# Nmap

## Scanning:

```
Ping Scan:
>> nmap -v -sn 192.168.50.0/24
>> nmap -v -sn 192.168.50.102

Favs:
nmap -A -oA nmap 10.x.x.x
nmap -sC -sV -oA nmap 10.x.x.x   ..nearly the same! -A = -sC -sV -O --traceroute

nmap -p0-65535 -Pn -sT 10.x.x.x  ..All TCP ports No Ping
nmap -p0-65535 -Pn -sU 10.x.x.x  ..All UDP ports No Ping
nmap -A -sT -T4 10.x.x.x -oA target -Pn   ..NSE/Def, TCP, Fast, AllOuts, Avoid ping
nmap -Pn --script vuln 10.x.x.x           ..Find VULNS, No Pings

---------------------------------------------------------------
---------------------------------------------------------------
nmap
nmap -p 445 10.10.10.10 10.10.10.20

-T3 .. Normal, default
-T4 .. Aggressive, is fine for most any network
-T5 .. Insane. Too fast (drops results), don't use.

---------------------------------------------------------------
---------------------------------------------------------------
nmap -p 445 10.10.10.10 10.10.10.20 ..two targets
nmap -p0-65535 -Pn 192.168.17.154   ..all ports
nmap -n -sS -T4 -p 80 10.0.3.0/24   ..stealthScan 80
nmap -sn 10.0.0-3.0/24   ..ping sweep, 4 subnets (10.0.0.0/24 .. 10.0.3.0/24)
nmap -sV --script=banner 192.168.1.50  ..svc-ver and banners
nmap -sS -O -p 80-443 145.18.24.7      ..stealthScan os ports
nmap -sn 10.0.128.0/24  ..ping scan
nmap -sL 10.0.128.0/24  ..List scan ns-resolution
nmap -sn 10.0.128.0/24 --packet-trace  ..show onscreen
nmap -sT 10.x.x.x -oA target -Pn       ..TCP, output, avoid ping
---------------------------------------------------------------
---------------------------------------------------------------

sneaky
Avoid IDS detection
nmap -sT skillsetlocal.com -p 21,80 -T sneaky

Insane 'FAST'
nmap -sT skillsetlocal.com -p 21,80 -T insane

Speeds: 
paranoid, sneaky, polite, normal, aggressive, insane

Scan Delay:
nmap -sT skillsetlocal.com -p 21,80 --scan-delay 5s

Syn Scan:
Half-open scan (stealthy)
nmap -sS skillsetlocal.com

nmap 192.168.1.1 -p-       ..all ports but Zero
nmap 192.168.1.* -sL       ..list targets
nmap -A -T4 cloudflare.com           ..os/svc and fast
nmap --top-ports 20 192.168.1.106    ..top 20 ports
nmap -Pn 1.1.1.1,2,3,7               ..Disable host discovery. Port scan only.
nmap 8.8.8.* --exclude 8.8.8.1       ..wildcard range, skip one host
nmap 8.8.8.1-14
nmap -p 1-65535 localhost

```

## NFS - Find and Enum

```
nmap -v -p 111 10.11.1.0/24 -oG nfs.nmap             ..find portmapper, greppable output
grep "111/open" nfs.nmap | awk '{print $2}' > nfs.ip  ..only hosts with 111 open (skips closed + header lines)
nmap -sV -p111 --script=rpcinfo -iL nfs.ip            ..which RPC services (nfs, mountd) are registered
ls -l /usr/share/nmap/scripts/nfs*                    ..NFS NSE scripts available
nmap -p111 --script "nfs*" -iL nfs.ip -oA nfs.enum    ..run them all, save as nfs.enum.*
```

## Stylesheet

* <https://github.com/honze-net/nmap-bootstrap-xsl>

```
nmap -sC -sV -oA myscan --stylesheet nmap-bootstrap.xsl 10.x.x.x
firefox myscan.xml   ..the .xsl must sit next to the .xml (or give --stylesheet a full path/URL)
```

## NSE Scripts

```
Default NSE Scripts: 
nmap -sC x.x.x.x
nmap -A  x.x.x.x

--script=discovery
--script=exploit
--script=intrusive
--script=vuln         ..Checks common vulns
--script=http-enum    ..Enum dirs in webapps/servs
--script=dos          ..test whether the target is vulnerable to DoS (can crash it)
--script=banner.nse   ..simple banner pull (.nse is optional)

---------------------------------------------------------------
---------------------------------------------------------------
Good ones:
nmap -Pn --script vuln 192.168.1.105  ..vul/cve detection, No Pings
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh 10.x.x.x
nmap -p 443 --script ssl-heartbleed 10.x.x.x
nmap -p 3306 --script mysql-brute 10.x.x.x
nmap -p 21 --script ftp-brute 10.x.x.x
nmap -sV --script=nfs-showmount 10.x.x.x
---------------------------------------------------------------
---------------------------------------------------------------
Enumerate shares:
catches users with 'quick shares' set up,
finds the OS, or even usernames

nmap --script smb-enum-users -p 139 10.10.10.10

/usr/local/share/nmap/scripts/smb-enum-shares.nse
/usr/local/share/nmap/scripts/smb-os-discovery.nse
/usr/local/share/nmap/scripts/smb-enum-users.nse
/usr/local/share/nmap/scripts/sshv1.nse
```

## grep for ports

```
grep -oP '\d{1,5}/open' allports.gnmap | sort -u > ports.list   ..open ports from greppable (-oG) output
22/open
80/open
119/open
4555/open

vim ports.list                 ..turn the list into a comma-separated -p argument
:%s/\/open//g                  ..strip "/open"
:%s/\n/,/g                     ..join lines with commas
nmap -p 110,119,22,25,4555,80 -sC -sV -oA output --script vuln $IP
```
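Both the NFS host-list step and the port-list trick above come down to parsing nmap's greppable (-oG) output. An added example (not part of the original notes) that does it with grep/awk/paste on a constructed .gnmap sample; the IPs and services in the sample are made up:

```shell
#!/bin/sh
# Added example (not from the original notes): parse nmap greppable (-oG)
# output with POSIX tools. Each function reads a .gnmap file on stdin.
# The sample below is constructed to mimic real -oG lines.
SAMPLE_GNMAP="$(cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -v -p 111 -oG nfs.nmap 10.11.1.0/24
Host: 10.11.1.5 ()  Status: Up
Host: 10.11.1.5 ()  Ports: 111/open/tcp//rpcbind///  Ignored State: closed (0)
Host: 10.11.1.7 ()  Ports: 111/closed/tcp//rpcbind///
Host: 10.11.1.9 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 4555/open/tcp//rsip///
# Nmap done at ... -- 256 IP addresses (3 hosts up) scanned in 5.12 seconds
EOF
)"

# hosts_with_open PORT: IPs with PORT open, one per line (feed to nmap -iL).
# Matching "<space>PORT/open/" keeps 111 from matching 1111 or 111/closed and
# skips the "# Nmap ..." header, which names the port but never "/open/".
hosts_with_open() {
    grep '^Host:' | grep -E "[[:space:]]$1/open/" | awk '{print $2}' | sort -u
}

# open_ports_csv: every "N/open" on stdin -> "22,80,111" (numeric order),
# ready for nmap -p. Replaces the grep | vim dance above.
open_ports_csv() {
    grep -oE '[0-9]{1,5}/open' | cut -d/ -f1 | sort -un | paste -sd, -
}

# host_open_ports IP: open ports of one host only (-F: treat the IP literally).
host_open_ports() {
    grep -F "Host: $1 " | open_ports_csv
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_open 111        # 10.11.1.5 and 10.11.1.9
printf '%s\n' "$SAMPLE_GNMAP" | host_open_ports 10.11.1.9  # 22,80,111,4555
```

Against a real file: `hosts_with_open 111 < nfs.nmap > nfs.ip` and `nmap -p "$(host_open_ports 10.11.1.9 < allports.gnmap)" ...`.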

## NMAP PrivEsc

Older versions of nmap have an 'interactive mode'.
If you are allowed to run nmap with sudo, this can be a PrivEsc.

```
>> nmap --version        ...nmap version 3.81
>> nmap --interactive

nmap> !sh
# whoami
root 
```

