Exploring Network Terrain: A Comprehensive Guide to Nmap Enumeration
As ethical hackers and penetration testers, the first step in uncovering potential vulnerabilities within a network is thorough enumeration. Nmap, a powerful network scanning tool, offers a wide range of scanning techniques for gathering crucial information about target systems. In this article, we'll walk through various Nmap enumeration techniques, showcasing their utility and providing insights into their application.
1. Nmap Stealth Scan
sudo nmap -sS <TARGET IP>
The SYN ("half-open") scan sends a SYN to each port and tears the connection down as soon as a SYN/ACK comes back, so the handshake never completes; it needs root privileges because it crafts raw packets, and it is less likely to be logged by the listening application than a full connect scan.
2. Nmap Connect Scan
nmap -sT <TARGET IP>
The connect scan completes the full TCP three-way handshake with each target port. It works without root privileges and is reliable, but the completed connection is more likely to be logged by the target service than a SYN scan.
3. Nmap UDP Scan
sudo nmap -sU <TARGET IP>
Uncover open UDP ports, which TCP-only scans miss entirely even though services such as DNS, SNMP and NTP listen there. Expect this scan to be slow and to report many ports as open|filtered: an open UDP port usually sends no reply, while a closed one answers with an ICMP port-unreachable message.
4. Nmap Combination Scan
sudo nmap -sS -sU <TARGET IP>
Combine the stealth and UDP scans for a comprehensive assessment of the target's network landscape.
5. Nmap Network Sweeping
nmap -sn <TARGET IP RANGE>
Conduct a host-discovery sweep (no port scan) to identify live hosts within a specified IP range.
6. Nmap OS Fingerprinting
sudo nmap -O <TARGET IP>
Identify the operating system running on the target from the behaviour of its TCP/IP stack; like the SYN scan, this needs root privileges because it sends raw packets.
7. Nmap Top 20 Port Scan and Output to Greppable Format
nmap -sT -A --top-ports=20 <TARGET IP RANGE> -oG top-port-sweep.txt
Limit the scan to the 20 most common ports, enable -A (OS detection, version detection, default NSE scripts and traceroute) and write the results in greppable format for further analysis.
8. Nmap Banner Grabbing/Service Enumeration
nmap -sV -sT -A <TARGET IP>
Retrieve detailed information about services running on open ports, aiding in vulnerability assessment.
9. Nmap Scripting Engine (NSE) - SMB OS Discovery
nmap <TARGET IP> --script=smb-os-discovery
Utilize Nmap's Scripting Engine to connect to the SMB service and determine the target system's operating system.
10. Nmap DNS Zone Transferring
nmap --script=dns-zone-transfer -p 53 <TARGET DNS SERVER>
Check whether the server allows DNS zone transfers (AXFR), a common misconfiguration that discloses every record in the zone. The script needs a zone name to request; when it cannot be taken from the target's hostname, supply one with --script-args dns-zone-transfer.domain=<DOMAIN>.
11. Nmap NSE View Help
nmap --script-help <SCRIPT NAME>
# e.g., nmap --script-help dns-zone-transfer
Access the Nmap Scripting Engine's help to understand the functionalities of specific scripts.
12. Nmap SMB Enumeration
nmap -v -p 139,445 -oG smb.txt <TARGET IP RANGE>
Sweep a range for hosts with the NetBIOS and SMB ports (139 and 445) open and record them in greppable format; this list is the starting point for the deeper SMB enumeration in the following steps.
13. Nmap SMB OS Discovery
nmap -v -p 139,445 --script=smb-os-discovery <TARGET IP>
Leverage Nmap's SMB OS Discovery script to determine the operating system of specific SMB services.
14. Nmap SMB Vulnerability Detection (MS08-067)
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 <TARGET IP>
Check whether the SMB service is missing the critical MS08-067 patch. With unsafe=1 the script is permitted to send probes that can crash the target service, so leave the argument out unless that risk has been accepted.
15. Nmap Scan for NFS Shares (Portmapper, rpcbind)
nmap -v -p 111 <TARGET IP RANGE>
Scan for rpcbind/portmapper on port 111, the service NFS depends on; hosts that answer are candidates for exposed Network File System (NFS) shares that may leak sensitive information.
16. Nmap Find Services Registered with rpcbind
nmap -sV -p 111 --script=rpcinfo <TARGET IP RANGE>
Identify services registered with rpcbind, aiding in the discovery of additional attack vectors.
17. Nmap Scan for SNMP
sudo nmap -sU --open -p 161 <TARGET IP RANGE> -oG open-snmp.txt
Conduct a UDP scan to reveal open SNMP ports, a valuable resource for extracting network information.
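Several of the commands above write greppable output (top-port-sweep.txt, smb.txt, open-snmp.txt) that is meant to be post-processed. The parser below is an added example, not part of the original article: it reads the -oG format into per-host records and lists the open ports, and runs here on a constructed sample embedded inline rather than on a real scan file.

```python
"""Parse Nmap greppable (-oG) output into per-host port records."""
import re

# Constructed sample of -oG output (not a real scan); fields on a Host: line are tab separated.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sT -A --top-ports=20 -oG top-port-sweep.txt 10.0.0.0/24\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/,"
    " 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/"
    "\tIgnored State: closed (16)\tOS: Linux 5.4\n"
    "Host: 10.0.0.7 ()\tStatus: Up\n"
    "Host: 10.0.0.7 ()\tPorts: 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: closed (1)\n"
    "# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.21 seconds\n"
)
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_ports(value):
    """Entries are 'port/state/proto/owner/service/rpcinfo/version/'; split at most 6 times so the version keeps any slashes."""
    ports = []
    for entry in value.split(", "):
        parts = entry.split("/", 6)
        if len(parts) < 7 or not parts[0].isdigit():
            continue  # malformed entry: skip it rather than abort the whole file
        ports.append({"port": int(parts[0]), "state": parts[1], "proto": parts[2],
                      "service": parts[4], "version": parts[6].rstrip("/")})
    return ports

def parse_greppable(text):
    """Return {ip: {"hostname", "os", "ports"}} built from every 'Host:' line in the file."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue  # '# Nmap ...' header/footer lines and anything else
        rec = hosts.setdefault(m.group(1), {"hostname": m.group(2), "os": None, "ports": []})
        for field in fields[1:]:
            key, _, val = field.partition(": ")  # 'Status', 'Ports', 'Ignored State', 'OS', ...
            if key == "OS":
                rec["os"] = val
            elif key == "Ports":
                rec["ports"].extend(parse_ports(val))
    return hosts

def open_ports(hosts, proto=None):
    """Flatten to sorted (ip, port, proto, service) tuples, keeping only ports in state 'open'."""
    return sorted((ip, p["port"], p["proto"], p["service"])
                  for ip, rec in hosts.items() for p in rec["ports"]
                  if p["state"] == "open" and (proto is None or p["proto"] == proto))
```

Point parse_greppable at the contents of any -oG file to get the same structure; open_ports(hosts, proto="udp") is the quick way to pull the SNMP hits out of open-snmp.txt.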