NMAP

  • Post category:CEH

A network scanner used to discover live hosts, open ports, the services and operating systems behind them and, through its scripting engine (NSE), some known vulnerabilities and misconfigurations.

HOST DISCOVERY (ARP Scan)

Send an ARP request for every address in the range and list the hosts that answer.  A host on an Ethernet segment has to answer ARP to communicate at all, so this is the most reliable discovery method and is very hard to block, but it only works inside your own broadcast domain (ARP does not cross routers).  Nmap switches to ARP ping on its own when run as root against targets on the local segment.  Note: raw packets need root; without it nmap falls back to TCP connect() probes to ports 80 and 443 for host discovery.  The packets exchanged-

Live hosts:
Attacker ————–ARP Request (who-has)————->Host
Attacker<——–ARP Reply (is-at)——- Host

Command:  sudo  nmap -PR -sn <ip address range>

-PR selects the ARP ping and -sn skips the port scan.  The example below was captured with "-P" and no probe type; -PR is the documented form.

Force raw Ethernet frames (already the default on a local Ethernet segment, and what ARP ping needs):

Command:  sudo  nmap -PR -sn --send-eth <ip address range>

Force raw IP packets instead, which turns ARP ping off and discovers hosts with ICMP echo requests even on the local segment:

Command:  sudo  nmap -PE -sn --send-ip <ip address range>

Example:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -P -sn 192.168.168.0/24

Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-15 21:04 EDT
Nmap scan report for 192.168.168.1
Host is up (0.0016s latency).
MAC Address: A0:40:A0:95:75:01 (Netgear)
Nmap scan report for 192.168.168.2
Host is up (0.21s latency).
MAC Address: 32:60:4B:49:54:99 (Unknown)
Nmap scan report for 192.168.168.3
Host is up (0.070s latency).
MAC Address: E0:63:E5:E9:9D:29 (Sony)
Nmap scan report for 192.168.168.4
Host is up (0.0011s latency).
MAC Address: 02:FF:60:79:AA:60 (Unknown)
Nmap scan report for 192.168.168.5
Host is up (0.0011s latency).
MAC Address: 00:0C:29:25:43:EF (VMware)
Nmap scan report for 192.168.168.6
Host is up (0.066s latency).
MAC Address: 7C:DB:98:B1:82:25 (Askey Computer)
Nmap scan report for 192.168.168.8
Host is up (0.072s latency).
MAC Address: 90:CC:DF:F4:01:C8 (Intel Corporate)
Nmap scan report for 192.168.168.9
Host is up (0.00097s latency).
MAC Address: 50:65:F3:4A:DF:A8 (Hewlett Packard)
Nmap scan report for 192.168.168.11
Host is up (0.000063s latency).
MAC Address: B4:A9:FC:E4:62:FD (Quanta Computer)
Nmap scan report for 192.168.168.12
Host is up (0.00079s latency).
MAC Address: 00:A0:98:04:9F:61 (NetApp)
Nmap scan report for 192.168.168.16
Host is up (0.00091s latency).
MAC Address: 40:A8:F0:3E:13:D6 (Hewlett Packard)
Nmap scan report for 192.168.168.17
Host is up (0.00086s latency).
MAC Address: 00:0C:29:A1:33:B7 (VMware)
Nmap scan report for 192.168.168.99
Host is up (0.0015s latency).
MAC Address: 50:00:00:09:00:00 (Unknown)
Nmap scan report for 192.168.168.150
Host is up (0.00030s latency).
MAC Address: 00:0C:29:C9:71:A6 (VMware)
Nmap scan report for 192.168.168.201
Host is up (0.0012s latency).
MAC Address: 3C:A8:2A:A0:2B:85 (Hewlett Packard)
Nmap scan report for 192.168.168.254
Host is up (0.021s latency).
MAC Address: 94:A6:7E:72:7B:44 (Netgear)
Nmap scan report for 192.168.168.15
Host is up.
Nmap done: 256 IP addresses (17 hosts up) scanned in 2.80 seconds

HOST DISCOVERY (ICMP Scan)

Send an ICMP echo request (type 8) to each host; a live host answers with an echo reply (type 0).  Unlike ARP this works across routers, but many host firewalls and perimeter filters drop inbound echo requests, so a host that does not answer is not necessarily down (nmap's default discovery as root therefore also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request).  Raw ICMP needs root.  The extra raw packets in the example below are retransmissions to the hosts that stayed silent.  The packets exchanged-

Live hosts:
Attacker ——– ICMP(echo request)———>Host
Attacker<——–ICMP(echo reply)————- Host

Command:  sudo  nmap -PE -sn <ip address range>

Example:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -PE -sn 10.8.2.1-10 -v
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-17 03:53 EDT
Initiating Ping Scan at 03:53
Scanning 10 hosts [1 port/host]
Completed Ping Scan at 03:53, 0.38s elapsed (10 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 03:53
Completed Parallel DNS resolution of 2 hosts. at 03:53, 0.00s elapsed
Nmap scan report for 10.8.2.1
Host is up (0.17s latency).
Nmap scan report for 10.8.2.2
Host is up (0.0012s latency).
Nmap scan report for 10.8.2.3 [host down]
Nmap scan report for 10.8.2.4 [host down]
Nmap scan report for 10.8.2.5 [host down]
Nmap scan report for 10.8.2.6 [host down]
Nmap scan report for 10.8.2.7 [host down]
Nmap scan report for 10.8.2.8 [host down]
Nmap scan report for 10.8.2.9 [host down]
Nmap scan report for 10.8.2.10 [host down]
Nmap done: 10 IP addresses (2 hosts up) scanned in 0.45 seconds
Raw packets sent: 19 (532B) | Rcvd: 3 (84B)
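
The two discovery exchanges above (ARP request/reply and ICMP echo request/reply), built and parsed as raw frames.  This is an added example, not code from the original page or from nmap; the MAC and IP addresses are constructed sample values and nothing is transmitted, the frames are only built and parsed so it runs offline:

```python
"""Host-discovery probes as bytes: what `nmap -sn -PR` (ARP) and `nmap -sn -PE` (ICMP echo) send.

Added example for this page; it is not code from the original post or from nmap.
MAC and IP addresses are constructed sample values and nothing is transmitted.
"""
import struct

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying 'who-has target_ip? tell src_ip', sent to the broadcast MAC.

    A host on the segment has to answer this to communicate at all, which is why ARP
    discovery is so hard to block; it cannot cross a router, so only local targets answer.
    """
    eth = BROADCAST + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, ETH_P_IP, 6, 4,          # hardware type Ethernet, protocol IPv4, address lengths 6 and 4
        1,                          # operation 1 = request, 2 = reply
        mac_bytes(src_mac), ip_bytes(src_ip),
        bytes(6), ip_bytes(target_ip),   # target MAC is what we are asking for, so all zeros
    )
    return eth + arp


def arp_reply_to(request: bytes, replier_mac: str) -> bytes:
    """What a live host answers: unicast back to the requester, operation 2, sender/target swapped."""
    requester_mac = request[6:12]
    sender_ip, target_ip = request[28:32], request[38:42]
    eth = requester_mac + mac_bytes(replier_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 2,
                      mac_bytes(replier_mac), target_ip, requester_mac, sender_ip)
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (ip, mac) of the host that answered, or None if `frame` is not an ARP reply."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!H", frame[20:22])[0] != 2:
        return None
    mac = ":".join(f"{b:02X}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return ip, mac


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by ICMP; a packet with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo request (type 8, code 0) with its checksum filled in."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, inet_checksum(header + payload), ident, seq) + payload


def echo_reply_to(request: bytes) -> bytes:
    """A live host's answer: type 0, same identifier, sequence and payload, checksum recomputed."""
    rest = request[4:]
    return struct.pack("!BBH", 0, 0, inet_checksum(b"\x00\x00\x00\x00" + rest)) + rest


def is_echo_reply_for(packet: bytes, ident: int, seq: int) -> bool:
    """True for an intact echo reply matching the identifier/sequence we sent (nmap checks both)."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return False
    typ, code, _, rid, rseq = struct.unpack("!BBHHH", packet[:8])
    return typ == 0 and code == 0 and (rid, rseq) == (ident, seq)


if __name__ == "__main__":
    req = build_arp_request("00:0C:29:25:43:EF", "192.168.168.5", "192.168.168.1")
    print(parse_arp_reply(arp_reply_to(req, "A0:40:A0:95:75:01")))   # ('192.168.168.1', 'A0:40:A0:95:75:01')
    echo = build_icmp_echo(0x1234, 1, b"nmap")
    print(is_echo_reply_for(echo_reply_to(echo), 0x1234, 1))          # True
```

The ARP reply is matched by operation code and the echo reply by identifier and sequence number with a verified checksum, which is the same filtering nmap has to do so that stray traffic on the segment is not counted as a live host.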

FULL SCAN (TCP Connect Scan)

Ask the operating system to open a normal TCP connection (the connect() system call) to each port, so the full three-way handshake completes before nmap tears the connection down.  No root is needed, but the completed connection is visible to the application and is usually logged.  The packets exchanged-

Open ports:
Attacker ————-SYN———–>Host
Attacker<———SYN/ACK——— Host
Attacker————-ACK———->Host
Attacker————-RST———->Host   (nmap closes the connection)

Closed ports:
Attacker ————-SYN———–>Host
Attacker<———RST/ACK——— Host

Filtered ports: no reply at all (or an ICMP unreachable error), so nmap cannot tell whether anything listens.

Command:    nmap -sT <ip address>

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -sT  192.168.168.150
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 01:25 EDT
Nmap scan report for 192.168.168.150
Host is up (0.46s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

HALF OPEN SCAN (SYN / Stealth Scan)

Send a raw TCP SYN to each port and reset as soon as SYN/ACK comes back, so the handshake never completes and the listening application never sees a connection (a firewall or IDS watching the wire still does).  Requires root for raw packets; it is nmap's default scan type when run as root.  The packets exchanged-

Open ports:
Attacker ————-SYN———–>Host
Attacker<———SYN/ACK——— Host
Attacker————- RST———–>Host

Closed ports:
Attacker ————-SYN———–>Host
Attacker<———RST/ACK——— Host

Command:    sudo nmap -sS <ip address>

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -sS 192.168.168.150
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 02:06 EDT
Nmap scan report for 192.168.168.150
Host is up (0.0044s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
MAC Address: 00:0C:29:C9:71:A6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds

XMAS SCAN (Non Windows Targets)

Send a TCP packet with the FIN, URG and PSH flags set ("lit up like a Christmas tree") to each port.  RFC 793 says a closed port must answer any packet that is not a RST with a RST, while an open port silently drops a segment that carries no SYN, ACK or RST; nmap therefore reports silence as open|filtered (it cannot tell open from firewalled) and RST as closed.  Windows, Cisco IOS and several other stacks reply RST on every port regardless of state, so against them every port shows as closed.  Requires root.  The packets exchanged-

Open (or filtered) ports:
Attacker ——-FIN/URG/PSH—–>Host
Attacker<——— No Response —- Host

Closed ports:
Attacker ——-FIN/URG/PSH—–>Host
Attacker<———-RST/ACK——– Host

Command:    sudo nmap -sX <ip address>

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -sX 192.168.168.33
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 03:11 EDT
Nmap scan report for 192.168.168.33
Host is up (0.0028s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
25/tcp   open|filtered smtp
53/tcp   open|filtered domain
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
512/tcp  open|filtered exec
513/tcp  open|filtered login
514/tcp  open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown
MAC Address: 00:0C:29:C5:74:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds

FIN SCAN (Non Windows Targets)

Send a TCP packet with only the FIN flag set to each port.  Same rules as the XMAS scan: an RFC 793 stack drops the packet on an open port (reported open|filtered) and answers RST on a closed one; Windows and other non-compliant stacks answer RST for everything.  Requires root.  The packets exchanged-

Open (or filtered) ports:
Attacker ————-FIN————>Host
Attacker<——— No Response —- Host

Closed ports:
Attacker ————–FIN———–>Host
Attacker<———-RST/ACK——– Host

Command:    sudo nmap -sF <ip address>

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -sF 192.168.168.33
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 03:29 EDT
Nmap scan report for 192.168.168.33
Host is up (0.0025s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
25/tcp   open|filtered smtp
53/tcp   open|filtered domain
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
512/tcp  open|filtered exec
513/tcp  open|filtered login
514/tcp  open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown
MAC Address: 00:0C:29:C5:74:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.64 seconds

NULL SCAN (Linux and Unix Targets)

Send a TCP packet with no flags set at all to each port.  Same rules as the XMAS and FIN scans: silence means open|filtered, RST means closed, and Windows reports every port closed.  The three flag scans slip past old or stateless filters that only block SYN packets, but any stateful firewall or IDS flags them as abnormal.  Requires root.  The packets exchanged-

Open (or filtered) ports:
Attacker ————-No Flags————>Host
Attacker<——— No Response —- Host

Closed ports:
Attacker ————–No Flags———–>Host
Attacker<———-RST/ACK——– Host

Command:    sudo nmap -sN <ip address>

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -sN 192.168.168.33
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 03:39 EDT
Nmap scan report for 192.168.168.33
Host is up (0.0025s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
25/tcp   open|filtered smtp
53/tcp   open|filtered domain
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
512/tcp  open|filtered exec
513/tcp  open|filtered login
514/tcp  open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown
MAC Address: 00:0C:29:C5:74:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.64 seconds


UDP SCAN

Send a UDP datagram (empty, or a protocol-specific payload for well-known ports) to each port.  An ICMP port unreachable (type 3, code 3) means closed; a UDP reply means open; other ICMP unreachable errors mean filtered; no reply at all is open|filtered, because an open UDP service with no reason to answer looks exactly like a dropped packet.  Most stacks rate-limit ICMP error messages (Linux to about one per second), so a full 1000-port UDP scan takes many minutes, as the 1073 seconds in the example show; limit the ports (-p, --top-ports) and resolve open|filtered results with -sV.  Requires root.  The packets exchanged-

Open ports:
Attacker ————-UDP————>Host
Attacker<——— UDP reply (or no response: open|filtered) —- Host

Closed ports:
Attacker ————–UDP———–>Host
Attacker<—–ICMP Port Unreachable (3/3)—– Host

Command:    sudo nmap -sU <ip address>

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -sU 192.168.168.150
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 04:32 EDT
Nmap scan report for 192.168.168.150
Host is up (0.0040s latency).
Not shown: 973 closed udp ports (port-unreach)
PORT      STATE         SERVICE
53/udp    open          domain
88/udp    open|filtered kerberos-sec
123/udp   open          ntp
137/udp   open          netbios-ns
138/udp   open|filtered netbios-dgm
389/udp   open          ldap
464/udp   open|filtered kpasswd5
500/udp   open|filtered isakmp
3389/udp  open|filtered ms-wbt-server
3702/udp  open|filtered ws-discovery
4500/udp  open|filtered nat-t-ike
5353/udp  open|filtered zeroconf
5355/udp  open|filtered llmnr
57172/udp open|filtered unknown
57409/udp open|filtered unknown
57410/udp open|filtered unknown
57813/udp open|filtered unknown
57843/udp open|filtered unknown
57958/udp open|filtered unknown
57977/udp open|filtered unknown
58002/udp open|filtered unknown
58075/udp open|filtered unknown
58178/udp open|filtered unknown
58419/udp open|filtered unknown
58631/udp open|filtered unknown
58640/udp open|filtered unknown
58797/udp open|filtered unknown
MAC Address: 00:0C:29:C9:71:A6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1073.84 seconds
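
The response rules from the connect, SYN, FIN/XMAS/NULL and UDP sections above, applied to decoded packets.  This is an added example, not code from the page or from nmap; the replies are IPv4 packets constructed inline with dummy sequence numbers and zero checksums, so nothing is sent or received:

```python
"""From reply to port state: the rules behind nmap's open / closed / filtered / open|filtered.

Added example covering the connect/SYN, FIN/Xmas/NULL and UDP sections of this page; it is
not code from the original page or from nmap.  The replies are constructed IPv4 packets
built inline (dummy sequence numbers, zero checksums), so nothing is sent or received.
"""
import struct
from typing import Optional

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# ICMP destination-unreachable (type 3) codes nmap interprets as "filtered"
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def build_ipv4(proto: int, payload: bytes, src="192.168.168.150", dst="192.168.168.15") -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) in front of `payload`."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0, src_b, dst_b) + payload


def tcp_reply(flags: int, sport=445, dport=40000) -> bytes:
    """TCP header with the given flag bits at byte 13, which is all the classifier looks at."""
    return build_ipv4(6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0))


def udp_reply(payload: bytes, sport=53, dport=40000) -> bytes:
    return build_ipv4(17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def icmp_unreachable(code: int) -> bytes:
    """ICMP type 3 with the given code; the 28-byte quoted original datagram is zero-filled here."""
    return build_ipv4(1, struct.pack("!BBHI", 3, code, 0, 0) + bytes(28))


def decode(packet: bytes):
    """Return ('tcp', flags), ('udp', None) or ('icmp', (type, code)) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == 6:
        return "tcp", body[13]
    if proto == 17:
        return "udp", None
    if proto == 1:
        return "icmp", (body[0], body[1])
    raise ValueError(f"unhandled IP protocol {proto}")


def port_state(scan: str, reply: Optional[bytes]) -> str:
    """Port state nmap reports for a probe of type `scan` that received `reply` (None = silence).

    scan is 'syn' (covers -sS and -sT), 'fin', 'xmas', 'null' (-sF/-sX/-sN) or 'udp' (-sU).
    """
    if scan not in {"syn", "fin", "xmas", "null", "udp"}:
        raise ValueError(f"unknown scan type {scan}")
    if reply is None:
        # Silence: a SYN scan knows a listener would have answered, so something filtered it;
        # the flag scans and UDP cannot distinguish an open port from a dropped probe.
        return "filtered" if scan == "syn" else "open|filtered"
    kind, info = decode(reply)
    if kind == "icmp":
        typ, code = info
        if typ == 3 and scan == "udp" and code == 3:
            return "closed"          # port unreachable: the host itself says nothing listens
        if typ == 3 and code in ICMP_FILTERED_CODES:
            return "filtered"        # net/host/proto unreachable, admin prohibited: a filter answered
        return port_state(scan, None)   # any other ICMP is ignored, same as no reply
    if kind == "udp":
        if scan != "udp":
            raise ValueError("UDP data in reply to a TCP probe")
        return "open"                # only a listening service sends UDP back
    flags = info
    if flags & TCP_RST:
        return "closed"              # every TCP scan type reads RST as closed (see the Windows caveat)
    if scan == "syn" and flags & TCP_SYN and flags & TCP_ACK:
        return "open"
    raise ValueError(f"unexpected TCP flags 0x{flags:02x} for a {scan} scan")


def demo() -> dict:
    """The exchanges from the sections above, run through the classifier."""
    return {
        "syn + SYN/ACK": port_state("syn", tcp_reply(TCP_SYN | TCP_ACK)),
        "syn + RST/ACK": port_state("syn", tcp_reply(TCP_RST | TCP_ACK)),
        "syn + silence": port_state("syn", None),
        "syn + ICMP 3/13": port_state("syn", icmp_unreachable(13)),
        "xmas + silence": port_state("xmas", None),
        "xmas + RST/ACK": port_state("xmas", tcp_reply(TCP_RST | TCP_ACK)),
        "udp + silence": port_state("udp", None),
        "udp + ICMP 3/3": port_state("udp", icmp_unreachable(3)),
        "udp + ICMP 3/13": port_state("udp", icmp_unreachable(13)),
        "udp + DNS answer": port_state("udp", udp_reply(b"\x12\x34\x81\x80")),
    }


if __name__ == "__main__":
    for probe, state in demo().items():
        print(f"{probe:18} -> {state}")
```

The Windows caveat shows up as a blind spot in the classifier: `port_state("xmas", tcp_reply(TCP_RST | TCP_ACK))` returns closed whether the port really is closed or the target is a Windows host that resets everything, which is why the flag scans are only meaningful against RFC 793 stacks and why open|filtered results need a -sV follow-up.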

IDLE SCAN

Discover open ports on a target without ever sending it a packet from your own address.  Nmap spoofs the source address of a zombie (an idle host whose IP ID field increments by one for every packet it sends) and reads the target's answer indirectly, through the change in the zombie's IP ID.  The trick is that a host answers an unsolicited SYN/ACK with a RST (which bumps its IP ID) but silently drops an unsolicited RST (no packet, no bump).  The packets exchanged-

Open ports:

1. Determine IP ID of Zombie
Attacker ————-SYN/ACK————>Zombie
Attacker<————RST (IP ID)———– Zombie

2. Test port
Attacker——-SYN(Zombie SRC IP)——->Target
Zombie<————-SYN/ACK————– Target
Zombie ———–RST (IP ID+1)———–>Target

3. Check new IP ID of Zombie
Attacker ————-SYN/ACK————>Zombie
Attacker<———-RST (IP ID+2)——— Zombie      (increased by 2: port open)

Closed ports:

1. Determine IP ID of Zombie
Attacker ————-SYN/ACK————>Zombie
Attacker<————RST (IP ID)———– Zombie

2. Test port
Attacker——-SYN(Zombie SRC IP)——->Target
Zombie<—————RST—————— Target        (zombie drops it, sends nothing)

3. Check new IP ID of Zombie
Attacker ————-SYN/ACK————>Zombie
Attacker<———-RST (IP ID+1)——— Zombie      (increased by 1: port closed)

Filtered ports: the target sends the zombie nothing, so the IP ID also advances by only 1; nmap reports these as closed|filtered because it cannot tell the two cases apart.

The zombie must really be idle: any other traffic it sends during the scan also advances the IP ID and corrupts the count (nmap probes each port several times to compensate), and its IP ID must be a single global incrementing counter.  Most current Linux, BSD and Windows releases randomize the IP ID or keep it per destination and are useless as zombies; older Windows, printers and embedded devices often still qualify.  The spoofed SYN also needs a path without anti-spoofing filters, so the scan is most reliable with a zombie and target on the local segment.  -Pn is required: without it nmap would ping the target from your real address first.

Command:    sudo nmap -Pn -sI <ip address of zombie>[:<probe port>] <ip address of target>

Example:

Step 1: Confirm the host has an incremental IP ID and can serve as a zombie.  The ipidseq script needs an open port to probe, so nmap port-scans the zombie first (1000 ports here); add -p <port> to keep that noise down –

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script ipidseq.nse 192.168.168.16 -v
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 07:59 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:59
Completed NSE at 07:59, 0.00s elapsed
Initiating ARP Ping Scan at 07:59
Scanning 192.168.168.16 [1 port]
Completed ARP Ping Scan at 07:59, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:59
Completed Parallel DNS resolution of 1 host. at 07:59, 0.02s elapsed
Initiating SYN Stealth Scan at 07:59
Scanning 192.168.168.16 [1000 ports]
Discovered open port 443/tcp on 192.168.168.16
Discovered open port 80/tcp on 192.168.168.16
Discovered open port 902/tcp on 192.168.168.16
Discovered open port 9080/tcp on 192.168.168.16
Discovered open port 8000/tcp on 192.168.168.16
Discovered open port 8300/tcp on 192.168.168.16
Discovered open port 427/tcp on 192.168.168.16
Completed SYN Stealth Scan at 07:59, 4.48s elapsed (1000 total ports)
NSE: Script scanning 192.168.168.16.
Initiating NSE at 07:59
Completed NSE at 07:59, 0.10s elapsed
Nmap scan report for 192.168.168.16
Host is up (0.0024s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
427/tcp open svrloc
443/tcp open https
902/tcp open iss-realsecure
5988/tcp closed wbem-http
5989/tcp closed wbem-https
8000/tcp open http-alt
8300/tcp open tmi
9080/tcp open glrpc
MAC Address: 40:A8:F0:3E:13:D6 (Hewlett Packard)

Host script results:
|_ipidseq: Incremental!

NSE: Script Post-scanning.
Initiating NSE at 07:59
Completed NSE at 07:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.03 seconds
Raw packets sent: 1997 (87.852KB) | Rcvd: 11 (456B)

Step 2: Scan the target through the zombie.  The "Class: Incremental" line confirms the zombie, and port 80 on the zombie is what nmap probes to read its IP ID –

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -sI 192.168.168.16 -v 192.168.168.150
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 07:58 EDT
Initiating ARP Ping Scan at 07:58
Scanning 192.168.168.150 [1 port]
Completed ARP Ping Scan at 07:58, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:58
Completed Parallel DNS resolution of 1 host. at 07:58, 0.02s elapsed
Initiating idle scan against 192.168.168.150 at 07:58
Idle scan using zombie 192.168.168.16 (192.168.168.16:80); Class: Incremental
Discovered open port 135/tcp on 192.168.168.150
Discovered open port 3389/tcp on 192.168.168.150
Discovered open port 445/tcp on 192.168.168.150
Discovered open port 53/tcp on 192.168.168.150
Discovered open port 139/tcp on 192.168.168.150
Discovered open port 88/tcp on 192.168.168.150
Discovered open port 593/tcp on 192.168.168.150
Discovered open port 636/tcp on 192.168.168.150
Discovered open port 5357/tcp on 192.168.168.150
Discovered open port 389/tcp on 192.168.168.150
Discovered open port 464/tcp on 192.168.168.150
Discovered open port 3268/tcp on 192.168.168.150
Discovered open port 3269/tcp on 192.168.168.150
Completed idle scan against 192.168.168.150 at 07:59, 17.84s elapsed (1000 ports)
Nmap scan report for 192.168.168.150
Host is up (0.055s latency).
Not shown: 987 closed|filtered tcp ports (no-ipid-change)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
MAC Address: 00:0C:29:C9:71:A6 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.98 seconds
Raw packets sent: 3254 (143.160KB) | Rcvd: 317 (12.668KB)
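
The three-step exchange above as a simulation with both sides' messages, added here to illustrate the section; it is not the page's code and not nmap's implementation (nmap adds retries, probes ports in groups and qualifies the zombie first).  Hosts, addresses and port states are constructed, and the `noise` parameter on the zombie is a hypothetical knob for showing what a non-idle zombie does to the result:

```python
"""Idle scan step by step, against a simulated zombie and target.

Added example for the idle-scan section; it is not the original page's code and not nmap's
implementation.  The hosts, addresses and port states are constructed so the three-party
exchange can run offline.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # "SYN", "SYN/ACK", "RST" or "ACK"
    ip_id: int = 0
    dport: int = 0


class Zombie:
    """Host with a single global IP ID counter: every packet it sends uses the next value."""

    def __init__(self, ip: str, start_id: int = 1000, noise: int = 0):
        self.ip, self.next_id = ip, start_id
        self.noise = noise    # packets it sends to *other* peers per probe; 0 = truly idle (hypothetical knob)

    def _send(self, dst: str, flags: str) -> Packet:
        pkt = Packet(self.ip, dst, flags, self.next_id)
        self.next_id = (self.next_id + 1) & 0xFFFF
        return pkt

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if pkt.flags == "SYN/ACK":        # unsolicited SYN/ACK -> RST, and that RST burns an IP ID
            return self._send(pkt.src, "RST")
        return None                       # unsolicited RST is dropped silently: no packet, no IP ID

    def other_traffic(self) -> None:
        for _ in range(self.noise):       # 203.0.113.9 is a hypothetical unrelated peer
            self._send("203.0.113.9", "ACK")


class Target:
    def __init__(self, ip: str, open_ports, filtered_ports=()):
        self.ip, self.open, self.filtered = ip, set(open_ports), set(filtered_ports)

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if pkt.flags != "SYN" or pkt.dport in self.filtered:
            return None                                   # dropped by a filter: nothing goes back
        if pkt.dport in self.open:
            return Packet(self.ip, pkt.src, "SYN/ACK")    # answered to the spoofed source, the zombie
        return Packet(self.ip, pkt.src, "RST")


class Attacker:
    def __init__(self, ip: str, zombie: Zombie, target: Target):
        self.ip, self.zombie, self.target = ip, zombie, target

    def probe_zombie_ip_id(self) -> int:
        """Steps 1 and 3: SYN/ACK to the zombie, read the IP ID of the RST it sends back."""
        rst = self.zombie.receive(Packet(self.ip, self.zombie.ip, "SYN/ACK", dport=80))
        return rst.ip_id

    def scan_port(self, port: int) -> str:
        before = self.probe_zombie_ip_id()
        # Step 2: SYN to the target with the zombie's address as source; the reply goes to the zombie
        spoofed = Packet(self.zombie.ip, self.target.ip, "SYN", dport=port)
        reply = self.target.receive(spoofed)
        if reply is not None:
            self.zombie.receive(reply)           # SYN/ACK -> zombie sends RST (+1); RST -> ignored
        self.zombie.other_traffic()
        after = self.probe_zombie_ip_id()
        delta = (after - before) & 0xFFFF
        if delta == 2:
            return "open"
        if delta == 1:
            return "closed|filtered"             # closed and filtered look identical from here
        return f"unreliable (zombie IP ID moved by {delta})"

    def sample_ip_ids(self, count: int) -> List[int]:
        return [self.probe_zombie_ip_id() for _ in range(count)]


def classify_ip_id_sequence(ids: List[int]) -> str:
    """Simplified version of the classes the ipidseq script reports (thresholds are approximations)."""
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(0 < d < 10 for d in diffs):
        return "Incremental!"                    # usable zombie: small, positive, predictable steps
    return "Randomized"                           # useless as a zombie


if __name__ == "__main__":
    zombie = Zombie("192.168.168.16")
    target = Target("192.168.168.150", open_ports={53, 445}, filtered_ports={3389})
    attacker = Attacker("192.168.168.15", zombie, target)
    print(classify_ip_id_sequence(attacker.sample_ip_ids(6)))     # Incremental!
    for port in (53, 22, 3389):
        print(port, attacker.scan_port(port))                      # open, closed|filtered, closed|filtered
    busy = Attacker("192.168.168.15", Zombie("192.168.168.9", noise=1), target)
    print(22, busy.scan_port(22))                                  # open: false positive from a non-idle zombie
```

The last run shows the failure mode: a zombie that sends even one unrelated packet per probe turns a closed port into a false "open", which is why nmap insists on an idle zombie and repeats each probe before committing to a result.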

DECOY SCAN

Discover open ports while hiding which address is the real scanner: for every probe nmap also sends copies with the source address spoofed to each decoy, so the target's logs and IDS see the same scan arriving from several hosts at once.  Replies to the decoy copies go to the decoys and never reach the attacker; only the reply to the probe from the real address does.  The packets exchanged-

Open ports:

Attacker(as decoy)—————-SYN—————>Target
Attacker————————SYN—————>Target
Decoy<———–SYN/ACK————- Target   (discarded by the decoy host)
Attacker<——————-SYN/ACK————- Target

Closed ports:

Attacker(as decoy)—————-SYN—————>Target
Attacker————————SYN—————>Target
Decoy<———–RST/ACK————- Target
Attacker<——————-RST/ACK————- Target

Command:    sudo nmap -D <ip address of decoy1>,<ip address of decoy2>,ME -v <ip address of target>

The decoy list is comma separated with no spaces; ME marks where your real address goes in the order (nmap places it randomly otherwise) and RND:<n> generates n random decoys.  Decoys should be hosts that are up, since an address that is down is obviously not the scanner and the target ends up SYN flooded with unanswered half-open connections.  Decoys work with raw scans (-sS, -sF and so on) and OS detection, not with -sT or -sV.  Upstream providers with anti-spoofing filters drop the spoofed copies, and the decoy hosts may themselves receive abuse complaints, so choose them with care.  In the example one decoy roughly doubles the raw packet count.

Example:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -D 192.168.168.16 -v 192.168.168.150

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-13 00:23 EDT
Initiating ARP Ping Scan at 00:23
Scanning 192.168.168.150 [1 port]
Completed ARP Ping Scan at 00:23, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:23
Completed Parallel DNS resolution of 1 host. at 00:23, 0.02s elapsed
Initiating SYN Stealth Scan at 00:23
Scanning 192.168.168.150 [1000 ports]
Discovered open port 3389/tcp on 192.168.168.150
Discovered open port 53/tcp on 192.168.168.150
Discovered open port 139/tcp on 192.168.168.150
Discovered open port 445/tcp on 192.168.168.150
Discovered open port 135/tcp on 192.168.168.150
Discovered open port 88/tcp on 192.168.168.150
Discovered open port 593/tcp on 192.168.168.150
Discovered open port 5357/tcp on 192.168.168.150
Discovered open port 389/tcp on 192.168.168.150
Discovered open port 464/tcp on 192.168.168.150
Discovered open port 3268/tcp on 192.168.168.150
Discovered open port 3269/tcp on 192.168.168.150
Discovered open port 636/tcp on 192.168.168.150
Completed SYN Stealth Scan at 00:23, 1.37s elapsed (1000 total ports)
Nmap scan report for 192.168.168.150
Host is up (0.0023s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
MAC Address: 00:0C:29:C9:71:A6 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
Raw packets sent: 2057 (90.492KB) | Rcvd: 1001 (40.080KB)

FRAGMENTATION SCAN

Discover open ports while splitting each probe's TCP header across several small IP fragments (8 bytes of data per fragment with -f, 16 with -f -f, or another multiple of 8 with --mtu).  A packet filter or IDS that inspects only whole packets, or only the first fragment, cannot see the TCP flags (they sit at byte 13 of the TCP header, in the second 8-byte fragment); the target's IP stack reassembles the fragments before TCP sees the segment, so the scan result is the same as a plain SYN scan.  Modern firewalls and IDSs reassemble fragments too, so this evades little today.  Some scanning hosts (Linux with iptables connection tracking loaded) defragment outgoing packets in the kernel, so capture the traffic while scanning to confirm fragments actually leave the interface.  Only raw-packet scans can be fragmented (not -sT, -sV or NSE).  Requires root.  The packets exchanged-

Open ports:

Attacker—————-SYN(Fragment 1)—————>Target
Attacker—————-SYN(Fragment 2, …)—————>Target
Attacker<——————-SYN/ACK——————– Target
Attacker————————RST———————> Target

Closed ports:

Attacker—————–SYN(Fragment 1)—————>Target
Attacker—————–SYN(Fragment 2, …)—————>Target
Attacker<——————–RST/ACK——————– Target

Command:    sudo nmap -f  -v <ip address of target>

Example:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -f -v 192.168.168.150

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-13 02:24 EDT
Initiating ARP Ping Scan at 02:24
Scanning 192.168.168.150 [1 port]
Completed ARP Ping Scan at 02:24, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:24
Completed Parallel DNS resolution of 1 host. at 02:24, 0.04s elapsed
Initiating SYN Stealth Scan at 02:24
Scanning 192.168.168.150 [1000 ports]
Discovered open port 53/tcp on 192.168.168.150
Discovered open port 139/tcp on 192.168.168.150
Discovered open port 3389/tcp on 192.168.168.150
Discovered open port 445/tcp on 192.168.168.150
Discovered open port 135/tcp on 192.168.168.150
Discovered open port 593/tcp on 192.168.168.150
Discovered open port 636/tcp on 192.168.168.150
Discovered open port 389/tcp on 192.168.168.150
Discovered open port 464/tcp on 192.168.168.150
Discovered open port 3268/tcp on 192.168.168.150
Discovered open port 88/tcp on 192.168.168.150
Discovered open port 5357/tcp on 192.168.168.150
Discovered open port 3269/tcp on 192.168.168.150
Completed SYN Stealth Scan at 02:24, 1.34s elapsed (1000 total ports)
Nmap scan report for 192.168.168.150
Host is up (0.0038s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
MAC Address: 00:0C:29:C9:71:A6 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
Raw packets sent: 1016 (44.688KB) | Rcvd: 1001 (40.080KB)
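
What -f does to one SYN probe, as an added example (not the page's or nmap's code; the addresses are constructed): fragment the 24-byte SYN header into 8-byte IP fragments, look at what a filter that inspects only the first fragment can see, and reassemble the pieces the way the target's stack does:

```python
"""What `nmap -f` does to a SYN probe: the TCP header split across 8-byte IP fragments.

Added example for the fragmentation section; it is not the page's or nmap's code and the
addresses are constructed.  It builds the 24-byte SYN probe (20-byte header plus MSS option),
fragments it as -f does (8 bytes of transport data per fragment; --mtu chooses another
multiple of 8), shows what a filter that reads only the first fragment can see, and
reassembles the pieces as the target's IP stack does.
"""
import struct

IP_MF = 0x2000      # "more fragments" flag; it shares the 16-bit field with the 13-bit fragment offset


def ipv4_header(payload_len: int, frag_offset: int = 0, more: bool = False, ident: int = 0x1234,
                proto: int = 6, src: str = "192.168.168.15", dst: str = "192.168.168.150") -> bytes:
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    flags_frag = (IP_MF if more else 0) | (frag_offset // 8)     # offset is counted in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0, src_b, dst_b)


def tcp_syn(sport: int, dport: int) -> bytes:
    """20-byte TCP header with SYN set (flags are byte 13) plus a 4-byte MSS option = 24 bytes."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x11223344, 0, 6 << 4, 0x02, 1024, 0, 0)
    return header + struct.pack("!BBH", 2, 4, 1460)


def fragment(transport: bytes, size: int = 8) -> list:
    """Split the transport segment into IP fragments carrying `size` bytes each (multiple of 8)."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for offset in range(0, len(transport), size):
        chunk = transport[offset:offset + size]
        more = offset + size < len(transport)
        frags.append(ipv4_header(len(chunk), offset, more) + chunk)
    return frags


def reassemble(frags: list) -> bytes:
    """Rebuild the segment from fragments in any order, as the target (or a reassembling IDS) must."""
    pieces, total = {}, None
    for frag in frags:
        ihl = (frag[0] & 0x0F) * 4
        flags_frag = struct.unpack("!H", frag[6:8])[0]
        offset, data = (flags_frag & 0x1FFF) * 8, frag[ihl:]
        pieces[offset] = data
        if not flags_frag & IP_MF:          # the fragment without MF tells us the total length
            total = offset + len(data)
    if total is None:
        raise ValueError("last fragment missing")
    segment = b"".join(pieces[o] for o in sorted(pieces))
    if len(segment) != total:
        raise ValueError("gap in fragment sequence")
    return segment


def first_fragment_view(frag: bytes) -> dict:
    """Fields a stateless filter gets from fragment 0: ports yes, TCP flags only if 14+ bytes arrived."""
    data = frag[(frag[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", data[:4])
    return {"sport": sport, "dport": dport, "flags_visible": len(data) > 13,
            "syn": bool(data[13] & 0x02) if len(data) > 13 else None}


if __name__ == "__main__":
    probe = tcp_syn(40000, 445)
    frags = fragment(probe)                             # -f: 3 fragments of 8 bytes
    print(len(frags), first_fragment_view(frags[0]))    # 3 {'sport': 40000, 'dport': 445, 'flags_visible': False, 'syn': None}
    print(reassemble(frags[::-1]) == probe)             # True, arrival order does not matter
    print(first_fragment_view(fragment(probe, 16)[0]))  # --mtu 16: the SYN flag is back in the first fragment
```

With 8-byte fragments the first fragment carries the ports and sequence number but not the flags byte, so a filter that does not reassemble cannot tell a SYN from anything else; with --mtu 16 the flags are back in the first fragment and the trick buys nothing.  Reassembly also shows why the scan result is unchanged: the target's TCP layer only ever sees the original 24-byte SYN.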

OS DETECTION

TCP/IP stack fingerprinting: nmap sends a series of crafted TCP, UDP and ICMP probes to one open and one closed port and compares the responses (initial window, TCP option order, IP ID and sequence number generation, ICMP quirks) against its nmap-os-db signatures.  Needs root, and ideally one open and one closed port; the warning in the example ("could not find at least 1 open and 1 closed port", because the closed ports were all filtered) is why the result is a broad list of Windows versions rather than a single match.  The "IP ID Sequence Generation" line is also a quick check of whether a host could serve as an idle-scan zombie.

Command:    sudo nmap -O -v <target>

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -O -v 192.168.168.15
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-15 07:59 EDT
Initiating ARP Ping Scan at 07:59
Scanning 192.168.168.15 [1 port]
Completed ARP Ping Scan at 07:59, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:59
Completed Parallel DNS resolution of 1 host. at 07:59, 0.02s elapsed
Initiating SYN Stealth Scan at 07:59
Scanning 192.168.168.15 [1000 ports]
Discovered open port 135/tcp on 192.168.168.15
Discovered open port 445/tcp on 192.168.168.15
Discovered open port 3389/tcp on 192.168.168.15
Discovered open port 139/tcp on 192.168.168.15
Discovered open port 554/tcp on 192.168.168.15
Discovered open port 5357/tcp on 192.168.168.15
Discovered open port 10243/tcp on 192.168.168.15
Discovered open port 2869/tcp on 192.168.168.15
Completed SYN Stealth Scan at 07:59, 4.81s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.168.15
Nmap scan report for 192.168.168.15
Host is up (0.0029s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
10243/tcp open unknown
MAC Address: 00:0C:29:62:20:7A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone
Running: Microsoft Windows 2008|8.1|7|Phone|Vista
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Uptime guess: 13.033 days (since Tue May 2 07:11:57 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.93 seconds
Raw packets sent: 2031 (91.202KB) | Rcvd: 19 (1.158KB)

SERVICE VERSION DETECTION

Probe each open port to identify the application and version behind it: nmap connects, reads any banner, then sends probes from nmap-service-probes and matches the replies.  It does not need root, and it is the usual way to resolve open|filtered results from the FIN/NULL/XMAS and UDP scans.  In the output, "tcpwrapped" means the connection was accepted and then immediately closed (TCP wrappers, a proxy or a firewall in front of the service), and a trailing "?" (smtp?, login?) means the port is open but no probe matched.  Because it completes connections and sends application data it is the noisiest scan on this page (the example took 166 seconds against one host), and some ports are excluded from probing by default (printer port 9100, for instance) because the probes make devices misbehave.

Command:    nmap -sV -v <target>

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -sV -v 192.168.168.11
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-15 08:11 EDT
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 08:11
Scanning 192.168.168.11 [1 port]
Completed ARP Ping Scan at 08:11, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:11
Completed Parallel DNS resolution of 1 host. at 08:11, 0.02s elapsed
Initiating SYN Stealth Scan at 08:11
Scanning 192.168.168.11 [1000 ports]
Discovered open port 25/tcp on 192.168.168.11
Discovered open port 139/tcp on 192.168.168.11
Discovered open port 23/tcp on 192.168.168.11
Discovered open port 53/tcp on 192.168.168.11
Discovered open port 22/tcp on 192.168.168.11
Discovered open port 111/tcp on 192.168.168.11
Discovered open port 3306/tcp on 192.168.168.11
Discovered open port 5900/tcp on 192.168.168.11
Discovered open port 21/tcp on 192.168.168.11
Discovered open port 445/tcp on 192.168.168.11
Discovered open port 5432/tcp on 192.168.168.11
Discovered open port 1524/tcp on 192.168.168.11
Discovered open port 1099/tcp on 192.168.168.11
Discovered open port 8009/tcp on 192.168.168.11
Discovered open port 512/tcp on 192.168.168.11
Discovered open port 6000/tcp on 192.168.168.11
Discovered open port 513/tcp on 192.168.168.11
Discovered open port 514/tcp on 192.168.168.11
Discovered open port 6667/tcp on 192.168.168.11
Discovered open port 8180/tcp on 192.168.168.11
Discovered open port 2049/tcp on 192.168.168.11
Completed SYN Stealth Scan at 08:11, 0.19s elapsed (1000 total ports)
Initiating Service scan at 08:11
Scanning 21 services on 192.168.168.11
Completed Service scan at 08:14, 163.98s elapsed (21 services on 1 host)
NSE: Script scanning 192.168.168.11.
Initiating NSE at 08:14
Completed NSE at 08:14, 0.10s elapsed
Initiating NSE at 08:14
Completed NSE at 08:14, 1.01s elapsed
Nmap scan report for 192.168.168.11
Host is up (0.0027s latency).
Not shown: 979 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd (Misconfigured)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp?
53/tcp   open  domain      ISC BIND 9.4.2
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  tcpwrapped
445/tcp  open  tcpwrapped
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:C5:74:EC (VMware)
Service Info: Host: irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.88 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.112KB)
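
A parser for the output format shown throughout this page, added as an example (it is not part of the page and not nmap's own tooling; for real work use -oX and an XML parser, since the text format is not a stable interface).  The sample text is trimmed from the -sV and -sU transcripts above, and the second function lists the results that still need a follow-up: open|filtered ports from the flag and UDP scans, tcpwrapped ports and services no probe matched:

```python
"""Parse nmap's normal (console / -oN) output into records and list results that need a follow-up.

Added example for the version-detection section (it also covers the open|filtered results of
the FIN/Xmas/NULL and UDP sections); it is not part of the original page and not nmap's own
parser.  The sample below is trimmed from the transcripts on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = """\
Nmap scan report for 192.168.168.11
Host is up (0.0027s latency).
Not shown: 979 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd (Misconfigured)
25/tcp   open  smtp?
139/tcp  open  tcpwrapped
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
MAC Address: 00:0C:29:C5:74:EC (VMware)

Nmap scan report for 192.168.168.150
Host is up (0.0040s latency).
PORT     STATE         SERVICE
53/udp   open          domain
88/udp   open|filtered kerberos-sec
MAC Address: 00:0C:29:C9:71:A6 (VMware)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)(?:\s+(.*))?$"
)


@dataclass
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str = ""


def parse_nmap_output(text: str) -> Dict[str, dict]:
    """Map each scanned address to its MAC/vendor (if on the local segment) and port records."""
    hosts: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)      # prefer the IP when a hostname was resolved
            hosts[current] = {"mac": None, "vendor": None, "ports": []}
            continue
        if current is None:
            continue
        m = MAC_RE.match(line)
        if m:
            hosts[current]["mac"], hosts[current]["vendor"] = m.group(1), m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            hosts[current]["ports"].append(PortRecord(
                current, int(m.group(1)), m.group(2), m.group(3), m.group(4), (m.group(5) or "").strip()))
    return hosts


def follow_ups(hosts: Dict[str, dict]) -> List[Tuple[str, int, str, str]]:
    """Results nmap could not settle, with the usual next step."""
    todo = []
    for host, info in hosts.items():
        for p in info["ports"]:
            if p.state == "open|filtered":
                todo.append((host, p.port, p.proto, "rerun with -sV to get the service to answer"))
            elif p.state == "open" and p.service == "tcpwrapped":
                todo.append((host, p.port, p.proto, "accepted then closed: TCP wrappers, proxy or firewall in front"))
            elif p.state == "open" and p.service.endswith("?"):
                todo.append((host, p.port, p.proto, "open but no probe matched: banner it by hand or use --version-all"))
    return todo


if __name__ == "__main__":
    for item in follow_ups(parse_nmap_output(SAMPLE)):
        print(item)
```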

HOST ENUMERATION (Aggressive Scan)

-A combines OS detection (-O), version detection (-sV), the default NSE script set (-sC) and traceroute (--traceroute) in one run.  Root is needed for the OS detection and traceroute parts.  It is slow and loud, and the default scripts interact with the services (the ssl-cert, http-title, http-methods and http-open-proxy lines in the example come from them), so run it only against hosts you are authorised to test.

Command:    sudo nmap -A -v <target>

Example:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -A -v www.hackthissite.org
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-13 03:34 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Initiating Ping Scan at 03:34
Scanning www.hackthissite.org (137.74.187.103) [4 ports]
Completed Ping Scan at 03:34, 0.31s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:34
Completed Parallel DNS resolution of 1 host. at 03:34, 0.28s elapsed
Initiating SYN Stealth Scan at 03:34
Scanning www.hackthissite.org (137.74.187.103) [1000 ports]
Discovered open port 80/tcp on 137.74.187.103
Discovered open port 443/tcp on 137.74.187.103
Completed SYN Stealth Scan at 03:34, 16.84s elapsed (1000 total ports)
Initiating Service scan at 03:34
Scanning 2 services on www.hackthissite.org (137.74.187.103)
Completed Service scan at 03:34, 30.85s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against www.hackthissite.org (137.74.187.103)
Retrying OS detection (try #2) against www.hackthissite.org (137.74.187.103)
Initiating Traceroute at 03:34
Completed Traceroute at 03:35, 3.37s elapsed
Initiating Parallel DNS resolution of 13 hosts. at 03:35
Completed Parallel DNS resolution of 13 hosts. at 03:35, 0.58s elapsed
NSE: Script scanning 137.74.187.103.
Initiating NSE at 03:35
Completed NSE at 03:36, 71.63s elapsed
Initiating NSE at 03:36
Completed NSE at 03:36, 2.59s elapsed
Initiating NSE at 03:36
Completed NSE at 03:36, 0.00s elapsed
Nmap scan report for www.hackthissite.org (137.74.187.103)
Host is up (0.27s latency).
Other addresses for www.hackthissite.org (not scanned): 137.74.187.101 137.74.187.100 137.74.187.102 137.74.187.104 2001:41d0:8:ccd8:137:74:187:103 2001:41d0:8:ccd8:137:74:187:102 2001:41d0:8:ccd8:137:74:187:100 2001:41d0:8:ccd8:137:74:187:101 2001:41d0:8:ccd8:137:74:187:104
rDNS record for 137.74.187.103: hackthissite.org
Not shown: 995 filtered tcp ports (no-response), 1 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http-proxy HAProxy http proxy 1.3.1 or later
|_http-open-proxy: Proxy might be redirecting requests
113/tcp closed ident
443/tcp open ssl/http-proxy HAProxy http proxy 1.3.1 or later
| ssl-cert: Subject: commonName=hackthisjogneh42n5o7gbzrewxee3vyu6ex37ukyvdw6jm66npakiyd.onion
| Subject Alternative Name: DNS:hackthissite.org, DNS:www.hackthissite.org, DNS:hackthisjogneh42n5o7gbzrewxee3vyu6ex37ukyvdw6jm66npakiyd.onion
| Issuer: commonName=HARICA DV TLS RSA/organizationName=Hellenic Academic and Research Institutions CA/countryName=GR
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-04-03T06:47:49
| Not valid after: 2024-04-02T06:47:49
| MD5: 714c266a9a30f812b5c2caab8f5e2a63
|_SHA-1: 118ee2e8d1e733e57f2588028befd47f1bab2816
|_http-title: Hack This Site
|_http-server-header: HackThisSite
|_http-favicon: Unknown favicon MD5: 981F6562D0187DA82A837F37653AE807
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
OS fingerprint not ideal because: Didn’t receive UDP response. Please try again with -sSU
No OS matches for host
Network Distance: 20 hops
Service Info: Device: load balancer

TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 8.99 ms 192.168.168.1
2 36.17 ms 100.97.128.1
3 27.72 ms 180.150.0.235
4 31.43 ms be50-3999.cfl3.nextdc-s2.syd.aussiebb.net (180.150.2.96)
5 122.32 ms be3.core1.equinix-sg1.sin.aussiebb.net (180.150.2.85)
6 116.22 ms ae6-207.RT.EQX.SIN.SG.retn.net (87.245.238.226)
7 263.69 ms ae0-2.RT.IR9.AMS.NL.retn.net (87.245.232.123)
8 273.32 ms ams-gsa1-pb1-8k.nl.eu (54.36.50.30)
9 … 11
12 303.61 ms be104.rbx-g3-nc5.fr.eu (54.36.50.245)
13 268.32 ms vl12.mar-4-n5.fr.eu (91.121.215.183)
14 269.90 ms lil1-rbx1-vac1-a75-1-firewall.fr.eu (178.33.99.124)
15 272.40 ms lil1-rbx1-vac1-a75-2-shield.fr.eu (178.33.99.125)
16 274.48 ms rbx-vac1-a75-3.fr.eu (178.33.99.123)
17 … 19
20 270.17 ms hackthissite.org (137.74.187.103)