Nmap (Cullinan CheatSheet)
Free and open source utility for network discovery and security auditing
Introduction
Nmap is an open-source network discovery tool. It is best known as a port scanner, but its Lua scripting engine (NSE) lets you attach your own testing logic to a scan, so it covers everything from web-level checks down to network-level vulnerability scanning.
Installation
Mac
$ brew install nmap
Linux
$ apt install nmap
Windows
https://nmap.org/download.html
Go-to commands
$ nmap -sC 192.168.0.1 (same as: nmap 192.168.0.1 --script=default)
- scan the target with the default script set
$ nmap -sn -sC 192.168.0.1
- script scan without a port scan (-sn skips the port scan, so only host-level scripts run; scripts with a portrule need open ports and will not fire)
$ nmap -Pn 192.168.0.1
- port scan without host discovery (treats the host as up; -PN is the older spelling and is still accepted)
$ nmap -Pn 192.168.0.1 -p-
- full port (1-65535) scan
$ nmap -sS 192.168.0.1
- SYN (half-open) scan; needs raw-socket privileges (root/sudo). The default scan type is -sS when privileged and -sT otherwise.
$ nmap -sS 192.168.0.1 --script 'http-*' -oX test.xml
- SYN scan running every script whose name starts with "http-", with XML output written to test.xml (quote the glob so the shell does not expand it)
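A typical way to chain the commands above, as an added example that is not part of the cheatsheet: a full-range SYN sweep first (cheap, no scripts or version probes), then version detection and the default script set only on the ports that came back open, with XML output for tooling. The open-port extraction works on nmap's grepable output (-oG). The sample .gnmap lines at the bottom are constructed here to exercise the parser offline; the target, output file names and the --min-rate value are assumptions.

```shell
#!/bin/sh
# Two-stage scan: (1) fast full-range SYN sweep, (2) -sV -sC on the open ports only.
# Added example; not from the cheatsheet. Needs root/sudo for -sS.

# Print the open TCP ports from an nmap grepable (-oG) file as "22,80,443",
# the form -p expects. Filtered/closed ports and non-TCP entries are ignored.
open_ports_from_gnmap() {
  grep '^Host:' "$1" \
    | sed -n 's/.*Ports: //p' \
    | tr ',' '\n' \
    | sed -n 's#^ *\([0-9][0-9]*\)/open/tcp/.*#\1#p' \
    | sort -n -u \
    | paste -s -d, -
}

# Stage 1: every TCP port, no host discovery, no version probes, grepable output.
# Stage 2: version detection plus the default script set, only on what stage 1 found.
staged_scan() {
  target="$1"
  out="${2:-scan-$1}"          # assumed output prefix
  sudo nmap -Pn -sS -p- --min-rate 1000 -oG "$out.stage1.gnmap" "$target"
  ports="$(open_ports_from_gnmap "$out.stage1.gnmap")"
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  sudo nmap -Pn -sV -sC -p "$ports" -oX "$out.stage2.xml" "$target"
}

# Constructed sample of stage-1 output (not a real scan result), to exercise the
# parser without a network. The filtered port is dropped and the list is sorted.
SAMPLE_GNMAP="$(mktemp)"
printf 'Host: 192.168.0.1 ()\tStatus: Up\n' > "$SAMPLE_GNMAP"
printf 'Host: 192.168.0.1 ()\tPorts: 443/open/tcp//https///, 22/open/tcp//ssh///, 23/filtered/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (65531)\n' >> "$SAMPLE_GNMAP"

echo "sample open ports: $(open_ports_from_gnmap "$SAMPLE_GNMAP")"   # 22,80,443

# Usage: sh staged_scan.sh <target> [output-prefix]
if [ -n "${1:-}" ]; then
  staged_scan "$1" "${2:-}"
fi
```

The point of the split is that -p- with -sV and -sC on every port is slow and noisy; stage 1 only needs the SYN/RST exchange, and stage 2 sends the expensive probes to the handful of ports that matter. With -sV in stage 2 only, version strings cannot confuse the stage-1 parser.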
Default Commands
Scan single IP/Port
$ nmap 192.168.0.1
$ nmap www.hahwul.com
$ nmap 192.168.0.1 -p 443
Scan range of IP/Ports
IP range and subnet
$ nmap 192.168.0.1-254
$ nmap 192.168.0.0/24
Port range
$ nmap 192.168.0.1 -p 20-3000
Full port scanning
$ nmap 192.168.0.1 -p-
Top 100 ports (fast mode)
$ nmap 192.168.0.1 -F
Scan targets from a file
$ nmap -iL hosts.txt
Scan types
TCP connect scan (no raw sockets needed)
$ nmap -sT 192.168.0.1
SYN (half-open) scan
$ nmap -sS 192.168.0.1
UDP scan (slow; combine with -p or --top-ports)
$ nmap -sU 192.168.0.1
Ping sweep (host discovery only, no port scan)
$ nmap -sn 192.168.0.1
- -sP is the deprecated spelling of -sn and is still accepted
Use NSE(Lua)
Usage
Both forms are equivalent:
--script <NSE FILE>
--script=<NSE FILE>
Use NSE
$ nmap 192.168.0.1 --script <NSE FILE>
Use NSE with arguments
$ nmap 192.168.0.1 --script <NSE FILE> --script-args <ARGUMENTS>
Use NSE with an arguments file
$ nmap 192.168.0.1 --script <NSE FILE> --script-args-file <FILE>
How script arguments are parsed
Nmap parses --script-args into the Lua table nmap.registry.args; scripts read single values with stdnse.get_script_args("name"). Double-quote values that contain commas or braces, and use {a,b} for list values:
$ nmap -sC 192.168.0.1 --script-args 'user=foo,pass=",{}=bar",paths={/admin,/cgi-bin},xmpp-info.server_name=localhost'
The resulting table:
  nmap.registry.args = {
    user = "foo",
    pass = ",{}=bar",
    paths = {
      "/admin",
      "/cgi-bin"
    },
    ["xmpp-info.server_name"] = "localhost"   -- dotted names need bracket syntax in Lua
  }
NSE references
- https://nmap.org/nsedoc/lib/nmap.html (nmap Lua library API)
- https://github.com/nmap/nmap/tree/master/scripts (bundled scripts)
- https://github.com/topics/nmap-scripts (third-party scripts)
Write NSE scripts
NSE Information
The layout of an NSE script, using Nmap's bundled auth-owners.nse as the example: the libraries the script needs, the metadata fields, a rule (here a portrule) that decides whether the script runs, and the action that does the work.
  local nmap = require "nmap"
  local string = require "string"

  description = [[
  Attempts to find the owner of an open TCP port by querying an auth
  (identd - port 113) daemon which must also be open on the target system.
  ]]
  author = "Diman Todorov"
  license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
  -- "default" puts the script in the -sC set; "safe" means it is not expected to crash or disrupt the target
  categories = {"default", "safe"}
portrule
The portrule is evaluated once per (host, port); this script fires only for an open TCP port on a host whose port 113 is also open.
  portrule = function(host, port)
    local auth_port = { number=113, protocol="tcp" }
    local identd = nmap.get_port_state(host, auth_port)
    return identd ~= nil
      and identd.state == "open"
      and port.protocol == "tcp"
      and port.state == "open"
  end
action
The action opens a connection to the target port (so identd has a live connection to look up), asks identd which user owns that connection, and returns the parsed username as the script output.
  action = function(host, port)
    local owner = ""
    local client_ident = nmap.new_socket()
    local client_service = nmap.new_socket()
    -- catch runs when any try() below fails, so the sockets are not leaked
    local catch = function()
      client_ident:close()
      client_service:close()
    end
    local try = nmap.new_try(catch)
    try(client_ident:connect(host.ip, 113))
    try(client_service:connect(host.ip, port.number))
    -- our side of the connection just opened; identd identifies a connection by (server port, client port)
    local localip, localport, remoteip, remoteport =
      try(client_service:get_info())
    -- ident request (RFC 1413): "<port-on-server>, <port-on-client>\r\n"
    local request = port.number .. ", " .. localport .. "\r\n"
    try(client_ident:send(request))
    owner = try(client_ident:receive_lines(1))
    if string.match(owner, "ERROR") then
      owner = nil
    else
      -- reply: "<port>, <port> : USERID : <opsys> : <user-id>"; keep only the user-id
      owner = string.match(owner,
        "%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*.+%s*:%s*(.+)\r?\n")
    end
    try(client_ident:close())
    try(client_service:close())
    -- returning nil prints no output line for this port
    return owner
  end
Articles
- https://www.hahwul.com/2020/08/02/nmap-cheatsheet/
- https://www.hahwul.com/2019/05/12/nmap-nse-4/
- https://www.hahwul.com/2019/05/12/four-nmap-nse-scripts-for-penetration/
- https://www.hahwul.com/2016/03/27/hacking-nmap-part2-nsenmap-script/
- https://www.hahwul.com/2016/03/13/hacking-nmap-part1-nmap-network-scan/