NMAP Scans

Initial Scan

nmap -sC -sV -oA </path/to/file_to_output_to> <ip address>

-sC Default Scripts

-sV Enumerate Versions

-oA Output All Formats

Long/Background Scan

nmap -p- -T5 -oA </path/to/file_to_output_to> <ip address>

-p- All Ports: 1-65535

-T5 Very Aggressive Fast Scan (not recommended)

-oA Output All Formats

UDP scan

Quick UDP

nmap -sU -v -oA </path/to/file_to_output_to> <ip address>

Longer UDP

nmap -v -sC -sV -sU -Pn --disable-arp-ping <ip address> -oA <output file name>

Get the ports in the right format for a targeted nmap scan

a=`grep -oP '\d{1,5}/open' kioptrix2.short.gnmap |sort -u |sed -e 's/\/open//g' |tr '\n' ','`; a=${a::-1}

-o Print only the matching part (not the entire line)

-P interpret as Perl-compatible regex

'\d{1,5}/open' Our regex to grep for (1 to 5 occurrences of any digit followed by /open)

Scanning ipv6

nmap -sC -sV -oA scans/mischief-ipv6 -6 dead:beef::250:56ff:feb2:0190

Perform a targeted port scan

nmap -p $a -sC -sV -oA </path/to/file_to_output_to> --script vuln <ip address>

Webserver enumeration

nmap -p 80,443,8000,8080,8443 --script=http-enum <ip address>

Nmap Ping Sweep

nmap -sn 10.11.0.0/16 -oG ping_sweep.txt

grep Up ping_sweep.txt |cut -f2 -d " "

OR

nmap -sn 10.11.1.1-254 -oG ping_sweep.txt

grep Up ping_sweep.txt |cut -f2 -d " "

  • Keep in mind that systems that have ICMP disabled will not respond to ping sweeps even though they are in fact online

    • this method is good/efficient but not definitive

Find Low-Hanging Fruit

nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top_port_sweep.txt

grep open top_port_sweep.txt |cut -f2 -d " "

  • Machines that prove to be rich in services, or otherwise interesting, would then be individually port scanned, using a more exhaustive port list
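The port-list one-liner above (grep for `\d{1,5}/open`, join with commas, trim the trailing comma with `${a::-1}`) and the `grep Up | cut` step of the ping sweep both parse nmap's grepable (`-oG` / `.gnmap`) output. The following is an added example, not part of these notes, that does both in portable sh, without the bash-only `${a::-1}` trim (which errors when the list is empty). The `.gnmap` text is constructed sample data, not a real scan; nmap separates fields with tabs, spaces are used here and the parsing does not depend on it.

```shell
# Added example (not from the original notes): parse nmap grepable output
# to (1) list hosts reported Up and (2) build the comma-separated open-port
# list that "nmap -p" expects.
# SAMPLE_GNMAP is constructed sample data, not a real scan.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sn 10.11.1.1-254 -oG ping_sweep.txt
Host: 10.11.1.5 () Status: Up
Host: 10.11.1.5 () Ports: 22/open/tcp//ssh//OpenSSH 7.9/, 80/open/tcp//http//Apache/, 139/filtered/tcp//netbios-ssn///
Host: 10.11.1.7 () Status: Up
Host: 10.11.1.7 () Ports: 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///
Host: 10.11.1.9 () Status: Down
# Nmap done'

# up_hosts: read .gnmap on stdin, print one IP per line for every host nmap
# reported as Up (the "grep Up | cut -f2 -d ' '" step from the ping sweep).
up_hosts() {
    grep 'Status: Up' | cut -f2 -d ' '
}

# open_ports HOST: read .gnmap on stdin, print HOST's open ports as the
# comma-separated list "nmap -p" expects (empty output if none are open).
# paste joins with commas, so there is no trailing comma to trim.
open_ports() {
    # escape the dots so the IP is matched literally, not as "any character"
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep "^Host: $esc " \
        | grep -oE '[0-9]{1,5}/open' \
        | sed 's#/open##' \
        | sort -un \
        | paste -sd ',' -
}

# Usage: build the targeted-scan port list for one host, e.g.
#   ports=$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports 10.11.1.5)   # -> 22,80
#   nmap -p "$ports" -sC -sV 10.11.1.5
printf '%s\n' "$SAMPLE_GNMAP" | up_hosts
```

Feed a real file with `open_ports 10.11.1.5 < scan.gnmap`; the `sort -un` also removes the duplicate port numbers that show up when the same host appears in several scan files concatenated together.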

OS Fingerprinting

nmap -O 10.0.0.19

  • will attempt to guess the underlying operating system, by inspecting the packets received from the target

kerberos (TCP 88) + LDAP (TCP 389) = Active Directory Domain Controller

Identifying NMAP Scripts

locate -r '\.nse$' | xargs grep categories |grep 'default\|version' |grep smb

Identify all nmap default scripts (-sC)

grep -r categories /usr/share/nmap/scripts/*.nse |grep default |awk -F: '{print $1}' |awk -F/ '{print $6}'

Check for Shellshock vulnerability

nmap -p 80 --script=http-shellshock --script-args uri=/cgi-bin/test.cgi --script-args uri=/cgi-bin/admin.cgi 10.11.1.71

  • for the --script-args uri use the cgi URIs that you found using ka

e.g.

gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://10.11.1.71:80/ -s '200,204,301,307,403,500' -e | tee 'alpha/10.11.1.71/scans/10.11.1.71_80_gobuster_cgi'

View the arguments of an nmap script

nmap --script-help <nmap script name>

e.g.

nmap --script-help "irc-unrealircd-backdoor"

Question: My enum4linux and/or smbclient are not working. I am receiving "Protocol negotiation failed: NT_STATUS_IO_TIMEOUT". How do I resolve this?

Resolution:

On Kali, edit /etc/samba/smb.conf

Add the following under [global]:

client min protocol = CORE

client max protocol = SMB3

SSH to a host that only offers legacy key exchange and ciphers

ssh root@10.10.10.132

Unable to negotiate with 10.10.10.132 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

ssh 10.10.10.132 -oKexAlgorithms=+diffie-hellman-group1-sha1

Unable to negotiate with 10.10.10.132 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se

ssh 10.10.10.132 -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc

Enumerate NetBios Users

nmap -sC --script=smb-enum-users <ip address>

Stealth (SYN) scans

  • Sends the initial SYN packets and waits for the SYN/ACK packet from the server

  • Does not respond to the SYN/ACK packet with ACK; thus does not complete the three-way handshake

  • Called "stealth" scans because this method used to evade detection by primitive firewalls; however, this is definitely not the case with modern firewalls

    • you will be detected doing this, so the term "stealth" can be misleading
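To show why the "stealth" label is misleading, here is an added example (not part of these notes) written from the detection side: a half-open scan leaves a burst of SYN-only packets from one source to many destination ports, and a firewall log exposes that pattern directly. The awk filter counts distinct `DPT` values hit with SYN and no ACK per `SRC` and reports sources above a threshold. The log lines are constructed in the iptables LOG style and are not from any real system.

```shell
# Added example (not from the original notes): flag sources whose SYN-only
# packets touch many distinct destination ports, the footprint a half-open
# (-sS) scan leaves in a firewall log. SAMPLE_FW_LOG is constructed data.
SAMPLE_FW_LOG='kernel: IN=eth0 OUT= SRC=10.11.1.50 DST=10.11.1.5 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.5 DST=10.11.1.50 PROTO=TCP SPT=22 DPT=40001 ACK SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.50 DST=10.11.1.5 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.50 DST=10.11.1.5 PROTO=TCP SPT=40001 DPT=139 SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.50 DST=10.11.1.5 PROTO=TCP SPT=40001 DPT=445 SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.50 DST=10.11.1.5 PROTO=TCP SPT=40001 DPT=3389 SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.50 DST=10.11.1.5 PROTO=TCP SPT=40001 DPT=8080 SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.60 DST=10.11.1.5 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.60 DST=10.11.1.5 PROTO=TCP SPT=51000 DPT=80 ACK URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.60 DST=10.11.1.5 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.11.1.60 DST=10.11.1.5 PROTO=TCP SPT=51002 DPT=443 SYN URGP=0'

# syn_scan_sources [THRESHOLD]: read log lines on stdin and print
# "SRC count" for every source that sent SYN-only packets to at least
# THRESHOLD (default 5) distinct destination ports. Lines carrying ACK
# (replies, established traffic) are ignored; repeated hits on the same
# port count once, so a normal client retrying port 80 is not flagged.
syn_scan_sources() {
    thr="${1:-5}"
    awk -v thr="$thr" '
        / SYN( |$)/ && !/ ACK/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort
}

# Usage: with the sample above and the default threshold this prints
# "10.11.1.50 6"; 10.11.1.60 (two distinct ports) stays below it.
printf '%s\n' "$SAMPLE_FW_LOG" | syn_scan_sources
```

On a real box the input would be `grep 'IN=' /var/log/kern.log | syn_scan_sources 20`; the threshold is the only tuning knob, and a time window per source is the obvious next refinement.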

UDP scans

  • are often unreliable as firewalls and routers may drop ICMP packets

  • But it is a mistake to neglect them

    • TCP is only half of the equation

#Nmap

nmap -sC -sV -O <targetip>

nmap -p- --min-rate 10000 -oA scans/alltcp XX.XX.XX.XX

nmap -p- -v <targetip>

nmap -sT -sV -p- XX.XX.XX.XX -oA XX.XX.XX.XX

------------------------

#TCP Top 1000

nmap -Pn -sC -sV -oA tcp -vv $ip

------------------------

#All TCP Ports:

nmap -Pn -sC -sV -oA all -vv -p- $ip

------------------------

#UDP Top 100:

nmap -Pn -sU --top-ports 100 -oA udp -vv $ip

unicornscan -mU -v -I XX.XX.XX.XX

------------------------

#No Ping

nmap -sV -sC -O -Pn XX.XX.XX.XX

------------------------

#All Ports

nmap -sV -sC -O -Pn -p 1-65535 XX.XX.XX.XX

------------------------

#Nmap Detect And Write Alive Hosts

nmap -v -sn XX.XX.XX.XX-254 -oG upHost.txt

------------------------

#UDP Scan

nmap --top-ports 200 -sU -A XX.XX.XX.XX

------------------------

#With Netcat

nc -nvv -w 1 -z XX.XX.XX.XX 3388-3390

Replace $ip with target IP

Initial scan

nmap -Pn -n -vvv -oN nmap/initial $ip

If no ports are found, scan in parts

nmap -Pn -n -vvv -p1-500 -oN nmap/partial $ip

Scan all ports

nmap -Pn -n -vvv -p- -oN nmap/allports $ip

Targeted scanning:

nmap -Pn -n -vvv -p22,80 -oN nmap/targeted $ip

UDP Scanning

sudo nmap -Pn -n -vvv -sU -oN nmap/udp $ip

Automated nmap scanning (my preference is nmapAutomator, never missed a port)

# It is recommended to scan ONE IP at a time

# Do NOT overload the network

# All scans, consecutively: Quick, Targeted, UDP, All ports, Vuln scan, CVE scan, Gobuster, Nikto

nmapAutomator ip All
