bash/nmap.sh at master · buuren/bash · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
nmap scripts

1) mostly needs root access
2) hashcat - decrypt passwords
3) Sniffing - passive / active


on server (192.168.10.10): tcpdump -i eth0 host 192.168.10.10 and tcp portrange 1-1024

from client to server: telnet 192.168.10.10

save to pcap -> import in wireshark. Analyze!


TYPES OF SCANNING:


nmap -sS: SYN
TCP-SYN - default type.
1) Fast. Can scan a lot of ports in short time. No full TCP connection. Any TCP stack. No hardware dependant.
Is port closed/open/filtltered?
Send TCP-SYN -< SYN-ACK = OPEN
Send TCP-SYN -< RST = CLOSED
Send TCP-SYN -< no reply? filtered. (ICMP unreachable)

nmap -sT: Connect (in case you cant use raw socket or IPv6)
Use system call. Full TCP connection. Can be traced (more info in the logs)