Mike's OSCP Guide

Nmap Port Scan

Version Enumeration with Nmap:

Always start with a full port scan (-p-) combined with -A, so that nmap also returns service version information.

sudo nmap <ip> -p- -A -T4 -vv

We can also run nmap's NSE vuln scripts against the open ports to look for vulnerable services:

sudo nmap <ip> -p <ports> --script=vuln -T4 -vv

Introduction


Also see [[(3) Study Notes/(1) Red Team/Pentest/(2) Network/(99) Testing Tools/(1) Enumeration Tools/Nmap|Nmap]].

Example Payload:

sudo nmap $ip -T4 -p- -A -vv

Trick for faster scanning:

First, do a full port scan without -A:

sudo nmap $ip -T4 -p-

Then, perform -A on all open ports.

sudo nmap $ip -T4 -A -vv -p [Open Ports]

SYN Scan


Example Syntax:

sudo nmap -sS 192.168.50.149

Benefits:

  • Faster (fewer packets are sent, since the three-way handshake is never completed)

  • May be stealthier (if the firewall does not log incomplete connections; the application may also not record the connection, as it never reached the application layer)

UDP Scan


Example Syntax:

sudo nmap -sU 192.168.50.149

Both SYN and UDP scans can also be combined into one scan:

sudo nmap -sU -sS 192.168.50.149

Network Sweeping


Example Syntax:

nmap -sn 192.168.50.1-253
  • Use the -sn option to perform no port scan.

For a larger network, write greppable output and filter it with grep:

nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt

Then:

grep Up ping-sweep.txt | cut -d " " -f 2

Web Sweep:

nmap -p 80 192.168.50.1-253 -oG web-sweep.txt
  • This sweeps port 80 across the whole 192.168.50.0/24 network. Then:

grep open web-sweep.txt | cut -d " " -f 2

General Sweep:

nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
  • --top-ports=20 scans only the 20 most common ports, which is a quick way to enumerate common services.
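
The "full port scan first, then -A on the open ports" trick and the ping/web sweeps above all come down to pulling hosts and port numbers out of nmap's greppable (-oG) output. The script below is an added example, not part of the original notes: every sample -oG listing in it is constructed by hand rather than captured from a scan, and the function names (open_ports, live_hosts, hosts_with_open_port, fast_full_scan) are mine. fast_full_scan assumes nmap and sudo are available and is not executed by the demo at the bottom.

```shell
#!/bin/sh
# Parse nmap -oG output so the two-phase scan and the sweeps can be chained
# without copying port numbers or IPs by hand. All samples are constructed.

# Constructed -oG output of `nmap 192.168.50.149 -T4 -p- -oG full.gnmap`.
FULL_SCAN_GNMAP='# Nmap scan initiated (constructed sample)
Host: 192.168.50.149 ()  Status: Up
Host: 192.168.50.149 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  Ignored State: closed (65531)
# Nmap done (constructed sample)'

# Constructed -oG output of `nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt`.
PING_SWEEP_GNMAP='Host: 192.168.50.1 ()  Status: Up
Host: 192.168.50.14 ()  Status: Up
Host: 192.168.50.149 ()  Status: Up'

# Constructed -oG output of `nmap -p 80 192.168.50.1-253 -oG web-sweep.txt`.
WEB_SWEEP_GNMAP='Host: 192.168.50.1 ()  Status: Up
Host: 192.168.50.1 ()  Ports: 80/closed/tcp//http///
Host: 192.168.50.14 ()  Status: Up
Host: 192.168.50.14 ()  Ports: 80/open/tcp//http///
Host: 192.168.50.149 ()  Status: Up
Host: 192.168.50.149 ()  Ports: 80/open/tcp//http///'

# Open TCP ports from -oG text on stdin, as the comma list that nmap -p expects.
open_ports() {
  grep -oE '[0-9]+/open/tcp' | cut -d/ -f1 | sort -n -u | tr '\n' ',' | sed 's/,$//'
}

# Hosts reported "Status: Up" in a ping-sweep file on stdin, one per line.
live_hosts() {
  grep 'Status: Up' | awk '{print $2}' | sort -u
}

# Hosts whose "Ports:" line shows the given port open. Stricter than a bare
# `grep open`, which would also match a hostname that happens to contain "open".
hosts_with_open_port() {
  grep -E "Ports: (.*, )?$1/open/" | awk '{print $2}' | sort -u
}

# The fast-scan trick end to end (assumes nmap and sudo; not run by the demo).
fast_full_scan() {
  ip="$1"
  sudo nmap "$ip" -T4 -p- -oG "full-$ip.gnmap" >/dev/null
  ports=$(open_ports < "full-$ip.gnmap")
  [ -n "$ports" ] || { echo "no open TCP ports on $ip" >&2; return 1; }
  sudo nmap "$ip" -T4 -A -vv -p "$ports"
}

# Demo on the constructed samples only.
echo "open ports:   $(printf '%s\n' "$FULL_SCAN_GNMAP" | open_ports)"
echo "live hosts:   $(printf '%s\n' "$PING_SWEEP_GNMAP" | live_hosts | tr '\n' ' ')"
echo "port 80 open: $(printf '%s\n' "$WEB_SWEEP_GNMAP" | hosts_with_open_port 80 | tr '\n' ' ')"
```

The parsers key on the `N/open/tcp` tokens and the `Status: Up` marker rather than on column positions, so they work whether nmap separates the fields with tabs or spaces.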

OS Detection


Example Syntax:

sudo nmap -O 192.168.50.14 --osscan-guess
  • Use --osscan-guess to make nmap guess the OS more aggressively when the match is not exact.

Windows LOLBAS


Test-NetConnection in PowerShell

Example Syntax:

Test-NetConnection -Port 445 192.168.50.151
  • This is essentially the same as testing whether the port is open with Telnet.

Basic Port Scan in PowerShell:

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
  • This loops through ports 1 to 1024 and attempts to open a TCP connection to each port on 192.168.50.151. Connect() blocks until it succeeds or times out, so filtered ports make the loop slow; the exceptions raised for closed ports are discarded by 2>$null.

Bonus: Monitoring Traffic


iptables

  • Use iptables to monitor the traffic generated by a scan.

sudo iptables -I INPUT 1 -s 192.168.50.149 -j ACCEPT
  • -I for inserting a new rule (to inbound traffic with INPUT)

    • The number following INPUT indicates where to insert the rule (Rule Order), with 1 being at the top of all rules.

  • -s for the source of traffic

  • -j for specifying what this rule does. Here ACCEPT means to let the packet go through.

sudo iptables -I OUTPUT 1 -d 192.168.50.149 -j ACCEPT
  • -I for inserting a new rule (to outbound traffic with OUTPUT)

  • -d for the destination of traffic

sudo iptables -Z
  • -Z for zeroing the packet and the byte counter. This is to reset the counters in iptables to obtain a fresh set of data.

After scanning, use this to show the traffic generated:

sudo iptables -vn -L
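
The iptables steps above can be wrapped in one function that inserts the counting rules, zeroes the counters, runs the scan, prints a per-chain packet and byte total for the target, and removes the rules again. This is an added example, not from the original notes: the iptables listing it parses is constructed by hand, the function names (scan_traffic_summary, monitor_scan) are mine, and monitor_scan assumes root and is not executed by the demo line at the bottom.

```shell
#!/bin/sh
# Summarise the iptables counters after a scan. The listing below is a
# constructed sample of `sudo iptables -vnx -L`, not a real capture.
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1310      75432 ACCEPT     0    --  *      *       192.168.50.149       0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1381      82816 ACCEPT     0    --  *      *       0.0.0.0/0            192.168.50.149'

# Sum packets and bytes of every rule that names the target IP, per chain.
# Feed it the -x (exact) listing: without -x iptables abbreviates large
# counters to forms like "75K", which awk would not add up correctly.
scan_traffic_summary() {
  awk -v ip="$1" '
    /^Chain /            { chain = $2; next }   # "Chain INPUT (policy ...)"
    $1 == "pkts"         { next }               # column header line
    $8 == ip || $9 == ip { pkts[chain] += $1; bytes[chain] += $2 }
    END { for (c in pkts) printf "%s %d packets %d bytes\n", c, pkts[c], bytes[c] }
  ' | sort
}

# The full procedure from the notes (assumes root; not run by the demo).
# Usage: monitor_scan 192.168.50.149 sudo nmap -sS 192.168.50.149
monitor_scan() {
  target="$1"; shift
  sudo iptables -I INPUT 1 -s "$target" -j ACCEPT     # count inbound from target
  sudo iptables -I OUTPUT 1 -d "$target" -j ACCEPT    # count outbound to target
  sudo iptables -Z                                    # fresh counters
  "$@"                                                # the scan command
  sudo iptables -vnx -L | scan_traffic_summary "$target"
  # Remove the counting rules so they do not linger at the top of the chains.
  sudo iptables -D INPUT -s "$target" -j ACCEPT
  sudo iptables -D OUTPUT -d "$target" -j ACCEPT
}

# Demo on the constructed listing only.
printf '%s\n' "$IPTABLES_SAMPLE" | scan_traffic_summary 192.168.50.149
```

Because the rules are inserted at position 1 with an ACCEPT target, they match before any other rule in the chain, so the counters reflect every packet exchanged with the target, not only those that would otherwise have been logged.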

Nessus


Not much useful stuff.

Nmap


NSE Scripts:

sudo nmap --script "vuln" [ip]

How to use customized NSE Scripts:

1. Find the relevant NSE script online:

  • Download the .nse file to our machine.

2. Copy the script into the nmap scripts folder:

sudo cp /home/kali/Downloads/[script].nse /usr/share/nmap/scripts/[script].nse

3. Update script.db:

sudo nmap --script-updatedb

4. Use the script:

sudo nmap --script "[script].nse" [ip]
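
Steps 2 to 4 above can be wrapped in a small helper that checks the file before copying it and reads the categories the script declares, since a downloaded script only runs under --script "vuln" if its categories include "vuln". This is an added example, not from the original notes: the helper names (nse_script_categories, install_nse_script), the NSE_SCRIPTS_DIR override and the sample script header are mine, and the copy and --script-updatedb steps assume sudo and nmap are present.

```shell
#!/bin/sh
# Install a downloaded .nse file with sanity checks, and show its categories.

# The category list a script declares, e.g. `categories = {"vuln", "safe"}`.
nse_script_categories() {
  grep -E '^[[:space:]]*categories[[:space:]]*=' "$1" | grep -oE '"[^"]+"' \
    | tr -d '"' | tr '\n' ' ' | sed 's/ $//'
}

# Steps 2 and 3 from the notes: the file must exist, end in .nse, and not
# shadow a script already in the scripts directory. NSE_SCRIPTS_DIR can be
# overridden (assumed default is nmap's scripts directory on Kali).
install_nse_script() {
  src="$1"
  dir="${NSE_SCRIPTS_DIR:-/usr/share/nmap/scripts}"
  case "$src" in
    *.nse) ;;
    *) echo "refusing: $src does not end in .nse" >&2; return 1 ;;
  esac
  [ -f "$src" ] || { echo "refusing: $src is not a file" >&2; return 1; }
  dest="$dir/$(basename "$src")"
  [ ! -e "$dest" ] || { echo "refusing: $dest already exists" >&2; return 1; }
  echo "script categories: $(nse_script_categories "$src")"
  sudo cp "$src" "$dest" && sudo nmap --script-updatedb
}

# Demo on a constructed script header (no real NSE logic) in a temp directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/example-check.nse" <<'EOF'
-- constructed sample header, not a real script
description = [[Constructed example for the install helper]]
categories = {"vuln", "safe"}
EOF
echo "categories: $(nse_script_categories "$demo_dir/example-check.nse")"
# With the scripts dir pointed at the same directory, the install is refused
# because example-check.nse already exists there.
NSE_SCRIPTS_DIR="$demo_dir"
install_nse_script "$demo_dir/example-check.nse" || echo "install refused as expected"
rm -rf "$demo_dir"
```

After a successful install, `nmap --script "[script].nse"` runs it by name regardless of category, while the category selectors only pick it up if the categories line lists them.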
