NMAP CheatSheet

Cullinan(Wiki) 프로젝트를 진행하면서 Cullinan - Nmap에 다시 정리해두었습니다. 해당 페이지가 최신이니 참고 부탁드려요 😎

Go-to command

1
2
3
4


nmap -sC 192.168.0.1   (same this, nmap 192.168.0.1 --script=default)
- 디폴트 스크립트로 대상 스캔
- scanning with default scripts

1
2
3
4


nmap -sn -sC 192.168.0.1
- 포트스캔 없이 스크립트 스캔만
- scanning default script without portscan

1
2
3
4


nmap -PN 192.168.0.1
- Host 스캔 없이 바로 포트 스캐닝
- Portscanning without host scan

1
2
3


nmap -PN 192.168.0.1 -p-
- Full port(1-65536) scanning

1
2
3
4


nmap -sS 192.168.0.1
- Syn 스캔
- Syn portscan

1
2
3


nmap -sS 192.168.0.1 --script=http* -oX test.xml
- Syn scanning with enable "http~~" scripts and xml output file

Default

Scan single IP/Port

1
2


nmap 192.168.0.1

1
2


nmap www.hahwul.com

1
2


nmap 192.168.0.1 -p 443

Scan range of IP/Port

IP Range and Subnet

1
2


nmap 192.168.0.1-254

1
2


nmap 192.168.0.0/24

Port Range

1
2


nmap 192.168.0.1 -p 20-3000

Full port scan

1
2


nmap 192.168.0.1 -p-

100 most command port

1
2


nmap 192.168.0.1 -F

Scan from file

1
2


nmap -iL hosts.txt

Scan types

TCP

1
2


nmap -sT 192.168.0.1

SYN

1
2


nmap -sS 192.168.0.1

UDP

1
2


nmap -sU 192.168.0.1

PING(Ping Sweep)

1
2


nmap -sP 192.168.0.1

NSE(lua)

Usage

1
2
3
4


Same lines.
--script <NSE FILE>
--script=<NSE FILE>

Using NSE

1
2


nmap 192.168.0.1 --script <NSE FILE>

1
2


nmap 192.168.0.1 --script=<NSE FILE>

Use NSE with nse arguments

1
2


nmap 192.168.0.1 --script nse --script-args <ARGUMENTS>

Use NSE with nse arguments file

1
2


nmap 192.168.0.1 --script nse --script-args-file <FILE>

Use NSE Arguments Script

1
2


nmap -sC --script-args 'user=foo,pass=",{}=bar",paths={/admin,/cgi-bin},xmpp-info.server_name=localhost’

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


nmap.registry.args = {
  user = "foo",
  pass = ",{}=bar",
  paths = {
    "/admin",
    "/cgi-bin"
  },
  xmpp-info.server_name="localhost"
}

NSE List

NSE Tools

AutoNSE: https://github.com/m4ll0k/AutoNSE
HTTPRecon: https://github.com/scipag/httprecon-nse
Sandmap: https://github.com/trimstray/sandmap

Write NSE scripts

NSE Information

1
2
3
4
5
6
7
8
9


description = [[
Attempts to find the owner of an open TCP port by querying an auth
(identd - port 113) daemon which must also be open on the target system.
]]

author = "Diman Todorov"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "safe"}

portrule

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


portrule = function(host, port)
    local auth_port = { number=113, protocol="tcp" }
    local identd = nmap.get_port_state(host, auth_port)

    return identd ~= nil
        and identd.state == "open"
        and port.protocol == "tcp"
        and port.state == "open"
end

action

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38


action = function(host, port)
        local owner = ""

        local client_ident = nmap.new_socket()
        local client_service = nmap.new_socket()

        local catch = function()
                client_ident:close()
                client_service:close()
        end

        local try = nmap.new_try(catch)

        try(client_ident:connect(host.ip, 113))
        try(client_service:connect(host.ip, port.number))

        local localip, localport, remoteip, remoteport =
                try(client_service:get_info())

        local request = port.number .. ", " .. localport .. "\r\n"

        try(client_ident:send(request))

        owner = try(client_ident:receive_lines(1))

        if string.match(owner, "ERROR") then
                owner = nil
        else
                owner = string.match(owner,
                        "%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*.+%s*:%s*(.+)\r?\n")
        end

        try(client_ident:close())
        try(client_service:close())

        return owner
end

(https://nmap.org/book/nse-tutorial.html)