Nmap - (Useful) Notes

📋

(Useful) Notes

Search…

Tools List

Hacker Mode

Nmap

SQL

Reverse Shells and SSH

File Transfer

Linux Privilege Escalation

Bash-fo

CMD and Powershell

Forensics - Sleuthkit and Autopsy

PWN, Assembly, and Smashing the Stack

Python

Python Quirks and Tricks

[Unfinished] NodeJS Quirks

Nmap

Scan Methodology
Scanning when pings are allowed:
1- Discover online hosts
nmap -v -iL [file with scope] -sn -n -oG live_hosts.txt.gnmap
cat live_hosts.txt.gnmap | grep Up | cut -d' ' -f2 > live_hosts.txt
2- Port discovery of online hosts
nmap -v -sS -top-ports 2000 -n -oA top2000.online -iL live_hosts.txt
3- OS and version detection, default scripts on the discovered hosts (noisy)
nmap -A -oA [output] -iL live_hosts.txt
​
General flags
Flag
Description
-sS
SYN scan, used to test if ports are open/filtered
-sT
TCP scan (default when run without root)
-sA
ACK scan, used to test firewall settings
-sU
UDP scan
-A
Performs -sV and -sC (scripts, version detection, etc)
-Pn
Do not ping the host; just scan it
-O
OS detection (not scripts)
-T5
Most noisy scan, maximum bandwidth.
-R/-n
Never do DNS resolution
Speedy flags
Flag
Description
-T4 or -T5
T5 results in the fastest possible scanning (may overload the target)
--max-rtt-timeout X
Per-port timeout: X time to get a result. X is seconds, for MS put "Xms"
--host-timeout X
Per-host timeout: X time to get all results from a host in seconds
​
​
Script flags
Flag
Description
-sC
Use default NSE scripts
--script dns-brute
Guess common subdomains
Nmap + msfconsole host database
If you do not have the database running yet, follow this kali guide​
Stealth scan on an ip, no ping, with version detection, saving the information on the msfconsole database
msf6 > db_nmap -sS -Pn -A [ip]
Enumeration
mySQL Enumeration (courtesy of hacktricks)
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
SMB enumeration (courtesy of codecentric)
nmap -sV --script=smb-enum-shares -p445 $ip
note to self: if you get this far and you do not have the machine in your hosts file, you're going to miss subdomains.
More Resources
​StationX Nmap - General commands with example
​

Tools List

Next - Hacker Mode

SQL

Last modified 10mo ago

Copy link

On this page

Scan Methodology

General flags

Speedy flags

Script flags

Nmap + msfconsole host database

Enumeration

More Resources