
enumeration


  • Nmap scripts cause nmap to do a port scan so they can find out which ports are open, but nmap scripts run without a version scan may not properly measure the target's configuration and vulnerabilities, especially for services on non-standard ports.


By default nmap will check the top 100 most used ports for TCP and/or UDP.

# nmap -PN -sS target_ip_address -p 1-1024 --packet-trace
 [ -PN = indicates that we don't want to ping the target system, just scan it ;
    -sS = do a SYN scan, also known as a stealth scan or half-open scan ;
    -p = list of the ports to scan ;
    --packet-trace = makes nmap display the status and packet summary information ;
    -PB = same as default; use ICMP Echo Request, SYN to TCP 443, ACK to TCP 80, and ICMP Timestamp request (if UID 0) ;
    -PE = formerly -PI; send ICMP echo request (ICMP type 8) ;
    -F = fast; will scan the top 100 most popular ports of TCP/UDP ;
    --top-ports [N] = scan the N most popular ports from the nmap services file ;
    -sT = regular TCP Connect scan, full three-way handshake ;
    -n = don't resolve domain names ;
    -sP = ping sweep, but no ICMP or TCP will be sent for the ping sweep, only ARP; used when on the same subnet ;
    --scanflags = generate probes with your own desired TCP control bits ;
    -sA = ACK scan ;
    -sF = FIN scan ;
    -sN = NULL scan ;
    -sX = Xmas-Tree scan ;
    -sM = Maimon scan (FIN/ACK probe)
 ]

>> p turns packet tracing on (shift-p turns it off)
>> v increases the verbosity (shift-v decreases it)
>> d increases the debugging level (shift-d decreases it)

# nmap -T  [timing_options] [other_options]

>> [timing_options] ==> 0 = paranoid ; 1 = sneaky ; 2 = polite ; 3 = normal ; 4 = aggressive ; 5 = insane
>> [other_options] ==> --host_timeout ; --max_rtt_timeout ; --min_rtt_timeout ; --initial_rtt_timeout ; --max_parallelism ; --scan_delay

# nmap -n -sP 10.10.10.1-255 [ -n = does not resolve names ; -sP = do a ping sweep, but no ICMP or TCP packets are sent for the sweep; only ARP is sent, since all hosts are on the same subnet as the nmap scan host ]

# nmap -n -sT 10.10.10.50 -p 0 [ T = TCP ; U = UDP ; -p = ports ; --reason = tells us why nmap classifies a given port's open/closed/filtered state as it does ; --badsum = running nmap with --badsum takes longer and returns no results: all ports show as filtered because the end system ignores these packets and sends nothing back ]
# gedit /usr/share/nmap/nmap-services [nmap services file from which nmap gets its list of most frequent ports to scan]

# tcpdump -nn host your_IP_address and net 10.10.10
# nmap -n -O -sT -p 1-1024 10.10.10.1-255
[ do not resolve names, display IP addresses, O/S fingerprinting, TCP connect scan with a 3-way handshake for each open port, scan the target network 10.10.10.1-255 ]





  • Those who missed Defcon can now watch Fyodor and David Fifield demonstrate the power of the Nmap Scripting Engine. They give an overview of NSE, use it to explore Microsoft's global network, write an NSE script from scratch, and hack a webcam--all in 38 minutes! (Presentation video)



  • More info on Nmap switches and techniques:

    The predominant switches available in Nmap as they correspond to the scans covered earlier are
    as follows:

    • -sT —TCP Connect() scan
    • -sS —SYN scan
    • -sF —FIN scan
    • -sX —Xmas-Tree scan
    • -sN —NULL scan
    • -sI —Dumb scan (also called an idle scan)
    • -sA —ACK scan
    • -P0 —Do not try to ping hosts before scanning them.
    • -PP —Uses the ICMP timestamp request (ICMP type 13) packet to find listening hosts. Normally,
    Nmap attempts to ping the hosts using ICMP echo request (ICMP type 8) packets to see if the
    host is there. Some firewalls and routers block echo requests yet still allow other traffic to
    penetrate. This switch also uses ICMP to determine if the host is live, but it uses a different
    ICMP packet for this purpose.
    • -6 —Enables IPv6 support. You can perform a port scan against a host name through DNS
    (assuming the DNS server has the IPv6 AAAA records) or through the IP address.
    • -oN logfilename —Sends the output in human-readable format to the file of your choosing.
    • -oX logfilename —Same as -oN, but this time sends it to the logfile in XML format.
    • -oG logfilename —Same as -oN, but stores all the results on a single line for querying through
    the grep program.
    • -append_output —Appends the output to your existing log files instead of overwriting them.
    • -p —Specifies the port number(s) to scan. TCP and UDP ports total 65,536. This switch lets you
    specify single ports, ranges, or lists of ports to scan. You can also specify whether you want to
    scan UDP or TCP ports only. For example, to scan TCP ports 23 (Telnet), 25 (SMTP), and 80
    (HTTP), you can type this:
    nmap -p T:23,25,80
    • -v —Verbose mode.
    • -vv —Very verbose mode. Enable this to see the most detailed output.
    • -M maxsockets —Sets the maximum number of sockets used by Nmap. Limiting this value decreases
    the scan rate, which is helpful when scanning some hosts that have been known to crash when
    being scanned. Of course, discovering that these hosts crash is a vulnerability that you should
    document in your penetration report.
    • -T {paranoid | sneaky | polite | normal | aggressive | insane} —Changes the timing policies for
    scanning. The default is normal, which attempts to scan as quickly as possible. Paranoid is
    helpful to avoid IDS systems and waits five minutes between sending packets. Sneaky sends
    packets every 15 seconds. Polite waits 0.4 seconds between packets and is designed to prevent
    host crashing. Aggressive and insane attempt to speed up the scans, but because accuracy and
    stealth are important, you should avoid these unless you have a justifiable reason to use them.
    • -host_timeout milliseconds —Specifies how long to wait for a response before scanning stops
    for a single host. If Nmap appears to hang, you might want to adjust this timer.
    • -scan_delay milliseconds —Similar to -T, this specifies how long to wait between probes.
    Increasing this value might let you go undetected past IDS systems.
    • -O —Attempts to detect the operating system. It also attempts TCP Sequence Predictability
    Classification to report how difficult it would be to forge a TCP connection.

    In addition to the switches just listed, Nmap is capable of performing more advanced techniques,
    such as changing the source port number, fragmenting packets, performing Identd scanning, and
    doing FTP bounce scanning:
    • -source_port portnumber —Specify the source port number. Firewalls and routers might block your
    attempts to scan a host if your port number is above 1023. However, many firewalls and routers
    allow DNS (port 53) or FTP-Data (port 21) packets through. If you are having difficulties getting
    past a firewall, try changing your port number to 53 or 21.

    • -f —Fragment your packets. By breaking up your scans into smaller TCP fragments, you can
    often go undetected by low-end security devices that do not want to process fragments to see
    if a scan is taking place.
    • -I —Perform an Identd scan. The Identd protocol (RFC 1413) allows for the disclosure of the
    username associated with a TCP process. This allows you to connect to web servers and find
    out if it is running with root privileges (full administrator access). If so, cracking the web server
    gives you full rights to the server that is hosting the site. This scan rarely works, however,
    because most hosts disable the Identd service for this very reason.
    • -b —Perform an FTP bounce scan. This is an older scan that, like the Identd scan, rarely works.
    It relies on your having access to a proxy FTP server and performing a scan from that FTP
    server. Again, most administrators have taken the necessary precautions to prevent such
    scans.

    http://www.nmap.org/

    - Scanning a host to find out whether its IP address is live
    Use nmap -sP IP, which will identify whether the host is up even if it is not pingable. If you capture the traffic (e.g. tcpdump host IP), the capture will also tell you whether the IP address is alive. nmap will send one ICMP echo request and a TCP ACK packet; in the capture you would see that the ICMP echo request did not generate any reply. Examples: nmap -sP 192.168.1.0/24 or nmap -sP 192.168.1.1-255

    Nmap Cheat Sheet

    From <https://highon.coffee/blog/nmap-cheat-sheet/>

    ------------------

    Stage scan
    From <https://www.securesolutions.no/zenmap-preset-scans/>
    1. Do only a ping sweep on the target, no port scan:
    • nmap -sn 10.0.1.0/24 -oG nmapoutput1
    2. The second command reads that output and extracts the set of IP addresses that are up:
    • grep "Host:" nmapoutput1 | cut -d " " -f 2 > ipaddress.list
    3. Once you have the list of IPs that are up, port scan all ports on only those IPs.
    "-A" is quite a noisy scan: it identifies the target OS, services and their versions, and may take a long time.
    The -A option is equivalent to applying the following options to your scan: -sC -sV -O --traceroute
    • nmap -sS -p- -T4 -iL ipaddress.list (TCP ports. -sS is the stealth half-open scan; -sT could be used instead for a full connect scan. Shows you the open ports quickly.)
    4. nmap -p 137 --script=all 1.2.3.4 ... run all NSE scripts against a single port (137) on a single IP address
    ---------------

    Stage scan:
    step 1: nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p 1-65535 -oN /root/stage1_nmap_TCP_hostip_hostname 1.2.3.4

    step 2: nmap -nvv -Pn -sSV -p 22,80,389 --version-intensity 9 -A -oN /root/stage2_nmap_TCP_hostip_hostname 1.2.3.4

    UDP scan, step 3: nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oN filename-UDP 1.2.3.4
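    Added example, not from these notes, the linked cheat sheets or nmap itself: a POSIX shell script that does the host-list extraction from step 2 of the first stage scan and then builds the per-host port list for the targeted -sSV scan of step 2 of the second stage scan, both from nmap's grepable (-oG) output. The two inputs are hand-constructed samples of -oG lines; the addresses, host names and output file names are made up.

```shell
#!/bin/sh
# Added example (not the notes' own code): parse nmap -oG output to get the
# hosts that are up and each host's open ports, then print the stage-2 command.
# SWEEP_OG and PORTSCAN_OG are constructed samples of grepable output; fields
# on a -oG "Host:" line are tab-separated.
SWEEP_OG=$(printf '%s\t%s\n' \
    'Host: 10.0.1.5 ()' 'Status: Up' \
    'Host: 10.0.1.9 (printer.lan)' 'Status: Up' \
    'Host: 10.0.1.12 ()' 'Status: Down')
PORTSCAN_OG=$(printf '%s\t%s\t%s\n' \
    'Host: 10.0.1.5 ()' 'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///' 'Ignored State: filtered (65532)' \
    'Host: 10.0.1.9 (printer.lan)' 'Ports: 9100/open/tcp//jetdirect///' 'Ignored State: closed (65534)')

# up_hosts: one IP per line for every host reported "Status: Up". This is the
# working form of the notes' 'grep Host : | cut -d " " -f 2': the pattern needs
# quoting, and hosts reported Down (listed when -v is used) must be skipped.
up_hosts() {
    printf '%s\n' "$1" | grep '^Host: ' | grep 'Status: Up' | cut -d ' ' -f 2
}

# open_ports: "ip port/proto" for each port in state "open". The Ports field is
# a comma-separated list of port/state/proto/owner/service/rpc/version entries.
open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '/^Host: / && /Ports: / {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            n = split(substr($i, 8), p, ",")
            for (j = 1; j <= n; j++) {
                gsub(/^ +/, "", p[j]); split(p[j], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3]
            }
        }
    }'
}

# port_list: comma-separated open ports of one IP, the value to hand to -p.
port_list() {
    open_ports "$2" | awk -v ip="$1" \
        '$1 == ip { split($2, a, "/"); printf "%s%s", sep, a[1]; sep = "," }'
}

# stage2_cmd: the targeted version scan of step 2, built from the ports found
# in stage 1 (printed rather than executed, so this runs offline).
stage2_cmd() {
    printf 'nmap -nvv -Pn -sSV -p %s --version-intensity 9 -oN stage2_%s %s\n' \
        "$(port_list "$1" "$2")" "$1" "$1"
}

stage2_cmd 10.0.1.5 "$PORTSCAN_OG"
```

    Run against real files, replace the two variables with `$(cat nmapoutput1)` and the -oG file from the stage-1 port scan.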
    ----------------
    theHarvester ... to get individuals' names and email addresses for the target company
    ----------------
    enum4linux Cheat Sheet

    enum4linux is an alternative to enum.exe on Windows; it is used to enumerate Windows and Samba hosts.

    From <https://highon.coffee/blog/enum4linux-cheat-sheet/>
    Unable to save text to a file, so used # enum4linux -a ip 2>&1 | tee output.txt
    ----------------
    Smbclient…part of enum4linux
    ----------------
    Dnsenum& dnsrecon……dns enumeration 
    ----------------
    foo | tee output.file
    For example, if you only care about stdout:
    ls -a | tee output.file
    If you want to include stderr, do:
    program [arguments...] 2>&1 | tee outfile
    2>&1 redirects channel 2 (stderr/standard error) into channel 1 (stdout/standard output), so that both are written to stdout. That stream is also written to the given output file by the tee command.
    Furthermore, if you want to append to the log file, use tee -a as:
    program [arguments...] 2>&1 | tee -a outfile

    2>&1 dumps the stderr and stdout streams. tee outfile takes the stream it gets and writes it to the screen and to the file "outfile".

    From <https://stackoverflow.com/questions/418896/how-to-redirect-output-to-a-file-and-stdout>
    ----------------
