NMAP

A to Z about nmap and what you can do with it.

All TCP Ports

nmap -p- -Pn -n -vvv $ip -oA nmap/scan1

Version Detection and Default Scripts

nmap -p $ports -sCV $ip -oA nmap/scan2

UDP Scan

nmap -p- -sU $ip -oG udp.nmap

SMB Enum

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.16.35

nmap --script "smb-vuln*" -p 137,139,445 10.11.1.5

sudo nmap -p445 --script smb-protocols 10.10.10.40

https://book.hacktricks.xyz/pentesting/pentesting-smb#port-445

NFS Enum

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.16.35

OS Discovery

nmap -p 139,445 --script-args=unsafe=1 --script=smb-os-discovery 10.11.1.5 

Formatting Output BashFu

nmap output filter

List of open ports as one comma-separated line, built from normal (-oN) output:

cat output.nmap | grep "open" | grep -v "filtered" | cut -d "/" -f 1 | sort -nu | xargs | tr ' ' ','

Same thing across every .nmap file in the directory:

cat *.nmap | grep "open" | grep -v "filtered" | cut -d "/" -f 1 | sort -nu | xargs | tr ' ' ','

xargs writes everything on one line separated by spaces; tr replaces the first character with the second; grep -v is a negative grep, it removes every line containing the keyword (here it drops the "open|filtered" lines a UDP scan produces); sort -nu sorts the port numbers numerically and removes duplicates.

nmap --script "http*" 10.10.10.12

runs every NSE script whose name starts with "http"

nmap --script-updatedb

run this after dropping a custom script into the NSE scripts directory so nmap rebuilds its script database and can find it

nmap --script banner ip

nmap --script default ip (equivalent to -sC)

nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p- ip

Instead of verbose output we use --stats-every 3m, which prints a progress line every 3 minutes.

The scan above is the stage-one scan: all 65535 TCP ports, fast, no version detection.

The stage-two scan takes the ports found in stage one and goes deep on them:

nmap -nvvv -Pn -sSV -p22,80,111,139,445 --version-intensity 9 -A ip
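The two stages chain together naturally: the port-extraction pipeline from the Formatting Output BashFu section turns the stage-one -oN file into the -p list that the stage-two command takes. Here is that glue as a small POSIX shell helper. This is an added example, not part of the original notes: the sample nmap output is constructed, and the function names open_ports and stage_two_cmd are assumptions. It generalises the cat | grep | cut pipeline slightly, since it keys on the STATE column rather than the word "open" anywhere in the line, so "open|filtered" rows from UDP scans are excluded without a separate grep -v.

```shell
# Constructed sample of nmap normal (-oN) output; not a real scan result.
SAMPLE_NMAP_OUTPUT='# Nmap 7.94 scan initiated as: nmap -p- -Pn -n -vvv 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.012s latency).
Not shown: 65530 filtered ports
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
111/tcp   open          rpcbind
139/tcp   open          netbios-ssn
445/tcp   open          microsoft-ds
161/udp   open|filtered snmp
8080/tcp  filtered      http-proxy
# Nmap done -- 1 IP address (1 host up) scanned'

# open_ports: read nmap -oN text on stdin and print the open ports as a single
# comma-separated line (numerically sorted, duplicates removed, so several
# .nmap files can be concatenated into it). Only rows whose STATE column is
# exactly "open" are kept; "filtered" and "open|filtered" rows are dropped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, p, "/"); print p[1] }' \
        | sort -nu | xargs | tr ' ' ','
}

# stage_two_cmd: build the stage-two command line from a comma-separated port
# list and a target, mirroring the -sSV --version-intensity 9 -A scan above.
# It only prints the command; nothing is executed.
stage_two_cmd() {
    printf 'nmap -n -vvv -Pn -sSV -p%s --version-intensity 9 -A %s\n' "$1" "$2"
}

# Demo: in real use replace the sample with `cat nmap/scan1.nmap | open_ports`.
if [ "${1:-}" = "--demo" ]; then
    ports=$(printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_ports)
    echo "open ports: $ports"
    stage_two_cmd "$ports" 10.0.0.5
fi
```

Run it with `sh script.sh --demo` to see the extracted list and the generated stage-two command; in practice the port list comes from `cat nmap/scan1.nmap | open_ports` after the stage-one scan has written its -oA files.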

nmap --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 ip

IPS evasion techniques

--scan-delay 15s

1 probe every 15 seconds

--max-rate 0.1

1 packet every 10 seconds

-f

8-byte fragmented packets

--mtu 16

16-byte fragments (maximum transfer unit; must be a multiple of 8)


Last updated 3 years ago