This is for educational purposes,
The author is not responsible for
any action done by you.
#18: How do I detect remote services (server / daemon) version numbers?
nmap -sV 192.168.1.1
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 0.52 (protocol 2.0)
80/tcp open http?
1 service unrecognized despite returning data.
#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping
If firewall is blocking standard ICMP pings, try the following host discovery methods:
nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA 80,21,200-512 192.168.1.1
#20: Scan a host using IP protocol ping
nmap -PO 192.168.1.1
#21: Scan a host using UDP ping
This scan bypasses firewalls and filters that only screen TCP:
nmap -PU 192.168.1.1
nmap -PU 2000.2001 192.168.1.1
#22: Find out the most commonly used TCP ports using TCP SYN Scan
---- Stealthy scan ----
nmap -sS 192.168.1.1
---- Find out the most commonly used TCP ports using TCP connect scan (warning: no stealth scan)
---- OS Fingerprinting ----
nmap -sT 192.168.1.1
---- Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1
---- Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1
--- Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1
#23: Scan a host for UDP services (UDP scan)
Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:
nmap -sU nas03
nmap -sU 192.168.1.1
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 00:52 IST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT STATE SERVICE
111/udp open|filtered rpcbind
123/udp open|filtered ntp
161/udp open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds
#24: Scan for IP protocol
This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:
nmap -sO 192.168.1.1
#25: Scan a firewall for security weakness
The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:
--- TCP Null Scan to fool a firewall to generate a response ---
--- Does not set any bits (TCP flag header is 0) ---
nmap -sN 192.168.1.254
--- TCP Fin scan to check firewall ---
--- Sets just the TCP FIN bit ---
nmap -sF 192.168.1.254
--- TCP Xmas scan to check firewall---
--- Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ---
nmap -sX 192.168.1.254
See how to block Xmas packkets, syn-floods and other conman attacks with iptables.
#26: Scan a firewall for packets fragments
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.
nmap -f 192.168.1.1
nmap -f hackingterritory.b..
nmap -f 15 hackingterritory.b..
--- Set your own offset size with the --mtu option ---
nmap --mtu 32 192.168.1.1
#27: Cloak a scan with decoys
The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys:
nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5
#28: Scan a firewall for MAC address spoofing
---- Spoof your MAC address ----
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
--- Add other options ---
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
--- Use a random MAC address ---
--- The number 0, means nmap chooses a completely random MAC address ---
nmap -v -sT -PN --spoof-mac 0 192.168.1.1
#29: How do I save output to a text file?
The syntax is:
nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1
The author is not responsible for
any action done by you.
#18: How do I detect remote services (server / daemon) version numbers?
nmap -sV 192.168.1.1
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 0.52 (protocol 2.0)
80/tcp open http?
1 service unrecognized despite returning data.
#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping
If firewall is blocking standard ICMP pings, try the following host discovery methods:
nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA 80,21,200-512 192.168.1.1
#20: Scan a host using IP protocol ping
nmap -PO 192.168.1.1
#21: Scan a host using UDP ping
This scan bypasses firewalls and filters that only screen TCP:
nmap -PU 192.168.1.1
nmap -PU 2000.2001 192.168.1.1
#22: Find out the most commonly used TCP ports using TCP SYN Scan
---- Stealthy scan ----
nmap -sS 192.168.1.1
---- Find out the most commonly used TCP ports using TCP connect scan (warning: no stealth scan)
---- OS Fingerprinting ----
nmap -sT 192.168.1.1
---- Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1
---- Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1
--- Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1
#23: Scan a host for UDP services (UDP scan)
Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:
nmap -sU nas03
nmap -sU 192.168.1.1
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 00:52 IST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT STATE SERVICE
111/udp open|filtered rpcbind
123/udp open|filtered ntp
161/udp open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds
#24: Scan for IP protocol
This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:
nmap -sO 192.168.1.1
#25: Scan a firewall for security weakness
The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:
--- TCP Null Scan to fool a firewall to generate a response ---
--- Does not set any bits (TCP flag header is 0) ---
nmap -sN 192.168.1.254
--- TCP Fin scan to check firewall ---
--- Sets just the TCP FIN bit ---
nmap -sF 192.168.1.254
--- TCP Xmas scan to check firewall---
--- Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ---
nmap -sX 192.168.1.254
See how to block Xmas packkets, syn-floods and other conman attacks with iptables.
#26: Scan a firewall for packets fragments
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.
nmap -f 192.168.1.1
nmap -f hackingterritory.b..
nmap -f 15 hackingterritory.b..
--- Set your own offset size with the --mtu option ---
nmap --mtu 32 192.168.1.1
#27: Cloak a scan with decoys
The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys:
nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5
#28: Scan a firewall for MAC address spoofing
---- Spoof your MAC address ----
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
--- Add other options ---
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
--- Use a random MAC address ---
--- The number 0, means nmap chooses a completely random MAC address ---
nmap -v -sT -PN --spoof-mac 0 192.168.1.1
#29: How do I save output to a text file?
The syntax is:
nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1
No comments:
Post a Comment
NO LINK!!!!!!!!