nmap

Connecting to TCP and UDP ports to determine what services and applications are running on the target. 65,534 ports each for both TCP and UDP. The first 1024 ports are well-known ports (associated with specific services).

Officially allowed during the OSCP exam according to the OSCP Exam Guide (including NSE)

Help

Displays nmap cheat sheet and help

Nmap Timing Templates

nmap
nmap --help

Options
-T: timing, 1 the slowest, 5 the fastest. Use T0 when scanning client network or would slow down the network
-v: verbose, capture the banner
-PN: not to ping, to identify active system
-O: operating system
-n: no dns resolution will be made
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scan
-sn: ping scan, host discovery
--top-ports 100: scan top 100 ports listed by nmap, from /usr/share/nmap/nmap-services
--max-parallelism 10: limit the number of probes that are sent out
-oA: output the results to all formats to file, including greppable
-A: aggressive and more advanced options
-oG: send output to a file, greppable

-iL list-of-ips.txt
--dns-server x.x.x.x

List top ports (–top-ports 100)

This will print the XML output to the terminal which includes the exact ports. You don’t need to specify a real host list either.

nmap -oX - --top-ports 1000 fakehost | grep services

Nmap on Windows

For a graphical version, use Zenmap. Download nmap for Windows.

wget https://nmap.org/dist/nmap-7.92-setup.exe

Stealthy scans…

# Spoof your MAC Address:
nmap --spoof-mac 00:11:22:33:44:55 $IP

# Spoof your MAC Address with a Random MAC:
nmap --spoof-mac 0 $IP

# TCP SYN Scan / Half-Open Scan (doesn't open a full TCP connection)
sudo nmap -sS -p0-65535 --spoof-mac 0 $IP

Pentest ready

The top 1,000 (out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports, according to nmap’s website.

TCP

# Connect scan for a list of IP addresses
# Generates one file per IP
for IP in $(cat ./IPs.txt | grep -v "#"); do nmap -T4 -sT -p 1-65535 $IP > ./nmap_tcp_all_ports_${IP}.txt; done;

# Lighter scan (e.g. on production systems)
for IP in $(cat ./IPs.txt | grep -v "#"); do nmap -T4 -sT --top-ports 1000 $IP > ./nmap_tcp_top1000_${IP}.txt; done;

# TCP SYN Scan / Half-Open Scan (doesn't open a full TCP connection), Random spoofed MAC
for IP in $(cat ./IPs.txt | grep -v "#"); do sudo nmap -T4 -sS -p 1-65535 --spoof-mac 0 $IP > ./nmap_tcp_syn_all_ports_${IP}.txt; done;

UDP

sudo nmap -sU --open --top-ports 1000 -iL IPs.txt -oA nmap_udp_top1000-$(date '+%Y.%m.%d.%Hh%M')
for IP in $(cat ./IPs.txt | grep -v "#"); do sudo nmap -sU --open --top-ports 1000 $IP > ./nmap_udp_top1000_${IP}.txt; done;

Host Discovery

Ping scan

# Live host discovery (IP range from 1 to 254).
# Uses ICMP echo replies and TCP SYN packets on port 80 and 443 at the same time.
nmap -T4 -v -sn x.x.x.1-254
# Easier format to grep
nmap -v -sn x.x.x.1-254 -oA nmap-sweep-ping-$(date '+%Y.%m.%d.%Hh%M')
grep Up nmap-sweep-ping-*.gnmap | cut -d " " -f 2

Port Scan

IP=x.x.x.x
IP=x.x.x.1-254

UDP

sudo nmap -T5 -v -Pn -n -sU -sC -sV --top-ports 1000 --max-parallelism 10 $IP -oA nmap-udp-top1000-${IP}-$(date '+%Y.%m.%d.%Hh%M')

SYN Scan

Half-open scanning: just sends a request like you want to connect, but don’t establish the connection. Response is SYN-ACK: port is listening, RESET: non-listener port, nothing: port is filtered.

