# Scanning

### Nmap

#### Scan all ports

```shell
nmap 192.168.1.1 -p-
```

```
┌──(root㉿INE)-[~]
└─# nmap demo.ine.local -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 19:08 IST
Nmap scan report for demo.ine.local (192.233.140.3)
Host is up (0.000028s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
6421/tcp  open  nim-wan
41288/tcp open  unknown
55413/tcp open  unknown
MAC Address: 02:42:C0:E9:8C:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds
```

#### Service detection

```shell
nmap 192.168.1.1 -sV
```

```
┌──(root㉿INE)-[~]
└─# nmap -Pn -sV -p 80 demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 11:02 IST
Nmap scan report for demo.ine.local (10.5.31.252)
Host is up (0.0021s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.37 seconds

```

#### Faster aggressive scan on all ports **(best for CTFs)**

```shell
nmap -T5 -A -p- --min-rate=500 10.129.187.71
```

Useful flags:

* -v         Show results as the scan progresses (verbose)
* -A         Enables OS detection, version detection, script scanning, and traceroute
* -sV        Probe open ports to determine service/version info
* -sC        Run the default script set
* --script vuln   Test for vulnerabilities
* -sU        UDP scan

#### Scan when ping (ICMP) is blocked

```shell
nmap -Pn demo.ine.local
```

#### UDP Scan

```
┌──(root㉿INE)-[~]
└─# nmap demo.ine.local -p 1-250 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 19:16 IST
Stats: 0:01:14 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 29.92% done; ETC: 19:20 (0:02:53 remaining)
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 30.32% done; ETC: 19:20 (0:02:52 remaining)
Nmap scan report for demo.ine.local (192.119.106.3)
Host is up (0.00011s latency).
Not shown: 247 closed udp ports (port-unreach)
PORT    STATE         SERVICE
134/udp open|filtered ingres-net
177/udp open|filtered xdmcp
234/udp open|filtered unknown
MAC Address: 02:42:C0:77:6A:03 (Unknown)
```
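The port tables above have a fixed shape, which makes them easy to turn into an inventory and diff against what a host is supposed to expose. The following Python script is an added example, not part of the original notes; the sample output and the allowlist are constructed.

```python
import re

# Constructed sample in the shape of the Nmap normal output above
# (not a real host; the values are illustrative).
SAMPLE_OUTPUT = """\
Nmap scan report for demo.ine.local (192.233.140.3)
Host is up (0.000028s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE         SERVICE      VERSION
80/tcp    open          http         HttpFileServer httpd 2.3
445/tcp   open          microsoft-ds
6421/tcp  open          nim-wan
134/udp   open|filtered ingres-net
MAC Address: 02:42:C0:E9:8C:03 (Unknown)
"""

# One PORT line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)

def parse_ports(text):
    """Return one dict per PORT line found in Nmap normal output."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["version"] = (rec["version"] or "").strip()
            records.append(rec)
    return records

def unexpected_ports(records, allowlist):
    """Open (or open|filtered) ports not in the allowlist of (port, proto) pairs."""
    return [r for r in records
            if r["state"].startswith("open")
            and (r["port"], r["proto"]) not in allowlist]

if __name__ == "__main__":
    baseline = {(80, "tcp"), (445, "tcp")}   # constructed authorized-service baseline
    for r in unexpected_ports(parse_ports(SAMPLE_OUTPUT), baseline):
        print(f"unexpected: {r['port']}/{r['proto']} {r['state']} {r['service']} {r['version']}")
```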

### Nmap scripts

Scripts can be found at the following location:

```shell
ls -la /usr/share/nmap/scripts
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FQ7IjGD9P9TeGF21SONtj%2Fimage.png?alt=media&#x26;token=1481fe25-c76c-494f-9f34-d00178a26ec9" alt=""><figcaption></figcaption></figure>

#### Getting Help about the scripts

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2Fx0eTUOLkZ0d9X8NxoTGQ%2Fimage.png?alt=media&#x26;token=4ae3d957-483e-4a16-bffb-fa7ee50f3b0b" alt=""><figcaption></figcaption></figure>

#### Running a complete category of scripts

```
┌──(root㉿INE)-[~]
└─# nmap demo.ine.local -p 134 -sUV --script=discovery
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 19:23 IST
Pre-scan script results:
| broadcast-igmp-discovery: 
|   10.1.0.1
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.106
|     Description: All-Snoopers (rfc4286)
|   192.119.106.1
|     Interface: eth1
|     Version: 2
|     Group: 224.0.0.106
|     Description: All-Snoopers (rfc4286)
|_  Use the newtargets script-arg to add the results as targets
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
```

#### Running all scripts matching a name pattern

```
mmartiger_1@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 00:53 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00021s latency).

PORT     STATE SERVICE     VERSION
3306/tcp open  nagios-nsca Nagios NSCA
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|_  Statistics: Performed 45010 guesses in 5 seconds, average tps: 9002.0
|_mysql-databases: ERROR: Script execution failed (use -d to debug)
|_mysql-dump-hashes: ERROR: Script execution failed (use -d to debug)
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.26-0ubuntu0.20.04.1
|   Thread ID: 13
|   Capabilities flags: 65535
|   Some Capabilities: SupportsLoadDataLocal, SupportsTransactions, Speaks41ProtocolOld, LongPassword, DontAllowDatabaseTableColumn, Support41Auth, IgnoreSigpipes, SwitchToSSLAfterHandshake, FoundRows, InteractiveClient, Speaks41ProtocolNew, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsCompression, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: YTSgMfqvx\x0F\x7F\x16\&\x1EAeK>0
|_  Auth Plugin Name: caching_sha2_password
|_mysql-users: ERROR: Script execution failed (use -d to debug)
|_mysql-variables: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:00:00:00:00:00 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds
```

#### Enumerating OS details with the SMB Nmap script

```shell
sudo nmap --script smb-os-discovery.nse 192.168.18.110
```

```
┌──(root㉿INE)-[~]
└─# nmap --script smb-os-discovery.nse -p 445 demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-16 19:49 IST
Nmap scan report for demo.ine.local (192.220.40.3)
Host is up (0.000055s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 02:42:C0:DC:28:03 (Unknown)

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: demo
|   NetBIOS computer name: SAMBA-RECON\x00
|   Domain name: ine.local
|   FQDN: demo.ine.local
|_  System time: 2025-11-16T14:19:40+00:00

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

```

#### Enumerate NetBIOS

```shell
nmap -sV -v --script nbstat.nse 192.168.18.110
```

#### DNS service discovery

```shell
nmap --script=broadcast-dns-service-discovery zonetransfer.me
```

#### DNS brute force

```shell
nmap -T5 -p 53 --script dns-brute zonetransfer.me
```

#### DNS SRV records for common services

```shell
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='zonetransfer.me'"
```

#### HTTP enumeration

```shell
nmap --script http-enum -sV -p 80 demo.ine.local
```

```
┌──(root㉿INE)-[~]
└─# nmap --script http-enum -sV -p 80 demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-29 19:09 IST
Nmap scan report for demo.ine.local (10.5.23.28)
Host is up (0.0034s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-enum: 
|_  /webdav/: Potentially interesting folder (401 Unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.95 seconds
```

### Avoiding Firewall

#### Fragmentation

```shell
nmap -Pn -sS -sV -p80,445,3389 -f 10.4.27.83
```

* `-Pn`: (Firewall Bypass) Tells `nmap` to skip the ping test. It assumes the host is online. This is crucial for scanning hosts that are configured to block pings (which is very common).
* `-sS`: (Stealth Scan) This is a "TCP SYN Scan." It's called "stealthy" because it doesn't complete the full TCP connection, which makes it less likely to be logged by applications. It's the default (and most popular) scan type when running `nmap` as root.
* `-sV`: (Service & Version Scan) This is the enumeration part. Instead of just reporting a port as "open," it probes that port to determine the exact service and software version (e.g., `Microsoft Windows RDP` or `Apache httpd 2.4.41`).
* `-p80,445,3389`: (Targeted Ports) This is what makes the scan *focused*. You are *only* checking these three specific ports, which are strong indicators of a Windows machine:
  * `80`: Standard port for HTTP (Web Server).
  * `445`: The modern port for SMB (Windows File Sharing).
  * `3389`: The standard port for RDP (Remote Desktop Protocol).
* `-f`: (Firewall Evasion) This tells `nmap` to fragment its packets. It splits the scan probes into smaller pieces, which can sometimes confuse or bypass simple firewalls and Intrusion Detection Systems (IDS).

#### MTU (Maximum Transmission Unit)

```shell
nmap -Pn -sS -sV -p80,445,3389 --mtu 24 10.4.27.83
```

* `nmap`: The tool.
* `-Pn`: Assumes the host is online (skips the ping test).
* `-sS`: Uses a stealthy TCP SYN scan.
* `-sV`: Performs a service and version scan.
* `-p80,445,3389`: Scans *only* these three common Windows ports.
* `--mtu 24`: This is the new flag.
  * It sets the Maximum Transmission Unit (MTU) for the packets to 24 bytes.
  * This forces `nmap` to break its scan probes (which are larger than 24 bytes) into multiple, tiny fragments.
  * Important: The value (like `24`) must be a multiple of 8. So, 8, 16, 24, 32, etc., are all valid.
* `10.4.27.83`: Your target IP address.
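The reason the value must be a multiple of 8 is the IPv4 Fragment Offset field, which counts 8-byte units. The model below, added here and not from the original notes, fragments a constructed 24-byte TCP SYN header (TCP header plus MSS option, a typical SYN probe size) the way `-f` (8-byte fragments) and `--mtu 24` would, and shows the reassembly an inspecting device has to do before it can see the TCP flags at all.

```python
import struct

# Constructed 24-byte TCP SYN header (20-byte header + 4-byte MSS option);
# ports and sequence numbers are made up for the example.
TCP_SYN = (struct.pack("!HHIIBBHHH", 40000, 445, 1, 0, 6 << 4, 0x02, 1024, 0, 0)
           + struct.pack("!BBH", 2, 4, 1460))

def fragment(payload, size):
    """Split payload into IPv4 fragments carrying `size` data bytes each (the
    quantity -f/-ff/--mtu control; a 20-byte IP header goes on top of each).
    The Fragment Offset field counts 8-byte units, so `size` must be a
    multiple of 8 or the offsets of later fragments cannot be expressed."""
    if size <= 0 or size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(payload), size):
        frags.append({"offset_units": off // 8,          # value of the offset field
                      "mf": off + size < len(payload),   # More Fragments flag
                      "data": payload[off:off + size]})
    return frags

def which_fragment(frags, byte_index):
    """Index of the fragment carrying payload byte `byte_index`, or None."""
    for i, f in enumerate(frags):
        start = f["offset_units"] * 8
        if start <= byte_index < start + len(f["data"]):
            return i
    return None

def reassemble(frags):
    """What a firewall/IDS must do before matching on the TCP header: order
    by offset, require contiguity, and wait for the final MF=0 fragment."""
    ordered = sorted(frags, key=lambda f: f["offset_units"])
    buf = bytearray()
    for f in ordered:
        if f["offset_units"] * 8 != len(buf):
            return None   # gap or overlap: not reconstructible yet
        buf += f["data"]
    if not ordered or ordered[-1]["mf"]:
        return None       # last fragment not seen yet
    return bytes(buf)

if __name__ == "__main__":
    for size in (8, 24):
        frags = fragment(TCP_SYN, size)
        print(f"size {size}: {len(frags)} fragment(s); the TCP flags byte (13) "
              f"sits in fragment {which_fragment(frags, 13)}")
```

With 8-byte fragments the destination port is in fragment 0 but the SYN flag only arrives in fragment 1, which is why a filter that judges the first fragment alone cannot tell what kind of probe it is.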

#### Example evasion

```shell
nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -D 10.10.23.1,10.10.23.2 10.4.27.83
```

* `-Pn -sS -sV -p445,3389 -f`: This is the base of your previous scan: a fragmented stealth scan for Windows services (SMB and RDP) that bypasses ping-blocking firewalls.

**The New Evasion Techniques:**

* `--data-length 200`: (Evade Packet Inspection)
  * This is a clever technique. It tells `nmap` to add 200 bytes of random data to the end of its scan packets.
  * Why? Simple firewalls and IDS often have "signatures" to detect scans. They might be looking for a default `nmap` SYN packet, which has a specific, small size. By adding 200 bytes of junk data, you make your packet a non-standard length, which can cause it to "slip by" simple filters that are not advanced enough to look deeper.
* `-D 10.10.23.1,10.10.23.2`: (Evade Source IP-Blocking)
  * This is a Decoy Scan, one of `nmap`'s most powerful evasion features.
  * It makes the target think it is being scanned by multiple IP addresses at once.
  * `nmap` will send scan packets where the "source" IP is spoofed to be `10.10.23.1` or `10.10.23.2`. It also sends packets from *your real IP* (which is hidden in this "crowd" of decoys).
  * Why? If the target's security admin sees alerts, they will see scan traffic from 3 different IPs (the 2 decoys + you). This makes it much harder for them to determine which IP is the *real* attacker and which ones are just noise.
* `10.4.27.83`: This is your actual target.
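From the logging side, decoy traffic has a footprint of its own: several sources probing the same ports in the same second, and only one of them ever completing a connection (Nmap applies decoys only to raw-packet probes; `-sV` version probes are ordinary connections from the real address). The detection script below is an added example, not from the original notes, run over constructed firewall log lines in a simplified key=value format.

```python
import re
from collections import defaultdict

# Constructed log lines (not from a real device): "SYN" = a raw probe seen,
# "EST" = a completed TCP handshake to the port.
LOG = """\
2025-11-04T19:30:01 SYN src=10.10.23.1 dst=10.4.27.83 dport=445
2025-11-04T19:30:01 SYN src=10.10.23.9 dst=10.4.27.83 dport=445
2025-11-04T19:30:01 SYN src=10.10.23.2 dst=10.4.27.83 dport=445
2025-11-04T19:30:01 SYN src=10.10.23.1 dst=10.4.27.83 dport=3389
2025-11-04T19:30:01 SYN src=10.10.23.9 dst=10.4.27.83 dport=3389
2025-11-04T19:30:01 SYN src=10.10.23.2 dst=10.4.27.83 dport=3389
2025-11-04T19:30:03 EST src=10.10.23.9 dst=10.4.27.83 dport=445
2025-11-04T19:30:03 EST src=10.10.23.9 dst=10.4.27.83 dport=3389
2025-11-04T19:30:05 SYN src=10.10.23.50 dst=10.4.27.83 dport=80
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<kind>SYN|EST) src=(?P<src>\S+) "
                  r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse(log):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]

def lockstep_sources(events, min_sources=2):
    """Group sources whose raw probes hit exactly the same (dst, dport, second)
    set. Two or more sources sharing one footprint is the decoy pattern."""
    footprint = defaultdict(set)
    for e in events:
        if e["kind"] == "SYN":
            footprint[e["src"]].add((e["dst"], e["dport"], e["ts"]))
    groups = defaultdict(set)
    for src, fp in footprint.items():
        groups[frozenset(fp)].add(src)
    return [g for g in groups.values() if len(g) >= min_sources]

def likely_origin(events, group):
    """Within a decoy group, the address(es) that also completed handshakes:
    spoofed decoys cannot finish a handshake, so this points at the real scanner."""
    return {e["src"] for e in events if e["kind"] == "EST" and e["src"] in group}

if __name__ == "__main__":
    events = parse(LOG)
    for group in lockstep_sources(events):
        print(f"lockstep probes from {sorted(group)}; "
              f"completed connections from {sorted(likely_origin(events, group))}")
```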
