Nmap Discovery Scans
Nmap UDP Port Scan
nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all -oN _top_20_udp_nmap.txt 10.10.10.188
Nmap Full TCP Quick Port Scan
This command skips the host availability check (-Pn), scans the top 1,000 TCP ports, uses the SYN scan technique, adds version detection and the default script set (-sV -sC), and runs with the default timing template of -T3 (which doesn't need to be specified, since it is the default).
nmap -vv --reason -Pn -sV -sC --version-all -oN _quick_tcp_nmap.txt 10.10.10.188
Nmap Full TCP Port Scan
This command also skips the host availability check and runs all service/OS enumeration checks (-A) against every TCP port, so it can take a while to complete. If I've already run a faster scan, like the --max-retries 0 one below, I use this command only against the specific open ports for banner grabs and simple checks.
nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN _full_tcp_nmap.txt 10.10.10.188
Nmap Full TCP w/o everything else
This command is a good one to run at the beginning. It runs quickly on almost all hosts and shouldn't cause any blocking. Keep in mind that banners aren't grabbed, so all this tells us is which port numbers are open, not necessarily what is running on those ports.
nmap -vv -p 1-65535 -sS -T4 --max-retries 0 -oN _aggresive_tcp_nmap.txt 10.10.10.76
Nmap Quick/Full
First I run a quick nmap scan just to see what ports are open.
nmap -v -Pn -T4 --max-retries 0 -p- 10.11.1.133 -oN nmap.quick
Next I dump all the discovered open ports onto a single line, separated by commas.
grep open nmap.quick | grep -v Warning | sed 's/ open //g'| awk -F '/' '{print $1}'|tr '\n' ','
Then I run the full nmap scan on just those open ports, pasting the comma-separated port numbers into the -p argument of the nmap command.
nmap -sV -A -p 80, 10.11.1.133 -oN nmap.full
Then I pull the formatted open-ports block from the full nmap output, so the service names are correct.
grep -v Warning nmap.full | grep open
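The port-extraction step above, as an added example that is not part of the original notes: a small shell function that parses an nmap -oN file, keeps only the lines whose STATE is open (dropping "filtered" rows and the verbose "Discovered open port" chatter that a bare grep for "open" also matches), and joins the port numbers with commas without the trailing comma that tr leaves. The nmap output embedded below is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds the comma-separated
# port list that "nmap -p" expects from an nmap normal-output (-oN) file.

open_ports() {
    # $1: path to an nmap -oN file.
    # Match only "<port>/tcp|udp   open ..." table rows, take the number
    # before the slash, de-duplicate, and join with commas (no trailing comma).
    grep -E '^[0-9]+/(tcp|udp) +open' "$1" \
        | awk -F/ '{print $1}' \
        | sort -n -u \
        | paste -s -d ',' -
}

# Constructed sample of what "nmap -v -p- -oN nmap.quick" might write.
# Note the filtered port and the verbose "Discovered" line, both of which
# a plain "grep open" would pick up.
SAMPLE_NMAP_OUTPUT='# Nmap scan initiated ...
Warning: 10.11.1.133 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.11.1.133
Host is up (0.031s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https
8080/tcp open     http-proxy
Discovered open port 22/tcp on 10.11.1.133
# Nmap done at ...'

# Write the sample to a temp file and print the list ready for "nmap -p".
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_NMAP_OUTPUT" > "$tmp"
    open_ports "$tmp"
    rm -f "$tmp"
}

demo
```

The function prints one line such as 22,80,8080, which can be substituted directly into the -p argument of the full scan.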
Port scan w/ nc
Sometimes nmap will report ports as "filtered". This usually means a firewall or packet filter is dropping nmap's probes, but often there are still services listening on some of those ports. We can usually just connect straight to them with nc, so the following command does a simple port scan.
nc -nvvz 10.11.1.237 1-1000 | tee nc.portscan.1k
To scan and grep the output directly, you need to redirect stderr to stdout, since nc writes its connection messages there. The grep search term sometimes needs to change depending on which version of nc is being used.
nc -nvvz 10.1.1.65 1000-1 2>&1 | grep succeeded
Service Specific Scans
SSH
nmap --reason -Pn -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN tcp_22_ssh_nmap.txt 10.10.10.188
HTTP
nmap -vv --reason -Pn -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN tcp_80_http_nmap.txt 10.10.10.188
curl -sSik http://10.10.10.188:80/ -m 10 2>&1 | tee "tcp_80_http_index.html"
curl -sSik http://10.10.10.188:80/robots.txt -m 10 2>&1 | tee "tcp_80_http_robots.txt"
gobuster dir -u http://10.10.10.188:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x "txt,html,php,asp,aspx,jsp" -o "tcp_80_http_gobuster.txt"
Gobuster Loop
for i in dir1 dir2 dir3 dir4; do gobuster dir -u http://10.10.10.111:9999/$i -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuster-$i.txt; done
NFS
nmap -vv --reason -Pn -sV -p 111 --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN tcp_111_nfs_nmap.txt 10.10.10.76
showmount -e 10.10.10.76 2>&1 | tee tcp_111_showmount.txt
RPC
nmap -vv --reason -Pn -sV -p 111 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN tcp_111_rpc_nmap.txt 10.10.10.76
SMB
nmap -vv --reason -Pn -sV -p 139,445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN nmap.smb 10.11.1.136