Nmap Port Scan
Version Enumeration with Nmap:
Always start with a full nmap scan and check that it returns version information:
sudo nmap <ip> -p- -A -T4 -vv
We can also use the nmap script scans to look for vulnerable services:
sudo nmap <ip> -p <ports> --script=vuln -T4 -vv
Introduction
Also see [[(3) Study Notes/(1) Red Team/Pentest/(2) Network/(99) Testing Tools/(1) Enumeration Tools/Nmap|Nmap]].
Example Payload:
sudo nmap $ip -T4 -p- -A -vv
Trick for faster scanning:
First, do a full port scan without -A:
sudo nmap $ip -T4 -p-
Then, perform -A on the open ports only:
sudo nmap $ip -T4 -A -vv -p [Open Ports]
SYN Scan
Example Syntax:
sudo nmap -sS 192.168.50.149
Benefits:
Faster (fewer packets are sent, since the handshake is never completed)
May be stealthier (if the firewall does not log incomplete connections; the application may also not record the connection, as the half-open connection never reaches the application)
UDP Scan
Example Syntax:
sudo nmap -sU 192.168.50.149
Both SYN and UDP scans can also be combined into one scan:
sudo nmap -sU -sS 192.168.50.149
Network Sweeping
Example Syntax:
nmap -sn 192.168.50.1-253
Use the -sn option to perform no port scan.
For a larger network, write greppable output and filter it with grep:
nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt
Then:
grep Up ping-sweep.txt | cut -d " " -f 2
Web Sweep:
nmap -p 80 192.168.50.1-253 -oG web-sweep.txt
This sweeps for port 80 across the whole 192.168.50.0/24 network. Then:
grep open web-sweep.txt | cut -d " " -f 2
General Sweep:
nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
Use --top-ports to enumerate the most common services.
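The sweep pipelines above use grep and cut on nmap's greppable (-oG) output. As an added example that is not part of these notes, the following POSIX shell functions parse a constructed -oG sample: live hosts from a ping sweep, hosts where a specific port is confirmed open (ignoring open|filtered and closed), and one host's open ports as a comma list ready for the targeted -p pass described under "Trick for faster scanning". The sample output and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of nmap -oG output (not a real scan); real files are
# tab-separated, but awk's default whitespace splitting handles both.
SAMPLE_OG='# Nmap scan initiated (constructed sample)
Host: 192.168.50.1 ()  Status: Up
Host: 192.168.50.1 ()  Ports: 80/open/tcp//http///, 443/closed/tcp//https///  Ignored State: filtered (998)
Host: 192.168.50.6 ()  Status: Up
Host: 192.168.50.6 ()  Ports: 80/open|filtered/tcp//http///  Ignored State: closed (999)
Host: 192.168.50.8 ()  Status: Up
Host: 192.168.50.8 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (998)
# Nmap done (constructed sample)'

# Hosts that answered the ping sweep (nmap -sn ... -oG): lines with "Status: Up".
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' | sort -u
}

# Hosts where port $1 is confirmed "open" (not open|filtered, not closed).
# Each Ports: entry is port/state/proto/owner/service/rpcinfo/version/ .
hosts_with_open_port() {
  awk -v port="$1" '/^Host:/ && /Ports:/ {
    for (i = 1; i <= NF; i++) {
      tok = $i; sub(/,$/, "", tok)          # drop the comma separating entries
      n = split(tok, f, "/")
      if (n >= 2 && f[1] == port && f[2] == "open") { print $2; break }
    }
  }' | sort -u
}

# Comma-separated open ports of host $1, the form "nmap -p" accepts for the
# targeted second pass (full -p- scan first, then -A on the open ports only).
open_ports_for_host() {
  awk -v host="$1" '/^Host:/ && $2 == host && /Ports:/ {
    for (i = 1; i <= NF; i++) {
      tok = $i; sub(/,$/, "", tok)
      n = split(tok, f, "/")
      if (n >= 2 && f[2] == "open") { printf "%s%s", sep, f[1]; sep = "," }
    }
  } END { if (sep != "") print "" }'
}

printf '%s\n' "$SAMPLE_OG" | live_hosts                       # 3 hosts
printf '%s\n' "$SAMPLE_OG" | hosts_with_open_port 80          # .1 and .8, not .6
printf '%s\n' "$SAMPLE_OG" | open_ports_for_host 192.168.50.8 # 22,80
```

Against a real sweep, replace the printf with `cat top-port-sweep.txt`; the grep-only version in the notes would also list 192.168.50.6, whose port 80 is only open|filtered.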
OS Detection
Example Syntax:
sudo nmap -O 192.168.50.14 --osscan-guess
Use --osscan-guess for an aggressive OS guess.
Windows LOLBAS
Test-NetConnection in PowerShell
Example Syntax:
Test-NetConnection -Port 445 192.168.50.151
This is roughly equivalent to testing the port with Telnet.
Basic Port Scan in PowerShell:
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
This loops through ports 1 to 1024 and attempts a TCP connection to each port of 192.168.50.151. Connect() throws on ports that refuse the connection, and 2>$null hides those errors, so only the open ports are printed.
Bonus: Monitoring Traffic
iptables
Use iptables to monitor the traffic generated by scanning.
sudo iptables -I INPUT 1 -s 192.168.50.149 -j ACCEPT
-I inserts a new rule (into inbound traffic with INPUT). The number following INPUT indicates where to insert the rule (rule order), with 1 being at the top of all rules.
-s specifies the source of the traffic.
-j specifies what this rule does. Here ACCEPT means to let the packet through.
sudo iptables -I OUTPUT 1 -d 192.168.50.149 -j ACCEPT
-I inserts a new rule (into outbound traffic with OUTPUT).
-d specifies the destination of the traffic.
sudo iptables -Z
-Z zeroes the packet and byte counters. This resets the counters in iptables so that the scan produces a fresh set of data.
After scanning, use this to show the traffic generated:
sudo iptables -vn -L
Nessus
Not much useful stuff.
Nmap
NSE Scripts:
sudo nmap --script "vuln" [ip]
How to use custom NSE scripts:
1. Search for the relevant NSE script and download the .nse file to our machine.
2. Copy the script into the nmap scripts folder:
sudo cp /home/kali/Downloads/[script].nse /usr/share/nmap/scripts/[script].nse
3. Update script.db:
sudo nmap --script-updatedb
4. Use the script:
sudo nmap --script "[script].nse" [ip]