Nmap

A short wiki of Nmap scripts and tricks to use in different scenarios

Clickjacking Script

sudo nmap --script clickjacking-prevent-check -Pn -p 443 www.example.com -oN NmapClickJacking.txt

DNS Cache Snooping

sudo nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={www.google.com}' 192.168.1.253-

Greppable Output

sudo nmap -PER -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}'
nmap -n -sn 192.0.2.0/24 -oG - | awk '/Up$/{print $2}'

Internal IP Leak

nmap --script http-internal-ip-disclosure -oN NmapIPLeak.txt www.example.com

Terminal Services RDP

sudo nmap -p3389 --script rdp-enum-encryption 192.168.0.1

Default Credential Scanning

nmap -p80 --script http-default-accounts host/ip

The command above can be extended to cover common web ports by passing the following list to -p:

66,80,81,443,445,457,1080,1100,1241,1352,1433,1434,1521,1944,2301,3128,3306,4000,4001,4002,4100,4433,5000,5432,5800,5801,5802,6346,6347,7001,7002,8008,8080,8443,8888,30821

Telnet

sudo nmap -p23 192.168.9.232 --script telnet-encryption

Host Discovery

nmap -sn 10.0.0.0/24 -oN output.txt
nmap -Pn 10.0.0.0/24 -oN output.txt (no Ping scan)

TCP Scan

All ports with -A (OS detection, version detection, default scripts and traceroute); use -sSV instead for a SYN scan with version detection only

nmap -iL Desktop/desktopstargets -sS -p 0-65535 -A --min-rate=2000 -oN Desktop/desktops_tcp_script --stats-every 10s

Top 1000 ports

nmap -sSV -iL hostlist.txt -oN TCPTop100VersionScan.txt

UDP Scan Top 1000

nmap -sU -iL hostlist.txt -oN UDPTop1000Scan.txt --max-rtt-timeout=220ms --max-retries 0

UDP All ports

nmap -sU -iL hostlist.txt -p0-65535 -oN UDPTop1000Scan.txt --max-rtt-timeout=220ms --max-retries 0

Find Hosts

sudo nmap -PER -sn 192.168.93.0/24 -oG - | awk '/Up$/{print $2}'
nmap -PER -sn 172.16.10.0/24 (find live hosts on an IP range)
nmap -sn 10.0.0.0/24 -oN file (ping scan)
nmap -Pn 10.0.0.0/24 -oN file (no ping)
Sometimes shown as -P0 (zero)
arp-scan 10.0.0.0/24 - ARP can't get past routers
nmap -sP 10.0.0.0/24 - ARP can't get past routers
ettercap - ARP can't get past routers

Find Services

nmap -sSV -p0-65535 -oN text.txt 10.0.0.1 --script=banner
nmap -sUV -p0-65535 --script=ssl*,tls* 10.0.0.5 --max-rtt-timeout=250ms --max-retries 0 -oN file
ncat -v -n -t -w 10.0.0.1 1-100
nmap -iL text.txt
nmap -O 10.0.0.1 (OS detection)
--script=ssl*,tls* (ssl and tls scripts)

IP or File Exclusion

--excludefile <filename> (exclude a list of IPs read from a file)
--exclude <ip> (exclude a single IP)

Scripts

Locate the Nmap script files (.nse) on the system:
find / -name '*.nse' 2>/dev/null
or
updatedb
locate '*.nse'

NFS Share

nmap -sV --script=nfs-showmount <target>

LDAP Port 389

nmap -p389 --script ldap-rootdse 10.0.0.1

Nmap HTML Output Conversion

nmap -A -oX nmapoutput.xml -T5 192.168.0.1
xsltproc nmapoutput.xml -o scanme.html

Nmap Timing Template

Nmap has multiple timing templates that can be selected according to the requirement. To see the values a timing template sets, run the scan with the -d (debug) option:

nmap -T4 -d -p21-25 192.168.1.139

Maximum Retries (--max-retries)

--max-retries sets the number of times a probe is resent to a port to determine whether it is open or closed. With --max-retries 0, each probe is sent to a port only once and never retried.

nmap -p21-25 192.168.1.139 --max-retries 0

Host-timeout

--host-timeout tells the scan to give up on a host after the specified time. The shorter the timeout, the higher the chance of inaccurate scan results.

The time can be given in milliseconds (ms), seconds (s) or minutes (m).

nmap -p21-25 192.168.1.139 --host-timeout 100ms

Hostgroup

The hostgroup options control how many hosts in the network are scanned at a time. You can specify the minimum number of hosts, the maximum number of hosts, or both.

nmap -sP 192.168.1.1/24 --min-hostgroup 3 --max-hostgroup 3

Maximum rate (max-rate)

The rate options control how fast packets are sent, in other words how many packets are sent per second. --max-rate caps the number of packets sent per second.

nmap -p21-25 192.168.1.139 --max-rate 2

Minimum rate (min-rate)

--min-rate sets the minimum number of packets to be sent at once. To send at least 2 packets at a time to the target's network, and never fewer, run the command below.

nmap -p21-25 192.168.1.139 --min-rate 2

Parallelism

The parallelism options control how many probes are sent in parallel: --min-parallelism means the number of probes sent in parallel must be greater than the value specified, and --max-parallelism means it must be less than or equal to the value specified.

nmap -p21-25 192.168.1.139 --min-parallelism 2 --max-parallelism 2

Max-rtt-timeout

--max-rtt-timeout sets the maximum time Nmap waits for a probe's reply before giving up on that probe.

nmap -p21-25 192.168.1.139 --max-rtt-timeout 50ms

Output Live Machines on a network with Nmap

nmap -n -sn 192.0.2.0/24 -oG - | awk '/Up$/{print $2}'
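
The awk one-liner above keeps only the IP of each "Status: Up" line. The following parser, added here as an example and not part of the original wiki, reads the same greppable (-oG) format in Python and goes one step further: it also pulls the open ports and service names from the "Ports:" lines a port scan adds. The scan text embedded in it is constructed sample output, not a real scan, and the script name in the usage line is an assumption.

```python
"""Parse Nmap greppable (-oG) output: live hosts plus open ports per host."""
import re
import sys

# Constructed sample of nmap -oG output (not a real scan), with a "Status:" line
# and a port-scan "Ports:" line for the same host, plus one host that is down.
SAMPLE_GREPPABLE = (
    "# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -n -sS -p22,80,443 192.0.2.0/24 -oG -\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/closed/tcp//http///, 443/open/tcp//https//nginx 1.24/\n"
    "Host: 192.0.2.7 ()\tStatus: Down\n"
    "Host: 192.0.2.10 (web.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web.example.test)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4/, 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "# Nmap done at Mon Jan  1 09:00:12 2024 -- 256 IP addresses (2 hosts up) scanned in 12.40 seconds\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_greppable(text):
    """Return {ip: {"hostname": str, "status": str|None, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' banner and summary lines
        fields = line.split("\t")  # -oG fields are tab separated
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, hostname = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                # Each entry is port/state/protocol/owner/service/rpc-info/version/
                for spec in value.split(", "):
                    parts = spec.split("/")
                    entry["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": parts[6],
                    })
    return hosts


def live_hosts(text):
    """IPs whose Status field is Up (what awk '/Up$/{print $2}' prints)."""
    return [ip for ip, e in parse_greppable(text).items() if e["status"] == "Up"]


def open_ports(text):
    """{ip: [(port, proto, service), ...]} listing only open ports on live hosts."""
    return {
        ip: [(p["port"], p["proto"], p["service"]) for p in e["ports"] if p["state"] == "open"]
        for ip, e in parse_greppable(text).items()
        if e["status"] == "Up"
    }


if __name__ == "__main__":
    # Usage (script name assumed): nmap -n -sS 192.0.2.0/24 -oG - | python3 parse_greppable.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GREPPABLE
    for ip, ports in open_ports(data).items():
        print(ip, " ".join(f"{port}/{proto}:{svc}" for port, proto, svc in ports) or "(no open ports listed)")
```

Piped from a plain -sn sweep the "Ports:" lines are absent, so the output is just the live host list; with a port scan it becomes a per-host inventory of open ports that is easier to feed into further tooling than the raw text.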

During Red Team operations it is sometimes beneficial to monitor the dynamic nature of the client's infrastructure. As an initial step we can use Nmap to record the network state at short intervals and check whether any specific port changes over time. A small bash script is enough for that; modify it as your requirements dictate.

RAW Bash Script

nmap-diffing.sh
#!/bin/bash
# Create the output directory if it does not exist yet
mkdir -p /Nmap-Diffing/
d=$(date +%Y-%m-%d)
y=$(date -d yesterday +%Y-%m-%d)
# Full TCP port scan saved as XML so ndiff can compare it with the previous run
/usr/bin/nmap -Pn -A -sV --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oX /Nmap-Diffing/scan_$d.xml 192.168.0.1/24 > /dev/null 2>&1
# Compare against yesterday's scan when one exists
if [ -e /Nmap-Diffing/scan_$y.xml ]; then
	/usr/bin/ndiff /Nmap-Diffing/scan_$y.xml /Nmap-Diffing/scan_$d.xml > /Nmap-Diffing/diff.txt
fi

Setting up Cron

We can also set up a cron job and redirect logs to a file for our reference by adding cron job as below

crontab -e
0 9 * * * /THP/Recon/nmap-diffing.sh >> /var/log/demowebsite.log 2>&1

This is a very basic script that runs nmap every day using default ports and then uses ndiff to compare the results. We can then take the output of this script and use it to notify our team of new ports discovered daily.
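
The script above leaves the comparison to ndiff. The following Python program, added here as an example and not part of the original page or of Nmap, does the comparison itself on the two -oX files and produces a short summary of new hosts, gone hosts, and newly opened or closed ports, which is the piece that would feed the daily team notification. The two XML documents embedded in it are constructed, trimmed samples of Nmap's XML output, not real scans, and the script name in the usage line is an assumption.

```python
"""Report newly exposed ports between two Nmap XML (-oX) scans."""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample XML (only the elements the parser reads), not real scans.
YESTERDAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan_2024-01-01.xml 192.0.2.0/24">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
</nmaprun>
"""

TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan_2024-01-02.xml 192.0.2.0/24">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="down"/><address addr="192.0.2.20" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.0.2.30" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port></ports></host>
</nmaprun>
"""


def open_ports_from_xml(xml_text):
    """Return {ip: {(proto, port): service_name}} for hosts whose status is up."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts carry no port data worth comparing
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                service = port.find("service")
                name = service.get("name", "") if service is not None else ""
                ports[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr.get("addr")] = ports
    return result


def diff_scans(old_xml, new_xml):
    """Compare two scans; opened/closed entries are (ip, proto, port, service)."""
    old, new = open_ports_from_xml(old_xml), open_ports_from_xml(new_xml)
    changes = {"new_hosts": [], "gone_hosts": [], "opened": [], "closed": []}
    for ip in sorted(set(old) | set(new), key=ipaddress.ip_address):
        if ip not in new:
            changes["gone_hosts"].append(ip)  # host down today; its ports are not listed as closed
            continue
        if ip not in old:
            changes["new_hosts"].append(ip)  # every open port on a new host is reported as opened
        before, after = old.get(ip, {}), new[ip]
        for proto, port in sorted(after.keys() - before.keys()):
            changes["opened"].append((ip, proto, port, after[(proto, port)]))
        for proto, port in sorted(before.keys() - after.keys()):
            changes["closed"].append((ip, proto, port, before[(proto, port)]))
    return changes


def format_report(changes):
    """Plain-text summary for the daily notification; empty string when nothing changed."""
    lines = [f"NEW HOST  {ip}" for ip in changes["new_hosts"]]
    lines += [f"GONE HOST {ip}" for ip in changes["gone_hosts"]]
    lines += [f"OPENED    {ip} {port}/{proto} {svc}" for ip, proto, port, svc in changes["opened"]]
    lines += [f"CLOSED    {ip} {port}/{proto} {svc}" for ip, proto, port, svc in changes["closed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage (script name assumed): python3 nmap_xml_diff.py /Nmap-Diffing/scan_<yesterday>.xml /Nmap-Diffing/scan_<today>.xml
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            report = format_report(diff_scans(f_old.read(), f_new.read()))
    else:
        report = format_report(diff_scans(YESTERDAY_XML, TODAY_XML))
    print(report or "no changes")
```

Run in place of the ndiff line in the cron job, an empty report means nothing changed, so the caller can skip the notification on quiet days and only alert on a non-empty summary.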
