NMAP

From BHaFSec Pentesting Notes Wiki
Jump to: navigation, search

CREATE AN IP LIST

nmap -sL -n 192.168.1.1-100,102-254 | grep "report for" | cut -d " " -f 5 > ip_list_192.168.1.txt
nmap -v -sn 192.168.13.200-254 -oG targets.txt | grep Up targets.txt | cut -d" " -f 2

Test for MS08-067 Vuln

nmap -sS --script=smb-check-vulns 192.168.13.201-254 --script-args=unsafe=1 | egrep "(report|MS08-067)" | grep -B1 "MS08-067"

Enumerate Shares

nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 


Enumerate Everything on SMB

nmap -v -sU -sS --min-hostgroup 50 --script=smb-os-discovery --script=smbv2-enabled --script=smb-enum-domains --script=smb-enum-groups --script=smb-enum-processes --script=smb-enum-sessions --script=smb-enum-users --script=smb-security-mode --script=smb-server-stats --script=smb-system-info -p 137,139,445 -oA nmap.smb.scripts.scan.results 10.10.10.10/24

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369)

nmap -sV --script realvnc-auth-bypass.nse 192.168.101.3

Dumps the Password Hashes from an MySQL Server in a Format Suitable for Cracking by Tools such as John-the-ripper:

nmap -p 3306 192.168.101.9 --script mysql-dump-hashes --script-args='username=root,password=secret'

Grep Nmap files for a hosts with a particular open port:

cat nmap.gnmap |grep “30011/open/tcp” |cut –d “ ” -f2

Test Network For Admin Access Through SMB Shares

nmap -T4 -v -oA myshares --script smb-enum-shares --script-args smbuser=testuser,smbpass=testpass -p445 192.168.0.1-255 && cat myshares.nmap|grep '|\|192'|awk '/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { line=$0 } /\|/ { $0 = line $0}1'|grep \||grep -v -E '(smb-enum-shares|access: <none>|ADMIN\$|C\$|IPC\$|U\$|access: READ)'|awk '{ sub(/Nmap scan report for /, ""); print }' >> sharelist.txt

NSE script to get a screenshot from the host:

description = [[
Gets a screenshot from the host
]]

author = "Ryan Linn <rlinn at trustwave.com>"

license = "GPLv2"

categories = {"discovery", "safe"}

-- Updated the NSE Script imports and variable declarations
local shortport = require "shortport"

local stdnse = require "stdnse"

portrule = shortport.http

action = function(host, port)
	-- Check to see if ssl is enabled, if it is, this will be set to "ssl"
	local ssl = port.version.service_tunnel

	-- The default URLs will start with http://
	local prefix = "http"

	-- Screenshots will be called screenshot-namp-<IP>:<port>.png
        local filename = "screenshot-nmap-" .. host.ip .. ":" .. port.number .. ".png"
	
	-- If SSL is set on the port, switch the prefix to https
	if ssl == "ssl" then
		prefix = "https"	
	end

	-- Execute the shell command wkhtmltoimage-i386 <url> <filename>
	local cmd = "wkhtmltoimage-i386 -n " .. prefix .. "://" .. host.ip .. ":" .. port.number .. " " .. filename .. " 2> /dev/null   >/dev/null"
	
	local ret = os.execute(cmd)

	-- If the command was successful, print the saved message, otherwise print the fail message
	local result = "failed (verify wkhtmltoimage-i386 is in your path)"

	if ret then
		result = "Saved to " .. filename
	end

	-- Return the output message
	return stdnse.format_output(true,  result)

end