Most common

#-oG takes an output file name; put the target last so it is not mistaken for the file
nmap -v -sV --reason -oG <outfile> <IP>
 
#Complete scan (all 65535 TCP ports, default scripts, no host discovery):
nmap -v -sC -Pn -p- -oG <outfile> <IP>
 
#Output the open ports as a comma-separated list that can be copied into -p for a precise follow-up scan
#(grep -w open drops closed/filtered ports that nmap lists individually when they are not the majority state)
nmap -p- $ipscope | grep '^[0-9]' | grep -w open | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'
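A more robust version of the port-extraction step above, added here as an example (not part of the original notes): it reads the grepable -oG file that the common scans write and keeps only the ports in a chosen state, so closed or filtered entries never leak into -p. The function names and the sample -oG lines are constructed for this example.

```shell
# Added example, not from the original notes: pull ports from a grepable (-oG)
# file so a full -p- sweep can feed the precise follow-up scan.
# ports_in_state STATES [FILE] keeps only ports whose -oG state is in the
# comma-separated STATES list (e.g. "open", or "open,open|filtered" for UDP).
# Reads stdin when FILE is omitted; prints the ports in the form -p accepts.
ports_in_state() {
    awk -F'\t' -v want="$1" '
        BEGIN { m = split(want, w, ","); for (k = 1; k <= m; k++) ok[w[k]] = 1 }
        # Port entries live in the tab-separated "Ports:" field of each Host line
        # and look like "22/open/tcp//ssh///, 80/open/tcp//http///".
        /^Host:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, */)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")       # f[1]=port f[2]=state f[3]=proto
                    if (f[2] in ok) seen[f[1]] = 1
                }
            }
        }
        END { for (p in seen) print p }
    ' ${2:+"$2"} | sort -n -u | paste -sd ',' -
}

# Convenience wrapper: the list to paste into -p for the precise scan.
open_ports_from_gnmap() { ports_in_state open "$@"; }

# Constructed -oG sample (two hosts, TCP and UDP lines) so this runs offline.
sample_gnmap() {
    printf 'Host: 10.129.2.4 ()\tStatus: Up\n'
    printf 'Host: 10.129.2.4 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 25/closed/tcp//smtp///\tIgnored State: filtered (65532)\n'
    printf 'Host: 10.129.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (65533)\n'
    printf 'Host: 10.129.2.10 ()\tPorts: 53/open|filtered/udp//domain///, 161/closed/udp//snmp///\tIgnored State: open|filtered (998)\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 70.12 seconds\n'
}

# Example use after "nmap -p- -oG full.gnmap $ipscope":
#   nmap -sV -sC -p "$(open_ports_from_gnmap full.gnmap)" $ipscope
# On the sample above, open_ports_from_gnmap prints 22,80,443.
```
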

SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan

Scan Network Range

nmap $ipscope/{mask} -sn -oA nmap_range_scan
 
#Only print the IPs of the hosts that are up:
sudo nmap 10.129.2.0/24 -sn -oN scan_output | grep for | cut -d" " -f5
 
#Read targets from a file with -iL (one IP per line). The output only lists hosts that are up.
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
 

Use - to specify a range

Just like -p- for ports, a dash selects a range of host addresses.

sudo nmap -sn -oA tnet 10.129.2.18-20

Use an input file with IPs

cat hosts.lst
#expected format
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

UDP Scan

nmap $ipscope -sU [-F]
  • -F : top 100 ports (optional). Good for a quick first pass followed by a complete scan.

Packet-trace

Disable DNS resolution (-n), ICMP host discovery (-Pn) and ARP ping to observe the raw packet handling

sudo nmap $ipscope -p {ports} --packet-trace -Pn -n --disable-arp-ping

Response state

An nmap port scan reports one of six port states. A missing result (e.g. a timeout) means the host did not respond. Host discovery is checked with ARP and ICMP when the first probe is not conclusive.

State: Description
open: The connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.
closed: The TCP packet received back contains an RST flag. This scanning method can also be used to determine whether the target is alive or not.
filtered: Nmap cannot correctly identify whether the scanned port is open or closed, because either no response is returned from the target for the port or we get an error code from the target.
unfiltered: This state only occurs during the TCP ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
open|filtered: If we do not get a response for a specific port, Nmap sets it to this state. This indicates that a firewall or packet filter may protect the port.
closed|filtered: This state only occurs in the IP ID idle scan and indicates that it was impossible to determine whether the scanned port is closed or filtered by a firewall.

Update nmap db

Update the NSE script database (after adding or editing scripts):

nmap --script-updatedb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 13:49 CEST
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.28 seconds

Output

  • Normal output (-oN) with the .nmap file extension
  • Grepable output (-oG) with the .gnmap file extension
  • XML output (-oX) with the .xml file extension
  • -oA <basename> writes all three formats at once.
#For grepable output use -oG
nmap $ipscope -{options} -oG <outfile>
#For saving results and importing them into PCF or other tools, use XML
nmap $ipscope -{options} -oX <outfile>

Nmap Script Engine

Category: Description
auth: Determination of authentication credentials.
broadcast: Scripts used for host discovery by broadcasting; the discovered hosts can be automatically added to the remaining scans.
brute: Scripts that try to log in to the respective service by brute-forcing credentials.
default: Default scripts, executed with the -sC option.
discovery: Evaluation of accessible services.
dos: Scripts that check services for denial of service vulnerabilities; used less often as they harm the services.
exploit: Scripts that try to exploit known vulnerabilities for the scanned port.
external: Scripts that use external services for further processing.
fuzzer: Scripts that identify vulnerabilities and unexpected packet handling by sending different fields; this can take much time.
intrusive: Intrusive scripts that could negatively affect the target system.
malware: Checks whether some malware infects the target system.
safe: Defensive scripts that do not perform intrusive or destructive access.
version: Extension for service detection.
vuln: Identification of specific vulnerabilities.
Table from HTB.
nmap $ipscope --script {category}

Locate nmap scripts

Specific scripts can be searched for with:

locate -r 'nse$' | grep {keyword}

The -A option (aggressive scan) runs the default scripts together with OS detection, version detection and traceroute. Otherwise, individual scripts can be selected with --script, separated by commas: --script script1,script2,...