Requires sudo.

sudo nmap -Pn -sS -sC -sV --top-ports=100 -T4 --open $IP -oA nmap-syn-top100-${IP}-$(date '+%Y.%m.%d.%Hh%M')
grep open nmap-syn-top100-${IP}-*.gnmap |cut -d" " -f2

TCP/Connect Scan

Discover open ports, does complete TCP handshake.

nmap -sT $IP
nmap -sT -p 1-65535 $IP
nmap -sT -p "*" $IP
nmap -T4 -v -Pn -n -sT -sC -sV -p 1-65535 --max-parallelism 10 $IP -oA nmap-tcp-allports-${IP}-$(date '+%Y.%m.%d.%Hh%M')
grep open nmap-tcp-allports-${IP}-*.gnmap |cut -d" " -f2

ACK Scan

Map firewall rulesets, stateful or not, and which ports are filtered.

nmap -T4 -v -Pn -n -sA --top-ports 100 --max-parallelism 10 -oA nmap-ack-top100-${IP}-$(date '+%Y.%m.%d.%Hh%M') $IP

Web Server Scan

#!/bin/bash

top-web-ports() {
  awk '$2 ~ /^((.+0)?8.|8...|443|^[35]000)\/tcp/' /usr/share/nmap/nmap-services |
    sort -rnk 3 | head -n ${1:-100} | grep -Po '\d+(?=/)'
}

ports=$(top-web-ports 30)
echo $ports
nmap -sS -v -n -p ${ports//$'\n'/,} -oA tcp-web-top30 localhost

Sweep for specific ports (-p) across the network

Sweep for specific TCP or UDP ports (-p) across the network, probing for common services and ports with services that may be useful, or otherwise have known vulnerabilities.

nmap -p 80 x.x.x.1-254 -oA nmap-sweep-http-$(date '+%Y.%m.%d.%Hh%M')
grep open nmap-sweep-http-*.gnmap | cut -d" " -f2
# TCP connect scan, Top 20 ports, sweep
nmap -sT -A --top-ports=20 x.x.x.1-254 -oA nmap-sweep-tcp-top20-$(date '+%Y.%m.%d.%Hh%M')
grep open nmap-sweep-tcp-top20-*.gnmap | cut -d" " -f2

DNS sweep

nmap -p 53 x.x.x.1-254 -oA nmap-sweep-dns-$(date '+%Y.%m.%d.%Hh%M')
grep open nmap-sweep-dns.gnmap | cut -d" " -f2

Other examples

# Agressive scan. Operating system detection, version scanning, script scanning and traceroute. SLOW
IP=x.x.x.x
nmap -T5 -Pn -v -A -oA nmap-complete-${IP}-$(date '+%Y.%m.%d.%Hh%M') $IP

# -A: more agressive scanning with more details (like product name and version), takes 1 or 2 minutes, generates a lot of traffic if done on all the network.
nmap -sV -A -O $IP
nmap -sV -A -O $IP > result

# Intensive scan (maximum results), verbose * Pen test
IP=x.x.x.x
RESULTS=/root/Documents/nmap.txt
nmap -A -v -T4 -oA nmap-intensive-${IP}-$(date '+%Y.%m.%d.%Hh%M') $IP

# Display the Reason why Nmap thinks that a port is in a particular state:
nmap --reason $IP

# Show Only Open Ports (or possibly open):
nmap --open $IP

ALWAYS validate open ports found by Nmap. Firewalls or other network devices can respond instead of the scanned IP…

nmap -sV -A -p $PORT $IP

OS Fingerprinting

TCP/IP fingerprinting (for OS scan) requires root privileges.

