Initial Enumeration Tool (noisy as heck)

Piranha.sh | Performs NMAP Intense scan, runs tools based on results

https://github.com/jaxparr0w/auto_enum

NMAP

My usual nmap starter scan for CTF, when stealth isn’t a requirement

nmap -v -A -oA intense <target>

A FEW OTHER nmap scans

Full TCP port scan (all 65535 ports) with service version detection.

nmap -p 1-65535 -sV -T4 <target> -v

More about service discovery

nmap -p <port> -sV --version-intensity <level> -oN <filename> <target> -v

Set <level> from 0 (light, only the most likely probes) to 9 (try every probe); the default is 7. Higher levels identify more obscure services but send far more traffic to the port.

--version-trace shows each probe sent and the response received while -sV runs, which is the first thing to check when a service comes back unidentified.

TARGETS

Quickly Scan a range of IPs

nmap -v -T4 192.168.1.1-255

Scan a subnet

nmap -v 192.168.1.0/24

Scan targets from a text file

nmap -iL list-of-ips.txt -v

NSE Scripts

Get help for a script

nmap --script-help=ssl-heartbleed -v

Scan using a specific NSE script

nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.1 -v

Scan with a set of scripts (quote the wildcard so the shell does not expand it against files in the current directory)

nmap -sV --script="smb*" 192.168.1.1 -v

Show script options

--script-help=$scriptname

To get an easy list of the installed scripts try

locate .nse | grep script

HTTP Service Information

Gather page titles from HTTP services

nmap --script=http-title 192.168.1.0/24 -v

Get HTTP headers of web services

nmap --script=http-headers 192.168.1.0/24 -v

Find web apps from known paths

nmap --script=http-enum 192.168.1.0/24 -v

There are many HTTP information-gathering scripts; these three are simple but useful on larger networks because they quickly tell you what is actually running behind each open HTTP port. Note that http-enum is particularly noisy: like Nikto, it probes known paths of common web applications and scripts, which inevitably generates hundreds of 404 responses in the web server's access and error logs.

SMB

nmap -v -p 139,445 --script="smb-vuln*" <target>

(SMB is 139/tcp for NetBIOS session service and 445/tcp for direct SMB; 138 is the NetBIOS datagram service on UDP and is not what these scripts talk to.)

IP Address information

Find information about an IP address

nmap --script=asn-query,whois-ip,ip-geolocation-maxmind <public-target> -v

Gathers information about the IP address and the owner of its netblock using ASN, whois and GeoIP lookups (on current Nmap releases the old whois script is named whois-ip). These scripts consult external data sources, so they need outbound access and only give meaningful answers for public addresses; run against a private range such as 192.168.1.0/24 they return nothing useful. See the IP Tools for more information and similar IP address and DNS lookups.

SNMP

The entire MIB tree (community string public is the usual default guess; try private as well)

snmpwalk -c public -v1 <target>

Windows Users:

snmpwalk -c public -v1 <target> 1.3.6.1.4.1.77.1.2.25

Running Windows Processes:

snmpwalk -c public -v1 <target> 1.3.6.1.2.1.25.4.2.1.2

Open TCP Ports:

snmpwalk -c public -v1 <target> 1.3.6.1.2.1.6.13.1.3

Installed Software:

snmpwalk -c public -v1 <target> 1.3.6.1.2.1.25.6.3.1.2
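Added example, not code from these notes or from Piranha.sh/auto_enum: a small POSIX shell planner that reads an nmap grepable (-oG) file and picks the follow-up per open service (the http-* scripts for web ports, the smb-vuln* set for SMB, snmpwalk for 161/udp, a full-intensity version probe for anything else). It is the dispatch step behind a "runs tools based on results" wrapper like the one at the top of these notes, tying together the SMB and SNMP commands above. The two-host gnmap sample is constructed inline so it runs without a target; the function name plan_followups, the addresses and the script sets chosen are my own assumptions.

```shell
#!/bin/sh
# plan_followups: turn nmap -oG output into one follow-up command per open
# service. Only the IP, port, protocol and service-name fields are used; the
# version string is attacker-influenced and never reaches the shell.
plan_followups() {   # usage: plan_followups scan.gnmap
    awk -F'\t' '
    /^Host: / && /Ports: / {
        split($1, h, " "); host = h[2]            # "Host: <ip> (<name>)"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Ports: /) ports = substr($i, 8)
        }
        n = split(ports, p, ", ")
        for (i = 1; i <= n; i++) {
            # each entry: port/state/proto/owner/service/rpc/version/
            split(p[i], f, "/")
            if (f[2] != "open") continue
            port = f[1]; proto = f[3]; svc = f[5]
            if (svc ~ /http/) {
                printf "nmap -sV -p %s --script=http-title,http-headers,http-enum %s\n", port, host
            } else if (svc ~ /^(netbios-ssn|microsoft-ds)$/) {
                if (!smb_done[host]++) {          # one SMB check per host, not per port
                    printf "nmap -sV -p 139,445 --script=\"smb-vuln*\" %s\n", host
                }
            } else if (svc == "snmp" && proto == "udp") {
                printf "snmpwalk -c public -v1 %s\n", host
            } else {
                printf "nmap -sV -p %s --version-intensity 9 %s\n", port, host
            }
        }
    }' "$1"
}

# Constructed sample of nmap -oG output (two hosts, hypothetical addresses),
# written to a temp file so the planner can be exercised offline.
GNMAP_SAMPLE=$(mktemp)
trap 'rm -f "$GNMAP_SAMPLE"' EXIT
{
    printf '# Nmap 7.80 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)/, 3306/closed/tcp//mysql///\tIgnored State: filtered (995)\n'
    printf 'Host: 192.168.1.11 ()\tPorts: 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: open|filtered (999)\n'
} > "$GNMAP_SAMPLE"

# Print the plan; once reviewed, execute it with: plan_followups scan.gnmap | sh
plan_followups "$GNMAP_SAMPLE"
```

The planner deliberately emits commands instead of running them, so the noisy steps (http-enum, smb-vuln*) can be pruned before anything touches the target, and closed ports and duplicate SMB entries never produce a command.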

Reference

https://highon.coffee/blog/nmap-cheat-sheet/