killchain-compendium/enumeration/docs/nmap.md

128 lines
3.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# nmap
## Scan Types
* ARP
* ICMP
* TCP
* UDP
## Port States
1. Open
2. Closed
3. Filtered
4. Unfiltered
5. Open|Filtered
6. Close|Filtered
## Usage
```sh
nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
```
```sh
nmap -oA nmap-vuln -Pn -script vuln -p <Port,Port,Port,...> <IP>
```
### combo with searchsploit
* nmap-full scan
```sh
sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
searchsploit --nmap ./nmap-full.xml --verbose
```
### Wordpress Enumeration
```sh
nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com
```
### Use List of Hosts
```sh
nmap -iL <ListofHosts>
```
* Show hosts, dns resolution included
```sh
nmap -sL -n 10.10.0.0/16
```
### ARP Scan Local Network
```sh
nmap -PR -sn 192.168.0.0/24
```
### ICMP Scans
* __Type 8__ (Ping Request)
```sh
nmap -PE -sn 10.10.0.0/16
```
* __Type 13__ (Timestamp Request)
```sh
nmap -PP -sn 10.10.0.0/16
```
* __Type 17__ (Address Mask Queries)
```sh
nmap -PM -sn 10.10.0.0/16
```
### TCP Scans
* `-PS23` Syn on port 23
* `-PA80-8080` ACK on port range 80-8080
#### TCP Scan Types
* __Null Scan__ `-sN`, port is open when there is no response. Otherwise the response is `RST/ACK`
* __FIN Scan__ `-sF` , same procedure as null scan.
* __Xmas Scan__ `-sX`, `FIN/PSH/URG` is sent. `RST/ACK` when port is closed.
* __Maimon Scan__ `-sM`, sends `FIN/ACK`. Packet is dropped when port is open. Only viable on old BSD networks.
* __ACK Scan__ `-sA`, sends `ACK`. Receives `RST` regardless of the state of the port. May be used to explore firewall rules.
* __Window Scan__ `-sW`, sends `ACK`, and receives `RST` as well. Inspects the window part of the response. Used to expose firewall rules.
* __Custom Scan__ `--scanflags RSTACKFIN`, set flags randomly.
### UDP SCans
* `-PU`
* May be answered by ICMP Type 3 if the port is not reachable
### DNS Scan
* No lookup `-n`
* Reverse lookup for every host `-R`
* Host discovery only `-sn`
### Spoofing
* IP `-S <spoofed-IP>`
* MAC `--spoof-mac <spoofed-MAC>`
* Disable ping scan `-Pn`
* Decoy addresses `-D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME`
### Service Detection
* `-sV`
* `--version-intensity <level 0-9>`
* Intensity 2 `--version-light`
* Intensity 9 `--version-all`
## Scripts
Installed at `/usr/share/nmap/scripts`
* __auth__ Authentication related scripts
* __broadcast__ Discover hosts by sending broadcast messages
* __brute__ Performs brute-force password auditing against logins
* __default__ Default scripts, same as -sC
* __discovery__ Retrieve accessible information, such as database tables and DNS names
* __dos Detects__ servers vulnerable to Denial of Service (DoS)
* __exploit__ Attempts to exploit various vulnerable services
* __external__ Checks using a third-party service, such as Geoplugin and Virustotal
* __fuzzer__ Launch fuzzing attacks
* __intrusive__ Intrusive scripts such as brute-force attacks and exploitation
* __malware__ Scans for backdoors
* __safe__ Safe scripts that wont crash the target
* __version__ Retrieve service versions
* __vuln__ Checks for vulnerabilities or exploit vulnerable services
## Tips & Tricks
* Scan the 100 most interesting ports via `-F`
* `--top-ports 100`
* One probe every 5 minutes via `-T0`
* A closed port responds with `RST/ACK` to a initial `SYN`
* Scan ports iteratively by using `-r`, not random
* Closed Port
* Control packet rate via `--min-rate` and `--max-rate`
* Control parallel probes via `--min-parallelism` and `--max-parallelism`
* Fragment packets `-f` 8 bytes, `-ff` 16 bytes or `--mtu`
* Zombie Scan `-sI <pwnd-device-IP>` via pwnd host inside the targets network
* `--reason`, `-d`, `-vv`
* `--traceroute`