Hacknetics
  • Hacknetics
  • Active Directory Management
    • How to Join a Windows 11 PC to a Domain
    • Allow RDP in the domain
  • Active Directory AD Attacks
    • Bloodhound
      • Bloodhound Cypher Queries
    • Impacket-install
    • Kerberos cheatsheet
    • Domain Controllers
    • Overpass The Hash/Pass The Key (PTK)
    • Bloodhound Python
    • Rubeus to Ccache
    • Silver Ticket
    • Golden Ticket
    • Abusing GPO Permissions
    • AppLocker Bypasses
    • SharpView Enumeration
    • DonPapi
    • AD Overview
    • Enumerating Forests
    • NOPAC Priv esc
  • buffer-overflows
    • Buffer Overflows
  • c2-frameworks
    • Sliver
    • Powershell Empire
      • IronPython Empire
    • Metasploit
      • Metasploit Basics
      • Custom MSF Resource Scripts
      • Meterpreter Device Survey
      • Paranoid Mode
    • Pwncat-cs
    • Cobalt Strike
    • Dcrat
      • Modules
      • Builder
      • Dcrat AV Evasion
      • C2 Comms
    • FFM Documentation
  • covering-tracks
    • Evading Logging and Monitoring
    • Linux Logging
    • Tor
    • Windows Log Clearing
    • Ghost Writing Binaries
    • Backdoor Linux Commands
  • Data Exfiltration
  • Exploit Development
    • ROP Finding the vulnerable function
    • Useful Tools for Exploit Dev
    • ropeme
    • Obtaining MSFT Patches for Analysis
    • Mutiny Fuzzer
    • GDB
  • file-transfers
    • Transfering Files
  • lateral-movement
    • Pivoting Enumeration
      • Proxychains and FoxyProxy
      • SSH Tunneling and Port Forwarding
      • Plink.exe
      • socat
      • Chisel
      • SShuttle
  • lin-priv-esc
    • Linux Privilege Escalation
    • Bash Jails
    • ssh agent
  • Things I have Pwn'd before
    • Tomcat
    • Jenkins
  • persistence
    • Linux Persistence
    • Windows Persistence
      • Assign Group Memberships
      • Guest Windows Account Persistence
      • WMI Persist With Event Filters
      • SAM SYSTEM Exfil / Pass The Hash
      • Backdoor Executable
      • Special Privileges and Security Descriptors
      • RID Hijacking
      • Task Scheduler
      • Hijacking File Associations
      • Abusing Services
      • Logon Triggered Persistence
      • MSSQL Enabling xp cmdshell
      • Sticky Keys
      • Using Web Shells
  • recon-enumeration
    • Exploit Research
    • Pentesting DNS
    • Pentesting Kerberos
    • Pentesting FTP
    • Pentesting Email
    • Pentesting SMB
    • Pentesting Redis
    • Banner Grabbing
    • Pentesting Rsync
    • Pentesting MsSql
    • Scanning
    • Pentesting SNMP
    • Pentesting NFS
    • Pentesting LDAP
    • Pentesting Finger
    • User Recon
  • resources
    • resources
    • Youtube / Book List
    • CS/Software Engineer Resources
  • shells
    • Shells
    • web-shells
      • PHP Reverse Shell
      • wwwolf's PHP web shell
  • tool-guides
    • Asymmetric File Encrypt and Decrypt
    • Aws Buckets
    • cewl-crunch
    • Creating a Custom Wordlist
    • evil-winrm
    • Git
    • gobuster
    • Hashcat
    • Hydra User Guide
    • John
    • Linux Basics
    • Mimikatz
    • netcat
    • Nmap
    • nuclei
    • PowerView
    • r2
    • Resources
    • tcpdump
    • T-Shark User Guide
    • tmux
    • ssh
    • Vim
    • Wireshark
    • kwp
    • LAPS
    • KeePass KeeThief
    • FileCryptography.psm1
    • Impacket Pastable Commands
    • crackmapexec Pastable Commands
    • feroxbuster
    • NetExec
    • Ligolo-ng
    • gs-netcat
    • Scarecrow
  • Web Path
    • Testing for LFI
    • Testing for RFI
    • Testing for SQL
    • Testing for XSS
    • Authentication Bypass
    • Cmd Injection
    • Javascript Vulnerabilities
    • SSTI
    • Web Servers
    • JWT Tokens
    • Adobe Coldfusion
    • NoSQL Injection
    • vhost Enumeration
  • Wifi/Bluetooth/ZigBee/SDR/SmartCards
    • Wifi Capture Filters
    • Bluetooth Basics
    • Wifi Overview
    • Bettercap Bluetooth / Wifi
    • Aircrack-ng
    • Airdecap-ng
    • Aireplay-ng
    • RTL-SDR Radio
    • Bluetooth Low Energy
    • Smart Cards
    • Airodump-ng Airgraph-ng
    • gqrx
  • Windows
    • powershell-cheatsheet
    • Windows Privlage Escalation
    • Anti-Virus Evasion
    • Windows Registry
    • exploits
      • printspoofer
    • Windows Kernel Vulnerabilities
    • Windows Defender
    • AMSI Bypasses
    • pktmon Packet Capture Windows
    • Powershell Constrained Language Mode
    • Windows Survey
    • Windows Persistence
    • Windows World Writeable Dirs
  • firewalls
    • iptables
    • ufw
    • netsh advfirewall
  • Malware Analysis
    • Malware Analysis Fundamentals
    • Packer Identification by File section names
    • Analyzing Malicious Documents
    • In Depth Malware Analysis
    • Reversing Malicious Code
  • Infrastructure Development
    • SSL Cert Generation
    • Pfsense
      • OpenVPN Server on Pfsense
    • Proxmox OVA Import
  • Python3 Reference
    • Python3 Cheatsheet
    • Regex Python3
  • EDR
    • Velociraptor EDR
  • Host Forensics
    • Windows Host Forensics
    • Windows NT Versions
    • Windows Logs
  • Cloud
    • AWS
  • OSINT
    • Spiderfoot
    • Shodan Dorks
  • Phishing
  • Random
  • Linux
    • awk
    • cut
    • grep
    • sort
    • Cups CVE2024
  • Windows Malware Development
    • Win32 API
    • Processes Threads Handles
      • Message Box Example (Basic)
      • CreateProcess Example (Basic)
  • Golang
  • Mikrotik
    • Implementing a Password Reset Function for Persistent Access in MikroTik RouterOS
    • Cleaner Wrasse
  • Firmware Reversing
Powered by GitBook
On this page
  • Host Discovery
  • Option Purpose
  • Port Scan Type Example Command
  • Option Purpose
  • Nmap Results
  • Nmap Advanced Scanning
  • Port Scan Type Example Command
  • Option Purpose
  • Option Purpose
  • Subnet enumeration
  • Top 3000 Packets
  • TCP Header
  • NSE
  • Script Category Description
  • Run Scripts
  • NSE + Output
  • Searching Through Output

Was this helpful?

Edit on GitHub
  1. tool-guides

Nmap

Host Discovery

  • Scan Type Example Command

  • ARP Scan sudo nmap -PR -sn MACHINE_IP/24

  • ICMP Echo Scan sudo nmap -PE -sn MACHINE_IP/24

  • ICMP Timestamp Scan sudo nmap -PP -sn MACHINE_IP/24

  • ICMP Address Mask Scan sudo nmap -PM -sn MACHINE_IP/24

  • TCP SYN Ping Scan sudo nmap -PS22,80,443 -sn MACHINE_IP/30

  • TCP ACK Ping Scan sudo nmap -PA22,80,443 -sn MACHINE_IP/30

  • UDP Ping Scan sudo nmap -PU53,161,162 -sn MACHINE_IP/30

  • Remember to add -sn if you are only interested in host discovery without port-scanning. Omitting -sn will let Nmap default to port-scanning the live hosts.

Option Purpose

  • -n no DNS lookup

  • -R reverse-DNS lookup for all hosts

  • -sn host discovery only

Port Scan Type Example Command

  • TCP Connect Scan nmap -sT MACHINE_IP

  • TCP SYN Scan sudo nmap -sS MACHINE_IP

  • UDP Scan sudo nmap -sU MACHINE_IP

  • These scan types should get you started discovering running TCP and UDP services on a target host.

Option Purpose

  • -p- all ports

  • -p1-1023 scan ports 1 to 1023

  • -F 100 most common ports

  • -r scan ports in consecutive order

  • -T<0-5> -T0 being the slowest and T5 the fastest

  • --max-rate 50 rate <= 50 packets/sec

  • --min-rate 15 rate >= 15 packets/sec

  • --min-parallelism 100 at least 100 probes in parallel

Nmap Results

  • Open: indicates that a service is listening on the specified port.

  • Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.

  • Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.

  • Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan -sA.

  • Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.

  • Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.

Nmap Advanced Scanning

Port Scan Type Example Command

  • TCP Null Scan sudo nmap -sN MACHINE_IP

  • TCP FIN Scan sudo nmap -sF MACHINE_IP

  • TCP Xmas Scan sudo nmap -sX MACHINE_IP

  • Three above scan types can be efficient when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall will check if the incoming packet has the SYN flag set to detect a connection attempt. Using a flag combination that does not match the SYN packet makes it possible to deceive the firewall and reach the system behind it.

