Nmap

Nmap is the most popular port scanner. Some common uses are described below, each with the command it refers to.

 * Standard scan on a single IP:

   nmap 192.168.0.200

 * Scan an IP range, equivalent to a ping sweep, to discover which hosts are up (-sn = host discovery only, no port scan; the author's mnemonic is "Sweep Network"):

   nmap -sn 192.168.0.200-250

 * The same sweep, verbose, with greppable output (-oG) sent to a text file:

   nmap -v -sn 192.168.1.200-250 -oG ping-sweep.txt

 * Look for hosts with port 80 open in a range of IPs, and send the result to a text file:

   nmap -p 80 192.168.1.100-200 -oG web-sweep.txt

 * Scan the 20 most common ports in a range of IPs, using a connect scan (-sT = TCP connect scan, which completes the full TCP handshake through the OS socket API and works when a raw SYN scan cannot be used):

   nmap -sT -A --top-ports=20 192.168.1.200-250

 * Scan all 65535 TCP ports:

   nmap -p- 192.168.1.100

 * Scan a host and identify the services running on the 1000 most common ports (-sV = service/version detection):

   nmap -sV -sT 10.0.0.19

 * Scan the 1000 most common ports of a host and try to detect its OS (-O = OS detection):

   nmap 192.168.1.200 -O

 * Exhaustive analysis of a host (-A = aggressive scan: OS detection, version detection, default scripts and traceroute):

   nmap 192.168.1.200 -A

 * Scan UDP port 161 in a range of IPs and save only the hosts with the port open to a file (-sU = scan UDP ports, --open = show only open ports):

   nmap -sU --open -p 161 192.168.1.132-140 -oG mega-snmp.txt

 * Can help if some hosts do not show up in a network sweep (--unprivileged forces the unprivileged, connect()-based host discovery instead of raw packets):

   nmap 192.168.1.0/24 -sP --unprivileged

Nmap also has timing options. Going faster is more suspicious and easier to detect. Faster scans are achieved with -T4 and -T5, as opposed to slower scans with -T0 or -T1. The latter are extremely slow and only for the paranoid.

   nmap -T5 192.168.1.200
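Several of the commands above write greppable output (-oG) so that the result can be post-processed. The script below is an added example, not part of the original cheat sheet: it parses the -oG format (one "Host:" line per host, tab-separated "Status:" and "Ports:" fields, each port written as port/state/protocol/owner/service/rpc/version) and reports which hosts are up and which have a given port open. The sample scan output is constructed to match that format and is not a real scan; pass a real -oG file as the optional last argument instead.

```shell
#!/bin/sh
# Parse nmap greppable output (-oG). Added example; the sample below is constructed.

# Constructed sample in -oG format (fields are tab-separated, like real nmap output).
sample_og() {
    printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
    printf 'Host: 192.168.1.100 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n'
    printf 'Host: 192.168.1.101 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.101 ()\tPorts: 80/closed/tcp//http///\n'
    printf 'Host: 192.168.1.102 ()\tStatus: Down\n'
    printf 'Host: 192.168.1.103 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.103 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)\n'
    printf '%s\n' '# Nmap done (constructed sample)'
}

# og_input [FILE]: read FILE if given, otherwise the constructed sample.
og_input() {
    if [ -n "$1" ]; then cat -- "$1"; else sample_og; fi
}

# hosts_up [FILE]: print the IP of every host whose Status field is "Up".
hosts_up() {
    og_input "$1" | awk -F'\t' '
        $1 ~ /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) if ($i == "Status: Up") print ip
        }'
}

# hosts_with_open_port PORT [FILE]: print the IP of every host whose Ports field
# lists PORT in state "open" (port/state/proto/... entries separated by ", ").
hosts_with_open_port() {
    og_input "$2" | awk -F'\t' -v p="$1" '
        $1 ~ /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                m = split(substr($i, 8), ports, /, */)   # strip "Ports: " then split entries
                for (j = 1; j <= m; j++) {
                    split(ports[j], d, "/")
                    if (d[1] == p && d[2] == "open") print ip
                }
            }
        }'
}

# Usage on the constructed sample (or: hosts_with_open_port 80 web-sweep.txt).
echo "hosts up:";          hosts_up
echo "port 80 open:";      hosts_with_open_port 80
```

The "Status: Up" and "Ports:" lines for one host are separate records in -oG output, which is why each function matches on the field it needs rather than on the host line as a whole; a host that is up but has the port closed (192.168.1.101 in the sample) appears in the first list and not in the second.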

Nmap scripting engine

Scripts are located in /usr/share/nmap/scripts.

 * Run the default scripts against a host (-sC = default scripts):

   nmap -sC 192.168.1.200

 * Run non-intrusive scripts against a host (the "safe" category):

   nmap --script safe 192.168.1.200

 * Run vulnerability-detection scripts against a host (the "vuln" category):

   nmap --script vuln 192.168.1.200

 * Run all scripts against a host. Can be very slow and "noisy":

   nmap --script all 192.168.1.200

Examples of specific scripts:

 * Scan a host and use the SMB OS discovery script (--script = use the specified script):

   nmap 10.0.0.19 -p 139,445 --script smb-os-discovery.nse

 * Enumerate users using SMB:

   nmap -p 139,445 --script smb-enum-users 192.168.1.200

 * Check for known SMB vulnerabilities (unsafe=1 enables checks that may crash the target service):

   nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.200

 * Zone transfer against a host running a DNS server:

   nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com

 * Script against a ColdFusion server to try to get the admin password using directory traversal:

   nmap -v -p 80 --script=http-vuln-cve2010-2861 192.168.1.139

 * Script to check whether an FTP server allows anonymous login:

   nmap -v -p 21 --script=ftp-anon.nse 192.168.1.130-140