Basic Scan
nmap -n -T4 -sS -sV -sU -O --max-scan-delay 20 -p T:1-65535,U:161 -iL [IP List] -oA [scan_results]
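The -oA above also writes an XML file (scan_results.xml). This added helper (not part of the original sheet) parses that XML and tells you which of the per-service sections below apply to each live host; the embedded XML is a constructed sample, not real scan output.

```python
"""Parse nmap -oA XML output and map open ports to this sheet's follow-up sections."""
import xml.etree.ElementTree as ET

# Port -> follow-up section of this cheat sheet (assumed mapping, mirrors the headings)
FOLLOW_UP = {20: "FTP", 21: "FTP", 25: "SMTP", 139: "SMB", 445: "SMB",
             161: "SNMP", 1433: "MSSQL"}

# Constructed sample in nmap's XML layout; replace with scan_results.xml contents
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="8080"><state state="closed"/></port>
   <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
   <port protocol="udp" portid="123"><state state="open|filtered"/></port>
  </ports></host>
 <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_open_ports(xml_text):
    """Return {ip: [(proto, port, service, product/version)]} for hosts that are up.
    Only state="open" counts; closed and the ambiguous UDP open|filtered are skipped."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        entries = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            ver = "" if svc is None else " ".join(
                v for v in (svc.get("product"), svc.get("version")) if v)
            entries.append((port.get("protocol"), int(port.get("portid")), name, ver))
        result[ip] = entries
    return result

def follow_up_sections(parsed):
    """Map each host to the sections of this sheet whose scans apply to it."""
    return {ip: sorted({FOLLOW_UP[p] for _, p, _, _ in ports if p in FOLLOW_UP})
            for ip, ports in parsed.items()}

if __name__ == "__main__":
    parsed = parse_open_ports(SAMPLE_XML)
    for ip, sections in follow_up_sections(parsed).items():
        print(ip, parsed[ip], "->", sections)
```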
FTP
nmap -sV -Pn -vv -p 20,21 --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA [scan_results] [ip]
SQL
MSSQL
nmap -sV -Pn -p 1433 --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=1433,mssql.username=sa,mssql.password=sa -oN [scan_results] [IP]
SMB
nmap -p 139,445 --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse [IP] -oA [scan_results]
NullSession
enum4linux [ip] > enum4linux.txt
Share Enumeration
smbclient -L \\SERVER -I [IP] -N
- -I = IP address to connect to
- -N = no password (null session)
- -L = list shares on host
SMTP
nmap -sV -Pn -p 25 --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -oA [scan_results] [IP]
SNMP
Snmp-Check
snmp-check [IP]
Resources:
http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html