Kennedy Sanchez <ksanchez@cldeveloper.com>
https://github.com/ksanchezcld
-------------------------------------------------------------------------------
-> nmap -T5 192.168.50.10
-> nmap -A 192.168.50.20
--- simple scans to determine which ports are open on the target system; -T5 is the fastest timing template (LAN only), -A adds OS detection, version detection, default NSE scripts and traceroute
--------------------------------------------------------------------------------
-> nmap -p 1-65535 -T4 -A -v -D 192.168.1.185 -iL ips.txt
-> nmap -Pn -n -sS --max-hostgroup 1 --max-retries 0 --max-parallelism 10 192.168.50.0/24
-> nmap -v -O -Pn -n 192.168.50.10
-> nmap -D192.168.75.10,192.168.75.11,192.168.75.1,ME -p 80,21,22,25,443 -Pn 192.168.75.2
-> nmap --script=/usr/share/nmap/scripts/broadcast-netbios-master-browser.nse 192.168.1.103
-> nmap -sn -n 192.168.1.0/24
-> nmap -sn -n 192.168.1.0/24 | awk '/Nmap scan report/{print $5}'
--- ping sweep only (-sP is the old name for -sn). With -n the report line is "Nmap scan report for <ip>", so the address is field 5; without -n a resolved name shifts the address into "(<ip>)" as field 6
-> nmap -sV -A -O 192.168.1.0/24 --open -oX OutputName.xml
-> nmap -f -n -Pn -v -p- -T4 192.168.75.0/24
-> nmap -n -sTUV -p T:22,80,111,139,443,32768,U:111,137,32768 192.168.75.14
-> nmap -p 1-65535 -T4 -A -v -D 10.0.0.141 10.0.0.142
-> nmap -sV --script=dhcp-discover <target>
-> nmap -p 443 --script ssl-heartbleed.nse <target>
- https://nmap.org/nsedoc/scripts/ssl-heartbleed.html
-> nmap -p 443 --script ssl-heartbleed.nse 192.168.1.103
-> nmap -sV --script ssl-heartbleed 192.168.1.103
-> nmap -sV -sS -O -oA myreport -vvv -iL targets.txt -p 1-65535 -Pn
-> nmap -Pn -p5900 x.x.x.x --script=realvnc-auth-bypass
-> nmap -sV -n 192.168.1.10
-> nmap -sTV -n 192.168.1.10
-> nmap -O -sV -sC -oX /home/ksanchez/nmap-scan-with-report.xml --stylesheet=nmap.xsl 192.168.1.10
[IDLE SCAN]
# nmap -p 23,53,80,1780,5000 -Pn -sI 192.168.1.88 192.168.1.111
[SYN SCAN]
# nmap -sS -T5 192.168.50.10
[NULL SCAN]
# nmap -sN -T5 192.168.50.10
[ACK scan]
# nmap -sA -T5 192.168.50.10
[PARAMETERS]
-p: the ports to scan, e.g. -p 80,443, -p 1-65535 or -p- (all 65535 TCP ports); prefix with T: or U: to mix TCP and UDP ports. Listing only ports you already know are open keeps the scan small and quiet. -p does not affect host discovery.
-Pn: Treat all hosts as online. Skips host discovery (the ping), so targets that drop ICMP are still port-scanned. -P0 is the old, deprecated spelling.
-D: decoy scan. nmap also sends the probes from the spoofed decoy addresses, so the target's logs show scans from every decoy as well as from you. Put ME in the list to choose where your real address appears (nmap picks a random position if ME is omitted); placing it late in the list makes it less likely to be the address a detector reports.
-T(0-5) templates allow you to set the aggressiveness of the scan. This is the
most simplistic method of detection avoidance. 0 is paranoid, 5 is insane
which should be used only on a LAN.
--max-hostgroup will limit the hosts that are scanned to only one at a
time
--max-retries: In penetration testing this is a setting that you may not want to
adjust unless you are very certain of the network stability. You could reduce
this value to 0 if you are very paranoid and not concerned with missing a
potentially vulnerable system in your scan.
--max-parallelism 10 would only allow 10 outstanding probes to be out at
once.
--scan-delay allows you to set a pause between probes.
[EXTRA NOTES]
Do not use the --scan-delay option together with --max-parallelism as they are not compatible with each other.
Use live decoys when scanning, i.e. addresses that are currently up on the network. This makes it harder to determine which system is actively scanning, and it avoids a side effect of dead decoys: a host that is down never answers the target's SYN/ACKs with a RST, so the target keeps half-open connections around and you can end up SYN-flooding it.
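The ping-sweep/awk one-liner above and the live-decoy note both come down to handling nmap's output. The following is an added example, not part of the original cheat sheet: it reads nmap's grepable (-oG) output to list live hosts, builds a -D argument from those live hosts (dropping the target and our own address, and inserting ME mid-list), and extracts open ports and versions from a later port scan. Nothing here runs nmap; both inputs are constructed samples in the -oG line format, and 192.0.2.0/24 is the RFC 5737 documentation range.

```shell
#!/bin/sh
# Added example for this cheat sheet, not nmap's own code. Both scan outputs
# below are CONSTRUCTED to match the -oG line format; nmap is never executed.

TAB=$(printf '\t')

# Constructed: what "nmap -sn -n -oG - 192.0.2.0/28" prints for five live hosts.
SWEEP_OUTPUT="# Nmap 7.94 scan initiated as: nmap -sn -n -oG - 192.0.2.0/28
Host: 192.0.2.1 ()${TAB}Status: Up
Host: 192.0.2.5 ()${TAB}Status: Up
Host: 192.0.2.7 ()${TAB}Status: Up
Host: 192.0.2.9 ()${TAB}Status: Up
Host: 192.0.2.12 ()${TAB}Status: Up
# Nmap done -- 16 IP addresses (5 hosts up) scanned in 1.23 seconds"

# Constructed: a later "nmap -sS -sV -Pn -n -oG - 192.0.2.9" (no --open, so a
# closed port is listed too). Port entries are port/state/proto/owner/service/rpc/version/.
SCAN_OUTPUT="# Nmap 7.94 scan initiated as: nmap -sS -sV -Pn -n -oG - 192.0.2.9
Host: 192.0.2.9 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 111/closed/tcp//rpcbind///${TAB}Ignored State: filtered (997)
# Nmap done -- 1 IP address (1 host up) scanned in 4.56 seconds"

# Live hosts from a ping sweep: one address per line (reads -oG on stdin).
live_hosts() {
    awk '/Status: Up/ { print $2 }'
}

# Decoy list for -D: every live host except the target ($1) and our own
# address ($2), with ME inserted in the middle so our real probe is not the
# first or last address a detector sees. Prints just "ME" if nothing is live.
build_decoys() {
    awk -v target="$1" -v me="$2" '
        /Status: Up/ && $2 != target && $2 != me { d[n++] = $2 }
        END {
            out = ""
            for (i = 0; i < n; i++) {
                if (i == int(n / 2)) out = out "ME,"
                out = out d[i] ","
            }
            if (out == "") out = "ME,"
            sub(/,$/, "", out)
            print out
        }'
}

# Compose the decoy scan with the flags used on this page; prints the command
# instead of running it so it can be reviewed (or fed to a job runner).
decoy_scan_cmd() {
    printf 'nmap -Pn -n -sS -T4 --max-hostgroup 1 --max-parallelism 10 -D%s -p 21,22,25,80,443 %s\n' \
        "$(printf '%s\n' "$SWEEP_OUTPUT" | build_decoys "$1" "$2")" "$1"
}

# Open ports from a port scan: prints "ip port/proto service version" for
# entries whose state is "open" (reads -oG on stdin).
open_ports() {
    awk 'BEGIN { FS = "\t" }
        /^Host:/ && $2 ~ /^Ports:/ {
            split($1, h, " "); ip = h[2]
            sub(/^Ports: /, "", $2)
            n = split($2, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5], f[7]
            }
        }'
}

# Demo on the constructed samples.
printf '%s\n' "$SWEEP_OUTPUT" | live_hosts
decoy_scan_cmd 192.0.2.9 192.0.2.5
printf '%s\n' "$SCAN_OUTPUT" | open_ports
```

In real use replace the two variables with `nmap -sn -n -oG - <range>` and `nmap ... -oG - <target>` output (or `-oG file`); the parsers only rely on the tab-separated Host/Status/Ports fields of the grepable format, which is why -oG is preferred over scraping normal output with awk field numbers.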
[SAMPLES]
# nmap --script=/usr/share/nmap/scripts/http-enum.nse 192.168.1.103
80/tcp open http
| http-enum:
| /tikiwiki/: Tikiwiki
| /test/: Test page
| /phpinfo.php: Possible information file
| /phpMyAdmin/: phpMyAdmin
| /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
| /icons/: Potentially interesting folder w/ directory listing
|_ /index/: Potentially interesting folder
# nmap --script=/usr/share/nmap/scripts/broadcast-netbios-master-browser.nse 192.168.1.103
| broadcast-netbios-master-browser:
| ip server domain
|_192.168.1.156 XXX WORKGROUP