Useful NMAP commands for SysAdmins

Posted by SysAdmin Tools on

Nmap is an extremely powerful tool for network scanning, reconnaissance and vulnerability management.

The typical format of an Nmap command is as follows.

  • nmap <scan options> --script=<scriptname> <target>

The target can be a single host (192.168.0.1) or a network (192.168.0.0/24).
 

Typical open port (service) scan

  • nmap -sV <target>
  • nmap -sV <network/subnet> (example: 192.168.0.0/24)

LET'S GET INTO IT!

SSL NMAP Commands


Enumerates the SSL/TLS ciphers enabled on a server/device, so you can see whether SSLv2, SSLv3 or TLS 1.0 is still enabled.

  • nmap -sV --script ssl-enum-ciphers -p 443 <target>
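As an added example (not from the original post), a small Python script that reads the XML written by `nmap -sV --script ssl-enum-ciphers -p 443 -oX scan.xml <target>` and lists every host that still offers SSLv2, SSLv3 or TLS 1.0, or any cipher suite that ssl-enum-ciphers grades C or lower. The embedded XML is a constructed sample, not real scan output.

```python
import xml.etree.ElementTree as ET

# Protocol versions the post tells you to look for on each server.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}
# ssl-enum-ciphers grades every suite A..F; treat C and below as weak.
WEAK_GRADES = {"C", "D", "E", "F"}


def audit_ssl_enum_ciphers(xml_text):
    """Map 'addr:port' -> findings for every ssl-enum-ciphers result in nmap -oX output."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-enum-ciphers']")
            if script is None:
                continue
            deprecated, weak = [], []
            # Each direct child <table key="TLSv1.x"> is one protocol version the server offers.
            for proto in script.findall("table"):
                version = proto.get("key")
                if version in DEPRECATED_PROTOCOLS:
                    deprecated.append(version)
                ciphers = proto.find("table[@key='ciphers']")
                for cipher in (ciphers.findall("table") if ciphers is not None else []):
                    grade = cipher.findtext("elem[@key='strength']")
                    if grade in WEAK_GRADES:
                        weak.append((version, cipher.findtext("elem[@key='name']"), grade))
            if deprecated or weak:
                findings[f"{addr}:{port.get('portid')}"] = {
                    "deprecated": sorted(deprecated), "weak_ciphers": weak}
    return findings


# Constructed sample of what nmap -oX writes for one host; not real scan output.
SAMPLE_XML = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-enum-ciphers" output="">
<table key="TLSv1.0"><table key="ciphers"><table>
<elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="strength">C</elem>
</table></table></table>
<table key="TLSv1.2"><table key="ciphers"><table>
<elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="strength">A</elem>
</table></table></table><elem key="least strength">C</elem>
</script></port></ports></host></nmaprun>"""

if __name__ == "__main__":
    for endpoint, result in audit_ssl_enum_ciphers(SAMPLE_XML).items():
        print(endpoint, "still offers", result["deprecated"], "weak:", result["weak_ciphers"])
```

Replace SAMPLE_XML with the contents of your own scan.xml to run it against a real scan.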



Detects whether a server is vulnerable to the OpenSSL Heartbleed bug

  • nmap -p 443 --script ssl-heartbleed <target>


Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.

  • nmap --script ssl-dh-params <target>


Retrieves a server's SSL certificate

  • nmap <target> --script=ssl-cert


Detects whether a server is vulnerable to the SSL/TLS "CCS Injection" vulnerability

  • nmap <target> --script ssl-ccs-injection


Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).

  • nmap <target> --script tls-ticketbleed


Enumerates a TLS server's supported protocols by using the next protocol negotiation extension.

  • nmap --script=tls-nextprotoneg <targets>


Enumerates a TLS server's supported application-layer protocols using the ALPN protocol.

  • nmap --script=tls-alpn <targets>

 

SSH NMAP Commands


Returns the authentication methods that an SSH server supports.

  • nmap -p 22 --script ssh-auth-methods <target>


Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.
If verbosity is set, the offered algorithms are each listed by type.

  • nmap -p 22 --script ssh2-enum-algos <target>

SNMP NMAP Commands


Attempts to find an SNMP community string by brute-force guessing.
The default wordlist used to brute-force the SNMP community strings is nselib/data/snmpcommunities.lst. If this wordlist does not exist, the script falls back to nselib/data/passwords.lst.

  • nmap -sU -p 161 --script=snmp-brute <target>

SMB NMAP Commands

Check the SMB version on a server to see if SMB1 is still enabled.

  • nmap -p445 --script smb-protocols <target>
  • nmap -p139 --script smb-protocols <target>
  • nmap --script smb-security-mode.nse -p445 <target>


Scan for SMB Vulnerabilities

  • nmap -p445 --script=smb-vuln-ms17-010 <target>
  • nmap -p445 --script=smb-vuln-ms10-061 <target>
  • nmap -p445 --script=smb-vuln-ms10-054 <target>
  • nmap -p445 --script=smb-vuln-ms08-067 <target>
  • nmap -p445 --script=smb-vuln-ms07-029 <target>
  • nmap -p445 --script=smb-vuln-ms06-025 <target>
  • nmap -p445 --script=smb-vuln-cve-2017-7494 <target>
  • nmap -p445 --script=smb-vuln-cve2009-3103 <target>
  • nmap -p445 --script=smb-vuln-conficker <target>
  • nmap -p445 --script=smb-vuln-webexec <target>
  • nmap -p445 --script=smb-webexec-exploit <target>
  • nmap -p445 --script=smb-vuln-regsvc-dos <target>
  • nmap -p445 --script=smb2-vuln-uptime <target>

 

RDP NMAP Commands

Check RDP Encryption and Vulnerabilities

  • nmap -p 3389 --script rdp-enum-encryption <target>
  • nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>

FTP NMAP Commands

  • nmap --script=ftp-vuln-cve2010-4221 <target>

 

HTTP NMAP Commands

Enumerates directories used by popular web applications and servers.

  • nmap -sV --script=http-enum <target>


Performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned.

  • nmap -sV --script=http-headers <target>


Various HTTP Vulnerability scans

  • nmap --script http-iis-webdav-vuln -p80,8080 <target>
  • nmap -sV --script http-vuln-wnr1000-creds <target> -p80
  • nmap <target> -p 7547 --script=http-vuln-misfortune-cookie
  • nmap --script http-vuln-cve2017-8917 -p 80 <target>
  • nmap -p 16992 --script http-vuln-cve2017-5689 <target>
  • nmap -p <port> --script http-vuln-cve2017-5638 <target>
  • nmap --script http-vuln-cve2017-1001000 <target>
  • nmap -p80 --script http-vuln-cve2015-1635.nse <target>
  • nmap --script=http-vuln-cve2015-1427 --script-args command='ls' <targets>

 

SMTP NMAP Commands

Scan for various SMTP vulnerabilities

  • nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>
  • nmap --script=smtp-vuln-cve2011-1720 --script-args='smtp.domain=<domain>' -pT:25,465,587 <host>
  • nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 <host>

 

MSSQL NMAP Commands

MSSQL instance discovery (requires the SQL Server Browser service to be running on the target)

  • nmap --script broadcast-ms-sql-discover


MySQL NMAP Commands

MySQL Vulnerability Scan

  • nmap -p3306 --script mysql-vuln-cve2012-2122 <target>

 

VNC NMAP Commands

  • nmap -sV -sC <target>
  • nmap -sV --script=vnc-title <target>
  • nmap --script vnc-brute -p 5900 <host>

 

OTHER USEFUL NMAP Commands

Detect Target Operating System

  • nmap -O <target>


Discover DHCP Servers

  • nmap --script=broadcast-dhcp-discover

Checks if a target on a local Ethernet has its network card in promiscuous mode.

  • nmap -sV --script=sniffer-detect <target>

WHOIS

  • nmap --script whois-domain.nse <domain>


Unusual Port Detection
Compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations. The script requires that a version scan (-sV) has been run so that it can discover what service is actually running on each port.

  • nmap -sV --script unusual-port <ip>


Checks if a target is a known Tor node.

  • nmap --script=tor-consensus-checker <host>

 

Telnet NMAP Commands

This script enumerates information from remote Microsoft Telnet services with NTLM authentication enabled.

  • nmap -p 23 --script telnet-ntlm-info <target>


Determines whether the encryption option is supported on a remote telnet server.

  • nmap -p 23 <ip> --script telnet-encryption


General Vulnerability Scan

Download the .nse files from https://github.com/vulnersCom/nmap-vulners and place them in the nmap\scripts directory.

  • nmap -Pn -sV --script=vulners <target>
  • nmap -Pn -sV -p80 --script=vulners <target>

*There are a few more examples on the GitHub page.

Detects whether a host is infected with the Stuxnet worm

  • nmap --script stuxnet-detect -p 445 <host>

 

STUN NMAP Commands


Sends a binding request to the server and attempts to extract version information from the response, if the server attribute is present.

  • nmap -sU -sV -p 3478 <target>


Retrieves the external IP address of a NATed host using the STUN protocol.

  • nmap -sV -PN -sU -p 3478 --script stun-info <ip>

 

RPC NMAP Commands


Connects to portmapper and fetches a list of all registered programs. It then prints out a table including (for each program) the RPC program number, supported version numbers, port number and protocol, and program name.

  • nmap -sV --script rpcinfo <target>


Performs brute-force password auditing against MikroTik RouterOS devices with the RouterOS API interface enabled.

  • nmap -p8728 --script mikrotik-routeros-brute <target>

 

LDAP NMAP Commands


Attempts to perform an LDAP search and returns all matches.
If no username and password are supplied to the script, the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, this account will be used. If not, anonymous bind will be used as a last attempt.

  • nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>

 

  • nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>

 

iSCSI NMAP Commands

Collects and displays information from remote iSCSI targets.

  • nmap -sV -sC <target>

 

GEOLOCATION NMAP Commands

Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). There is no limit on lookups using this service.

  • nmap --script ip-geolocation-geoplugin 8.8.8.8

 

FIREWALL Bypass NMAP Commands


Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.

  • nmap --script firewall-bypass <target>
  • nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp",firewall-bypass.targetport=22 <target>



SonicWALL / Ubiquiti Device NMAP Commands


SonicWALL (may only work if the SonicWALL device is on the same subnet as the scanner)

  • nmap -e eth0 --script broadcast-sonicwall-discover

Ubiquiti

  • nmap -sU -p 10001 --script ubiquiti-discovery <target/subnet>

 

DROPBOX NMAP Commands 


Listens for the LAN sync information broadcasts that the Dropbox.com client sends every 20 seconds.

  • nmap --script=broadcast-dropbox-listener


Check your scripts directory for more discovery, vulnerability and brute-force scripts; there may be other scripts that can help you identify vulnerabilities.

  

Sources
nmap.org
networkstraining.com

