Exploring Network Terrain: A Comprehensive Guide to Nmap Enumeration
As ethical hackers and penetration testers, our first step toward uncovering vulnerabilities within a network is thorough enumeration. Nmap, a powerful network scanning tool, offers a wide range of scanning techniques for gathering crucial information about target systems. In this article, we'll walk through a series of Nmap enumeration techniques, showing what each one is for and how it fits into an assessment.

1. Nmap Stealth Scan

sudo nmap -sS <TARGET IP>

The stealth (half-open) scan sends TCP SYN packets and never completes the three-way handshake, so the target application never sees a connection and the scan is quieter than a full connect; modern IDS and host firewalls still log the half-open attempts, and the raw packets it crafts are why it needs root.

2. Nmap Connect Scan

nmap -sT <TARGET IP>

The connect scan completes the full TCP handshake through the operating system's connect() call, so it needs no root privileges and is more reliable, but every connection is visible to the target service and its logs, making it more detectable.

3. Nmap UDP Scan

sudo nmap -sU <TARGET IP>

Uncover open UDP ports with this scan, crucial for discovering potential entry points (DNS, SNMP, NFS) that TCP scans miss entirely. Because UDP has no handshake, a port that does not answer is reported as open|filtered rather than open, and the scan is much slower than a TCP scan.

4. Nmap Combination Scan

sudo nmap -sS -sU <TARGET IP>

Combine the stealth and UDP scans for a comprehensive assessment of the target's network landscape.

5. Nmap Network Sweeping

nmap -sn <TARGET IP RANGE>

Conduct a ping sweep (host discovery only, no port scan) to identify live hosts within a specified IP range.

6. Nmap OS Fingerprinting

sudo nmap -O <TARGET IP>

Discover the operating system running on the target system using Nmap's OS fingerprinting, which compares the target's TCP/IP stack behaviour against Nmap's fingerprint database (root is needed for the raw probes it sends).

7. Nmap Top 20 Port Scan and Output to Greppable Format

nmap -sT -A --top-ports=20 <TARGET IP RANGE> -oG top-port-sweep.txt

Focus on the 20 most common ports, adding aggressive detection (-A enables OS detection, service version detection, the default NSE scripts and traceroute) and writing the results to a greppable file for further analysis.

8. Nmap Banner Grabbing/Service Enumeration

nmap -sV -sT -A <TARGET IP>

Retrieve detailed information about services running on open ports, aiding in vulnerability assessment.

9. Nmap Scripting Engine (NSE) - SMB OS Discovery

nmap <TARGET IP> --script=smb-os-discovery

Utilize Nmap's Scripting Engine to connect to the SMB service and determine the target system's operating system.

10. Nmap DNS Zone Transferring

nmap --script=dns-zone-transfer -p 53 <TARGET DNS SERVER>

Check for potential DNS zone transfers, a common misconfiguration that can lead to valuable information disclosure.

11. Nmap NSE View Help

nmap --script-help <SCRIPT NAME>
# e.g., nmap --script-help dns-zone-transfer

Access the Nmap Scripting Engine's help to understand the functionalities of specific scripts.

12. Nmap SMB Enumeration

nmap -v -p 139,445 -oG smb.txt <TARGET IP RANGE>

Sweep the range for hosts with the SMB ports 139 and 445 open, saving the results in greppable format; this list of SMB hosts is the starting point for the deeper SMB checks that follow.

13. Nmap SMB OS Discovery

nmap -v -p 139,445 --script=smb-os-discovery <TARGET IP>

Leverage Nmap's SMB OS Discovery script to determine the operating system of a host running SMB on ports 139 or 445.

14. Nmap SMB Vulnerability Detection (MS08-067)

nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 <TARGET IP>

Identify hosts missing the critical MS08-067 patch on their SMB service. The script only runs with unsafe=1 because the check can crash the target's SMB service, so use it with care on production systems.

15. Nmap Scan for NFS Shares (Portmapper, rpcbind)

nmap -v -p 111 <TARGET IP RANGE>

Locate hosts running the portmapper (rpcbind) on port 111, which NFS depends on; these hosts may be exporting NFS shares that expose sensitive information.

16. Nmap Find Services Registered with rpcbind

nmap -sV -p 111 --script=rpcinfo <TARGET IP RANGE>

Identify services registered with rpcbind, aiding in the discovery of additional attack vectors.

17. Nmap Scan for SNMP

sudo nmap -sU --open -p 161 <TARGET IP RANGE> -oG open-snmp.txt

Conduct a UDP scan to reveal open SNMP ports, a valuable resource for extracting network information.
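Items 7, 12 and 17 each write a greppable (-oG) file. The following added example, not from the original post, parses that format so the sweep results can be turned into an inventory of which hosts expose SMB or SNMP; the scan output is a constructed sample (hosts, hostnames and service strings are made up).

```python
import re
# Constructed sample of nmap -oG (greppable) output, not a real scan: one host
# from the top-20 TCP sweep and one from the UDP SNMP/rpcbind sweep above.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sT -A --top-ports=20 -oG top-port-sweep.txt 10.0.0.0/28
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/\tIgnored State: closed (17)\tOS: Linux 4.15 - 5.8
Host: 10.0.0.9 (printer.lab)\tStatus: Up
Host: 10.0.0.9 (printer.lab)\tPorts: 161/open/udp//snmp///, 111/open|filtered/udp//rpcbind///\tIgnored State: closed (18)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 16 IP addresses (2 hosts up) scanned in 5.12 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Map each IP to its hostname and a list of (port, state, proto, service, version)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header and footer lines carry no host data
        fields = line.split("\t")  # tab-separated: Host, then Status or Ports/OS/...
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, hostname = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                # Entry: port/state/proto/owner/service/rpcinfo/version/ (assumes no commas in version)
                parts = item.strip().split("/", 6)
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts
                entry["ports"].append((int(port), state, proto, service, version.rstrip("/")))
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp", include_open_filtered=False):
    """IPs whose scan shows port/proto open; UDP 'open|filtered' counts only if asked for."""
    wanted = {"open", "open|filtered"} if include_open_filtered else {"open"}
    return sorted(ip for ip, h in hosts.items()
                  if any(p == port and pr == proto and st in wanted
                         for p, st, pr, _s, _v in h["ports"]))

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("SMB exposed on:", hosts_with_open_port(scan, 445))
    print("SNMP exposed on:", hosts_with_open_port(scan, 161, "udp"))
```

Point parse_gnmap at the contents of top-port-sweep.txt, smb.txt or open-snmp.txt to get the same inventory from a real sweep.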
