Nmap

Scanning:

Ping Scan:
>> nmap -v -sn 192.168.50.0/24
>> nmap -v -sn 192.168.50.102

Favs:
nmap -A -oA nmap 10.x.x.x
nmap -sC -sV -oA nmap 10.x.x.x   ..same! A = -sC -sV

nmap -p0-65535 -Pn -sT 10.x.x.x  ..All TCP ports No Ping
nmap -p0-65535 -Pn -sU 10.x.x.x  ..All UDP ports No Ping
nmap -A -sT -T4 10.x.x.x -oA target -Pn   ..NSE/Def, TCP, Fast, AllOuts, Avoid ping
nmap -Pn --script vuln 10.x.x.x           ..Find VULNS, No Pings

---------------------------------------------------------------
---------------------------------------------------------------
nmap
nmap -p 445 10.10.10.10 10.10.10.20

-T3 .. Normal, default
-T4 .. Aggressive, is fine for most any network
-T5 .. Insane. Too fast, dont use.

---------------------------------------------------------------
---------------------------------------------------------------
nmap -p 445 10.10.10.10 10.10.10.20 ..two targets
nmap -p0-65535 -Pn 192.168.17.154   ..all ports
nmap -n -sS -T4 -p 80 10.0.3.0/24   ..stealthScan 80
nmap -P 10.0.0.0-3   ..4 subnets
nmap -sV --script=banner 192.168.1.50  ..svc-ver and banners
nmap -sS -O -p 80-443 145.18.24.7      ..stealthScan os ports
nmap -sn 10.0.128.0/24  ..ping scan
nmap -sL 10.0.128.0/24  ..List scan ns-resolution
nmap -sn 10.0.128.0/24 --packet-trace  ..show onscreen
nmap -sT 10.x.x.x -oA tartet -Pn       ..TCP, output, avoid ping
---------------------------------------------------------------
---------------------------------------------------------------

sneaky
Avoid IDS detection
nmap -sT skillsetlocal.com -p 21,80 -T sneaky

Insane 'FAST'
nmap -sT skillsetlocal.com -p 21,80 -T insane

Speeds: 
paranoid, sneaky, polite, normal, aggressive, insane

Scan Delay:
nmap -sT skillsetlocal.com -p 21,80 --scan-delay 5s

Syn Scan:
Half-open scan (stealthy)
nmap -sS skillsetlocal.com

nmap 192.168.1.1 -p-       ..all ports but Zero
nmap 192.168.1.* -sL       ..list targets
nmap -A -T4 cloudflare.com           ..os/svc and fast
nmap --top-ports 20 192.168.1.106    ..top 20 ports
nmap -Pn 1.1.1.1,2,3,7               ..Disable host discovery. Port scan only.
nmap -p 8.8.8.* --exclude 8.8.8.1
nmap 8.8.8.1-14
nmap -p 1-65535 localhost

NFS - Find and Enum

nmap -v -p 111 10.11.1.0/24 -oG nfs.nmap
cat nfs.nmap | grep 111 | grep -v "Nmap" | awk '{print $2}' > nfs.ip 
nmap -sV -p111 --script=rpcinfo -iL nfs.ip
ls -l /usr/share/nmap/scripts/nfs*
nmap -p111 --script nfs* -iL nfs.ip nfs.enum

Stylesheet

https://github.com/honze-net/nmap-bootstrap-xsl

nmap -sC -sV -oA myscan --stylesheet nmap-bootstrap.xsl
firefox poison.xml

NSE Scripts

Default NSE Scripts: 
nmap -sC x.x.x.x
nmap -A  x.x.x.x

--script=Discovery
--script=Exploit
--script=Intrusive
--script=Vuln         ..Checks common vulns
--script=http-enum    ..Enum dirs in webapps/servs
--script dos          ..test for vuln of DOS attack
--script=banner.nse   ..simple banner pull

---------------------------------------------------------------
---------------------------------------------------------------
Good ones:
nmap -Pn --script vuln 192.168.1.105  ..vul/cve detection, No Pings
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh 10.x.x.x
nmap -p 443 --script ssl-heartbleed 10.x.x.x
nmap -p 3306 --script mysql-brute 10.x.x.x
nmap -p 21 --script ftp-brute 10.x.x.x
nmap -sV -script=nfs-showmount 10.x.x.x
---------------------------------------------------------------
---------------------------------------------------------------
Enumerate shares
Will catch users with 'quick-shares' setup
or find OS, or even usernames

nmap --script smb-enum-users -p 139 10.10.10.10

/usr/local/share/nmap/scripts/smb-enum-shares.nse
/usr/local/share/nmap/scripts/smb-os-discovery.nse
/usr/local/share/nmap/scripts/smb-enum-users.nse
/usr/local/share/nmap/scripts/sshv1.nse

grep for ports

grep -oP '\d{1,5}/open' allports.gmap | sort -u > ports.list
22/open
80/open
119/open
4555/open

vim
%s/\/ope//g
%s/n\n/,/g
nmap -p 110,119,22,25,4555,80 -sC -sV -oA output --script vuln $IP

NMAP PrivEsc

Older Version of nmap has 'interactive mode' If you are allowed sudo, this could be PrivEsc

>> nmap --version        ...nmap version 3.81
>> nmap --interactive

nmap> !sh
# whoami
root

PreviousFuzzing NextOpen Port Checks OneLiner

Last updated 2 years ago

Was this helpful?