Nmap
Frequent scans
I keep searching my shell history for these.
| Command | Description |
|---|---|
nmap -sS -p 1-65535 hostname |
TCP SYN scan, all ports |
nmap -sU -p 1-65535 hostname |
UDP scan, all ports |
nmap -T5 -sn 192.168.0.0/24 |
Fast ping scan of a subnet |
nmap -p 80,443 --script "http-*" hostname |
Run all HTTP scripts against host |
nmap -A hostname |
OS+version detection, script scanning, traceroute |
Scripts
- Scripts are usually in
/usr/share/nmap/scripts/or/opt/homebrew/share/nmap/scripts - To update scripts, run
nmap --script-updatedb(maybe withsudo) - Searching w/
cat script.db | grepcan filter by lots, likesafeorintrusiveandvuln - Use
nmap --script-help script-title-hereto see built-in man pages for that script
SSL ciphers
Enumerate SSL/TLS ciphers supported by a server, script docs.
1
nmap -sV --script ssl-enum-ciphers -p <port> <target>
For FIPS 140-2 projects - note that RC4-MD5 ciphers, Camellia ciphers, curve 25519 and other elliptic curves are all not acceptable and shouldn’t show up in compliant results.
Vulners
Enumerate vulnerabilities on a host, script docs.
1
nmap -sV --script vulners [--script-args mincvss=<arg_val>] <target>
Links
The nmap book has it all, somewhere.
This post is licensed under CC BY 4.0 by the author.