Friday, December 01, 2017

Another nmap cheat list

Nmap Target Selection
Scan a single IP
nmap 192.168.1.1
Scan a host
Scan a range of IPs
nmap 192.168.1.1-20
Scan a subnet
nmap 192.168.1.0/24
Scan targets from a text file
nmap -iL list-of-ips.txt
These scans will scan 1000 TCP ports. Host discovery is the main objective.
Nmap Port Selection
Scan a single Port
nmap -p 22 192.168.1.1
Scan a range of ports
nmap -p 1-100 192.168.1.1
Scan 100 most common ports (Fast)
nmap -F 192.168.1.1
Scan all 65535 ports
nmap -p- 192.168.1.1
Nmap Port Scan types
Scan using TCP connect
nmap -sT 192.168.1.1
Scan using TCP SYN scan (default)
nmap -sS 192.168.1.1
Scan UDP ports
nmap -sU -p 123,161,162 192.168.1.1
Scan selected ports - ignore discovery
nmap -Pn -F 192.168.1.1
Ignoring discovery is used to bypass firewalls or hosts that does not respond to PING, but might increase the scan time as non existing hosts are also tried.
Scan for UDP DDOS reflectors
nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24

Service and OS Detection
Detect OS and Services
nmap -A 192.168.1.1
Standard service detection
nmap -sV 192.168.1.1
More aggressive Service Detection
nmap -sV --version-intensity 5 192.168.1.1
Lighter banner grabbing detection
nmap -sV --version-intensity 0 192.168.1.1

Nmap Output Formats
Save default output to file
nmap -oN outputfile.txt 192.168.1.1
Save results as XML
nmap -oX outputfile.xml 192.168.1.1
Save results in a format for grep
nmap -oG outputfile.txt 192.168.1.1
Save in all formats
nmap -oA outputfile 192.168.1.1

Digging deeper with NSE Scripts
Scan using default safe scripts
nmap -sV -sC 192.168.1.1
Get help for a script
nmap --script-help=ssl-heartbleed
Scan using a specific NSE script
nmap -sV -p 443 –script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scripts
nmap -sV --script=smb* 192.168.1.1


Heartbleed Testing
nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24

To search for installed scripts         locate nse | grep script.

HTTP Service Information
Gather page titles from HTTP services
nmap --script=http-title 192.168.1.0/24
Get HTTP headers of web services
nmap --script=http-headers 192.168.1.0/24
Find web apps from known paths
nmap --script=http-enum 192.168.1.0/24

IP Address information
Find Information about IP address
nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24


Just a bookmark for handy nmap commands