IP=x.x.x.x
sudo nmap -O $IP
IP=x.x.x.x
nmap -sV -sT $IP
nmap -PN -sT -sV -p0-65535 $IP

Traceroute

# Same as traceroute, but uses TCP protocol instead (not likely to be blocked).
IP=x.x.x.x
nmap -v --traceroute $IP

Find web backup files

IP=x.x.x.x
DIR_SPIDER="/"
nmap -sV -p 80 --script=/usr/share/nmap/scripts/http-backup-finder.nse --script-args "http-backup-finder.url=${DIR_SPIDER}" $IP

Nmap scripts

Fix for keyboard-interactive authentication type

Scripts location

ls -la /usr/share/nmap/scripts/

Script description

nmap --script-help <script.nse>

Debug mode

nmap $IP --script=x -d

All scripts starting with ldap except ldap*brute

nmap -n -sV --script "ldap* and not brute" $IP
# On each port found in nmap scan, execute the appropriate nmap scripts.
nmap -sV -p 23 --script=ssh* $IP

# http endless... 2 or 3 hours
nmap -sV -p 80 --script=http* $IP
nmap -sV -p 8080 --script=http* $IP

# Brute force ftp accounts
nmap -p 21 --script=ftp* $IP

# POP3
nmap -p 110 --script=pop3* $IP

# IMAP4
nmap -p 143 --script=imap* $IP

# IMAP4 over SSL
nmap -p 993 --script=imap* $IP

# POP3 over SSL
nmap -p 995 --script=pop3* $IP

# Attempt to connect to the SMB service on a target system, and determine its 
# operating system version as shown below.
nmap $IP --script smb-os-discovery.nse

# DNS transfer
nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com

# SMTP enumeration of users
nmap -p 25 --script=smtp-enum-users.nse $IP

Exploits

cd /usr/share/nmap/scripts
grep Exploits *.nse

Oracle Scanning with nmap NSE scripts

Use oracle-sid.txt (GitHub)

IP=x.x.x.x
WL_SID=/root/Documents/oracle-sid.txt
SID=ORCL
PORT="1521-1560"

# Bruteforce SID, use default SID list
nmap --script=oracle-sid-brute -p $PORT $IP

# Bruteforce SID, providing SID list
nmap --script=oracle-sid-brute --script-args=oraclesids=$WL_SID -p $PORT $IP

# Bruteforce user accounts. Warning: MIGHT LOCK ACCOUNTS
# oracle-brute.nodefault
# https://nmap.org/nsedoc/scripts/oracle-brute.html
nmap -sV --script oracle-brute --script-args oracle-brute.sid=$SID $IP

# with credential file containing login/password
nmap -sV --script oracle-brute --script-args oracle-brute.nodefault,brute.mode=creds,brute.credfile=/root/creds_oracle.txt,oracle-brute.sid=$SID $IP

# Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGIN authentication scheme.
nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=$SID $IP

Vulnerability Scanning with nmap NSE scripts

ls -l /usr/share/nmap/scripts/*vuln*
IP=x.x.x.x

# Scan a Cold Fusion web server for a directory traversal vulnerability
nmap -v -p 80 --script=http-vuln-cve2010-2861 $IP

# Scan a range of IP addresses for FTP servers that allow anonymous access
nmap -v -p 21 --script=ftp-anon.nse x.x.x.1-254

# Check the security level of an SMB server
nmap -v -p 139, 445 --script=smb-security-mode $IP

# Verify that all domain web servers have been patched against CVE-2011-3192 (Apache DoS)
nmap -v -p 80 --script=http-vuln-cve2011-3192 10.11.1.205-210

Service Message Block (SMB) Enumeration

# Service Message Block Enumeration
# Netbios port 139,445

# Look for any machine using this port, to get information
# -p: port
# 1-254: IP range
nmap -v -p 139,445 x.x.x.1-254 --open

nmap -v -p 139,445 -oA nmap-smb-$(date '+%Y.%m.%d.%Hh%M') x.x.x.1-254

SMB1 - Windows 2000, XP and Windows 2003
SMB2 - Windows Vista SP1 and Windows 2008
SMB2.1 - Windows 7 and Windows 2008 R2
SMB3 - Windows 8 and Windows 2012

# Look for SMB vulnerabilities
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 $IP

SNMP Enumeration

# scan for open SNMP ports
nmap -sU --open -p x.x.x.1-254 -oA nmap-sweep-snmp-$(date '+%Y.%m.%d.%Hh%M')

# For example, the following SNMP Management Information Base (MIB) values 
# correspond to specific Microsoft Windows SNMP parameters
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm. aix.progcomm/doc/progcomc/mib.htm

1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports