vuln-ms08-067.nse 7.7.7.20

Using proxychains with xargs

seq 1 1000 | xargs -P 50 -I{} proxychains nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output $IP

# If you want to run multiple ports or port ranges against multiple hosts you could use the following alternative:

seq 1 254 | xargs -P 50 -I{} proxychains nmap -p 80,443,3389,445,22 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output 192.168.1.{}
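As an added example (not part of the original notes), here is a small Python parser for the grepable (-oG) file the xargs loop above keeps appending to; it does for many hosts and many appended runs what the "Cool oneliner" does with grep/cut for one host: it collects the ports reported open per host and builds the -p list for a follow-up scan. The -oG text below is constructed, not real output.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output, as the xargs loop above
# produces it with --append-output: several runs appended for the same host.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p 22 -sT -Pn --open -n -oG proxychains_nmap 192.168.1.10
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (0)
# Nmap done at Mon Jan  1 10:00:01 2024 -- 1 IP address (1 host up) scanned in 0.50 seconds
Host: 192.168.1.10 ()\tPorts: 80/open/tcp//http///, 443/filtered/tcp//https///
Host: 192.168.1.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
"""

# Each entry of the Ports: field starts port/state/protocol/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

def parse_gnmap(text):
    """Return {host: sorted [(port, proto), ...]} for every port reported open."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        # -oG fields are tab separated, each written as "Name: value"
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for port, state, proto in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                open_ports[host].add((int(port), proto))
    return {host: sorted(ports) for host, ports in open_ports.items()}

def port_arg(ports):
    """Comma-separated list for nmap -p, e.g. 22,80, for the follow-up scan."""
    return ",".join(str(port) for port, _ in ports)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for host, ports in parse_gnmap(text).items():
        print(f"{host}: -p{port_arg(ports)}")
```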

TTL


The TTL field limits how long (how many router hops) a packet can remain in the network, and the TCP window size advertises how much data the host is prepared to receive. The default values vary among OSs, as described in the following table:

OS                                        TTL   TCP window size
Linux (kernel 2.4 and 2.6)                 64   5840
Google Linux                               64   720
FreeBSD                                    64   65535
OpenBSD                                    64   16384
Windows 95                                 32   8192
Windows 2000                              128   16384
Windows XP                                128   65535
Windows 98, Vista, and 7 (Server 2008)    128   8192
IOS 12.4 (Cisco routers)                  255   4128
Solaris 7                                 255   8760
AIX 4.3                                    64   16384
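Added example, not from the original notes: a passive fingerprinter that applies the table above to the ttl and win fields printed by tcpdump -v. The TTL seen on the wire is the sender's default minus one per hop, so it is rounded up to the nearest common default (32, 64, 128, 255) to recover the initial TTL and a hop count. The tcpdump lines are constructed, and the window value is only meaningful on SYN/SYN-ACK packets.

```python
import re

# Signature table from the notes above: (initial TTL, TCP window) -> OS.
# OpenBSD and AIX 4.3 share 64/16384, so this method cannot separate them.
SIGNATURES = {
    (64, 5840): "Linux (kernel 2.4/2.6)",
    (64, 720): "Google Linux",
    (64, 65535): "FreeBSD",
    (64, 16384): "OpenBSD or AIX 4.3",
    (32, 8192): "Windows 95",
    (128, 16384): "Windows 2000",
    (128, 65535): "Windows XP",
    (128, 8192): "Windows 98/Vista/7 (Server 2008)",
    (255, 4128): "IOS 12.4 (Cisco router)",
    (255, 8760): "Solaris 7",
}

# Constructed tcpdump -v style SYN-ACK lines (not real captures).
SAMPLE_LINES = [
    "IP (tos 0x0, ttl 51, id 7, offset 0, flags [DF], proto TCP (6), length 60) "
    "203.0.113.5.443 > 192.0.2.10.50000: Flags [S.], seq 1, ack 1, win 5840, length 0",
    "IP (tos 0x0, ttl 116, id 8, offset 0, flags [DF], proto TCP (6), length 52) "
    "198.51.100.7.445 > 192.0.2.10.50001: Flags [S.], seq 2, ack 1, win 8192, length 0",
    "IP (tos 0x0, ttl 64, id 9, offset 0, flags [DF], proto TCP (6), length 60) "
    "192.0.2.20.22 > 192.0.2.10.50002: Flags [S.], seq 3, ack 1, win 29200, length 0",
]

TCPDUMP_RE = re.compile(r"ttl (\d+),.*?win (\d+)")

def initial_ttl(observed):
    """Round the observed TTL up to the nearest common default to recover what the sender set."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return observed

def guess_os(observed_ttl, window):
    """Return (OS guess, estimated hop count) for a packet's TTL and window."""
    start = initial_ttl(observed_ttl)
    os_name = SIGNATURES.get((start, window), f"unknown (initial TTL {start})")
    return os_name, start - observed_ttl

def fingerprint_line(line):
    """Fingerprint one tcpdump -v line; None if it carries no ttl/win fields."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return None
    return guess_os(int(m.group(1)), int(m.group(2)))
```

The table is dated, so on current systems the window rarely matches and the recovered initial TTL is the more reliable signal.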

TCPDump


Filter the traffic to get a better understanding of the IP addresses and ports involved

sudo tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $5}' | sort | uniq -c | head
sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
sudo tcpdump -n port 81 -r password_cracking_filtered.pcap

Print the packet data in both HEX and ASCII format:

sudo tcpdump -nX -r password_cracking_filtered.pcap

Follow a TCP conversation: display packets that have both the PSH and ACK flags set (tcp[13] = 24, i.e. 0x18 in the flags byte):

sudo tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap
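Added example (not from the original notes) showing what tcp[13] = 24 actually selects: it reads the flags byte from a constructed TCP header and contrasts the equality test with the mask tests you would write for "either flag" or "both flags, ignoring the rest".

```python
import struct

# Bit values of the TCP flags byte (offset 13 in the TCP header), which is
# exactly what the BPF expression tcp[13] reads.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# Constructed 20-byte TCP header (not a real capture): 443 -> 50000,
# data offset 5 words, flags 0x18 (PSH+ACK), window 5840.
SAMPLE_TCP_HEADER = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, 5 << 4, 0x18, 5840, 0, 0)

def tcp_flags_byte(header):
    """Return the flags byte of a raw TCP header, like tcp[13] in a BPF filter."""
    return header[13]

def flag_names(byte):
    """Names of the flags set in a flags byte, in header bit order."""
    return [name for name, bit in TCP_FLAGS.items() if byte & bit]

def tcp13_equals(byte, value=0x18):
    """tcp[13] = 24: exactly PSH+ACK and nothing else (a SYN+ACK does not match)."""
    return byte == value

def tcp13_any_of(byte, mask=0x18):
    """tcp[13] & 24 != 0: PSH or ACK (or both); other bits are ignored."""
    return byte & mask != 0

def tcp13_all_of(byte, mask=0x18):
    """tcp[13] & 24 = 24: both PSH and ACK set; other bits are ignored."""
    return byte & mask == mask
```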