-
-
Save synsa/22b98dc8f41e83b9a4f6f0600e2a8e84 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
scan target for pentest | |
nmap -PN -n -A -sS -p- -oN output.nmap <IP> | |
-Pn : no ping check (host is up), | |
-n no dns resolution | |
-A : detect systeme info | |
-sT : tcp connect [laisse des traces dans les logs serveurs] (moins impactant que -sS Syn, ne laisse pas de trace dans les logs par defaut) | |
-p- : port de 0-65535 | |
-oN output.nmap : write utput to file | |
ajouter un scan udp en parallèle -sU (dns, ipsec ...) | |
etats : | |
OPEN (serveur SYN/ACK) | |
CLOSE (serveur RESET) | |
FILERED (pas de réponse; droper par un équipment) | |
### simple | |
nmap -sP 10.0.0.0/24 | |
Ping scans the network, listing machines that respond to ping. | |
nmap -p- -sV -sS -T4 target | |
Full TCP port scan using with service version detection - usually my first scan, I find T4 more accurate than T5 and still "pretty quick". | |
nmap -v -sS -A -T4 target | |
Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services. | |
nmap -v -sS -A -T5 target | |
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services. | |
nmap -v -sV -O -sS -T5 target | |
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection. | |
nmap -v -p 1-65535 -sV -O -sS -T4 target | |
Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan. | |
nmap -v -p 1-65535 -sV -O -sS -T5 target | |
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + full port range scan. | |
Agressive scan timings are faster, but could yeild inaccurate results! | |
T5 uses very aggressive scan timings and could lead to missed ports, T4 is a better compromise if you need fast results. | |
### Nmap scan from file | |
nmap -iL ip-addresses.txt | |
Scans a list of IP addresses, you can add options before / after. | |
### nmap output format | |
nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24 | |
Outputs "grepable" output to a file, in this example Netbios servers. | |
E.g, The output file could be grepped for "Open". | |
nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | |
| xsltproc --output file.html - | |
Export nmap output to HTML report. | |
### Netbios | |
nmap -sV -v -p 139,445 10.0.0.1/24 | |
Find all Netbios servers on subnet | |
nmap -sU --script nbstat.nse -p 137 target | |
Nmap display Netbios name | |
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target | |
Nmap check if Netbios servers are vulnerable to MS08-067 | |
--script-args=unsafe=1 has the potential to crash servers / services | |
Becareful when running this command. | |
### Nmap Nikto Scan | |
nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h - | |
Scans for http servers on port 80 and pipes into Nikto for scanning. | |
nmap -p80,443 10.0.1.0/24 -oG - | nikto.pl -h - | |
Scans for http/https servers on port 80, 443 and pipes into Nikto for scanning. | |
### The following are real world examples of Nmap enumeration. | |
Enumerating Netbios | |
The following example enumerates Netbios on the target networks, the same process can be applied to other services by modifying ports / NSE scripts. | |
Detect all exposed Netbios servers on the subnet. | |
Nmap find exposed Netbios servers | |
root:~# nmap -sV -v -p 139,445 10.0.1.0/24 | |
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT | |
Nmap scan report for nas.decepticons 10.0.1.12 | |
Host is up (0.014s latency). | |
PORT STATE SERVICE VERSION | |
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON) | |
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON) | |
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . | |
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds | |
Nmap find Netbios name. | |
Nmap find exposed Netbios servers | |
root:~# nmap -sU --script nbstat.nse -p 137 10.0.1.12 | |
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT | |
Nmap scan report for nas.decepticons 10.0.1.12 | |
Host is up (0.014s latency). | |
PORT STATE SERVICE VERSION | |
137/udp open netbios-ns | |
Host script results: | |
|_nbstat: NetBIOS name: STARSCREAM, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown) | |
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds | |
Check if Netbios servers are vulnerable to MS08-067 | |
Nmap check MS08-067 | |
root:~# nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 10.0.0.1 | |
Nmap scan report for ie6winxp.decepticons (10.0.1.1) | |
Host is up (0.00026s latency). | |
PORT STATE SERVICE | |
445/tcp open microsoft-ds | |
Host script results: | |
| smb-check-vulns: | |
| MS08-067: VULNERABLE | |
| Conficker: Likely CLEAN | |
| regsvc DoS: NOT VULNERABLE | |
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE | |
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive) | |
Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds | |
The information gathered during the enumeration indicates the target is vulnerable to MS08-067, exploitation will confirm if it’s vulnerable to MS08-067. | |
https://github.com/scipag/vulscan | |
extract commun port | |
nmap --top-ports 1000 -v -oG - | |
MS17-010 | |
nmap -p445 --script smb-vuln-ms17-010 <target> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment