killchain-compendium/enumeration/docs/nmap.md

3.7 KiB
Raw Blame History

nmap

Scan Types

  • ARP
  • ICMP
  • TCP
  • UDP

Port States

  1. Open
  2. Closed
  3. Filtered
  4. Unfiltered
  5. Open|Filtered
  6. Close|Filtered

Usage

nmap -oA nmap-full -Pn -sS  -T4  -p- --defeat-rst-ratelimit <IP>
nmap  -oA  nmap-vuln -Pn  -script vuln  -p <Port,Port,Port,...> <IP>

combo with searchsploit

  • nmap-full scan
sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
searchsploit --nmap ./nmap-full.xml --verbose

Wordpress Enumeration

nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com

Use List of Hosts

nmap -iL <ListofHosts>
  • Show hosts, dns resolution included
nmap -sL -n 10.10.0.0/16

ARP Scan Local Network

nmap -PR -sn 192.168.0.0/24

ICMP Scans

  • Type 8 (Ping Request)
nmap -PE -sn 10.10.0.0/16
  • Type 13 (Timestamp Request)
nmap -PP -sn 10.10.0.0/16
  • Type 17 (Address Mask Queries)
nmap -PM -sn 10.10.0.0/16

TCP Scans

  • -PS23 Syn on port 23
  • -PA80-8080 ACK on port range 80-8080

TCP Scan Types

  • Null Scan -sN, port is open when there is no response. Otherwise the response is RST/ACK
  • FIN Scan -sF , same procedure as null scan.
  • Xmas Scan -sX, FIN/PSH/URG is sent. RST/ACK when port is closed.
  • Maimon Scan -sM, sends FIN/ACK. Packet is dropped when port is open. Only viable on old BSD networks.
  • ACK Scan -sA, sends ACK. Receives RST regardless of the state of the port. May be used to explore firewall rules.
  • Window Scan -sW, sends ACK, and receives RST as well. Inspects the window part of the response. Used to expose firewall rules.
  • Custom Scan --scanflags RSTACKFIN, set flags randomly.

UDP SCans

  • -PU
  • May be answered by ICMP Type 3 if the port is not reachable

DNS Scan

  • No lookup -n
  • Reverse lookup for every host -R
  • Host discovery only -sn

Spoofing

  • IP -S <spoofed-IP>
  • MAC --spoof-mac <spoofed-MAC>
  • Disable ping scan -Pn
  • Decoy addresses -D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME

Service Detection

  • -sV
  • --version-intensity <level 0-9>
  • Intensity 2 --version-light
  • Intensity 9 --version-all

Scripts

Installed at /usr/share/nmap/scripts

  • auth Authentication related scripts
  • broadcast Discover hosts by sending broadcast messages
  • brute Performs brute-force password auditing against logins
  • default Default scripts, same as -sC
  • discovery Retrieve accessible information, such as database tables and DNS names
  • dos Detects servers vulnerable to Denial of Service (DoS)
  • exploit Attempts to exploit various vulnerable services
  • external Checks using a third-party service, such as Geoplugin and Virustotal
  • fuzzer Launch fuzzing attacks
  • intrusive Intrusive scripts such as brute-force attacks and exploitation
  • malware Scans for backdoors
  • safe Safe scripts that wont crash the target
  • version Retrieve service versions
  • vuln Checks for vulnerabilities or exploit vulnerable services

Tips & Tricks

  • Scan the 100 most interesting ports via -F
  • --top-ports 100
  • One probe every 5 minutes via -T0
  • A closed port responds with RST/ACK to a initial SYN
  • Scan ports iteratively by using -r, not random
  • Closed Port
  • Control packet rate via --min-rate and --max-rate
  • Control parallel probes via --min-parallelism and --max-parallelism
  • Fragment packets -f 8 bytes, -ff 16 bytes or --mtu
  • Zombie Scan -sI <pwnd-device-IP> via pwnd host inside the targets network
  • --reason, -d, -vv
  • --traceroute