Scanning (Nmap)
Network scanning is where you will identify active hosts, open ports on live hosts, services, operating systems, system architecture and vulnerabilities.
Nmap
Nmap is definitely the go-to option for network scanning where possible.
My default aggressive command for full coverage is:
nmap -A -p- -v -T4 -sU $ip | tee nmap.log
Sometimes with the -Pn flag as well.
Below are some handy cheat sheets.
Target Specification
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
|  | `nmap 192.168.1.1` | Scan a single IP |
|  | `nmap 192.168.1.1 192.168.2.1` | Scan specific IPs |
|  | `nmap 192.168.1.1-254` | Scan a range |
|  | `nmap scanme.nmap.org` | Scan a domain |
|  | `nmap 192.168.1.0/24` | Scan using CIDR notation |
| `-iL` | `nmap -iL targets.txt` | Scan targets from a file |
| `-iR` | `nmap -iR 100` | Scan 100 random hosts |
| `--exclude` | `nmap --exclude 192.168.1.1` | Exclude listed hosts |
Host discovery
| TECHNIQUE | COMMAND | RESPONSE | DESCRIPTION |
| --- | --- | --- | --- |
| UDP Ping Scan | `nmap -sn -PU <TARGET IP>` | UDP response: host is active. Error messages (host unreachable or TTL exceeded): host is inactive | Detects systems behind firewalls with strict TCP filtering |
| ICMP ECHO Ping Scan | `nmap -sn -PE <TARGET IP>` | ICMP ECHO reply: host is active. No response: host is inactive | Useful for locating active devices or determining whether ICMP messages pass through a firewall. Disadvantage: does not work on Windows-based networks |
| TCP SYN Ping Scan | `nmap -sn -PS <TARGET IP>` | ACK response: host is active. No response: host is inactive | Does not create a connection. Logs are usually not recorded at the system or network level |
| ARP Ping Scan | `nmap -sn -PR <TARGET IP>` | ARP response: host is active. No response: host is inactive | ARP is a layer 2 protocol, so discovery requires being on the same subnet. Very efficient |
NSE Scripts
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| `-sC` | `nmap 192.168.1.1 -sC` | Scan with default NSE scripts. Considered useful for discovery and safe |
| `--script default` | `nmap 192.168.1.1 --script default` | Scan with default NSE scripts. Considered useful for discovery and safe |
| `--script` | `nmap 192.168.1.1 --script=banner` | Scan with a single script. Example: banner |
| `--script` | `nmap 192.168.1.1 --script=http*` | Scan with a wildcard. Example: http |
| `--script` | `nmap 192.168.1.1 --script=http,banner` | Scan with two scripts. Example: http and banner |
| `--script` | `nmap 192.168.1.1 --script "not intrusive"` | Scan default, but remove intrusive scripts |
| `--script-args` | `nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1` | NSE script with arguments |
Useful NSE Script Examples
| COMMAND | DESCRIPTION |
| --- | --- |
| `nmap -Pn --script=http-sitemap-generator scanme.nmap.org` | HTTP site map generator |
| `nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000` | Fast search for random web servers |
| `nmap -Pn --script=dns-brute domain.com` | Brute-forces DNS hostnames, guessing subdomains |
| `nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1` | Safe SMB scripts to run |
| `nmap --script whois* domain.com` | Whois query |
| `nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org` | Detect cross-site scripting vulnerabilities |
| `nmap -p80 --script http-sql-injection scanme.nmap.org` | Check for SQL injection |
Firewall / IDS Evasion and Spoofing
| Switch | Example | Description |
| --- | --- | --- |
| `-f` | `nmap 192.168.1.1 -f` | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters to inspect |
| `--mtu` | `nmap 192.168.1.1 --mtu 32` | Set your own fragment (offset) size |
| `-D` | `nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1` | Send scans from spoofed (decoy) IPs. Can also just be `-D RND:10` for 10 random IPs |
| `-D` | `nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip` | Above example explained |
| `-S` | `nmap -S www.microsoft.com www.facebook.com` | Scan Facebook from Microsoft (`-e eth0 -Pn` may be required) |
| `-g` | `nmap -g 53 192.168.1.1` | Use the given source port number |
| `--proxies` | `nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1` | Relay connections through HTTP/SOCKS4 proxies (comma-separated list, no spaces) |
| `--data-length` | `nmap --data-length 200 192.168.1.1` | Appends random data to sent packets |
Timing and Performance
| SWITCH | EXAMPLE | DESCRIPTION |
| --- | --- | --- |
| `-T0` | `nmap 192.168.1.1 -T0` | Paranoid (0): Intrusion Detection System evasion |
| `-T1` | `nmap 192.168.1.1 -T1` | Sneaky (1): Intrusion Detection System evasion |
| `-T2` | `nmap 192.168.1.1 -T2` | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources |
| `-T3` | `nmap 192.168.1.1 -T3` | Normal (3): the default speed |
| `-T4` | `nmap 192.168.1.1 -T4` | Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network |
| `-T5` | `nmap 192.168.1.1 -T5` | Insane (5): speeds up scans further; assumes you are on an extraordinarily fast network |