Using Nmap

Nmap is a network mapping utility that is extremely useful for figuring out what is on the network you are currently looking at. The scan I initially use to see what is there is: nmap -Pn IP_ADDRESS(ES) or nmap -Pn NETWORK.

The -Pn flag skips host discovery (the ping probe) and scans the computer on the assumption that it is up. This matters when scanning Windows machines, since by default they will not return anything if you ping them, and without -Pn nmap would report them as down and skip them.

Once I have the list of machines returned by the first scan, I do a more intensive scan to get more information. That command looks like this: nmap -sV -sC -p- -oA FILE_NAME IP_ADDRESS(ES). You can also include the -Pn flag so that a failed ping does not stop nmap from scanning all the ports. Keep in mind this will take a LONG time to run, since you are scanning all 65535 ports on each machine.

-sV tells nmap to try to get version information from the service listening on each open port. -sC tells it to run its default script set against whatever it finds. -p- scans all ports on the machine, and finally -oA saves the output in all three formats (normal, grepable and XML) under the file name you specify.

This should give you more information that you can use to scan the machine with more targeted scripts, for example: nmap --script "smb-vuln*" IP_ADDRESS. That command runs every SMB vulnerability-check script installed with nmap on your machine against the target (the smb-vuln* pattern is quoted so the shell does not expand it). These scripts can tell you whether the machine appears vulnerable to specific CVEs.
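As an added example (not code from the post) of what the -oA output gives you: a small Python script that reads the XML file that -oA writes, lists each live host's ports with the -sV service strings, and picks out the hosts with port 445 open so the smb-vuln* follow-up can be limited to them. The XML embedded below is a constructed, trimmed sample, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the file that -oA FILE_NAME writes as FILE_NAME.xml,
# trimmed to the elements this script reads (a real file carries far more).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -p- -oA scan 10.10.10.0/24">
<host><status state="up"/><address addr="10.10.10.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down"/><address addr="10.10.10.6" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="10.10.10.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/>
<service name="microsoft-ds" product="Windows 7 - 10 microsoft-ds" ostype="Windows"/></port>
</ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Map each host reported 'up' to its (port, proto, state, service) tuples."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that failed discovery carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            # -sV fills product/version; without it only the name guess exists
            desc = " ".join(svc.get(k) for k in ("name", "product", "version")
                            if svc is not None and svc.get(k))
            entries.append((int(port.get("portid")), port.get("protocol"),
                            port.find("state").get("state"), desc))
        hosts[addr.get("addr")] = sorted(entries)
    return hosts


def hosts_with_open_port(hosts, portid, proto="tcp"):
    """Hosts exposing a port, e.g. 445 to narrow the smb-vuln* script scan."""
    return sorted(ip for ip, entries in hosts.items()
                  if any(p == portid and pr == proto and st == "open"
                         for p, pr, st, _ in entries))


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    for ip, entries in found.items():
        for port, proto, state, desc in entries:
            print(f"{ip} {port}/{proto} {state} {desc}")
    print("SMB exposed on:", hosts_with_open_port(found, 445))
```

To use it on a real scan, replace SAMPLE_XML with the contents of FILE_NAME.xml from your own -oA run.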

These are not the be-all and end-all of what nmap can do, but they are extremely useful on some of the machines on TryHackMe, Hack The Box, etc.

As with all other closing sentences, if you have any questions, comments or suggestions please email feedback@markschindel.com.