NMAP
One liners
-----------#AD Pentesting
#grab all ports
nmap -Pn -p- IP -vv -oA nmap/all-ports
#parse open ports
cat nmap/all-ports.nmap | awk -F/ '/open/ {b=b","$1} END {print substr(b,2)}'
#quick service enumeration
nmap -Pn -sC -sV -oA nmap/services -p <ports> IP --script=vuln -vv
------------#INTERNAL PENTEST OBFUSCATION-WAF BYPASS OPTIONS
nmap -T2 -f --data-length 5 --randomize-hosts --max-retries 2 -Pn --open 10.10.10.1-254
---------------#Against SMB
nmap -p 139,445 -Pn --disable-arp-ping --discovery-ignore-rst --open --randomize-hosts -T2 --data-length 5 --max-retries 2 --host-timeout 5s --script smb-security-mode,smb2-security-mode -iL targets.txt
nmap -sV -v --data-length 5 --script vulners <target>
nmap -sC -sV -oA quick 10.10.10.10 #Quick Scan
------------------WebApp Pentest Recon specific
nmap -Pn -script=http-sitemap-generator target.com # map generator for http site
sudo nmap -Pn -script=dns-brute target.com # DNS bruteforcer
nmap -Pn --script "whois*" interzero.it #Whois search (pattern quoted so the shell does not glob-expand it)
------------------Misc.
sudo nmap -sV --script vulners --script-args mincvss=7.0 -iL ip.txt #Vulners
sudo nmap -sS 10.10.10.10 #Stealth SYN scan
nmap -sT 10.10.10.10 #TCP connect scan (-sT)
sudo nmap -sU 10.10.10.10 #UDP scan
nmap -v -sU -sS -p- -A -T4 10.10.10.10 #All TCP + UDP ports
sudo nmap -sS -sU <target> #SYN scan + UDP
nmap -sn 10.11.1.1-254 #Network sweep
nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt #Greppable output
followed by: grep Up ping-sweep.txt | cut -d ' ' -f 2
nmap -p 80 10.11.1.1-254 -oG web-sweep.txt #Web sweep for port 80 on a given subnet (PWK labs internal network)
followed by: grep open web-sweep.txt | cut -d ' ' -f 2
nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt #Top ports
Top 20 ports are determined here: /usr/share/nmap/nmap-services
sudo nmap -O 10.11.1.220 #OS fingerprinting
nmap -sV -sT -A 10.11.1.220 #Banner grabbing / service enumeration
nmap --script "ssh-*" 10.10.10.10 #NSE scripts with Wildcard
nmap -p- 10.11.1.220 #Scan all ports
or
nmap -p 1-65535 10.11.1.220
nmap 10.11.1.220 --script=smb-os-discovery #SMB
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com #DNS-zone transfer script
sudo nmap --script vuln 10.11.1.14 #All Vulns (slow)
#Port knocking bash script
for i in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $i 10.10.10.10; done
#AWK trick | run an nmap scan on all ports and save normal output to a text file
nmap -p- <target> -oN scan.txt
#then
cat scan.txt | grep open | awk -F/ {'print $1'} ORS=',';echo
(prints the open port numbers as a comma-separated list, which can then be enumerated individually)
#Firewall Evasion
nmap -f 10.10.10.10 # -f flag to fragment the packet
nmap --mtu 16 10.10.10.10 #Maximum Transmission Unit, must be a multiple of 16
nmap -sS -T5 10.10.10.10 --script firewall-bypass #Using NSE script
hping3 -1 -c 1 192.168.1.12 # using hping3