Toolbox

Nmap

Core scan patterns, output formats, and NSE script workflows.

Basic Commands

Initial Scan - Pro Tip

  • Running a full service and vulnerability scan against every port of a machine is slow, so to get started quickly, first run a fast port scan that covers the top 1000 ports:
nmap -F -Pn <ip_address>
  • Once that returns, start a version/vulnerability scan against the open ports found by the previous scan:
nmap -Pn -A -p <22,53,80,443,...> <ip_address>
  • While that scan runs, begin manually enumerating and documenting the ports found so far, and start the following, longer scan in the background to verify that every port has been enumerated:
nmap -p- -Pn <ip_address>
  • Rinse and repeat: any new ports the full scan reveals get another version/vulnerability scan of their own:
nmap -Pn -A -p <ports> <ip_address>
Note: I run the -A flag in this script for simplicity to include version enumeration and script enumeration, but feel free to run them separately with -sV (version enumeration) etc. Run the command nmap --help for more options.

Force Greppable Output File

nmap -p 80,443 192.168.0.1 -oG nmap.txt
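The staged workflow above, glued together with the greppable output format, as an added shell example that is not part of the original notes. It assumes nmap is installed; the target address, output file names and the sample scan output are placeholders or constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): the quick -F scan writes
# greppable output, its open ports feed the -A scan, and the full -p- scan is
# compared against them so newly found ports get their own follow-up scan.
# Assumes nmap is installed; target and file names are placeholders.

# Constructed sample of nmap -oG output (real output separates fields with tabs).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 () Status: Up
Host: 192.0.2.10 () Ports: 22/open/tcp//ssh///, 53/closed/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https/// Ignored State: filtered (96)
# Nmap done (constructed sample)'

# Read -oG text on stdin and print the open TCP ports as a comma-separated list.
# Each Ports entry is port/state/protocol/owner/service/rpcinfo/version/.
open_ports_from_grepable() {
    grep -E '^Host: .*[[:space:]]Ports: ' \
        | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
        | sort -nu | paste -sd, -
}

# Print the ports in $2 (comma list) that are absent from $1 (comma list).
new_ports() {
    known=",$1,"
    result=""
    for p in $(printf '%s' "$2" | tr ',' ' '); do
        case "$known" in
            *",$p,"*) ;;                          # already enumerated
            *) result="${result:+$result,}$p" ;;  # newly discovered
        esac
    done
    printf '%s' "$result"
}

# The staged workflow from the notes. Usage: staged_scan <ip_address>
staged_scan() {
    target=$1
    nmap -F -Pn -oG quick.gnmap "$target" >/dev/null
    ports=$(open_ports_from_grepable < quick.gnmap)
    if [ -n "$ports" ]; then nmap -Pn -A -p "$ports" -oN detailed.nmap "$target"; fi
    # The slow full-range scan; in practice run it in the background while enumerating.
    nmap -p- -Pn -oG full.gnmap "$target" >/dev/null
    extra=$(new_ports "$ports" "$(open_ports_from_grepable < full.gnmap)")
    if [ -n "$extra" ]; then nmap -Pn -A -p "$extra" -oN detailed-extra.nmap "$target"; fi
}
```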

Quick Network Sweeping for Live Hosts

This disables port scanning and sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request to determine whether each host is alive.
nmap -sn 192.168.0.1-253

Manually Selecting Top Ports to Scan

nmap -sT -A --top-ports=20 <ip_address>
  • This scans the 20 most common ports with the -A option set (version detection, default scripts, OS detection and traceroute).

Vulnerability Scripts

  • Scripts are located in the directory /usr/share/nmap/scripts.
  • A script in the vuln category is also categorized as either safe or intrusive.
  • Scripts categorized as "safe" have no potential impact on stability, while scripts in the "intrusive" category might crash a target service or system.

Updating the Script Database

Copy the Downloaded Script to the Local Scripts Repo

cp ../Downloads/cve-2021-41773.nse /usr/share/nmap/scripts

Update the Database

nmap --script-updatedb

Script Help

nmap --script-help http-headers

HTTP Header Script Example

nmap --script http-headers 192.168.0.1

Identifying the Script Safety Level

cd /usr/share/nmap/scripts
grep '"vuln"' script.db
  • This lists the script.db entries carrying the vuln category; each entry also shows the script's other categories, including safe or intrusive.

Examine the Script Parameter

  • This parameter determines which NSE scripts are executed in a scan.
  • Its argument can be:
    • a category
    • a Boolean expression
    • a comma-separated list of categories
    • the full or wildcard-specified name of an NSE script in script.db
    • an absolute path to a specific script
nmap -sV -p 443 --script "vuln" 192.168.50.124
  • This command passes the --script parameter the vuln argument, which selects every script in that category.

Vulners Script Overview

Nmap also integrates the vulners script, which provides current vulnerability information about detected service versions from the Vulners Vulnerability Database. The script itself carries the categories safe, vuln, and external. It essentially provides an overview of all CVEs mapped to the detected version.