nmap-cheat-sheet
### basic pentest scan
nmap -Pn -n -A -sS -p- -oN output.nmap <IP>
-Pn: no ping check (treat the host as up)
-n: no DNS resolution
-A: aggressive detection (OS, service version, default scripts, traceroute)
-sT: TCP connect scan [leaves traces in server logs]; the -sS SYN scan used here is less intrusive and leaves no trace in the logs by default
-p-: full port range (0-65535)
-oN output.nmap: write normal output to a file
Add a UDP scan in parallel with -sU (DNS, IPsec, ...)
Port states:
OPEN (server answers SYN/ACK)
CLOSED (server answers RST)
FILTERED (no response; dropped by a filtering device)
### simple
nmap -sP 10.0.0.0/24
Ping scans the network, listing machines that respond to ping (-sP is the old name of -sn in current Nmap releases).
nmap -p- -sV -sS -T4 target
Full TCP port scan with service version detection - usually my first scan; I find T4 more accurate than T5 and still "pretty quick".
nmap -v -sS -A -T4 target
Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services.
nmap -v -sS -A -T5 target
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services.
nmap -v -sV -O -sS -T5 target
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection.
nmap -v -p 1-65535 -sV -O -sS -T4 target
Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan.
nmap -v -p 1-65535 -sV -O -sS -T5 target
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + full port range scan.
Aggressive scan timings are faster, but could yield inaccurate results!
T5 uses very aggressive scan timings and could lead to missed ports; T4 is a better compromise if you need fast results.
### Nmap scan from file
nmap -iL ip-addresses.txt
Scans a list of IP addresses, you can add options before / after.
### nmap output format
nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24
Writes "grepable" output to a file, in this example for NetBIOS servers.
E.g., the output file could be grepped for "open" to list hosts with open ports.
nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | xsltproc --output file.html -
Export Nmap output to an HTML report (--webxml makes the XML reference the stylesheet hosted on nmap.org so xsltproc can render it without a local copy).
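Grepping the -oG file for "open" works for a quick look, but a small parser gives you a per-host inventory you can diff between scans or feed into an attack-surface review. The following is an added example (not part of this cheat sheet) that parses Nmap grepable output; the SAMPLE_OG text is constructed here, modelled on the NetBIOS scan above, and is not real scan data. It relies on the grepable format's fixed field layout: each port entry is port/state/proto/owner/service/rpcinfo/version/ and Nmap replaces any "/" inside the version string with "|".

```python
import re
from collections import defaultdict

# Constructed sample of Nmap grepable (-oG) output, modelled on the scan in
# the sheet above. Not real scan data. Fields on a Host line are tab-separated.
SAMPLE_OG = """\
# Nmap 6.47 scan initiated Thu Dec 11 21:26:00 2014 as: nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24
Host: 10.0.1.12 (nas.decepticons)\tStatus: Up
Host: 10.0.1.12 (nas.decepticons)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: MEGATRON)/, 445/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: MEGATRON)/
Host: 10.0.1.20 ()\tStatus: Up
Host: 10.0.1.20 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
# Nmap done at Thu Dec 11 21:26:28 2014 -- 256 IP addresses (2 hosts up) scanned in 28.74 seconds
"""

# "Host: <ip> (<hostname or empty>)"
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [port dicts]}} for every Host line."""
    hosts = defaultdict(lambda: {"hostname": "", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip "# Nmap ..." comment lines and blanks
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts[ip]
        if hostname:
            entry["hostname"] = hostname
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # "Status:", "Ignored State:" etc. are not needed here
            for item in field[len("Ports: "):].split(", "):
                # port/state/proto/owner/service/rpcinfo/version/
                parts = item.split("/")
                if len(parts) < 7:
                    continue  # malformed entry; ignore rather than crash
                entry["ports"].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return dict(hosts)


def open_ports(hosts):
    """Flatten to (ip, port, proto, service, version) tuples for ports in state 'open'."""
    return [(ip, p["port"], p["proto"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]


def hosts_exposing(hosts, ports):
    """Sorted IPs that have any of the given port numbers open, e.g. {139, 445} for SMB."""
    return sorted({ip for ip, port, *_ in open_ports(hosts) if port in ports})


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    for ip, port, proto, service, version in open_ports(parsed):
        print(f"{ip}:{port}/{proto} {service} {version}")
    print("SMB exposed on:", hosts_exposing(parsed, {139, 445}))
```

Run it against a real file with parse_grepable(open("grep-output.txt").read()); closed and filtered entries are kept in the per-host list so a later scan can be compared against the earlier one, while open_ports() and hosts_exposing() give the short lists that usually matter.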
### Netbios
nmap -sV -v -p 139,445 10.0.0.1/24
Find all Netbios servers on subnet
nmap -sU --script nbstat.nse -p 137 target
Nmap display Netbios name
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target
Nmap check if NetBIOS servers are vulnerable to MS08-067 (smb-check-vulns.nse was removed in Nmap 7.0; current releases split it into the smb-vuln-* scripts, e.g. smb-vuln-ms08-067).
--script-args=unsafe=1 has the potential to crash servers / services.
Be careful when running this command.
### Nmap Nikto Scan
nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h -
Scans for http servers on port 80 and pipes into Nikto for scanning.
nmap -p80,443 10.0.1.0/24 -oG - | nikto.pl -h -
Scans for http/https servers on port 80, 443 and pipes into Nikto for scanning.
### The following are real world examples of Nmap enumeration.
Enumerating Netbios
The following example enumerates Netbios on the target networks, the same process can be applied to other services by modifying ports / NSE scripts.
Detect all exposed Netbios servers on the subnet.
Nmap find exposed Netbios servers
root:~# nmap -sV -v -p 139,445 10.0.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds
Nmap find Netbios name.
root:~# nmap -sU --script nbstat.nse -p 137 10.0.1.12
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
137/udp open netbios-ns
Host script results:
|_nbstat: NetBIOS name: STARSCREAM, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds
Check if Netbios servers are vulnerable to MS08-067
Nmap check MS08-067
root:~# nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 10.0.0.1
Nmap scan report for ie6winxp.decepticons (10.0.1.1)
Host is up (0.00026s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: NOT VULNERABLE
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds
The information gathered during the enumeration indicates the target is vulnerable to MS08-067; exploitation will confirm if it’s vulnerable to MS08-067.
Further vulnerability-scanning NSE scripts: https://github.com/scipag/vulscan
Scan the most common ports
nmap --top-ports 1000 -v -oG -
Scans the 1000 most common ports and writes grepable output to stdout.
MS17-010
nmap -p445 --script smb-vuln-ms17-010 <target>
Checks whether the SMB service on the target is vulnerable to MS17-010 (EternalBlue).