# 10 Nmap

## Initial Scan

```
nmap -sC -sV -oA </path/to/file_to_output_to> <target>
```

- `-sC` run the default NSE scripts (same as `--script=default`)
- `-sV` probe open ports for service and version information
- `-oA` write output in all three formats (normal `.nmap`, grepable `.gnmap`, XML `.xml`) using the given basename

## Long/Background Scan

```
nmap -p- -T5 -oA </path/to/file_to_output_to> <target>
```

- `-p-` all TCP ports 1-65535 (port 0 is only included with `-p0-`)
- `-T5` "insane" timing template: fastest, but it gives up on slow probes and misses ports on lossy or rate-limited links (not recommended; `-T4` is the usual compromise for a background scan)
- `-oA` output in all formats

## UDP scan

Quick UDP scan (needs root for raw sockets; scans nmap's top 1000 UDP ports by default):

```
nmap -sU -v -oA </path/to/file_to_output_to> <target>
```

## Longer UDP

```
nmap -v -sC -sV -sU -Pn --disable-arp-ping -oA </path/to/file_to_output_to> <target>
```

- `-Pn` skip host discovery and treat the target as up
- `--disable-arp-ping` do not use ARP for discovery on the local segment
- adding `-sV` to a UDP scan sends protocol-specific payloads, which turns many `open|filtered` results into a definite `open` or `closed`

## Get the ports in the right format for a targeted nmap scan

```
a=$(grep -oP '\d{1,5}/open' kioptrix2.short.gnmap | sort -u | sed -e 's/\/open//g' | tr '\n' ','); a=${a%,}
```

- `-o` print only the matching part of each line, not the entire line
- `-P` interpret the pattern as a Perl-compatible regex
- `'\d{1,5}/open'` one to five digits followed by `/open`, i.e. every open port entry in the `.gnmap` file
- `sort -u` deduplicates, `sed` strips the `/open` suffix, `tr` joins the ports with commas, and `${a%,}` drops the trailing comma (same effect as the bash-only `${a::-1}`, but it also works on an empty list and in plain sh)

Caveats: the pattern also matches `open|filtered` entries (UDP ports nmap could not decide on), and with several hosts in one file the ports of all hosts are merged into one list. `sort -u` orders lexically (139 before 22), which `-p` does not mind.

## Scanning ipv6

```
nmap -sC -sV -oA scans/mischief-ipv6 -6 dead:beef::250:56ff:feb2:0190
```

`-6` switches nmap to IPv6; host discovery and OS detection work differently there, but port and script scanning are the same.

## Perform a targeted port scan

```
nmap -p "$a" -sC -sV -oA </path/to/file_to_output_to> --script vuln <target>
```

`-sC` is shorthand for `--script=default`; when combining it with another script selection, spell both out as `--script 'default,vuln'` so there is no doubt that both categories run. The `vuln` category is intrusive and slow, so keep it for the targeted scan rather than the sweep.

## Webserver enumeration

```
nmap -p 80,443,8000,8080,8443 --script=http-enum <target>
```

## Nmap Ping Sweep

```
nmap -sn 10.11.0.0/16 -oG ping_sweep.txt
grep Up ping_sweep.txt | cut -f2 -d " "
```

or

```
nmap -sn 10.11.1.1-254 -oG ping_sweep.txt
grep Up ping_sweep.txt | cut -f2 -d " "
```

`-sn` does host discovery only (no port scan); the grepable output has one `Host: 10.11.1.1 () Status: Up` line per live host and the `cut` keeps just the address.

Keep in mind that systems that drop ICMP will not answer an echo request even though they are in fact online, so this method is quick and efficient but not definitive. On the local Ethernet segment nmap discovers hosts with ARP requests, which a host cannot ignore; across a router it sends an ICMP echo, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request (as root), so a host that filters all four looks down. Port-scan such hosts anyway with `-Pn`.

## Find Low-Hanging Fruit

```
nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top_port_sweep.txt
grep open top_port_sweep.txt | cut -f2 -d " "
```

- `-sT` TCP connect scan: completes the handshake and needs no root; `-sS` is faster and leaves fewer traces on the target when raw sockets are available
- `-A` OS detection, version detection, default scripts and traceroute (noisy and slow across a whole range)
- `--top-ports=20` scan only the 20 most commonly open ports from nmap's frequency data

Machines that prove to be rich in services, or otherwise interesting, are then port scanned individually with a more exhaustive port list (`-p-`).

## OS Fingerprinting

```
nmap -O 10.0.0.19
```

`-O` attempts to guess the underlying operating system from the TCP/IP stack behaviour visible in the packets received from the target. It needs raw sockets (root) and is most accurate when at least one open and one closed TCP port are found. The service mix is a second hint: Kerberos (TCP 88) + LDAP (TCP 389) on the same host = Active Directory Domain Controller.

## Identifying NMAP Scripts

```
locate -r '\.nse$' | xargs grep categories | grep -E 'default|version' | grep smb
```

Plain `grep` treats `|` literally, so the alternation needs `-E` (or `egrep`); `locate -r` takes a regex, hence the escaped dot.

## Identify all nmap default scripts (-sC)

```
grep categories /usr/share/nmap/scripts/*.nse | grep '"default"' | awk -F: '{print $1}' | xargs -n1 basename
```

Matching the quoted `"default"` token avoids hits on scripts that merely mention the word, and `basename` strips the directory whatever the path depth. `nmap --script-help default` prints the same set from nmap's own script database.
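A more careful version of the two listings above, added here as an example (not from the page): it reads the `categories = { ... }` table of each script, which may span several lines in real scripts, and matches the quoted category token exactly, so `default` does not hit unrelated text. The scripts directory it creates is constructed with made-up script names; point `nse_in_category` at `/usr/share/nmap/scripts` for a real install.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: list NSE scripts that carry an
# exact category token, optionally filtered by script name.
# Real installs keep scripts in /usr/share/nmap/scripts; the directory built
# here is constructed, with made-up script names, so the script runs offline.

write_sample_scripts() {   # $1 = directory to populate
  mkdir -p "$1"
  printf 'categories = {"default", "discovery", "safe"}\n' > "$1/smb-alpha.nse"
  printf 'categories = {"auth", "intrusive"}\n'            > "$1/smb-bravo.nse"
  # multi-line table, as some real scripts write it
  printf 'categories = {\n  "version",\n  "safe"\n}\n'     > "$1/smb-charlie.nse"
  printf 'categories = {"default", "safe"}\n'             > "$1/http-delta.nse"
}

nse_in_category() {        # $1 = scripts dir, $2 = category, $3 = optional name regex
  local dir="$1" want="\"$2\"" filter="${3:-.}" f
  for f in "$dir"/*.nse; do
    # Collect the categories table from its opening line to the closing brace
    # and test for the quoted token; exit status 0 means the script is in it.
    if awk -v want="$want" '
          /^[[:space:]]*categories[[:space:]]*=/ { inblk = 1 }
          inblk { buf = buf $0 }
          inblk && /}/ { exit }
          END { exit !(index(buf, want) > 0) }' "$f"; then
      basename "$f" .nse
    fi
  done | grep -E -- "$filter" || true
}

# Stand-alone demo on the constructed directory.
demo=$(mktemp -d)
write_sample_scripts "$demo"
echo "default scripts:";     nse_in_category "$demo" default
echo "default smb scripts:"; nse_in_category "$demo" default smb
echo "version scripts:";     nse_in_category "$demo" version
rm -rf "$demo"
```

For ad-hoc questions nmap can answer this itself: `nmap --script-help 'smb-*'` prints every smb script with its categories.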

## Check for Shellshock vulnerability

```
nmap -p 80 --script=http-shellshock --script-args uri=/cgi-bin/test.cgi 10.11.1.71
nmap -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi 10.11.1.71
```

nmap takes a single `--script-args` string (a second one replaces the first), so test one CGI per run rather than stacking several `--script-args uri=...` on one command line. For `uri`, use the CGI paths found by brute-forcing the web server, e.g.

```
gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://10.11.1.71:80/ -s '200,204,301,307,403,500' -e | tee 'alpha/10.11.1.71/scans/10.11.1.71_80_gobuster_cgi'
```

(gobuster 2.x syntax; 3.x is `gobuster dir -u ... -w ...`.)
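The loop that the one-URI-per-run rule above calls for, together with a filter that turns gobuster output into the URI list. This is an added example, not from the page; the gobuster lines are constructed, the function names are this example's own, and `NMAP_BIN` is a hypothetical knob of this script (not an nmap feature) that lets you dry-run it with `NMAP_BIN=echo`.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: run http-shellshock once per
# CGI URI. nmap keeps a single --script-args string (a later one replaces an
# earlier one), so repeating --script-args in one command tests only the last
# URI. NMAP_BIN is a hypothetical knob of this script, not an nmap option.

shellshock_check() {   # $1 = host, $2 = port, $3.. = CGI URIs
  local host="$1" port="$2" uri
  shift 2
  for uri in "$@"; do
    "${NMAP_BIN:-nmap}" -p "$port" --script http-shellshock \
      --script-args "uri=$uri" "$host"
  done
}

# Pull candidate CGI paths out of gobuster output. Legacy gobuster prints
# "URL (Status: NNN)"; with -e the URL is absolute, so scheme and host are
# stripped and only paths that look like CGI scripts are kept.
cgi_uris_from_gobuster() {   # $1 = gobuster output file -> one URI per line
  awk '{ u = $1; sub(/^https?:\/\/[^\/]+/, "", u)
         if (u ~ /^\/.*\.(cgi|sh|pl)$/) print u }' "$1" | sort -u
}

write_sample_gobuster() {   # $1 = output file; constructed sample lines
  printf '%s\n' \
    'http://10.11.1.71:80/cgi-bin/test.cgi (Status: 200)' \
    'http://10.11.1.71:80/cgi-bin/admin.cgi (Status: 403)' \
    'http://10.11.1.71:80/cgi-bin/ (Status: 403)' \
    'http://10.11.1.71:80/images (Status: 301)' > "$1"
}

# Stand-alone demo: dry run (prints the nmap command lines) on the sample.
tmp=$(mktemp)
write_sample_gobuster "$tmp"
NMAP_BIN=echo shellshock_check 10.11.1.71 80 $(cgi_uris_from_gobuster "$tmp")
rm -f "$tmp"
```

Drop the `NMAP_BIN=echo` prefix to actually scan; the loop then produces one `http-shellshock` result block per URI, which is what you want when only some of the CGIs are vulnerable.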

View the arguments of an nmap script:

```
nmap --script-help <script-name>
```

e.g.

```
nmap --script-help irc-unrealircd-backdoor
```

## Enumerate NetBios Users

```
nmap -sC --script=smb-enum-users -p 139,445 <target>
```

`smb-enum-users` lists accounts through SAMR/LSA over SMB (NetBIOS session port 139 or direct SMB on 445). It works over a null session on old or misconfigured hosts; otherwise supply credentials with `--script-args smbusername=<user>,smbpassword=<pass>`.

## Stealth (SYN) scans

A SYN scan (`-sS`, nmap's default when run as root) sends the initial SYN and waits for the SYN/ACK from the server. It does not answer the SYN/ACK with an ACK (a RST goes out instead), so the three-way handshake is never completed and the listening application never sees a connection. It is called a "stealth" scan because this used to evade primitive firewalls and hosts that only logged completed connections; modern firewalls and IDS log half-open SYNs just as readily, so you will be detected doing this and the term "stealth" is misleading.

## UDP scans

UDP scans are often slow and unreliable: nmap marks a UDP port `closed` only when an ICMP port-unreachable comes back and `open` only when the service answers, and firewalls and routers frequently drop or rate-limit those ICMP packets (Linux limits them to about one per second), so most ports end up `open|filtered`. But it is a mistake to neglect UDP; DNS, SNMP, TFTP, NTP and IKE live there, and TCP is only half of the equation. Add `-sV` so nmap sends payloads that make services answer, use `--reason` to see why each state was assigned, and limit the scan with `--top-ports` to keep it tractable.

