Nmap (Cullinan CheatSheet)

Free and open source utility for network discovery and security auditing

Introduction

Nmap is an open-source network discovery tool. It is generally known as a port scanner, but because you can build your own test logic with Lua scripts (NSE), it can cover everything from web-level to network-level vulnerability scanning.

Installation

Mac

$ brew install nmap

Linux

$ apt install nmap

Windows

https://nmap.org/download.html

Go-to commands

$ nmap -sC 192.168.0.1   (same as: nmap 192.168.0.1 --script=default)
- Scan the target with the default scripts
$ nmap -sn -sC 192.168.0.1
- Default script scan only, without a port scan
$ nmap -PN 192.168.0.1
- Port scan without host discovery
$ nmap -PN 192.168.0.1 -p-
- Full port(1-65536) scanning
$ nmap -sS 192.168.0.1
- SYN port scan
$ nmap -sS 192.168.0.1 --script=http* -oX test.xml
- SYN scan with the "http-*" scripts enabled and XML output written to test.xml
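Once a scan has been written out with -oX, the XML is the easiest format to post-process. The following is an added example, not part of the original cheatsheet: a small Python parser over a constructed nmap -oX fragment that lists open ports together with the output of the http-* scripts that ran on them.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan), trimmed to the
# elements this parser reads: host address, port state/service, script output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS 192.168.0.1 --script=http* -oX test.xml">
  <host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
        <script id="http-title" output="Welcome"/>
        <script id="http-server-header" output="Apache"/>
      </port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return one record per host/port with state, service and NSE script output."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state_el, svc_el = port.find("state"), port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "service": svc_el.get("name", "") if svc_el is not None else "",
                # <script> children: each NSE script that ran on this port and its output
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
    return records

def open_ports(records):
    """Keep only open ports; this is the list worth diffing against a baseline scan."""
    return [r for r in records if r["state"] == "open"]

def summarize(records):
    """One line per open port: host port/proto service script=output; ..."""
    lines = []
    for r in open_ports(records):
        scripts = "; ".join(f"{k}={v}" for k, v in sorted(r["scripts"].items()))
        lines.append(f"{r['host']} {r['port']}/{r['proto']} {r['service']} {scripts}".rstrip())
    return lines
```

To run it against a real file, replace SAMPLE_XML with open("test.xml").read(); the same functions work on multi-host output because the parser iterates every host element.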

Default Commands

Scan single IP/Port

$ nmap 192.168.0.1
$ nmap www.hahwul.com
$ nmap 192.168.0.1 -p 443

Scan range of IP/Ports

IP range and subnet

$ nmap 192.168.0.1-254
$ nmap 192.168.0.0/24

Port range

$ nmap 192.168.0.1 -p 20-3000

Full port scanning

$ nmap 192.168.0.1 -p-

Top 100 most common ports (fast scan)

$ nmap 192.168.0.1 -F

Scan from file

$ nmap -iL hosts.txt

Scan types

TCP

$ nmap -sT 192.168.0.1

Syn

$ nmap -sS 192.168.0.1

UDP

$ nmap -sU 192.168.0.1

PING(Ping sweep)

$ nmap -sP 192.168.0.1

Use NSE(Lua)

Usage

These two forms are equivalent:
--script <NSE FILE>
--script=<NSE FILE>

Use NSE

$ nmap 192.168.0.1 --script <NSE FILE>

Use NSE with arguments

$ nmap 192.168.0.1 --script nse --script-args <ARGUMENTS>

Use NSE with arguments file

$ nmap 192.168.0.1 --script nse --script-args-file <FILE>

Use NSE arguments scripts

$ nmap -sC 192.168.0.1 --script-args 'user=foo,pass=",{}=bar",paths={/admin,/cgi-bin},xmpp-info.server_name=localhost'
Scripts receive these arguments as the Lua table nmap.registry.args:
nmap.registry.args = {
  user = "foo",
  pass = ",{}=bar",
  paths = {
    "/admin",
    "/cgi-bin"
  },
  ["xmpp-info.server_name"] = "localhost"
}

Write NSE scripts

NSE Information

description = [[
Attempts to find the owner of an open TCP port by querying an auth
(identd - port 113) daemon which must also be open on the target system.
]]

author = "Diman Todorov"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "safe"}

portrule

-- Run only when identd (113/tcp) is open on the target and the port being scanned is an open TCP port
portrule = function(host, port)
    local auth_port = { number=113, protocol="tcp" }
    local identd = nmap.get_port_state(host, auth_port)

    return identd ~= nil
        and identd.state == "open"
        and port.protocol == "tcp"
        and port.state == "open"
end

action

action = function(host, port)
    local owner = ""
    local client_ident = nmap.new_socket()
    local client_service = nmap.new_socket()
    -- On any failure inside try(), close both sockets before the script aborts
    local catch = function()
        client_ident:close()
        client_service:close()
    end
    local try = nmap.new_try(catch)
    try(client_ident:connect(host.ip, 113))
    try(client_service:connect(host.ip, port.number))
    -- The local port of our connection to the service is what identd is asked about
    local localip, localport, remoteip, remoteport =
        try(client_service:get_info())

    -- Ident request format: "<server-port>, <client-port>\r\n"
    local request = port.number .. ", " .. localport .. "\r\n"
    try(client_ident:send(request))
    owner = try(client_ident:receive_lines(1))
    if string.match(owner, "ERROR") then
        owner = nil
    else
        -- Reply format: "<ports> : USERID : <os-type> : <user-id>"; capture the user id
        owner = string.match(owner,
            "%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*.+%s*:%s*(.+)\r?\n")
    end
    try(client_ident:close())
    try(client_service:close())
    return owner
end
