LSWSec - Offensive

Nmap

Nmap Commands

nmap <ip>

Default scan: the top 1000 TCP ports, as a SYN scan when run as root and a connect scan otherwise.

nmap -sV -sC -p- <ip>

All 65535 TCP ports with version detection and the default NSE scripts. Slow on a real network; see the two-pass approach below.

locate scripts/citrix

Find installed NSE scripts by name (here the Citrix-related ones). ls /usr/share/nmap/scripts/ lists them all.

nmap --script smb-os-discovery.nse -p445 10.10.10.40

Run a single NSE script against one port on one host.

Common options:

-sC   run the scripts in the "default" NSE category
-sV   probe open ports to identify the service and its version
-p-   scan all 65535 ports (the default is the top 1000)
-sV --script=banner   grab the service banner from each open port
-sS   TCP SYN (half-open) scan: the handshake is never completed; needs root
-sn   host discovery only, no port scan
-sU   UDP scan (slow; narrow it down with -p)

First Nmap scan (find every open TCP port; no scripts or version probes yet, so it stays fast)

nmap -p- <IP>

Second Nmap scan (scripts and version detection only against the ports found above)

nmap -sC -sV -A -p<open-ports> <ip>

-A already implies -sC -sV plus OS detection (-O) and --traceroute, so the extra flags are redundant but harmless.

Vulnerability scan

nmap -A --script vuln <ip>

Runs every script in the vuln category against the services -A identifies. It is noisy, and some vuln scripts are also tagged intrusive.

Host Discovery

Use this to find live hosts on a subnet; -oA tnet also saves the results as tnet.nmap, tnet.gnmap and tnet.xml:

nmap 192.168.x.x/24 -sn -oA tnet | grep for | cut -d" " -f5

The cut picks the fifth word of "Nmap scan report for <ip>". If reverse DNS resolves, that word is the hostname instead of the IP, so add -n (no DNS resolution) or take the last field.

If you already have a list of IPs, feed it in with -iL (keep -sn for discovery only; without it nmap also port-scans every host):

nmap -sn -iL hosts.lst
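The two-pass workflow above (full-port discovery first, scripts and version detection only on what came back open) and the host-discovery parsing can be glued together with a little shell. The script below is an added example, not part of the original notes or of nmap itself: it parses constructed copies of nmap's grepable (-oG) and -sn output, so it runs without nmap installed, and the function names, sample addresses and file names are assumptions of the example.

```shell
#!/bin/sh
# Added example: glue for a staged nmap workflow.
# Pass 1: nmap -p- -oG first.gnmap <target>      (every open TCP port, no scripts)
# Pass 2: nmap -sC -sV -p<open ports> <target>   (scripts/versions on those ports only)

# Constructed sample of grepable (-oG) output from pass 1; not a real capture.
GNMAP_SAMPLE='# Nmap 7.94 scan initiated as: nmap -p- -oG first.gnmap 10.10.10.40
Host: 10.10.10.40 ()    Status: Up
Host: 10.10.10.40 ()    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///    Ignored State: closed (65532)
# Nmap done at ... -- 1 IP address (1 host up) scanned'

# Constructed sample of "-sn" normal output: one host with rDNS, one without.
PING_SAMPLE='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for gateway.lab (192.168.1.1)
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.37
Host is up (0.0042s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.61 seconds'

# Read -oG output on stdin and print only ports in state "open" as a comma list.
# Filtered and closed ports are left out so pass 2 does not waste time on them.
open_ports_from_gnmap() {
    grep -o '[0-9][0-9]*/open/' | cut -d/ -f1 | tr '\n' ',' | sed 's/,$//'
}

# Read "-sn" normal output on stdin and print the live IPs. Takes the last
# field and strips parentheses, so it works with or without reverse-DNS names
# (a plain cut -f5 returns the hostname when rDNS resolves).
hosts_from_ping_scan() {
    awk '/^Nmap scan report for/ { gsub(/[()]/, "", $NF); print $NF }'
}

# Build the pass-2 command from pass-1 grepable output on stdin.
# Returns 1 and prints nothing when no open ports were found.
build_service_scan_cmd() {
    target="$1"
    ports="$(open_ports_from_gnmap)"
    [ -n "$ports" ] || return 1
    printf 'nmap -sC -sV -p%s %s\n' "$ports" "$target"
}

# Stand-alone demo against the constructed samples (no nmap needed).
printf '%s\n' "$PING_SAMPLE" | hosts_from_ping_scan
printf '%s\n' "$GNMAP_SAMPLE" | build_service_scan_cmd 10.10.10.40
```

In a live engagement the pass-1 command would be `nmap -p- -oG first.gnmap <target>` and the second line of the demo would read `build_service_scan_cmd <target> < first.gnmap`; the parsing is the same either way.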

Output formats

  • Normal output (-oN), the same text you see on the terminal, with the .nmap file extension
  • Grepable output (-oG), one line per host, with the .gnmap file extension
  • XML output (-oX), the easiest to parse or import into other tools, with the .xml file extension
  • -oA <basename> writes all three at once (basename.nmap, basename.gnmap, basename.xml)

NSE script categories (select with --script <category>, e.g. --script vuln):

  • auth        Scripts that deal with authentication on the target service, e.g. checking for anonymous or default access.
  • broadcast   Discover hosts by broadcasting on the local network; with --script-args newtargets the hosts found are added to the rest of the scan.
  • brute       Brute-force logins against the service with credential lists.
  • default     The scripts run by -sC (and by -A): fast, useful and considered safe enough to run by default.
  • discovery   Learn more about the network and its services (SNMP, directory services, public registries).
  • dos         Test for denial-of-service conditions; rarely used because it can take the service down.
  • exploit     Actively exploit known vulnerabilities on the scanned port.
  • external    Send data to third-party services (e.g. whois or geolocation lookups), which also discloses the target to those services.
  • fuzzer      Send unexpected or random field values to find bugs and crashes; slow and bandwidth-heavy.
  • intrusive   Scripts with a real chance of crashing the target, consuming its resources or being logged as an attack.
  • malware     Check whether the target is infected with malware or hosting a backdoor.
  • safe        Scripts not designed to crash services, flood bandwidth or exploit vulnerabilities; the opposite of intrusive.
  • version     Extends version detection; these only run together with -sV.
  • vuln        Check for specific known vulnerabilities and report only when one is found.

Firewalls

  • -sA (ACK scan) sends a bare ACK. A host that is not filtered answers an unsolicited ACK with RST whether the port is open or closed, so -sA cannot tell open from closed; it only shows where a firewall is in the way.

  • A port that returns RST is listed as unfiltered. A port listed as filtered either got no reply (the packet was dropped) or an ICMP unreachable error back, i.e. a firewall rule blocked it.

  • To find out whether an IDS/IPS is watching, scan from several virtual private servers with different IPs: if one gets blocked after noisy scanning while the others still receive answers, something on the network is reacting to the traffic.

  • -D inserts decoy source addresses into the IP headers so the real scanner is only one of many apparent sources; the real address still has to be among them or no replies would come back.

    • -D RND:5 generates 5 random decoy IPs

SYN-Scan of a Filtered Port

sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace

-Pn skips host discovery, -n skips DNS and --disable-arp-ping stops the ARP ping, so the trace shows nothing but the SYN probe and whatever comes back. No reply at all (only SENT lines) means the port is filtered.

SYN-Scan From DNS Port

sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

--source-port 53 makes the probe look like DNS traffic. Firewalls that trust packets from source port 53 let it through, and a SYN/ACK in the trace shows the port was open all along. Setting a source port below 1024 needs root, which -sS already requires.

Once the filter is known to trust that source port, Netcat can connect to the service the same way (ncat's -p is --source-port):

ncat -nv --source-port 53 10.129.2.28 50000
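Reading --packet-trace output by eye gets tedious when repeating the probe with different source ports. The classifier below is an added example, not part of the original notes or of nmap: it decides open, closed or filtered for one target port from the SENT/RCVD lines. The three traces are constructed to follow nmap's trace format, not copied from a real scan, and the function name and addresses are assumptions of the example.

```shell
#!/bin/sh
# Added example: classify a single-port SYN probe from nmap --packet-trace output.
# Sample traces below are constructed in nmap's SENT/RCVD format, not real captures.

# Port 50000 dropped by the firewall: the probe and its retransmission, no reply.
TRACE_FILTERED='SENT (0.0429s) TCP 10.10.14.2:59587 > 10.129.2.28:50000 S ttl=55 id=3434 iplen=44 seq=3363955565 win=1024 <mss 1460>
SENT (1.0441s) TCP 10.10.14.2:59588 > 10.129.2.28:50000 S ttl=55 id=3434 iplen=44 seq=3363955565 win=1024 <mss 1460>'

# Same probe sent from source port 53: the filter lets DNS-looking traffic
# through and the service answers SYN/ACK, so the port is really open.
TRACE_OPEN='SENT (0.0426s) TCP 10.10.14.2:53 > 10.129.2.28:50000 S ttl=55 id=3434 iplen=44 seq=3363955565 win=1024 <mss 1460>
RCVD (0.0473s) TCP 10.129.2.28:50000 > 10.10.14.2:53 SA ttl=64 id=0 iplen=44 seq=2189726473 win=64240 <mss 1460>'

# A closed port answers the SYN with RST/ACK.
TRACE_CLOSED='SENT (0.0426s) TCP 10.10.14.2:59587 > 10.129.2.28:50001 S ttl=55 id=3434 iplen=44 seq=3363955565 win=1024 <mss 1460>
RCVD (0.0473s) TCP 10.129.2.28:50001 > 10.10.14.2:59587 RA ttl=64 id=0 iplen=40 seq=0 win=0'

# Read --packet-trace lines on stdin and print open / closed / filtered for the
# target port given as $1. Only TCP replies whose source is that port count;
# SENT lines and ARP/ICMP lines are ignored. An ICMP unreachable reply therefore
# still ends up as "filtered", which matches how a SYN scan reports it.
# Field layout of a RCVD line: RCVD (time) TCP src:port > dst:port FLAGS ...
classify_syn_trace() {
    awk -v port="$1" '
        $1 == "RCVD" && $3 == "TCP" && $4 ~ (":" port "$") {
            if ($7 ~ /S/ && $7 ~ /A/) { state = "open";   exit }   # SYN/ACK
            if ($7 ~ /R/)             { state = "closed"; exit }   # RST or RST/ACK
        }
        END {
            if (state == "") state = "filtered"                  # no TCP reply seen
            print state
        }
    '
}

# Stand-alone demo against the constructed traces.
printf '%s\n' "$TRACE_FILTERED" | classify_syn_trace 50000
printf '%s\n' "$TRACE_OPEN"     | classify_syn_trace 50000
printf '%s\n' "$TRACE_CLOSED"   | classify_syn_trace 50001
```

In use, pipe the real scan into it, e.g. `sudo nmap ... --packet-trace --source-port 53 2>&1 | classify_syn_trace 50000`; a change from "filtered" to "open" between the two source ports is the evidence that the firewall is filtering on source port rather than the service being down.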


Last updated 1 month ago