Nmap

Clickjacking Script

sudo nmap --script clickjacking-prevent-check -Pn -p 443 www.example.com -oN NmapClickJacking.txt

DNS Cache Snooping

sudo nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={www.google.com}' 192.168.1.253-

Greppable Output

sudo nmap -PER -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}

nmap -n -sn 192.0.2.0/24 -oG - | awk '/Up$/{print $2}'

Internal IP Leak

nmap --script http-internal-ip-disclosure -oN NmapIPLeak.txt www.example.com

Terminal Services RDP

sudo nmap -p3389 --script rdp-enum-encryption 192.168.0.1

Default Credential Scanning:

nmap -p80 --script http-default-accounts host/ip

Could add common web ports above as follows:

66,80,81,443,445,457,1080,1100,1241,1352,1433,1434,1521,1944,2301,3128,3306,4000,4001,4002,4100,4433,5000,5432,5800,5801,5802,6346,6347,7001,7002,8008,8080,8443,8888,30821

Telnet

Host Discovery

TCP Scan

All ports All Scripts (use sSV for version detection)

Top 1000 ports

UDP Scan Top 1000

UDP All ports

Find Hosts

Find Services

IP or File Exclusion

Scripts

NFS Share

LDAP Port 389

Nmap HTML Output Conversion

Nmap Timing Template

As we have seen that Nmap has multiple timing templates that can be used differently as according to the requirement. Click here to check the timing scan article. Let’s see what’s inside the timing template. to get the description of timing template we’ll use -d attribute.

Maximum Retries (–max-retries)

–max-retries specifies the number of times a packet is to be resent on a port to check if it is open or closed. If –max-retries is set to 0, the packets will be sent only once on a port and no retries will be done.

Host-timeout

The –host-timeout is an attribute that specifies the scan to give up on a host after the specified time. The lesser the time specified the more are the chances of inaccuracy in scan results.

We can specify the time in milliseconds (ms), seconds (s), minutes (m)

Hostgroup

The host group attribute is specified to scan a specified number of hosts in the network at a time. You need to specify the minimum number of hosts or maximum number of hosts or both to be scanned at a time

Maximum rate (max-rate)

Rate is an attribute that specifies at what rate is the packets are to be sent, in other words, number of packets to be sent at a time. Max-rate specifies the maximum number of packets to be sent at once.

Minimum rate (min-rate)

Min-rate specifies the maximum number of packets to be sent at once. Here if we want at least 2 packets must be sent on target’s network at the same time not less than this, then need to execute below command.

Parallelism

Parallelism attribute is used to send multiple packets in parallel, min-parallelism means that the number of packets to be sent in parallel is to be greater than the value specified and max-parallelism means that the number of packets to be sent in parallel is to be less than or equal to the value specified

Max-rtt-timeout

max-rtt-timeout specifies the maximum value of time that is to be taken by a packet to return a reply

Output Live Machines on a network with Nmap

During the Red Team Operations, It is sometimes benifitial to monitor the dynamic nature of the client's Infrastructure. As a intial scan we can use nmap to monitor Network State in a short period of time gap and check if any specific port changes accordingly. We can simply use a small bash script for that. You can also modify this script as per your requirement.

RAW Bash Script

Setting up Cron

We can also set up a cron job and redirect logs to a file for our reference by adding cron job as below

This is a very basic script that runs nmap every day using default ports and then uses ndiff to compare the results. We can then take the output of this script and use it to notify our team of new ports discovered daily.