_______________________________________________[ The Basics ]
======================== Various Ways to Find Hosts
nmap -sL 192.168.0.0/24 ( create a host list )
nmap -n 192.168.0.0/24 ( scan w/o DNS resolution )
nmap -sP 192.168.0.0/24 ( probe only )
nmap -sS 192.168.0.0/24 --exclude 192.168.0.1 ( syn scan & exclude the gateway ip )
nmap -sT -iL mylist.txt ( tcp connect scan on list of targets )
nmap -sU --randomize-hosts 192.168.0.0/24 ( udp scan & randomize host order; -iR expects a count of random targets, not a range )
nmap -sV -f -O -oA My-Scan-Output.Files 192.168.0.0/24 ( version scan with output files )
nmap -sR -oA My-Scan-Output.Files --stats-every 30s 192.168.0.0/24 ( RPC scan with output files and a scan status update every 30 seconds )
nmap -A --reason ( use every method possible to fingerprint the target & explain the reason for each result )
======================== Update NSE scripts
nmap --script-updatedb
======================== Run Default NSE scripts
nmap -sC 192.168.0.0/24
======================== Grab Banners
nmap -sS -T5 -p- 192.168.0.0/24
======================== Enumerate DNS names for a range (no scanning directly to hosts done)
nmap -sL 148.87.1.0-255 | grep domainname.com
======================== Try DNS Enumeration
nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domainname> -p53 <hosts>
======================== Ping it all
nmap -PN ( no ping )
nmap -PS ( TCP SYN ping )
nmap -PA ( TCP ACK ping )
nmap -PU ( UDP ping )
nmap -PY ( SCTP Init ping )
nmap -PE ( ICMP echo ping )
nmap -PP ( ICMP timestamp ping )
nmap -PM ( address mask ping )
nmap -PO ( IP ping )
nmap -PR ( ARP ping )
_______________________________________________[ Evasion Tricks ]
nmap -f <hosts> (Fragment Packet)
nmap --mtu <mtu-value> <hosts> (Modify MTU; must be a multiple of 8)
nmap -sI <zombie-host> <hosts> (Idle scan through a zombie host)
nmap -D RND:{number} <host> (Use {number} random decoys)
nmap --spoof-mac {value} <hosts>
nmap --badsum <hosts>
======================== Delayed Scan for common ports
nmap --scan-delay 15s -p 21,23,25,80,8080,1433,1521,3306 192.168.0.0/24
======================== Send 1 Pkt every second
nmap --max-rate 0.1 -p 21,23,25,80,8080,1433,1521,3306 192.168.0.0/24
======================== 8 byte fragmented packet
nmap -f -p 21,23,25,80,8080,1433,1521,3306 192.168.0.0/24
======================== 16 byte fragmented packet
nmap --mtu 16 -p 21,23,25,80,8080,1433,1521,3306 192.168.0.0/24
_______________________________________________[ HTTP Scanning ]
======================== WAF Fingerprinting
nmap -sV -Pn -p 80 --script http-waf-detect.nse domainname.com
nmap -p80 --script http-waf-detect.nse --script-args http-waf-detect.detectBodyChanges domainname.com
======================== Obtaining hostname through ssl
nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255
======================== Spider HTTP Robot Files
nmap --script http-robots.txt <hosts>
======================== HTTP Methods Test
nmap -p80,443 --script http-methods domainname.com
======================== HTTP Methods Test with testing for error codes
nmap -p80,443 --script http-methods --script-args http-methods.retest domainname.com
nmap -p80,443 --script http-methods --script-args http-methods.retest,http-methods.urlpath=/someURLpath/ domainname.com
======================== HTTP User Agent Spoofing
nmap -p80 --script http-methods --script-args http.useragent="Mozilla 42" domainname.com
======================== HTTP PIPE Lining
nmap -p80 --script http-methods --script-args http.pipeline=25 domainname.com
======================== Find Open Proxies
nmap -p8080 --script http-open-proxy domainname.com
nmap -p8080 --script http-open-proxy --script-args http-open-proxy.url=http://whatsmyip.org,http-open-proxy.pattern="Your IP address is" domainname.com
======================== HTTP content enumeration
nmap -p80 --script http-enum domainname.com
nmap -p80 --script http-enum --script-args http-enum.displayall domainname.com
======================== HTTP User enumeration
nmap -p80 --script http-userdir-enum domainname.com
nmap -p80 --script http-userdir-enum --script-args userdir.users=./user-list.txt domainname.com
======================== HTTP WordPress Brute Force
nmap -p80 --script http-wordpress-brute domainname.com
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.threads=5 domainname.com
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.uri="/someURLpath/" domainname.com
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.uservar=nombre,http-wordpress-brute.passvar=secreto domainname.com
======================== HTTP JOOMLA Brute Force
nmap -p80 --script http-joomla-brute domainname.com
======================== Test for SQLi
nmap -p80 --script http-sql-injection domainname.com
nmap -p80 --script http-sql-injection --script-args httpspider.maxpagecount=200 domainname.com
nmap -p80 --script http-sql-injection --script-args httpspider.withinhost=false domainname.com
nmap -p80 --script http-sql-injection --script-args httpspider.maxdepth=10 domainname.com
======================== Test for XSS
nmap -p80 --script http-unsafe-output-escaping domainname.com
nmap -p80 --script http-phpself-xss,http-unsafe-output-escaping domainname.com
nmap -p80 --script http-phpself-xss --script-args httpspider.maxpagecount=200 domainname.com
_______________________________________________[ SMB Scanning ]
nmap -Pn -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 <hosts>
nmap --script smb-brute.nse -p445 <hosts>
nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 <hosts>
_______________________________________________[ Using Output Results ]
ndiff output1.xml output2.xml (compare 2 NMAP scan outputs for differences)
ndiff -v output1.xml output2.xml (verbosely compare 2 NMAP scan outputs for differences)
ndiff --xml output1.xml output2.xml (write the difference between 2 NMAP scans as another XML report)
msf> db_import /path/to/my/output1.xml (import XML results into Metasploit DB for exploitation)
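An added example for this section (not part of the original cheat sheet): a small Python script that does, for the XML files written by -oX or -oA, roughly what ndiff does, namely parse two reports and list hosts that appeared or disappeared and ports that became open or stopped being open between the scans. Both reports below are constructed samples in the shape of nmap XML output, not real scan results; the element and attribute names (nmaprun, host, status, address, ports/port, state, service) are the ones nmap itself writes.

```python
"""Compare two nmap XML reports and list host and port-state changes.

Intended for change monitoring of your own network: run the same scan on a
schedule with -oX, keep the previous report, and alert on the differences.
"""
import xml.etree.ElementTree as ET

# Constructed sample report from an earlier scan (shape of nmap -oX output).
SCAN_OLD = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX output1.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>"""

# Constructed sample report from a later scan: 3306 opened on .10, 445 on .20
# is now filtered, and a new host .30 appeared with 8080 open.
SCAN_NEW = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX output2.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.0.30" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ipv4_addr: {(proto, port): (state, service_name)}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap reported as down
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            svc = port.find("service")
            ports[key] = (state, svc.get("name") if svc is not None else None)
        hosts[addr_el.get("addr")] = ports
    return hosts


def diff_scans(old, new):
    """Compare two parsed reports; a port counts as 'open' only when its state is exactly open."""
    newly_open, newly_closed = [], []
    for addr in set(old) | set(new):
        old_ports = old.get(addr, {})
        new_ports = new.get(addr, {})
        for key in set(old_ports) | set(new_ports):
            was_open = old_ports.get(key, ("absent", None))[0] == "open"
            is_open = new_ports.get(key, ("absent", None))[0] == "open"
            if is_open and not was_open:
                newly_open.append((addr,) + key)
            elif was_open and not is_open:
                newly_closed.append((addr,) + key)
    return {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "newly_open": sorted(newly_open),
        "newly_closed": sorted(newly_closed),
    }


if __name__ == "__main__":
    # With real files: parse_nmap_xml(open("output1.xml").read()) etc.
    changes = diff_scans(parse_nmap_xml(SCAN_OLD), parse_nmap_xml(SCAN_NEW))
    for kind, items in changes.items():
        for item in items:
            print(f"{kind}: {item}")
```

Ports that went from open to filtered or closed, or that vanished from the report entirely, are all reported as "newly_closed"; for a change-monitoring alert the interesting lists are usually new_hosts and newly_open.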