supplemental cheat sheet on nmap
1 nmap standard scans
nmap is a very extensive and useful tool for mapping open ports and running network-based analysis against network-connected entities. It is used by white-hat hackers as well as black-hat hackers, so learn it first to close any security holes you may have. nmap is indispensable for penetration tests.
The first resource to consider is the man page: man nmap
You will also notice that some scans are for one device while other scans are for the whole network. The latter are typically for the discovery phase of a security audit. Once you have discovered that a certain host with a certain OS is on the network, you can run further scans directed specifically at that host.
1.1 discovery phase
nmap can be augmented with other useful, simple tools for the discovery phase.
On the local network, arp can be used:
ip neigh
# similar to arp -a
netdiscover -i eth0 -r 172.28.105.0/24
# comes with standard kali linux.
But an nmap -s scan is often more flexible and can be done remotely, whereas arp tables are only local to a device. Basically a L2 (arp) vs L3 (ip) scan.
2 -s for "scan"
In the next sections, you will see that they ALL begin with -s, which tells nmap to scan something.
The nmap syntax is nmap -sX <target> where target can be:
- an ip address
- a dns resolvable hostname
- an ip range
- several ip addresses or dns hostnames, separated by spaces.
2.1 scan ping -sP
nmap -sP 192.168.128.0/24
# scan ping on a network
Here is an nmap scan of my OPS335 network:
sudo nmap -sP 172.28.105.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 18:47 EDT
Nmap scan report for africa.continents.earth.ops (172.28.105.1)
Host is up (0.0012s latency).
MAC Address: 52:54:00:A5:97:C3 (QEMU virtual NIC)
Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.0016s latency).
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)
Nmap scan report for antarctica.continents.earth.ops (172.28.105.3)
Host is up (0.0023s latency).
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)
Nmap scan report for asia.continents.earth.ops (172.28.105.5)
Host is up (0.0011s latency).
MAC Address: 52:54:00:F9:B1:AA (QEMU virtual NIC)
Nmap scan report for europe.continents.earth.ops (172.28.105.6)
Host is up (0.0034s latency).
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)
Nmap scan report for southamerica.continents.earth.ops (172.28.105.8)
Host is up (0.0012s latency).
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)
Nmap scan report for kali.continents.earth.ops (172.28.105.55)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.15 seconds
2.2 scan TCP ports -sT
By default this scans the 1000 most common TCP ports (the same default that -F below reduces to 100; see man nmap for the port list). To run a TCP connect scan against the whole network:
nmap -sT 192.168.128.0/24
But, this will take a LONG time, even with only 7 hosts on the network.
2.2.1 port ranges -sT -p port
Often scanning all 1000 ports is not needed, if you already know that certain ports are your target. You can specify a port range with a single port, -sT -p 53, several ports -sT -p 22,53,149, or a range -sT -p 20-100.
If you omit the beginning of the range, i.e. -p -443, nmap will start at 1.
If you omit the end of the range, i.e. -p 443-, nmap will end at 65535.
nmap -sT -p 80,443 192.168.128.0/24
# scan TCP ports 80 and 443 on the whole network
You can exclude ranges, i.e. the inverse port numbers, with --exclude-ports:
nmap -sT --exclude-ports 1968- 192.168.128.0/24
# scan the default ports but skip 1968 through 65535
2.2.2 -F fast scan (top 100 ports only)
Normally, nmap will scan the 1000 most common ports. With the -F option that 1000 is reduced to the top 100 ports.
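The port-specification syntax above is easy to get wrong in the open-ended forms, and the number of ports a -p argument selects decides how long a scan runs. As an added example (not code from this page or from nmap), the following Python expands a -p specification the way the sections above describe it and subtracts an --exclude-ports specification, so you can check what a given argument actually selects before starting a long scan. It handles numeric ports, lists, ranges, omitted start, omitted end and the bare "-" for all ports; protocol prefixes (T:, U:) and service names, which nmap also accepts, are deliberately out of scope here.

```python
# Added example (not nmap's code): expand the -p port specification syntax
# described above and subtract an --exclude-ports specification.
from typing import List, Set

MAX_PORT = 65535


def expand_port_spec(spec: str) -> Set[int]:
    """Return the set of ports selected by an nmap-style port spec.

    Handles a single port ("53"), a comma-separated list ("22,53,149"),
    a range ("20-100"), an omitted start ("-443" means 1-443), an
    omitted end ("443-" means 443-65535) and the bare "-" for all ports.
    Empty items (a stray or trailing comma) are ignored.
    """
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start = int(start_s) if start_s else 1
            end = int(end_s) if end_s else MAX_PORT
        else:
            start = end = int(item)
        if not 1 <= start <= end <= MAX_PORT:
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(start, end + 1))
    return ports


def select_ports(spec: str, exclude: str = "") -> List[int]:
    """Ports that '-p SPEC --exclude-ports EXCLUDE' would actually scan, sorted."""
    selected = expand_port_spec(spec)
    if exclude:
        selected -= expand_port_spec(exclude)
    return sorted(selected)


if __name__ == "__main__":
    for spec, excl in [("22,53,149", ""), ("-443", ""), ("443-", ""), ("20-100", "25-30")]:
        chosen = select_ports(spec, excl)
        print(f"-p {spec:<10} --exclude-ports {excl or '(none)':<8} -> "
              f"{len(chosen)} ports, first {chosen[0]}, last {chosen[-1]}")
```

Running it shows that "443-" selects 65093 ports while "-443" selects 443, which is the difference between a quick check and an hours-long scan of a /24.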
2.3 ACK scan -sA
-sA has only the ACK flag set
send to target | received from target | deduced port state |
---|---|---|
ACK | <no response> | port open |
ACK | RST/ACK | port closed |
2.4 FIN scan -sF
-sF has only the FIN flag set
send to target | received from target | deduced port state |
---|---|---|
FIN | <no response> | port open |
FIN | RST/ACK | port closed |
2.5 IDLE scan -sI
sI
2.6 DNS scan -sL "Lookup"
-sL
like doing a whole bunch of "host" or "nslookup" commands really fast.
nmap -sL 192.168.128.0/24
2.7 NULL scan -sN
-sN has none of the TCP flags set.
2.8 XMAS scan -sX
-sX
Called the Christmas scan because it "lights up the packets like a christmas tree", with all of the FIN, PSH, and URG flags set.
It can sneak through stateful firewalls because they usually block incoming TCP connections by blocking packets with the SYN bit set and the ACK bit cleared. So the XMAS scan has the SYN bit cleared. Also the FIN flag is set, which usually tells the firewall this packet is closing a TCP session, not opening it.
2.9 Protocol scan -sO
-sO
2.10 RPC scan -sR
-sR
2.11 SYN scan -sS
-sS
most popular and default scan. It is fast, firewalls usually pass SYN packets, and it is "S for stealthy" because it never completes the connection: the target answers the SYN with a SYN/ACK, and nmap never sends the final ACK that would normally finish the TCP 3-way handshake. So the connection is never established.
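The flag-only probes of 2.3 through 2.8 and the SYN probe of 2.11 are also what a defender sees arriving at a host, and the flag combination alone identifies the scan type. As an added example (not from this page or from nmap), the following Python classifies probe records by their TCP flag set and flags any source that touches many distinct ports within a short window, which is the pattern a port scan leaves regardless of which -s option produced it. The record format is a constructed one for the example (epoch timestamp, source IP, destination port, tcpdump-style flag letters with "-" for no flags); a real firewall or packet-capture log needs its own parser.

```python
# Added example (not from the page or from nmap): classify TCP probes by
# flag combination and flag sources that sweep many ports in a short window.
from collections import defaultdict
from typing import Dict, List, Tuple

# Flag letters in tcpdump style: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
# Which flag sets correspond to which nmap scan type (sections 2.3-2.8, 2.11).
PROBE_KINDS: Dict[frozenset, str] = {
    frozenset(): "NULL probe (-sN)",
    frozenset("F"): "FIN probe (-sF)",
    frozenset("FPU"): "XMAS probe (-sX)",
    frozenset("S"): "SYN probe (-sS/-sT)",
    frozenset("A"): "ACK probe (-sA/-sW)",
}


def classify_flags(flags: str) -> str:
    """Map a flag string such as "FPU" or "" to the probe kind it looks like."""
    return PROBE_KINDS.get(frozenset(flags.upper()), "other")


def parse_record(line: str) -> Tuple[float, str, int, str]:
    """Parse one constructed log record: '<epoch> <src_ip> <dst_port> <flags>'.

    The flags field is '-' when no flag is set (a NULL probe). This format is
    an assumption for the example; a real firewall log needs its own parser.
    """
    ts, src, dport, flags = line.split()
    return float(ts), src, int(dport), ("" if flags == "-" else flags)


def detect_port_sweeps(lines: List[str], window: float = 10.0,
                       min_ports: int = 5) -> Dict[str, dict]:
    """Return, per source that touched >= min_ports distinct destination ports
    within any `window` seconds, the peak port count and a tally of probe kinds."""
    events: Dict[str, List[Tuple[float, int, str]]] = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dport, flags = parse_record(line)
            events[src].append((ts, dport, classify_flags(flags)))

    findings: Dict[str, dict] = {}
    for src, evs in events.items():
        evs.sort()                       # by timestamp
        peak: set = set()
        for i, (t0, _, _) in enumerate(evs):
            # distinct ports hit in the window that starts at event i
            seen = {dport for ts, dport, _ in evs[i:] if ts - t0 <= window}
            if len(seen) > len(peak):
                peak = seen
        if len(peak) >= min_ports:
            kinds: Dict[str, int] = defaultdict(int)
            for _, _, kind in evs:
                kinds[kind] += 1
            findings[src] = {"distinct_ports": len(peak), "probe_kinds": dict(kinds)}
    return findings


# Constructed sample: a NULL sweep, a lone SYN to a web port, and an XMAS sweep.
SAMPLE_LOG = """\
100.0 10.0.0.9 22 -
100.1 10.0.0.9 25 -
100.2 10.0.0.9 53 -
100.3 10.0.0.9 80 -
100.4 10.0.0.9 443 -
100.5 10.0.0.9 8080 -
100.2 10.0.0.7 443 S
160.0 10.0.0.7 443 S
200.0 10.0.0.5 21 FPU
200.1 10.0.0.5 22 FPU
200.2 10.0.0.5 23 FPU
200.3 10.0.0.5 25 FPU
200.4 10.0.0.5 80 FPU
"""

if __name__ == "__main__":
    for src, info in detect_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The two sweeping sources are reported with their probe kind, while the single SYN to port 443 is ordinary client traffic and stays quiet. A host behind a stateful firewall that drops non-SYN packets will never log the NULL, FIN or XMAS probes at all, which is the flip side of the firewall-evasion point made in 2.8: the probes only show up where they are allowed through.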
2.12 TCP connect scan -sT
-sT
run against a host, NOT a subnet, as it takes too long.
sudo nmap -sT 172.28.105.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:04 EDT
Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.0020s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp closed ssh
53/tcp open domain
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 4.75 seconds
-sT -p 53 will limit the scan to a particular port you are interested in.
sudo nmap -sT -p 53 172.28.105.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:06 EDT
Nmap scan report for africa.continents.earth.ops (172.28.105.1)
Host is up (0.00052s latency).
PORT STATE SERVICE
53/tcp open domain
MAC Address: 52:54:00:A5:97:C3 (QEMU virtual NIC)
Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.00083s latency).
PORT STATE SERVICE
53/tcp open domain
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)
Nmap scan report for antarctica.continents.earth.ops (172.28.105.3)
Host is up (0.0012s latency).
PORT STATE SERVICE
53/tcp open domain
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)
Nmap scan report for asia.continents.earth.ops (172.28.105.5)
Host is up (0.0012s latency).
PORT STATE SERVICE
53/tcp filtered domain
MAC Address: 52:54:00:F9:B1:AA (QEMU virtual NIC)
Nmap scan report for europe.continents.earth.ops (172.28.105.6)
Host is up (0.0012s latency).
PORT STATE SERVICE
53/tcp filtered domain
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)
Nmap scan report for southamerica.continents.earth.ops (172.28.105.8)
Host is up (0.0013s latency).
PORT STATE SERVICE
53/tcp filtered domain
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)
Nmap scan report for kali.continents.earth.ops (172.28.105.55)
Host is up (0.00086s latency).
PORT STATE SERVICE
53/tcp closed domain
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.27 seconds
2.13 UDP scan -sU
Good for DNS, SNMP, and DHCP services, as they use UDP. A UDP packet is sent to every targeted port.
Can be slow, but nmap handles the slow nature of UDP by automatically slowing down the rate of queries to every port.
2.14 Window scan -sW
-sW
2.15 Version scan -sV
After you have determined what hosts are online, and what ports are open, you can then dig deeper by determining the version of software on that host.
nmap comes with a simple version scan: nmap -sV 172.28.105.5
-sV adds version detection to a scan, or can be run by itself. Normally this is run against a particular host, as it is more intensive, i.e. don't run this against a /24 subnet. If that does not return any information, you can try:
- -sV -Pn
which skips host discovery (see section 5).
Here is an -sV scan against a DNS server:
sudo nmap -sV 172.28.105.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:09 EDT
Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.0018s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.11.36 (RedHat Enterprise Linux 8)
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:8
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.19 seconds
And the same -sV scan against a DNS-resolved host on the same network:
sudo nmap -sV eu
[sudo] password for zintis:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:45 EDT
Nmap scan report for eu (172.28.105.6)
Host is up (0.0026s latency).
rDNS record for 172.28.105.6: europe.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh?
143/tcp open imap?
993/tcp open tcpwrapped
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.94 seconds
and a third one, against the full hostname with -Pn (same basic thing):
$ nmap -sV -Pn antarctica.continents.earth.ops
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-19 20:21 EDT
Nmap scan report for ant (172.28.105.3)
Host is up (0.0012s latency).
rDNS record for 172.28.105.3: antarctica.continents.earth.ops
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
53/tcp open domain ISC BIND 9.11.36 (RedHat Enterprise Linux 8)
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:8
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.29 seconds
See the scripts below that are often run with -sV version scans.
2.16 ICMP ping -PI
-PI
This scan returns more than a specific -sT -p53 scan, for instance.
sudo nmap -PI 172.28.105.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 19:11 EDT
Nmap scan report for africa.continents.earth.ops (172.28.105.1)
Host is up (0.00073s latency).
Not shown: 980 filtered tcp ports (no-response), 18 filtered tcp ports (port-unreach)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
MAC Address: 52:54:00:A5:97:C3 (QEMU virtual NIC)
Nmap scan report for australinea.continents.earth.ops (172.28.105.2)
Host is up (0.0017s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE
53/tcp open domain
MAC Address: 52:54:00:9A:EF:E6 (QEMU virtual NIC)
Nmap scan report for antarctica.continents.earth.ops (172.28.105.3)
Host is up (0.0017s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE
53/tcp open domain
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)
Nmap scan report for asia.continents.earth.ops (172.28.105.5)
Host is up (0.0017s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
MAC Address: 52:54:00:F9:B1:AA (QEMU virtual NIC)
Nmap scan report for europe.continents.earth.ops (172.28.105.6)
Host is up (0.0018s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
143/tcp open imap
993/tcp open imaps
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)
Nmap scan report for southamerica.continents.earth.ops (172.28.105.8)
Host is up (0.0016s latency).
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)
Nmap scan report for kali.continents.earth.ops (172.28.105.55)
Host is up (0.0000060s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 256 IP addresses (7 hosts up) scanned in 14.89 seconds
2.17 scan stealthy
Same as -sT but does not complete the 3-way handshake
nmap -sS -p 80,443 192.168.128.0/24
# scan Stealth TCP
2.18 scan OS detection
nmap -O 192.168.128.1
# OS detect
Notice that this is for a specific host.
Often combined with version scans: nmap -sV -O -p 1-65000 for ports 1 to 65,000
sudo nmap -O ant
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 20:58 EDT
Nmap scan report for ant (172.28.105.3)
Host is up (0.0012s latency).
rDNS record for 172.28.105.3: antarctica.continents.earth.ops
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE
53/tcp open domain
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|specialized
Running (JUST GUESSING): Linux 3.X|4.X|5.X|2.6.X (97%), Synology DiskStation Manager 5.X (91%), Crestron 2-Series (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1 cpe:/o:linux:linux_kernel:2.6.32 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:crestron:2_series
Aggressive OS guesses: Linux 3.2 - 4.9 (97%), Linux 3.10 - 4.11 (96%), Linux 5.1 (96%), Linux 2.6.32 (92%), Linux 4.10 (91%), Linux 4.4 (91%), Linux 5.4 (91%), Synology DiskStation Manager 5.2-5644 (91%), Linux 2.6.32 - 3.10 (90%), Linux 2.6.32 - 3.13 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.08 seconds
2.19 scan ALL (OS detection, protocol versions, script scanning, traceroute)
nmap -A 192.168.128.1
# All
Notice that this is for a specific host.
This will show you lots of information and will take time. But you will get DNS settings, SAMBA shares, OS, lots of stuff.
2.20 scan stealthy with a decoy
nmap -sS -D 192.168.128.99 192.168.128.1
# Decoy (-D takes the decoy address, followed by the target)
the target host, .1, will see these scans coming from .99, as well as from my actual ip address, which is .33.
2.21 Selecting speed of scans (for obfuscation)
-T0 up to -T4, for serial slowest, serial slow, serial normal, parallel normal, parallel fast.
Timer | Speed |
---|---|
T0 | serial, slowest |
T1 | serial, slow |
T2 | serial, normal |
T3 | parallel, normal |
T4 | parallel, fast |
3 nmap in batch
You can specify a specific format and a specific output file, rather than leave it to the default STDOUT, with these options:
3.0.1 -oN <outputfile>
-oN specifies "N, normal output format", e.g. -oN mynmap-xyz-script-output.txt
Other output formats are:
-oN for normal
-oX for XML
-oS for scriptkiddie
-oG for greppable
3.0.2 predefined sets of scans:
-A enables OS detection, version detection, script scanning, and traceroute.
3.0.3 verbose
-v verbose output.
Example with -v -oN -T4 output:
$ sudo nmap -T4 --script "smb-enum-shares" -oN ~/smbscript-scans.txt -v sa
[sudo] password for zintis:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 22:45 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:45
Completed NSE at 22:45, 0.00s elapsed
Initiating ARP Ping Scan at 22:45
Scanning sa (172.28.105.8) [1 port]
Completed ARP Ping Scan at 22:45, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:45
Completed Parallel DNS resolution of 1 host. at 22:45, 6.50s elapsed
Initiating SYN Stealth Scan at 22:45
Scanning sa (172.28.105.8) [1000 ports]
Discovered open port 445/tcp on 172.28.105.8
Discovered open port 139/tcp on 172.28.105.8
Completed SYN Stealth Scan at 22:45, 4.10s elapsed (1000 total ports)
NSE: Script scanning 172.28.105.8.
Initiating NSE at 22:45
Completed NSE at 22:45, 33.02s elapsed
Nmap scan report for sa (172.28.105.8)
Host is up (0.0016s latency).
rDNS record for 172.28.105.8: southamerica.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)
NSE: Script Post-scanning.
Initiating NSE at 22:45
Completed NSE at 22:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 44.04 seconds
Raw packets sent: 2000 (87.984KB) | Rcvd: 6 (276B)
4 nmap port states
nmap scans on ports return six different port states:
open
closed
# accessible, but not responding (firewall allows)
filtered
# firewall most likely filtering
unfiltered
# port is accessible, but nmap unsure if open or closed
open|filtered
# open ports that give no response; could have been a f/w
closed|filtered
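The port states above are what you end up comparing between scans, and of the output formats in section 3 the -oG greppable format is the easiest to post-process. As an added example (not code from this page or from nmap), the following Python parses greppable output into a per-host port table (keeping the state, service and version fields) and compares the plainly "open" ports against an expected baseline, so a listener that was not supposed to be there stands out. The -oG line layout used is nmap's documented one (tab-separated sections; port entries of the form port/state/protocol/owner/service/rpc info/version/); the sample output is constructed from hosts seen in the scans above and the baseline is an assumption.

```python
# Added example (not from the page or from nmap): parse -oG "greppable" output
# and compare the open ports per host against an expected baseline.
from typing import Dict, Set, Tuple

PortKey = Tuple[int, str]          # (port number, protocol)

# Constructed sample in -oG format, built from hosts seen in the scans above.
# Fields inside "Ports:" are port/state/proto/owner/service/rpc/version/,
# entries are separated by ", " and sections by a tab.
SAMPLE_GNMAP = """\
# Nmap 7.92 scan initiated Mon May 23 19:06:00 2022 as: nmap -sV -oG - 172.28.105.0/24
Host: 172.28.105.2 (australinea.continents.earth.ops)\tStatus: Up
Host: 172.28.105.2 (australinea.continents.earth.ops)\tPorts: 22/closed/tcp//ssh///, 53/open/tcp//domain//ISC BIND 9.11.36 (RedHat Enterprise Linux 8)/\tIgnored State: filtered (998)
Host: 172.28.105.5 (asia.continents.earth.ops)\tStatus: Up
Host: 172.28.105.5 (asia.continents.earth.ops)\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///\tIgnored State: filtered (998)
# Nmap done at Mon May 23 19:06:02 2022 -- 256 IP addresses (2 hosts up) scanned in 2.27 seconds
"""

# Assumed baseline: which listeners each host is supposed to expose.
BASELINE: Dict[str, Set[PortKey]] = {
    "172.28.105.2": {(53, "tcp")},
    "172.28.105.5": {(22, "tcp")},
}


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname": str, "status": str, "ports": {(port, proto): {...}}}}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                              # comments and blank lines
        fields = {}
        for section in line.split("\t"):
            key, _, value = section.partition(": ")
            fields[key] = value
        ip, _, rest = fields["Host"].partition(" ")
        host = hosts.setdefault(ip, {"hostname": rest.strip("()"), "status": "", "ports": {}})
        if "Status" in fields:
            host["status"] = fields["Status"]
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            parts = entry.split("/")
            if len(parts) < 7:
                raise ValueError(f"malformed port entry: {entry!r}")
            host["ports"][(int(parts[0]), parts[2])] = {
                "state": parts[1], "service": parts[4], "version": parts[6]}
    return hosts


def open_ports(hosts: Dict[str, dict]) -> Dict[str, Set[PortKey]]:
    """Only ports nmap reported as plainly "open" (not open|filtered etc.)."""
    return {ip: {key for key, info in h["ports"].items() if info["state"] == "open"}
            for ip, h in hosts.items()}


def compare_to_baseline(hosts: Dict[str, dict], baseline: Dict[str, Set[PortKey]]):
    """Return (unexpected_open, missing_expected), each {ip: set of (port, proto)}."""
    actual = open_ports(hosts)
    unexpected, missing = {}, {}
    for ip in set(actual) | set(baseline):
        extra = actual.get(ip, set()) - baseline.get(ip, set())
        gone = baseline.get(ip, set()) - actual.get(ip, set())
        if extra:
            unexpected[ip] = extra
        if gone:
            missing[ip] = gone
    return unexpected, missing


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    extra, gone = compare_to_baseline(scan, BASELINE)
    print("unexpected open:", extra)   # the smtp listener on asia
    print("expected but not open:", gone)
```

Feed it a real file written with -oG and it reports the smtp listener on asia as unexpected, while closed, filtered and open|filtered ports never count as open, which keeps firewall noise out of the comparison.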
5 Putting multiple options together:
Try this example:
nmap -sS -n -Pn eu -p 22 -sC
-sS "stealthy": ignore the SYN reply & do not complete the 3-way handshake
-n "numeric": do not resolve dns names
-Pn disable host discovery when you know the host is there, i.e. skip the host pinging (called host discovery)
eu target host is "eu", resolved by DNS
-p 22 restrict to port 22
-sC script scan with the default set of scripts (same as --script=default); can be intrusive, so get permission.
Here is the output (not restricting to port 22), where the default scripts are able to determine that antarctica is running bind version 9.11.36 on RedHat Linux, package version 9.11.36-3.el8:
sudo nmap -sS -n -Pn ant -sC
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 20:50 EDT
Nmap scan report for ant (172.28.105.3)
Host is up (0.0015s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE
53/tcp open domain
| dns-nsid:
|_ bind.version: 9.11.36-RedHat-9.11.36-3.el8
MAC Address: 52:54:00:98:26:51 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 19.04 seconds
After this I would want to run a vulnerability scan on port 53, dns-bind.
Another example, to search for web servers that you can browse:
nmap -Pn -sS -p 80 -iR 0 --open 172.28.105.0/24
6 scan scripts from nmap.org
The nmap scripting engine has many scripts and vulnerability scans available for download from nmap.org, vuln category.
6.0.1 Using built-in scripts:
For one specific script:
nmap --script script-name 172.28.105.9
combining -sV (version scan) with the vulners script:
nmap -sV --script vulners 172.28.105.9
sudo nmap -sV --script vulners asia
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:02 EDT
Nmap scan report for asia (172.28.105.5)
Host is up (0.0014s latency).
rDNS record for 172.28.105.5: asia.continents.earth.ops
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh?
25/tcp open smtp?
MAC Address: 52:54:00:F9:B1:AA (QEMU virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.23 seconds
Now limiting that to particular ports:
nmap -p 53 -sV --script vulners 172.28.105.9
For ALL the scripts in the vuln class of scripts:
nmap --script vuln 192.168.128.0/24
# all vuln class scripts; this will take some time, maybe 15 minutes or more
The CVE (common vulnerabilities and exposures) list is used by these vuln class scripts.
Two more examples targeting the southamerica (sa) host, which is serving a samba share. First a netbios broadcast script:
sudo nmap -sV --script broadcast-netbios-master-browser sa
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:12 EDT
Nmap scan report for sa (172.28.105.8)
Host is up (0.0015s latency).
rDNS record for 172.28.105.8: southamerica.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn?
445/tcp open microsoft-ds?
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.91 seconds
Now a samba cve script that is also in the standard nmap library of scripts (sa is a host alias):
$ sudo nmap -sV --script samba-vuln-cve-2012-1182 sa
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:18 EDT
Nmap scan report for sa (172.28.105.8)
Host is up (0.0013s latency).
rDNS record for 172.28.105.8: southamerica.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn?
445/tcp open microsoft-ds?
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.13 seconds
I am not seeing much here because these hosts are well locked down, with tight iptables, and application security in place.
6.1 multiple scripts in one run
Simply by entering several scripts separated by commas (sa is a host alias). Here are the results:
sudo nmap --script samba-vuln-cve-2012-1182,broadcast-netbios-master-browser sa
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:28 EDT
Nmap scan report for sa (172.28.105.8)
Host is up (0.0021s latency).
rDNS record for 172.28.105.8: southamerica.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 52:54:00:F3:B2:58 (QEMU virtual NIC)
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
Nmap done: 1 IP address (1 host up) scanned in 24.14 seconds
6.1.1 wildcard globbing on script names.
If you have the time, maybe overnight, you can run all scripts that start with "ftp-" if you run:
sudo nmap --script "ftp-*" southamerica
Here are two examples, one targeting all imap scripts, the second targeting all smb scripts:
first: imap
$ sudo nmap --script "imap-*" eu
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-23 21:41 EDT
Nmap scan report for eu (172.28.105.6)
Host is up (0.0012s latency).
rDNS record for 172.28.105.6: europe.continents.earth.ops
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
143/tcp open imap
993/tcp open imaps
MAC Address: 52:54:00:B3:BB:6F (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds
Then second, targeting all smb scripts:
7 installing nmap scripts for NSE
nmap scripts are written in the lua language and have a .nse ending.
The built-in scripts are in /usr/share/nmap/scripts. Also look in these directories:
/usr/share/exploitdb/exploits/...
/usr/share/legion/scripts/nmap/shodan-hq.nse
Easy to grep for scripts, such as:
ls /usr/share/nmap/scripts | grep -i dns
(or ftp, or smb etc.)
My Kali linux distro had 604 .nse scripts in that directory.
8 nmap scripting engine, NSE
NSE is the nmap scripting engine that is used by scripts that you create or that others created and made available to the nmap community.
There are four types of NSE scripts, usually run in this order:
pre-rule scripts - run before any nmap scans take place. No info known
host scripts - run against a specific, already discovered host
service scripts - run against specific services listening on a target host
post-rule scripts - run after nmap has scanned all target hosts.
Often pre-rule scripts can also be run as post-rule scripts, but pre-rule is the choice.
Also nmap sees 6 categories of scripts:
auth for authentication
broadcast for discovering hosts
brute for brute force authentication attacks guessing credentials
discovery for what is on the network (ping scan on steroids); the goal is to reduce the large number of ip addresses on the network to the ones that have an active host.
dos for denial of service attacks
exploit for scripts that actually exploit an open vulnerability.
8.1 downloading NSE scripts
The vulscan script is a very good script. Here's how you install it and how you run it:
To download: github.com/scipag/vulscan
To install, you need to move the files to your nmap directory, usually it is /usr/share/nmap/scripts/*.nse
- Using vulscan and the built-in vulners scripts
nmap --script vulscan,nmap-vulners -sV 172.28.105.5
8.1.1 script timeouts:
From stackoverflow
nmap -p 80 --script http-joomla-brute --script-args \
'passdb=/Users/abc/Documents/passwords.txt,http-joomla-brute.threads=5,brute.firstonly=true, \
unpwdb.timelimit=0' my.website.here.
Answer:
Nmap calculates the percent-done timing of NSE by a simple calculation: progress("printStats", 1-(nr+nw)/total); Where nr is the number of running NSE threads, nw is the number of waiting threads, and total is the total number of threads launched. In this case, http-joomla-brute is a single-threaded script, and you only are running one of them, so it will show "0.00% done" until it is completely done. In a previous question, you asked for and received an answer on how to bypass the default 10-minute limit on brute forcing attempts. Without this limit, it is very difficult to tell how much longer it will take your script to finish. You can get diagnostic output by increasing the debug level to 2 with the -d2 option or by pressing d twice while running. You may be able to observe the particular usernames and passwords being attempted, and infer from that how far through your lists the script has gone.
Then from github
Sometimes a script misbehaves, entering an infinite loop. Other times the loop may have an end condition that is not well defined, depending on a network connection that is no longer available (because the target has gone down or firewalled the scanner). You can use the --script-timeout option to prevent any one script from running too long; in Nmap 7.70 and later, the -T5 option adds a 10-minute timeout, for instance. To determine what script is running, you can press d twice to increase debugging to level 2, then press any key to get a traceback of all running script threads. This can be overwhelming output in an ordinary scan, but with a single misbehaving script against a single target, it ought to show which script is causing issues and exactly where it is stuck. Please note that Ubuntu 18.04 is using Nmap 7.60, which was released over 2 years ago, and we have made 2 new releases since then that may have already addressed the issue you're seeing. If you update to Nmap 7.80 and still experience problems, you may re-open this issue or open a new one with debugging output as described above so we can better diagnose the problem.
9 vulnhub.com
Search for kioptrix and you can download images that have many vulnerabilities against which you can test your nmap hacking skills.