# nmap

## TCP and UDP Scan

```shell
TARGETIP=<target_ip>
```

### TCP

```shell
# First pass: fast full-range connect scan, then turn the open port lines
# ("22/tcp open ssh") into a comma-separated list for the detailed scan.
TCPPORTS=$(sudo nmap -sT -p- --min-rate=1000 -T4 "$TARGETIP" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
# Second pass: version detection, default scripts and OS detection on those ports only.
sudo nmap -p"$TCPPORTS" -sTVC -O "$TARGETIP" --open
```

### UDP

```shell
# Same two-pass approach for UDP (slow: a full-range UDP scan takes a long time).
UDPPORTS=$(sudo nmap -sU -p- --min-rate=1000 -T4 "$TARGETIP" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
sudo nmap -sUVC -O -p"$UDPPORTS" "$TARGETIP" --open
```

## Information

Script scan:

- `-sC`: equivalent to `--script=default`

Service/version detection:

- `-sV`: probe open ports to determine service/version info

We can use the `-sC` parameter to specify that `Nmap` scripts should be used to try and obtain more detailed information. The `-sV` parameter instructs `Nmap` to perform a version scan.

- `-p-`: all ports
- `-oA`: saves output to files (all three formats: normal, grepable and XML)
- `-sn`: disables port scanning
- `-PE`: performs the ping scan by using ICMP Echo requests against the target
- `--reason`: displays the reason for a specific result
- `-sT`: Connect scan. The `Connect` scan is useful because it is the most accurate way to determine the state of a port, and it is also the most stealthy.

Default TTL is 128 for Windows, 64 for Linux.

Press the spacebar during a scan to show its status.

The syntax for running an Nmap script is `nmap --script <script name> -p<port> <host>`.

```shell
# Scan from the DNS source port
sudo nmap <target IP> --source-port 53
```

```shell
# Scan from a different source IP
sudo nmap <target IP> -S <IP to Scan From> -e <Interface to use>
```

#### Banner Grab

`nmap -sV --script=banner <target>`

[smb-os](https://nmap.org/nsedoc/scripts/smb-os-discovery.html)

#### Script Scan

Category | Description
-|-
auth | Determination of authentication credentials.
broadcast | Scripts used for host discovery by broadcasting; the discovered hosts can be automatically added to the remaining scans.
brute | Executes scripts that try to log in to the respective service by brute-forcing with credentials.
default | Default scripts executed by using the `-sC` option.
discovery | Evaluation of accessible services.
dos | These scripts are used to check services for denial of service vulnerabilities and are used less as they harm the services.
exploit | This category of scripts tries to exploit known vulnerabilities for the scanned port.
external | Scripts that use external services for further processing.
fuzzer | Uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time.
intrusive | Intrusive scripts that could negatively affect the target system.
malware | Checks if some malware infects the target system.
safe | Defensive scripts that do not perform intrusive and destructive access.
version | Extension for service detection.
vuln | Identification of specific vulnerabilities.

```shell
sudo nmap <target> -sC
sudo nmap <target> --script <category>
```

![[nmap_cheet_sheet_v7.pdf]]
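The `grep | cut | tr | sed` pipeline in the TCP and UDP sections above feeds a port list from the first scan into the second, but it keeps every line that starts with a digit, including ports nmap reports as `filtered`. The following is an added example (not part of this note and not an nmap-provided script) that does the same extraction while keeping only `open` (and, for UDP, `open|filtered`) ports, and then diffs the result against a baseline of ports that are supposed to be exposed. The nmap output it parses is a constructed sample embedded inline, so it runs without a network; the function names `open_ports` and `unexpected_ports` and the baseline are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of nmap "normal" output (not a real scan result),
# shaped like what the TCP pipeline in the note sees on stdin.
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds'

# open_ports: read nmap normal output on stdin and print a comma-separated
# port list. Like the note's pipeline it keeps lines starting with a digit,
# but additionally requires the STATE column to begin with "open", so
# "filtered" ports are dropped while UDP's "open|filtered" is still kept.
open_ports() {
    grep '^[0-9]' \
        | awk '$2 ~ /^open/ { split($1, a, "/"); print a[1] }' \
        | tr '\n' ',' | sed 's/,$//'
}

# unexpected_ports SCANNED BASELINE: print every port in the scanned list
# that is not in the baseline list (both comma-separated). Wrapping both in
# commas makes the match exact, so a baseline of 8080 does not cover 80.
unexpected_ports() {
    scanned=$1
    baseline=$2
    for p in $(printf '%s' "$scanned" | tr ',' ' '); do
        case ",$baseline," in
            *",$p,"*) ;;               # expected exposure, nothing to report
            *) printf '%s\n' "$p" ;;   # open but not in the baseline: flag it
        esac
    done
}

# Demo run against the constructed sample: expected exposure is 22 and 80,
# so 443 is reported as unexpected and 8080 (filtered) is never listed.
ports=$(printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_ports)
printf 'open ports: %s\n' "$ports"
printf 'not in baseline:\n'
unexpected_ports "$ports" "22,80"
```

To use this on a real result, replace the sample with the output of the first-pass scan (`sudo nmap -sT -p- ... "$TARGETIP" | open_ports`) and keep the baseline in a file per host; any port printed by `unexpected_ports` is either a service that should not be reachable or a baseline that needs updating.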