Nmap

Scanning:

Ping Scan (host discovery only, no port scan):
>> nmap -v -sn 192.168.50.0/24
>> nmap -v -sn 192.168.50.102

Favs:
nmap -A -oA nmap 10.x.x.x
nmap -sC -sV -oA nmap 10.x.x.x   ..nearly the same; -A = -sC -sV plus -O and --traceroute (those two need root)

nmap -p0-65535 -Pn -sT 10.x.x.x  ..All TCP ports incl. 0, No Ping (full connect scan, works without root)
nmap -p0-65535 -Pn -sU 10.x.x.x  ..All UDP ports, No Ping (needs root; can take many hours per host, start with --top-ports 100)
nmap -A -sT -T4 10.x.x.x -oA target -Pn   ..NSE/Def, TCP connect, Fast, all three output formats, Avoid ping
nmap -Pn --script vuln 10.x.x.x           ..Find VULNS, No Pings (noisy; several vuln scripts are also intrusive)

---------------------------------------------------------------
---------------------------------------------------------------
nmap
nmap -p 445 10.10.10.10 10.10.10.20   ..one port, two targets

-T3 .. Normal, default
-T4 .. Aggressive; fine on a LAN or lab, can miss ports on slow or lossy links
-T5 .. Insane. Too fast, drops results; don't use.

---------------------------------------------------------------
---------------------------------------------------------------
nmap -p 445 10.10.10.10 10.10.10.20 ..two targets
nmap -p0-65535 -Pn 192.168.17.154   ..all ports
nmap -n -sS -T4 -p 80 10.0.3.0/24   ..SYN scan port 80 across a /24, no DNS lookups (-n); -sS needs root
nmap -sn 10.0.0-3.0-255             ..4 /24 subnets via octet ranges (10.0.0.0 through 10.0.3.255)
nmap -sV --script=banner 192.168.1.50  ..svc-ver and banners
nmap -sS -O -p 80-443 145.18.24.7      ..SYN scan + OS detect; 80-443 is the whole range, not just the two ports
nmap -sn 10.0.128.0/24  ..ping scan
nmap -sL 10.0.128.0/24  ..List scan: reverse-DNS each target, sends no probes to them
nmap -sn 10.0.128.0/24 --packet-trace  ..show every packet sent and received on screen
nmap -sT 10.x.x.x -oA target -Pn       ..TCP connect, all output formats, avoid ping
---------------------------------------------------------------
---------------------------------------------------------------

sneaky
Slow down to stay under IDS rate thresholds (-T sneaky = -T1, about 15s between probes)
nmap -sT skillsetlocal.com -p 21,80 -T sneaky

Insane 'FAST' (-T5)
nmap -sT skillsetlocal.com -p 21,80 -T insane

Speeds (-T0 through -T5):
paranoid, sneaky, polite, normal, aggressive, insane

Scan Delay (fixed wait between probes; finer control than a -T template):
nmap -sT skillsetlocal.com -p 21,80 --scan-delay 5s

Syn Scan:
Half-open scan: sends SYN, reads the SYN/ACK or RST, never completes the handshake. Needs root. Quieter in application logs than -sT, but any modern IDS still sees it.
nmap -sS skillsetlocal.com

nmap 192.168.1.1 -p-       ..all ports 1-65535 (port 0 only with an explicit -p0-65535)
nmap 192.168.1.* -sL       ..list targets
nmap -A -T4 cloudflare.com           ..os/svc and fast
nmap --top-ports 20 192.168.1.106    ..top 20 ports
nmap -Pn 1.1.1.1,2,3,7               ..Disable host discovery. Port scan only. (targets 1.1.1.1, .2, .3 and .7)
nmap 8.8.8.* --exclude 8.8.8.1       ..whole /24 minus one host (no -p here: -p takes ports, not targets)
nmap 8.8.8.1-14
nmap -p 1-65535 localhost

NFS - Find and Enum

nmap -v -p 111 10.11.1.0/24 -oG nfs.nmap
grep "111/open" nfs.nmap | awk '{print $2}' > nfs.ip    ..only hosts with portmapper actually open (a bare grep 111 also matches closed/filtered lines and the '# Nmap' header)
nmap -sV -p111 --script=rpcinfo -iL nfs.ip
ls -l /usr/share/nmap/scripts/nfs*
nmap -p111 --script 'nfs-*' -iL nfs.ip -oN nfs.enum    ..quote the glob so the shell doesn't expand it; -oN writes the output file (a bare trailing word is read as another target)

Stylesheet

nmap -sC -sV -oA myscan --stylesheet nmap-bootstrap.xsl 10.x.x.x
firefox myscan.xml   ..-oA myscan writes myscan.xml; the browser needs nmap-bootstrap.xsl (github link at the bottom) in the same directory. If the browser refuses the local XSL, run the XML through xsltproc to get a standalone .html instead.

NSE Scripts

Default NSE Scripts: 
nmap -sC x.x.x.x
nmap -A  x.x.x.x

Categories are lower-case; nmap --script-help <category> shows what each selects:
--script=discovery
--script=exploit
--script=intrusive    ..may crash or change the target and will trip IDS
--script=vuln         ..Checks common vulns
--script=http-enum    ..Enum dirs in webapps/servs (a single script, not a category)
--script dos          ..test for vuln of DOS attack; can take the service down
--script=banner       ..simple banner pull (--script=banner.nse also works, the .nse is optional)

---------------------------------------------------------------
---------------------------------------------------------------
Good ones:
nmap -Pn --script vuln 192.168.1.105  ..vul/cve detection, No Pings
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh 10.x.x.x   ..uri must be a CGI that exists on the target
nmap -p 443 --script ssl-heartbleed 10.x.x.x
nmap -p 3306 --script mysql-brute 10.x.x.x    ..brute category: noisy and can lock accounts out
nmap -p 21 --script ftp-brute 10.x.x.x        ..same
nmap -sV --script=nfs-showmount 10.x.x.x      ..needs rpcbind (111) reachable
---------------------------------------------------------------
---------------------------------------------------------------
Enumerate shares
Will catch users with 'quick-shares' setup
or find OS, or even usernames

nmap --script smb-enum-users -p 139,445 10.10.10.10   ..smb scripts run over 139 or 445; modern hosts usually expose only 445

/usr/local/share/nmap/scripts/smb-enum-shares.nse
/usr/local/share/nmap/scripts/smb-os-discovery.nse
/usr/local/share/nmap/scripts/smb-enum-users.nse
/usr/local/share/nmap/scripts/sshv1.nse    ..checks whether the server still accepts SSH protocol 1
(Debian/Kali packages install scripts under /usr/share/nmap/scripts/, source builds under /usr/local/share/nmap/scripts/)
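
What a category flag actually expands to is decided by the categories = {...} line each script declares, which is also what nmap's own expression syntax (--script "vuln and not intrusive") filters on. The following is an added example, not code from this page or from the Nmap project: it reads those lines out of a script directory and answers "which scripts will --script vuln run, and which of those are intrusive". make_sample_scriptdir() writes a constructed mini script directory so it runs offline; the category lists in it are illustrative, not copied from the real scripts, and smb-flood.nse is a hypothetical name. On a real host point the functions at /usr/share/nmap/scripts (or /usr/local/share/nmap/scripts) instead.

```shell
#!/bin/sh
# Added example (not from the page): map NSE categories to script files by
# reading each script's `categories = {...}` declaration.

make_sample_scriptdir() {
  # Constructed script directory; category lists are illustrative only and
  # smb-flood.nse is a hypothetical name.
  d=$(mktemp -d)
  printf 'categories = {"default", "discovery", "safe"}\n' > "$d/banner.nse"
  printf 'categories = {"discovery", "intrusive", "vuln"}\n' > "$d/http-enum.nse"
  printf 'categories = {"vuln", "safe"}\n' > "$d/ssl-heartbleed.nse"
  printf 'categories = {"exploit", "intrusive", "vuln"}\n' > "$d/http-shellshock.nse"
  printf 'categories = {"brute", "intrusive"}\n' > "$d/mysql-brute.nse"
  printf 'categories = {"dos", "intrusive"}\n' > "$d/smb-flood.nse"
  printf '%s\n' "$d"
}

# nse_categories DIR SCRIPT -> the category names one script declares, one per line
nse_categories() {
  sed -n 's/^categories[[:space:]]*=[[:space:]]*{\(.*\)}.*/\1/p' "$1/$2" \
    | tr ',' '\n' | tr -d ' "'
}

# nse_scripts_in_category DIR CAT -> script basenames declaring CAT,
# i.e. the set `--script CAT` selects from DIR
nse_scripts_in_category() {
  for f in "$1"/*.nse; do
    if nse_categories "$1" "$(basename "$f")" | grep -qx "$2"; then
      basename "$f"
    fi
  done | sort
}

# nse_scripts_in_category_excluding DIR CAT EXCL -> CAT minus EXCL,
# the same set nmap's expression  --script "CAT and not EXCL"  selects
nse_scripts_in_category_excluding() {
  for f in $(nse_scripts_in_category "$1" "$2"); do
    if ! nse_categories "$1" "$f" | grep -qx "$3"; then
      printf '%s\n' "$f"
    fi
  done
}

# Demo on the constructed directory
D=$(make_sample_scriptdir)
printf 'vuln:                   %s\n' "$(nse_scripts_in_category "$D" vuln | paste -sd' ' -)"
printf 'vuln and not intrusive: %s\n' "$(nse_scripts_in_category_excluding "$D" vuln intrusive | paste -sd' ' -)"
rm -rf "$D"
```

Run it against the real directory when deciding what to pass on an engagement where crashing a service is not acceptable; nmap --script-help "vuln and not intrusive" gives the same answer from nmap itself.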

grep for ports

grep -oP '\d{1,5}/open' allports.gnmap | sort -un > ports.list   ..-oA writes the greppable file as .gnmap, not .gmap; -n sorts numerically
22/open
80/open
119/open
4555/open

vim   ..turn the list into a comma list for -p: strip "/ope", then join the lines on the leftover "n"
%s/\/ope//g
%s/n\n/,/g
nmap -p 110,119,22,25,4555,80 -sC -sV -oA output --script vuln $IP
..-sC is shorthand for --script default, and an explicit --script list takes its place, so pass --script 'default,vuln' to run both sets
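
The same harvest-then-rescan workflow, done from the greppable output directly instead of grep plus vim, and covering both the NFS host list above and the port list here. This is an added example, not code from this page or from Nmap: sample_gnmap() emits constructed -oG lines in Nmap's real layout (tab-separated, "Host: <ip> ()  Ports: port/state/proto//service///, ..."), not a real scan, and the IPs are placeholders. On an engagement replace sample_gnmap with cat allports.gnmap.

```shell
#!/bin/sh
# Added example (not from the page): parse Nmap greppable (-oG / .gnmap)
# output into host lists and -p port lists for the follow-up scan.

sample_gnmap() {
  # Constructed -oG output in Nmap's layout; not from a real scan.
  printf '# Nmap 7.94 scan initiated as: nmap -p- -oG allports.gnmap 10.11.1.0/24\n'
  printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
  printf 'Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 119/open/tcp//nntp///, 4555/open/tcp//james-admin///, 113/closed/tcp//ident///\tIgnored State: filtered (65529)\n'
  printf 'Host: 10.11.1.7 ()\tStatus: Up\n'
  printf 'Host: 10.11.1.7 ()\tPorts: 111/open/tcp//rpcbind///, 2049/open/tcp//nfs///\n'
  printf 'Host: 10.11.1.9 ()\tStatus: Up\n'
  printf 'Host: 10.11.1.9 ()\tPorts: 111/closed/tcp//rpcbind///\n'
  printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned\n'
}

# gnmap_hosts_with_open_port PORT < file -> IPs where PORT is open.
# The leading space in the pattern means 111/closed is skipped and 2111/open
# does not match 111; the '# Nmap' header lines never start with "Host:".
gnmap_hosts_with_open_port() {
  awk -v p="$1" '/^Host:/ && $0 ~ (" " p "/open/") { print $2 }' | sort -u
}

# gnmap_open_ports < file -> every open port seen on any host, numeric
# order, comma-joined, ready for -p
gnmap_open_ports() {
  grep -oE '[0-9]{1,5}/open/' | cut -d/ -f1 | sort -un | paste -sd, -
}

# gnmap_host_open_ports IP < file -> same, for one host only
gnmap_host_open_ports() {
  awk -v h="$1" '/^Host:/ && $2 == h' | gnmap_open_ports
}

# targeted_scan_cmd IP PORTS -> the follow-up command string. Printed, not
# executed, so it can be reviewed before anything touches the target.
targeted_scan_cmd() {
  printf 'nmap -p %s -sC -sV -oA %s_targeted %s\n' "$2" "$1" "$1"
}

# Demo on the constructed data
printf 'hosts with 111 open: %s\n' "$(sample_gnmap | gnmap_hosts_with_open_port 111 | paste -sd' ' -)"
printf 'all open ports:      %s\n' "$(sample_gnmap | gnmap_open_ports)"
for ip in $(sample_gnmap | gnmap_hosts_with_open_port 111); do
  targeted_scan_cmd "$ip" "$(sample_gnmap | gnmap_host_open_ports "$ip")"
done
```

gnmap_hosts_with_open_port 111 replaces the NFS section's grep pipeline and only returns hosts where portmapper is actually open; gnmap_host_open_ports builds the -p list per host, which matters when the full-port sweep covered a subnet rather than a single box.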

NMAP PrivEsc

Old nmap builds (roughly 2.02 through 5.21) have an 'interactive mode'. If sudo lets you run nmap, that is PrivEsc: a ! prefix runs a shell command, and the shell it spawns keeps nmap's root.

>> nmap --version        ...nmap version 3.81
>> sudo nmap --interactive

nmap> !sh
# whoami
root 

Newer nmap dropped --interactive, but sudo nmap --script pointed at a Lua file of your own that calls os.execute("/bin/sh") gets the same root shell. Check sudo -l for nmap either way.

Last updated 2 years ago


https://github.com/honze-net/nmap-bootstrap-xsl