github/thc-tips-tricks-hacks-cheat-sheet
1
1
Fork 0
mirror of https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet.git synced 2026-01-08 23:38:07 -05:00
Code Issues Packages Projects Releases Wiki Activity

nmap

Browse Source
This commit is contained in:
Root THC
2024-08-25 09:41:56 +01:00
parent 4b2c8f2f32
commit 654a7d9e9f
2 changed files with 19 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/push_www.yaml vendored
View File

@@ -26,10 +26,9 @@ jobs:
git clone -b gh-pages --single-branch git@github.com:hackerschoice/hackerschoice.github.io.git git clone -b gh-pages --single-branch git@github.com:hackerschoice/hackerschoice.github.io.git
cd hackerschoice.github.io cd hackerschoice.github.io
cmp -s /tmp/whatserver.sh ws || { cat /tmp/whatserver.sh >ws; is_updated=1; } cmp -s /tmp/whatserver.sh ws || { cat /tmp/whatserver.sh >ws; is_updated=1; }
#cmp -s /tmp/hackshell.sh ws || { cat /tmp/hackshell.sh >hs; is_updated=1; }
[ -n $is_updated ] && { [ -n $is_updated ] && {
git config --local user.name "GitHub Action" git config --local user.name "GitHub Action"
git config --local user.email "root@proton.thc.org" git config --local user.email "root@proton.thc.org"
git add ws hs && git commit -m "whatserver" && git push git add ws && git commit -m "whatserver" && git push
} }

30
README.md
View File

@@ -165,17 +165,17 @@ $ id
Hide as "syslogd". Hide as "syslogd".
```shell ```shell
(exec -a syslogd nmap -T0 10.0.2.1/24) # Note the brackets '(' and ')' (exec -a syslogd nmap -Pn -F -n --open -oG - 10.0.2.1/24) # Note the brackets '(' and ')'
``` ```
Start a background hidden process: Start a background hidden process:
``` ```
(exec -a syslogd nmap -T0 10.0.2.1/24 &>nmap.log &) (exec -a syslogd nmap -Pn -F -n --open -oG - 10.0.2.1/24 &>nmap.log &)
``` ```
Start within a [GNU screen](https://linux.die.net/man/1/screen): Start within a [GNU screen](https://linux.die.net/man/1/screen):
``` ```
screen -dmS MyName nmap -T0 10.0.2.1/24 screen -dmS MyName nmap -Pn -F -n --open -oG - 10.0.2.1/24
### Attach back to the nmap process ### Attach back to the nmap process
screen -x MyName screen -x MyName
``` ```
@@ -183,7 +183,7 @@ screen -x MyName
Alternatively if there is no Bash: Alternatively if there is no Bash:
```sh ```sh
cp "$(command -v nmap)" syslogd cp "$(command -v nmap)" syslogd
PATH=.:$PATH syslogd -T0 10.0.2.1/24 PATH=.:$PATH syslogd -Pn -F -n --open -oG - 10.0.2.1/24
``` ```
In this example we execute *nmap* but let it appear with the name *syslogd* in *ps alxwww* process list. In this example we execute *nmap* but let it appear with the name *syslogd* in *ps alxwww* process list.
@@ -193,9 +193,9 @@ In this example we execute *nmap* but let it appear with the name *syslogd* in *
Use [zapper](https://github.com/hackerschoice/zapper): Use [zapper](https://github.com/hackerschoice/zapper):
```sh ```sh
# Start Nmap but zap all options and show it as 'klog' in the process list: # Start Nmap but zap all options and show it as 'klog' in the process list:
./zapper -a klog nmap -T0 10.0.0.1/24 ./zapper -a klog nmap -Pn -F -n --open -oG - 10.0.0.1/24
# Same but started as a daemon: # Same but started as a daemon:
(./zapper -a klog nmap -T0 10.0.0.1/24 &>nmap.log &) (./zapper -a klog nmap -Pn -F -n --open -oG - 10.0.0.1/24 &>nmap.log &)
# Replace the existing shell with tmux (with 'exec'). # Replace the existing shell with tmux (with 'exec').
# Then start and hide tmux and all further processes - as some kernel process: # Then start and hide tmux and all further processes - as some kernel process:
exec ./zapper -f -a'[kworker/1:0-rcu_gp]' tmux exec ./zapper -f -a'[kworker/1:0-rcu_gp]' tmux
@@ -319,7 +319,8 @@ echo "ssh-ed25519 AAAAOurPublicKeyHere....blah x@y"$'\r'"$(<authorized_keys)" >a
Scan 20 hosts in parallel and log each result to a separate log file: Scan 20 hosts in parallel and log each result to a separate log file:
```sh ```sh
# hosts.txt contains a long list of hostnames or ip-addresses # hosts.txt contains a long list of hostnames or ip-addresses
cat hosts.txt | parallel -j20 'exec nmap -n -Pn -sCV -F --open {} >nmap_{}.txt' # (Use -sCV for more verbose version)
cat hosts.txt | parallel -j20 'exec nmap -n -Pn -sV -F --open -oG - {} >nmap_{}.txt'
``` ```
Note: The example uses `exec` to replace the underlying shell with the last process (nmap, gsexec). It's optional but reduces the number of running shell binaries. Note: The example uses `exec` to replace the underlying shell with the last process (nmap, gsexec). It's optional but reduces the number of running shell binaries.
@@ -499,13 +500,18 @@ ssh -D1080 -R31339:0:31339 -i sshd_key -p 31337 joe@1.2.3.4
**3.i. Discover hosts** **3.i. Discover hosts**
```sh ```sh
## ARP disocer computers on the local network ## ARP discover computers on the _LOCAL_ network only
nmap -r -sn -PR 192.168.0.1/24 nmap -n -sn -PR -oG - 192.168.0.1/24
``` ```
```sh ```sh
## ICMP discover computers on the local netowork ### ICMP discover hosts
NET="10.11.0" # discover 10.11.0.1-10.11.0.254 nmap -n -sn -PI -oG - 192.168.0.1/24
```
```sh
## ICMP discover hosts (local LAN) ROOT
# NET="10.11.0" # discover 10.11.0.1-10.11.0.254
seq 1 254 | xargs -P20 -I{} ping -n -c3 -i0.2 -w1 -W200 "${NET:-192.168.0}.{}" | grep 'bytes from' | awk '{print $4" "$7;}' | sort -uV -k1,1 seq 1 254 | xargs -P20 -I{} ping -n -c3 -i0.2 -w1 -W200 "${NET:-192.168.0}.{}" | grep 'bytes from' | awk '{print $4" "$7;}' | sort -uV -k1,1
``` ```
@@ -780,7 +786,7 @@ curl https://internetdb.shodan.io/1.1.1.1
Fast (-F) vulnerability scan Fast (-F) vulnerability scan
```shell ```shell
# Version gathering # Version gathering
nmap -sCV -F -Pn --min-rate 10000 scanme.nmap.org nmap nmap -n -Pn -sCV -F --open --min-rate 10000 scanme.nmap.org
# Vulns # Vulns
nmap -A -F -Pn --min-rate 10000 --script vulners.nse --script-timeout=5s scanme.nmap.org nmap -A -F -Pn --min-rate 10000 --script vulners.nse --script-timeout=5s scanme.nmap.org
``` ```