nmap

Scan Types

• ARP
• ICMP
• TCP
• UDP

Port States

1. Open
2. Closed
3. Filtered
4. Unfiltered
5. Open|Filtered
6. Close|Filtered

Usage

nmap -oA nmap-full -Pn -sS  -T4  -p- --defeat-rst-ratelimit <IP>

nmap  -oA  nmap-vuln -Pn  -script vuln  -p <Port,Port,Port,...> <IP>

combo with searchsploit

• nmap-full scan

sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
searchsploit --nmap ./nmap-full.xml --verbose

Wordpress Enumeration

nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com

Use List of Hosts

nmap -iL <ListofHosts>

• Show hosts, dns resolution included

nmap -sL -n 10.10.0.0/16

ARP Scan Local Network

nmap -PR -sn 192.168.0.0/24

ICMP Scans

• Type 8 (Ping Request)

nmap -PE -sn 10.10.0.0/16

• Type 13 (Timestamp Request)

nmap -PP -sn 10.10.0.0/16

• Type 17 (Address Mask Queries)

nmap -PM -sn 10.10.0.0/16

TCP Scans

• -PS23 Syn on port 23
• -PA80-8080 ACK on port range 80-8080

TCP Scan Types

• Null Scan -sN, port is open when there is no response. Otherwise the response is RST/ACK
• FIN Scan -sF , same procedure as null scan.
• Xmas Scan -sX, FIN/PSH/URG is sent. RST/ACK when port is closed.
• Maimon Scan -sM, sends FIN/ACK. Packet is dropped when port is open. Only viable on old BSD networks.
• ACK Scan -sA, sends ACK. Receives RST regardless of the state of the port. May be used to explore firewall rules.
• Window Scan -sW, sends ACK, and receives RST as well. Inspects the window part of the response. Used to expose firewall rules.
• Custom Scan --scanflags RSTACKFIN, set flags randomly.

UDP SCans

• -PU
• May be answered by ICMP Type 3 if the port is not reachable

DNS Scan

• No lookup -n
• Reverse lookup for every host -R
• Host discovery only -sn

Spoofing

• IP -S <spoofed-IP>
• MAC --spoof-mac <spoofed-MAC>
• Disable ping scan -Pn
• Decoy addresses -D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME

Service Detection

• -sV
• --version-intensity <level 0-9>
• Intensity 2 --version-light
• Intensity 9 --version-all

Scripts

Installed at /usr/share/nmap/scripts * auth Authentication related scripts * broadcast Discover hosts by sending broadcast messages * brute Performs brute-force password auditing against logins * default Default scripts, same as -sC * discovery Retrieve accessible information, such as database tables and DNS names * dos Detects servers vulnerable to Denial of Service (DoS) * exploit Attempts to exploit various vulnerable services * external Checks using a third-party service, such as Geoplugin and Virustotal * fuzzer Launch fuzzing attacks * intrusive Intrusive scripts such as brute-force attacks and exploitation * malware Scans for backdoors * safe Safe scripts that won’t crash the target * version Retrieve service versions * vuln Checks for vulnerabilities or exploit vulnerable services

Tips & Tricks

• Scan the 100 most interesting ports via -F
• --top-ports 100
• One probe every 5 minutes via -T0
• A closed port responds with RST/ACK to a initial SYN
• Scan ports iteratively by using -r, not random
• Closed Port
• Control packet rate via --min-rate and --max-rate
• Control parallel probes via --min-parallelism and --max-parallelism
• Fragment packets -f 8 bytes, -ff 16 bytes or --mtu
• Zombie Scan -sI <pwnd-device-IP> via pwnd host inside the targets network
• --reason, -d, -vv
• --traceroute