# NMAP snippets

## Finding IP behind WAF

### Enumerating DNS records from hostname

```shell
dnsrecon -t std -d <site>
subfinder -d <site> | httprobe
sslscan <site>
```
### Recon suite for finding real IP
## Searchsploit

### Show EDB ID

```shell
searchsploit --id ...
```

### Show more detail for an EDB-ID (the exploit's full path)

```shell
searchsploit -p <EDB-ID>
```

### View the exploit file in a pager (less)

```shell
searchsploit --examine <EDB-ID>
```

### Feed nmap XML output into searchsploit

Run a version scan with XML output, then let searchsploit look up every detected product/version:

```shell
nmap -sV 192.168.0.15 -vvv -oX result.xml
searchsploit -x --nmap result.xml -v --id
```
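Searchsploit works from the `product` and `version` attributes in that XML. The following Python is an added example (not from this page, nmap or searchsploit) that parses a `result.xml` of the kind `nmap -sV -oX` writes, lists each open port with the detected service, and records whether the version came from a real probe match (`method="probed"`) or only from the port-number table. The XML is a constructed sample in nmap's schema, and the `version_banners()` strings are my approximation of what one would search on, not searchsploit's own logic.

```python
"""Parse nmap -oX output and list detected services.

Added example: reads a constructed XML sample shaped like nmap's real
output; it does not run nmap.
"""
import xml.etree.ElementTree as ET

# Constructed sample (hosts, products and versions are made up), trimmed
# to the elements this parser uses.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 192.168.0.15 -vvv -oX result.xml">
  <host>
    <status state="up"/>
    <address addr="192.168.0.15" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered"/>
        <service name="https" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per *open* port with the service nmap attached to it."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports carry no usable version
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda _k: None)
            results.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                # "probed": nmap matched a response; "table": guessed from the port number only
                "confidence": get("method"),
            })
    return results


def version_banners(services):
    """Build 'product version' strings (assumed search keys) for ports that have a product."""
    return [f"{s['product']} {s['version'] or ''}".strip()
            for s in services if s["product"]]


if __name__ == "__main__":
    found = parse_services(SAMPLE_XML)
    for entry in found:
        print(entry)
    print(version_banners(found))
```

Only `method="probed"` entries deserve trust; a `table` entry means nmap never got a banner, so any exploit match on it is speculative.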
## Fast scan for host discovery

```shell
nmap -sn 192.168.0.0/24 -vvv
```

## Fast port scan

```shell
nmap -F 192.168.0.0/24
```

## Top ports scan

```shell
nmap --top-ports 1000 192.168.0.0/24
```

## Version detection

```shell
nmap -sV 192.168.0.0/24
```

## OS, version, script, traceroute

```shell
nmap -A 192.168.0.0/24
```

## OS

```shell
nmap -O --osscan-guess 192.168.0.0/24
```
## NSE Scripts

### Default NSE

```shell
nmap -sC 192.168.0.0/24
```

### HTTP scripts

```shell
nmap --script "http-*" 192.168.0.0/24
```
## Snippets

### Sitemap generator

```shell
nmap -Pn --script=http-sitemap-generator scanme.nmap.org
```

### Fast random web servers

```shell
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
```

### Brute-force DNS hostnames to guess subdomains

```shell
nmap -Pn --script=dns-brute domain.com
```
### Scan with decoy source IPs

```shell
nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
```
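From the target's side, a decoy scan looks like several source addresses probing the same ports on the same host within a few seconds, which is exactly what `-D` produces. The following Python is an added example (not from this page or nmap) of a detection heuristic run over constructed firewall log lines: it groups sources by target and probed port set and flags any group of three or more sources whose activity fits in a five-second window. The log format, the `min_sources` threshold and the `window` size are assumptions, not any particular firewall's.

```python
"""Flag decoy-scan patterns in firewall logs.

Added example with constructed log lines of the form
"<epoch> <src> -> <dst>:<dport>"; thresholds are assumed defaults.
"""
from collections import defaultdict

# Constructed sample: four sources probe ports 22, 80 and 443 on 192.168.1.1
# in lockstep (decoys plus the real scanner); 10.0.0.9 is unrelated traffic.
SAMPLE_LOG = """\
1700000000 192.168.1.101 -> 192.168.1.1:22
1700000000 192.168.1.102 -> 192.168.1.1:22
1700000000 192.168.1.103 -> 192.168.1.1:22
1700000000 192.168.1.23 -> 192.168.1.1:22
1700000001 192.168.1.101 -> 192.168.1.1:80
1700000001 192.168.1.102 -> 192.168.1.1:80
1700000001 192.168.1.103 -> 192.168.1.1:80
1700000001 192.168.1.23 -> 192.168.1.1:80
1700000002 192.168.1.101 -> 192.168.1.1:443
1700000002 192.168.1.102 -> 192.168.1.1:443
1700000002 192.168.1.103 -> 192.168.1.1:443
1700000002 192.168.1.23 -> 192.168.1.1:443
1700000010 10.0.0.9 -> 192.168.1.1:443
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port = line.split()
        dst, dport = dst_port.rsplit(":", 1)
        events.append((int(ts), src, dst, int(dport)))
    return events


def find_decoy_groups(events, min_sources=3, window=5):
    """Return {(target, probed_ports): [sources]} for groups of at least
    `min_sources` sources that hit the same port set on one target within
    `window` seconds of each other."""
    per_src = defaultdict(lambda: {"ports": set(), "first": None, "last": None})
    for ts, src, dst, dport in events:
        rec = per_src[(dst, src)]
        rec["ports"].add(dport)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)

    # Bucket sources that probed exactly the same ports on the same target.
    buckets = defaultdict(list)
    for (dst, src), rec in per_src.items():
        buckets[(dst, tuple(sorted(rec["ports"])))].append(
            (src, rec["first"], rec["last"]))

    groups = {}
    for key, members in buckets.items():
        if len(members) < min_sources:
            continue
        start = min(m[1] for m in members)
        end = max(m[2] for m in members)
        if end - start <= window:  # all members were active together
            groups[key] = sorted(m[0] for m in members)
    return groups


if __name__ == "__main__":
    for (target, ports), sources in find_decoy_groups(parse_log(SAMPLE_LOG)).items():
        print(f"{target} ports {ports}: possible decoy set {sources}")
```

The flagged set contains the real scanner, but this heuristic alone cannot say which member it is; it is a trigger for further investigation, not an attribution.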
### Stealth list scan with name resolution

`-sL` doesn't actually scan anything; it lists the targets a scan would cover, resolving each to its reverse-DNS name. This adds little on a local subnet, but is useful for discovering Internet-facing machines through their DNS names.

```shell
nmap -sL 192.168.0.0/24 -vvv
nmap --dns-servers 8.8.4.4,8.8.8.8 -sL 209.132.183.105/24 -vvv
```
### Detect whether a site is behind a WAF

A Web Application Firewall (WAF) is specifically designed to protect websites from SQL injection, cross-site scripting, malformed HTTP requests, etc. The `http-waf-detect` script sends a few attack-like probe requests and looks for a changed response, so a WAF that lets those through silently will not be reported.

```shell
nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" <site>
```