Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

nmap

Top 100 Ports

nmap -F 192.168.1.1

OS Fingerprint and Service ID

nmap -sV -O 192.168.1.1

Polite Scans

  • -p- flag will scan all ports
  • -sS is a SYN scan, which is faster and more stealthy
  • -T2 using polite timing template
  • --max-rate 10 limits to 10 packets per second
  • --scan-delay 1s limits to 1s per port
  • --randomize-hosts randomizes the order of the scanned ports in an attempt to evade detection a bit longer

Pretty much any scan you do will be detected by any modern SIEM. But you can be polite in your scans to avoid thrashing your network and DOS'ing the machine you are scanning. This scan, as written, will take many hours and is only documented for reference. Typically you scan the top ports, scan faster, or use some combination of the two to speed up your scans.

nmap -p- -sS -T2 --max-rate 10 192.168.1.1

Default Scan

This is what works for me when investigating a host, most of the time. The --max-rate 100 is very high and could be lowered, but this is for tryhackme labs where a SIEM is not going to care. You could go faster with T4 or T5 too, but in a production environment these will likely interfere with your server somehow.

sudo nmap -p- -sS -sV -T3 --max-rate 100 --scan-delay 50ms 192.168.1.1

Production Scan

This is the scan I would use when I have permission but want to be somewhat polite.

sudo nmap -p- -sS -sV -T3 --max-rate 50 --scan-delay 20ms 192.168.1.1

Comprehensive Scan

Check specifically for vulns

nmap -sV --script vuln 192.168.1.1

or general overview default scripts

nmap -sC -sV 192.168.1.1

TCP Connect Scan

nmap -sT 192.168.1.1

Users

https://nmap.org/nsedoc/scripts/http-wordpress-users.html This script attempts to enumerate WordPress usernames by exploiting the WordPress REST API and other known vulnerabilities or misconfigurations.

Scan port 80 only using the http-wordpress-users NSE Script

nmap -p80 --script http-wordpress-users 192.168.1.1

Scan all ports, but limit to 50 users in the enumeration

nmap -sV --script http-wordpress-users --script-args limit=50 192.168.1.1

Themes and Plugins

https://nmap.org/nsedoc/scripts/http-wordpress-enum.html Enumerates themes and plugins of Wordpress installations. The script can also detect outdated plugins by comparing version numbers with information pulled from api.wordpress.org.

The script works with two separate databases for themes (wp-themes.lst) and plugins (wp-plugins.lst). The databases are sorted by popularity and the script will search only the top 100 entries by default. The theme database has around 32,000 entries while the plugin database has around 14,000 entries.

nmap -sV --script http-wordpress-enum 192.168.1.1
nmap --script http-wordpress-enum --script-args check-latest=true,search-limit=10 192.168.1.1
nmap --script http-wordpress-enum --script-args type="themes" 192.168.1.1

Active IP and Scan

Scans network for active IPs, note only the top 1000 ports are scanned.

nmap 192.168.1.0/24
Nmap scan report for 192.168.1.18
Host is up (0.0045s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
631/tcp   open  ipp
20005/tcp open  btx

Nmap scan report for 192.168.1.19
Host is up (0.0033s latency).
All 1000 scanned ports on 192.168.9.189 are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for 8018232F1L12 (192.168.1.94)
Host is up (0.0054s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
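As an added example (not part of these notes), a small shell function that condenses normal nmap output like the sweep above into one line per host with its open ports, which is handy for turning a /24 scan into an inventory to compare against the next one. The sample input is constructed from the scan above and is not a live result.

```shell
#!/bin/sh
# Added example: summarize "Nmap scan report" output (normal nmap output on stdin)
# into "ip port/proto,port/proto,..." with "-" for hosts that show no open ports.
# Only ports whose STATE is exactly "open" count, so UDP "open|filtered" is skipped.

summarize_nmap() {
  awk '
    /^Nmap scan report for/ {
      if (host != "") print host " " (ports == "" ? "-" : ports)
      host = $NF; gsub(/[()]/, "", host)   # "name (ip)" -> ip, "ip" -> ip
      ports = ""
    }
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
      ports = (ports == "" ? $1 : ports "," $1)
    }
    END { if (host != "") print host " " (ports == "" ? "-" : ports) }
  '
}

# Constructed sample, modelled on the 192.168.1.0/24 output above.
SAMPLE='Nmap scan report for 192.168.1.18
Host is up (0.0045s latency).
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
20005/tcp open  btx

Nmap scan report for 192.168.1.19
Host is up (0.0033s latency).
All 1000 scanned ports on 192.168.1.19 are in ignored states.

Nmap scan report for 8018232F1L12 (192.168.1.94)
Host is up (0.0054s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server'

printf '%s\n' "$SAMPLE" | summarize_nmap
```

Pipe a real scan in with `nmap 192.168.1.0/24 | summarize_nmap` and diff the result against last week's to spot new hosts or newly opened ports.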

Active IP on Certain Open Ports

The -sV flag will try to identify what is running on that open port too.

nmap -sV -p 20005 192.168.1.18/24 --open
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-07 17:40 CDT
Nmap scan report for 192.168.1.18
Host is up (0.0020s latency).

PORT      STATE SERVICE VERSION
20005/tcp open  btx?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.94 seconds

Active IP up/down status

nmap -sn 192.168.1.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-07 17:44 CDT
Nmap scan report for 192.168.1.1
Host is up (0.0053s latency).
Nmap scan report for 192.168.1.10
Host is up (0.093s latency).
Nmap scan report for 192.168.1.8
Host is up (0.0037s latency).
Nmap scan report for 192.168.1.18
Host is up (0.046s latency).
Nmap scan report for 192.168.1.19
Host is up (0.081s latency).
Nmap scan report for 8018232F1L12 (192.168.1.14)
Host is up (0.0092s latency).
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.87 seconds

Brute force Passwords

https://nmap.org/nsedoc/scripts/http-wordpress-brute.html

You will need a list of usernames, and a list of passwords, but nmap can brute force for you.

nmap -sV --script http-wordpress-brute 192.168.1.1
nmap -sV --script http-wordpress-brute \
  --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.1
nmap -sV --script http-wordpress-brute --script-args 'http-wordpress-brute.uri=/wordpress/wp-login.php' 192.168.1.50

Brute Force Script

	Starting Nmap 6.25 ( http://nmap.org ) at 2013-10-30 10:15 EST
	Stats: 0:05:08 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
	NSE Timing: About 33.33% done; ETC: 10:30 (0:10:06 remaining)
	Nmap scan report for 192.168.1.50
	Host is up (0.0000050s latency).
	Not shown: 996 closed ports
	PORT     STATE SERVICE         VERSION
	80/tcp   open  http            Apache httpd 2.2.22 ((Ubuntu))
	| http-wordpress-brute: 
	|   Accounts
	|     No valid accounts found
	|   Statistics
	|_    Performed 244 guesses in 605 seconds, average tps: 0
	443/tcp  open  ssl             SSLv3
	902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
	3000/tcp open  ntop-http       Ntop web interface 4.99.3

TCP Scan

If you need to check details of a service, and you know the host and service are up, but do not want to do the ICMP ping first to verify (as this is sometimes blocked), you can just directly scan:

  • Host Discovery Bypass: The -PN option (or -Pn in newer versions) disables host discovery, treating the target as up. Use this when you know the target is up or when you want to avoid being blocked by firewalls that might drop ICMP requests.
  • Version Detection: The -sV option is useful when you need to identify the exact service and version running on the specified port.

sudo nmap -PN -p 514 -sV 192.168.1.14

If you want verbose information, operating system identification, TCP and UDP scans of the top 1000 ports:

sudo nmap -vv -O -sTUV --top-ports 1000 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-18 13:19 CDT
Nmap scan report for 192.168.1.14
Host is up (0.0025s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
514/tcp open  shell?
MAC Address: 00:26:B9:EA:EE:7F (Dell)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.79 seconds

UDP Scan

UDP scans can be harder to detect, but they are not invisible. A version intensity of 0 sends fewer probes when trying to ID the OS. T4 is a timing template that is faster than normal.

To ID and scan UDP services:

sudo nmap -sU -sV 192.168.1.1

To ID and scan a specific UDP service:

sudo nmap -p 514 -sUV --version-intensity 0 192.168.1.14
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-18 13:25 CDT
Nmap scan report for 192.168.1.14
Host is up (0.0024s latency).

PORT    STATE         SERVICE    VERSION
514/udp open|filtered tcpwrapped
MAC Address: 00:26:B9:EA:EE:7F (Dell)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds

Vulnerabilities / CVE

If you know a port is open and want to see what vulnerabilities are known for the service on it, use the vulners script. The -Pn flag skips the discovery phase, which is sometimes blocked or unresponsive; if you know the host is up, you can skip it.

nmap -Pn -sV --script=vulners 127.0.0.1 -p22
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-05 22:39 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000058s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:9.2p1: 
|     	SSV:92579	7.5	https://vulners.com/seebug/SSV:92579	*EXPLOIT*
|     	PRION:CVE-2023-38408	7.5	https://vulners.com/prion/PRION:CVE-2023-38408
|     	PRION:CVE-2023-28531	7.5	https://vulners.com/prion/PRION:CVE-2023-28531
|     	PACKETSTORM:173661	7.5	https://vulners.com/packetstorm/PACKETSTORM:173661	*EXPLOIT*
|     	F0979183-AE88-53B4-86CF-3AF0523F3807	7.5	https://vulners.com/githubexploit/F0979183-AE88-53B4-86CF-3AF0523F3807	*EXPLOIT*
|     	CVE-2023-38408	7.5	https://vulners.com/cve/CVE-2023-38408
|     	CVE-2023-28531	7.5	https://vulners.com/cve/CVE-2023-28531
|     	B8190CDB-3EB9-5631-9828-8064A1575B23	7.5	https://vulners.com/githubexploit/B8190CDB-3EB9-5631-9828-8064A1575B23	*EXPLOIT*
|     	1337DAY-ID-26576	7.5	https://vulners.com/zdt/1337DAY-ID-26576	*EXPLOIT*
|     	PRION:CVE-2023-51385	6.4	https://vulners.com/prion/PRION:CVE-2023-51385
|     	CVE-2023-51385	6.4	https://vulners.com/cve/CVE-2023-51385
|     	PRION:CVE-2023-51767	3.5	https://vulners.com/prion/PRION:CVE-2023-51767
|     	CVE-2023-51767	3.5	https://vulners.com/cve/CVE-2023-51767
|     	PRION:CVE-2023-48795	2.6	https://vulners.com/prion/PRION:CVE-2023-48795
|     	CVE-2023-48795	2.6	https://vulners.com/cve/CVE-2023-48795
|     	PRION:CVE-2023-51384	1.7	https://vulners.com/prion/PRION:CVE-2023-51384
|     	CVE-2023-51384	1.7	https://vulners.com/cve/CVE-2023-51384
|_    	PACKETSTORM:140261	0.0	https://vulners.com/packetstorm/PACKETSTORM:140261	*EXPLOIT*
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

WAF Protection Detection

nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" example.com

Firewall Evasion

On certain firewalls you can use a decoy address to obfuscate the real source of the scan.

nmap -D RND:10 192.168.1.1

Some firewalls from the 1800s might not notice if you use this scan (FIN scan).

nmap -sF 192.168.1.1

Use Custom DNS

Don’t want your scans to show up in specific DNS servers?

nmap --dns-servers <DNS_server1>,<DNS_server2> 192.168.1.1

YOLO

sudo nmap -A -p- 192.168.1.1

and detailed info gathering

nmap -sC -sV 192.168.1.1

FW Ruleset Map

nmap -sA 192.168.1.1

Determine HTTP Methods

nmap --script http-methods --script-args http-methods.url-path='/login' 192.168.1.1