Useful NMAP commands for SysAdmins
Posted by SysAdmin Tools on
NMAP is an extremely powerful tool for network scanning, reconnaissance and vulnerability management.
The typical format of an NMAP command is as follows.
- nmap <scan options> --script=<scriptname> <target>
The target can be a single host (192.168.0.1), a network (192.168.0.0/24) or a hostname. Most NSE scripts only run against the ports they expect (a port or service match), so add -p when you want to force a port and -sV when a script depends on service/version detection.
Typical open port (services) scan
nmap -sV <target>
nmap -sV <network/subnet> (Example 192.168.0.0/24)
LET'S GET INTO IT!
SSL NMAP Commands
Enumerate the SSL/TLS protocol versions and cipher suites a server or device offers, to see whether SSLv2, SSLv3 or TLS 1.0 is still enabled. The script also grades each cipher suite (A down to F) and warns about weak key exchange.
- nmap -sV --script ssl-enum-ciphers -p 443 <target>
Detects whether a server is vulnerable to the OpenSSL Heartbleed bug
- nmap -p 443 --script ssl-heartbleed <target>
Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.
- nmap --script ssl-dh-params <target>
Retrieves a server's SSL certificate
- nmap <target> --script=ssl-cert
Detects whether a server is vulnerable to the SSL/TLS "CCS Injection" vulnerability
- nmap <target> --script ssl-ccs-injection
Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
- nmap <target> --script tls-ticketbleed
Enumerates a TLS server's supported application-layer protocols using the Next Protocol Negotiation (NPN) extension.
- nmap --script=tls-nextprotoneg <targets>
Enumerates a TLS server's supported application-layer protocols using the ALPN extension.
- nmap --script=tls-alpn <targets>
SSH NMAP Commands
Returns the authentication methods that an SSH server supports.
- nmap -p 22 --script ssh-auth-methods <target>
Reports the number of algorithms (key exchange, encryption, MAC, compression) that the target SSH2 server offers.
If verbosity is set (-v), the offered algorithms are listed by type, which is what you need to spot legacy ciphers and MACs.
- nmap -p 22 --script ssh2-enum-algos <target>
SNMP NMAP Commands
Attempts to find an SNMP community string by brute-force guessing. SNMP runs over UDP, so -sU is required.
The default wordlist used to brute-force the SNMP community strings is nselib/data/snmpcommunities.lst. If this wordlist does not exist, the script falls back to nselib/data/passwords.lst.
- nmap -sU -p 161 --script=snmp-brute <target>
SMB NMAP Commands
Check which SMB dialects a server negotiates, to see if SMB1 is still enabled (smb-protocols), and whether message signing is required (smb-security-mode).
- nmap -p445 --script smb-protocols <target>
- nmap -p139 --script smb-protocols <target>
- nmap --script smb-security-mode.nse -p445 <target>
Scan for SMB vulnerabilities. Note that not all of these are passive checks: smb-vuln-ms10-054 and smb-vuln-regsvc-dos are denial-of-service probes that can crash the target, and smb-webexec-exploit executes a command on the target (it needs smbusername/smbpassword) rather than just checking for the flaw. Run them only against systems you are authorised to disrupt.
- nmap -p445 --script=smb-vuln-ms17-010 <target>
- nmap -p445 --script=smb-vuln-ms10-061 <target>
- nmap -p445 --script=smb-vuln-ms10-054 <target>
- nmap -p445 --script=smb-vuln-ms08-067 <target>
- nmap -p445 --script=smb-vuln-ms07-029 <target>
- nmap -p445 --script=smb-vuln-ms06-025 <target>
- nmap -p445 --script=smb-vuln-cve-2017-7494 <target>
- nmap -p445 --script=smb-vuln-cve2009-3103 <target>
- nmap -p445 --script=smb-vuln-conficker <target>
- nmap -p445 --script=smb-vuln-webexec <target>
- nmap -p445 --script=smb-webexec-exploit <target>
- nmap -p445 --script=smb-vuln-regsvc-dos <target>
- nmap -p445 --script=smb2-vuln-uptime <target>
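The SMB checks above and the ssl-enum-ciphers scan earlier in the page are most useful at scale when nmap is run with -oX and the XML is post-processed. The following Python script is an added example, not code from the original page or from the Nmap project: it walks an nmap XML file and flags hosts that still offer SSLv2/SSLv3/TLS 1.0/1.1, cipher suites graded worse than B by ssl-enum-ciphers, an SMBv1 dialect, or SMB signing that is not required. The embedded XML is constructed to mirror the table layout those three scripts emit; the B threshold and the 192.168.0.x addresses are assumptions.

```python
"""Triage nmap -oX output for legacy TLS and SMB settings (added example)."""
import xml.etree.ElementTree as ET

LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_CIPHER_GRADE = "B"  # ssl-enum-ciphers grades suites A (best) to F; assumed policy

# Constructed sample: two hosts, shaped like real ssl-enum-ciphers,
# smb-protocols and smb-security-mode XML output (not a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
<host><address addr="192.168.0.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-enum-ciphers" output="">
<table key="TLSv1.0"><table key="ciphers">
<table><elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">C</elem></table>
</table><elem key="cipher preference">server</elem></table>
<table key="TLSv1.2"><table key="ciphers">
<table><elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
<table><elem key="name">TLS_DHE_RSA_WITH_AES_256_CBC_SHA</elem><elem key="kex_info">dh 2048</elem><elem key="strength">B</elem></table>
</table><elem key="cipher preference">server</elem></table>
<elem key="least strength">C</elem>
</script></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
<script id="smb-protocols" output="">
<table key="dialects"><elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem><elem>2.0.2</elem><elem>2.1</elem><elem>3.0</elem></table>
</script>
<script id="smb-security-mode" output="">
<elem key="account_used">guest</elem><elem key="authentication_level">user</elem>
<elem key="challenge_response">supported</elem><elem key="message_signing">disabled (dangerous, but default)</elem>
</script></port>
</ports></host>
<host><address addr="192.168.0.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-enum-ciphers" output="">
<table key="TLSv1.2"><table key="ciphers">
<table><elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
</table><elem key="cipher preference">server</elem></table>
<elem key="least strength">A</elem>
</script></port>
</ports></host>
</nmaprun>
"""


def iter_scripts(root):
    """Yield (address, port, <script> element) for every NSE result in the run."""
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script"):
                yield addr, port.get("portid"), script


def check_tls(script):
    """Flag legacy protocol versions and cipher suites graded worse than the policy."""
    findings = []
    for proto in script.findall("table"):  # one table per protocol version
        name = proto.get("key")
        if name in LEGACY_TLS:
            findings.append(f"legacy protocol {name} enabled")
        for cipher in proto.findall("table[@key='ciphers']/table"):
            grade = cipher.findtext("elem[@key='strength']")
            cname = cipher.findtext("elem[@key='name']")
            if grade and grade > MIN_CIPHER_GRADE:  # letters sort A < B < C ...
                findings.append(f"{name}: {cname} graded {grade}")
    return findings


def check_smb(script):
    """Flag an offered SMBv1 dialect and message signing that is not required."""
    findings = []
    if script.get("id") == "smb-protocols":
        for dialect in script.findall("table[@key='dialects']/elem"):
            if "SMBv1" in (dialect.text or ""):
                findings.append("SMBv1 dialect offered")
    elif script.get("id") == "smb-security-mode":
        signing = script.findtext("elem[@key='message_signing']") or "unknown"
        if not signing.startswith("required"):
            findings.append(f"SMB signing {signing}")
    return findings


def triage(xml_text):
    """Return {address: ["port/tcp: finding", ...]} for hosts violating the policy."""
    report = {}
    for addr, port, script in iter_scripts(ET.fromstring(xml_text)):
        if script.get("id") == "ssl-enum-ciphers":
            found = check_tls(script)
        elif script.get("id") in ("smb-protocols", "smb-security-mode"):
            found = check_smb(script)
        else:
            continue
        for item in found:
            report.setdefault(addr, []).append(f"{port}/tcp: {item}")
    return report


if __name__ == "__main__":
    for addr, findings in triage(SAMPLE_XML).items():
        print(addr)
        for item in findings:
            print("   ", item)
```

Point triage() at the contents of a file produced by `nmap -sV -p443,445 --script ssl-enum-ciphers,smb-protocols,smb-security-mode -oX scan.xml <network>` and only hosts with something to fix are printed; a host whose best offer is TLS 1.2 with A/B suites and no SMB findings (192.168.0.11 in the sample) is silent.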
RDP NMAP Commands
Check RDP encryption levels and vulnerabilities
- nmap -p 3389 --script rdp-enum-encryption <target>
- nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>
FTP NMAP Commands
Checks whether a ProFTPD server is vulnerable to the Telnet IAC stack-based buffer overflow (CVE-2010-4221).
- nmap --script=ftp-vuln-cve2010-4221 <target>
HTTP NMAP Commands
Enumerates directories used by popular web applications and servers.
- nmap -sV --script=http-enum <target>
Performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned.
- nmap -sV --script=http-headers <target>
Various HTTP vulnerability scans
- nmap --script http-iis-webdav-vuln -p80,8080 <target>
- nmap -sV --script http-vuln-wnr1000-creds <target> -p80
- nmap <target> -p 7547 --script=http-vuln-misfortune-cookie
- nmap --script http-vuln-cve2017-8917 -p 80 <target>
- nmap -p 16992 --script http-vuln-cve2017-5689 <target>
- nmap -p <port> --script http-vuln-cve2017-5638 <target>
- nmap --script http-vuln-cve2017-1001000 <target>
- nmap -p80 --script http-vuln-cve2015-1635.nse <target>
- nmap --script=http-vuln-cve2015-1427 --script-args command='ls' <targets>
SMTP NMAP Commands
Scan for various SMTP vulnerabilities. Passing smtp-vuln-cve2010-4344.exploit makes the third script attempt the Exim heap-overflow exploit rather than only checking the version, so leave it off for a plain check.
- nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>
- nmap --script=smtp-vuln-cve2011-1720 --script-args='smtp.domain=<domain>' -pT:25,465,587 <host>
- nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 <host>
MSSQL NMAP Commands
MSSQL instance discovery. Requires the SQL Server Browser service to be running; the script sends a broadcast on UDP 1434, so it only finds instances in the local broadcast domain.
- nmap --script broadcast-ms-sql-discover
MySQL NMAP Commands
MySQL vulnerability scan (authentication bypass, CVE-2012-2122)
- nmap -p3306 --script mysql-vuln-cve2012-2122 <target>
VNC NMAP Commands
A default script scan runs vnc-info against VNC ports, reporting the protocol version and supported security types.
- nmap -sV -sC <target>
Tries to log in (with the None security type, or credentials found by vnc-brute) and return the desktop name.
- nmap -sV --script=vnc-title <target>
Brute-force VNC passwords.
- nmap --script vnc-brute -p 5900 <host>
OTHER USEFUL NMAP Commands
Detect Target Operating System
- nmap -O <target>
Discover DHCP Servers
- nmap --script=broadcast-dhcp-discover
Checks if a target on a local Ethernet has its network card in promiscuous mode.
- nmap -sV --script=sniffer-detect <target>
WHOIS
- nmap --script whois-domain.nse <domain>
Unusual Port Detection
Compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations. The script needs a version scan (-sV) so that it knows what is actually running on each port.
- nmap -sV --script unusual-port <ip>
Checks if a target is a known Tor node.
- nmap --script=tor-consensus-checker <host>
Telnet NMAP Commands
This script enumerates information from remote Microsoft Telnet services with NTLM authentication enabled.
- nmap -p 23 --script telnet-ntlm-info <target>
Determines whether the encryption option is supported on a remote telnet server.
- nmap -p 23 <ip> --script telnet-encryption
General Vulnerability Scan
Recent Nmap releases ship vulners.nse. If yours does not, download the .nse file from https://github.com/vulnersCom/nmap-vulners, place it in the nmap\scripts directory and run nmap --script-updatedb. The script queries the Vulners API online and only reports on services for which -sV produced a version/CPE, so accurate version detection is what makes it useful.
- nmap -Pn -sV --script=vulners <target>
- nmap -Pn -sV -p80 --script=vulners <target>
There are a few more examples on the GitHub page.
Detects whether a host is infected with the Stuxnet worm
- nmap --script stuxnet-detect -p 445 <host>
STUN NMAP Commands
Sends a binding request to the server and attempts to extract version information from the response, if the server attribute is present.
- nmap -sU -sV -p 3478 <target>
Retrieves the external IP address of a NATed host using the STUN protocol.
- nmap -sV -Pn -sU -p 3478 --script stun-info <ip>
RPC NMAP Commands
Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.
- nmap -sV --script rpcinfo <target>
Mikrotik NMAP Commands
Performs brute-force password auditing against Mikrotik RouterOS devices with the RouterOS API interface enabled.
- nmap -p8728 --script mikrotik-routeros-brute <target>
LDAP NMAP Commands
Attempts to perform an LDAP search and returns all matches.
If no username and password are supplied to the script, the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, that account is used. If not, anonymous bind is used as a last attempt.
- nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>
- nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>
iSCSI NMAP Commands
Collects and displays information from remote iSCSI targets. The iscsi-info script is in the default set, so -sC runs it against port 3260.
- nmap -sV -sC <target>
GEOLOCATION NMAP Commands
Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.
- nmap --script ip-geolocation-geoplugin 8.8.8.8
FIREWALL Bypass NMAP Commands
Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip. The script is intrusive: it actively tricks the helper into opening the target port, so it is a test, not a passive check.
- nmap --script firewall-bypass <target>
- nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp",firewall-bypass.targetport=22 <target>
SonicWALL / Ubiquiti Device NMAP Commands
SonicWALL - a broadcast script, so it only finds devices in the local broadcast domain of the chosen interface
- nmap -e eth0 --script broadcast-sonicwall-discover
Ubiquiti
- nmap -sU -p 10001 --script ubiquiti-discovery <target/subnet>
DROPBOX NMAP Commands
Listens for the LAN sync information broadcasts that the Dropbox client sends every 20 seconds
- nmap --script=broadcast-dropbox-listener
Check your scripts directory for more discovery, vulnerability and brute scripts that can help you identify vulnerabilities; nmap --script-help 'smb-vuln-*' (or any other wildcard) prints the documentation, categories and arguments for matching scripts.
Sources
nmap.org
networkstraining.com