TLDR

• Host discovery
• nmap -sP a.b.c.d/24
• Port discovery mit Hostlist ohne Pingcheck
• nmap -sS -PN -iL ip.list
• Einmal alles
• nmap -A -PN -iL ip.list

basics

• https://nmap.org/man/de/man-port-scanning-basics.html

ping scan

Im gleichen Netz wird arp genutzt ansonsten icmp

• nmap -sP 10.0.10.0/24

vollständiger connect

SYN - SYN/ACK - ACK - RST

• nmap -sT 10.0.10.104

einfacher scan

SYN - SYN/ACK - RST (ohne root rechte nicht möglich)

• nmap -sS 10.0.10.104

udp scan

ports von 50 bis 70 werden gescanned (zeigte keine gewünschte ergebnisse)

• nmap -sU 10.0.10.104 -p 50-70

tcp und udp scan

• nmap -sTU 10.0.10.104

bestimmer Ports scannen

• nmap -p21,22,80 10.0.10.104

alle Ports scannen

• nmap -p- 10.0.10.104

reverse auflösung der host

• nmap -sL 10.0.10.102

Angabe von Source Address und Interface

• nmap -e eth0 -S 10.0.10.101 -P0 -sS 10.0.10.104

kompletter scan in numerischer reihenfolge

-r numerische reihenfolge -p- alle ports -v verbose

• nmap -v -r -p- -sS 10.0.10.104

Webserver detection

• nmap -sV 10.0.10.104 -p 80

...
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Nameserver detection

• nmap -sV 10.0.10.103 -p 53

...
53/tcp open  domain  ISC BIND 9.16.1 (Ubuntu Linux)

SSH Server detection

• nmap -sV 10.0.10.104 -p 22

...
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)

Links

• https://nmap.org/book/osdetect.html

os detection

Linux

• nmap -O -v 10.0.10.104 --osscan-guess

Initiating OS detection (try #1) against 192.168.240.69
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0

Windows

• nmap -O -v 10.0.10.102 --osscan-guess

Initiating OS detection (try #1) against win10.secure.local (10.0.10.102) OS CPE: cpe:/o:microsoft:windows_10 OS details: Microsoft Windows 10 1709 - 1909 OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

ssl-enum-ciphers

• nmap -sV --script ssl-enum-ciphers -p 443 www.xinux.de

Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 10:44 CET
Nmap scan report for www.xinux.de (94.130.248.212)
Host is up (0.027s latency).
Other addresses for www.xinux.de (not scanned): 2a01:4f8:13b:1e15:8000:0:212:1
rDNS record for 94.130.248.212: thor.tuxmen.de

PORT    STATE SERVICE VERSION
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.29 (Ubuntu)
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.85 seconds

schneller scan mit weniger Ports

• nmap -F 10.0.10.0/24

Ziele aus einer Datei lesen

• vi secure.local.list

10.0.10.1
10.0.10.102
10.0.10.103
10.0.10.104
10.0.10.105

Anwenden

• nmap -sP -iL secure.local.list

Links

• http://wiki.ubuntuusers.de/nmap
• https://nmap.org/man/de/