Nmap cheat sheet and pro tricks


Nmap has a multitude of options, and when you first start playing with this excellent tool it can be a little daunting. In this cheat sheet you will find a series of practical example commands for running Nmap and getting the most out of this powerful tool.
Keep in mind that this cheat sheet only touches the surface of the available options. The Nmap Documentation portal is your reference for digging deeper into the options available.
Nmap Target Selection
Scan a single IP: nmap 192.168.1.1
Scan a host: nmap www.testhostname.com
Scan a range of IPs: nmap 192.168.1.1-20
Scan a subnet: nmap 192.168.1.0/24
Scan targets from a text file: nmap -iL list-of-ips.txt
These are all default scans, which scan the 1000 most common TCP ports. Host discovery takes place first.
Nmap Port Selection
Scan a single port: nmap -p 22 192.168.1.1
Scan a range of ports: nmap -p 1-100 192.168.1.1
Scan the 100 most common ports (fast): nmap -F 192.168.1.1
Scan all 65535 ports: nmap -p- 192.168.1.1
Nmap Port Scan types
Scan using TCP connect: nmap -sT 192.168.1.1
Scan using TCP SYN scan (default): nmap -sS 192.168.1.1
Scan UDP ports: nmap -sU -p 123,161,162 192.168.1.1
Scan selected ports, ignoring discovery: nmap -Pn -F 192.168.1.1
Privileged access is required to perform the default SYN scan. If privileges are insufficient, a TCP connect scan will be used instead. A TCP connect scan needs a full TCP connection to be established for each port and is therefore slower. Ignoring discovery is often required, as many firewalls or hosts will not respond to ping and so will be missed unless you select the -Pn parameter. Of course this can make scan times much longer, as you may end up sending scan probes to hosts that are not there.
Service and OS Detection
Detect OS and services: nmap -A 192.168.1.1
Standard service detection: nmap -sV 192.168.1.1
More aggressive service detection: nmap -sV --version-intensity 5 192.168.1.1
Lighter banner-grabbing detection: nmap -sV --version-intensity 0 192.168.1.1
Service and OS detection rely on different methods to determine the software or service running on a particular port. The more aggressive service detection is often helpful if there are services running on unusual ports. On the other hand, the lighter version of service detection is much faster, because it does not really attempt to identify the service; it simply grabs the banner of the open service.
Nmap Output Formats
Save default output to a file: nmap -oN outputfile.txt 192.168.1.1
Save results as XML: nmap -oX outputfile.xml 192.168.1.1
Save results in a grepable format: nmap -oG outputfile.txt 192.168.1.1
Save in all formats: nmap -oA outputfile 192.168.1.1
The default format can also be saved to a file using a simple file redirect, command > file. Using the -oN option allows the results to be saved while still being monitored in the terminal as the scan is in progress.
Digging deeper with NSE Scripts
Scan using default safe scripts: nmap -sV -sC 192.168.1.1
Get help for a script: nmap --script-help=ssl-heartbleed
Scan using a specific NSE script: nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scripts: nmap -sV --script=smb* 192.168.1.1
According to my Nmap install there are currently 581 NSE scripts. The scripts are able to perform a wide range of security-related testing and discovery functions. If you are serious about your network scanning you really should take the time to get familiar with some of them.
The option --script-help=$scriptname will display help for the individual scripts. To get a simple list of the installed scripts, try locate nse | grep script.
You will notice I have used the -sV service detection parameter. Generally most NSE scripts will be more effective, and you will get better coverage, by including service detection.
A scan to search for DDoS reflection UDP services
Scan for UDP DDoS reflectors: nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24
UDP-based DDoS reflection attacks are a common problem that network defenders come up against. This is a handy Nmap command that will scan a target list for systems with open UDP services that allow these attacks to take place. Full details of the command and the background can be found on the SANS Institute blog where it was first posted.
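Run against a whole /24 with -oG, the reflector scan above produces one grepable line per host, and the defender's real question is which hosts answered on which of the four UDP ports. The following is an added example, not code from the original cheat sheet: it parses constructed sample -oG output (the port entry layout port/state/proto/owner/service/rpcinfo/version/ is Nmap's real grepable format) and reports the exposed reflector services per host, treating the open|filtered state that UDP scans give for silent ports as a lead only on request.

```python
# Added example, not from the original cheat sheet: parse the grepable (-oG) output of
# the reflector scan above and report which hosts expose amplification-capable UDP services.
import re

# The UDP ports the cheat sheet's scan probes (-pU:19,53,123,161) and the service on each.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp"}

# Constructed sample of "nmap -sU -Pn -n -pU:19,53,123,161 -oG out.gnmap 192.168.1.0/24".
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sU -Pn -n -pU:19,53,123,161 -oG out.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 19/closed/udp//chargen///, 53/open/udp//domain///, 123/open/udp//ntp///, 161/open|filtered/udp//snmp///
Host: 192.168.1.7 ()\tStatus: Up
Host: 192.168.1.7 ()\tPorts: 19/open/udp//chargen///, 53/closed/udp//domain///, 123/closed/udp//ntp///, 161/closed/udp//snmp///
Host: 192.168.1.9 ()\tStatus: Up
Host: 192.168.1.9 ()\tPorts: 19/closed/udp//chargen///, 53/closed/udp//domain///, 123/closed/udp//ntp///, 161/closed/udp//snmp///
# Nmap done -- 256 IP addresses (3 hosts up) scanned"""

# Each -oG port entry is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")

def parse_gnmap_ports(text):
    """Return {ip: [(port, state, proto, service), ...]} from the 'Ports:' lines."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        result.setdefault(ip, [])
        for port, state, proto, service in PORT_RE.findall(ports_field):
            result[ip].append((int(port), state, proto, service))
    return result

def find_udp_reflectors(text, include_open_filtered=False):
    """Map each host to the reflector services it exposes. A UDP port that never
    answers is reported as open|filtered; count it only when the caller asks."""
    accepted = {"open"} | ({"open|filtered"} if include_open_filtered else set())
    exposed = {}
    for ip, entries in parse_gnmap_ports(text).items():
        hits = [REFLECTOR_PORTS[p] for p, state, proto, _ in entries
                if proto == "udp" and state in accepted and p in REFLECTOR_PORTS]
        if hits:
            exposed[ip] = hits
    return exposed

if __name__ == "__main__":
    for ip, services in find_udp_reflectors(SAMPLE_GNMAP, include_open_filtered=True).items():
        print(f"{ip}: {', '.join(services)}")
```

Hosts listed by this check are the ones to verify with the page's NSE scripts (ntp-monlist, dns-recursion, snmp-sysdescr), since an open port alone does not prove the service will amplify.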
HTTP Service Information
Gather page titles from HTTP services: nmap --script=http-title 192.168.1.0/24
Get HTTP headers of web services: nmap --script=http-headers 192.168.1.0/24
Find web apps from known paths: nmap --script=http-enum 192.168.1.0/24
There are many HTTP information-gathering scripts; here are a few that are simple but helpful when examining larger networks. They help in quickly identifying what HTTP service is running on the open port. Note that the http-enum script is particularly noisy. It is similar to Nikto in that it will attempt to enumerate known paths of web applications and scripts. This will inevitably generate many 404 HTTP responses in the web server error and access logs.
Detect Heartbleed SSL Vulnerability
Heartbleed testing: nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24
Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well-known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail and other protocols (requires Nmap 6.46).
IP Address information
Find information about an IP address: nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24
Gather information related to the IP address and the net block owner of the IP address. Uses ASN, whois and geo IP location lookups. See the IP tools for more information and similar IP address and DNS lookups.
Remote Scanning
Testing your network perimeter from an external perspective is essential when you want the most accurate results. By assessing your exposure from the attacker's perspective you can validate firewall rule audits and understand exactly what is allowed into your network. Remote scanning is worth making easy and routine, because anyone who has played with shodan.io knows very well how badly people test their perimeter networks.