hieuhtr / Blog

Don’t be lazy. Don’t make excuses. No one cares. Work fucking harder.

Basic Nmap commands #80

Open hieuhtr opened 6 years ago

hieuhtr commented 6 years ago

Basic Nmap commands

Enable scripts, service detection, OS fingerprinting and traceroute

```shell
sudo nmap -A 45.79.85.159
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-08 20:52 +07
Nmap scan report for li1184-159.members.linode.com (45.79.85.159)
Host is up (0.19s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c1:bd:c3:9e:75:74:27:76:f7:a3:21:25:c5:bf:41:ea (RSA)
|   256 64:e6:37:97:dc:f7:f0:69:e0:51:f2:73:2d:11:17:fe (ECDSA)
|_  256 d1:0d:f4:74:d9:41:d9:85:32:d2:74:e1:8d:ef:14:8d (EdDSA)
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: usnode.members.linode.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=usnode
| Not valid before: 2017-10-17T14:41:31
|_Not valid after:  2027-10-15T14:41:31
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
9000/tcp open  cslistener?
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Type: application/xml
|     Server: Minio/DEVELOPMENT.2017-10-29T10-14-45Z (linux; amd64)
|     Vary: Origin
|     X-Amz-Request-Id: 14F520AC5557517F
|     Date: Wed, 08 Nov 2017 13:52:54 GMT
|
|     InvalidBucketNameThe specified bucket is not valid./nice ports,/Trinity.txt.bak3L1373L137
|   GetRequest:
|     HTTP/1.0 403 Forbidden
|     Accept-Ranges: bytes
|     Content-Type: application/xml
|     Server: Minio/DEVELOPMENT.2017-10-29T10-14-45Z (linux; amd64)
|     Vary: Origin
|     X-Amz-Request-Id: 14F520A98FF1826F
|     Date: Wed, 08 Nov 2017 13:52:42 GMT
|
|     AccessDeniedAccess Denied./3L1373L137
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Date: Wed, 08 Nov 2017 13:52:43 GMT
|     Content-Length: 0
|     Content-Type: text/plain; charset=utf-8
|   RTSPRequest, SIPOptions:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|_    Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9000-TCP:V=7.60%I=7%D=11/8%Time=5A030C2A%P=x86_64-apple-darwin16.7.
SF:0%r(GetRequest,1C1,"HTTP/1\.0\x20403\x20Forbidden\r\nAccept-Ranges:\x20
SF:bytes\r\nContent-Type:\x20application/xml\r\nServer:\x20Minio/DEVELOPME
SF:NT\.2017-10-29T10-14-45Z\x20\(linux;\x20amd64\)\r\nVary:\x20Origin\r\nX
SF:-Amz-Request-Id:\x2014F520A98FF1826F\r\nDate:\x20Wed,\x2008\x20Nov\x202
SF:017\x2013:52:42\x20GMT\r\n\r\n<\?xml\x20version=\"1\.0\"\x20encoding=\"
SF:UTF-8\"\?>\nAccessDeniedAccess\x20Denied\.
SF:/3L1373L137")%r(HTTPOptions
SF:,CD,"HTTP/1\.0\x20200\x20OK\r\nVary:\x20Origin\r\nVary:\x20Access-Contr
SF:ol-Request-Method\r\nVary:\x20Access-Control-Request-Headers\r\nDate:\x
SF:20Wed,\x2008\x20Nov\x202017\x2013:52:43\x20GMT\r\nContent-Length:\x200\
SF:r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n\r\n")%r(RTSPReques
SF:t,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain
SF:;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request
SF:")%r(FourOhFourRequest,1F7,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nAccep
SF:t-Ranges:\x20bytes\r\nContent-Type:\x20application/xml\r\nServer:\x20Mi
SF:nio/DEVELOPMENT\.2017-10-29T10-14-45Z\x20\(linux;\x20amd64\)\r\nVary:\x
SF:20Origin\r\nX-Amz-Request-Id:\x2014F520AC5557517F\r\nDate:\x20Wed,\x200
SF:8\x20Nov\x202017\x2013:52:54\x20GMT\r\n\r\n<\?xml\x20version=\"1\.0\"\x
SF:20encoding=\"UTF-8\"\?>\nInvalidBucketName
SF:The\x20specified\x20bucket\x20is\x20not\x20valid\.
SF:/nice\x20ports,/Trinity\.txt\.bak3L1373L137")%r(
SF:SIPOptions,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request");
Device type: general purpose|WAP|storage-misc|broadband router
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X|2.4.X (95%), Asus embedded (92%), HP embedded (91%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel cpe:/h:asus:rt-ac66u cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:2.4
Aggressive OS guesses: Linux 3.10 - 4.8 (95%), Linux 3.13 (95%), Linux 3.13 or 4.2 (95%), Linux 4.4 (95%), Linux 3.16 (94%), Linux 3.16 - 4.6 (94%), Linux 3.12 (93%), Linux 3.2 - 4.8 (93%), Linux 3.8 - 3.11 (93%), Asus RT-AC66U WAP (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 12 hops
Service Info: Host: usnode.members.linode.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   4.28 ms   172.16.0.1
2   6.12 ms   static.vnpt.vn (14.169.128.1)
3   ...
4   6.07 ms   static.vnpt.vn (113.171.14.37)
5   5.49 ms   static.vnpt.vn (113.171.7.209)
6   ...
7   392.21 ms unknown.telstraglobal.net (202.127.78.129)
8   ...
9   78.34 ms  100ge8-2.core1.tyo1.he.net (184.105.64.130)
10  201.74 ms 100ge8-1.core1.sea1.he.net (184.105.213.117)
11  180.47 ms 173.230.159.3
12  182.92 ms li1184-159.members.linode.com (45.79.85.159)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.96 seconds
```
Perform TCP and UDP scanning

```shell
sudo nmap -sSU 45.79.85.159
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-08 20:57 +07
sendto in send_ip_packet_sd: sendto(4, packet, 28, 0, 45.79.85.159, 16) => Network is down
Offending packet: UDP 172.16.6.163:33418 > 45.79.85.159:49176 ttl=44 id=39224 iplen=7168
Stats: 0:02:28 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 16.00% done; ETC: 21:12 (0:12:26 remaining)
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
.
.
UDP Scan Timing: About 63.58% done; ETC: 21:14 (0:06:03 remaining)
Nmap scan report for li1184-159.members.linode.com (45.79.85.159)
Host is up (0.19s latency).
Not shown: 1995 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
25/tcp   open          smtp
80/tcp   open          http
9000/tcp open          cslistener
53/udp   open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 1045.86 seconds.
```

NOTE: Add -F for fast mode, which scans fewer ports than the default scan and therefore finishes sooner.
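As an added example (not part of the original post), here is a small Python parser for the normal Nmap output format shown above. It pulls the port table out of the report, skipping the NSE script lines, and compares what is open against an expected-exposure baseline, which is how a defender turns a scan like this into a repeatable check. The sample output and the baseline are constructed from the results above; the `allowed` set is an assumption for the demo.

```python
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed sample: a trimmed copy of the `nmap -A` / `-sSU` port tables above,
# including the script lines ("| ...", "|_...") that a parser must skip.
SAMPLE_OUTPUT = """\
Nmap scan report for li1184-159.members.linode.com (45.79.85.159)
Host is up (0.19s latency).
Not shown: 996 closed ports
PORT     STATE         SERVICE     VERSION
22/tcp   open          ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 d1:0d:f4:74:d9:41:d9:85:32:d2:74:e1:8d:ef:14:8d (EdDSA)
25/tcp   open          smtp        Postfix smtpd
80/tcp   open          http        nginx 1.10.3 (Ubuntu)
9000/tcp open          cslistener?
53/udp   open|filtered domain
"""

class Port(NamedTuple):
    number: int
    proto: str
    state: str
    service: str
    version: str

# One port-table row, e.g. "9000/tcp open  cslistener?" or "53/udp open|filtered domain".
# A trailing "?" on the service means Nmap only guessed the name from the port number.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_ports(text: str) -> List[Port]:
    """Extract every port-table row from Nmap's normal (non-XML) output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:  # headers, host lines and script output do not match the pattern
            num, proto, state, svc, ver = m.groups()
            ports.append(Port(int(num), proto, state, svc, ver or ""))
    return ports

def unexpected_exposure(ports: List[Port], allowed: Set[Tuple[int, str]]):
    """Flag ports that are open or open|filtered but absent from the baseline,
    and, for baseline ports, any service Nmap could not identify with confidence."""
    findings = []
    for p in ports:
        if "open" not in p.state:
            continue  # closed/filtered ports are not exposure
        if (p.number, p.proto) not in allowed:
            findings.append((p, "not in baseline"))
        elif p.service.endswith("?"):
            findings.append((p, "service unidentified"))
    return findings

if __name__ == "__main__":
    baseline = {(22, "tcp"), (25, "tcp"), (80, "tcp")}  # assumed expected exposure
    for port, reason in unexpected_exposure(parse_ports(SAMPLE_OUTPUT), baseline):
        print(f"{port.number}/{port.proto} {port.state} {port.service}: {reason}")
```

In the sample, 9000/tcp (the unidentified Minio listener) and 53/udp are reported because neither is in the baseline; the UDP port is worth a closer look since open|filtered only means no ICMP unreachable came back.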

More details

https://duckduckgo.com/?q=nmap+cheat+sheet&t=hf&ia=cheatsheet&iax=1
