_______________________________________________[  The Basics ]

======================== Various Ways to Find Hosts

nmap -sL   ( create a host list )

nmap -n    ( scan w/o DNS resolution )

nmap -sP    ( ping scan only, no port scan )

nmap -sS --exclude <gateway-ip> <hosts>    ( syn scan & exclude the gateway ip )

nmap -sT -iL mylist.txt    ( tcp connect scan on list of targets )

nmap -sU -iR <num-hosts>    ( udp scan & randomize hosts )

nmap -sV -f -O -oA My-Scan-Output.Files      ( version scan with output files )

nmap -sR -oA My-Scan-Output.Files --stats-every 30s  ( RPC scan with output files and periodic updates on scan status shown every 30 seconds )

nmap -A --reason     ( use every method possible to fingerprint target & explain reasons for results )

======================== Update NSE scripts

nmap --script-updatedb

======================== Run Default NSE scripts

nmap -sC

======================== Grab Banners

nmap -sS -T5 -p- <hosts>

======================== Enumerate DNS names for a range (no scanning directly to hosts done)

nmap -sL <range> | grep domainname.com

======================== Try DNS Enumeration

nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domainname> -p53 <hosts>

======================== Ping it all

nmap -PN     ( no ping )

nmap -PS     ( TCP SYN ping )

nmap -PA     ( TCP ACK ping )

nmap -PU     ( UDP ping )

nmap -PY     ( SCTP Init ping )

nmap -PE     ( ICMP echo ping )

nmap -PP     ( ICMP timestamp ping )

nmap -PM     ( address mask ping )

nmap -PO     ( IP protocol ping )

nmap -PR     ( ARP ping )

_______________________________________________[  Evasion Tricks ]

nmap -f <hosts>     (Fragment Packet)

nmap --mtu <mtu-value> <hosts>     (Modify MTU; the value must be a multiple of 8)

nmap -sI <zombie-host> <target>     (Idle scan bounced off a zombie host)

nmap -D RND:<number> <host>     (Cloak the scan with random decoys)

nmap --spoof-mac <value> <hosts>

nmap --badsum <hosts>

======================== Delayed Scan for common ports
nmap --scan-delay 15s -p 21,23,25,80,8080,1433,1521,3306 <hosts>

======================== Send 1 Pkt every second
nmap --max-rate 1 -p 21,23,25,80,8080,1433,1521,3306 <hosts>

======================== 8 byte fragmented packet
nmap -f -p 21,23,25,80,8080,1433,1521,3306 <hosts>

======================== 16 byte fragmented packet
nmap --mtu 16 -p 21,23,25,80,8080,1433,1521,3306 <hosts>

_______________________________________________[  HTTP Scanning ]

======================== WAF Fingerprinting
nmap -sV -PN -p 80 --script http-waf-detect.nse domainname.com
nmap -p80 --script http-waf-detect.nse --script-args="http-waf-detect.detectBodyChanges" domainname.com

======================== Obtaining hostname through ssl
nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open <hosts>

======================== Spider HTTP Robot Files

nmap --script http-robots.txt <hosts>

======================== HTTP Methods Test

nmap -p80,443 --script http-methods domainname.com

======================== HTTP Methods Test with testing for error codes
nmap -p80,443 --script http-methods --script-args http-methods.retest domainname.com
nmap -p80,443 --script http-methods --script-args http-methods.retest,http-methods.urlpath=/someURLpath/ domainname.com

======================== HTTP User Agent Spoofing
nmap -p80 --script http-methods --script-args http.useragent="Mozilla 42" domainname.com

======================== HTTP Pipelining
nmap -p80 --script http-methods --script-args http.pipeline=25 domainname.com

======================== Find Open Proxies
nmap -p8080 --script http-open-proxy domainname.com
nmap -p8080 --script http-open-proxy --script-args http-open-proxy.url=http://whatsmyip.org,http-open-proxy.pattern="Your IP address is" domainname.com

======================== HTTP content enumeration
nmap -p80 --script http-enum domainname.com
nmap -p80 --script http-enum --script-args http-enum.displayall domainname.com

======================== HTTP User enumeration
nmap -p80 --script http-userdir-enum domainname.com
nmap -p80 --script http-userdir-enum --script-args userdir.users=./user-list.txt domainname.com

======================== HTTP WordPress Brute Force
nmap -p80 --script http-wordpress-brute domainname.com
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.threads=5 domainname.com
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.uri="/someURLpath/" domainname.com
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.uservar=nombre,http-wordpress-brute.passvar=secreto domainname.com

======================== HTTP JOOMLA Brute Force
nmap -p80 --script http-joomla-brute domainname.com

======================== Test for SQLi
nmap -p80 --script http-sql-injection domainname.com
nmap -p80 --script http-sql-injection --script-args httpspider.maxpagecount=200 domainname.com
nmap -p80 --script http-sql-injection --script-args httpspider.withinhost=false domainname.com
nmap -p80 --script http-sql-injection --script-args httpspider.maxdepth=10 domainname.com

======================== Test for XSS
nmap -p80 --script http-unsafe-output-escaping domainname.com
nmap -p80 --script http-phpself-xss,http-unsafe-output-escaping domainname.com
nmap -p80 --script http-phpself-xss --script-args httpspider.maxpagecount=200 domainname.com

_______________________________________________[  SMB Scanning ]

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 <hosts>

nmap --script smb-brute.nse -p445 <hosts>
nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>

nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 <hosts>

_______________________________________________[  Using Output Results ]

ndiff output1.xml output2.xml     (compare two nmap XML scan outputs for differences)

ndiff -v output1.xml output2.xml     (verbosely compare two nmap XML scan outputs for differences)

ndiff --xml output1.xml output2.xml     (write the difference of two nmap scans to another XML report)

msf> db_import /path/to/my/output1.xml     (import XML results into the Metasploit DB for exploitation)
