https://github.com/nmap/nmap

Basics

nmap -sn [TARGET_NETWORK]/24
Host discovery only, no port scan (ARP, ICMP, TCP/UDP ping).

nmap -sV -sC [TARGET_IP]
Service/version detection on open ports plus the default script set.

Host discovery process (-sn)

  • Privileged user scanning targets on the local network: ARP requests.
  • Privileged user scanning targets outside the local network: ICMP echo request, TCP ACK to port 80, TCP SYN to port 443, and ICMP timestamp request.
  • Unprivileged user scanning targets outside the local network: TCP SYN to ports 80 and 443.

Flags

-O
OS detection.

-sV
Service and version detection (forces Nmap to complete the TCP three-way handshake).

-oN myOutputFile
Normal output, written to myOutputFile.

-vv
Verbose output.

-n
Do not resolve DNS names.

-Pn
Skip the ping-based host discovery; treat every host as up.

-r
Scan ports in consecutive order instead of random order.

Ports

-p 80
Scan port 80.

-p 80,443
Scan ports 80 and 443.

-p 80-443
Scan ports 80 to 443.

-p-
Scan all ports.

Timing

-T0
Paranoid (5 minutes between probes; meant to avoid IDS detection).

-T1
Sneaky (meant to avoid IDS detection).

-T2
Polite.

-T3
Normal (Default).

-T4
Aggressive.

-T5
Insane (can affect scan accuracy).

Scan types

-sT
TCP connect scan. Default when running as a non-privileged user.

-sS
SYN scan (half-open TCP, "stealth" scan). Default when running as a privileged user.

-sU
UDP port scan.

Firewall Bypass and Evasion

-sN
Null scan (no TCP flags set). No response means the port is open or filtered.

-sF
FIN scan (FIN flag only). No response means the port is open or filtered.

-sX
Xmas scan (FIN, PSH and URG flags set together). No response means the port is open or filtered.

-sA
ACK scan, used to map firewall rules. Reports ports as unfiltered (which does not mean they are open).

-D RND,ME [TARGET_IP]
Send the same probes from decoy IP addresses as well (RND is a random IP, ME is my own IP).

-f and -ff
Send fragmented packets (8-byte fragments with -f, 16-byte fragments with -ff).

Scripts

/usr/share/nmap/scripts

-sC
Default script scanning.

-A
Aggressive scan (-O + -sV + -sC + --traceroute).

--script vuln
Run a script or script category (here the vuln category).

--script http-put --script-args http-put.url='https://security.kaldei.xyz/dav/shell.php',http-put.file='./shell.php'
Script with arguments.

SMB Scan

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [TARGET_IP]
Enumerate SMB shares and users.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount [TARGET_IP]
Enumerate rpcbind and NFS exports.

nmap --script=smb2-security-mode.nse -p445 [TARGET_IP]
Scan for disabled SMB signing.


Weak Cipher Scan

nmap --script=ssl-enum-ciphers -p 443 [TARGET_IP]
Check for weak ciphers. Anything graded below B is a weak cipher.
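To act on the SMB signing and weak cipher checks above across many hosts, it helps to parse the normal (-oN) output instead of reading it by eye. The following is an added example, not part of the original cheat sheet or of Nmap: it flags every cipher suite that ssl-enum-ciphers grades below B and reports whether smb2-security-mode says signing is required. The sample output is constructed, and the exact smb2-security-mode wording it matches is assumed from the script's own summary lines.

```python
import re

# Constructed sample of nmap -oN output for the two script checks above
# (not a capture from a real host; values chosen to exercise the parser).
SAMPLE_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - D
|_  least strength: D
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
"""

GRADES = "ABCDEF"  # ssl-enum-ciphers grade scale, best to worst
PROTO_RE = re.compile(r"^\|\s+((?:TLS|SSL)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[_ ]\s+(TLS_\S+)\s+\([^)]*\)\s+-\s+([A-F])\s*$")

def weak_ciphers(output, min_grade="B"):
    """Return [(protocol, cipher, grade)] for suites graded worse than min_grade."""
    weak, proto = [], None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:                       # remember which protocol version the suites belong to
            proto = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and GRADES.index(m.group(2)) > GRADES.index(min_grade):
            weak.append((proto, m.group(1), m.group(2)))
    return weak

def smb_signing_required(output):
    """True if signing is required, False if merely enabled or disabled, None if not reported."""
    if "smb2-security-mode" not in output:
        return None
    return "Message signing enabled and required" in output  # assumed script wording

if __name__ == "__main__":
    for proto, cipher, grade in weak_ciphers(SAMPLE_OUTPUT):
        print(f"weak cipher: {proto} {cipher} (grade {grade})")
    print("SMB signing required:", smb_signing_required(SAMPLE_OUTPUT))
```

Run it against a real -oN file by replacing SAMPLE_OUTPUT with the file's contents.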