Nmap

Découverte d'un réseau

Lister les hosts d'un réseau (résolution DNS, pas de ping, donc les hosts sont peut être inactifs)

 nmap -sL 192.168.1.0/24

Lister les hosts actifs

 nmap -sP 192.168.1.0/24 (scan ping, envoie une requête d'echo ICMP et un paquet TCP sur le port par défaut (80))
 nmap -PS 192.168.1.0/24 (-PS [portlist](Ping TCP SYN))
 nmap -PA 192.168.1.0/24 (-PA [portlist](Ping TCP ACK))
 nmap -PU 192.168.1.0/24 (-PU [portlist](Ping UDP))
 nmap -PE 192.168.1.0/24 (-PE; -PP; -PM(Types de ping ICMP))
 nmap -PR 192.168.1.0/24 (-PR(Ping ARP))
 nmap -PO 192.168.1.0/24 -PO[protolist] (IP Protocol Ping)

-n(Pas de résolution DNS) Gagne du temps

---

nmap -sS -P0 -O -T5 ip -d -n -vv

82.11.28.6

Nmap 4.20ALPHA4 ( http://www.insecure.org/nmap/ ) Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION:

 Can pass hostnames, IP addresses, networks, etc.
 Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
 -iL <inputfilename>: Input from list of hosts/networks
 -iR <num hosts>: Choose random targets
 --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
 --excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:

 -sL: List Scan - simply list targets to scan
 -sP: Ping Scan - go no further than determining if host is online
 -P0: Treat all hosts as online -- skip host discovery
 -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
 -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
 -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
 --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
 --system-dns: Use OS's DNS resolver

SCAN TECHNIQUES:

 -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
 -sN/sF/sX: TCP Null, FIN, and Xmas scans
 --scanflags <flags>: Customize TCP scan flags
 -sI <zombie host[:probeport]>: Idlescan
 -sO: IP protocol scan
 -b <ftp relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

 -p <port ranges>: Only scan specified ports
   Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
 -F: Fast - Scan only the ports listed in the nmap-services file)
 -r: Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION:

 -sV: Probe open ports to determine service/version info
 --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
 --version-light: Limit to most likely probes (intensity 2)
 --version-all: Try every single probe (intensity 9)
 --version-trace: Show detailed version scan activity (for debugging)

OS DETECTION:

 -O: Enable OS detection (try 2nd generation, then 1st if that fails)
 -O1: Only use the old (1st generation) OS detection system
 -O2: Only use the new OS detection system (no fallback)
 --osscan-limit: Limit OS detection to promising targets
 --osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:

 Options which take  are in milliseconds, unless you append 's'
 (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
 -T[0-5]: Set timing template (higher is faster)
 --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
 --min-parallelism/max-parallelism : Probe parallelization
 --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies
     probe round trip time.
 --max-retries <tries>: Caps number of port scan probe retransmissions.
 --host-timeout : Give up on target after this long
 --scan-delay/--max-scan-delay : Adjust delay between probes

FIREWALL/IDS EVASION AND SPOOFING:

 -f; --mtu <val>: fragment packets (optionally w/given MTU)
 -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
 -S <IP_Address>: Spoof source address
 -e <iface>: Use specified interface
 -g/--source-port <portnum>: Use given port number
 --data-length <num>: Append random data to sent packets
 --ttl <val>: Set IP time-to-live field
 --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
 --badsum: Send packets with a bogus TCP/UDP checksum

OUTPUT:

 -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
    and Grepable format, respectively, to the given filename.
 -oA <basename>: Output in the three major formats at once
 -v: Increase verbosity level (use twice for more effect)
 -d[level]: Set or increase debugging level (Up to 9 is meaningful)
 --packet-trace: Show all packets sent and received
 --iflist: Print host interfaces and routes (for debugging)
 --log-errors: Log errors/warnings to the normal-format output file
 --append-output: Append to rather than clobber specified output files
 --resume <filename>: Resume an aborted scan
 --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
 --webxml: Reference stylesheet from Insecure.Org for more portable XML
 --no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:

 -6: Enable IPv6 scanning
 -A: Enables OS detection and Version detection
 --datadir <dirname>: Specify custom Nmap data file location
 --send-eth/--send-ip: Send using raw ethernet frames or IP packets
 --privileged: Assume that the user is fully privileged
 -V: Print version number
 -h: Print this help summary page.

EXAMPLES:

 nmap -v -A scanme.nmap.org
 nmap -v -sP 192.168.0.0/16 10.0.0.0/8
 nmap -v -iR 10000 -P0 -p 80

SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

Scripts nmap

 /usr/share/nmap/scripts/