# Nmap
###### tags: `nmap` `reconnaissance`
[TOC]
# Discover host
## ARP
No privileges needed.
Ping scan only, no port scan (ICMP):
```
nmap -sn (host)
```
-sn: ping scan, skip the port scan
Ping scan only, no port scan (ARP):
```
nmap -sn -PR (host)
```
## ICMP
ICMP echo request (blocked by the firewall by default on many hosts)
```
sudo nmap -PE -sn <host>
```
ICMP timestamp request
```
sudo nmap -PP -sn <host>
```
ICMP address mask request
```
sudo nmap -PM -sn 10.10.68.220/24
```
## TCP
### tcp syn ping
```
sudo nmap -PS -sn 10.10.68.220/24
```
### tcp ack ping
```
sudo nmap -PA -sn 10.10.68.220/24
```

## UDP
```
sudo nmap -PU -sn 10.10.68.220/24
```
no reply -> host up
ICMP type 3 code 3 (port unreachable) -> host up
# Reverse-DNS lookup
IP -> domain name
```
nmap -n (host ip)   # -n: don't do DNS resolution
```
# Layer 4 Port Scan
## TCP connection scan

Remark:
This is the only option when you are not root (the SYN scan needs raw sockets). Full three-way handshake:
client SYN
server SYN/ACK
client ACK (handshake completed, then the connection is closed with RST)
```
nmap -sT (hostname)
```
```
nmap -sT -F -r (hostname)
```
-F: fast mode, scan the 100 most common ports instead of the default 1000
-r: scan the ports in sequential order instead of random order
## TCP SYN scan
(default mode when running as root / with sudo)
```
nmap -sS (host name)
```
## UDP scan
(Fast, -F)
```
nmap -sU -F -v 10.10.246.66
```
---
More advanced scanning: bypassing a static (stateless) firewall whose rule blocks SYN packets.
## Null Scan
Flags: none set
```
sudo nmap -sN 10.10.43.27
```

## FIN Scan
Sends a packet with only the FIN flag set.
The result is similar to the null scan.
```
sudo nmap -sF 10.10.43.27
```

## Xmas Scan
Flags: FIN, PSH, URG = 1
```
nmap -sX (host)
```
## Maimon Scan

```
nmap -sM (host)
```
## ACK Scan (look up firewall configuration)
If the target host has no firewall: every port answers the ACK probe with RST (shown as unfiltered).
If the target host has a firewall: ports whose probes are dropped give no response (shown as filtered).
ACK scanning is a useful technique for understanding the firewall configuration of a target host, not for finding open ports.
```
nmap -sA (host)
```
## Window Scan
Like the ACK scan, but also inspects the TCP window size of the RST replies.
```
nmap -sW host
```
## Custom Scan
Set the packet flags yourself:
```
nmap --scanflags SYNACK (host)
```
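The Null, FIN, Xmas and Maimon scans above all rely on unusual TCP flag combinations, which is exactly what makes them easy to spot in traffic. The following is an added example (not from these notes or from the Nmap project) written from the defender's side: it builds flag masks from Nmap-style `--scanflags` specs and runs simple detection logic over a list of constructed packet records, flagging the signature flag combinations and a SYN sweep across many ports from one source. The packet records and addresses are constructed, not captured.

```python
"""Detect Nmap-style TCP flag probes (Null, FIN, Xmas, Maimon, SYN sweep)
in a list of packet records.  Added example for these notes; the packet
records below are constructed, not captured from the hosts in the notes."""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}

# Flag combinations that no normal TCP stack sends on its own
PROBE_SIGNATURES = {
    0: "null-scan",                 # -sN: no flags at all
    FIN: "fin-scan",                # -sF: FIN only
    FIN | PSH | URG: "xmas-scan",   # -sX: FIN, PSH, URG
    FIN | ACK: "maimon-scan",       # -sM: FIN/ACK
}


def parse_flags(spec):
    """Turn an Nmap-style spec such as 'SYNACK' or 'FIN,PSH,URG' into a bitmask."""
    spec = spec.upper().replace(",", "").replace(" ", "")
    mask = 0
    while spec:
        for name, bit in FLAG_NAMES.items():
            if spec.startswith(name):
                mask |= bit
                spec = spec[len(name):]
                break
        else:
            raise ValueError(f"unknown flag in spec: {spec!r}")
    return mask


def classify_probe(flags):
    """Return the scan label for a single packet's flag byte, or None if benign."""
    return PROBE_SIGNATURES.get(flags)


def detect_scans(packets, syn_port_threshold=20):
    """packets: iterable of dicts with keys src, dst, dport, flags (int).
    Returns a sorted list of (src, dst, label) findings."""
    findings = set()
    syn_ports = defaultdict(set)   # (src, dst) -> distinct ports hit with a bare SYN
    for p in packets:
        label = classify_probe(p["flags"])
        if label:
            findings.add((p["src"], p["dst"], label))
        elif p["flags"] == SYN:
            syn_ports[(p["src"], p["dst"])].add(p["dport"])
    # A bare SYN is normal on its own; a burst of them across many ports is a -sS sweep
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= syn_port_threshold:
            findings.add((src, dst, f"syn-sweep:{len(ports)}-ports"))
    return sorted(findings)


# Constructed sample traffic (documentation addresses, not the hosts in the notes)
SAMPLE_PACKETS = (
    [{"src": "192.0.2.10", "dst": "192.0.2.50", "dport": port, "flags": SYN}
     for port in range(1, 31)]                                                   # SYN sweep of 30 ports
    + [{"src": "192.0.2.11", "dst": "192.0.2.50", "dport": 80, "flags": 0}]      # null scan probe
    + [{"src": "192.0.2.12", "dst": "192.0.2.50", "dport": 22,
        "flags": FIN | PSH | URG}]                                               # xmas scan probe
    + [{"src": "192.0.2.13", "dst": "192.0.2.50", "dport": 443, "flags": SYN},   # one normal handshake:
       {"src": "192.0.2.13", "dst": "192.0.2.50", "dport": 443, "flags": ACK}]   # must not be flagged
)

if __name__ == "__main__":
    print("SYNACK ->", hex(parse_flags("SYNACK")))
    for finding in detect_scans(SAMPLE_PACKETS):
        print(*finding)
```

The threshold of 20 distinct ports is an arbitrary constructed value; in a real sensor it would be tuned per network, and the window for counting would be time-bounded rather than the whole capture.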
---
# Fine-Tuning
## Port tuning
```
-p80,443,53,22    specific ports
-p1-1024          a port range
-F                fast mode: the 100 most common ports
--top-ports 10    the 10 most common ports
```
## Scan timing tuning
T0~T5:
- paranoid (0): waits 5 minutes between each probe
- sneaky (1)
- polite (2)
- normal (3)
- aggressive (4)
- insane (5)
Real engagement (stealth matters): prefer T1 -> helps bypass the IDS
CTF or practice: T4
## Packet rate
Rate: the number of packets per second
--max-rate (number) -> upper limit (more stealthy)
--min-rate (number) -> lower limit (faster)
## Probing
--min-parallelism=512

# Spoofing
## IP

```
nmap -e eth0 -Pn (target) -S "spoofed IP"
```
## Mac

Only works on the same subnet (Ethernet, Wi-Fi), because the MAC address is only visible at layer 2.
```
nmap -sn -PR --spoof-mac "spoof_MAC"
```
# Decoy

```
nmap -sS (target) -D 10.10.0.1,10.10.0.2,RND,RND,MYIP
```
# Fragment Packet
Fragmenting packets lowers the chance of being detected by a firewall/IDS.
- -f (8-byte fragments)
- -ff (16-byte fragments)
```
nmap -sS 10.20.3.12 -p80 -f
```
# More Detail
## Reason
```
sudo nmap -sS -F -Pn 10.10.217.109 --reason
```
Host up -> reason "user-set" (because we passed -Pn, the host is assumed up rather than verified)
Port open -> reason "syn-ack"
Verbosity and debug levels:
```
-v
-vv
-d
-dd
```
# Service Detecting
```
-sV
```
## Version intensity
```
-sV --version-intensity (0~9)
```
--version-light = intensity 2
--version-all = intensity 9
# OS detection
```
nmap -sS -F -Pn 10.10.3.170 --reason -O
```
# TraceRoute
```
--traceroute
```
# Script
Default script directory: /usr/share/nmap/scripts/
```
nmap -sC "target"
```

```
nmap --script=ssh2-enum-algos 10.10.209.20
```

# Output
```
-oN   normal
-oG   grepable
-oX   XML
-oS   script kiddie
```
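The `--reason` output above and the `-oX` format here go together: the XML carries the reason for every host and port state, which is what lets you tell a verified "up" (syn-ack, reset) from an assumed one (user-set from -Pn). The following is an added example, not from these notes or the Nmap project, that parses a constructed, trimmed Nmap XML document with Python's standard `xml.etree.ElementTree` and pulls out host state, open ports, version strings and the hosts whose "up" state was only assumed. The XML, addresses and service versions are constructed.

```python
"""Parse Nmap XML output (-oX) and pull out host state, port state and the
--reason values.  Added example for these notes; SAMPLE_XML is a constructed,
trimmed Nmap XML document, not real output from the hosts in the notes."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -F -Pn --reason -oX - 192.0.2.50" start="0">
  <host>
    <status state="up" reason="user-set" reason_ttl="0"/>
    <address addr="192.0.2.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed" reason="reset" reason_ttl="64"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of host records: addr, state, reason and a list of ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        rec = {
            "addr": addr.get("addr") if addr is not None else None,
            "state": status.get("state"),
            "reason": status.get("reason"),   # e.g. echo-reply, arp-response, user-set
            "ports": [],
        }
        for port in host.findall("ports/port"):
            st = port.find("state")
            svc = port.find("service")
            version = None
            if svc is not None:
                # product and version are only present when -sV identified the service
                parts = [v for v in (svc.get("product"), svc.get("version")) if v]
                version = " ".join(parts) or None
            rec["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": st.get("state"),
                "reason": st.get("reason"),   # syn-ack, reset, no-response, ...
                "service": svc.get("name") if svc is not None else None,
                "version": version,
            })
        hosts.append(rec)
    return hosts


def open_ports(hosts):
    """All ports reported open across the parsed hosts, in document order."""
    return [p for h in hosts for p in h["ports"] if p["state"] == "open"]


def unverified_hosts(hosts):
    """Hosts marked up only because of -Pn (reason user-set): their liveness
    was assumed, not observed, so treat them with less confidence."""
    return [h["addr"] for h in hosts if h["state"] == "up" and h["reason"] == "user-set"]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for h in parsed:
        print(h["addr"], h["state"], f"({h['reason']})")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['state']} ({p['reason']}) {p['service']} {p['version'] or ''}")
    print("assumed up via -Pn:", unverified_hosts(parsed))
```

With real output, replace `SAMPLE_XML` by the contents of the file written with `-oX`; the element and attribute names used here (`host`, `status`, `address`, `ports/port`, `state`, `service`, and the `reason` attributes) are the ones Nmap writes.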

---
# Cheat sheet
```
nmap -sC -sV -A -p- -T4 <target>
```
-p-: all ports (0~65535)
## Enumerate
### SMB shares
```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.130.98
```
### NFS
```
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.130.98
```