Port Scan

Powershell

PS C:\Users\jamie\Desktop> Test-NetConnection -Port 1433 192.168.210.15

Scanning without Nmap

# Find IPs
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done    

# Find Ports
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

Naabu

GitHub - projectdiscovery/naabu: A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentestsGitHub

naabu -host target.com

Masscan

Nmap

Nmap binary:

static-binaries/nmap at master · andrew-d/static-binariesGitHub

For Windows - Zenmap

Download the Free Nmap Security Scanner for Linux/Mac/Windows

nmap -sV --open -oA nibbles_initial_scan 10.129.42.190

nmap -sC -p 22,80 -oA nibbles_script_scan 10.129.42.190

nmap -sV --script=http-enum -oA nibbles_nmap_http_enum 10.129.42.190 

List of common ports:

Common Ports

Host file

nmap -iL targets.txt

Nmap options

Nmap Option	Description
10.10.10.0/24	Target network range.
-sn	Disables port scanning.
-Pn	Disables ICMP Echo Requests
-n	Disables DNS Resolution.
-PE	Performs the ping scan by using ICMP Echo Requests against the target.
--packet-trace	Shows all packets sent and received.
--reason	Displays the reason for a specific result.
--disable-arp-ping	Disables ARP Ping Requests.
--top-ports=<num>	Scans the specified top ports that have been defined as most frequent.
-p-	Scan all ports.
-p22-110	Scan all ports between 22 and 110.
-p22,25	Scans only the specified ports 22 and 25.
-F	Scans top 100 ports.
-sS	Performs an TCP SYN-Scan.
-sA	Performs an TCP ACK-Scan.
-sU	Performs an UDP Scan.
-sV	Scans the discovered services for their versions.
-sC	Perform a Script Scan with scripts that are categorized as "default".
--script <script>	Performs a Script Scan by using the specified scripts.
-O	Performs an OS Detection Scan to determine the OS of the target.
-A	Performs OS Detection, Service Detection, and traceroute scans.
-D RND:5	Sets the number of random Decoys that will be used to scan the target.
-e	Specifies the network interface that is used for the scan.
-S 10.10.10.200	Specifies the source IP address for the scan.
-g	Specifies the source port for the scan.
--dns-server <ns>	DNS resolution is performed by using a specified name server.

Output Options

Nmap Option	Description
-oA filename	Stores the results in all available formats starting with the name of "filename".
-oN filename	Stores the results in normal format with the name "filename".
-oG filename	Stores the results in "grepable" format with the name of "filename".
-oX filename	Stores the results in XML format with the name of "filename".

Performance Options

Nmap Option	Description
--max-retries <num>	Sets the number of retries for scans of specific ports.
--stats-every=5s	Displays scan's status every 5 seconds.
-v/-vv	Displays verbose output during the scan.
--initial-rtt-timeout 50ms	Sets the specified time value as initial RTT timeout.
--max-rtt-timeout 100ms	Sets the specified time value as maximum RTT timeout.
--min-rate 300	Sets the number of packets that will be sent simultaneously.
-T <0-5>	Specifies the specific timing template.

Open port

nmap 10.129.2.0/24 -F -oN tnet.default
cat tnet.default | grep "/tcp" | wc -l

IDS/IPS Detection

IDS IPS AV Evasion

UDP

sudo nmap 10.129.2.28 -F -sU

Convert XML Result to HTML

xsltproc target.xml -o target.html

Vulnerability

Update nse scripts: sudo nmap --script-updatedb

sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715

Admin interface:

Default CredentialsWeb login

CMS :

CMS

Find NSE script

$ locate -r nse$|grep nfs
/usr/share/nmap/scripts/nfs-ls.nse
/usr/share/nmap/scripts/nfs-showmount.nse
/usr/share/nmap/scripts/nfs-statfs.nse

Nmap - NSE

• safe:- Won't affect the target

• intrusive:- Not safe: likely to affect the target

• vuln:- Scan for vulnerabilities

• exploit:- Attempt to exploit a vulnerability

• auth:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)

• brute:- Attempt to bruteforce credentials for running services

• discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).