Target Specification:
........................................................................................................
Wildcards - 192.168.*.*
Range - 192.168.0-255.0-255
Mask notation - 192.168.0.0/16
Ports - -p 25,110,80
Common ports - -p 21,22,23,25,53,80,110,115,135,139,143,194,443,445,1433,3306,3389,5632,5900,6129 (http://www.iana.org/assignments/port-numbers)
Load target list from file - nmap -iL d:\target.txt

Examples:
........................................................................................................
-sT > TCP connect scan
-sn > Ping scan without port scan
-sU > UDP scan
-sV > Service detection - probes open ports.
-I > Ident scanning, port 113 > nmap -I 192.168.1.1
-T1-5 > Timing template - higher is faster
-O or -A > OS detection
-PE > ICMP echo
-PS > Port list
-PA > TCP SYN/ACK
-P0 or -PN > No ping
-sn > Ping scan, no port scan
Port scan of specific ports between IP 10-20 > nmap -p 25,80,110 192.168.10.0-20 -PN
Port scan of specific ports across a whole network > nmap -p 25,110,80 192.168.10.0/24
Scan of specific networks: nmap -p 25,110 192.168.1.* -P0

Example scans:
........................................................................................................
SYN connect scan
nmap -oA c:\Syn-connect -sT --open -p0-65535 --randomize_hosts 192.168.1.1-10 -PN

Service scan
nmap -oA "c:\service scan" -sV -PR --open -p0-65535 --randomize_hosts 192.168.1.1-10

Service scan - on specific ports
nmap -oA "c:\service scan" -sV --open -p21,25,80,443,3128,3389,8080,8081 192.168.1.1-10 -PN

MAC scan - gives discovery of hosts. Cannot be used if anti-ARP inspection is enabled.
nmap -oA c:\MAC-scan -sU -p53000 -P0 192.168.1.*

Scanning telnet devices does not work with -sT - this has to be a connect scan
nmap -oA c:\telnet -sS -p 23 192.168.1.*

Ping sweep:
nmap -oA c:\ping-sweep -sP 192.168.1.0/24

UDP scan:
nmap -oA c:\UDP-Scan -sU 192.168.1.0/24 -PN

UDP scan - common ports:
nmap -oA c:\UDP-Scan -sU -p 53,67,68,69,123,161,162,500,520,521,2049,4500,5060,5004,10000 192.168.1.0/24 -PN

OS detection
nmap -oA c:\os-detection -O 192.168.1.1

OS detection - on specific ports
nmap -oA c:\os-detection-ports -O -p80,137,138,443,445 192.168.1.1-10

Banner grabbing
nmap -oA c:\Banner-grabbing-Scan -sV --script=banner 192.168.1.0/24 -PN

XMAS scan
nmap -oA c:\XMAS-scan -sX -v 192.168.1.1

Ping sweep - no port scan
nmap -oA "c:\ping sweep" -sn -T4 -PE 192.168.1.1-10

Script scans
........................................................................................................
HTTP brute-force scan
nmap -Pn -p 80 --script http-enum www.netcowboy.dk

DNS brute-force scan
nmap -Pn --script dns-brute netcowboy.dk

SMB OS discovery scan
nmap -p 445 -Pn --script smb-os-discovery 192.168.1.1

SSL enum scan - POODLE
nmap -Pn -p 443,465,563,636,989,992,993,994,995,25 -n --script ssl-enum-ciphers 192.168.1.1

nmap SSL Heartbleed scan
nmap -Pn -p 443,465,563,636,989,992,993,994,995,25 -n --script ssl-heartbleed 192.168.1.1

nmap Modbus scan
nmap -Pn -p 502 --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' 192.168.1.1

SPAM sender lookup scan
........................................................................................................
Scan for port 25 with reverse DNS lookup
nmap -oA c:\spam-lookup -sT -T4 -p 25 -R 192.168.20.1-255 -PN

Looking for zombie hosts:
........................................................................................................
Looking for a zombie host for idle scan - used to spoof the source in a firewall log. Do not run a service scan or OS detection before this scan, or it will be revealed in the log; do not ping before the scan either.
Scan IP range: nmap -v -O 192.168.10.0/24
Find one with > TCP Sequence Prediction: Class=trivial time dependency, Difficulty=0 (Trivial joke)

Firewalls:
........................................................................................................
FIN scan - this one is good for firewall scanning:
nmap -oA c:\FIN-Scan -sN 192.168.1.1

-PR - ARP ping. Good when pinging is not allowed in a scan (only works on the same subnet). Good for determining whether a host is up even when it is firewalled.

--randomize_hosts - makes the scan stealthier on a network. Can be used when a whole range is scanned.
Paranoid scan: avoid firewall and IDS blocking
-T Paranoid (or -T0) scan will wait (generally) at least 5 minutes between each packet sent (this scan takes about 1 hour and 40 minutes per IP with the listed ports)
nmap -oA c:\paraniode -sT -p 21,22,23,25,53,80,110,115,135,139,143,194,443,445,1433,3306,3389,5632,5900,6129 -T0 -Pn 192.168.1.1

Firewalk. This can be used from the inside against firewalls to see which ports are forwarded out.
nmap --traceroute --script firewalk --script-args firewalk.ttl 192.168.1.1

Decoy scanning:
.....................................................................................................
Note that all decoys used should preferably be up, otherwise it is too easy to reveal who is scanning. Both LAN and WAN addresses can be used as decoys in the same scan.
nmap -n -Ddecoy-ip1,decoy-ip2,decoy-ip3,decoy-ip4,decoy-ip5 remote-host-ip
nmap -p0-1024 -T4 -oA "c:\\Decoy-Scan" -Pn -D 192.168.1.9,192.168.1.34,192.168.1.1,192.168.1.15 192.168.1.20

Log formats:
.....................................................................................................
-oA > Logfile formats - saves all 3 log types > nmap -oA c:\test
This also saves an XML file - it can e.g. be opened in Firefox.
Pipe to txt files:
Pipe to txt file: nmap -sP >IP-TO-SCAN< > c:\scan.txt
Pipe to txt file, appending to the same file: nmap -sP >IP-TO-SCAN< >> c:\scan.txt

DNS scan:
.....................................................................................................
List scan, reverse IP to DNS: nmap -oA c:\IP-DNS -R -sn >IP<
-n > no DNS lookup. This makes the scan fast.
-R > DNS lookup for all targets
--system-dns > use the system DNS resolver
--dns-servers > specify which DNS servers to use.

Conficker scanning:
.....................................................................................................
Scanning for the Conficker worm
nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 [targetnetworks]
You will only see Conficker-related output if either port 139 or 445 is open on a host. A clean machine reports at the bottom: “Conficker: Likely CLEAN”, while likely infected machines say: “Conficker: Likely INFECTED”. For more advice, see this nmap-dev post by Brandon Enright. Dan Kaminsky broke the story on Doxpara.com.

Script scans
.....................................................................................................
http://nmap.org/nsedoc/index.html
Banner grabber
nmap -sV --script=banner
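The log-formats section notes that -oA also writes an XML file, and the Conficker section names the "Conficker: Likely CLEAN" / "Likely INFECTED" verdict strings. As an added example, not part of this cheat sheet, the parser below reads such an nmap XML file and reports open ports and the Conficker verdict per host; SAMPLE_XML is hand-constructed in nmap's output schema, and the IPs in it are made up.

```python
# Added example (not from the cheat sheet): parse the .xml file that "nmap -oA <name>"
# writes and pull out each host's open ports plus the Conficker verdict that the
# smb-check-vulns host script reports. SAMPLE_XML is hand-constructed in nmap's schema.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 192.168.1.0/24">
  <host><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript><script id="smb-check-vulns" output="&#10;  Conficker: Likely INFECTED&#10;"/></hostscript>
  </host>
  <host><address addr="192.168.1.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="closed"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript><script id="smb-check-vulns" output="&#10;  Conficker: Likely CLEAN&#10;"/></hostscript>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return {ip: {"open": [(port, proto, service), ...], "conficker": verdict or None}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # skip entries without an IPv4 address (e.g. MAC-only)
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports.append((int(port.get("portid")), port.get("protocol"),
                                   svc.get("name") if svc is not None else ""))
        verdict = None  # "Likely CLEAN" / "Likely INFECTED" taken from the script output text
        for script in host.iter("script"):
            if script.get("id") == "smb-check-vulns":
                for line in script.get("output", "").splitlines():
                    if line.strip().startswith("Conficker:"):
                        verdict = line.split(":", 1)[1].strip()
        hosts[addr.get("addr")] = {"open": open_ports, "conficker": verdict}
    return hosts

def infected_hosts(xml_text):
    """IPs whose smb-check-vulns verdict contains INFECTED, sorted for a stable report."""
    return sorted(ip for ip, h in parse_nmap_xml(xml_text).items() if h["conficker"] and "INFECTED" in h["conficker"])
```

For a real scan, pass the contents of the file -oA wrote (for example c:\test.xml) to parse_nmap_xml instead of SAMPLE_XML.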