How to get the most out of Nmap

A condensed set of working notes distilled from several resources and books on the penetration-testing tool Nmap and its companion packet generator nping.

    • Determine port states / running services
      • $ nmap scanme.nmap.org
    • Set specific DNS servers (comma-separated list)
      • $ nmap --dns-servers 8.8.8.8,8.8.4.4 <target>
    • Skip host discovery (no ping) – very common, because many hosts drop ICMP and would otherwise be reported as down
      • $ nmap -Pn <target> (-PN is the older spelling of the same option)
    • Skip reverse DNS resolution
      • $ nmap -n <target>
    • Launch a TCP port scan
      • $ nmap -p1-30 <target> – range of ports
      • $ nmap -p- <target> – all ports, 1-65535
    • Privileged account = TCP SYN scan (-sS, the default when raw sockets are available); unprivileged account = TCP connect scan (-sT, which completes the handshake and therefore shows up in application logs)
    • Port States
      • Open:
        • An application is actively accepting connections or packets on the port
      • Closed:
        • The probe reached the port, but no application is listening (a RST came back)
      • Filtered:
        • No reply, or an ICMP unreachable error, so Nmap cannot tell whether the port is open. Something (firewall, router ACL, host-based filter) is dropping the probes
      • Unfiltered:
        • The port is reachable, but Nmap cannot tell whether it is open or closed. Only the ACK scan (-sA) produces this state
      • Open|Filtered:
        • Nmap cannot distinguish open from filtered. Seen in scans where an open port gives no response at all (UDP, IP protocol, FIN/NULL/Xmas)
      • Closed|Filtered:
        • Nmap cannot distinguish closed from filtered. Only produced by the idle scan (-sI)
    • Display service versions (more info)
      • $ nmap -sV <target>
    • Set the number of probes / intensity level [0-9] (default 7; 9 tries every probe, 0 only the most likely ones)
      • $ nmap -sV --version-intensity 9 <target>
    • Aggressive detection
      • $ nmap -A <target>
        • -A enables the following:
          • -O: OS detection
          • -sV: version detection
          • -sC: script scanning (the default category)
          • --traceroute: traceroute
    • Perform a ping scan – find live network hosts (-sn; -sP is the older spelling and is still accepted)
      • $ nmap -sn 192.1.1.1/24
    • Disable ARP requests (on a local Ethernet segment Nmap pings with ARP by default; --send-ip forces IP-level probes)
      • $ nmap -sn --send-ip 192.1.1.1/24
      • A ping scan performs no port scanning or service detection. The discovery-category scripts can still be run against the hosts found, but with -sn only pre-scan and host scripts fire, since no ports are scanned
      • $ nmap -sn --script discovery 192.1.1.1/24
    • Use port ranges when scanning
      • $ nmap -p80 192.1.1.1/24
    • Port list (no spaces after the commas)
      • $ nmap -p80,443 <target>
    • Port range
      • $ nmap -p1-100 <target>
    • All ports
      • $ nmap -p- <target>
    • Specific ports by protocol, T: TCP, U: UDP (the UDP part only takes effect when -sU is also given)
      • $ nmap -sS -sU -pT:25,U:53 <target>
    • Service name
      • $ nmap -p smtp <target>
    • Service name wildcards (quote them so the shell does not expand the *)
      • $ nmap -p "smtp*" <target>
    • Only ports registered in the nmap-services file
      • $ nmap -p[1-65535] <target>
    • To include the title of the index document of a web server in your scan results
      • $ nmap -sV --script http-title <target>
    • Run multiple scripts at once (comma-separated, no spaces)
      • $ nmap --script http-headers,http-title <target>
    • Run all scripts in the vuln category
      • $ nmap -sV --script vuln <target>
    • Run the scripts in the categories version or discovery
      • $ nmap -sV --script "version,discovery" <target>
    • Run all scripts except for the ones in the exploit category
      • $ nmap -sV --script "not exploit" <target>
    • Run all HTTP scripts except http-brute and http-slowloris
      • $ nmap -sV --script "(http-*) and not (http-slowloris or http-brute)" <target>
    • Debug scripts (-d sets the debug level; --script-trace dumps every request and response the scripts send)
      • $ nmap -sV --script exploit -d3 --script-trace 192.1.1.1
    • Script arguments
      • $ nmap -sV --script http-title --script-args http.useragent="Mozilla 999" <target>
    • Adding new scripts: copy the .nse file into the scripts directory, then rebuild the script database
      • $ nmap --script-updatedb
    • Script categories
      • auth:
        • Scripts that deal with authentication credentials on the target, or bypass them
      • broadcast:
        • Scripts that discover hosts by broadcasting on the local network instead of probing the listed targets
      • brute:
        • Scripts that perform brute-force password auditing
      • default:
        • Scripts run by -sC or -A; chosen for speed, usefulness, reliability and low intrusiveness
      • discovery:
        • Scripts that discover more about the network, hosts and services
      • dos:
        • Scripts that may cause a denial of service; run them only with that risk accepted
      • exploit:
        • Scripts that actively exploit a vulnerability
      • external:
        • Scripts that send data to a third-party service (a whois or geolocation provider, for example), which then sees your targets
      • fuzzer:
        • Scripts that send unexpected or randomised fields to a service (fuzzing)
      • intrusive:
        • Scripts that might crash the target, use a lot of resources or make a lot of noise; the opposite of safe
      • malware:
        • Scripts that test whether the host is infected by malware or backdoors
      • safe:
        • Scripts not designed to crash services, use large amounts of bandwidth or exploit vulnerabilities; still no guarantee on fragile targets
      • version:
        • Scripts that extend version detection; they run only with -sV and cannot be selected by name
      • vuln:
        • Scripts that check for specific known vulnerabilities and report only when found
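The --script expressions above ("(http-*) and not (http-slowloris or http-brute)", "not exploit", a comma-separated list) are a small boolean language over script names and categories. The following Python is an added example, not Nmap's own code: it implements that language (names, categories, '*' wildcards, and/or/not, parentheses, with ',' meaning 'or') over a hand-constructed subset of scripts.db, so you can preview exactly which scripts an expression would run before pointing it at a target. SCRIPT_DB is an illustrative subset, not the full database.

```python
"""Evaluate Nmap --script selection expressions against a script table.

Added example, not Nmap's own code. SCRIPT_DB is a small, hand-constructed
subset of real NSE script names and their categories.
"""
import fnmatch
import re

# Constructed subset of scripts.db: script name -> categories
SCRIPT_DB = {
    "http-title":        {"default", "discovery", "safe"},
    "http-headers":      {"discovery", "safe"},
    "http-brute":        {"intrusive", "brute"},
    "http-slowloris":    {"dos", "intrusive"},
    "http-enum":         {"discovery", "intrusive", "vuln"},
    "http-shellshock":   {"exploit", "vuln", "intrusive"},
    "smb-vuln-ms17-010": {"vuln", "safe"},
    "ssh-brute":         {"brute", "intrusive"},
    "broadcast-ping":    {"discovery", "safe", "broadcast"},
}

_TOKEN = re.compile(r"\s*(\(|\)|,|[A-Za-z0-9_*.-]+)")


def tokenize(expr):
    """Split an expression into '(', ')', ',' and name/category/keyword tokens."""
    expr = expr.strip()
    pos, tokens = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent.  expr := term (('or'|',') term)*
    term := factor ('and' factor)*   factor := 'not' factor | '(' expr ')' | pattern
    'and' binds tighter than 'or', as in Nmap."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def _take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self._peek() in ("or", ","):
            self._take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self._peek()
        if tok == "not":
            self._take()
            return ("not", self.factor())
        if tok == "(":
            self._take()
            node = self.expr()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self._take()
            return node
        if tok in (None, ")", ",", "and", "or"):
            raise ValueError(f"expected a script name or category, got {tok!r}")
        pat = self._take().lower()
        return ("pat", pat[:-4] if pat.endswith(".nse") else pat)  # 'x.nse' == 'x'


def parse(expr):
    parser = _Parser(tokenize(expr))
    tree = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError("trailing input after expression")
    return tree


def _matches(tree, name, categories):
    kind = tree[0]
    if kind == "pat":
        pat = tree[1]
        # 'all' is a pseudo-category; otherwise a pattern may hit the name or any category
        return pat == "all" or fnmatch.fnmatchcase(name, pat) or any(
            fnmatch.fnmatchcase(c, pat) for c in categories)
    if kind == "not":
        return not _matches(tree[1], name, categories)
    left = _matches(tree[1], name, categories)
    right = _matches(tree[2], name, categories)
    return (left and right) if kind == "and" else (left or right)


def select_scripts(expr, db=SCRIPT_DB):
    """Return, sorted, the script names a --script expression would run against db."""
    tree = parse(expr)
    return sorted(name for name, cats in db.items() if _matches(tree, name, cats))
```

Run select_scripts("vuln and not intrusive") on a real scripts.db dump before a production scan and you will see at a glance which intrusive vuln checks the category alone would have pulled in.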
    • Force a scan using a specific interface
      • $ nmap -e <interface> <target>
    • Ping scan out of a specific interface (useful on multi-homed hosts where the routing table would pick the wrong one)
      • $ nmap -sn -e <interface> <target>
    • Save scan results to an XML file with -oX <filename> (-oA <basename> writes normal, XML and grepable output at once)
      • $ nmap -oX scan.xml <target>
    • Perform NAT detection with nping's echo mode, which sends packets to an echo server (Nmap runs a public one, passphrase "public") that reports how each packet looked on arrival
      • # nping --echo-client "public" -c 1 echo.nmap.org
      • Look at the SENT and CAPT source addresses; if they differ, you are behind NAT
      • --echo-client (short form --ec) = echo client mode
      • -c 1 = send only one packet
    • Generate custom TCP packets: send one TCP SYN to port 80
      • # nping --tcp --flags syn -p80 -c 1 192.1.1.1
    • View all options
      • $ nping -h
    • TCP SYN ping scan (sends a SYN; either a SYN/ACK or a RST proves the host is up)
      • $ nmap -sn -PS 192.1.1.1/24
    • Firewalls and traffic filters
      • Note that some firewalls drop RST packets, so a closed port looks filtered and the host may appear down
      • $ nmap -sn -PS80 <target>
    • Set the port list to be used with -PS (default is 80; no spaces after the commas)
      • $ nmap -sn -PS80,21,53 <target>
      • $ nmap -sn -PS1-1000 <target>
      • $ nmap -sn -PS80,100-1000 <target>
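The XML written by -oX (mentioned above) is the form of Nmap output meant for programs; normal output is not stable between versions. The following Python is an added example, not part of the notes or of Nmap: it parses the nmaprun format with the standard library and diffs two scans for newly opened ports, the same idea as Nmap's ndiff. SAMPLE_XML is a hand-constructed document containing the subset of elements a real -oX file has for a two-host scan.

```python
"""Parse Nmap XML output (-oX) and diff two scans for newly opened ports.

Added example, not Nmap's code. SAMPLE_XML is constructed to look like a
real nmaprun document (one host up with three ports, one host down).
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.1.1.5-6" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.1.1.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.example" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="997"><extrareasons reason="resets" count="997"/></extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
        <script id="http-title" output="Welcome"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
        <service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.1.1.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return a list of host dicts: ip, mac, hostname, state and a list of port dicts."""
    root = ET.fromstring(text.encode())
    hosts = []
    for h in root.iter("host"):
        addrs = h.findall("address")
        ip = next((a.get("addr") for a in addrs if a.get("addrtype") in ("ipv4", "ipv6")), None)
        mac = next((a.get("addr") for a in addrs if a.get("addrtype") == "mac"), None)
        hn = h.find("hostnames/hostname")
        host = {
            "ip": ip,
            "mac": mac,
            "hostname": hn.get("name") if hn is not None else None,
            "state": h.find("status").get("state"),
            "ports": [],
        }
        for p in h.findall("ports/port"):
            st, svc = p.find("state"), p.find("service")
            host["ports"].append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": st.get("state"),
                "reason": st.get("reason"),          # why Nmap decided the state
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # per-port NSE results, id -> output
                "scripts": {s.get("id"): s.get("output") for s in p.findall("script")},
            })
        hosts.append(host)
    return hosts


def open_ports(hosts):
    """{(ip, proto, port): service} for every port reported open."""
    return {(h["ip"], p["proto"], p["port"]): p["service"]
            for h in hosts for p in h["ports"] if p["state"] == "open"}


def newly_open(old_hosts, new_hosts):
    """Ports open in the new scan that were not open in the old one (ndiff-style)."""
    return sorted(set(open_ports(new_hosts)) - set(open_ports(old_hosts)))


if __name__ == "__main__":
    for (ip, proto, port), service in sorted(open_ports(parse_nmap_xml(SAMPLE_XML)).items()):
        print(f"{ip} {port}/{proto} {service}")
```

Only open ports are listed per host; everything folded into extraports (the 997 closed ones here) is deliberately not expanded, which is also why a periodic scan saved with -oX and diffed with newly_open is a cheap change-detection control.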
  • Perform a TCP ACK ping scan
    • Used to detect hosts whose firewalls block SYN packets or ICMP, but it will most likely be blocked by modern stateful firewalls, which drop an ACK that belongs to no known connection
    • TCP ACK ping scans need to run as a privileged user (raw sockets); unprivileged users silently get a connect()-based SYN ping instead
    • Selecting ports in TCP ACK ping scans
      • $ nmap -sn -PA21,22,80 <target>
      • $ nmap -sn -PA80-150 <target>
      • $ nmap -sn -PA22,1000-65535 <target>
  • UDP ping scan (default port 40125; any answer, including ICMP port unreachable, proves the host is up)
    • $ nmap -sn -PU <target>
  • Selecting ports in UDP ping scans
    • $ nmap -sn -PU53,161 <target>
  • ICMP echo ping (the classic ping; frequently blocked)
    • $ nmap -sn -PE <target>
  • ICMP timestamp request -PP
  • ICMP address mask request -PM
    • These may get through misconfigured firewalls that only block echo requests
    • $ nmap -sn -PP <target>
    • $ nmap -sn -PM <target>
  • IP protocol ping scans
    • $ nmap -sn -PO <target>
  • By default the protocol ping uses ICMP (1), IGMP (2) and IP-in-IP (4); a reply in the same protocol, or an ICMP protocol unreachable, marks the host as up
    • --packet-trace shows the packets sent and received
    • $ nmap -sn -PO1,2,4 <target>
  • Add random data to the packets
    • $ nmap -sn -PO --data-length 100 <target>
    • Protocol numbers used above:
      • ICMP: 1
      • IGMP: 2
      • IP-in-IP: 4
      • TCP: 6
      • UDP: 17
  • ARP ping scan (the default on a local Ethernet segment, and the most reliable discovery there, because a live host must answer ARP)
    • $ nmap -sn -PR 192.1.1.1/24
  • Watch the ARP request being sent
    • $ nmap -sn -PR --packet-trace 192.1.1.1
  • Force an IP-level ping (here a SYN ping) instead of ARP on the local network
    • $ nmap -sn -PS --packet-trace --send-ip 192.1.1.1
  • Spoof the source MAC address (a full address, a vendor prefix, a vendor name, or 0 for a random one)
    • $ nmap -sn -PR --spoof-mac xx:xx:xx:xx:xx:xx 192.1.1.1/24
  • Discover new hosts with a broadcast ping using NSE
    • $ nmap --script broadcast-ping
  • Increase the number of ICMP requests
    • $ nmap --script broadcast-ping --script-args broadcast-ping.num_probes=5
  • When scanning a large network it is useful to increase the timeout, broadcast-ping.timeout=<time spec>
    • $ nmap --script broadcast-ping --script-args broadcast-ping.timeout=10s
  • If you don't specify an interface, broadcast-ping sends probes on every interface that has an IPv4 address
    • $ nmap --script broadcast-ping --script-args broadcast-ping.interface=wlan3
  • Force Nmap to use the newly found hosts as targets
    • $ nmap --script broadcast-ping --script-args newtargets
  • Set the maximum number of new hosts to be added
    • $ nmap --script broadcast-ping --script-args newtargets,max-newtargets=3
  • Send additional random data in the packets
    • Append 300 bytes of random data to every probe (makes them look less like Nmap's empty defaults, at the cost of bandwidth)
    • $ nmap -sS -PS --data-length 300 <target>
  • Force Nmap not to send any payload in its probes (some UDP probes carry protocol-specific payloads by default)
    • $ nmap --data-length 0 <target>
  • By default Nmap does not do reverse DNS for hosts that appear offline; forcing resolution for every target with -R can reveal extra information (naming conventions, hosts that exist but drop probes)
    • Force DNS resolution for offline hosts
    • $ nmap -sS -PS -F -R x.x.x.220-230
  • List scan -sL: only performs reverse DNS resolution of the targets and sends no probes at all
    • Arguments used above
      • -sS: TCP SYN (stealth) scan
      • -PS: SYN ping
      • -F: fast port scan (the 100 most common ports)
      • -R: always do reverse DNS resolution
      • Together, -sS -PS -F -R tell Nmap to discover hosts with a SYN ping, SYN-scan the 100 most common ports and resolve every address
  • Disable DNS resolution with -n
    • $ nmap -sS -PS -F -n <target>
  • Specifying different DNS nameservers
    • $ nmap -sS -PS -R --dns-servers 8.8.8.8,8.8.4.4 <target>
  • Exclude hosts from your scans
    • $ nmap -sV -O --exclude 192.1.1.1,192.1.1.2,192.1.1.3 192.1.1.1/24
    • $ nmap -sV -O --exclude 192.1.1.1-100 192.1.1.1/24
  • Exclude hosts from a scan based on the contents of a text file
    • $ nmap -sV -O --exclude-file dontscan.txt 192.1.1.1/24
  • Scan IPv6 addresses
    • $ nmap -6 ::1
    • ::1 = localhost
  • $ nmap -6 <target>
    • $ nmap -6 2600:3c01::f03c:91ff:fe93:cd19
  • OS detection over IPv6
    • $ nmap -6 -O <target>
  • Use the NSE broadcast scripts to collect interesting information from the local network
    • $ nmap --script broadcast
  • Sniff the network for only 10 seconds (targets-sniffer)
    • $ nmap --script broadcast --script-args targets-sniffer.timeout=10s
  • Call all broadcast scripts but exclude the ones named targets-*
    • $ nmap --script "broadcast and not targets-*"
  • IP geolocation scripts rely on external databases and services, so most need an API key, and all of them send the target address to a third party (category external)
    • Download MaxMind's city database for the scripts that query it locally
    • $ nmap --script ip-geolocation-* <target>
    • Retrieve the WHOIS record of an IP address or domain (newer releases split the script into whois-ip and whois-domain)
    • $ nmap --script whois <target>
  • Query the WHOIS records of a host list -iL <input file> without launching a port scan (-sn)
    • $ nmap -sn --script whois -v -iL hosts.txt
  • Disable the cache; by default cached responses are preferred over querying the whois service again
    • $ nmap -sn --script whois --script-args whois.whodb=nocache <target>
  • Check whether a host has been flagged by Google's Safe Browsing service. Needs a Safe Browsing API key from Google
    • $ nmap -p80 --script http-google-malware --script-args http-google-malware.api=<API key> <target>
  • Get a list of valid public email accounts
    • http-google-email is not shipped with Nmap: download it from seclists.org, copy it to the local scripts directory and update the script database
    • $ nmap --script-updatedb
    • $ nmap -p80 --script http-google-email,http-email-harvest <target>
    • http-email-harvest depends on the httpspider library. To crawl additional pages
      • $ nmap -p80 --script http-email-harvest --script-args httpspider.maxpagecount=50 <target>
    • To start crawling from a page other than the root
      • $ nmap -p80 --script http-email-harvest --script-args httpspider.url=/welcome.php <target>
    • Specify the domain name to look for with the script argument domain
      • $ nmap -p80 --script http-google-email --script-args domain=insecure.org <target>
    • Increasing the number of result pages with the script argument pages may return additional addresses
      • $ nmap -p80 --script http-google-email --script-args pages=10 <target>
  • Brute force DNS records
    • This is easily detected by monitoring that watches for bursts of NXDOMAIN responses
      • $ nmap --script dns-brute <target>
    • To specify your own dictionary file
      • $ nmap --script dns-brute --script-args dns-brute.hostlist=words.txt <target>
    • Set the number of threads to use
      • $ nmap --script dns-brute --script-args dns-brute.threads=8 <target>
    • Force Nmap to use the hosts found as new targets
      • $ nmap --script dns-brute --script-args newtargets <target>
  • How to fingerprint the operating system of a remote host
    • A privileged account is required, because OS detection builds raw packets
      • $ nmap -O <target>
    • If -O finds no exact match, print the closest guesses with --osscan-guess (at least one open and one closed TCP port make the fingerprint far more reliable, hence -p-)
      • $ nmap -O -p- --osscan-guess <target>
    • OS detection in verbose mode (shows the fingerprint details and the confidence)
      • $ nmap -O -v <target>
  • UDP scanning for services. UDP scanning is slow, because most hosts rate-limit the ICMP port unreachable replies that mark a port closed
    • It is difficult for Nmap to differentiate between open and filtered UDP ports (an open UDP service usually stays silent), which is why -sV helps: it sends protocol-specific payloads
      • $ nmap -sU -p- <target>
    • Scan ranges
      • $ nmap -p1-500 -sU <target>
    • Fast port scanning
      • $ nmap -F -sU <target>
  • IP protocol scan – useful for determining which IP protocols (ICMP, TCP, UDP, GRE, ...) a host supports
    • Enumerate all of the IP protocols
      • $ nmap -sO <target>
    • ICMP destination unreachable with code 1, 3, 9, 10 or 13 marks the protocol as filtered
    • No response marks it open|filtered
    • ICMP protocol unreachable (type 3, code 2) marks it closed
    • Any other response marks the protocol open
    • Specify the protocols that should be scanned (numbers from /etc/protocols)
      • $ nmap -p1,3,5 -sO <target>
      • $ nmap -p1-10 -sO <target>
  • Perform a TCP ACK port scan
    • $ nmap -sA <target>
    • If the port is open or closed the host replies with a RST and the port is reported unfiltered: no stateful firewall is in the way
    • No response, or an ICMP error message, means a filter is in the way and the port is reported filtered
    • The ACK scan does not differentiate between open and closed ports
    • It is mainly used to map firewall rules, not to find services
  • Scanning ranges
    • $ nmap -sA -p80 <target>
    • $ nmap -sA -p1-100 <target>
    • $ nmap -sA -p- <target>
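The port-state definitions near the top of these notes and the reply rules given for the IP protocol scan (-sO) and the ACK scan (-sA) are one decision table viewed from different scans. The following Python is an added example, not Nmap's code: it encodes those rules for the SYN (-sS), ACK (-sA), UDP (-sU) and protocol (-sO) scans so each of the six states is tied to the concrete reply that produces it. Replies are described by small constructed dicts rather than parsed packets; closed|filtered is not modelled because only the idle scan (-sI) produces it.

```python
"""Classify a probe's reply into an Nmap port state, per scan type.

Added example, not Nmap's code. A reply is None (nothing came back),
{'tcp': 'SA'} or {'tcp': 'R'} for a SYN/ACK or RST, {'udp': True} for a UDP
answer, {'icmp': (type, code)} for an ICMP error, or {'proto': n} for any
other answer in the probed protocol (-sO only).
"""

# ICMP type 3 (destination unreachable) codes that mean "a filter answered"
PORT_FILTER_CODES = {1, 2, 3, 9, 10, 13}    # TCP/UDP port scans
PROTO_FILTER_CODES = {1, 3, 9, 10, 13}      # -sO: code 2 is handled separately


def _icmp_unreachable(reply, codes):
    icmp_type, code = reply.get("icmp", (None, None))
    return icmp_type == 3 and code in codes


def classify(scan, reply):
    """Return the Nmap port/protocol state for one probe reply."""
    if scan == "syn":                              # -sS
        if reply is None:
            return "filtered"                      # dropped, or host silently discards
        if "tcp" in reply:
            return "open" if reply["tcp"] == "SA" else "closed"   # SYN/ACK vs RST
        if _icmp_unreachable(reply, PORT_FILTER_CODES):
            return "filtered"
    elif scan == "ack":                            # -sA: only tells whether a filter is in the way
        if reply is None:
            return "filtered"
        if reply.get("tcp") == "R":
            return "unfiltered"                    # open or closed, no way to tell
        if _icmp_unreachable(reply, PORT_FILTER_CODES):
            return "filtered"
    elif scan == "udp":                            # -sU
        if reply is None:
            return "open|filtered"                 # open services are usually silent
        if "udp" in reply:
            return "open"
        if reply.get("icmp") == (3, 3):            # port unreachable
            return "closed"
        if _icmp_unreachable(reply, PORT_FILTER_CODES):
            return "filtered"
    elif scan == "proto":                          # -sO
        if reply is None:
            return "open|filtered"
        if reply.get("icmp") == (3, 2):            # protocol unreachable
            return "closed"
        if _icmp_unreachable(reply, PROTO_FILTER_CODES):
            return "filtered"
        return "open"                              # any other answer means the stack handled it
    raise ValueError(f"cannot classify reply {reply!r} for scan type {scan!r}")


def scan_table(scan, replies):
    """Map {port: reply} to {port: state}, the shape of the table Nmap prints."""
    return {port: classify(scan, reply) for port, reply in replies.items()}


if __name__ == "__main__":
    # Constructed replies for three ports under a SYN scan
    for port, state in scan_table("syn", {22: {"tcp": "SA"}, 23: {"tcp": "R"}, 25: None}).items():
        print(f"{port}/tcp {state}")
```

The ACK branch is the whole point of -sA: the same RST that means closed under -sS means unfiltered here, which is why the notes say it maps firewall rules rather than finding services.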
  • Version discovery is essential to pen-testers, who use it to find public security vulnerabilities affecting a scanned service
    • One way is the third-party NSE script vulscan: download it from www.computec.ch, copy it to the local scripts folder and update the database
      • $ nmap --script-updatedb
      • $ nmap -sV --script vulscan <target>
  • How to find zombie hosts and use them to spoof your IP address (idle scan)
    • Find hosts with an incremental IP ID sequence
    • $ nmap -p80 --script ipidseq <your ip>/24
    • $ nmap -p80 --script ipidseq -iR 1000
  • To launch an idle scan
    • This technique only works if the zombie host is really idle; otherwise its IP ID counter is disturbed by other traffic
    • Many ISPs today block spoofed packets, or rewrite them so that the spoofed source address is replaced with your real IP, which makes the technique useless because the target sees your real address. Nmap cannot detect this situation, so verify separately what leaves your network
      • $ nmap -Pn -sI <zombie host> <target>
  • Use verbose mode with OS and version detection
    • $ nmap -sV -v -O <target>
  • Enumerate all of the HTTP methods supported by a web server
    • Having a method listed by OPTIONS does not necessarily mean that it is accessible to you; servers list what the handler knows about, not what the configuration allows
    • $ nmap -p80,443 --script http-methods <target>
  • Individually check the status code returned for each method listed by OPTIONS
    • $ nmap -p80,443 --script http-methods --script-args http-methods.retest <target>
  • Test from a different base path
    • $ nmap -p80,443 --script http-methods --script-args http-methods.url-path=/mypath/ <target>
  • The HTTP methods TRACE, CONNECT, PUT and DELETE might present a security risk and need to be tested thoroughly
    • TRACE echoes the request back and makes applications susceptible to Cross Site Tracing (XST) attacks, which can recover cookies marked HttpOnly
    • CONNECT might allow the web server to be used as an unauthorised proxy
    • PUT and DELETE can create, overwrite or remove content on the server
  • Some packet filtering products block requests that use Nmap's default HTTP user agent
    • Use a different HTTP user agent
    • $ nmap -p80 --script http-methods --script-args http.useragent="Mozilla 42" <target>
  • Some web servers allow several HTTP requests to be in flight on one connection (pipelining). This can speed up NSE HTTP scripts considerably; set the number of pipelined requests with http.pipeline
    • $ nmap -p80 --script http-methods --script-args http.pipeline=25 <target>
  • Detect an open HTTP proxy
    • $ nmap --script http-open-proxy -p8080 <target>
  • Scan a web server to discover interesting files, directories and even vulnerable web applications (the fingerprints live in nselib/data/http-fingerprints.lua)
    • $ nmap --script http-enum -p80 <target>
  • Specify a different base path
    • $ nmap --script http-enum --script-args http-enum.basepath=/web/ -p80 <target>
  • Display all entries that returned a status code that could possibly indicate that a page exists (not only 200s)
    • $ nmap --script http-enum --script-args http-enum.displayall -p80 <target>
  • Brute force password auditing against web servers that use HTTP authentication
    • $ nmap -p80 --script http-brute --script-args http-brute.path=/admin/ <target>
  • http-brute uses, by default, the files usernames.lst and passwords.lst in nselib/data. To use different username and password lists
    • $ nmap -p80 --script http-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
  • To quit after finding one valid account
    • $ nmap -p80 --script http-brute --script-args brute.firstonly <target>
  • By default the brute-force library stops after a time limit derived from Nmap's timing template
    • -T3 and slower (-T0 to -T3): 10 minutes
    • -T4: 5 minutes
    • -T5: 3 minutes
    • To run without a limit set unpwdb.timelimit to 0, or give an explicit time
      • $ nmap -p80 --script http-brute --script-args unpwdb.timelimit=0 <target>
      • $ nmap -p80 --script http-brute --script-args unpwdb.timelimit=60m <target>
  • Brute modes
    • user: for each user listed in userdb, try every password in passdb
      • $ nmap --script http-brute --script-args brute.mode=user <target>
    • pass: for each password listed in passdb, try every user in userdb (spreads attempts across accounts, which is kinder to lockout policies)
      • $ nmap --script http-brute --script-args brute.mode=pass <target>
    • creds: this mode requires the additional argument brute.credfile, a file of user/password pairs
      • $ nmap --script http-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
    • Perform brute force attacks to enumerate user accounts on Apache servers with mod_userdir enabled
      • $ nmap -p80 --script http-userdir-enum <target>
    • The script http-userdir-enum uses, by default, the word list usernames.lst located in nselib/data/. Set a different file with
      • $ nmap -p80 --script http-userdir-enum --script-args userdir.users=./users.txt <target>
    • Test default credentials in supported applications
      • $ nmap -p80 --script http-default-accounts <target>
  • For less intrusive scans, restrict the fingerprints to a category
    • Available categories include web, router, voip and security
      • $ nmap -p80 --script http-default-accounts --script-args http-default-accounts.category=router <target>
    • To change the base path from root
      • $ nmap -p80 --script http-default-accounts --script-args http-default-accounts.basepath=/web/ <target>
    • The default fingerprint file can be changed via
      • $ nmap -p80 --script http-default-accounts --script-args http-default-accounts.fingerprintfile=./more-signatures.txt <target>
  • Brute force against WordPress
    • $ nmap -p80 --script http-wordpress-brute <target>
  • Brute force against Joomla! installations
    • $ nmap -p80 --script http-joomla-brute <target>
  • Set the number of threads
    • $ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.threads=5 <target>
  • Set the Host header used in the HTTP requests
    • $ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.hostname="hostname.com" <target>
  • Set a different login URI
    • $ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.uri="/joomla/admin.login.php" <target>
  • Change the names of the POST variables that carry the username and password
    • $ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.uservar=usuario,http-joomla-brute.passvar=pasguord <target>
  • Detect a Web Application Firewall or IPS (the script sends obviously malicious payloads and looks for responses that differ from a clean request)
    • $ nmap -p80 --script http-waf-detect <target>
  • Also compare the response body, not only the status code. Good when pages have little dynamic content
    • $ nmap -p80 --script http-waf-detect --script-args="http-waf-detect.detectBodyChanges" <target>
    • To include more attack payloads use http-waf-detect.aggro
    • To set a different URI for the probes use http-waf-detect.uri=/webapp/
  • To check whether TRACE is enabled, and the server is therefore possibly vulnerable to Cross Site Tracing (XST)
    • $ nmap -p80 --script http-methods,http-trace <target>
  • Retest each method listed by OPTIONS and analyse the return value to conclude whether TRACE is actually accessible and not blocked by a firewall or configuration
    • $ nmap -p80 --script http-methods,http-trace --script-args http-methods.retest <target>
  • How to find Cross Site Scripting (XSS) vulnerabilities: the script crawls the site and reports parameters whose values are reflected back without escaping
    • $ nmap -p80 --script http-unsafe-output-escaping <target>
  • If working with a PHP server, also test the reflection of $_SERVER["PHP_SELF"]
    • $ nmap -p80 --script http-phpself-xss,http-unsafe-output-escaping <target>
  • The httpspider library only crawls 20 pages by default
    • $ nmap -p80 --script http-phpself-xss --script-args httpspider.maxpagecount=200 <target>
  • If you need to test a collection of web applications linked to each other (follow links off the host)
    • $ nmap -p80 --script http-phpself-xss --script-args httpspider.withinhost=false <target>
  • The maximum directory depth is 3. To go deeper
    • $ nmap -p80 --script http-phpself-xss --script-args httpspider.maxdepth=10 <target>
  • Find SQL injection vulnerabilities (error-based: the script injects quotes and looks for database error strings in the response)
    • $ nmap -p80 --script http-sql-injection <target>
  • Only 20 pages are crawled by default. Change this with
    • $ nmap -p80 --script http-sql-injection --script-args httpspider.maxpagecount=200 <target>
  • Test web applications linked to each other
    • $ nmap -p80 --script http-sql-injection --script-args httpspider.withinhost=false <target>
  • Change the maximum directory depth
    • $ nmap -p80 --script http-sql-injection --script-args httpspider.maxdepth=10 <target>
  • Test whether a web server is vulnerable to a Slowloris DoS attack. This script performs the actual attack (category dos): the server may become unavailable while it runs
    • $ nmap -p80 --script http-slowloris --max-parallelism 300 <target>
  • Set the time between partial HTTP headers
    • $ nmap -p80 --script http-slowloris --script-args http-slowloris.send_interval=200 --max-parallelism 300 <target>
  • To run Slowloris for a certain amount of time
    • $ nmap -p80 --script http-slowloris --script-args http-slowloris.timelimit=15m <target>
  • Attack indefinitely
    • $ nmap -p80 --script http-slowloris --script-args http-slowloris.runforever <target>
  • To check for a vulnerable web server without running the full attack
    • $ nmap -p80 --script http-slowloris-check <target>
  • List databases on a MySQL server
    • $ nmap -p3306 --script mysql-databases --script-args mysqluser=<user>,mysqlpass=<password> <target>
  • To enumerate databases when an empty root password is found, chain the two scripts
    • $ nmap -p3306 --script mysql-empty-password,mysql-databases <target>
  • If the service runs on a port other than 3306, either use service detection -sV or set the port manually with -p
    • $ nmap -sV --script mysql-databases <target>
    • $ nmap -p1111 --script mysql-databases <target>
  • Enumerate users on MySQL servers
    • $ nmap -p3306 --script mysql-users --script-args mysqluser=<user>,mysqlpass=<password> <target>
    • If no credentials are given with the script arguments mysqluser and mysqlpass, the script reuses the results of mysql-brute and mysql-empty-password
  • Enumerate databases and users on MySQL installations whose root account has an empty password
    • $ nmap -sV --script mysql-empty-password,mysql-databases,mysql-users <target>
  • If running on a port other than 3306
    • $ nmap -p3333 --script mysql-users <target>
    • $ nmap -sV --script mysql-users <target>
  • List variables on MySQL servers
    • $ nmap -p3306 --script mysql-variables --script-args mysqluser=root,mysqlpass=<password> <target>
  • Retrieve databases, usernames and variables from a MySQL server with an empty root password
    • $ nmap -sV --script mysql-empty-password,mysql-variables,mysql-users <target>
  • Check for empty root passwords on MySQL servers
    • $ nmap -p3306 --script mysql-empty-password <target>
  • To use a custom list of usernames you need to modify the NSE script mysql-empty-password.nse
    • Find the line local users = {"", "root"} and replace the table with the accounts to try, for example local users = {"plesk", "root", "cpanel", "test", "db"}
    • Run it as
      • $ nmap -sV --script mysql-empty-password <target>
      • $ nmap -p3306 --script mysql-empty-password <target>
  • Launch a dictionary attack against a MySQL server
    • $ nmap -p3306 --script mysql-brute <target>
  • If running on a non-standard port
    • $ nmap -sV --script mysql-brute <target>
    • $ nmap -p1234 --script mysql-brute <target>
  • To detect insecure configurations on MySQL servers (the audit file shipped with Nmap is based on the CIS benchmark)
    • $ nmap -p3306 --script mysql-audit --script-args 'mysql-audit.username="<username>",mysql-audit.password="<password>",mysql-audit.filename=/usr/local/share/nmap/nselib/data/mysql-cis.audit' <target>
  • Brute force password auditing against Oracle
    • $ nmap -sV --script oracle-brute --script-args oracle-brute.sid=TEST <target>
    • The same brute-library arguments apply: custom user/password lists, quit after the first valid account (brute.firstonly) and the time limit (unpwdb.timelimit)
    • Brute force Oracle SID names
      • $ nmap -sV --script oracle-sid-brute <target>
  • Retrieve information from an MS SQL Server
    • $ nmap -p1433 --script ms-sql-info <target>
  • If port 445 is open you can retrieve the information through SMB named pipes
    • $ nmap -sV --script-args mssql.instance-name=MSSQLSERVER --script ms-sql-info -p445 -v <target>
    • $ nmap -sV --script-args mssql.instance-all --script ms-sql-info -p445 <target>
  • Brute force password auditing against MS SQL Server
    • $ nmap -p1433 --script ms-sql-brute <target>
  • Dump crackable password hashes from an SQL Server (needs a login privileged enough to read the login table; here the empty sa password found by the first script)
    • $ nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>
  • Run Windows commands through MS SQL Server (xp_cmdshell)
    • Since SQL Server 2005 xp_cmdshell is disabled by default and must be enabled by a sysadmin
    • $ nmap --script-args 'mssql.username="<user>",mssql.password=""' --script ms-sql-xp-cmdshell -p1433 <target>
  • Find MS SQL servers with an empty sa password
    • $ nmap -p1433 --script ms-sql-empty-password -v <target>
  • If port 445 is open you can run the check through named pipes
    • $ nmap -sV --script-args mssql.instance-name=MSSQLSERVER --script ms-sql-empty-password -p445 -v <target>
  • MongoDB may hold several databases in a single installation
    • List the databases
    • $ nmap -p27017 --script mongodb-databases <target>
  • Retrieve server information from MongoDB
    • $ nmap -p27017 --script mongodb-info <target>
  • List all databases in a CouchDB installation
    • $ nmap -p5984 --script couchdb-databases <target>
  • Retrieve database statistics from the CouchDB HTTP service
    • $ nmap -p5984 --script couchdb-stats 127.0.0.1
  • Discover valid email accounts that could be used as usernames in some web applications or during brute force password auditing
    • http-google-email.nse is not part of Nmap; download it from seclists.org, copy it to the scripts directory and update the script database
    • $ nmap --script-updatedb
  • Find valid email accounts using Google Search and Google Groups
    • $ nmap -p80 --script http-google-email <target>
  • Show only results belonging to a certain hostname
    • $ nmap -p80 --script http-google-email --script-args http-google-email.domain=<hostname> <target>
  • Increase the number of pages to be crawled; the default is 5 pages
    • $ nmap -p80 --script http-google-email --script-args http-google-email.pages=10 <target>
  • If something odd happens when running an NSE script, turn on debugging: -d<level>, with levels between 0 and 9
    • $ nmap -p80 --script http-google-email -d4 <target>
  • Detect open relays
    • $ nmap -sV --script smtp-open-relay -v <target>
    • A 503 response means the server refused the relay attempts and is not open to relaying
    • smtp-open-relay runs on ports 25, 465 and 587
  • Specify an alternative IP address or domain name for the test addresses
    • $ nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.ip=<ip> <target>
    • $ nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.domain=<domain> <target>
  • Specify the source and destination email addresses used in the tests
    • $ nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.to=<destination address>,smtp-open-relay.from=<source address> <target>
  • Launch a dictionary attack against an SMTP server
    • $ nmap -p25 --script smtp-brute <target>
    • By default the script uses the word lists nselib/data/usernames.lst and nselib/data/passwords.lst
    • The same brute-library arguments apply: custom password/username lists, the time limit and quitting after the first account found
  • Enumerate users on an SMTP server
    • This script only works on SMTP servers that do not require authentication before RCPT, VRFY or EXPN
    • $ nmap -p25 --script smtp-enum-users <target>
  • Choose which methods to try (RCPT, VRFY and EXPN) and the order in which to try them
    • $ nmap -p25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT} <target>
  • To set a different domain in the SMTP commands
    • Again, a different user list, time limit and quitting after the first account found can be set the same way
    • $ nmap -p25 --script smtp-enum-users --script-args smtp-enum-users.domain=<domain> <target>
  • Detect rogue SMTP servers on your network
    • $ nmap -sV --script smtp-strangeport <target>
    • If an SMTP server is found running on a port other than 25, 465 and 587 you will be notified
    • It is possible to run this regularly as an ongoing monitoring check
  • Brute force password auditing against IMAP
    • The same brute-library arguments apply: user list, time limit and quit after the first valid account
      • $ nmap -p143 --script imap-brute <target>
  • List the capabilities of an IMAP server
    • $ nmap -p143,993 --script imap-capabilities <target>
  • For cases where the IMAP server is running on a non-standard port
    • $ nmap -sV --script imap-capabilities <target>
  • Brute force password auditing against POP3 mail servers
    • The same brute-library arguments apply for the time limit and the username/password lists
    • $ nmap -p110 --script pop3-brute <target>
  • List the capabilities of a POP3 mail server
    • $ nmap -p110 --script pop3-capabilities <target>
  • Exim SMTP servers 4.70 to 4.75 with DKIM enabled are vulnerable to a format string bug (CVE-2011-1764) that allows remote attackers to execute code
    • $ nmap --script smtp-vuln-cve2011-1764 --script-args mailfrom=<source address>,mailto=<destination address>,domain=<domain> -p25,465,587 <target>
  • How to work with IP address ranges when scanning with Nmap
    • $ nmap -A -O 192.1.1.1-255
    • $ nmap -A -O 192.1.1.1/24
    • $ nmap -A -O 192.1.1.1 192.1.1.2
    • $ nmap -p25,80 -O -T4 192.1.1.1/24
  • Three ways to deal with IP address ranges
    • Multiple host specifications on the command line
    • Octet range addressing (each octet may be a number, a range or a list: 192.1.1-3.1,5)
    • CIDR notation
  • $ nmap -A -O 192.1.1.1-255 --exclude 192.1.1.15
  • $ nmap -A -O 192.1.1.1-255 --exclude 192.1.1.15,192.1.1.16
  • Or you can do it via a file
    • $ cat dontscan.txt
    • 192.1.1.15
    • 192.1.1.16
    • $ nmap -A -O --exclude-file dontscan.txt 192.1.1.1-255
  • $ nmap -h for the list of port scanning techniques and options
  • Scan the targets loaded from an external file
    • $ cat targets.txt
    • 192.1.1.1
    • 192.1.1.2
    • Comments in these files start with #
      • E.g. # FTP servers x.x.x.x
    • To use
      • $ nmap -iL targets.txt
  • Exclude a host list from a scan
    • $ nmap -sV -O --exclude-file dontscan.txt 192.1.1.1/24
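Before a large scan it is worth knowing exactly which addresses the three target forms above (multiple specs, octet ranges, CIDR) expand to after --exclude and --exclude-file are applied. The following Python is an added example, not Nmap's own code: it expands those forms, parses -iL / --exclude-file contents with # comments, and applies the exclusions, so a scope can be reviewed as a plain host list. Hostnames are passed through unresolved; the inputs in the test are constructed.

```python
"""Expand Nmap-style target specifications and apply exclusions.

Added example, not Nmap's code. Handles 'a.b.c.d', octet ranges and lists
('192.1.1.1-255', '10.0.0-3.1,5', '-' for 0-255) and CIDR; other strings are
treated as hostnames and returned unchanged.
"""
import ipaddress
import itertools
import re

_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet_values(part):
    """'5' -> [5]; '1-3' -> [1, 2, 3]; '-' -> 0..255; '1,5-6' -> [1, 5, 6]."""
    values = []
    for piece in part.split(","):
        if piece == "-":
            piece = "0-255"
        m = _OCTET.match(piece)
        if not m:
            raise ValueError(f"bad octet range {piece!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds {piece!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_spec(spec):
    """Expand one target spec into a list of address strings."""
    if "/" in spec:
        # CIDR: like Nmap, include the network and broadcast addresses
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    parts = spec.split(".")
    if len(parts) == 4 and all(re.fullmatch(r"[\d,-]+", p) for p in parts):
        return [".".join(map(str, combo))
                for combo in itertools.product(*(_octet_values(p) for p in parts))]
    return [spec]  # hostname: left for DNS resolution at scan time


def load_list(text):
    """Parse -iL / --exclude-file contents: whitespace-separated specs, '#' comments."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        specs.extend(line.split())
    return specs


def build_target_list(specs, exclude_specs=()):
    """Expand all specs, drop anything matched by the exclusions, keep first-seen order."""
    excluded = set()
    for spec in exclude_specs:
        excluded.update(expand_spec(spec))
    seen, targets = set(), []
    for spec in specs:
        for target in expand_spec(spec):
            if target not in excluded and target not in seen:
                seen.add(target)
                targets.append(target)
    return targets


if __name__ == "__main__":
    # Constructed dontscan.txt contents, as in the notes above
    exclude = load_list("# core switches\n192.1.1.15 192.1.1.16\n")
    hosts = build_target_list(["192.1.1.1-255"], exclude)
    print(len(hosts), "targets, first", hosts[0], "last", hosts[-1])
```

Dropping the result into a file for -iL, rather than passing ranges on the command line, also gives you a reviewable record of scope that can be attached to the engagement notes.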
  • Generate random hosts as targets of your scans
    • To generate a target list of 100 random Internet hosts (private, multicast and unallocated ranges are skipped)
    • $ nmap -iR 100
  • Combine this option with a ping scan
    • $ nmap -sn -iR 3
    • Use this feature wisely: you are probing strangers' systems, and in many jurisdictions that needs authorisation
  • Generate an unlimited number of IPs and hence run indefinitely
    • $ nmap -iR 0
  • Find random NFS shares online (--open shows only hosts with the port open)
    • $ nmap -p2049 --open -iR 0
  • A full port scan with the timing template set to aggressive, without reverse DNS resolution and without ping
    • To skip the host discovery phase (no ping) use the flag -Pn
    • $ nmap -T4 -n -Pn -p- 192.1.1.1
  • Nmap performs reverse DNS lookups for hosts found up; to skip them use the argument -n
  • To watch the DNS lookups (and every other packet) as they happen
    • $ nmap -Pn -p80 --packet-trace <target>
  • Port scanning can be skipped with -sn (host discovery only); combined with -R every address is resolved
    • $ nmap -sn -R --packet-trace 192.1.1.1
  • ISPs often have slow DNS servers; set your own
    • $ nmap -R --dns-servers 8.8.8.8,8.8.4.4 -O <target>
  • Scanning phases of Nmap
    • Script pre-scanning:
      • only executed when you use -sC or --script
    • Target enumeration:
      • -Pn – to check if host is online
    • Host discovery:
      • -Pn can be used to skip this phase. -R = do reverse DNS lookup. -n = don't do reverse lookup
    • Port scanning:
      • -sn = don't determine the state of ports
    • Version detection:
      • -sV = provide more detailed information
    • OS detection:
      • -O = determine operating system
    • Traceroute:
      • --traceroute performs traceroute
    • $ nmap -A <target> is the same as running $ nmap -sC -sV -O --traceroute <target>
  • Nmap's timing templates [0-5]: 0 slowest, 5 fastest
    • Setting these values incorrectly will most likely hurt performance rather than improve it
    • -T[0-5]
      • Paranoid:
        • -T0 Good for avoiding detection systems, ports scanned individually and 5 mins between probes
      • Sneaky:
        • -T1 Useful for avoiding detection systems, but still very slow
      • Polite:
        • -T2 When scanning is not supposed to interfere with the target system
      • Normal:
        • -T3 Default, used when the -T arg is not set
      • Aggressive:
        • -T4 Recommended timing template for broadband and Ethernet connections
      • Insane:
        • -T5 Sacrifices accuracy for speed
  • The RTT timeout value is used to decide when to give up on a probe or retransmit it
    • $ nmap -A -p- --initial-rtt-timeout 150ms <target>
  • Set min and max timeout limits
    • $ nmap -A -p- --min-rtt-timeout 200ms --max-rtt-timeout 600ms <target>
  • Control the waiting time between probes
    • $ nmap -A --max-scan-delay 10s <target>
    • $ nmap -A --scan-delay 1s <target>
    • Don't set --max-scan-delay too low as it will likely miss ports
    • The two above args are very good for avoiding detection
    • Quit the scan after a specific amount of time
      • $ nmap -sV -A -p- --host-timeout 5m <target>
  • Estimate the round trip time between you and the target
    • Best practice: double the maximum RTT value for --initial-rtt-timeout, and set --max-rtt-timeout to four times the maximum round trip time
    • Will send 30 packets and then calculate an average
      • $ ping -c 30 <target>
  • Limit the number of packets sent per second by Nmap. The args --min-rate and --max-rate need to be used carefully to avoid undesirable results; Nmap sets these rates automatically if they are not given
    • $ nmap -A -p- --min-rate 50 --max-rate 100 <target>
  • To quit the scan after a certain amount of time
    • $ nmap -sV -A -p- --host-timeout 5m <target>
  • Scan indefinitely for web servers and collect their HTTP headers
    • $ nmap -p80 -Pn -n -T4 --open --script http-headers,http-title --script-args http.useragent="A friendly web crawler (http://someurl.com)",http-headers.useget -oX random-webservers.xml -iR 0
  • Dnmap is a project for distributing scans among different clients
    • You must install the dependencies on each client
    • # apt-get install libssl-dev python-twisted
  • Save scan results to a file in normal mode
    • $ nmap -F -oN scanme.txt <target>
    • $ nmap -A -oN normal-output.txt -oX xml-output.xml <target>
    • -oA <basename> saves the scan in all available formats: .nmap, .xml, .gnmap
  • Include debugging info in output logs
    • $ nmap -A -T4 -oN output.txt --log-errors <target>
  • To include the reasons why a port is marked as open or closed, and why the host is marked as alive, use --reason
    • $ nmap -F --reason <target>
  • Appending output logs
    • $ nmap --append-output -oN existing.log <target>
  • OS detection in verbose mode can reveal more info
    • $ nmap -O -v <target>
  • Save scan to a file
    • $ nmap -A -O -oX scanme.xml <target>
  • Print XML results to stdout instead of writing to a file
    • $ nmap -oX - <target>
  • Apply a stylesheet
  • Generate an image of the network topology with Zenmap
    • Feature works best with --traceroute
    • The Topology tab of Zenmap also offers different visualisation controls
      • $ nmap -O -A 192.1.1.1/24
  • Nmap can be turned into a vulnerability scanner by using NSE scripts; the vuln script category does this
    • $ nmap -sV --script vuln <target>
  • To report all of the security checks, even unsuccessful ones, use vulns.showall
    • $ nmap -sV --script vuln --script-args vulns.showall <target>
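The three target notations above (multiple host specs, octet ranges, CIDR) and the -iL / --exclude-file lists with # comments are easy to get wrong, so it pays to expand the scope before handing it to nmap and confirm nothing outside the authorised range is included. The following Python script is an added example, not code from the page or from the Nmap project; the file contents are constructed samples in documentation address space.

```python
"""Expand Nmap-style target specs and apply an exclude list before scanning.
Added example: mirrors the page's three notations (host specs, octet ranges
such as 192.1.1.1-255, CIDR) and the '#' comment rule of -iL/--exclude-file.
The two file bodies below are constructed samples (RFC 5737 addresses)."""
import ipaddress
import itertools
import re

TARGETS_TXT = """# FTP servers
192.0.2.1
192.0.2.5-8
# Web tier
198.51.100.0/30
"""

DONTSCAN_TXT = """192.0.2.6   # owned by another team
198.51.100.1
"""

_OCTET = re.compile(r"^\d{1,3}(-\d{1,3})?$")


def read_spec_file(text):
    """Parse an -iL/--exclude-file style list: '#' starts a comment,
    whitespace separates specs."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            specs.extend(line.split())
    return specs


def expand_spec(spec):
    """Yield every IPv4Address covered by one spec: a plain address,
    a CIDR block, or an Nmap octet range like 192.0.2.5-8."""
    if "/" in spec:
        # ipaddress iterates the whole block, network and broadcast included
        yield from ipaddress.ip_network(spec, strict=False)
        return
    octets = spec.split(".")
    if len(octets) != 4 or not all(_OCTET.match(o) for o in octets):
        raise ValueError(f"unsupported target spec: {spec!r}")
    ranges = []
    for octet in octets:
        lo, _, hi = octet.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range in {spec!r}")
        ranges.append(range(lo, hi + 1))
    # Each octet range is independent, so the spec is their Cartesian product
    for combo in itertools.product(*ranges):
        yield ipaddress.IPv4Address(".".join(map(str, combo)))


def build_scope(target_text, exclude_text):
    """Return the sorted list of addresses nmap would actually be handed:
    everything in the target list minus everything in the exclude list."""
    targets = {ip for spec in read_spec_file(target_text) for ip in expand_spec(spec)}
    excluded = {ip for spec in read_spec_file(exclude_text) for ip in expand_spec(spec)}
    return [str(ip) for ip in sorted(targets - excluded)]


if __name__ == "__main__":
    for ip in build_scope(TARGETS_TXT, DONTSCAN_TXT):
        print(ip)
```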
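The -oX output and --reason flag described above are most useful when the XML is processed rather than read by eye, for instance to compare a scan against the ports each host is expected to expose. The following Python script is an added example, not code from the page or from the Nmap project; the XML is a constructed sample in the shape nmap -oX produces, and the baseline allow-list is hypothetical.

```python
"""Parse Nmap XML output (-oX) and flag open ports outside an expected baseline.
Added example: SAMPLE_XML is a constructed fragment shaped like nmap -oX output
with --reason; the baseline dict is a hypothetical allow-list per host."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --reason -oX - 192.0.2.0/30">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset"/>
<service name="mysql"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.2" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.3" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_open_ports(xml_text):
    """Return {ip: [{port, proto, reason, service}, ...]} for open ports on hosts
    reported up; down hosts and non-open ports are skipped."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            fields = [] if svc is None else [svc.get(k) for k in ("name", "product", "version")]
            entries.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "reason": state.get("reason"),  # the evidence --reason recorded
                "service": " ".join(f for f in fields if f),
            })
        hosts[addr.get("addr")] = entries
    return hosts

def unexpected_open_ports(hosts, baseline):
    """Diff parsed results against {ip: {allowed ports}}. A host absent from the
    baseline has every open port reported. Returns a list of (ip, port, service)."""
    findings = []
    for ip, entries in hosts.items():
        allowed = baseline.get(ip, set())
        for entry in entries:
            if entry["port"] not in allowed:
                findings.append((ip, entry["port"], entry["service"]))
    return findings

if __name__ == "__main__":
    BASELINE = {"192.0.2.1": {22, 80}}  # hypothetical expected exposure
    for finding in unexpected_open_ports(parse_open_ports(SAMPLE_XML), BASELINE):
        print("unexpected open port: %s:%d (%s)" % finding)
```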

More Screenshots from an Nmap book


Yet another Nmap Book


Publisher Name
OIC Solutions
