Nmap best practice
TLDR
- Host discovery
- nmap -sP a.b.c.d/24
- Port discovery with a host list, without ping check
- nmap -sS -PN -iL ip.list
- Everything at once
- nmap -A -PN -iL ip.list
Basics
Ping scan
- Within the same network ARP is used, otherwise ICMP
- nmap -sP 10.0.10.0/24
Full connect
SYN - SYN/ACK - ACK - RST
- nmap -sT 10.0.10.104
Simple scan
SYN - SYN/ACK - RST (not possible without root privileges)
- nmap -sS 10.0.10.104
UDP scan
Ports 50 to 70 are scanned (did not produce the desired results)
- nmap -sU 10.0.10.104 -p 50-70
TCP and UDP scan
- nmap -sTU 10.0.10.104
Scan specific ports
- nmap -p21,22,80 10.0.10.104
Scan all ports
- nmap -p- 10.0.10.104
Reverse DNS resolution of the hosts
- nmap -sL 10.0.10.102
Specifying source address and interface
- nmap -e eth0 -S 10.0.10.101 -P0 -sS 10.0.10.104
Complete scan in numerical order
-r: numerical order, -p-: all ports, -v: verbose
- nmap -v -r -p- -sS 10.0.10.104
Web server detection
- nmap -sV 10.0.10.104 -p 80
... 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
Nameserver detection
- nmap -sV 10.0.10.103 -p 53
... 53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
SSH Server detection
- nmap -sV 10.0.10.104 -p 22
... 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
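The three -sV results above are only useful to a defender once they are turned into an inventory and compared against what the host is supposed to expose. The following Python script is an added example (not part of the original page or of nmap) that parses port lines from nmap's normal output into records, builds a version inventory, and reports open ports that are missing from, or absent despite being on, an expected-service list. The sample output is constructed from the three service lines above plus a constructed header and two extra lines for the non-open states; EXPECTED_SERVICES is a hypothetical baseline.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap normal output. The three service lines are the ones
# shown on this page; the header and the closed/filtered lines are constructed
# so that the parser sees every state it has to handle.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.0.10.104
Host is up (0.00021s latency).
PORT     STATE         SERVICE VERSION
22/tcp   open          ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp   open          domain  ISC BIND 9.16.1 (Ubuntu Linux)
80/tcp   open          http    Apache httpd 2.4.7 ((Ubuntu))
443/tcp  closed        https
161/udp  open|filtered snmp
"""

# One port line: "<port>/<proto> <state> <service> [<version>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>[a-z]+(?:\|[a-z]+)?)\s+"
    r"(?P<service>\S+)"
    r"(?:\s+(?P<version>\S.*?))?\s*$"
)


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str  # "" when nmap printed no version column


def parse_port_lines(text):
    """Extract every port line from nmap's normal output."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"],
                                     m["service"], m["version"] or ""))
    return entries


def open_ports(entries):
    """Set of (proto, port) that nmap reports as definitely open."""
    return {(e.proto, e.port) for e in entries if e.state == "open"}


def unexpected_open(entries, expected):
    """Open ports that are not on the expected-service list (exposure drift)."""
    return sorted(open_ports(entries) - set(expected))


def missing_expected(entries, expected):
    """Expected services that are not reported open (outage or firewall change)."""
    return sorted(set(expected) - open_ports(entries))


def version_inventory(entries):
    """(proto, port) -> version string for open ports with a detected version."""
    return {(e.proto, e.port): e.version
            for e in entries if e.state == "open" and e.version}


# Hypothetical baseline for the host: only SSH and HTTPS are supposed to be reachable.
EXPECTED_SERVICES = {("tcp", 22), ("tcp", 443)}

if __name__ == "__main__":
    entries = parse_port_lines(SAMPLE_OUTPUT)
    for (proto, port), ver in sorted(version_inventory(entries).items()):
        print(f"{port}/{proto}: {ver}")
    print("unexpected open:", unexpected_open(entries, EXPECTED_SERVICES))
    print("expected but not open:", missing_expected(entries, EXPECTED_SERVICES))
```

Only the state "open" counts as exposure; "open|filtered" from a UDP scan is kept in the records but deliberately not treated as an open port, because nmap could not tell the two apart. Feeding the script the real output of nmap -sV is a matter of reading the file instead of SAMPLE_OUTPUT.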
Links
OS detection
Linux
- nmap -O -v 10.0.10.104 --osscan-guess
Initiating OS detection (try #1) against 192.168.240.69
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Windows
- nmap -O -v 10.0.10.102 --osscan-guess
Initiating OS detection (try #1) against win10.secure.local (10.0.10.102)
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 1909
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
ssl-enum-ciphers
- nmap -sV --script ssl-enum-ciphers -p 443 www.xinux.de
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 10:44 CET
Nmap scan report for www.xinux.de (94.130.248.212)
Host is up (0.027s latency).
Other addresses for www.xinux.de (not scanned): 2a01:4f8:13b:1e15:8000:0:212:1
rDNS record for 94.130.248.212: thor.tuxmen.de
PORT    STATE SERVICE VERSION
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.29 (Ubuntu)
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.85 seconds
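The output above reports "least strength: A" even though the server still offers TLSv1.0 and TLSv1.1 and a set of static-RSA suites, because that grade is nmap's weakest per-suite key-strength grade and says nothing about protocol versions or forward secrecy. The following Python script is an added example (not part of the original page or of nmap) that parses ssl-enum-ciphers output into a per-protocol suite list and derives the findings a defender would act on: legacy protocol versions, suites without forward secrecy (static RSA key exchange) and CBC-mode suites. SAMPLE is a shortened, constructed excerpt of the output above; the protocol and suite classification rules are this example's own.

```python
import re

# Constructed excerpt of the ssl-enum-ciphers output shown on this page,
# shortened to a few suites per protocol version.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Script output lines: a protocol header, a suite line and the summary grade.
VERSION_LINE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
CIPHER_LINE = re.compile(r"^\|\s+(TLS_\S+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
LEAST_LINE = re.compile(r"^\|_?\s+least strength:\s+([A-F])", re.MULTILINE)

# Classification used by this example: versions that should no longer be offered.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_ssl_enum(text):
    """{protocol: [(suite, key_exchange_info, grade), ...]} from script output."""
    suites = {}
    current = None
    for line in text.splitlines():
        vm = VERSION_LINE.match(line)
        if vm:
            current = vm.group(1)
            suites[current] = []
            continue
        cm = CIPHER_LINE.match(line)
        if cm and current is not None:
            suites[current].append((cm.group(1), cm.group(2), cm.group(3)))
    return suites


def least_strength(text):
    """The 'least strength' letter nmap prints, or None if absent."""
    m = LEAST_LINE.search(text)
    return m.group(1) if m else None


def legacy_protocols(suites):
    return sorted(p for p in suites if p in LEGACY_PROTOCOLS)


def non_pfs_suites(suites):
    """Static RSA key exchange: a later key compromise decrypts recorded sessions."""
    return [(p, s) for p in sorted(suites) for s, _, _ in suites[p]
            if s.startswith("TLS_RSA_WITH_")]


def cbc_suites(suites):
    """CBC-mode suites; AEAD suites (GCM, CHACHA20_POLY1305) are preferred."""
    return [(p, s) for p in sorted(suites) for s, _, _ in suites[p] if "_CBC_" in s]


def assess(text):
    """Human-readable findings for one ssl-enum-ciphers result."""
    suites = parse_ssl_enum(text)
    findings = [f"{p} offered (deprecated protocol version)" for p in legacy_protocols(suites)]
    findings += [f"{p}: {s} has no forward secrecy" for p, s in non_pfs_suites(suites)]
    findings += [f"{p}: {s} is a CBC-mode suite" for p, s in cbc_suites(suites)]
    if least_strength(text) == "A" and findings:
        findings.append("least strength A is the weakest per-suite grade; it does not "
                        "cover protocol version or forward secrecy, see the findings above")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

The same parser works on the full output from nmap -sV --script ssl-enum-ciphers; for the host above it would additionally list TLSv1.1 and every TLS_RSA_WITH_ suite in the TLSv1.2 block as findings.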
Quick scan with fewer ports
- nmap -F 10.0.10.0/24
Read targets from a file
- vi secure.local.list
10.0.10.1 10.0.10.102 10.0.10.103 10.0.10.104 10.0.10.105
Apply
- nmap -sP -iL secure.local.list