MYHACK58:62200821624
Author: Anonymous (佚名)
Published: Dec 25, 2008 - 12:00 a.m.

Some Nmap tricks (vulnerability warning section, 黑吧安全网 / myhack58)

www.myhack58.com

Source: Tr4c3’s blog

by d3hydr8 > www.darkc0de.com
date: 01/20/08

Use nmap as a host enumeration tool. A list scan (-sL) expands the target range and does a reverse-DNS lookup for each address without sending a single packet to the targets themselves, which is why every host is reported as "not scanned" and "0 hosts up": it is a quiet way to see which names live in a range before touching it.

linuxbox:/home/d3hydr8 # nmap -sL 128.230.18.30-35

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:41 EST
Host npropane.syr.edu (128.230.18.30) not scanned
Host helpeiam1.syr.edu (128.230.18.31) not scanned
Host tracker5-18.syr.edu (128.230.18.32) not scanned
Host mirage2.syr.edu (128.230.18.33) not scanned
Host backup01-18.syr.edu (128.230.18.34) not scanned
Host cwis01.syr.edu (128.230.18.35) not scanned
Nmap done: 6 IP addresses (0 hosts up) scanned in 6.628 seconds

Use nmap as a banner scanner: run version detection (-sV) against port 25 across an IP range and keep only the hosts running IMail. grep -B 3 prints the three lines before each match, which in nmap's normal output are the blank separator, the "Interesting ports on" host line and the column header, so the host identity survives the filtering.

linuxbox:/home/d3hydr8 # nmap -sV 12.150.145.135-139 -p25 | grep IMail -B 3

Interesting ports on 138.145.static.conninc.com (12.150.145.138):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    IMail NT-ESMTP 6.06 28262-4

Interesting ports on 139.145.static.conninc.com (12.150.145.139):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    IMail NT-ESMTP 6.06 28263-5

The same banner scan, with the filtered output appended to a file (>> appends, > would overwrite; nothing is shown on the terminal until the file is read back).

linuxbox:/home/d3hydr8 # nmap -sV 12.150.145.137-139 -p25 | grep IMail -B 3 >> nmap.txt
linuxbox:/home/d3hydr8 # cat nmap.txt

Interesting ports on 138.145.static.conninc.com (12.150.145.138):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    IMail NT-ESMTP 6.06 29384-6

Interesting ports on 139.145.static.conninc.com (12.150.145.139):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    IMail NT-ESMTP 6.06 29385-7
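The grep -B 3 trick above depends on the exact layout of nmap's normal output and breaks as soon as a banner wraps or the layout changes. As an added example (not part of the original article), here is a small POSIX shell/awk filter that reads nmap's greppable output (-oG -) instead, where every host is one tab-separated line and each port is encoded as port/state/proto/owner/service/rpc/version/, and prints ip, hostname, port, service and version for every open port whose version string matches a pattern. The report embedded in sample_gnmap is constructed for offline testing and is not real scan data; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): filter nmap greppable
# output (-oG) by version banner instead of grepping the normal output
# with -B 3.
#
# Real use:  nmap -sV -p25 -oG - 12.150.145.135-139 | grep_banner IMail >> nmap.txt
# Offline:   sample_gnmap | grep_banner IMail

TAB=$(printf '\t')

# Constructed sample of -oG output (NOT real scan data). One line per host,
# tab-separated fields; each port is port/state/proto/owner/service/rpc/version/.
sample_gnmap() {
  printf '# Nmap 4.50 scan initiated Thu Jan 17 22:41:00 2008 as: nmap -sV -p25 -oG - 12.150.145.135-139\n'
  printf 'Host: 12.150.145.135 ()\tStatus: Down\n'
  printf 'Host: 12.150.145.138 (138.145.static.conninc.com)\tPorts: 25/open/tcp//smtp//IMail NT-ESMTP 6.06 28262-4/\tIgnored State: closed (0)\n'
  printf 'Host: 12.150.145.139 (139.145.static.conninc.com)\tPorts: 25/open/tcp//smtp//IMail NT-ESMTP 6.06 28263-5/\n'
  printf 'Host: 12.150.145.137 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 110/closed/tcp//pop3///\n'
  printf '# Nmap done at Thu Jan 17 22:41:06 2008 -- 5 IP addresses (3 hosts up) scanned in 6.10 seconds\n'
}

# grep_banner PATTERN: read -oG lines on stdin and print one tab-separated line
#   ip  hostname  port/proto  service  version
# for every OPEN port whose version field matches PATTERN (case-insensitive ERE).
# Closed/filtered ports and ports with no version are never reported.
grep_banner() {
  awk -F "$TAB" -v pat="$1" '
    /^Host: / {
      ip = $1; sub(/^Host: /, "", ip); host = "-"
      # "1.2.3.4 (name)" -> split off the reverse-DNS name if there is one
      if (match(ip, / \(.*\)$/)) {
        if (RLENGTH > 3) host = substr(ip, RSTART + 2, RLENGTH - 3)
        ip = substr(ip, 1, RSTART - 1)
      }
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i; sub(/^Ports: /, "", ports)
        n = split(ports, p, ", ")
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
          if (f[2] == "open" && tolower(f[7]) ~ tolower(pat))
            printf "%s\t%s\t%s/%s\t%s\t%s\n", ip, host, f[1], f[3], f[5], f[7]
        }
      }
    }'
}

# count_matches PATTERN: number of matching open ports on stdin, for scripting
count_matches() {
  grep_banner "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample
sample_gnmap | grep_banner IMail
```

Because the match is done on the parsed version field rather than on whole lines, a banner that happens to contain the host header text, or a second product on another port of the same host, no longer produces false or missing hits; the output is also one record per finding, which is what you want to append to a file.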

Use the most intensive version check. --version-all is the same as --version-intensity 9: every probe in nmap-service-probes is sent to the port, not just the ones registered for that port number, which is slower but catches services listening on nonstandard ports. Here it still only identifies "Apache httpd" without a version number, so the server is not advertising one.

linuxbox:/home/d3hydr8 # nmap -sV --version-all 128.230.18.35 -p 80

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:37 EST
Interesting ports on cwis01.syr.edu (128.230.18.35):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd

Use nmap as a banner scanner against random Internet hosts: -iR 1500 picks 1500 random routable addresses as targets, and the -sV/grep -B 3 combination from above keeps only the ones with ProFTPD on port 21.

linuxbox:/home/d3hydr8 # nmap -sV -iR 1500 -p21 | grep ProFTPD -B 3
Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 17:41 EST
Interesting ports on www.buford-thompson.net (161.58.19.143):
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD

Use nmap to scan an IP address and guess the operating system. -PN (spelled -Pn in later releases) skips host discovery and treats the target as up, -O turns on OS fingerprinting, and --osscan-limit skips the fingerprint on any host that does not have at least one open and one closed TCP port, because without both the result is unreliable. grep Running keeps just the OS line; "JUST GUESSING" means no fingerprint matched exactly and the percentage is nmap's confidence in the closest one.

linuxbox:/home/d3hydr8 # nmap -PN -O --osscan-limit 38.117.198.214 | grep Running
Running (JUST GUESSING) : ZyXEL ZyNOS (96%)

Use nmap as a traceroute. With --traceroute, nmap traces the route after the port scan using a port the scan found open (here 80/tcp), which gets through firewalls far more often than ICMP, and lists every hop with its round-trip time in milliseconds. Hops 1 to 6 sit in RFC 1918 space (the local router and the ISP's internal network), the public path starts at hop 7, and the target answers at hop 16.

linuxbox:/home/d3hydr8 # nmap --traceroute 128.230.18.35

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:27 EST
Interesting ports on cwis01.syr.edu (128.230.18.35):
Not shown: 1656 closed ports, 49 filtered ports
PORT   STATE SERVICE
80/tcp open  http

TRACEROUTE (using port 80/tcp)
HOP RTT   ADDRESS
1   2.89  192.168.1.1
2   12.18 10.114.0.1
3   9.52  172.22.5.13
4   12.33 172.22.5.69
5   10.86 172.22.33.73
6   12.48 172.22.32.106
7   15.21 12.86.87.29
8   41.73 tbr2.attga.ip.att.net (12.122.96.74)
9   41.78 tbr1.dlstx.ip.att.net (12.122.2.89)
10  73.50 ggr3.dlstx.ip.att.net (12.123.16.201)
11  42.87 br2-a3120s2.attga.ip.att.net (192.205.33.206)
12  66.36 66.192.240.226
13  74.74 64-132-176-170.static.twtelecom.net (64.132.176.170)
14  77.85 128.230.61.1
15  74.08 c6509r-srv.syr.edu (128.230.61.58)
16  73.36 cwis01.syr.edu (128.230.18.35)

Nmap done: 1 IP address (1 host up) scanned in 111.295 seconds

Use nmap to find out why a port is in a given state. --reason adds a REASON column naming the packet (or the lack of one) behind each verdict: a SYN/ACK gives open, a RST gives closed, and here 21/tcp is filtered because of no-response, meaning the probe was silently dropped, which almost always points at a firewall. An ICMP unreachable would also give filtered, but with a different reason, so the column tells you whether you are facing a drop rule or a reject rule.

linuxbox:/home/d3hydr8 # nmap --reason 128.230.18.35 -p 21

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:31 EST
Interesting ports on cwis01.syr.edu (128.230.18.35):
PORT   STATE    SERVICE REASON
21/tcp filtered ftp     no-response

Nmap done: 1 IP address (1 host up) scanned in 1.247 seconds

Use nmap with a spoofed MAC address. --spoof-mac takes a full address, a vendor prefix, a vendor name, or 0 for a random one; nmap looks the prefix up in its OUI table, which is why it reports 08:00:69 as Silicon Graphics. Two caveats: it needs raw-frame (root) privileges, and the spoofed source MAC is only visible on the local Ethernet segment, since every router beyond the first rewrites the frame. Against the random Internet targets used here it changes nothing the target can see; it matters on a LAN, where switches and 802.1X/port-security controls key on the MAC.

linuxbox:/home/d3hydr8 # nmap --spoof-mac 08:00:69:02:01:FC -iR 3

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:51 EST
Spoofing the MAC address 08:00:69:02:01:FC (Silicon Graphics)
Nmap done: 3 IP addresses (0 hosts up) scanned in 3.387 seconds

Use nmap with cloaked decoys. With -D, every probe is sent once from your real address and again, with a spoofed source, from each decoy address, so the target's logs show several scanners and cannot tell which one is real. Put ME in the list to fix where your real address appears (otherwise nmap places it at a random position). The decoys should be routable hosts that are actually up, otherwise you may SYN-flood the target and the fakes are easy to spot; decoy packets are spoofed, so they never leave a network that does egress filtering; and decoys do not work with version detection (-sV) or TCP connect scans (-sT), which need a real handshake. You can use my script for creating a list of ips to use. http://www.darkc0de.com/misc/ipgen1.1.py

linuxbox:/home/d3hydr8 # nmap -D 198.162.1.100,198.162.1.101 -iR 3

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 23:22 EST
Nmap done: 3 IP addresses (0 hosts up) scanned in 3.082 seconds
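The decoy list has to be chosen with some care: nmap puts the decoy addresses straight into the IP header as sources, so anything in private, loopback, link-local or multicast space is an obvious fake to the target and is usually discarded by the first router anyway, and if your real address always sits in the same slot the pattern gives you away. As an added example (not the article's code and not d3hydr8's ipgen script), here is a POSIX shell helper that draws random addresses from /dev/urandom, rejects the reserved ranges, and assembles the -D argument with ME at a random position. The function names are my own; whether a drawn address is actually up is not checked, because that would itself require scanning it.

```shell
#!/bin/sh
# Added example (not from the original article, not d3hydr8's ipgen.py):
# build the argument for nmap -D from random, publicly routable IPv4
# decoys with ME (the real address) inserted at a random slot.
#
# Usage:  nmap -D "$(build_decoys 5)" -iR 3

# is_public_ipv4 A.B.C.D -> 0 if the address is a plausible Internet source;
# 1 for malformed input or for ranges a target could never see a packet from
# (private, loopback, link-local, CGNAT, multicast/reserved).
is_public_ipv4() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case $_o in ''|*[!0-9]*) return 1;; esac
    [ "$_o" -le 255 ] || return 1
  done
  _a=$1; _b=$2
  [ "$_a" -eq 0 ]   && return 1                                          # 0.0.0.0/8
  [ "$_a" -eq 10 ]  && return 1                                          # 10/8
  [ "$_a" -eq 127 ] && return 1                                          # loopback
  [ "$_a" -eq 169 ] && [ "$_b" -eq 254 ] && return 1                     # 169.254/16
  [ "$_a" -eq 172 ] && [ "$_b" -ge 16 ] && [ "$_b" -le 31 ] && return 1  # 172.16/12
  [ "$_a" -eq 192 ] && [ "$_b" -eq 168 ] && return 1                     # 192.168/16
  [ "$_a" -eq 100 ] && [ "$_b" -ge 64 ] && [ "$_b" -le 127 ] && return 1 # 100.64/10
  [ "$_a" -ge 224 ] && return 1                                          # multicast, 240/4
  return 0
}

# rand_byte -> one number 0..255 read from /dev/urandom
rand_byte() {
  od -A n -N 1 -t u1 /dev/urandom | tr -d ' \n'
}

# random_public_ipv4 -> one random address that passes is_public_ipv4
random_public_ipv4() {
  while :; do
    _ip="$(rand_byte).$(rand_byte).$(rand_byte).$(rand_byte)"
    if is_public_ipv4 "$_ip"; then
      printf '%s\n' "$_ip"
      return 0
    fi
  done
}

# build_decoys N -> comma-separated list of N random decoys plus ME, with ME
# at a random slot so the real address is not always first or last
build_decoys() {
  _n=$1
  _k=$(( $(rand_byte) % (_n + 1) ))
  _out=""; _i=0
  while [ "$_i" -le "$_n" ]; do
    if [ "$_i" -eq "$_k" ]; then _item=ME; else _item=$(random_public_ipv4); fi
    _out="${_out}${_out:+,}${_item}"
    _i=$((_i + 1))
  done
  printf '%s\n' "$_out"
}

# Demo: print the command line that would be run
printf 'nmap -D %s -iR 3\n' "$(build_decoys 5)"
```

Keep the count small (a handful of decoys is plenty); each one multiplies the packets the target receives, and a long list of addresses that never respond looks more like an attack than a cloak.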