So these past few months been really getting familiar with Nmap and I wanted to share a few commands that have really helped me in narrowing discovery vectors for exposing vulnerabilities.
To start here is a key that show what each command does:
-v = detailed information about host
-A = gives operating system, service/port version detection
-sS = stealth scan
-O = attempted to detect operating system
-Sa = see if a firewall is present
-Sp = check to see if the host device is alive
-oN = allows you to save to a text file at the location of your choosing
-sV = find the ports and services associated with a host and the versions of these services
-sV –version-intensity 5 [IP or range] = most aggressive services detection on unknown ports that are not common
-sV –version-intensity 0 [IP or range] = less agressive service detection on known ports
-sV -p 443 –script=ssl-heartbleed [IP or range] = this is useful for when you want to find a known vulnerability in a SSL heartbeat
-Sn = performs a scan of a host if you suspect a firewall is blocking the scan
-sP = performs a scan sees what device give a ICMP back
-iflist = gives you a print out of the host device “netstat -r” results, which is useful if you’d like to learn about a network. ie: routers.
-T0 = slowest scan possible, like uber stealthy but will probably take days.
-T1 = slower scan possible that is the most accurate but also the extremely slow – if you have the time and want to do a scan that will avoid most detentions then use this flag.
-T2 = a slow scan that quite accurate but extremely slow – good if you want to avoid detection
-T3 = middle ground scan that is quite accurate with normal speeds
-T4 = moderately aggressive scan that is more accurate and fast
-T5 = most aggressive faster scan that is but not always the most accurate
-p [1-65535] [IP or range] = specify the range of ports to scan. note: higher the number the longer the scan, useful if you suspect a port was changed to avoid detection. ie: https was changed from 443 to say 8282 or something like that. Remember most ports are in the common ports but some savvy IT people might choose a higher number to avoid normal scans.
-p 80,443 [IP or range] = this will scan just HTTP and HTTPs ports = ideal to see if a server has a web server to attack
-p 53 [IP or range] = use this if you want to see if you can do a zone transfer of DNS from a server that is probably a domain controller
nmap [IP range except last octet has a .* ie: 172.16.10.*] –exclude 172.16.10.1 = example of doing a network range scan but excluding say .1 from the scan that could be a IPS/IDS firewall that could alert a defender to a port scan.
So with this being stated let put these all together
Here are some example outputs that I typically run 1st:
1. This one will do a scan of the range in question and attempt to get all of the ports open on devices with their services and versions with the operating systems, it’s a stealth scan plus its a slow scan. I like being stealthy.
nmap -A -sS -T2 192.168.100.0/24
2. Then I’ll run a scan to see if hosts have a firewall with a stealthy scans and of slower speed.
nmap -Sa -T1 192.168.100.0/24
3. Then I’ll run this command to check all ports not just the common ones, it checks operating systems and their versions, all ports, it’s stealthy, and uses the slow scan speed. Again stealthy except if I know a firewall is present I’ll use the flag as stated above at the end of the range:
nmap -v -p 1-65535 -O -sS -T2 [IP or Range]
4. Then after doing this I try to find a server that has server ports open like 53, 137, 139, 150, 389, 547 as this is typically a C&C server; so I’ll run a port scan on those ports, with an aggressive services discovery, find out the operating systems w/ versions of operating system as-well as services and also see if these server has an active firewall (I always assume it’s a smart firewall so I use the smart firewall flag).
nmap -sV –version-intensity 5 -p 53, 137, 139, 150, 389, 547 -O [IP]
5. Then I’ll start drilling down on specific targets that seem interesting from the open ports and operating systems with an aggressive discovery of the services, cause if I’m able to get information of a domain controller as in step 3 above then its assumed that the rest of the network is probably not fully patched or protected.
nmap -v -p [port or range of ports that peak interest] -sV –version-intensity 3 -A -sS -T4 [IP or Range]
6. Lastly, if you want to save these result to file, you can end the “-oN [UNC mapping] example for linux \root\Documents\192.168.100.0-network.txt”
nmap -sV 192.168.100.0/24 -oN \root\Documents\192.168.100.0-network.txt
After this is done I know my targets and start using script like discussed below and see what is attachable. After collecting this information I move onward to Metasploit Framework in Kali to see if these ports are exploitable from their versions. Giving examples of Metasploit will be for a later discussion.
on the nmap.org website there is a bunch of script you can run against stuff, like over 470+ scripts to date, not going to type them out, cause there is so many, so here if you’d like to learn more:
One script I’ve used is this:
nmap -sV -p 443 –script=ssl-heartbleed [IP or range]
This is useful for when you want to find a known vulnerability in a SSL heartbeat
So this is enough for now, will update this as I come across more nmap commands.
Thanks for reading,