killchain-compendium/Enumeration/nmap.md

# nmap

## Scan Types
* ARP
* ICMP
* TCP
* UDP

## Port States
1. Open
2. Closed
3. Filtered
4. Unfiltered
5. Open|Filtered
6. Close|Filtered

## Usage

```sh
nmap -oA nmap-full -Pn -sS  -T4  -p- --defeat-rst-ratelimit <IP>
```
```sh
nmap  -oA  nmap-vuln -Pn  -script vuln  -p <Port,Port,Port,...> <IP>
```

### combo with searchsploit 
* nmap-full scan
```sh
sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
searchsploit --nmap ./nmap-full.xml --verbose
```
### Wordpress Enumeration
```sh
nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com
```

### Use List of Hosts
```sh
nmap -iL <ListofHosts>
```
* Show hosts, dns resolution included
```sh
nmap -sL -n 10.10.0.0/16
```

### ARP Scan Local Network
```sh
nmap -PR -sn 192.168.0.0/24
```
### ICMP Scans
* __Type 8__ (Ping Request)
```sh
nmap -PE -sn 10.10.0.0/16
```
* __Type 13__ (Timestamp Request)
```sh
nmap -PP -sn 10.10.0.0/16
```
* __Type 17__ (Address Mask Queries)
```sh
nmap -PM -sn 10.10.0.0/16
```

### TCP Scans
* `-PS23` Syn on port 23
* `-PA80-8080` ACK on port range 80-8080

#### TCP Scan Types
* __Null Scan__ `-sN`, port is open when there is no response. Otherwise the response is `RST/ACK`
* __FIN Scan__ `-sF` , same procedure as null scan.
* __Xmas Scan__ `-sX`, `FIN/PSH/URG` is sent. `RST/ACK` when port is closed.
* __Maimon Scan__ `-sM`, sends `FIN/ACK`. Packet is dropped when port is open. Only viable on old BSD networks.
* __ACK Scan__ `-sA`, sends `ACK`. Receives `RST` regardless of the state of the port. May be used to explore firewall rules.
* __Window Scan__ `-sW`, sends `ACK`, and receives `RST` as well. Inspects the window part of the response. Used to expose firewall rules.
* __Custom Scan__ `--scanflags RSTACKFIN`, set flags randomly.

### UDP SCans
* `-PU` 
* May be answered by ICMP Type 3 if the port is not reachable

### DNS Scan
* No lookup `-n`
* Reverse lookup for every host `-R` 
* Host discovery only `-sn`

### Spoofing
* IP `-S <spoofed-IP>`
* MAC `--spoof-mac <spoofed-MAC>`
* Disable ping scan `-Pn`
* Decoy addresses `-D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME`

### Service Detection
* `-sV`
* `--version-intensity <level 0-9>`
* Intensity 2 `--version-light`
* Intensity 9 `--version-all`

## Scripts
Installed at `/usr/share/nmap/scripts`
* __auth__    Authentication related scripts
* __broadcast__   Discover hosts by sending broadcast messages
* __brute__   Performs brute-force password auditing against logins
* __default__ Default scripts, same as -sC
* __discovery__   Retrieve accessible information, such as database tables and DNS names
* __dos Detects__ servers vulnerable to Denial of Service (DoS)
* __exploit__ Attempts to exploit various vulnerable services
* __external__    Checks using a third-party service, such as Geoplugin and Virustotal
* __fuzzer__  Launch fuzzing attacks
* __intrusive__   Intrusive scripts such as brute-force attacks and exploitation
* __malware__ Scans for backdoors
* __safe__    Safe scripts that won’t crash the target
* __version__ Retrieve service versions
* __vuln__    Checks for vulnerabilities or exploit vulnerable services

## Tips & Tricks
* Scan the 100 most interesting ports via `-F`
* `--top-ports 100` 
* One probe every 5 minutes via `-T0`
* A closed port responds with `RST/ACK` to a initial `SYN`
* Scan ports iteratively by using `-r`, not random
* Closed Port 
* Control packet rate via `--min-rate` and `--max-rate`
* Control parallel probes via `--min-parallelism` and `--max-parallelism`
* Fragment packets `-f` 8 bytes, `-ff` 16 bytes or `--mtu`
* Zombie Scan `-sI <pwnd-device-IP>` via pwnd host inside the targets network
* `--reason`, `-d`, `-vv`
* `--traceroute`