# NMAP

<pre><code>-----------#AD Pentesting

#grab all ports 
nmap -Pn -p- IP -vv -oA nmap/all-ports

#parse open ports
cat nmap/all-ports.nmap | awk -F/ '/open/ {b=b","$1} END {print substr(b,2)}'

#quick service enumeration (run only against the ports found above)
nmap -Pn -sC -sV -oA nmap/services -p(ports) IP --script=vuln -vv

------------#INTERNAL PENTEST OBFUSCATION-WAF BYPASS OPTIONS

nmap -T2 -f --data-length 5 --randomize-hosts --max-retries 2 -Pn --open 10.10.10.1-254

---------------#Against SMB

nmap -p 139,445 -Pn --disable-arp-ping --discovery-ignore-rst --open --randomize-hosts -T2 --data-length 5 --max-retries 2 --host-timeout 5s --script smb-security-mode,smb2-security-mode -iL targets.txt 

nmap -sV -v --data-length 5 --script vulners

nmap -sC -sV -oA quick 10.10.10.10 #Quick Scan

------------------#WebApp Pentest Recon specific

nmap -Pn --script=http-sitemap-generator target.com  # map generator for http site

sudo nmap -Pn --script=dns-brute target.com # DNS bruteforcer

nmap -Pn --script "whois*" interzero.it  #Whois search (quote the wildcard so the shell does not expand it)


------------------#Misc.
sudo nmap -sV --script vulners --script-args mincvss=7.0 -iL ip.txt  #Vulners

sudo nmap -sS 10.10.10.10 #Stealth SYN  scan

nmap -sT 10.10.10.10 #TCP connect scan (-sT, no root needed)

sudo nmap -sU 10.10.10.10  #UDP scan

nmap -v -sU -sS -p- -A -T4 10.10.10.10  #All TCP + UDP ports

sudo nmap -sS -sU 10.10.10.10  #SYN scan + UDP scan in one run

nmap -sn 10.11.1.1-254  #Network sweep

nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt  #Greppable output

followed by: grep Up ping-sweep.txt | cut -d " " -f 2


nmap -p 80 10.11.1.1-254 -oG web-sweep.txt #Web sweep for port 80 on a given subnet (PWK labs internal network)
followed by: grep open web-sweep.txt | cut -d" " -f2



nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt  #Top ports
Top 20 ports are determined here:   /usr/share/nmap/nmap-services


sudo nmap -O 10.11.1.220  #OS fingerprinting

nmap -sV -sT -A 10.11.1.220 #Banner grabbing / service enumeration


nmap --script "ssh-*" 10.10.10.10 #NSE scripts with Wildcard

nmap -p- 10.11.1.220 #Scan all ports 
or
nmap -p 1-65535 10.11.1.220

nmap 10.11.1.220 --script=smb-os-discovery  #SMB 
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10

nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com #DNS-zone transfer script

sudo nmap --script vuln 10.11.1.14 #All Vulns (slow)

#Port knocking bash script
for i in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $i 10.10.10.10; done

#AWK trick | run nmap scan on all ports and redirect to txt file

nmap -p- 10.10.10.10 -oN scan.txt

#then

grep open scan.txt | awk -F/ '{print $1}' ORS=','; echo

(prints the open port numbers as a comma-separated list, which can then be enumerated singularly)

#Firewall Evasion

nmap -f 10.10.10.10  # -f flag to fragment the packet

nmap --mtu 16 10.10.10.10   #Maximum Transmission Unit, must be a multiple of 8

nmap -sS -T5 10.10.10.10 --script firewall-bypass  #Using NSE script

hping3 -1 -c 1 192.168.1.12 # using hping3 

</code></pre>
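The grep/cut and awk one-liners above for pulling hosts and open ports out of nmap output, rewritten as a reusable parser for greppable (`-oG`) output. This is an added example, not part of the original notes; the scan output it parses is constructed inline, and it deliberately drops `closed`, `filtered` and `open|filtered` entries, which the plain `grep open` trick would match.

```python
from collections import defaultdict

# Constructed sample of nmap greppable (-oG) output; not a real scan result.
# Fields on a Host line are tab-separated; Ports entries are "port/state/proto/owner/service/rpc/version/".
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -p- -oG web-sweep.txt 10.11.1.1-254\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//Apache httpd/, "
    "443/closed/tcp//https///\tIgnored State: filtered (65532)\n"
    "Host: 10.11.1.9 ()\tStatus: Up\n"
    "Host: 10.11.1.9 ()\tPorts: 445/open/tcp//microsoft-ds///, 139/open/tcp//netbios-ssn///, "
    "161/open|filtered/udp//snmp///\n"
    "Host: 10.11.1.20 ()\tStatus: Down\n"
    "# Nmap done at Mon Jan  1 10:05:00 2024 -- 254 IP addresses (2 hosts up) scanned in 300.00 seconds\n"
)


def parse_greppable(text):
    """Return ({host: [(port, proto, service, version), ...]}, hosts_up) from -oG text."""
    open_ports = defaultdict(list)
    hosts_up = set()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer lines
        fields = {}
        for part in line.split("\t"):
            key, _, value = part.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        if fields.get("Status") == "Up":
            hosts_up.add(host)
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":  # ignore closed, filtered and open|filtered
                open_ports[host].append((int(port), proto, service, version))
    return dict(open_ports), hosts_up


def port_list(ports):
    """Sorted, comma-separated port list ready for 'nmap -p', with no trailing comma."""
    return ",".join(str(p) for p, *_ in sorted(ports))


if __name__ == "__main__":
    found, up = parse_greppable(SAMPLE_OG)
    for host in sorted(up):
        print(host, port_list(found.get(host, [])))
```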