  • TCP Maimon Scan sudo nmap -sM MACHINE_IP

  • TCP ACK Scan sudo nmap -sA MACHINE_IP

  • TCP Window Scan sudo nmap -sW MACHINE_IP

  • Custom TCP Scan sudo nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP

  • Spoofed Source IP sudo nmap -S SPOOFED_IP MACHINE_IP

  • Spoofed MAC Address --spoof-mac SPOOFED_MAC

  • Decoy Scan nmap -D DECOY_IP,ME MACHINE_IP

  • Idle (Zombie) Scan sudo nmap -sI ZOMBIE_IP MACHINE_IP

  • Fragment IP data into 8 bytes -f

  • Fragment IP data into 16 bytes -ff

Option Purpose

  • --source-port PORT_NUM specify source port number

  • --data-length NUM append random data to reach given length

  • These scan types rely on setting TCP flags in unexpected ways to prompt ports for a reply. Null, FIN, and Xmas scan provoke a response from closed ports, while Maimon, ACK, and Window scans provoke a response from open and closed ports.

Option Purpose

  • --reason explains how Nmap made its conclusion

  • -v verbose

  • -vv very verbose

  • -d debugging

  • -dd more details for debugging

Subnet enumeration 

user@slingshot:~$ nmap -n -sn 10.130.10.0/24 --packet-trace

Starting Nmap 7.60 ( https://nmap.org )
SENT (0.0509s) ICMP [10.254.252.2 > 10.130.10.1 Echo request (type=8/code=0) id=65308 seq=0] IP [ttl=44 id=3373 iplen=28 ]
SENT (0.0513s) ICMP [10.254.252.2 > 10.130.10.2 Echo request (type=8/code=0) id=27237 seq=0] IP [ttl=37 id=41108 iplen=28 ]
SENT (0.0517s) ICMP [10.254.252.2 > 10.130.10.3 Echo request (type=8/code=0) id=64932 seq=0] IP [ttl=37 id=40840 iplen=28 ]
SENT (0.0520s) ICMP [10.254.252.2 > 10.130.10.4 Echo request (type=8/code=0) id=45780 seq=0] IP [ttl=59 id=29404 iplen=28 ]

  • --packet-trace will show you the enumeration packets sent out

Top 3000 Packets

  • By default nmap will scan the top 1000 ports, if you dont want to scan all 65536 ports but want to scan more than just 1000 you can scan 3000 like seen below 

sudo nmap -n -sT 10.130.10.33 --top-ports 3000

TCP Header

NSE

Script Category Description

  • auth Authentication related scripts

  • broadcast Discover hosts by sending broadcast messages

  • brute Performs brute-force password auditing against logins

  • default Default scripts, same as -sC

  • discovery Retrieve accessible information, such as database tables and DNS names

  • dos Detects servers vulnerable to Denial of Service (DoS)

  • exploit Attempts to exploit various vulnerable services

  • external Checks using a third-party service, such as Geoplugin and Virustotal

  • fuzzer Launch fuzzing attacks

  • intrusive Intrusive scripts such as brute-force attacks and exploitation

  • malware Scans for backdoors

  • safe Safe scripts that won’t crash the target

  • version Retrieve service versions

  • vuln Checks for vulnerabilities or exploit vulnerable services

Run Scripts

nmap --script "http*" 10.10.10.10
nmap --script "ssh2-enum-algos" 10.10.220.56

NSE + Output

  • Option Meaning

  • -sV determine service/version info on open ports

  • -sV --version-light try the most likely probes (2)

  • -sV --version-all try all available probes (9)

  • -O detect OS

  • --traceroute run traceroute to target

  • --script=SCRIPTS Nmap scripts to run

  • -sC or --script=default run default scripts

  • -A equivalent to -sV -O -sC --traceroute

  • -oN save output in normal format

  • -oG save output in grepable format

  • -oX save output in XML format

  • -oA save output in normal, XML and Grepable formats

Searching Through Output

  • Looking for open port 445 in nmap output and returning ips 

grep ' 445/open/' /tmp/scan.gnmap | cut -d ' ' -f 2
10.130.10.4
10.130.10.5
10.130.10.6
10.130.10.21
10.130.10.25
10.130.10.33
10.130.10.44
10.130.10.45
PreviousnetcatNextnuclei

Last updated 10 months ago

Was this helpful?

tcp-header