{% tabs %} {% tab title="Documentation and Reference" %}
- https://nmap.org/book/toc.html
- NSEDoc Reference Portal
- https://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717
- https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.1.pdf
- https://blog.zsec.uk/nmap-rtfm/
- https://gtfobins.github.io/gtfobins/nmap/
- Operator Handbook: NMAP - pg. 222
- Penetration Testing: Port Scanning with NMAP - pg. 125 {% endtab %}
{% tab title="NMAP Scripting" %}
- https://nmap.org/book/man-nse.html
- Ultimate List of Nmap NSE Scripts (Interactive Spreadsheet) - InfosecMatter {% endtab %}
{% tab title="Nmap for pentester articles" %}
- Nmap for Pentester: Host Discovery
- Nmap for Pentester: Output Format Scan
- Nmap for Pentester: Vulnerability Scan
- Nmap for Pentester: Timing Scan
- Nmap for Pentester: Ping Scan
- Nmap for Pentester: Port Status
- Nmap for Pentester: Password Cracking {% endtab %}
{% tab title="Training" %}
- https://tryhackme.com/room/nmap01
- https://tryhackme.com/room/furthernmap {% endtab %} {% endtabs %}
Handy options
- -sS - SYN (half-open) scan; stealthier because the TCP handshake is never completed. Default when run as root
- -sV - Version scan; loud, because it completes the connection, grabs the banner and probes the service for version info
- -A - Aggressive scan: enables OS detection, version detection, the default script scan and traceroute
- -oA [filename] - Write output in all three formats (normal .nmap, grepable .gnmap, XML .xml) using [filename] as the base name
- -Pn - Skip host discovery and treat every host as up. Most big companies have ping disabled on most external hosts
- -n - Disable DNS resolution, which helps speed up the scan
Basic scan
```bash
nmap [IP Address]
nmap [website.com]
```
Specify ports
Top ports (--top-ports needs a count: the N most common ports are scanned)
```bash
nmap --top-ports [N] [IP Address]
```
All ports
```bash
nmap -p- [IP Address]
```
UDP ports
```bash
nmap -sU [IP Address]
```
TCP ports (connect scan)
```bash
nmap -sT [IP Address]
```
Quick TCP scan
```bash
nmap -sC -sV -vv -oA quick 10.10.10.10
```
Quick UDP scan
```bash
nmap -sU -sV -vv -oA quick_udp 10.10.10.10
```
Full TCP scan
```bash
nmap -sC -sV -p- -vv -oA full 10.10.10.10
```
Port knock
Send one probe to each knock port in order: --max-retries 0 sends each probe once and a short --host-timeout moves on quickly (a bare number is read as milliseconds, so 201 is written here as 201ms)
```bash
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201ms --max-retries 0 -p $x 10.10.10.10; done
```
Network sweep
Broad scans first (a -sn host-discovery sweep with no port scan), then specific scans on the hosts of interest
```bash
nmap -sn 10.0.0.1-254
```
Banner grabbing
```bash
nmap -sV -v -p- [IP Address]
```
OS scan
```bash
sudo nmap -O -sV [IP Address]
```
- --osscan-guess makes Nmap guess more aggressively, printing near-matches when no perfect fingerprint match is found. Useful when detection gets close to, but not quite at, 100%; the trade-off is that aggressive guesses are less reliable than exact matches.
- --osscan-limit skips OS detection on hosts that do not have at least one open and one closed TCP port (detection is unreliable without both). This saves a lot of time when you have a large range of IPs to scan.
The Nmap Scripting Engine (NSE) allows users to run custom and community-generated scripts.
- Scripts are stored in /usr/share/nmap/scripts
{% tabs %} {% tab title="Basics" %}
The most basic way of running Nmap scripts is the -sC option, which invokes the scripts in the default category.
```bash
nmap -sV -sC 192.168.1.1
```
To run a specific script against a target, name the script in the command.
```bash
nmap -sV --script http-sql-injection.nse 192.168.1.1
```
Besides naming the script, it is sometimes necessary to pass script arguments to get the desired behaviour.
```bash
nmap --script http-wordpress-brute.nse --script-args 'passdb=passwords.txt' 192.168.1.1
nmap -sV --script mysql-dump-hashes --script-args='username=root,password=abc123' 10.102.9.39
```
Run every NSE script whose name matches *vuln* against the ports found so far (quote the pattern so the shell does not expand it)
```bash
nmap -Pn -sV -O -p T:{TCP ports found},U:{UDP ports found} --script "*vuln*" $ip
```
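As an added example (not from the original page), the script below chains the -sn network sweep with the "*vuln* scripts against found ports" command by parsing Nmap's grepable (-oG) output, so the second stage only touches hosts and ports that actually answered. The function names, output file names and the embedded sample output are mine; the sample is constructed, not a real scan.

```bash
# Added example (not from the original page): chain the -sn sweep with the
# "*vuln* scripts against found ports" command by parsing grepable (-oG) output.
# nmap is only invoked inside sweep() and scan_host(); the parsers run offline.
# Print the address of every host marked "Up" in grepable output read from stdin.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}
# Turn the "Ports:" field of grepable output into a -p spec such as T:22,80,U:53.
# Entries look like port/state/proto/owner/service/rpcinfo/version/ and only
# "open" ones are kept, so "open|filtered" UDP ports are deliberately left out.
port_spec() {
    awk -F'Ports: ' '/Ports:/ {
        n = split($2, e, ", ")
        for (i = 1; i <= n; i++) {
            split(e[i], f, "/")              # f[1]=port f[2]=state f[3]=proto
            if (f[2] != "open") continue
            if (f[3] == "tcp") t = (t == "" ? f[1] : t "," f[1])
            else if (f[3] == "udp") u = (u == "" ? f[1] : u "," f[1])
        }
    }
    END {
        s = (t != "" ? "T:" t : "")
        if (u != "") s = (s != "" ? s "," : "") "U:" u
        print s
    }'
}
# Constructed sample of -oG output (not a real scan) used to exercise the parsers.
SAMPLE_OG='# Nmap scan report (constructed sample)
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///, 53/open/udp//domain///  Ignored State: closed (997)'
# Stage 1: the host-discovery sweep from this page, -n to skip DNS; one live address per line.
sweep() {
    nmap -sn -n -oG - "$1" | live_hosts
}
# Stage 2: find the open ports on one host, then run the *vuln* scripts against
# exactly those ports. -sS, -sU and -O need root, as on the page.
scan_host() {
    spec=$(nmap -Pn -n -sS -sU --top-ports 100 -oG - "$1" | port_spec)
    if [ -n "$spec" ]; then
        nmap -Pn -n -sV -O -p "$spec" --script "*vuln*" -oA "vuln_$1" "$1"
    fi
}
# Usage: sh sweep_then_vuln.sh 10.0.0.1-254
if [ $# -eq 1 ]; then
    sweep "$1" | while read -r host; do scan_host "$host"; done
fi
```

Running the two parsers over SAMPLE_OG gives `10.0.0.5` and `T:22,80,U:53`; the closed 443 entry is dropped.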
{% endtab %}
{% tab title="Vulscan" %}
Advanced vulnerability scanning with Nmap NSE. Clone the repository as scripts/vulscan, the location the project documents, so the script can find the CSV databases that sit beside it:
```bash
cd /usr/share/nmap/scripts
git clone https://github.com/scipag/vulscan.git vulscan
nmap -sS -sV --script=/usr/share/nmap/scripts/vulscan/vulscan.nse $ip
```
- https://hakin9.org/vulscan-advanced-vulnerability-scanning-with-nmap-nse/
- https://www.computec.ch/projekte/vulscan/
{% endtab %} {% endtabs %}
https://book.hacktricks.xyz/pentesting/pentesting-network/ids-evasion
{% tabs %} {% tab title="TTL Manipulation" %} Send some packets with a TTL large enough to reach the IDS/IPS but too small to reach the final system. Then send further packets with the same sequence numbers: the IPS/IDS treats them as retransmissions and does not inspect them, yet these are the ones that actually carry the malicious content.
Nmap option: --ttl <value>
{% endtab %}
{% tab title="Junk Data" %} Append junk data to each packet so that it no longer matches the IPS/IDS signature.
Nmap option: --data-length 25
{% endtab %}
{% tab title="Fragmentation" %} Fragment the packets before sending them. If the IDS/IPS cannot reassemble fragments, only the final host sees the complete packet.
Nmap option: -f (or --mtu <value> to set the fragment size) {% endtab %}
{% tab title="Invalid checksum" %} Sensors usually don't calculate checksums for performance reasons, so an attacker can send a packet that the sensor interprets but the final host rejects. Example: send a packet with the RST flag and an invalid checksum; the IPS/IDS may think this packet closes the connection, while the final host discards it because the checksum is invalid. {% endtab %}
{% tab title="Overlapping" %} When a packet is fragmented, the fragments may overlap (for example the first 8 bytes of fragment 2 overlap the last 8 bytes of fragment 1, and the last 8 bytes of fragment 2 overlap the first 8 bytes of fragment 3). If the IDS/IPS reassembles them differently from the final host, the two see different packets. Likewise, when two fragments with the same offset arrive, the host has to decide which one to keep:
- BSD: prefers fragments with the smaller offset; among fragments with the same offset it keeps the first one.
- Linux: like BSD, but among fragments with the same offset it keeps the last one.
- First (Windows): the first value to arrive is the one kept.
- Last (Cisco): the last value to arrive is the one kept. {% endtab %} {% endtabs %}
HackerSploit has one of the best video series on using Nmap.
{% embed url="https://youtu.be/5MTZdN9TEO4" %}
{% embed url="https://youtu.be/VFJLMOk6daQ" %}
{% embed url="https://youtu.be/OUQkCAHdX_g" %}