NMAP - My Penetration Testing Guide and Notes

Nmap (Network Mapper) is used for network discovery and security auditing.

Nmap can be used to determine which hosts are available on the network, list the services those hosts currently offer and their open ports, determine the hosts' operating systems, and identify which packet filters or other network protections are in use on the network.

Nmap provides a wide range of functionality and features. It can be used to scan multiple targets or large networks and to map out networks, and it is open source software.

Nmap is driven from the command line, but if you prefer a graphical user interface you can use Zenmap, which includes an advanced graphical user interface and results viewer.

These notes were written by me in my early days when I got interested in infosec, as my reference when pentesting or trying boxes. I simplified the commands and what they do.

I also provide these notes part by part in my Basic Penetration Testing repository, starting from number 15 to 18, on my GitHub. Here I provide the link to the notes, or you can just read them here.





These notes are for educational purposes only; the author assumes no responsibility for damages that occur as a result of improper or unethical use of these skills.

Thank you.


+ Manual or help
# nmap --help


+ Scan without any options
++ by default nmap scans the 1000 most common ports
# nmap [ip address / domain name]
# nmap 192.168.202.142


NMap - Scanning multiple targets

+ scanning multiple IP addresses / domains, separated by whitespace
# nmap 192.168.202.100 192.168.202.200

+ scanning multiple IP addresses in the same subnet
# nmap 192.168.202.1,2,3,4,5

+ scanning a range of IP addresses by using a hyphen (-)
# nmap 192.168.202.1-255

+ Scanning an entire subnet
# nmap xxx.xxx.xxx.xxx/[subnet mask in CIDR notation]
# nmap 192.168.202.1/24

+ Scanning from a list of IPs in a text file
# nmap -iL [nameoffile.txt]
# nmap -iL target.txt

+ Scanning using nmap while excluding a target from the scan
# nmap xxx.xxx.xxx.xxx-xxx --exclude xxx.xxx.xxx.xxx
# nmap 192.168.202.1-255 --exclude 192.168.202.1

+ Scanning using nmap while excluding multiple targets from the scan
# nmap xxx.xxx.xxx.xxx-xxx --exclude xxx.xxx.xxx.xxx,xxx
# nmap xxx.xxx.xxx.xxx-xxx --exclude xxx.xxx.xxx.xxx-xxx

# nmap 192.168.202.1-255 --exclude 192.168.202.20,30,40,50
# nmap 192.168.202.1-255 --exclude 192.168.202.20-30

+ Scanning a range while excluding a list of IPs from a text file
# nmap xxx.xxx.xxx.xxx/xx --excludefile [nameoffile.txt]
# nmap xxx.xxx.xxx.xxx-xxx --excludefile [nameoffile.txt]

# nmap 192.168.202.1/24 --excludefile exclude.txt


Output Scan Results

+ -oN - output results to a normal text file
+ -oX - output results to an XML file
+ -oS - output results in s|<rIpt kIddi3 (script kiddie) format
+ -oG - output results in grepable format
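As an added example (not part of the original notes), a small POSIX shell script that parses the grepable (-oG) output format listed above and flags open ports that are not on an allowlist, which is the sort of check a defender runs after a routine inventory scan. The scan text and the allowlist are constructed samples, not real scan output.

```shell
#!/bin/sh
# Added example, not from the original notes: parse nmap grepable (-oG) output
# and flag open ports that are not on an allowlist.

# Constructed sample of what `nmap -sS -p 22,80,443 -oG - 192.168.202.1-3`
# could print. Real -oG lines separate fields with tabs, so build them with printf.
SAMPLE_GNMAP=$(printf '%s\t%s\n' \
  '# Nmap 7.94 scan initiated (constructed sample)' '' \
  'Host: 192.168.202.1 ()' 'Status: Up' \
  'Host: 192.168.202.1 ()' 'Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///' \
  'Host: 192.168.202.2 ()' 'Status: Up' \
  'Host: 192.168.202.2 ()' 'Ports: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///' \
  'Host: 192.168.202.3 ()' 'Status: Down')

# Constructed allowlist of ports that are expected to be open: "host port/proto".
ALLOWLIST='192.168.202.1 22/tcp
192.168.202.1 80/tcp
192.168.202.2 443/tcp'

# open_ports: read -oG text on stdin and print "host port/proto service" for
# every open port. Each entry in the Ports field has the layout
# port/state/protocol/owner/service/rpc-info/version/.
open_ports() {
  awk 'BEGIN { FS = "\t" }
  /^Host:/ {
    split($1, h, " "); host = h[2]
    for (c = 2; c <= NF; c++) if ($c ~ /^Ports: /) {
      sub(/^Ports: /, "", $c)
      n = split($c, p, /, /)
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")
        if (f[2] == "open") print host, f[1] "/" f[3], f[5]
      }
    }
  }'
}

# unexpected_ports: print open ports from the -oG text on stdin that are not
# listed in the allowlist passed as $1.
unexpected_ports() {
  open_ports | while read -r host port svc; do
    printf '%s\n' "$1" | grep -qxF "$host $port" \
      || printf '%s %s %s\n' "$host" "$port" "$svc"
  done
}

printf '%s\n' "$SAMPLE_GNMAP" | unexpected_ports "$ALLOWLIST"
# prints: 192.168.202.2 80/tcp http
```

Replace the constructed sample with a real file (`nmap ... -oG scan.gnmap`, then `unexpected_ports "$ALLOWLIST" < scan.gnmap`) to run the same check against your own inventory.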


Using a combination of NMap options in one command

+ Enable OS detection, application version detection, script scanning, and traceroute
# nmap -A 192.168.202.142

+ Using SYN scan
++ in a SYN scan, the TCP 3-way handshake is not completed
++ this makes it less noisy and stealthier, because firewalls are usually looking for a complete TCP 3-way handshake
++ SYN scan is a fast scan
# nmap -sS 192.168.202.1

+ Nmap UDP scan
# nmap -sU xxx.xxx.xxx.xxx
# nmap -sU 192.168.202.142


NMap Scripting Engine

+ Allows you to perform a wide variety of scans, from network discovery to vulnerability analysis, vulnerability detection and vulnerability exploitation

+ Automates scans, essentially letting you script a specific type of scan or an extensive scan

+ scripts are stored at /usr/share/nmap/scripts/

+ running the default script scan
++ the default script option uses the scripting engine to scan the services or ports on the target using nmap's default set of scripts
# nmap -sC [ip or domain]
# nmap -sC 192.168.202.142

+ running a specific script against the target
# nmap --script=[name of script] [target ip]
# nmap --script=ssh-hostkey.nse 192.168.202.142

+ running a specific script against the target on a specific port
# nmap --script=[name of script] -p [port number] [target ip]
# nmap --script=ssh-hostkey.nse -p 22 192.168.202.142
