Skip to main content

nmap


Exploring Network Terrain: A Comprehensive Guide to Nmap Enumeration
As ethical hackers and penetration testers, the first step in uncovering potential vulnerabilities within a network is thorough enumeration. Nmap, a powerful network scanning tool, offers a plethora of scanning techniques to gather crucial information about target systems. In this article, we'll delve into various Nmap enumeration techniques, showcasing their utility and providing insights into their application.

1. Nmap Stealth Scan

sudo nmap -sS <TARGET IP>

The stealth scan employs TCP SYN packets to quietly explore open ports without completing the full TCP handshake, reducing the likelihood of detection.

2. Nmap Connect Scan

nmap -sT <TARGET IP>

The connect scan establishes a full TCP connection to target ports, offering a more reliable but potentially more detectable method of enumeration.

3. Nmap UDP Scan

sudo nmap -sU <TARGET IP>

Uncover open UDP ports with this scan, crucial for discovering potential entry points often missed by TCP scans.

4. Nmap Combination Scan

sudo nmap -sS -sU <TARGET IP>

Combine the stealth and UDP scans for a comprehensive assessment of the target's network landscape.

5. Nmap Network Sweeping

nmap -sn <TARGET IP RANGE>

Conduct a network sweep to identify live hosts within a specified IP range.

6. Nmap OS Fingerprinting

sudo nmap -O <TARGET IP>

Discover the operating system running on the target system using Nmap's OS fingerprinting capabilities.

7. Nmap Top 20 Port Scan and Output to Greppable Format

nmap -sT -A --top-ports=20 <TARGET IP RANGE> -oG top-port-sweep.txt

Focus on the top 20 ports, combining service version detection and outputting results to a greppable format for further analysis.

8. Nmap Banner Grabbing/Service Enumeration

nmap -sV -sT -A <TARGET IP>

Retrieve detailed information about services running on open ports, aiding in vulnerability assessment.

9. Nmap Scripting Engine (NSE) - SMB OS Discovery

nmap <TARGET IP> --script=smb-os-discovery

Utilize Nmap's Scripting Engine to connect to the SMB service and determine the target system's operating system.

10. Nmap DNS Zone Transferring

nmap --script=dns-zone-transfer -p 53 <TARGET DNS SERVER>

Check for potential DNS zone transfers, a common misconfiguration that can lead to valuable information disclosure.

11. Nmap NSE View Help

nmap --script-help <SCRIPT NAME>
# e.g., nmap --script-help dns-zone-transfer

Access the Nmap Scripting Engine's help to understand the functionalities of specific scripts.

12. Nmap SMB Enumeration

nmap -v -p 139,445 -oG smb.txt <TARGET IP RANGE>

Perform an in-depth enumeration of SMB services on target systems, identifying potential vulnerabilities.

13. Nmap SMB OS Discovery

nmap -v -p 139,445 --script=smb-os-discovery <TARGET IP>

Leverage Nmap's SMB OS Discovery script to determine the operating system of specific SMB services.

14. Nmap SMB Vulnerability Detection (MS08-067)

nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 <TARGET IP>

Identify missing critical patches related to the MS08-067 vulnerability in specific SMB services.

15. Nmap Scan for NFS Shares (Portmapper, rpcbind)

nmap -v -p 111 <TARGET IP RANGE>

Scan for Network File System (NFS) shares, potentially exposing sensitive information.

16. Nmap Find Services Registered with rpcbind

nmap -sV -p 111 --script=rpcinfo <TARGET IP RANGE>

Identify services registered with rpcbind, aiding in the discovery of additional attack vectors.

17. Nmap Scan for SNMP

sudo nmap -sU --open -p 161 <TARGET IP RANGE> -oG open-snmp.txt

Conduct a UDP scan to reveal open SNMP ports, a valuable resource for extracting network information.


Popular posts from this blog

Open eClass – CVE-2024-26503: Unrestricted File Upload Leads to Remote Code Execution

During an assessment, I identified a severe security vulnerability within Open eClass, an e-learning platform extensively utilized across educational institutions, notably within Greece, where it is deployed by virtually all Greek Universities and educational entities. Open eClass, developed by GUnet (Greek Universities Network), is instrumental in delivering asynchronous e-learning services. The vulnerability, cataloged under CVE-2024-26503, involves an unrestricted file upload flaw that enables remote code execution (RCE), impacting versions 3.15 and earlier of the platform. This critical security lapse presents a significant risk, potentially allowing unauthorized access and control over the system, thereby compromising the integrity and security of the educational infrastructure. Affected Versions: ●   version <=  3.15 CVSSv3.1 Base Score: 9.1 ( Critical ) CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Exploitation Guide The vulnerability can be exploited
Read more

How I Use Obsidian for Penetration Testing, CVE Hunting, and Studying

In the ever-evolving realm of cyber security, the tools and techniques at our disposal are as varied as the threats we aim to counteract. Among these tools, note-taking applications play a pivotal role, not just in organizing our thoughts but in streamlining our entire workflow. Today, I'm excited to share how Obsidian, a tool I embraced over two and a half years ago while preparing for my eJPT exam, has become an indispensable ally in my journey through penetration testing, CVE hunting, and continuous learning. If you're not yet familiar with Obsidian, it's a robust note-taking application that operates on a local collection of plain text Markdown files. What sets it apart is its capability to interlink ideas, forming an expansive web of knowledge that is both intuitive and comprehensive to explore. Through considerable customization, I've developed what I consider to be an ideal method for consolidating notes, insights, and projects into a unified workspace. Here'
Read more

CTF: Portfolio Walkthrough

Scenario A passionate web developer recently launched his personal portfolio website, proudly displaying his projects and sharing his thoughts through a vibrant blog. His focus on design and functionality has left glaring security holes. As his blog gains popularity, you, a skilled hacker, spot the perfect target. Your mission is clear: exploit the vulnerabilities, compromise his site, and expose his negligence. Every weakness is an opportunity, every oversight a path to control. In this CTF challenge, you are the hacker. Uncover the flaws, break through the defenses, and leave your mark on the developer’s digital pride. Welcome to "Portfolio CTF" The game is on. Good luck! You can download the OVA for the Portfolio CTF from this  link SPOILER ALERT: Do not read further if you intend to solve the CTF challenge on your own. The write-up follows below. Introduction I created this Capture The Flag (CTF) machine with dual objectives: to provide a comprehensive training ground fo
Read more