supplemental cheat sheet on nmap


1 nmap standard scans

nmap is a very extensive and useful tool for mapping open ports and running network-based reconnaissance against anything with an IP address. It is used by white-hat hackers as well as black-hat hackers, so learn it first, to find and close any security holes before someone else finds them. nmap is indispensable for penetration tests; only scan hosts you own or have written permission to test.

The first resource to consult is the man page: man nmap

You will also notice that some scans are for one device while others are for the whole network. The latter are typically for the discovery phase of a security audit.

Once you have discovered that a certain host, running a certain OS, is on the network, you can run further scans directed specifically at that host.

1.1 discovery phase

nmap can be augmented with other simple tools for the discovery phase. On the local network segment, the ARP table and ARP probing can be used:

  • ip neigh # similar to arp -a
  • netdiscover -i eth0 -r 172.28.105.0/24 # comes with standard kali linux.

But nmap's -s* scans are more flexible and work across routers, whereas ARP only reaches hosts on the same L2 segment, and a host's ARP table only lists neighbours it has already talked to. Basically an L2 (ARP) vs L3 (IP) scan. Note that when nmap scans a local subnet as root it also uses ARP requests for host discovery, which is why the scan outputs below show a MAC Address line for every host except the scanner itself.

2 -s for "scan"

In the next sections, you will see that they all begin with -s, which tells nmap to scan; the letter after it selects the scan type.

The nmap syntax is nmap -s<type> <target>, where target can be:

  • an ip address
  • a dns resolvable hostname
  • an ip range, either CIDR (192.168.128.0/24) or an octet range (192.168.128.1-50)
  • several space separated ip addresses or dns host names, or a file of them with -iL <file>

2.1 scan ping -sP (host discovery only, now spelled -sn)

nmap -sn 192.168.128.0/24 # ping scan on a network: which hosts are up, no port scan

-sP is the older spelling and still works in 7.92, but the man page now calls it -sn ("no port scan"). Run it as root: with privileges nmap uses ARP on the local segment and ICMP echo plus TCP SYN/ACK probes elsewhere; without them it falls back to TCP connect probes to ports 80 and 443.

Here is an nmap ping scan of my OPS335 network:

sudo nmap -sP 172.28.105.0/24          
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 18:47 EDT
Nmap scan report for africa.continents.earth.ops (172.28.105.1)
Host is up (0.0012s latency).
MAC Address: 52:54:00:A5:97:C3 (QEMU virtual NIC)
Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.0016s latency).
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)
Nmap scan report for antarctica.continents.earth.ops (172.28.105.3)
Host is up (0.0023s latency).
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)
Nmap scan report for asia.continents.earth.ops (172.28.105.5)
Host is up (0.0011s latency).
MAC Address: 52:54:00:F9:B1:AA (QEMU virtual NIC)
Nmap scan report for europe.continents.earth.ops (172.28.105.6)
Host is up (0.0034s latency).
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)
Nmap scan report for southamerica.continents.earth.ops (172.28.105.8)
Host is up (0.0012s latency).
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)
Nmap scan report for kali.continents.earth.ops (172.28.105.55)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.15 seconds

2.2 scan TCP ports -sT

Without -p, nmap does not scan ports 1 to 1000; it scans the 1,000 TCP ports that are most often found open according to its nmap-services frequency table (man nmap, "Port Specification and Scan Order"). The two sets overlap heavily but are not the same: the default set includes ports such as 3306, 3389 and 8080 and skips many low-numbered ports that are rarely used.

  • nmap -sT 192.168.128.0/24 # default: the top 1000 TCP ports, connect() scan
  • nmap -sT -p 1-1000 192.168.128.0/24 # literally ports 1 to 1,000
  • nmap -sT -p- 192.168.128.0/24 # all 65,535 ports

But the last one will take a LONG time across a subnet, even with only 7 hosts on the network.

2.2.1 port ranges -sT -p port

Often scanning all 1000 default ports is not needed, if you already know which ports are your target. You can specify a single port, -sT -p 53, several ports, -sT -p 22,53,149, or a range, -sT -p 20-100. Lists and ranges can be mixed: -p 22,80-90,443.

If you omit the beginning of a range, i.e. -p-443, nmap starts at 1; if you omit the end, i.e. -p 443-, nmap ends at 65535; -p- alone means all ports. Prefix with T: or U: to give TCP and UDP ports separately in one run, e.g. -sS -sU -p T:22,80,U:53,161.

nmap -sT -p 80,443 192.168.128.0/24 # scan TCP

You can exclude ports, i.e. take the inverse, with --exclude-ports (same syntax as -p):

  • nmap -sT -p- --exclude-ports 1968 192.168.128.0/24
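
The -p rules above are easy to get wrong when the spec is long, so here is a small parser, added as an example (not nmap code and not from the original notes), that expands a -p string the way nmap does: single ports, comma lists, ranges with an omitted start or end, the bare "-", T:/U: protocol prefixes, and --exclude-ports on top. Function names are this example's own; run it to see what a spec really covers before committing to a long scan.

```python
"""nmap -p port specification parser (added example, not part of nmap)."""
from typing import Dict, Set

MIN_PORT, MAX_PORT = 1, 65535


def parse_range(token: str) -> Set[int]:
    """Expand one token: '53', '20-100', '-443' (1..443), '443-' (443..65535), '-' (all)."""
    token = token.strip()
    if token == "-":                              # bare dash: every port
        return set(range(MIN_PORT, MAX_PORT + 1))
    if "-" not in token:
        port = int(token)
        if not MIN_PORT <= port <= MAX_PORT:
            raise ValueError(f"port out of range: {token}")
        return {port}
    lo_s, hi_s = token.split("-", 1)
    lo = int(lo_s) if lo_s else MIN_PORT          # omitted start -> 1
    hi = int(hi_s) if hi_s else MAX_PORT          # omitted end   -> 65535
    if not MIN_PORT <= lo <= hi <= MAX_PORT:
        raise ValueError(f"bad range: {token}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Expand a full -p argument into {'tcp': {...}, 'udp': {...}}.

    Tokens before any T:/U: prefix apply to both protocols; once a prefix is
    seen, later tokens go to that protocol until the next prefix, which is
    how nmap reads e.g. -p 22,T:80,U:53.
    """
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    current = None                                # None = both protocols
    for raw in spec.split(","):
        token = raw.strip()
        if token[:2].upper() in ("T:", "U:"):
            current = "tcp" if token[0].upper() == "T" else "udp"
            token = token[2:].strip()
        if not token:
            continue
        expanded = parse_range(token)
        for proto in ([current] if current else ["tcp", "udp"]):
            ports[proto] |= expanded
    return ports


def apply_exclusions(ports: Dict[str, Set[int]], exclude_spec: str) -> Dict[str, Set[int]]:
    """Model --exclude-ports: subtract the excluded spec from each protocol's set."""
    excluded = parse_port_spec(exclude_spec)
    return {proto: ports[proto] - excluded[proto] for proto in ports}


def summarize(ports: Set[int]) -> str:
    """Collapse a port set back into nmap-style ranges, e.g. '20-21,23-100'."""
    out, run_start, prev = [], None, None
    for p in sorted(ports):
        if run_start is None:
            run_start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append(f"{run_start}-{prev}" if run_start != prev else str(run_start))
            run_start = prev = p
    if run_start is not None:
        out.append(f"{run_start}-{prev}" if run_start != prev else str(run_start))
    return ",".join(out)


if __name__ == "__main__":
    spec = parse_port_spec("T:20-100,U:53,161")
    kept = apply_exclusions(spec, "22,80-90")
    print("tcp:", summarize(kept["tcp"]))        # 20-21,23-79,91-100
    print("udp:", summarize(kept["udp"]))        # 53,161
```

Note that the exclusion spec is applied to both protocols, just as a bare --exclude-ports list is, and that 161 lands in the UDP set because the U: prefix stays in force until another prefix appears.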

2.2.2 -F fast scan (top 100 ports only)

Normally nmap scans the 1000 most common ports; with -F that is reduced to the top 100, which makes a good first pass over a whole subnet.

2.3 ACK scan -sA

  • -sA

Has only the ACK flag set. It cannot tell open from closed, because both answer a stray ACK with RST; its job is to map firewall rules, i.e. which ports a packet filter lets through at all.

send to target    received from target    deduced port state
ACK               RST                     unfiltered (reachable; open or closed unknown)
ACK               <no response>           filtered
ACK               ICMP unreachable        filtered

2.4 FIN scan -sF

  • -sF

Has only the FIN flag set. Per RFC 793 a closed port answers a stray FIN with RST while a listening port silently drops it, so silence is ambiguous: a firewall could just as well have dropped the probe.

send to target    received from target    deduced port state
FIN               <no response>           open|filtered
FIN               RST/ACK                 closed
FIN               ICMP unreachable        filtered

Windows and many Cisco stacks send RST for every port regardless of state, so against them FIN, NULL and Xmas scans report everything as closed.

2.5 IDLE scan -sI

  • -sI <zombie host>[:probe port]

A truly blind scan: the probes are spoofed to come from a "zombie" host and the result is read from changes in the zombie's IP ID counter, so the target never sees the scanner's address. It needs a zombie that is idle and has a predictable, incrementing IP ID sequence; the ipidseq script can help find one.

2.6 List scan -sL

  • -sL just lists the targets that would be scanned and does a reverse DNS lookup on each, like running a whole bunch of "host" or "nslookup" commands really fast. No packets are sent to the targets themselves (only the DNS queries), so it is a safe dry run to confirm that a range is what you think it is.
  • nmap -sL 192.168.128.0/24

2.7 NULL scan -sN

  • -sN

Has none of the TCP flags set. Same response rules, and the same caveats about non-RFC stacks, as the FIN scan above.

2.8 XMAS scan -sX

  • -sX

Called the Christmas scan because it "lights up the packet like a Christmas tree", with all of FIN, PSH and URG set. Same response rules and caveats as the FIN scan.

It can get through simple stateless packet filters, because those usually block incoming TCP connections by dropping packets with the SYN bit set and the ACK bit cleared. The XMAS probe has SYN cleared, and its FIN flag looks like the end of a session rather than the start of one. A stateful firewall is not fooled: it drops anything that does not belong to a connection it has already seen, so every port comes back filtered.

2.9 Protocol scan -sO

  • -sO

IP protocol scan. Instead of ports it walks the IP protocol numbers (1 ICMP, 6 TCP, 17 UDP, 47 GRE, ...) to find which ones the host answers; an ICMP "protocol unreachable" means not supported. Useful against routers and VPN endpoints.

2.10 RPC scan -sR

  • -sR

Obsolete as a separate option: RPC grinding has been part of version detection for a long time, and current nmap treats -sR as an alias for -sV (with a warning).

2.11 SYN scan -sS

  • -sS

The most popular scan, and the default when running as root (it needs raw sockets, hence the sudo). It is fast, firewalls usually pass SYN packets, and it is "S for stealthy" because nmap never completes the TCP 3-way handshake: it sends SYN, the target answers SYN/ACK (open) or RST (closed), and nmap replies with RST instead of the final ACK. No connection is ever established, so the service itself never sees the probe and its logs stay quiet; the kernel, a firewall or an IDS can still see the half-open attempt.

2.12 TCP connect scan -sT

  • -sT

Uses the operating system's connect() call and completes the handshake, so it needs no privileges and is the default when you are not root, but every probe shows up in the service's logs. A full default scan (1000 ports) is best run against a host, NOT a subnet, as it takes too long; with a short -p list a subnet is fine, as the second example shows.

sudo nmap -sT 172.28.105.2   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:04 EDT
Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.0020s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE  SERVICE
22/tcp closed ssh
53/tcp open   domain
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.75 seconds

  • -sT -p 53 will limit the scan to a particular port you are interested in, which makes a subnet-wide run quick:

sudo nmap -sT -p 53 172.28.105.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:06 EDT
Nmap scan report for africa.continents.earth.ops (172.28.105.1)
Host is up (0.00052s latency).

PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:A5:97:C3 (QEMU virtual NIC)

Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.00083s latency).

PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)

Nmap scan report for antarctica.continents.earth.ops (172.28.105.3)
Host is up (0.0012s latency).

PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)

Nmap scan report for asia.continents.earth.ops (172.28.105.5)
Host is up (0.0012s latency).

PORT   STATE    SERVICE
53/tcp filtered domain
MAC Address: 52:54:00:F9:B1:AA (QEMU virtual NIC)

Nmap scan report for europe.continents.earth.ops (172.28.105.6)
Host is up (0.0012s latency).

PORT   STATE    SERVICE
53/tcp filtered domain
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)

Nmap scan report for southamerica.continents.earth.ops (172.28.105.8)
Host is up (0.0013s latency).

PORT   STATE    SERVICE
53/tcp filtered domain
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)

Nmap scan report for kali.continents.earth.ops (172.28.105.55)
Host is up (0.00086s latency).

PORT   STATE  SERVICE
53/tcp closed domain

Nmap done: 256 IP addresses (7 hosts up) scanned in 2.27 seconds

2.13 UDP scan -sU

Good for DNS (53), SNMP (161), DHCP (67/68), NTP (123) and other UDP services, which none of the TCP scans above ever touch. nmap sends a UDP datagram to every targeted port: an ICMP port unreachable means closed, a UDP reply means open, and silence means open|filtered. It is slow because most stacks rate-limit ICMP unreachable messages (Linux to about one per second), and nmap detects that and slows itself down to match. Keep the port list short, and add -sV so nmap sends protocol-specific payloads that make open ports answer.

2.14 Window scan -sW

  • -sW

Same probe as the ACK scan, but it inspects the TCP window field of the RST that comes back: on some systems it is non-zero for open ports and zero for closed ones, so -sW can sometimes tell open from closed where -sA only says unfiltered. It works on a minority of stacks; treat the results with suspicion.

2.15 Version scan -sV

After you have determined what hosts are online and what ports are open, you can dig deeper by determining what software, and which version of it, is listening on each open port.

nmap comes with a simple version scan: nmap -sV 172.28.105.5

  • -sV adds version detection to a scan, or can be run by itself (it implies a port scan first). Normally this is aimed at a particular host, as it is more intensive, i.e. don't run this against a /24 subnet.

    If that does not return any information, you can try -sV -Pn, which skips host discovery and scans the host even when it does not answer pings.

    A trailing ? in the SERVICE column (ssh?, imap?) means the port was open but no probe matched a known signature, so the version is unknown. tcpwrapped means the TCP handshake completed but the connection was closed before any data came back, typically an access-control wrapper or a firewall in front of the service.

Here is an -sV scan against a DNS server:

sudo nmap -sV 172.28.105.2        
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:09 EDT
Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.0018s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)

PORT   STATE SERVICE VERSION
53/tcp open  domain  ISC BIND 9.11.36 (RedHat Enterprise Linux 8)
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:8

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.19 seconds

And the same -sV scan against a host alias, eu, resolved by DNS on the same network. Note the run time: unidentified and tcpwrapped ports make nmap try every probe in its database before giving up:

sudo nmap -sV eu                   
[sudo] password for zintis: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:45 EDT
Nmap scan report for eu (172.28.105.6)
Host is up (0.0026s latency).
rDNS record for 172.28.105.6: europe.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE    VERSION
22/tcp  open  ssh?
143/tcp open  imap?
993/tcp open  tcpwrapped
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.94 seconds

and a third one, by FQDN with -Pn (same basic thing):

$ nmap -sV -Pn antarctica.continents.earth.ops 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-19 20:21 EDT
Nmap scan report for ant (172.28.105.3)
Host is up (0.0012s latency).
rDNS record for 172.28.105.3: antarctica.continents.earth.ops
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
53/tcp open   domain  ISC BIND 9.11.36 (RedHat Enterprise Linux 8)
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:8

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.29 seconds

See scripts below that are often run with -sV version scans.

2.16 ICMP ping -PI (now -PE)

  • -PI is the old spelling of -PE: use an ICMP echo request for host discovery.

The -P* options only change how nmap decides that a host is up; they do not select the port scan. That is why this run returns much more than a -sT -p 53 scan: with no -s option and running as root, nmap still performs its default SYN scan of the top 1000 TCP ports on every host it finds. On a local Ethernet segment the ICMP probe is largely moot, because nmap discovers neighbours with ARP requests anyway (hence the MAC Address lines). To ping without port scanning, combine it with -sn.

sudo nmap -PI 172.28.105.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:11 EDT
Nmap scan report for africa.continents.earth.ops (172.28.105.1)
Host is up (0.00073s latency).
Not shown: 980 filtered tcp ports (no-response), 18 filtered tcp ports (port-unreach)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
MAC Address: 52:54:00:A5:97:C3 (QEMU virtual NIC)

Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.0017s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)

Nmap scan report for antarctica.continents.earth.ops (172.28.105.3)
Host is up (0.0017s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)

Nmap scan report for asia.continents.earth.ops (172.28.105.5)
Host is up (0.0017s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
MAC Address: 52:54:00:F9:B1:AA (QEMU virtual NIC)

Nmap scan report for europe.continents.earth.ops (172.28.105.6)
Host is up (0.0018s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
143/tcp open  imap
993/tcp open  imaps
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)

Nmap scan report for southamerica.continents.earth.ops (172.28.105.8)
Host is up (0.0016s latency).
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)

Nmap scan report for kali.continents.earth.ops (172.28.105.55)
Host is up (0.0000060s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (7 hosts up) scanned in 14.89 seconds

2.17 scan stealthy

Same targets and ports as -sT, but it never completes the 3-way handshake (see -sS above) and therefore needs root.

  • nmap -sS -p 80,443 192.168.128.0/24 # scan Stealth TCP

2.18 scan OS detection

  • nmap -O 192.168.128.1 # OS detect

Notice that this is for a specific host.

Often combined with a version scan: nmap -sV -O -p- <host> for all 65,535 ports. (Capital -V only prints nmap's own version.) OS fingerprinting wants at least one open and one closed TCP port to work from; behind a tight firewall, as below, it warns about that and only guesses.

sudo nmap -O ant             
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 20:58 EDT
Nmap scan report for ant (172.28.105.3)
Host is up (0.0012s latency).
rDNS record for 172.28.105.3: antarctica.continents.earth.ops
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|specialized
Running (JUST GUESSING): Linux 3.X|4.X|5.X|2.6.X (97%), Synology DiskStation Manager 5.X (91%), Crestron 2-Series (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1 cpe:/o:linux:linux_kernel:2.6.32 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:crestron:2_series
Aggressive OS guesses: Linux 3.2 - 4.9 (97%), Linux 3.10 - 4.11 (96%), Linux 5.1 (96%), Linux 2.6.32 (92%), Linux 4.10 (91%), Linux 4.4 (91%), Linux 5.4 (91%), Synology DiskStation Manager 5.2-5644 (91%), Linux 2.6.32 - 3.10 (90%), Linux 2.6.32 - 3.13 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.08 seconds

2.19 scan ALL (OS detection, version detection, script scanning, traceroute)

  • nmap -A 192.168.128.1 # All, equivalent to -O -sV -sC --traceroute

Notice that this is for a specific host.

This will show you lots of information and will take time, and it is noisy: -sC runs the default scripts, which connect to every open service. But you get DNS settings, SAMBA shares, OS, lots of stuff.

2.20 scan stealthy with a decoy

  • nmap -sS -D 192.168.128.99 192.168.128.1 # Decoy

-D takes the decoy list as its argument and the target comes after it, so here .1 is the target and .99 the decoy: the target sees these scans coming from .99 as well as from my actual ip address, .33. Several decoys are separated by commas, ME marks where your own address goes in the order, and RND:5 adds five random decoys. Decoys should be hosts that are actually up, otherwise you SYN flood the target and the one real source stands out.

2.21 Selecting speed of scans (for obfuscation, or for speed)

-T0 up to -T5. T0 to T2 send one probe at a time with long waits between them, to stay under IDS rate thresholds; T3 is the default; T4 and T5 raise parallelism and shorten timeouts and are meant for fast, reliable networks.

Timer  Name        Speed
T0     paranoid    serial, one probe every 5 minutes
T1     sneaky      serial, one probe every 15 seconds
T2     polite      serial, 0.4 seconds between probes
T3     normal      parallel, default
T4     aggressive  parallel, fast
T5     insane      parallel, fastest, may miss results

3 nmap in batch

You can specify a specific format and output file, rather than leaving it to the default STDOUT, with these options:

3.0.1 -oN <outputfile>

  • -oN specifies "N for normal output format", i.e. what you see on the screen
  • nmap -oN mynmap-xyz-script-output.txt <target>

Other output formats are:

  • -oN for normal
  • -oX for XML, the format to use when another program will read the results
  • -oS for script kiddie (a joke format, not for real use)
  • -oG for greppable, one line per host; officially deprecated in favour of XML but still handy with grep and awk
  • -oA <basename> writes normal, XML and greppable at once
  • a filename of - sends that format to STDOUT, e.g. -oX -
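
A typical use of -oX is to keep a baseline scan and compare later runs against it, so that a newly opened port on a host you administer gets noticed. The following is an added example (not nmap code and not from the original notes): it parses the XML with the standard library and reports ports that became open or stopped being open between two runs. Both XML documents are constructed by hand in the shape nmap 7.92 writes, mirroring the ports the notes found on africa (172.28.105.1) and southamerica (172.28.105.8); the second one is an invented follow-up in which southamerica has started listening on 22/tcp. Function names are this example's own.

```python
"""Parse nmap -oX output and diff two runs (added example, not part of nmap)."""
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

PortKey = Tuple[str, int]                 # (protocol, port)
HostPorts = Dict[PortKey, str]            # (proto, port) -> nmap state string
Scan = Dict[str, HostPorts]               # ip -> ports

# Constructed baseline in -oX shape; values mirror the lab scans in the notes.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 22,53,139,445 -oX - 172.28.105.0/24" version="7.92">
<host><status state="up" reason="arp-response"/>
 <address addr="172.28.105.1" addrtype="ipv4"/>
 <address addr="52:54:00:A5:97:C3" addrtype="mac" vendor="QEMU virtual NIC"/>
 <hostnames><hostname name="africa.continents.earth.ops" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
  <port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
  <port protocol="tcp" portid="139"><state state="filtered" reason="no-response"/></port>
  <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
 </ports></host>
<host><status state="up" reason="arp-response"/>
 <address addr="172.28.105.8" addrtype="ipv4"/>
 <hostnames><hostname name="southamerica.continents.earth.ops" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/></port>
  <port protocol="tcp" portid="53"><state state="filtered" reason="no-response"/></port>
  <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
  <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
 </ports></host>
<runstats><finished elapsed="2.27"/><hosts up="2" down="254" total="256"/></runstats>
</nmaprun>"""

# Invented follow-up run: identical, except southamerica now answers on 22/tcp.
FOLLOWUP_XML = BASELINE_XML.replace(
    '<port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/></port>',
    '<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>',
)


def parse_nmap_xml(xml_text: str) -> Scan:
    """Return {ip: {(proto, port): state}} for every host nmap reported as up."""
    root = ET.fromstring(xml_text)
    scan: Scan = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:                  # IPv6-only host: not handled in this example
            continue
        ports: HostPorts = {}
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            ports[(port.get("protocol"), int(port.get("portid")))] = state.get("state")
        scan[addr.get("addr")] = ports
    return scan


def open_ports(scan: Scan) -> Dict[str, Set[PortKey]]:
    """Reduce a parsed scan to the set of open (proto, port) per host."""
    return {ip: {k for k, st in ports.items() if st == "open"} for ip, ports in scan.items()}


def diff_scans(baseline: Scan, current: Scan):
    """Return (newly_open, no_longer_open) as {ip: set of (proto, port)}.

    A host missing from one side counts as having no open ports there, so a
    brand-new host with services shows up under newly_open.
    """
    before, after = open_ports(baseline), open_ports(current)
    newly_open, no_longer_open = {}, {}
    for ip in sorted(set(before) | set(after)):
        b, a = before.get(ip, set()), after.get(ip, set())
        if a - b:
            newly_open[ip] = a - b
        if b - a:
            no_longer_open[ip] = b - a
    return newly_open, no_longer_open


if __name__ == "__main__":
    new, gone = diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(FOLLOWUP_XML))
    for ip, ports in new.items():
        print(f"{ip}: newly open {sorted(ports)}")       # 172.28.105.8: newly open [('tcp', 22)]
    for ip, ports in gone.items():
        print(f"{ip}: no longer open {sorted(ports)}")
```

Only open ports are compared, so a port flipping between closed and filtered (a firewall rule change rather than a new service) does not raise an alert here; extend the comparison to the full state string if that matters to you.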

3.0.2 predefined sets of scans:

  • -A enable OS detection, version detection, script scanning, and traceroute.

3.0.3 verbose

  • -v verbose output.

Example with -v -oN -T4 output:

$ sudo nmap -T4 --script "smb-enum-shares" -oN ~/smbscript-scans.txt -v  sa  
[sudo] password for zintis: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 22:45 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:45
Completed NSE at 22:45, 0.00s elapsed
Initiating ARP Ping Scan at 22:45
Scanning sa (172.28.105.8) [1 port]
Completed ARP Ping Scan at 22:45, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:45
Completed Parallel DNS resolution of 1 host. at 22:45, 6.50s elapsed
Initiating SYN Stealth Scan at 22:45
Scanning sa (172.28.105.8) [1000 ports]
Discovered open port 445/tcp on 172.28.105.8
Discovered open port 139/tcp on 172.28.105.8
Completed SYN Stealth Scan at 22:45, 4.10s elapsed (1000 total ports)
NSE: Script scanning 172.28.105.8.
Initiating NSE at 22:45
Completed NSE at 22:45, 33.02s elapsed
Nmap scan report for sa (172.28.105.8)
Host is up (0.0016s latency).
rDNS record for 172.28.105.8: southamerica.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 22:45
Completed NSE at 22:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 44.04 seconds
           Raw packets sent: 2000 (87.984KB) | Rcvd: 6 (276B)

4 nmap port states

nmap reports each scanned port in one of six states:

  1. open # an application is accepting TCP connections or UDP datagrams on it
  2. closed # reachable (nmap got a RST, or an ICMP port unreachable for UDP), but nothing is listening; any firewall in the path is letting the probe through
  3. filtered # no answer, or an ICMP error from a filtering device: a firewall or router is most likely dropping the probe, so nmap cannot tell open from closed
  4. unfiltered # reachable, but nmap cannot tell open from closed; only the ACK scan produces this state
  5. open|filtered # either open or filtered, nmap cannot tell which: UDP, FIN, NULL and Xmas scans, where an open port and a dropped probe both look like silence
  6. closed|filtered # either closed or filtered; only the IP ID idle scan (-sI) produces this state

5 Putting multiple options together:

Try this example:

nmap -sS -n -Pn eu -p 22 -sC
      |   |  |  |   |     |
      |   |  |  |   |     -> script scan with default set of scripts
      |   |  |  |   |        same as --script=default
      |   |  |  |   |        can be intrusive, so get permission.
      |   |  |  |   |
      |   |  |  |   |----> restrict to port 22
      |   |  |  |   
      |   |  |  |------> target host is "eu" resolved by DNS
      |   |  |
      |   |  |-------> disable host discovery when you know the host is there
      |   |            i.e. skip the host pinging (called host discovery)
      |   |
      |   |------> "numeric" do not resolve dns names
      |
      |------> "stealthy" ignore SYN reply & do not complete 3-way handshake

Here is the output (not restricting to port 22), where the default scripts are able to read BIND's version string: dns-nsid reports bind.version: 9.11.36-RedHat-9.11.36-3.el8, i.e. ISC BIND 9.11.36 from the Red Hat Enterprise Linux 8 package, release 3.el8. The server hands that string out on request; it can be hidden or changed with the version option in named.conf, which is the first thing to do about it.

sudo nmap -sS -n -Pn ant -sC
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 20:50 EDT
Nmap scan report for ant (172.28.105.3)
Host is up (0.0015s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT   STATE SERVICE
53/tcp open  domain
| dns-nsid: 
|_  bind.version: 9.11.36-RedHat-9.11.36-3.el8
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 19.04 seconds

After this I would want to run a vulnerability scan on port 53, dns-bind.

Another example, to search a subnet for web servers you can browse, listing only hosts where the port is actually open:

  • nmap -Pn -sS -p 80 --open 172.28.105.0/24

--open suppresses hosts whose port is closed or filtered. Do not add -iR here: -iR <n> picks n random internet hosts as targets (0 means never stop), which is not what you want when scanning your own lab subnet.

6 scan scripts from nmap.org

The nmap scripting engine (NSE) ships with many scripts, including the vulnerability checks in the vuln category, and more can be downloaded from nmap.org and from github (see section 8.1).

6.0.1 Using built-in scripts:

For one specific scripts:

  • nmap --script script-name 172.28.105.9

combining -sV (version scan) with a vulners script:

  • nmap -sV --script vulners 172.28.105.9
sudo nmap -sV --script vulners asia
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:02 EDT
Nmap scan report for asia (172.28.105.5)
Host is up (0.0014s latency).
rDNS record for 172.28.105.5: asia.continents.earth.ops
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh?
25/tcp open  smtp?
MAC Address: 52:54:00:F9:B1:AA (QEMU virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.23 seconds

Now limiting that to particular ports:

  • nmap -p 53 -sV --script vulners 172.28.105.9

vulners only has something to look up when -sV identifies a product and version (a CPE). The ssh? and smtp? above mean version detection matched nothing, so the script had nothing to report. It also needs internet access from the scanner, because it queries the vulners.com API.

For ALL the scripts in the vuln category:

  • nmap --script vuln 192.168.128.0/24 # all vuln class scripts; this will take some time, maybe 15 minutes or more

These vuln class scripts report what they find by CVE (Common Vulnerabilities and Exposures) identifier.

Two more examples targeting the southamerica (sa) host, which is serving a samba share. First a netbios broadcast script, sudo nmap -sV --script broadcast-netbios-master-browser sa. broadcast-* scripts run in the prerule phase against the local broadcast domain rather than against the target argument, and report under "Pre-scan script results" only if something answers, which is why no script output appears here:

sudo nmap -sV --script broadcast-netbios-master-browser sa
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:12 EDT
Nmap scan report for sa (172.28.105.8)
Host is up (0.0015s latency).
rDNS record for 172.28.105.8: southamerica.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn?
445/tcp open  microsoft-ds?
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.91 seconds

Now a samba CVE script that is also in the standard nmap library of scripts: sudo nmap -sV --script samba-vuln-cve-2012-1182 sa (sa is a host alias)

$ sudo nmap -sV --script samba-vuln-cve-2012-1182  sa       
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:18 EDT
Nmap scan report for sa (172.28.105.8)
Host is up (0.0013s latency).
rDNS record for 172.28.105.8: southamerica.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn?
445/tcp open  microsoft-ds?
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.13 seconds

I am not seeing much here because these hosts are well locked down, with tight iptables, and application security in place.

6.1 multiple scripts in one run

Simply by entering several scripts separated by commas:

  • sudo nmap --script samba-vuln-cve-2012-1182,broadcast-netbios-master-browser sa (sa is a host alias)

Here are the results:

sudo nmap --script samba-vuln-cve-2012-1182,broadcast-netbios-master-browser sa 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:28 EDT
Nmap scan report for sa (172.28.105.8)
Host is up (0.0021s latency).
rDNS record for 172.28.105.8: southamerica.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT

Nmap done: 1 IP address (1 host up) scanned in 24.14 seconds

6.1.1 wildcard globbing on script names.

If you have the time, maybe overnight, you can run all scripts that start with "ftp-" if you run:

  • sudo nmap --script "ftp-*" southamerica

Here are two examples, one targeting all imap scripts, the second targeting all smb scripts:

first: imap

$ sudo nmap --script "imap-*" eu
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:41 EDT
Nmap scan report for eu (172.28.105.6)
Host is up (0.0012s latency).
rDNS record for 172.28.105.6: europe.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
143/tcp open  imap
993/tcp open  imaps
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds

Then second, targeting all smb scripts:


7 installing nmap scripts for NSE

nmap scripts are written in the Lua language and have a .nse ending.

The built-in scripts are in /usr/share/nmap/scripts, indexed by /usr/share/nmap/scripts/script.db. Also look in these directories:

  • /usr/share/exploitdb/exploits/...
  • /usr/share/legion/scripts/nmap/shodan-hq.nse

Easy to grep for scripts such as:

  • ls /usr/share/nmap/scripts | grep -i dns (or ftp, or smb etc.)

My Kali linux distro had 604 .nse scripts in that directory.

After copying a new script into that directory, run nmap --script-updatedb so it is added to script.db and can be selected by name or category.

8 nmap scripting engine, NSE

NSE is the nmap scripting engine that runs scripts you create, or that others created and made available to the nmap community.

A script can define up to four kinds of rule, which run in this order:

  1. prerule scripts - run before any nmap scans take place, when nothing is known yet (broadcast discovery, for example)
  2. hostrule scripts - run against a specific, already discovered host
  3. portrule scripts - run against specific services listening on a target host (most scripts)
  4. postrule scripts - run after nmap has scanned all target hosts, typically to summarize

A script may define both a prerule and a postrule; one-off discovery work normally goes in the prerule.

nmap also files every script into one or more categories (14 in all: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version and vuln), and --script accepts a category name to run all of them. The ones that matter most here:

  1. auth for authentication checks (anonymous FTP, default credentials), as opposed to brute forcing
  2. broadcast for discovering hosts by broadcasting on the local network
  3. brute for brute force authentication attacks guessing credentials
  4. discovery for learning what is on the network (ping scan on steroids); the goal is to reduce the large number of ip addresses on the network to the ones that have an active host
  5. dos for denial of service attacks, which may crash the target
  6. exploit for scripts that actually exploit a vulnerability
  7. vuln for scripts that check for a specific known vulnerability and report it; these are what --script vuln runs
  8. default (what -sC runs) and safe for scripts considered quick and unlikely to crash or flood the target; intrusive is the opposite

8.1 downloading NSE scripts

The vulscan script is a very good script. Here's how you install it and how you run it:

To download: github.com/scipag/vulscan

To install, clone it into your nmap scripts directory, usually /usr/share/nmap/scripts, so that you end up with /usr/share/nmap/scripts/vulscan/vulscan.nse and its CSV vulnerability databases alongside it, then run nmap --script-updatedb. vulscan works offline from those CSV files and matches on the -sV version string, so it is only as good as the banner it gets and the age of the databases.

  1. Using vulscan and the vulners script together
    • nmap --script vulscan,vulners -sV 172.28.105.5

(vulners is the name of the script that ships with nmap; if you instead cloned github.com/vulnersCom/nmap-vulners into the scripts directory, select it by that directory name, nmap-vulners.)

8.1.1 script timeouts:

From stackoverflow

nmap -p 80 --script http-joomla-brute \
  --script-args 'passdb=/Users/abc/Documents/passwords.txt,http-joomla-brute.threads=5,brute.firstonly=true,unpwdb.timelimit=0' \
  my.website.here

Answer:

 Nmap calculates the percent-done timing of NSE by a simple calculation:

progress("printStats", 1-(nr+nw)/total); Where nr is the number of running
NSE threads, nw is the number of waiting threads, and total is the total
number of threads launched. In this case, http-joomla-brute is a
single-threaded script, and you only are running one of them, so it will show
"0.00% done" until it is completely done.

In a previous question, you asked for and received an answer on how to bypass
the default 10-minute limit on brute forcing attempts. Without this limit, it
is very difficult to tell how much longer it will take your script to
finish. You can get diagnostic output by increasing the debug level to 2 with
the -d2 option or by pressing d twice while running. You may be able to
observe the particular usernames and passwords being attempted, and infer
from that how far through your lists the script has gone.

Then from github

Sometimes a script misbehaves, entering an infinite loop. Other times the
loop may have an end condition that is not well defined, depending on a
network connection that is no longer available (because the target has gone
down or firewalled the scanner). You can use the --script-timeout option to
prevent any one script from running too long; in Nmap 7.70 and later, the
-T5 option adds a 10-minute timeout, for instance.

To determine what script is running, you can press d twice to increase
debugging to level 2, then press any key to get a traceback of all running
script threads. This can be overwhelming output in an ordinary scan, but
with a single misbehaving script against a single target, it ought to show
which script is causing issues and exactly where it is stuck.

Please note that Ubuntu 18.04 is using Nmap 7.60, which was released over 2
years ago, and we have made 2 new releases since then that may have already
addressed the issue you're seeing. If you update to Nmap 7.80 and still
experience problems, you may re-open this issue or open a new one with
debugging output as described above so we can better diagnose the problem.

9 vulnhub.com

Search for kioptrix and you can download VM images that have many vulnerabilities against which you can test your nmap skills on your own network.
