Nmap Target Selection

| Description | Command |
|---|---|
| Scan a single IP | nmap 192.168.1.1 |
| Scan a host | nmap www.hostname.com |
| Scan a range of IPs | nmap 192.168.1.1-20 |
| Scan a subnet | nmap 192.168.1.0/24 |
| Scan targets from a text file | nmap -iL list-of-ips.txt |

Each of these scans probes the 1000 most common TCP ports; host discovery is the main objective.
Nmap Port Selection

| Description | Command |
|---|---|
| Scan a single port | nmap -p 22 192.168.1.1 |
| Scan a range of ports | nmap -p 1-100 192.168.1.1 |
| Scan the 100 most common ports (fast) | nmap -F 192.168.1.1 |
| Scan all 65535 ports | nmap -p- 192.168.1.1 |
Nmap Port Scan Types

| Description | Command |
|---|---|
| Scan using TCP connect | nmap -sT 192.168.1.1 |
| Scan using TCP SYN scan (default) | nmap -sS 192.168.1.1 |
| Scan UDP ports | nmap -sU -p 123,161,162 192.168.1.1 |
| Scan selected ports, skipping host discovery | nmap -Pn -F 192.168.1.1 |
| Scan for UDP DDoS reflectors | nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24 |

Skipping host discovery (-Pn) is used to get past firewalls or hosts that do not respond to ping, but it can increase scan time because non-existent hosts are probed as well.
Service and OS Detection

| Description | Command |
|---|---|
| Detect OS and services | nmap -A 192.168.1.1 |
| Standard service detection | nmap -sV 192.168.1.1 |
| More aggressive service detection | nmap -sV --version-intensity 5 192.168.1.1 |
| Lighter banner-grabbing detection | nmap -sV --version-intensity 0 192.168.1.1 |
Nmap Output Formats

| Description | Command |
|---|---|
| Save default output to a file | nmap -oN outputfile.txt 192.168.1.1 |
| Save results as XML | nmap -oX outputfile.xml 192.168.1.1 |
| Save results in a grepable format | nmap -oG outputfile.txt 192.168.1.1 |
| Save in all formats | nmap -oA outputfile 192.168.1.1 |
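The grepable (-oG) format above is one line per host with tab-separated fields, where each port entry is port/state/protocol/owner/service/rpc info/version. The following is an added example, not part of the original cheat sheet: a parser that turns -oG output into an inventory of open ports per host, run against a constructed sample (SAMPLE_OG is made up, not real scan output). It also handles the UDP "open|filtered" state, which -sU scans produce when no reply distinguishes open from filtered.

```python
"""Parse Nmap grepable (-oG) output into {host: [(port, proto, service, version)]}."""

# Constructed sample of -oG output (not a real scan). Fields are tab-separated,
# port entries are comma-separated, each entry has 7 slash-separated fields:
# port/state/protocol/owner/service/rpc info/version
SAMPLE_OG = """# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -sU -oG out.txt 192.168.1.0/30
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 4 IP addresses (2 hosts up) scanned in 5.00 seconds
"""


def parse_grepable(text, states=("open",)):
    """Return {ip: [(port, proto, service, version), ...]} for entries whose state is in `states`.

    UDP scans report "open|filtered" when no ICMP unreachable came back; include that
    state explicitly (states=("open", "open|filtered")) if you want those ports listed.
    """
    results = {}
    for line in text.splitlines():
        # Comment lines and "Status: Up" lines carry no port data.
        if line.startswith("#") or "\tPorts: " not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]          # "192.168.1.1 (hostname)" -> "192.168.1.1"
        for entry in fields["Ports"].split(", "):
            # Trailing "/" yields an 8th empty element; keep the first 7 fields.
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state in states:
                results.setdefault(ip, []).append((int(port), proto, service, version))
    return results


def hosts_with_service(results, service):
    """List IPs whose parsed open ports include the named service (e.g. 'ssh')."""
    return sorted(ip for ip, ports in results.items() if any(p[2] == service for p in ports))


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG, states=("open", "open|filtered"))
    for ip, ports in inventory.items():
        print(ip, ports)
    print("ssh hosts:", hosts_with_service(inventory, "ssh"))
```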
Digging Deeper with NSE Scripts

| Description | Command |
|---|---|
| Scan using default safe scripts | nmap -sV -sC 192.168.1.1 |
| Get help for a script | nmap --script-help=ssl-heartbleed |
| Scan using a specific NSE script | nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1 |
| Scan with a set of scripts | nmap -sV --script=smb* 192.168.1.1 |
| Heartbleed testing | nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24 |

To search for installed scripts, run: locate nse | grep script
HTTP Service Information

| Description | Command |
|---|---|
| Gather page titles from HTTP services | nmap --script=http-title 192.168.1.0/24 |
| Get HTTP headers of web services | nmap --script=http-headers 192.168.1.0/24 |
| Find web apps from known paths | nmap --script=http-enum 192.168.1.0/24 |
IP Address Information

| Description | Command |
|---|---|
| Find information about an IP address | nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24 |

Just a bookmark for handy nmap commands.