nmap

Scan methodology

  1. Scan for live hosts

    1. nmap -sn -oA subnet_live 192.168.1.0/24
  2. Parse list w/ live hosts

    1. cat subnet_live.gnmap | awk '/Status: Up/ {print $2}' > subnet_live_parsed
  3. Scan hosts for app ver. of top 500 ports

    1. nmap -sS -sV -O --min-parallelism 400 --max-parallelism 512 --script banner.nse,http-headers --top-ports 500 -iL subnet_live_parsed -oA subnet_live_top500
  4. Parse lists for top vuln. ports

    1. All found
      1. cat subnet_live_top500.gnmap | grep -w '21/open\|22/open\|80/open\|81/open\|85/open\|88/open\|443/open\|1433/open\|3128/open\|3306/open\|5900/open\|8080/open' | awk '{print $2}' > subnet_live_top_vulnports
    2. FTP
      1. cat subnet_live_top500.gnmap | grep -w 21/open | awk '{print $2}' > subnet_live_ftp
    3. SSH
      1. cat subnet_live_top500.gnmap | grep -w 22/open | awk '{print $2}' > subnet_live_ssh
    4. MSSQL
      1. cat subnet_live_top500.gnmap | grep -w 1433/open | awk '{print $2}' > subnet_live_mssql
    5. MYSQL
      1. cat subnet_live_top500.gnmap | grep -w 3306/open | awk '{print $2}' > subnet_live_mysql
    6. VNC
      1. cat subnet_live_top500.gnmap | grep -w 5900/open | awk '{print $2}' > subnet_live_vnc
    7. HTTP
      1. cat subnet_live_top500.gnmap | grep -w 80/open | awk '{print $2}' > subnet_live_http
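A small POSIX shell parser for the .gnmap files that steps 2 and 4 above (and the "Hosts down" one-liner further down) slice with cat, grep and awk. This is an added example, not part of the original cheat sheet. It skips the "# Nmap ..." header and footer lines (whose second field would otherwise end up in the host list), matches the port token exactly so that 80 does not also pick up 8080 or 5080, and does not count open|filtered as open. The sample file it writes is constructed, not real scan output; the function names and the 192.168.1.x addresses are assumptions.

```shell
#!/bin/sh
# Parse nmap grepable output (-oG / the .gnmap file from -oA) into per-service
# host lists. Added example code; not part of the original cheat sheet.

# Write a constructed .gnmap sample (not a real scan) to the file given as $1.
write_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sV -oG - -iL hosts\n'
        printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n'
        printf 'Host: 192.168.1.11 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 1433/open/tcp//ms-sql-s///, 3306/filtered/tcp//mysql///\n'
        printf 'Host: 192.168.1.12 ()\tStatus: Down\n'
        printf 'Host: 192.168.1.13 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.13 ()\tPorts: 5080/open/tcp//onscreen///, 80/open|filtered/tcp//http///\n'
        printf '# Nmap done at Mon Jan  1 00:01:00 2024 -- 4 IP addresses (3 hosts up) scanned in 60.00 seconds\n'
    } > "$1"
}

# IPs nmap reported as Up in file $1. Anchoring on "Host:" skips the
# "# Nmap ..." header and footer, whose second field is not an address.
gnmap_live_hosts() {
    awk '/^Host:/ && /Status: Up/ {print $2}' "$1"
}

# IPs nmap reported as Down in file $1 (only written when the scan ran with -v).
gnmap_down_hosts() {
    awk '/^Host:/ && /Status: Down/ {print $2}' "$1"
}

# IPs with TCP port $1 in state "open" in file $2. The token is searched as
# " PORT/open/" (leading space, trailing slash) so 80 does not match 8080 or
# 5080 and "open|filtered" is not treated as open.
gnmap_hosts_with_open_port() {
    awk -v pat=" $1/open/" '/^Host:/ && index($0, pat) {print $2}' "$2" | sort -u
}

# Split one grepable file ($1) into per-service host lists under directory $2,
# using the same port-to-service mapping as the methodology above.
gnmap_split_by_service() {
    file="$1"; outdir="$2"
    mkdir -p "$outdir"
    gnmap_live_hosts "$file" > "$outdir/live"
    for pair in ftp:21 ssh:22 http:80 mssql:1433 mysql:3306 vnc:5900; do
        gnmap_hosts_with_open_port "${pair##*:}" "$file" > "$outdir/${pair%%:*}"
    done
}

# Demo run against the constructed sample.
workdir=$(mktemp -d)
write_sample_gnmap "$workdir/scan.gnmap"
gnmap_split_by_service "$workdir/scan.gnmap" "$workdir/lists"
for f in "$workdir"/lists/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(tr '\n' ' ' < "$f")"
done
printf 'down: %s\n' "$(gnmap_down_hosts "$workdir/scan.gnmap" | tr '\n' ' ')"
```

To use it on a real scan, replace the demo lines with `gnmap_split_by_service subnet_live_top500.gnmap lists` and feed the resulting files to `-iL`. Substring matching on `index()` rather than a regex keeps the port number from being interpreted as a pattern, and `sort -u` collapses the duplicate Host lines that -v and -sV can produce for one address.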

Metasploit scans of found hosts & their respective ports

  1. FTP scan :: msf > use auxiliary/scanner/ftp/ftp_login
  2. SSH scan :: msf > use auxiliary/scanner/ssh/ssh_login
  3. MSSQL scan :: msf > use auxiliary/scanner/mssql/mssql_login
  4. SNMP scan :: msf > use auxiliary/scanner/snmp/snmp_enum; snmp_login
  5. MYSQL scan :: msf > use auxiliary/scanner/mysql/mysql_login
  6. VNC scan :: msf > use auxiliary/scanner/vnc/vnc_login

Top Ports

nmap -sS -sV -O --min-parallelism 400 --max-parallelism 512 --script banner.nse,http-headers --top-ports 500 192.168.1.1

Search for BMC Vuln

nmap -p 49152 -n -oA ./bmc_vuln --min-parallelism 512 --min-rate 400 -Pn 192.168.1.0/24

Search for MSSQL

  • nmap -sV -p T:1433 -n -oG ./scans/mssql_tcp_1433_scan.txt -Pn --min-parallelism 512 --min-rate 400 [ip_range]
  • nmap -p 1433 -oG ./scans/mssql_tcp_1433_scan.txt --script ms-sql-info --script-args mssql.instance-port=1433 --min-parallelism 512 --min-rate 400 [ip_range]

Web server enumeration
nmap -sV --script=http-enum [target_ip]

Check for vulns.
nmap --script='smb-vuln-*' -p445 [target_ip]
(smb-check-vulns was split into the separate smb-vuln-* scripts in Nmap 7; on older releases use --script=smb-check-vulns)

dns-blacklist
nmap -sn [target_ip] --script=dns-blacklist

SQLi
nmap -T4 -A -v --script=http-sql-injection [target_ip]

Decoy scan
nmap -D RND:10 [target_ip]

nmap -D decoy1,decoy2,etc [target_ip]

Live hosts
nmap -sn [target_net]

Host scan
nmap -sS -Pn -n -PS [target_ip]

Host service scan
nmap -sS -Pn -n -A [target_ip]

Hosts down
nmap -v -sn -oG - [target_ip] | grep Down