Nmap bestpractice

From Xinux Wiki

Revision as of 5 July 2021, 12:14

Basics

Pure ping scan (host discovery only, no port scan; -sP is the legacy spelling, current nmap calls it -sn and still accepts -sP)

  • nmap -sP 192.168.66.0/24

Fast scan with fewer ports (-F scans the 100 most common ports instead of the default 1000)

  • nmap -F 192.168.66.0/24

Full connect scan

SYN - SYN/ACK - ACK - RST: -sT completes the three-way handshake through the operating system's connect() call and then tears the connection down. It works without root, but the service sees a completed connection and may log it.

  • nmap -sT 192.168.66.52

SYN (half-open) scan

SYN - SYN/ACK - RST: nmap answers the SYN/ACK with a RST instead of completing the handshake. This needs raw sockets and is therefore not possible without root privileges; as root it is nmap's default scan type.

  • nmap -sS 192.168.66.52
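To make the difference between the two scan types concrete, here is a minimal connect scan in Python, an added example and not code from the wiki page or from nmap. It performs the same full handshake that -sT does through connect(), classifies ports the way nmap does (handshake completed = open, RST = closed, no answer = filtered), and needs no root. The target is a constructed listener on 127.0.0.1 so the example runs offline; the host address, the port choice and the helper names are this example's own assumptions.

```python
# Added example, not code from the Xinux wiki page: a minimal TCP connect scan,
# i.e. the full "SYN - SYN/ACK - ACK" handshake that nmap -sT performs through
# the operating system's connect() call. Because it uses ordinary sockets it
# needs no root, unlike the half-open SYN scan (-sS), which needs raw sockets.
# The listener below is a constructed local target so the example runs offline.
import socket
import threading
import contextlib


def connect_scan(host, ports, timeout=0.5):
    """Return {port: 'open' | 'closed' | 'filtered'} using full TCP connects.

    Same classification nmap -sT uses: a completed handshake means open, an
    RST in reply to the SYN means closed, no reply at all means filtered.
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # SYN -> SYN/ACK -> ACK completed
            results[port] = "open"
        except ConnectionRefusedError:       # SYN answered with RST
            results[port] = "closed"
        except (socket.timeout, OSError):    # nothing came back: dropped by a filter
            results[port] = "filtered"
        finally:
            s.close()                        # the kernel tears the connection down
    return results


@contextlib.contextmanager
def local_listener():
    """Constructed target: a single listening TCP socket on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))               # port 0: let the kernel pick one
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def accept_loop():                       # accept and drop, like a silent service
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()
    try:
        yield srv.getsockname()[1]
    finally:
        stop.set()
        worker.join()
        srv.close()


def free_port():
    """Pick a port nothing listens on, so the scan sees a 'closed' answer (RST)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()                              # released at once; it never listened
    return port


def demo():
    """Scan one open and one closed loopback port; returns (open, closed, results)."""
    with local_listener() as open_port:
        closed_port = free_port()
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    return open_port, closed_port, results


if __name__ == "__main__":
    print(demo())
```

Because connect() hands the whole handshake to the kernel, the scanner cannot send the early RST that -sS uses; the listener's accept() sees a real connection, which is exactly why a connect scan shows up in service logs and a SYN scan usually does not.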

UDP scan

Ports 50 to 70 are scanned (showed no desired results). UDP scans are slow and ambiguous by nature: a closed port answers with ICMP port unreachable, while an open port usually stays silent, so nmap reports such ports as open|filtered unless the service replies to a probe.

  • nmap -sU 192.168.66.52 -p 50-70

TCP and UDP scan (-sU combined with a TCP scan type, here the connect scan -sT; -sSU would combine it with the SYN scan)

  • nmap -sTU 192.168.66.52

Scan specific ports

  • nmap -p21,22,80 192.168.66.52

Scan all ports (-p- means 1-65535)

  • nmap -p- 192.168.66.52

Reverse DNS resolution of the hosts (list scan: -sL only resolves the target names and sends no packets to the targets)

  • nmap -sL 192.168.66.50-60

Specify source address and interface

-e selects the interface, -S the (spoofed) source address, -P0 (old spelling of -Pn) skips host discovery. Replies go to the spoofed address, so unless 192.168.66.54 belongs to the scanning host (or you capture the traffic elsewhere) nmap sees no responses.

  • nmap -e eth0 -S 192.168.66.54 -P0 -sS 192.168.66.53

Complete scan in numeric order

-r scans the ports in numeric order instead of the default random order, -p- all ports, -v verbose

  • nmap -v -r -p- -sS 192.168.66.52

OS detection

-O fingerprints the target's TCP/IP stack; it needs raw packets (root) and gives the most reliable result when at least one open and one closed TCP port are found.

  • nmap -O 192.168.66.53
Starting Nmap 6.40 ( http://nmap.org ) at 2015-10-14 14:05 CEST
Nmap scan report for 192.168.242.50
Host is up (0.00013s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 48:5B:39:AD:8A:F3 (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows 2008|7
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows Server 2008 SP2, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.95 seconds

Linux

  • nmap -O -v 192.168.240.69 | grep OS
Initiating OS detection (try #1) against 192.168.240.69
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0

Windows

  • nmap -O -v 192.168.242.75 | grep OS
Initiating OS detection (try #1) against 192.168.242.75
OS CPE: cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_2012 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1

Links

  • https://nmap.org/book/osdetect.html

-A enables OS detection and version detection, script scanning and traceroute

-T 4 selects the aggressive timing template (see Timing Template below)

  • nmap -A -T 4 192.168.242.50
Starting Nmap 6.40 ( http://nmap.org ) at 2015-10-14 14:22 CEST
Nmap scan report for 192.168.242.50
Host is up (0.00015s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49155/tcp open  msrpc       Microsoft Windows RPC
49156/tcp open  msrpc       Microsoft Windows RPC
49157/tcp open  msrpc       Microsoft Windows RPC
MAC Address: 48:5B:39:AD:8A:F3 (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows 2008|7
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows Server 2008 SP2, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-VJCRWQXC6A7, NetBIOS user: <unknown>, NetBIOS MAC: 48:5b:39:ad:8a:f3 (Asustek Computer)
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Enterprise 6001 Service Pack 1 (Windows Server (R) 2008 Enterprise 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: WIN-VJCRWQXC6A7
|   NetBIOS computer name: WIN-VJCRWQXC6A7
|   Workgroup: WORKGROUP
|_  System time: 2015-10-14T14:23:23+02:00
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.16 ms 192.168.242.50

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.83 seconds
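The -O and -A listings above are what nmap's normal output looks like; when you review many such reports it helps to turn them into data you can assert on. The following is an added example, not code from the wiki page or from nmap itself: it parses one host's report (port table with the optional VERSION column, the host-level OS lines, and the NSE host script results) and pulls out the SMB findings a reviewer would note, in particular the "Message signing disabled" line the smb-security-mode script already hints at. SAMPLE is copied from the page's -A output above, trimmed to four ports; the parser's regexes and the finding texts are this example's own assumptions.

```python
# Added example, not code from the Xinux wiki page: turn nmap's normal output,
# as shown for the -O and -A scans above, into a structure you can assert on,
# then pull out the SMB findings a reviewer would note. SAMPLE is copied from
# the page's -A output above (trimmed to four ports); nothing else is real.
import re

SAMPLE = """\
Nmap scan report for 192.168.242.50
Host is up (0.00015s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc       Microsoft Windows RPC
MAC Address: 48:5B:39:AD:8A:F3 (Asustek Computer)
Running: Microsoft Windows 2008|7
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows Server 2008 SP2, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: WIN-VJCRWQXC6A7, NetBIOS user: <unknown>, NetBIOS MAC: 48:5b:39:ad:8a:f3 (Asustek Computer)
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Enterprise 6001 Service Pack 1 (Windows Server (R) 2008 Enterprise 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|_  Workgroup: WORKGROUP
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 64.83 seconds
"""

# "135/tcp   open  msrpc       Microsoft Windows RPC"; the VERSION column is optional
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+?))?\s*$")
# Script header: "| name: ..." or "|_name: ...". Continuation lines carry more
# whitespace after the bar ("|   text", "|_  text") and do not match this.
SCRIPT_HEAD_RE = re.compile(r"^\|(?:_| )([\w-]+):\s*(.*)$")
SCRIPT_CONT_RE = re.compile(r"^\|_?\s+(.*)$")
OS_KEYS = ("Running", "OS CPE", "OS details")      # host-level lines, not "|   OS CPE:"


def parse_nmap_output(text):
    """Parse one host's normal-output report into host, ports, os and scripts."""
    report = {"host": None, "ports": [], "os": {}, "scripts": {}}
    current = None                                   # name of the script being read
    for line in text.splitlines():
        m = re.match(r"^Nmap scan report for (\S+)", line)
        if m:
            report["host"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            report["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": version})
            continue
        for key in OS_KEYS:
            if line.startswith(key + ":"):
                value = line.split(":", 1)[1].strip()
                report["os"][key] = value.split() if key == "OS CPE" else value
        m = SCRIPT_HEAD_RE.match(line)
        if m:
            current, rest = m.group(1), m.group(2).strip()
            report["scripts"][current] = [rest] if rest else []
            continue
        m = SCRIPT_CONT_RE.match(line)
        if m and current:
            report["scripts"][current].append(m.group(1).strip())
    return report


def smb_findings(report):
    """Findings a reviewer would pull from the parsed report."""
    findings = []
    smb_ports = [p["port"] for p in report["ports"]
                 if p["state"] == "open" and p["port"] in (139, 445)]
    if smb_ports:
        findings.append("SMB reachable on ports %s" % smb_ports)
    for line in report["scripts"].get("smb-security-mode", []):
        if line.startswith("Message signing disabled"):
            findings.append("SMB signing disabled: " + line)   # relay/MITM exposure
    return findings


if __name__ == "__main__":
    rep = parse_nmap_output(SAMPLE)
    print(rep["host"], rep["os"].get("OS details"))
    for f in smb_findings(rep):
        print("finding:", f)
```

For anything beyond a one-off check, prefer nmap's own machine-readable output (-oX for XML, -oG for grepable) over parsing the normal output; the parser above is for reports like the ones on this page that were only saved as text.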

Timing Template

Timing templates are used when you suspect that a firewall or IDS detects the port scan and therefore want to scan slowly, or when you want to go about it more aggressively. The template can be given by number (-T0 to -T5) or by name:

  • nmap -A -T sneaky 192.168.242.50

The following templates exist:

  • paranoid (0) - serializes the probes and waits five minutes between them; meant for IDS evasion, not a guarantee of it
  • sneaky (1) - as paranoid, but 15 seconds between probes
  • polite (2) - slower scan that uses less bandwidth and fewer target resources
  • normal (3) - the default
  • aggressive (4) - assumes a fast and reliable network
  • insane (5) - assumes a very fast network and sacrifices accuracy for speed

ssl-enum-ciphers

The ssl-enum-ciphers script enumerates the protocol versions and cipher suites a TLS server offers and grades every suite. The grade is per suite only: in the output below every suite gets an A, although the server still offers TLSv1.0 and TLSv1.1 (both deprecated by RFC 8996) and TLS_RSA_* suites without forward secrecy. Those are findings the script does not flag on its own.

  • nmap -sV --script ssl-enum-ciphers -p 443 www.xinux.de
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 10:44 CET
Nmap scan report for www.xinux.de (94.130.248.212)
Host is up (0.027s latency).
Other addresses for www.xinux.de (not scanned): 2a01:4f8:13b:1e15:8000:0:212:1
rDNS record for 94.130.248.212: thor.tuxmen.de

PORT    STATE SERVICE VERSION
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.29 (Ubuntu)
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.85 seconds
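The per-suite grade above says nothing about the protocol versions or the key exchange, so a reviewer usually applies a policy on top of the script output. The following is an added example, not code from the wiki page or from the nmap script: it parses the ssl-enum-ciphers tree into protocol versions, suites, compressors and cipher preference, then reports the findings the grade does not express (deprecated versions, suites without forward secrecy, CBC suites, compression, client-side cipher order). SAMPLE is copied from the page's scan output above, trimmed to a few suites; the policy itself is this example's assumption.

```python
# Added example, not code from the Xinux wiki page: parse the ssl-enum-ciphers
# tree above and apply a protocol-level policy that the script's per-suite
# grade does not express. SAMPLE is copied from the page's scan output above,
# trimmed to a few suites; the policy rules are this example's assumptions.
import re

SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

PROTO_RE = re.compile(r"^(SSLv3|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^(TLS_\w+) \(([^)]*)\) - (\w)$")   # "NAME (kex) - GRADE"
DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}                 # RFC 7568, RFC 8996


def parse_ssl_enum(text):
    """Return {protocol: {"ciphers": [...], "compressors": [...], "preference": str}}."""
    protocols, proto, section = {}, None, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        line = raw[1:].lstrip("_").strip()               # drop the "| " / "|_ " prefix
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            protocols[proto] = {"ciphers": [], "compressors": [], "preference": None}
            section = None
            continue
        if proto is None:                                 # the "ssl-enum-ciphers:" header
            continue
        if line in ("ciphers:", "compressors:"):
            section = line[:-1]
            continue
        if line.startswith("cipher preference:"):
            protocols[proto]["preference"] = line.split(":", 1)[1].strip()
            section = None
            continue
        m = CIPHER_RE.match(line)
        if section == "ciphers" and m:
            name, kex, grade = m.groups()
            protocols[proto]["ciphers"].append({"name": name, "kex": kex, "grade": grade})
        elif section == "compressors" and line:
            protocols[proto]["compressors"].append(line)
    return protocols


def audit(protocols):
    """Findings beyond the per-suite grade: old versions, no PFS, CBC, compression."""
    findings = []
    for proto, info in protocols.items():
        if proto in DEPRECATED:
            findings.append(f"{proto} offered (deprecated)")
        for c in info["ciphers"]:
            if c["name"].startswith("TLS_RSA_"):          # static RSA key exchange
                findings.append(f"{proto}: {c['name']} has no forward secrecy")
            if "_CBC_" in c["name"]:                      # CBC/HMAC rather than AEAD
                findings.append(f"{proto}: {c['name']} is a CBC suite")
            if c["grade"] != "A":
                findings.append(f"{proto}: {c['name']} graded {c['grade']}")
        if any(comp != "NULL" for comp in info["compressors"]):
            findings.append(f"{proto}: TLS compression enabled (CRIME)")
        if info["preference"] != "server":
            findings.append(f"{proto}: server does not enforce its cipher order")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ssl_enum(SAMPLE)):
        print(finding)
```

Run against the full output above, the same policy would flag TLSv1.0 and TLSv1.1 as offered, every TLS_RSA_* suite in all three versions, and every CBC suite, while the compressors (NULL only) and the server-side cipher preference pass.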

Links