Nmap

Network Mapper

Performance Tuning
  • Timing templates (-T0 to -T5) go from paranoid to insane; -T3 (normal) is the default. -T4 is the usual choice on a reliable, low-latency network:

nmap -T4 192.168.1.1
  • --min-parallelism overrides the number of probes Nmap keeps in flight (it otherwise tunes this dynamically); combined with --max-retries 1 it trades accuracy for speed, so expect missed ports on lossy links:

nmap -sS -T4 --min-parallelism 20 --max-retries 1 -p 80,443,22,3389 192.168.1.1
  • Rate limiting (--min-rate/--max-rate) gives direct control over packets per second, which is more predictable than the -T templates:

nmap -sS --min-rate 500 192.168.1.1
  • --max-rtt-timeout caps how long Nmap waits for a response before giving up on a probe and retrying; a low value is fine on a LAN but causes false "filtered" results on slow links:

Optimized for LANs
nmap -sS --max-rtt-timeout 200ms 192.168.1.1
TCP Scans
Connect Scan
nmap -sT -sV -p- 192.168.1.1
ACK Scan
nmap -sA 192.168.1.1
Window Scan
nmap -sW 192.168.1.1
Maimon Scan
nmap -sM 192.168.1.1
Host Discovery
Ping Sweep
nmap -sn 192.168.1.0/24
Disable Host Discovery (treat every address as up; the port scan then runs against all 254 hosts, including dead ones)
nmap -Pn 192.168.1.0/24
List Targets Only (no probes sent, only reverse DNS; useful to check what a target spec expands to)
nmap 192.168.1.1-3 -sL
From Target File
nmap -iL targets.txt
Range Scan
nmap 192.168.1.1-254
TCP SYN Ping
nmap 192.168.1.1-5 -PS22-25,80
TCP ACK Ping
nmap 192.168.1.1-5 -PA22-25,80
ARP Ping (local subnet only; Nmap uses ARP automatically on a directly connected Ethernet segment)
nmap 192.168.1.0/24 -PR
Ping Host (ICMP, ACK, ARP)
nmap -PE -PA80 -PR 192.168.1.0/24
Host Scan with traceroute (-iR picks random Internet hosts; -sn keeps it to discovery)
nmap -iR 10 -sn --traceroute
Script for Discovery
nmap --script discovery 192.168.1.1
DNS Scans
Use a Specific DNS Server for Reverse Resolution
nmap --dns-servers 8.8.8.8 192.168.1.1
Disable DNS Resolution
nmap 192.168.1.1 -n
Resolve Hostnames in a Range (list scan only, resolved against the target's own DNS server)
nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1
Service and OS Detection
Service Version Detection
nmap -sV 192.168.1.1
OS Detection
nmap -O 192.168.1.1
Limit OS Detection to Promising Hosts (at least one open and one closed port; skips the rest)
nmap 192.168.1.1 -O --osscan-limit
Aggressive Scan
nmap -A 192.168.1.1
Target Specific Ports
sudo nmap -sCV -oA nmap -p 'PORTS' [IP]
UDP Scans
Basic Scan
nmap -sU 192.168.1.1
Specific Ports
nmap -p 53,123,161 -sU -sC 192.168.1.1
All Ports (very slow: closed UDP ports answer with rate-limited ICMP unreachables, so a full sweep can take hours; pair with --min-rate or --max-retries if needed)
nmap -p- -sU 192.168.1.1
Service Detection
nmap -sU -sV 192.168.1.1
Script Scanning (there is no udp* script family; select scripts by the service name or by category, and quote globs so the shell does not expand them)
nmap -sU -p 53,123,161 --script 'dns*,ntp*,snmp*' 192.168.1.1

Host discovery for UDP

UDP ping first (-sn keeps it to discovery; grepable output on stdout is filtered down to the IPs that answered, because -iL cannot parse normal -oN output)
nmap -sn -PU53,161,123 192.168.1.1-254 -oG - | awk '/Up$/{print $2}' > udp_live_hosts.txt
Then scan the live hosts
nmap -sS -sV -p- -iL udp_live_hosts.txt -oA full_scan --max-retries 1
Stealthy Scans
Example (fragmented packets, slowest timing template, no DNS, no ping, padded payloads, decoys)
nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
SYN Scan
nmap -sS 192.168.1.1
FIN Scan
nmap -sF 192.168.1.1
Xmas
nmap -sX 192.168.1.1
Scan with Decoys
nmap -D RND:10 192.168.1.1
Fragments Packets
nmap -f 192.168.1.1
Zombie (Idle) Scan (-Pn matters: without it Nmap pings the target from your real address first)
nmap -Pn -sI <zombie_host> 192.168.1.1
Spoofed Source Address (replies go to the spoofed address, so results are only usable if you can sniff them; -e is needed for Nmap to pick the interface)
nmap -S 10.10.10.10 -e <iface> -Pn 192.168.1.1
Set Fragment Size (MTU must be a multiple of 8)
nmap 192.168.1.1 --mtu 32
Specific Source Port
nmap -g 53 192.168.1.1
Use Proxies (HTTP or SOCKS4 chain; only connect scans (-sT) and version detection are relayed, raw-packet scans are not)
nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 -sT 192.168.1.1
Append Random Data
nmap --data-length 200 192.168.1.1
Non-intrusive Scripts
nmap 192.168.1.1 --script "not intrusive"
Scripting Engine - NSE
List Scripts by Name (e.g. everything Citrix-related)
locate scripts/citrix
Look At The Categories
locate .nse | xargs grep "categories" | grep -oP '".*?"' | sort -u
Look at any Specific category
locate .nse | xargs grep -l 'categories =.*"discovery"'
Default Scripts
nmap -sC 192.168.1.1
Specific Script Family (quoted so the shell does not expand the glob)
nmap --script 'smb-vuln*' 192.168.1.1
Version and Vulnerabilities
nmap -sV -p<PORT> --script vuln <IP>
Outputs
Normal Output
nmap -oN output.txt 192.168.1.1
XML Output
nmap -oX output.xml 192.168.1.1
All formats
nmap -oA output_prefix 192.168.1.1
Grepable Output
nmap -oG output.txt 192.168.1.1

Filtering

Regex, Parse, Direct (grepable output, -oG: port entries look like 22/open/tcp//ssh///)
grep -oP '\d+/open' nmap.txt | awk -F/ '{print $1}' | tr '\n' ','
Removes Duplicates (normal output, -oN: port lines look like 22/tcp open ssh)
grep open nmap.txt | grep -v '#' | cut -d"/" -f1 | sort -u | sed -z 's/\n/,/g;s/,$/\n/'
Filtering Function (expects grepable output, e.g. nmap -oG nmap.gnmap; copies the port list to the clipboard with xclip)
function extractPorts(){
	# open ports: the PORT part of every PORT/open/... entry, comma-joined
	ports="$(grep -oP '\d{1,5}/open' "$1" | awk -F/ '{print $1}' | xargs | tr ' ' ',')"
	# first IPv4 address found in the file (the scanned host)
	ip_address="$(grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' "$1" | sort -u | head -n 1)"
	echo -e "\n[*] Extracting information...\n" > extractPorts.tmp
	echo -e "\t[*] IP Address: $ip_address"  >> extractPorts.tmp
	echo -e "\t[*] Open ports: $ports\n"  >> extractPorts.tmp
	echo "$ports" | tr -d '\n' | xclip -sel clip
	echo -e "[*] Ports copied to clipboard\n"  >> extractPorts.tmp
	cat extractPorts.tmp; rm extractPorts.tmp
}
Count Open Port/Service Lines Across Hosts, Most Common First (normal output)
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less

Generate a List of Live Hosts

Only hosts that are up get a "Nmap scan report for <IP>" line; with -n the fifth field is always the bare address (the "Starting Nmap" line would otherwise pollute the list)
nmap -iR 10 -n -sn -oX out.xml | grep "Nmap scan report" | cut -d " " -f5 > live-hosts.txt
Append IPs
nmap -iR 10 -n -sn -oX out2.xml | grep "Nmap scan report" | cut -d " " -f5 >> live-hosts.txt
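The greps above (Target Specific Ports, Host discovery for UDP, Filtering, Generate a List of Live Hosts) each parse a different Nmap output format by hand and break on the wrong one. The following is an added example written for this page, not the book's or Nmap's own code: a small POSIX awk parser for grepable (-oG) output that yields the one-IP-per-line file -iL expects and the PORT,PORT list -p expects, keeping only entries whose state is open. The gnmap text inside sample_gnmap is constructed to mimic real -oG output (tab-separated fields, one Status: and one Ports: line per host); the file names in the usage comment are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): parse Nmap grepable output (-oG)
# into (a) live hosts, one per line, and (b) open ports per host, comma-joined.
# Constructed sample of -oG output: fields are tab-separated, port entries are
# PORT/STATE/PROTO/OWNER/SERVICE/RPC/VERSION, non-open ports are listed too.
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sS -p 22,80,443,3389 -oG - 192.168.1.0/29\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (1)\n'
    printf 'Host: 192.168.1.2 ()\tStatus: Down\n'
    printf 'Host: 192.168.1.3 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.3 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 80/filtered/tcp//http///\n'
    printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 5.01 seconds\n'
}

# One IP per line for every host whose discovery status is Up.
# Field 2 of a "Host:" line is always the address (awk splits on tabs/spaces).
gnmap_live_hosts() {
    awk '/^Host:/ && /Status: Up$/ { print $2 }' "$@"
}

# "IP<TAB>port,port,..." for each host with at least one open port.
# closed/filtered entries are dropped so a later "-p" only gets open ones.
gnmap_open_ports() {
    awk '
    /^Host:/ && /Ports:/ {
        ip = $2
        sub(/.*Ports: /, "")            # keep the port list only
        sub(/\tIgnored State:.*/, "")   # drop the trailer, if present
        n = split($0, entry, /, /)
        ports = ""
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")     # f[1]=port f[2]=state f[3]=proto
            if (f[2] == "open")
                ports = (ports == "" ? f[1] : ports "," f[1])
        }
        if (ports != "") print ip "\t" ports
    }' "$@"
}

# Offline wrappers over the constructed sample (the runnable demo).
sample_live_hosts() { sample_gnmap | gnmap_live_hosts; }
sample_open_ports() { sample_gnmap | gnmap_open_ports; }

# Real-world use (hypothetical file names; raw scans need root):
#   sudo nmap -sn -PU53,161,123 192.168.1.0/24 -oG - | gnmap_live_hosts > udp_live_hosts.txt
#   sudo nmap -sS -p- --min-rate 500 -iL udp_live_hosts.txt -oG full.gnmap
#   gnmap_open_ports full.gnmap | while IFS="$(printf '\t')" read -r ip ports; do
#       sudo nmap -sCV -p "$ports" -oA "nmap_$ip" "$ip"
#   done

sample_live_hosts
sample_open_ports
```

Feeding -oG - through the parser rather than saving -oN is what makes the two-stage workflow safe: -iL reads whitespace-separated target specs, so a normal-output file (with its "Starting Nmap" and "Nmap scan report" lines) is rejected, whereas the Up filter above hands it exactly the addresses that answered.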

Other Techniques

TCP and UDP
nmap 192.168.1.1 -p U:53,T:21-25,80
IPv6
nmap -6 2607:f0d0:1002:51::4