Primary stage
I Host discovery
Transport-layer discovery (TCP and UDP)
nmap -sP -PS[port1,port2,...|port range] [target]   TCP SYN ping
nmap -sP -PY[port1,port2,...] [target]              SCTP INIT ping
nmap -sP -PA[port1,port2,...] [target]              TCP ACK ping
nmap -sP -PU[port1,port2,...] [target]              UDP ping: sends an empty UDP datagram; the default port is 40125 (formerly 31338)
II Port scan
Port range (0 ~ 65535)
0~1023: some can be changed on some systems, but the system protocols are fixed; for example WWW uses port 80 by default, FTP uses port 21 by default, and 139 is dedicated to communication between NetBIOS and TCP/IP.
1024~49151: generally not allocated to a fixed service; programs request them as needed.
49152~65535: used mainly by applications installed by the user.
Basic knowledge: common services and their transport protocols
TCP      FTP data connection
TCP      FTP control connection
TCP|UDP  Secure Shell (SSH) service
TCP      Telnet service (remote login)
TCP      Simple Mail Transfer Protocol (SMTP)
TCP|UDP  Windows Internet Name Service (WINS)
TCP|UDP  Domain Name System (DNS)
UDP      DHCP server
UDP      DHCP client
UDP      Trivial File Transfer Protocol (TFTP)
TCP|UDP  Hypertext Transfer Protocol (HTTP)
TCP      Post Office Protocol 3 (POP3)
TCP      Network News Transfer Protocol (NNTP)
UDP      Network Time Protocol (NTP)
TCP|UDP  Microsoft RPC
TCP|UDP  NetBIOS Name Service
TCP|UDP  NetBIOS Datagram Service
TCP|UDP  NetBIOS Session Service
TCP|UDP  Internet Message Access Protocol (IMAP)
TCP|UDP  Simple Network Management Protocol (SNMP)
TCP|UDP  Simple Network Management Protocol Trap (SNMP TRAP)
TCP|UDP  Lightweight Directory Access Protocol (LDAP)
TCP|UDP  Hypertext Transfer Protocol over TLS/SSL (HTTPS)
TCP      Server Message Block (SMB)
TCP|UDP  Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
TCP      Remote File Synchronization Protocol (rsync)
TCP      Internet Message Access Protocol over TLS/SSL (IMAPS)
TCP      Post Office Protocol 3 over TLS/SSL (POP3S)
TCP      Microsoft SQL Server database
TCP      Oracle database
TCP      MySQL database
TCP      Microsoft Terminal Server / Remote Desktop Protocol (RDP)
TCP      Virtual Network Computing web interface (VNC)
TCP      Virtual Network Computing remote desktop (VNC)
nmap port scanning principles
TCP connect scan: '-sT' performs a TCP connect scan; '-p-' scans all ports; '-PN' skips the ping scan.
TCP SYN scan (half-open scan): generally leaves no connection record on the host. '-s' selects which scan type nmap runs; '-sS' performs a TCP SYN scan.
TCP Window scan (differs from the others: open returns an RST packet, closed returns nothing). Some systems do not support this scan and report an error. '-sW' performs a TCP Window scan.
TCP Maimon scan (a stealth scan): '-sM' uses the TCP Maimon scan.
TCP ACK scan (differs from the others: open returns a TCP RST packet, closed returns nothing): '-sA' performs a TCP ACK scan.
Custom TCP scan: '--scanflags' sets any TCP flag bits and can also set the TCP scan type. Example: --scanflags SYNURG [target] (sets the SYN and URG flag bits).
IP protocol scan: '-sO' uses the IP protocol scan.
Stealth scan modes (can evade packet filtering and probe ports whose access is restricted):
  1. TCP FIN scan
  2. TCP Xmas Tree scan (FIN, PSH and URG flags set)
  3. TCP Null scan (the opposite of the Xmas Tree scan: no flags set)
Specifying scan ports, for example destination UDP ports 53 and 111 and TCP ports 21-25 and 80: '-sU' adds a UDP scan to an existing TCP scan; '-p' specifies the ports to scan; '-sS' uses a TCP SYN scan.
Fast scan: scans only the 100 or so most common ports, so it is fast.
Not in random order: scan the ports sequentially.
UDP port scan: '-sU' performs a UDP port scan.
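To make the scan types above concrete, here is an added Python model (not nmap's code) of the probe each type sends, what an RFC 793-compliant TCP stack answers, and the port state nmap infers from that answer. It is written from the monitoring side: classify_probe shows which scan types a lone segment with given flags could belong to, which is the distinction an IDS rule has to make. The Window-scan branch follows nmap's reference guide rather than the one-line summary above: both open and closed ports answer with RST, and the TCP window field in that RST tells them apart.

```python
"""Probe flags, stack responses and nmap's port-state inference per scan type.
Added illustration for this cheat sheet, not nmap's own code; the response
rules follow RFC 793 and the nmap reference guide."""

# TCP flags each scan type sets in its probe, keyed by nmap option.
PROBE_FLAGS = {
    "-sS": {"SYN"},
    "-sA": {"ACK"},
    "-sW": {"ACK"},                 # Window scan sends the same probe as ACK scan
    "-sF": {"FIN"},
    "-sX": {"FIN", "PSH", "URG"},   # Xmas tree
    "-sN": set(),                   # Null scan: no flags at all
    "-sM": {"FIN", "ACK"},          # Maimon
}

def classify_probe(flags):
    """Scan types whose probe carries exactly these flags.
    This is what a sensor sees: ACK and Window scans are indistinguishable
    on the wire, and a lone SYN also looks like an ordinary connection start."""
    flags = set(flags)
    return sorted(opt for opt, f in PROBE_FLAGS.items() if f == flags)

def stack_response(flags, port_open, filtered=False):
    """Reply of an RFC 793 compliant host ("SYN/ACK", "RST" or None).
    filtered=True models a packet filter silently dropping the probe."""
    flags = set(flags)
    if filtered:
        return None
    if "SYN" in flags and "ACK" not in flags:
        return "SYN/ACK" if port_open else "RST"
    if "ACK" in flags:
        # Any segment with ACK set and no matching connection draws RST,
        # open or closed. This is why ACK/Window scans cannot see "open",
        # and why the Maimon FIN/ACK probe only works on BSD-derived stacks
        # that deviate from the RFC and drop it for open ports.
        return "RST"
    # FIN, Null and Xmas probes: closed ports answer RST, open ports stay silent.
    return None if port_open else "RST"

def infer_state(opt, response, window=0):
    """Port state nmap reports for scan type `opt` given the observed reply."""
    if opt == "-sS":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    if opt == "-sA":
        return "unfiltered" if response == "RST" else "filtered"
    if opt == "-sW":
        if response != "RST":
            return "filtered"
        return "open" if window > 0 else "closed"   # window field distinguishes
    # -sF, -sX, -sN, -sM: silence is ambiguous, hence "open|filtered"
    return "closed" if response == "RST" else "open|filtered"

def simulate(opt, port_open, filtered=False):
    """End-to-end: send the probe for `opt` at a port, return nmap's verdict."""
    reply = stack_response(PROBE_FLAGS[opt], port_open, filtered)
    return infer_state(opt, reply)

if __name__ == "__main__":
    for opt in PROBE_FLAGS:
        print(opt, "open port ->", simulate(opt, True),
              "| closed port ->", simulate(opt, False))
```

Running the block prints the verdict table; note that -sM reports "closed" for both states on an RFC-compliant stack, which is the documented reason the Maimon scan is only useful against BSD-derived systems.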
III Fingerprinting
Operating system identification commands
1. nmap -O [target]                        identify the target operating system
2. nmap -O --osscan-guess [target]         guess the operating system aggressively (--fuzzy is an alias)
3. nmap -O --osscan-limit [target]         only fingerprint suitable hosts (the target must have at least one open and one closed TCP port); -A may be used in place of -O
Firewall identification commands
1. nmap -sA [target]    run an ACK scan against the target (determine whether a firewall is on or off)
2. nmap -sS [target]    run a SYN scan against the target (determine whether a firewall is on or off)
IV Firewall and IDS evasion
Evasion scan commands
(1) Fragmentation (after fragmentation the chance of detection by a firewall or IDS decreases)
1. nmap -f [target]            split the packet into small fragments of at most 8 bytes each; for example a 20-byte packet is split into three fragments, two of 8 bytes and one of 4 bytes
2. nmap --send-eth [target]    bypass the IP layer and send raw Ethernet frames directly
   nmap --mtu [number] [target]   custom fragment size; 'number' must be a multiple of 8
Examples:
nmap -f 192.168.1.103          fragmented scan of target 192.168.1.103
nmap --mtu 16 192.168.1.103    fragmented scan of target 192.168.1.103 with a fragment size of 16
(2) IP decoys (a decoy host must be up, otherwise the scan amounts to a denial-of-service attack against it; decoys work with ping scans and -O, not with version detection or TCP connect scans)
nmap -D [decoy1,decoy2,...|RND:number] [target]
'-D' specifies one or more decoy IP addresses; 'RND' generates the given number of random addresses as decoys.
Examples:
nmap -D RND:10 192.168.1.102                            generate 10 random addresses as decoys and scan target 192.168.1.102
nmap -D 192.168.1.103,192.168.1.109,ME 192.168.1.102    use 192.168.1.103 and 192.168.1.109 as decoys to scan target 192.168.1.102; ME stands for the real scanning host and fixes its position among the decoys
(3) IP spoofing (scanning the target host from an arbitrary source address)
nmap -e [interface] -S [IP_address] -Pn [target]
'-e' specifies the network interface used to send packets; '-S' specifies the spoofed source IP address; '-Pn' skips the ping scan.
Example:
nmap -e eth0 -S 192.168.1.103 -Pn 192.168.1.102    send packets from interface eth0 with spoofed source address 192.168.1.103 to target 192.168.1.102, without ping scanning
(4) Specify the source port (an open port on the target is used as the source port)
nmap --source-port [port] [target]   or   nmap -g [port] [target]
'--source-port' and '-g' specify the source port used for sending packets.
Example:
nmap -g 22 -O 192.168.1.103    use port 22 as the source port for operating system identification of target 192.168.1.103
(5) Scan delay (a delay lowers the scan intensity and can avoid firewall scrutiny)
nmap --scan-delay [time] [target]
'time' is the delay between probes.
Example:
nmap --scan-delay 5s scanme.insecure.org    scan target scanme.insecure.org with a 5-second delay
Other evasion methods
1. Specify the length of sent packets (append random data to the original packet to slow processing and evade the firewall and IDS)
   nmap --data-length [number] [target]
   'number' is the extra packet length in bytes.
   Example: nmap --data-length 25 192.168.1.102    send packets with 25 extra bytes to target 192.168.1.102
2. Spoof the MAC address (scan with a specified MAC address)
   nmap --spoof-mac [MAC address|vendor name|0] [target]
   '--spoof-mac' specifies the spoofed MAC address; the argument can be 0 (generate a random MAC address), a MAC address (use it as given) or a vendor name (generate a MAC address belonging to that vendor).
   Example: nmap -sT -PN --spoof-mac 0 192.168.1.1    generate a random MAC address and run a TCP scan against target 192.168.1.1
3. Specify the TTL (the maximum number of network segments an IP packet may cross before a router discards it)
   nmap --ttl [val] [target]
   'val' is the TTL value, in the range 0~255.
   Example: nmap --ttl 20 scanme.insecure.org    scan target host scanme.insecure.org with a TTL of 20
4. Use a bad checksum (a bad checksum can make poorly implemented systems respond)
   nmap --badsum [target]
   '--badsum' sends packets with an incorrect checksum.
   Example: nmap --badsum 192.168.1.103    scan target 192.168.1.103 with bad checksums
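From the defender's side, the techniques in this section leave traces that a log-based detector can pick up. The following added Python example (not part of the original notes, and not nmap's code) runs two simple checks over constructed firewall log lines: a sliding-window count of distinct destination ports per source, which catches a SYN sweep, and a tiny-fragment check for first fragments too short to carry a full TCP header, which is what -f produces. The log format is a simplified imitation of the iptables LOG layout (KEY=VALUE fields plus bare flag tokens) and is an assumption of this example.

```python
"""Port-scan and tiny-fragment detection over firewall log lines.
Added example for the evasion section of this cheat sheet. The log lines are
constructed below and only loosely imitate the iptables LOG layout
(KEY=VALUE fields plus bare flag tokens such as MF and SYN)."""
from collections import defaultdict

def _line(t, src, dpt, length=44, mf=False):
    """Build one constructed log line; t is seconds since the first event."""
    frag = "MF " if mf else ""
    return (f"t={t:.2f} SRC={src} DST=192.168.1.103 LEN={length} TTL=64 "
            f"{frag}PROTO=TCP DPT={dpt} SYN")

# Constructed sample: a fast SYN sweep from .50 (12 ports in 0.22 s), one
# fragmented probe from the same host (LEN=28: 20-byte IP header plus the
# 8-byte first piece that -f produces, so the TCP header is incomplete),
# and a slow sweep from .60 spaced 5 s apart, as --scan-delay 5s would be.
SAMPLE_LOG = (
    [_line(i * 0.02, "192.168.1.50", 20 + i) for i in range(12)]
    + [_line(0.30, "192.168.1.50", 443, length=28, mf=True)]
    + [_line(i * 5.0, "192.168.1.60", 8000 + i) for i in range(12)]
)

def parse_line(line):
    """Split a line into KEY=VALUE fields and a set of bare flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return fields, flags

def detect_scans(lines, window=1.0, min_ports=10):
    """Sources that hit at least `min_ports` distinct destination ports within
    any `window` seconds, mapped to the largest such count. A sliding window
    is used so the threshold is about rate, not total volume."""
    events = defaultdict(list)
    for line in lines:
        fields, _ = parse_line(line)
        events[fields["SRC"]].append((float(fields["t"]), int(fields["DPT"])))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({port for _, port in evs[lo:hi + 1]}))
        if best >= min_ports:
            hits[src] = best
    return hits

def detect_tiny_fragments(lines, max_len=28):
    """(src, dpt) of first fragments too short to carry a full TCP header:
    MF set and total IP length at most `max_len` bytes (20 IP + 8 payload)."""
    found = []
    for line in lines:
        fields, flags = parse_line(line)
        if "MF" in flags and int(fields["LEN"]) <= max_len:
            found.append((fields["SRC"], int(fields["DPT"])))
    return found

if __name__ == "__main__":
    print("1 s window :", detect_scans(SAMPLE_LOG))
    print("60 s window:", detect_scans(SAMPLE_LOG, window=60.0))
    print("tiny frags :", detect_tiny_fragments(SAMPLE_LOG))
```

With the default one-second window only the fast sweep is reported; the host using a 5-second delay is caught only when the window is widened to cover it, which is exactly the trade-off --scan-delay exploits, so thresholds need to be tuned per window length. Decoys (-D) cannot be separated from the real scanner by these counts alone, since every decoy address shows the same pattern.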
V nmap extensions
Scanning with NSE scripts
nmap --script [script.nse] [target]
'script.nse' is the script used for the scan. Several scripts, separated by commas, or a script category can be given at once.
Example: nmap --script vuln 192.168.1.103    use NSE to scan target 192.168.1.103 for vulnerabilities
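Script results are easiest to keep and compare when nmap writes XML output (-oX); the structure is stable across the many scripts listed later in these notes. The following added Python example (not part of the original notes, and not nmap's code) parses such a report into open ports, service versions and per-port and per-host script output, and diffs it against an earlier report to list newly opened ports. Both XML documents are constructed by hand in the shape nmap emits; the hosts, products and script outputs in them are invented.

```python
"""Summarise an nmap XML report (-oX): open ports, service versions and NSE
script output per host, plus a diff against a baseline report. Added example
for this cheat sheet; the XML below is constructed by hand in the shape nmap
emits and is not real scan output."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script http-headers,smb-os-discovery -p 80,445 192.168.1.108">
  <host>
    <status state="up"/>
    <address addr="192.168.1.108" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.15"/>
        <script id="http-headers" output="Server: Apache/2.2.15&#10;X-Powered-By: PHP/5.3.3"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows 7"/>
    </hostscript>
  </host>
</nmaprun>
"""

# Constructed earlier report of the same host with only port 80 open.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 80,445 192.168.1.108">
  <host>
    <address addr="192.168.1.108" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_report(xml_text):
    """Return a list of hosts, each with address, ports and host-level scripts."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        entry = {"addr": host.find("address").get("addr"), "ports": [], "hostscripts": {}}
        for port in host.findall("ports/port"):
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        for s in host.findall("hostscript/script"):
            entry["hostscripts"][s.get("id")] = s.get("output")
        hosts.append(entry)
    return hosts

def open_ports(hosts):
    """Set of (address, port) pairs reported open."""
    return {(h["addr"], p["port"]) for h in hosts for p in h["ports"] if p["state"] == "open"}

def new_open_ports(baseline_xml, current_xml):
    """Ports open now that were not open in the baseline: the drift a
    defender reviews after each periodic scan."""
    return open_ports(parse_report(current_xml)) - open_ports(parse_report(baseline_xml))

if __name__ == "__main__":
    for h in parse_report(SAMPLE_XML):
        for p in h["ports"]:
            print(h["addr"], p["port"], p["state"], p["service"], p["product"], list(p["scripts"]))
        print("host scripts:", h["hostscripts"])
    print("newly open:", new_open_ports(BASELINE_XML, SAMPLE_XML))
```

xml.etree is adequate for reports you generated yourself; if reports arrive from sources you do not control, parse them with defusedxml instead, since the standard parser is not hardened against entity-expansion tricks.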
Service enumeration tool Amap
amap -bq 192.168.41.136 50-100    probe the applications running on ports 50-100 of target 192.168.41.136
Advanced
I Basic network services
DHCP service (Dynamic Host Configuration Protocol)
DHCP default port: 67
1. Broadcast a DHCP request packet (sends a broadcast packet to every host on the LAN)
   nmap --script broadcast-dhcp-discover.nse
   uses the broadcast-dhcp-discover script to send a DHCP Request packet to the LAN
2. DHCP discovery
   nmap -sU -p 67 --script=dhcp-discover 192.168.1.1
   sends a DHCPINFORM request to UDP port 67 of the router and obtains all local configuration parameters
3. IGMP protocol discovery (IGMP: Internet Group Management Protocol)
   nmap --script broadcast-igmp-discovery
   scans the LAN for the IGMP protocol
   nmap --script broadcast-igmp-discovery --script-args 'broadcast-igmp-discovery.version=all'
   specifies all IGMP versions (the default sends IGMPv1 packets)
DNS service (Domain Name System)
DNS default port: 53
1. Obtain DNS information (the dns-nsid script sends an NSID request)
   nmap -sSU -p 53 --script dns-nsid 192.168.1.104
   get DNS information from host 192.168.1.104 (RHEL6.4); -sSU runs a TCP SYN scan and a UDP scan
2. DNS service discovery protocol (the broadcast-dns-service-discovery script sends DNS-SD broadcast packets)
   nmap --script=broadcast-dns-service-discovery
   sends DNS-SD broadcast packets to obtain the list of services
3. Detect whether the host allows DNS recursive queries (the dns-recursion script tests recursion)
   nmap -sU -p 53 --script=dns-recursion 192.168.1.104
   test whether target 192.168.1.104 (RHEL6.4) allows DNS recursive queries
4. Enumerate host names of a DNS server (the dns-brute script enumerates DNS host names)
   nmap --script dns-brute www.baidu.com
   enumerate host names under www.baidu.com
5. DNS cache snooping (the dns-cache-snoop script probes the DNS cache)
   nmap -sU -p 53 --script=dns-cache-snoop.nse 192.168.1.104
   probe the DNS cache entries on target 192.168.1.104 (RHEL6.4)
6. Detect whether the host is on DNS blacklists (the dns-blacklist script checks blacklist membership)
   nmap -sn --script dns-blacklist 192.168.1.104
   check whether target 192.168.1.104 appears on DNS anti-spam and open-proxy blacklists
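The recursion check in item 3 comes down to one header bit: the client sends a query with RD (recursion desired) set, and a server willing to recurse answers with RA (recursion available) set. The following added Python example (not part of the original notes, and not the dns-recursion script's code) builds such a query and decodes the flags of the reply, which is what you would run against your own resolvers to confirm they are not open to networks they do not serve. The two responses are constructed by hand so the parser can be exercised offline; query_server is the only function that touches the network, and its target server is an assumption you supply.

```python
"""Protocol-level view of the dns-recursion check: send a query with RD set
and see whether the server answers with RA set. Added example for this cheat
sheet, not the NSE script's code. The two responses below are constructed so
the parser can be exercised offline; query_server is the only function that
uses the network (UDP to port 53)."""
import socket
import struct

QID = 0x1234   # constructed transaction id

def build_query(name, qid=QID):
    """Standard A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_header(resp, expected_id=QID):
    """Decode the 12-byte DNS header into the flags that matter here."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    return {
        "qr": bool(flags & 0x8000),    # response bit
        "rd": bool(flags & 0x0100),    # our RD echoed back
        "ra": bool(flags & 0x0080),    # recursion available
        "rcode": flags & 0x000F,
        "answers": an,
    }

def recursion_available(resp, expected_id=QID):
    """True when the server advertises recursion. RA is the signal, not the
    answer count: an NXDOMAIN with RA set still means recursion is offered."""
    h = parse_header(resp, expected_id)
    return h["qr"] and h["ra"]

def query_server(server, name="example.com", timeout=2.0):
    """Send the query over UDP and return the recursion verdict (uses the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(512)
    return recursion_available(resp)

# Constructed responses to build_query("example.com"):
QUESTION = build_query("example.com")[12:]
# flags 0x8180 = QR | RD | RA, RCODE 0, one answer: example.com A 192.0.2.1
RECURSIVE_RESPONSE = (struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0) + QUESTION
                      + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# flags 0x8105 = QR | RD, RA clear, RCODE 5 (REFUSED): authoritative-only server
NONRECURSIVE_RESPONSE = struct.pack("!HHHHHH", QID, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print("recursive server   :", recursion_available(RECURSIVE_RESPONSE))
    print("authoritative-only :", recursion_available(NONRECURSIVE_RESPONSE))
```

The transaction-id check matters even in a test tool: without it a stray or spoofed datagram arriving on the socket would be taken as the server's verdict.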
II Web services
HTTP service (Hypertext Transfer Protocol)
HTTP default port: 80
1. Find the HTTP service
   nmap 192.168.1.102
   check whether target 192.168.1.102 has the HTTP service enabled
2. Identify the HTTP version
   nmap -sV -p 80 192.168.1.102
   identify the HTTP service version on target host 192.168.1.102
3. Basic authentication information (the http-auth script shows authentication information)
   nmap --script http-auth 192.168.1.1
   obtain the authentication information of the router
4. Default accounts (the http-default-accounts script checks whether the web service allows default account logins)
   nmap --script http-default-accounts -p 8180 192.168.1.106
   check whether the web application on the target host (Metasploitable2) allows default account logins
5. Check for risky methods (the http-methods script lists the server methods that may be risky)
   nmap --script http-methods 192.168.1.102
   check whether the HTTP service on target host 192.168.1.102 (RHEL6.4) offers risky methods
6. Measure page access time
   nmap --script http-chrono -p 80 192.168.1.106
   measure the access time of the Apache service on the target host (RHEL6.4)
7. Extract HTTP comment information (the http-comments-displayer script extracts HTML comments from the HTTP response)
   nmap -p 80 --script http-comments-displayer.nse 192.168.1.104
   extract HTML comments from the Apache service on target 192.168.1.104 (RHEL6.4)
8. Obtain the time from HTTP-like services (the http-date script reads the time from HTTP-like services)
   nmap -p 80 --script http-date 192.168.1.104
   get the service time from Apache on target 192.168.1.104 (RHEL6.4)
9. Enumerate HTTP service directories
   nmap --script http-enum 192.168.1.104 -p 80
   enumerate the web directories of the Apache service on target 192.168.1.104
10. Get the website's error pages (the http-errors script crawls the site and collects HTTP error pages)
   nmap --script http-errors 192.168.1.104 -p 80
   get the HTTP error pages of target 192.168.1.104
11. Obtain HTTP headers (the http-headers script retrieves the HTTP headers)
   nmap -sV --script http-headers 192.168.1.104 -p 80
   get the HTTP headers of target 192.168.1.104; -sV also shows service version information
12. Obtain the HTTP directory structure (the http-sitemap-generator script builds a site map)
   nmap --script http-sitemap-generator -p 80 www.baidu.com
   get the directory structure of the Baidu website (other: other files; gif: images; html: HTML pages; png: images; css: style sheets; xml: XML pages; svg: scalable vector graphics)
13. Detect whether the TRACE method is enabled (the http-trace script sends an HTTP TRACE request)
   nmap --script http-trace -d 192.168.1.104 -p 80
   check whether target 192.168.1.104 has the TRACE method enabled; -d shows the header fields when TRACE is enabled
14. Detect whether the host allows crawling (the http-useragent-tester script checks whether web crawlers are allowed; check this first, because if crawling is not allowed, retrieving HTTP headers and the directory structure will not work)
   nmap -p 80 --script http-useragent-tester.nse 192.168.1.104
   check whether target 192.168.1.104 allows crawling
15. Search for web virtual hosts (the http-vhosts script sends HEAD requests to look for virtual hosts)
   nmap --script http-vhosts www.baidu.com
   search for Baidu's virtual hosts
16. Probe whether the web service is vulnerable to the slowloris DoS attack (a slow HTTP attack, as in slowhttptest)
   nmap --script http-slowloris --max-parallelism 400 192.168.1.104
   test whether the web service on target 192.168.1.104 (RHEL6.4) is vulnerable to the slowloris DoS attack
17. Get traceroute information (the targets-traceroute script obtains the path; newtargets refers to the hops to the target host shown in the output)
   nmap --script targets-traceroute --script-args newtargets --traceroute 192.168.1.104 -p 80
   get the traceroute information for port 80 on the target
18. Traceroute geolocation (the traceroute-geolocation script lists the geographic location of each hop)
   nmap --traceroute --script traceroute-geolocation www.baidu.com
   find the geographic location of each hop on the route to the Baidu server
AJP service (Apache JServ Protocol, a packet-oriented protocol)
AJP default port: 8009
1. Obtain the AJP service headers
   nmap -sV --script=ajp-headers -p 8009 192.168.1.106
   get the AJP service headers from host Metasploitable2
2. Request a connection on the AJP service
   nmap -sV --script=ajp-request -p 8009 192.168.1.106
   request a URL from the AJP service on host Metasploitable2
SSL/TLS protocol (man-in-the-middle / ARP hijacking on the intranet; SSL: Secure Sockets Layer, TLS: Transport Layer Security)
SSL default port: 443
1. Enumerate SSL ciphers
   nmap --script ssl-enum-ciphers www.baidu.com -p 443
   enumerate the SSL cipher algorithms supported by the Baidu server
2. Obtain the SSL certificate
   nmap --script ssl-cert,ssl-google-cert-catalog -p 443 www.baidu.com
   retrieve Baidu's SSL certificate and look it up in Google's certificate catalog with the ssl-google-cert-catalog script
III Remote services
Telnet service (remote login)
Telnet default port: 23
1. Probe whether the Telnet service supports encryption (the telnet-encryption script tests for encryption)
   nmap -p 23 --script telnet-encryption 192.168.1.104
   test whether the Telnet service on the target (RHEL6.4) supports encryption
2. Crack the Telnet service password (the telnet-brute script brute-forces the password)
   nmap -p 23 --script telnet-brute 192.168.1.104
   crack the Telnet password on the target host (Metasploitable2)
SSH service (Secure Shell protocol)
SSH default port: 22
1. View SSH host key information (full: complete key; bubble: bubble-babble output; visual: ASCII-art output; all: everything)
   nmap --script ssh-hostkey --script-args ssh_hostkey=full 192.168.1.104 -p 22
   view the complete host key information of the SSH service on the target host (RHEL6.4)
   nmap --script ssh-hostkey --script-args ssh_hostkey='visual bubble' 192.168.1.104 -p 22
   output the target's SSH host key in visual and bubble formats
2. View the algorithms supported by SSH2 (the ssh2-enum-algos script lists the ssh2 service's algorithms)
   nmap --script ssh2-enum-algos 192.168.1.104 -p 22
   view the algorithms supported by the SSH2 protocol on the target host (RHEL6.4)
VNC service (VNC: Virtual Network Computing; the vnc-info script shows VNC information)
VNC default port: 5900
1. View details of the VNC service on target Metasploitable2
   nmap --script vnc-info -p 5900 192.168.1.103
IV Database services
MySQL database service
MySQL default port: 3306
1. Check for an empty MySQL password (the mysql-empty-password script checks whether MySQL has a blank password, which would let anyone log in)
   nmap --script mysql-empty-password 192.168.1.106
   check whether the target's MySQL service allows access with an empty password
2. Obtain MySQL password hashes (the mysql-dump-hashes script retrieves the MySQL hashes)
   nmap -p 3306 192.168.1.103 --script mysql-dump-hashes --script-args='username=root,password=123456'
   get the password hashes of the target's MySQL users
3. Query MySQL database information (the mysql-query script runs a query, i.e. it actually uses the database)
   nmap -p 3306 --script mysql-query --script-args='query="select host,user from mysql.user",username=root,password=123456' 192.168.1.103
   query the values of the host and user fields in the mysql.user table
4. Query users in the MySQL database (the mysql-users script lists MySQL users)
   nmap -sV -p 3306 --script=mysql-users --script-args=mysqluser=root 192.168.1.104
5. Crack MySQL user passwords (the mysql-brute script brute-forces MySQL user passwords)
   nmap --script mysql-brute -p 3306 192.168.1.104
   crack the MySQL database password on host RHEL6.4
6. Enumerate MySQL user information (the mysql-enum script enumerates MySQL user information)
   nmap --script=mysql-enum -p 3306 192.168.1.104
   enumerate MySQL user information on target host RHEL6.4
7. Obtain MySQL database information (the mysql-info script connects to MySQL)
   nmap --script mysql-info 192.168.1.104 -p 3306
   probe the information of the database on the target host
MSSQL Server (SQL Server) database service
MSSQL Server default port: 1433
1. Crack MS SQL Server user names and passwords (the ms-sql-brute script brute-forces MS SQL Server user names and passwords)
   nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/user.txt,passdb=/root/pass.txt 192.168.1.108
   crack the MS SQL Server database user names and passwords on Windows 7
2. Obtain MS SQL Server database information (the ms-sql-info script retrieves MS SQL Server database information)
   nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 192.168.1.108
   get the MS SQL Server database service information on Windows 7
3. Query MS SQL Server database instances (the ms-sql-config script queries MS SQL Server database instances)
   nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=123456 192.168.1.108
   query the MS SQL Server database instance information on Windows 7
4. Query MS SQL Server database entries (the ms-sql-query script runs a query, i.e. it actually uses the database)
   nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=123456,ms-sql-query.query="SELECT * FROM master..syslogins" 192.168.1.108
   query the syslogins table in the master database of the target SQL Server
LDAP directory service (LDAP: Lightweight Directory Access Protocol)
LDAP default port: 389
1. Obtain the LDAP root DSE entry (the ldap-rootdse script retrieves the LDAP root DSE entry)
   nmap -p 389 --script ldap-rootdse 192.168.1.103
   get the root DSE entry of the target host's LDAP service
2. LDAP query (the ldap-search script queries LDAP)
   nmap -p 389 --script ldap-search 192.168.1.103
   query the entries in the host's LDAP service (CN: user name; OU: organizational unit; DC: organization)
V Other services
FTP service (File Transfer Protocol)
FTP default port: 21
1. Find the FTP service
   nmap 192.168.1.102
   check whether the FTP service is enabled on the target host
2. Identify the FTP service version
   nmap -sV -p 21 192.168.1.102
   scan the FTP service version of the target host
3. Check FTP anonymous login (the ftp-anon script checks whether FTP anonymous login is allowed)
   nmap --script ftp-anon 192.168.1.102
   check whether the target host allows anonymous FTP login
SMB service (Server Message Block; file sharing and printer functions)
SMB default ports: 445; 137 (UDP); 139 (TCP)
1. SMB security mode (the smb-security-mode script retrieves the SMB security mode)
   nmap --script smb-security-mode.nse -p 445 192.168.1.108
   scan the security mode information of the target host's SMB service
2. SMBv2 protocol support (the smbv2-enabled script detects whether SMBv2 is supported)
   nmap --script smbv2-enabled.nse -p 445 192.168.1.108
   detect whether target host Windows 7 supports the SMBv2 protocol
3. Obtain Windows information (the smb-mbenum script retrieves management information for users)
   nmap -p 445 --script smb-mbenum 192.168.1.109
   obtain management information from Windows XP
4. Get shared files (the smb-enum-shares script retrieves SMB shares)
   nmap --script smb-enum-shares.nse -p 445 192.168.1.109
   get details of the shares and files on the target
5. Enumerate system domains (the smb-enum-domains script enumerates system domain names)
   nmap --script smb-enum-domains -p 445 192.168.1.109
   enumerate the domain names on the target
6. Check for SMB vulnerabilities (the smb-vuln-cve2009-3130 script checks for the cve2009-3130 vulnerability; port 139 is the NetBIOS port on which Samba provides sharing)
   nmap --script=smb-vuln-cve2009-3130.nse -p 139 192.168.1.102
   check whether the target has the cve2009-3130 vulnerability
7. Enumerate Samba users (the smb-enum-users script lists Samba users)
   nmap --script smb-enum-users 192.168.1.102
   enumerate all Samba users on the target
8. SMB service password cracking (the smb-brute script brute-forces the SMB service password)
   nmap --script smb-brute.nse -p 445 192.168.1.102
   crack the SMB service password on target host Metasploitable
SMTP service (Simple Mail Transfer Protocol)
SMTP default port: 25
1. Enumerate mail users (the smtp-enum-users script enumerates all users of the remote system)
   nmap --script smtp-enum-users.nse -p 25 192.168.1.104
   enumerate the mail service users on the target host
2. Collect e-mail addresses (the http-grep script can be used as a web crawler to collect e-mail addresses)
   nmap --script=http-grep -p 80 192.168.1.103
   crawl the target over HTTP port 80 to collect e-mail addresses
3. Collect the SMTP commands supported by the target host (the smtp-commands script collects the SMTP commands the target supports)
   nmap --script smtp-commands.nse -p T:25 192.168.1.103
   collect the SMTP commands supported by the target host
SNMP service (Simple Network Management Protocol)
SNMP default port: 161
1. Enumerate network interfaces (the snmp-interfaces script enumerates network interfaces over SNMP)
   nmap -sU -p 161 --script=snmp-interfaces 192.168.1.108
   enumerate the network interface information on the target host
2. Get network connection status (the snmp-netstat script shows network connections)
   nmap -sU -p 161 --script=snmp-netstat 192.168.1.108
   get the network connection status of Windows 7
3. Enumerate the target host's processes (the snmp-processes script shows running processes)
   nmap -sU -p 161 --script=snmp-processes 192.168.1.108
   enumerate the process IDs of all running programs on Windows 7
4. Extract system information (the snmp-sysdescr script extracts system information)
   nmap -sU -p 161 --script=snmp-sysdescr 192.168.1.108
   extract system information
5. Enumerate Windows services (the snmp-win32-services script enumerates Windows services)
   nmap -sU -p 161 --script=snmp-win32-services 192.168.1.108
   enumerate the services on the Windows 7 system
6. Enumerate Windows users (the snmp-win32-users script enumerates Windows users)
   nmap -sU -p 161 --script=snmp-win32-users 192.168.1.108
   enumerate the users on the Windows 7 system
7. Enumerate Windows shares (the snmp-win32-shares script enumerates Windows shared files)
   nmap -sU -p 161 --script=snmp-win32-shares 192.168.1.108
   enumerate the shared files on the Windows 7 system
8. Enumerate installed Windows software (the snmp-win32-software script enumerates installed software)
   nmap -sU -p 161 --script=snmp-win32-software 192.168.1.108
   enumerate the software on the Windows 7 system
9. SNMP service password cracking (the snmp-brute script brute-forces the SNMP service password; the SNMP default password is public)
   nmap -sU --script=snmp-brute 192.168.1.108
   crack the SNMP service password on the Windows 7 system
NetBIOS service (provides a uniform command set through which application programming interfaces (APIs) request low-level services)
NetBIOS default port: 137
1. Obtain the NetBIOS name and MAC address (the nbstat script gets the target's NetBIOS name and MAC address)
   nmap -sU --script nbstat -p 137 192.168.1.108
   get the target host's NetBIOS name and MAC address
2. Discover hosts through browser broadcast packets (the broadcast-netbios-master-browser script discovers hosts on the LAN)
   nmap --script=broadcast-netbios-master-browser
   discover hosts on the LAN
NTP service information (Network Time Protocol)
NTP default port: 123
1. Get basic information from the NTP server (the ntp-info script)
   nmap -sU -p 123 --script ntp-info 192.168.1.108
   scan the target's NTP service for basic information
RPC service details (remote procedure call protocol; a service sends requests to remote computers over the network)
RPC default port: 111
1. Scan the target's RPC service information (the rpcinfo script)
   nmap -p 111 --script rpcinfo 192.168.1.103
   scan the basic information of the target's RPC service
2. Get the banners of all open services on the target hosts (the banner script)
   nmap -sV --script=banner 192.168.1.108
   get information on all open services on the target
DICT service information (Dictionary Server Protocol)
DICT default port: 2628
1. View a dictionary service's information (the dict-info script shows dictionary service information)
   nmap -p 2628 --script dict-info 216.18.20.172
   view the information of a dictionary service in the United States
IRC service information (online chat)
IRC default port: 6667
1. Get the target's IRC service information (the irc-info script shows IRC service information)
   nmap --script irc-info 192.168.1.106 -p 6667
   get the IRC service information on the target host
VI Operating system
Operating system discovery through the SMB protocol
SMB default port: 445
1. Operating system discovery (the smb-os-discovery.nse script discovers the operating system)
   nmap --script smb-os-discovery.nse -p 445 192.168.1.108
   discover the target's operating system
MTU discovery (Maximum Transmission Unit)
1. MTU discovery (the path-mtu script discovers the target's maximum transmission unit)
   nmap --script path-mtu 192.168.1.104
   find the maximum transmission unit to the target
Probe firewall rules
1. Detect firewall rules (the firewalk script can detect firewall rules)
   nmap --script=firewalk --traceroute 192.168.1.104
   detect the firewall rules in front of the target host
Wake a remote host
1. Wake a remote host (the broadcast-wake-on-lan script wakes a remote host)
   nmap --script broadcast-wake-on-lan --script-args broadcast-wake-on-lan.MAC='00:12:34:56:78:9A'
   wake the host with MAC address 00:12:34:56:78:9A
WSDD service protocol (Web Services Dynamic Discovery, WS-Discovery)
1. WSDD service discovery (the broadcast-wsdd-discover script locates web services)
   nmap --script broadcast-wsdd-discover
   find devices on the LAN that support the web services dynamic discovery protocol
Sniff targets
1. Sniff for targets and find active hosts on the LAN (the targets-sniffer script sniffs targets)
   nmap -sL --script=targets-sniffer --script-args=newtargets,targets-sniffer.timeout=5s,targets-sniffer.iface=eth0
   sniff on interface eth0 for 5 s and list the active hosts on the LAN
Listen for broadcast packets
1. Listen on LAN interface eth0 and decode the received packets (the broadcast-listener script listens for broadcast packets)
   nmap --script broadcast-listener -e eth0
VII MISC: miscellaneous uses and supporting tools of nmap
Probe a TP-Link router for vulnerabilities
1. Detect whether a TP-Link WR1041N wireless router has the vulnerability (http-tplink-dir-traversal script)
   nmap -p 80 --script http-tplink-dir-traversal 192.168.1.1
2. Use the vulnerability in the router to read the contents of the configuration file /etc/topology.conf
   nmap -p 80 --script http-tplink-dir-traversal --script-args rfile=/etc/topology.conf 192.168.1.1
Reverse index (an index structure)
1. List the services running on the targets as a reverse index (the reverse-index script builds a reverse index)
   nmap --script reverse-index 192.168.1.104
Unit testing
1. Unit-test all NSE libraries (the unittest script runs the unit tests of all NSE libraries; unittest.run enables the tests)
   nmap --script unittest --script-args unittest.run
VMware authd authentication cracking
VMware authd program port: 902
1. Crack the authentication of the VMware-authd program on Windows 7
   nmap -p 902 --script vmauthd-brute 192.168.1.100
Detect whether IP forwarding is enabled on the target
1. Detect whether the target has IP forwarding enabled (the ip-forwarding script)
   nmap -sn --script ip-forwarding --script-args='target=mail.benet.com' 192.168.1.104
Get an ASN list
Describes a data format for representing, encoding, transmitting and decoding data
1. Obtain the ASN list (the targets-asn script retrieves the ASN list)
   nmap --script targets-asn --script-args targets-asn.asn=32
Enumerate the authentication methods offered by EAP
EAP: an authentication framework for wireless networks and point-to-point connections
1. Enumerate the authentication methods EAP provides (the eap-info script enumerates EAP authentication methods)
   nmap -e wlan2 --script eap-info
Enumerating services
DNS enumeration (domain name resolution)
1. dnsenum: queries domain names through Google and a dictionary
   dnsenum --enum benet.com
   use the dnsenum tool to perform DNS enumeration
   '--threads [number]': set the number of threads run at the same time
   '-r': enable recursive queries
   '-d': set the delay between WHOIS requests
   '-o': specify the output location
   '-w': enable WHOIS requests
2. fierce: scans subdomains and collects information; fierce can obtain all IP addresses and host information of a target
   fierce -dns baidu.com
   look up Baidu's IP addresses and host information
SNMP enumeration (Simple Network Management Protocol)
1. snmpwalk: uses GETNEXT requests to walk a subtree of OIDs and displays the information to the user
   snmpwalk -c public [target] -v 2c
   use the snmpwalk command to test the host
2. snmpcheck: outputs the results in a readable form
   snmpcheck [target]
   use snmpcheck to obtain host information
SMTP enumeration (Simple Mail Transfer Protocol)
1. smtp-user-enum: probes SMTP port 25 for existing mailbox users
   smtp-user-enum -M VRFY -U /tmp/users.txt -t 192.168.41.138
   scan host 192.168.41.138 for user details
Test network scope
Class      Maximum number of networks   IP address range             Maximum hosts
Class A    126 (2^7-2)                  0.0.0.0-127.255.255.255      16777214
Class B    16384 (2^14)                 128.0.0.0-191.255.255.255    65534
Class C    2097152 (2^21)               192.0.0.0-223.255.255.255    254
Class D
Class E
Domain name query tool DMitry
Used to query WHOIS information for an IP address or domain name
dmitry -wnpb rzchina.net    use DMitry to collect information about rzchina.net
netmask -s rzchina.net      use netmask to convert the domain name into standard subnet mask format
Traceroute tool (scapy)
Packet sniffing, network scanning, network discovery, packet crafting and response analysis
scapy
   1. start the scapy tool
ans,unans=sr(IP(dst="www.rzchina.net/30",ttl=(1,6))/TCP())
   2. use the sr() function to send and receive packets
ans.make_table(lambda s,r:(s.dst,s.ttl,r.src))
   3. view the packet sending status as a table
res,unans=traceroute(["www.google.com","www.kali.org","www.rzchina.net"],dport=[80,443],maxttl=20,retry=2)
   4. use scapy to view TCP traceroute information
res.graph()
   5. the res.graph() function shows the result as a graph
res.graph(target=">/tmp/graph.svg")
   6. save the graph image to /tmp/graph.svg
exit() or Ctrl+D
   7. quit the scapy program
Password analysis
ettercap: creates spoofed packets, binds captured data to a local port, etc.
locate etter.conf
   1. find where the Ettercap configuration file is stored
vi /etc/ettercap/etter.conf
   2. edit the etter.conf configuration file with the Vim editor: set the ec_uid and ec_gid options to 0 and uncomment the IPTABLES line in the Linux section
ettercap -G
   3. start Ettercap
   4. use the man-in-the-middle attack to collect important information from the target
metasploit (msf): the search_email_collector module collects e-mail information through Google, Bing and Yahoo to assist cracking
msfconsole
   1. open msfconsole
search email_collector
   2. look up the search_email_collector module
use auxiliary/gather/search_email_collector
   3. use the auxiliary module search_email_collector
show options
   4. view the valid options of the search_email_collector module
set DOMAIN gmail.com
   5. gmail.com is the e-mail domain to search; this configures the DOMAIN option
set outfile /root/email.txt
   6. set the OUTFILE option to save the addresses found to the file /root/email.txt
run
   7. run the module (every address found for the target domain is displayed and saved to email.txt)
Note: errors may occur because foreign websites are used to collect the information; connecting through a VPN can resolve this.