# CEH_nmap (yenbohuang/techNotes GitHub Wiki)

- nmap: https://nmap.org/
- zenmap (official nmap Security Scanner GUI): https://nmap.org/zenmap/
## Check if the server is alive?

| Command | Note |
| --- | --- |
| `nmap -sn -PR 10.10.1.22` | ARP ping scan |
| `nmap -sn -PU 10.10.1.22` | UDP ping scan |
| `nmap -sn -PE 10.10.1.*` | ICMP ECHO ping scan |
| `nmap -sn -PP 10.10.1.22` | ICMP timestamp ping scan |
| `nmap -sn -PM 10.10.1.22` | ICMP address mask ping scan |
| `nmap -sn -PS 10.10.1.22` | TCP SYN ping scan |
| `nmap -sn -PA 10.10.1.22` | TCP ACK ping scan |
| `nmap -sn -PO 10.10.1.22` | IP protocol ping scan |
## Discover open ports/services

| Command | Note |
| --- | --- |
| `nmap -sV 10.10.1.22` | Find open ports and the version of the services behind them. |
| `nmap -sT -v 10.10.1.22` | TCP connect/full open scan |
| `nmap -sS -v 10.10.1.22` | Stealth scan/TCP half-open scan |
| `nmap -sX -v 10.10.1.22` | Xmas scan (open\|filtered results -> a firewall is on) |
| `nmap -sM -v 10.10.1.22` | TCP Maimon scan (open\|filtered results -> a firewall is on) |
| `nmap -sA -v 10.10.1.22` | ACK flag probe scan (filtered ports -> a stateful firewall is on) |
| `nmap -sU -v 10.10.1.22` | UDP scan (no response -> port is open; nmap reports it as open\|filtered, since a dropped probe looks the same) |
| `nmap -sN -T4 -A -v 10.10.1.9` | Null scan |
| `nmap -sI <zombie host> -v 10.10.1.22` | IDLE/IPID header scan (zombie scan); `-sI` needs the zombie host as its argument |
| `nmap -sY -v 10.10.1.22` | SCTP INIT scan (INIT-ACK reply -> port is open) |
| `nmap -sZ -v 10.10.1.22` | SCTP COOKIE ECHO scan (no response -> port is open; reported as open\|filtered) |
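As an added illustration (not part of the wiki), a small Python helper that reads nmap's XML output (`-oX`) and applies the interpretation notes from the table above: filtered ports on an ACK scan point to a stateful firewall, and probes that get no reply come back as open|filtered rather than open and need a follow-up probe. The embedded XML is a constructed sample, not a real scan result.

```python
"""Summarize an nmap XML report using the interpretation rules from the table above."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of `nmap -sA -oX - 10.10.1.22` output (not a real scan result).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sA -oX - 10.10.1.22">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.1.22" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="unfiltered" reason="reset"/></port>
      <port protocol="tcp" portid="80"><state state="unfiltered" reason="reset"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_report(xml_text):
    """Return (scan args, {addr: [(proto, port, state, reason), ...]})."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        entries = []
        for port in host.iter("port"):
            st = port.find("state")
            entries.append((port.get("protocol"), int(port.get("portid")),
                            st.get("state"), st.get("reason")))
        hosts[addr_el.get("addr")] = entries
    return root.get("args", ""), hosts


def interpret(args, entries):
    """Apply the cheat-sheet rules: which states signal a firewall, which need follow-up."""
    counts = Counter(state for _, _, state, _ in entries)
    findings = []
    # ACK probe (-sA): filtered ports mean a stateful firewall dropped the probe.
    if "-sA" in args.split() and counts["filtered"]:
        findings.append("stateful firewall likely: %d filtered port(s) on ACK scan" % counts["filtered"])
    # Xmas/Maimon/UDP/COOKIE ECHO: no reply is reported as open|filtered, not open.
    if counts["open|filtered"]:
        findings.append("%d open|filtered port(s): no reply, confirm with -sV or another probe" % counts["open|filtered"])
    return dict(counts), findings


if __name__ == "__main__":
    scan_args, scanned = parse_report(SAMPLE_XML)
    for addr, ports in scanned.items():
        print(addr, *interpret(scan_args, ports))
```

Feed it a real report with `nmap -sA -oX report.xml <host>` and `parse_report(open("report.xml").read())`.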
## OS Discovery

| Command | Note |
| --- | --- |
| `nmap -O 10.10.1.22` | OS discovery |
| `nmap --script smb-os-discovery.nse 10.10.1.22` | Determine the OS, computer name, domain, workgroup, and current time over the SMB protocol. |
## Scanning Behind IDS/Firewall

| Command | Note |
| --- | --- |
| `nmap -f 10.10.1.22` | Split the IP packets into tiny fragments. |
| `nmap -g 80 10.10.1.11` | Source port manipulation. |
| `nmap --mtu 8 10.10.1.11` | Specify a custom MTU for the fragmented packets (must be a multiple of 8). |
| `nmap -D RND:10 10.10.1.11` | Decoy scan. |
| `nmap -sT -Pn --spoof-mac 0 10.10.1.11` | MAC address spoofing (`0` picks a random MAC). |
## Enumeration

| Command | Service | Note |
| --- | --- | --- |
| `nmap -sV -v --script=nbstat.nse 10.10.1.22` | NetBIOS | Service versions and open ports, plus NetBIOS enumeration. |
| `nmap -sU -p 137 --script=nbstat.nse 10.10.1.22` | NetBIOS | NetBIOS enumeration by UDP scan. |
| `nmap -sU -p 161 --script=snmp-sysdescr 10.10.1.22` | SNMP | SNMP server type and operating system details. |
| `nmap -sU -p 161 --script=snmp-processes 10.10.1.22` | SNMP | Running SNMP processes along with the associated ports. |
| `nmap -sU -p 161 --script=snmp-win32-software 10.10.1.22` | SNMP | All running applications. |
| `nmap -sU -p 161 --script=snmp-interfaces 10.10.1.22` | SNMP | Operating system, network interfaces, and applications. |
| `nmap -sU -p 389 10.10.1.22` | LDAP | Check LDAP port 389. |
| `nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=CEH,dc=com"' 10.10.1.22` | LDAP | Brute-force LDAP authentication and display usernames. |
| `nmap -p 2049 10.10.1.19` | NFS | Check NFS on Windows. |
| `nmap --script=broadcast-dns-service-discovery certifiedhacker.com` | DNS | All the available DNS services. |
| `nmap -T4 -p 53 --script dns-brute certifiedhacker.com` | DNS | All the subdomains. |
| `nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='certifiedhacker.com'"` | DNS | Common service (SRV) records. |
| `nmap -p 25 --script=smtp-enum-users 10.10.1.19` | SMTP | All possible mail users. |
| `nmap -p 25 --script=smtp-open-relay 10.10.1.19` | SMTP | Open SMTP relays. |
| `nmap -p 25 --script=smtp-commands 10.10.1.19` | SMTP | Supported SMTP commands. |
| `nmap -p 21 10.10.1.19` | FTP | Detect FTP server. |
You should not use them against target networks without permission!
## Aggressive Scan

Enable aggressive scan by using the `-A` option.

| Command | Service | Note |
| --- | --- | --- |
| `nmap -A 10.10.1.*` | | Aggressive scan. |
| `nmap -T4 -A 10.10.1.19` | | Open ports, services & versions. |
| `nmap -p 21 -A 10.10.1.19` | FTP | FTP with traceroute information. |
| `nmap -p 445 -A 10.10.1.19` | SMB | SMB information. |
## Sniffing

| Command | Service | Note |
| --- | --- | --- |
| `nmap --script=sniffer-detect 10.10.1.19` | | Check if the target system is in promiscuous mode. |
## Evading IDS, Firewalls, and Honeypots

| Command | Service | Note |
| --- | --- | --- |
| `nmap -sP 10.10.1.0/24` | | Ping sweep scan on the subnet to discover the live machines in the network (`-sP` is the legacy alias of `-sn`). |
| `nmap -sI 10.10.1.22 10.10.1.11` | | Perform a zombie scan (zombie 10.10.1.22, target 10.10.1.11) and discover ports and services. |
## Hacking Web Servers

| Command | Service | Note |
| --- | --- | --- |
| `nmap -sV --script=http-enum www.goodshopping.com` | | Enumerate the directories used by web servers and web applications. |
| `nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- www.goodshopping.com` | | Discover the hostnames that resolve to the targeted domain. |
| `nmap --script http-trace -d www.goodshopping.com` | | Detect a server with the TRACE method enabled by sending an HTTP TRACE request and checking whether the method is accepted. |
| `nmap -p80 --script http-waf-detect www.goodshopping.com` | | Check whether a Web Application Firewall is configured on the target host or domain. |