NMAP

A to Z about nmap n what you can do with it.

All TCP Ports

nmap -p- -Pn -n -vvv $ip -oA nmap/scan1

Version Detection n Default Scripts

nmap -p $ports -sCV $ip -oA nmap/scan2

UDP Scan

nmap -p- -sU $ip -oG udp.nmap

SMB Enum

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.16.35

nmap —script smb-vuln* -p 137,139,445 10.11.1.5 
 
sudo nmap -p445 --script smb-protocols 10.10.10.40


https://book.hacktricks.xyz/pentesting/pentesting-smb#port-445

NFS Enum

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.16.35

OS Discovery

nmap -p 139,445 --script-args=unsafe=1 --script=smb-os-discovery 10.11.1.5 

Formatting Output BashFu

nmap output filter

list of open ports in a comma seperate line -oN

cat output.nmap | grep “open” | grep -v “filtered” | cut -d “/” -f 1 | sort -u | cat *.nmap | grep “open” | grep -v “filtered” | cut -d “/” -f 1 | sort -u | xargs | tr ' ' ','

xargs for writing everything in one line sepearted by a space tr to replace the mentioned char with mentioned char grep -v for negative grep ... remove lines with this keyword

nmap --script "http*" 10.10.10.12

runs all the scripts having http keyword in starting

nmap --script-updatedb

when u add some customm script in nse path and want to use it

nmap --script banner ip

nmap --script default ip =this is equals to= -sC

nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p- ip

instead of verbosity we use --stats-every 3m

above scan acts as stage one scan

stage 2 scan is like

nmap -nvvv -Pn -sSV -p22,80,111,139,445 --version-intensity 9 -A ip

nmap --top-ports 1000 0sU --stats-every 3m --max-retires 1 -T3 ip

ips bypass techniques

--scan-delay 15s

1 probe every 15 seconds

--max-rate 0.1

1 packet every 10 seconds

-f

8 byte fragmentpackets

--mtu 16

16 byte fragment packet max trasnfer unit