Port Scan

Powershell

PS C:\Users\jamie\Desktop> Test-NetConnection -Port 1433 192.168.210.15

Nmap

nmap -sV --open -oA nibbles_initial_scan 10.129.42.190

nmap -sC -p 22,80 -oA nibbles_script_scan 10.129.42.190

nmap -sV --script=http-enum -oA nibbles_nmap_http_enum 10.129.42.190

List of common ports:

Common Ports

Host file

nmap -iL targets.txt

Nmap options

Nmap Option

Description

10.10.10.0/24

Target network range.

-sn

Disables port scanning.

-Pn

Disables ICMP Echo Requests

-n

Disables DNS Resolution.

-PE

Performs the ping scan by using ICMP Echo Requests against the target.

--packet-trace

Shows all packets sent and received.

--reason

Displays the reason for a specific result.

--disable-arp-ping

Disables ARP Ping Requests.

--top-ports=<num>

Scans the specified top ports that have been defined as most frequent.

-p-

Scan all ports.

-p22-110

Scan all ports between 22 and 110.

-p22,25

Scans only the specified ports 22 and 25.

-F

Scans top 100 ports.

-sS

Performs an TCP SYN-Scan.

-sA

Performs an TCP ACK-Scan.

-sU

Performs an UDP Scan.

-sV

Scans the discovered services for their versions.

-sC

Perform a Script Scan with scripts that are categorized as "default".

--script <script>

Performs a Script Scan by using the specified scripts.

-O

Performs an OS Detection Scan to determine the OS of the target.

-A

Performs OS Detection, Service Detection, and traceroute scans.

-D RND:5

Sets the number of random Decoys that will be used to scan the target.

-e

Specifies the network interface that is used for the scan.

-S 10.10.10.200

Specifies the source IP address for the scan.

-g

Specifies the source port for the scan.

--dns-server <ns>

DNS resolution is performed by using a specified name server.

Output Options

Nmap Option

Description

-oA filename

Stores the results in all available formats starting with the name of "filename".

-oN filename

Stores the results in normal format with the name "filename".

-oG filename

Stores the results in "grepable" format with the name of "filename".

-oX filename

Stores the results in XML format with the name of "filename".

Performance Options

Nmap Option

Description

--max-retries <num>

Sets the number of retries for scans of specific ports.

--stats-every=5s

Displays scan's status every 5 seconds.

-v/-vv

Displays verbose output during the scan.

--initial-rtt-timeout 50ms

Sets the specified time value as initial RTT timeout.

--max-rtt-timeout 100ms

Sets the specified time value as maximum RTT timeout.

--min-rate 300

Sets the number of packets that will be sent simultaneously.

-T <0-5>

Specifies the specific timing template.

Open port

nmap 10.129.2.0/24 -F -oN tnet.default
cat tnet.default | grep "/tcp" | wc -l

IDS/IPS Detection

IDS IPS AV Evasion

UDP

sudo nmap 10.129.2.28 -F -sU

Convert XML Result to HTML

xsltproc target.xml -o target.html

Vulnerability

Update nse scripts: sudo nmap --script-updatedb

sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715

Admin interface:

Default Credentials Web login

CMS :

CMS

Find NSE script

$ locate -r nse$|grep nfs
/usr/share/nmap/scripts/nfs-ls.nse
/usr/share/nmap/scripts/nfs-showmount.nse
/usr/share/nmap/scripts/nfs-statfs.nse

PreviousProtocols NextCommon Ports

Last updated 3 months ago