Target Specification
-iL <inputfilename> (Input from list)
-iR <num hosts> (Choose random targets)
--exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)
--excludefile <exclude_file> (Exclude list from file)
Host Discovery
-sL (List Scan)
-sn (No port scan)
-Pn (No ping)
-PS <port list> (TCP SYN Ping)
-PA <port list> (TCP ACK Ping)
-PU <port list> (UDP Ping)
-PY <port list> (SCTP INIT Ping)
-PE; -PP; -PM (ICMP Ping Types)
-PO <protocol list> (IP Protocol Ping)
-PR (ARP Ping)
--disable-arp-ping (No ARP or ND Ping)
--traceroute (Trace path to host)
-n (No DNS resolution)
-R (DNS resolution for all targets)
--system-dns (Use system DNS resolver)
--dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)
Port Scanning Basics
port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered
Port Scanning Techniques
-sU (UDP scans)
-sS (TCP SYN scan)
-sT (TCP connect scan)
-sY (SCTP INIT scan)
-sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
-sA (TCP ACK scan)
-sW (TCP Window scan)
-sM (TCP Maimon scan)
--scanflags (Custom TCP scan)
-sZ (SCTP COOKIE ECHO scan)
-sI <zombie host>[:<probeport>] (Idle scan)
-sO (IP protocol scan)
-b <FTP relay host> (FTP bounce scan)
Port Specification and Scan Order
-p <port ranges> (Only scan specified ports)
--exclude-ports <port ranges> (Exclude the specified ports from scanning)
-F (Fast (limited port) scan)
-r (Don't randomize ports)
--port-ratio <ratio> (Scan ports with a frequency ratio above the given decimal number between 0 and 1)
--top-ports <n> (Scan the n most common ports)
Service and Version Detection
-sV (Version detection)
--allports (Don't exclude any ports from version detection)
--version-intensity <intensity> (Set version scan intensity)
--version-light (Enable light mode)
--version-all (Try every single probe)
--version-trace (Trace version scan activity)
OS Detection
-O (Enable OS detection)
--osscan-limit (Limit OS detection to promising targets)
--osscan-guess; --fuzzy (Guess OS detection results)
--max-os-tries (Set the maximum number of OS detection tries against a target)
Nmap Scripting Engine (NSE)
-sC (Script scan using the default set of scripts; equivalent to --script=default)
--script <filename>|<category>|<directory>|<expression>[,...] (Run a script scan using the comma-separated list of filenames, script categories, and directories)
--script-args <n1>=<v1>,<n2>={<n3>=<v3>},<n4>={<v4>,<v5>} (Provide arguments to NSE scripts)
--script-args-file <filename> (Load arguments to NSE scripts from a file)
--script-help <filename>|<category>|<directory>|<expression>|all[,...] (Show help about scripts)
--script-trace (Does what --packet-trace does, just one ISO layer higher)
--script-updatedb (Update the script database in scripts/script.db, which Nmap uses to determine the available default scripts and categories)
Timing and Performance
--min-hostgroup <numhosts>; --max-hostgroup <numhosts> (Adjust parallel scan group sizes)
--min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization)
--min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts)
--max-retries <numtries> (Specify the maximum number of port scan probe retransmissions)
--host-timeout <time> (Give up on slow target hosts)
--script-timeout <time>
--scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes)
--min-rate <number>; --max-rate <number> (Directly control the scanning rate)
--defeat-rst-ratelimit
--defeat-icmp-ratelimit
--nsock-engine epoll|kqueue|poll|select
-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)
Firewall/IDS Evasion and Spoofing
-f (fragment packets); --mtu (using the specified MTU)
-D <decoy1>[,<decoy2>][,ME][,...] (Cloak a scan with decoys)
-S <IP_Address> (Spoof source address)
-e <interface> (Use specified interface)
--source-port <portnumber>; -g <portnumber> (Spoof source port number)
--data <hex string> (Append custom binary data to sent packets)
--data-string <string> (Append custom string to sent packets)
--data-length <number> (Append random data to sent packets)
--ip-options <S|R [route]|L [route]|T|U ... >; --ip-options <hex string> (Send packets with specified ip options)
--ttl <value> (Set IP time-to-live field)
--randomize-hosts (Randomize target host order)
--spoof-mac <MAC address, prefix, or vendor name> (Spoof MAC address)
--proxies <Comma-separated list of proxy URLs> (Relay TCP connections through a chain of proxies)
--badsum (Send packets with bogus TCP/UDP checksums)
--adler32 (Use deprecated Adler32 instead of CRC32C for SCTP checksums)
Output
-oN <filespec> (normal output)
-oX <filespec> (XML output)
-oG <filespec> (grepable output)
-oA <basename> (Output to all formats)
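The XML output (-oX) is the format meant for machine consumption; the following is an added example, not part of the original cheat sheet or of Nmap itself, showing how to parse it with Python's standard library, apply the equivalent of --open and --reason to the parsed result, and diff the open ports against an expected baseline. The XML document embedded below is a constructed sample in the -oX layout (addresses in the documentation range 192.0.2.0/24, not a real scan); the function names and the baseline format are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan), trimmed to the
# elements the parser below uses.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX out.xml 192.0.2.0/30" start="0" version="7.70">
<host>
<status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
</ports>
</host>
<host>
<status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
</host>
<runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per <host>: address, up/down status with the same
    reason string --reason prints, and a list of port dicts (empty for
    hosts that were never port-scanned, e.g. hosts found down)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # fall back to any address element (e.g. ipv6)
            addr = host.find("address")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            product = ""
            if service is not None:  # product/version only present with -sV
                product = " ".join(
                    v for v in (service.get("product"), service.get("version")) if v
                )
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service.get("name") if service is not None else None,
                "product": product,
            })
        hosts.append({
            "addr": addr.get("addr") if addr is not None else None,
            "status": status.get("state") if status is not None else None,
            "reason": status.get("reason") if status is not None else None,
            "ports": ports,
        })
    return hosts


def open_ports(hosts):
    """(addr, proto, port) for every port in state 'open', like --open."""
    return [
        (h["addr"], p["proto"], p["port"])
        for h in hosts
        for p in h["ports"]
        if p["state"] == "open"
    ]


def unexpected_open(hosts, baseline):
    """Open ports not listed in baseline {addr: {allowed port numbers}}:
    the check that turns a periodic scan into an alert list."""
    return [
        (addr, proto, port)
        for addr, proto, port in open_ports(hosts)
        if port not in baseline.get(addr, set())
    ]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for h in parsed:
        print("%s %s (%s)" % (h["addr"], h["status"], h["reason"]))
        for p in h["ports"]:
            print("  %d/%s %s (%s) %s %s" % (
                p["port"], p["proto"], p["state"], p["reason"],
                p["service"] or "", p["product"]))
    # Assumed baseline: only ssh is expected on 192.0.2.10, so 80/tcp is flagged.
    print("unexpected:", unexpected_open(parsed, {"192.0.2.10": {22}}))
```

To use it on a real scan, pass the contents of the file written by -oX to parse_nmap_xml; combining -oX with --reason costs nothing, since the reason attributes are always written to the XML.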
Verbosity and debugging options
-v (Increase verbosity level); -v<level> (Set verbosity level)
-d (Increase debugging level); -d<level> (Set debugging level)
--reason (Host and port state reasons)
--stats-every <time> (Print periodic timing stats)
--packet-trace (Trace packets and data sent and received)
--open (Show only open (or possibly open) ports)
--iflist (List interfaces and routes)
Miscellaneous output options
--append-output (Append to rather than clobber output files)
--resume <filename> (Resume aborted scan)
--stylesheet <path or URL> (Set XSL stylesheet to transform XML output)
--webxml (Load stylesheet from Nmap.Org)
--no-stylesheet (Omit XSL stylesheet declaration from XML)
Miscellaneous Options
-6 (Enable IPv6 scanning)
-A (Aggressive scan options)
--datadir <directoryname> (Specify custom Nmap data file location)
--servicedb <services file> (Specify custom services file)
--versiondb <service probes file> (Specify custom service probes file)
--send-eth (Use raw ethernet sending)
--send-ip (Send at raw IP level)
--privileged (Assume that the user is fully privileged)
--unprivileged (Assume that the user lacks raw socket privileges)
--release-memory (Release memory before quitting)
-V; --version (Print version number)
-h; --help (Print help summary page)
Runtime Interaction
v / V (Increase / decrease the verbosity level)
d / D (Increase / decrease the debugging level)
p / P (Turn on / off packet tracing)
? (Print a runtime interaction help screen)
Examples
nmap -v scanme.nmap.org
nmap -sS -O scanme.nmap.org/24
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
nmap -v -iR 100000 -Pn -p 80
nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
https://nmap.org/book/toc.html
nmap 172.16.60.208 /--- top 1000 ports
-n no DNS resolution; -sP ping scan = ICMP echo request, SYN to 443, ACK to 80, ICMP timestamp request
nmap -sP 192.168.* -n (or /24, or 1,2,3...) /--- ping scan without DNS resolution
nmap 172.16.65.91 -O /--- OS detection
nmap -p80 172.16.60.208 /--- specific TCP port
nmap -p80-100 172.16.60.208 /--- specific TCP port range
nmap 172.16.60.1/24 -p- /--- -p- checks the full port range
nmap -sS -sV -p5988 172.16.1.172 /--- check a specific port
-sn: Ping Scan
-Pn: Treat all hosts as online -- skip host discovery
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sV: Probe open ports to determine service/version info
-sU: UDP Scan
-sO: IP protocol scan
-f; --mtu <val>: fragment packets (optionally w/given MTU)
nmap -p445 --script smb-vuln-ms17-010 172.16.0.16 (shows SMB vulnerability info)
dardan/cyberacademy/nmap.txt · Last modified: 2018/08/30 08:43 by dardan
