Nmap
Scanning when pings are allowed:
1- Discover online hosts
nmap -v -iL [file with scope] -sn -n -oG live_hosts.txt.gnmap
cat live_hosts.txt.gnmap | grep Up | cut -d' ' -f2 > live_hosts.txt
2- Port discovery of online hosts
nmap -v -sS --top-ports 2000 -n -oA top2000.online -iL live_hosts.txt
3- OS and version detection, default scripts on the discovered hosts (noisy)
nmap -A -oA [output] -iL live_hosts.txt
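The greppable (-oG) files written in steps 1 and 2 are easier to work with than the "grep Up | cut" one-liner suggests. The helpers below are an added example (not part of this cheat sheet): they pull live hosts and open ports out of a .gnmap file, and build a per-port target list that can be fed back to -iL for a targeted script scan. The sample file, hosts and service banners are constructed.

```shell
#!/bin/sh
# Parse nmap -oG output. Added example with a constructed sample; not from the original page.

# Write a constructed .gnmap sample; fields are tab-separated, as nmap writes them.
make_sample() {
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n' > "$1"
  printf 'Host: 10.0.0.6 ()\tStatus: Down\n' >> "$1"
  printf 'Host: 10.0.0.7 (web01.lab)\tStatus: Up\n' >> "$1"
  printf 'Host: 10.0.0.7 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)\n' >> "$1"
}

# IPs reported "Status: Up", one per line, deduplicated.
# (A bare "grep Up" would also match a hostname containing "Up".)
live_hosts() {
  awk '/Status: Up/ { print $2 }' "$1" | sort -u
}

# "ip port/proto service" for every open port listed in a Ports: field.
open_ports() {
  awk -F'\t' '{
    ports = ""
    for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) ports = substr($i, 8)
    if (ports == "") next
    split($1, h, " "); ip = h[2]
    n = split(ports, p, ", ")
    for (j = 1; j <= n; j++) {
      split(p[j], f, "/")          # port/state/proto/owner/service/rpc/version/
      if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
    }
  }' "$1"
}

# Hosts with a given open port (e.g. 3306/tcp); save to a file and pass it to -iL.
hosts_with_port() {
  open_ports "$1" | awk -v want="$2" '$2 == want { print $1 }' | sort -u
}

# Demo when run without a file argument: parse the constructed sample.
if [ "$#" -eq 0 ]; then
  tmp=$(mktemp); make_sample "$tmp"
  echo "live hosts:"; live_hosts "$tmp"
  echo "open ports:"; open_ports "$tmp"
  echo "hosts with 80/tcp open:"; hosts_with_port "$tmp" 80/tcp
  rm -f "$tmp"
fi
```

Run it as `sh gnmap_helpers.sh top2000.online.gnmap` after step 2, or without arguments to see it work on the sample.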
| Flag | Description |
| --- | --- |
| -sS | SYN scan, used to test if ports are open/filtered |
| -sT | TCP connect scan (default when run without root) |
| -sA | ACK scan, used to test firewall settings |
| -sU | UDP scan |
| -A | Aggressive scan: -O, -sV, -sC and --traceroute together |
| -Pn | Do not ping the host; just scan it |
| -O | OS detection (no scripts) |
| -T5 | Most noisy scan, maximum bandwidth |
| -n | Never do DNS resolution (-R is the opposite: always resolve) |
| Flag | Description |
| --- | --- |
| -T4 or -T5 | T5 results in the fastest possible scanning (may overload the target) |
| --max-rtt-timeout X | Per-probe timeout: wait at most X for a probe response. X is in seconds by default; append "ms" for milliseconds (e.g. 500ms) |
| --host-timeout X | Per-host timeout: give up on a host after X (seconds by default; ms, s, m and h suffixes are accepted) |
| Flag | Description |
| --- | --- |
| -sC | Use default NSE scripts |
| --script dns-brute | Guess common subdomains |
Stealth scan on an IP, no ping, with version detection, saving the results in the msfconsole database:
msf6 > db_nmap -sS -Pn -A [ip]
MySQL enumeration on port 3306 with the mysql-* NSE scripts:
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
SMB share enumeration on port 445:
nmap -sV --script=smb-enum-shares -p445 $ip
note to self: if you get this far and you do not have the machine in your hosts file, you're going to miss subdomains.