Nmap - The network security scanner

mail

How to enumerate the subdomains of a domain ?

nmap -p80,443 --script dns-brute example.com
This will try a word list on example.com and return those replying to probes
nmap -p80,443 --script dns-brute --script-args dns-brute.threads=25,dns-brute.hostlist=path/to/customSubdomainWordlist.txt example.com
Use 25 concurrent threads instead of the default (5) and use a custom wordlist.
mail

Nmap complains : route_dst_netlink: can't find interface "venet0"

Situation

When trying any nmap command, while running this on a virtual machine (don't know if this is linked or not), I just get route_dst_netlink: can't find interface "venet0".

Details

Here's what I've tried (source) :
nmap -sT target.host.IP.address
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:49 CEST
route_dst_netlink: can't find interface "venet0"
nmap -e venet0 -sT target.host.IP.address
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:49 CEST
I cannot figure out what source address to use for device venet0, does it even exist?
QUITTING!
ifconfig
venet0		Link encap:UNSPEC	HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
		inet addr:127.0.0.2	P-t-P:127.0.0.2	Bcast:0.0.0.0	Mask:255.255.255.255
		inet6 addr: 1234:abcd:12:123::1234/56 Scope:Global
		UP BROADCAST POINTOPOINT RUNNING NOARP	MTU:1500	Metric:1
		(...)
		RX bytes:275006352 (262.2 MiB)	TX bytes:2082405468 (1.9 GiB)

venet0:0	Link encap:UNSPEC	HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
		inet addr:VM.public.IP.address	P-t-P:VM.public.IP.address	Bcast:VM.public.IP.broadcastAddress	Mask:255.255.255.0
		UP BROADCAST POINTOPOINT RUNNING NOARP	MTU:1500	Metric:1
So : yes, they exist, dude !
nmap -e venet0:0 -sT target.host.IP.address
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:49 CEST
I cannot figure out what source address to use for device venet0:0, does it even exist?
QUITTING!
nmap --iflist
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:50 CEST
INTERFACES: NONE FOUND(!)
ROUTES: NONE FOUND(!)
nmap --iflist --unprivileged
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:50 CEST
INTERFACES: NONE FOUND(!)
ROUTES: NONE FOUND(!)
nmap -sT target.host.IP.address --unprivileged
Well, seems to work normally !

Solution

The --unprivileged seems to do the trick.
mail

nmap

Installed with the Debian package

nmap

Usage

Declaring targets :

target by IP by name
single host 192.168.0.1 www.example.com
multiple hosts
  • list : 192.168.0.1 192.168.0.2 192.168.0.3
  • range : 192.168.0.1-3
  • last octet of IP : 192.168.0.1,2,3
foo.tld bar.tld baz.tld
subnet
  • with IP and mask : 192.168.1.0/24
  • with wildcard : 192.168.3.*

Flags

Option Obsolete option Usage
Host discovery (1, 2)
-n / -R disable / force Reverse DNS lookup (default is "sometimes")
-Pn (1, 2) -P0 -PN Treat all hosts as online, i.e. skip host discovery
-PR ARP scan. This method is useful because upon receiving answers to ARP requests, nmap knows an online host is there and need not pinging it (which may be blocked/disabled anyway)
-sL (1) List hosts of a subnet and perform DNS resolution when possible.
This method doesn't ping / scan any host.
-sn (1, 2) -sP No port scan, i.e. discover hosts but do not run a port scan afterwards. This method :
  • is often called the "ping scan", which is inexact since this sends ICMP echo requests among other types of requests ( for full details)
  • can be used to detect the online hosts
Scan techniques
-sA TCP ACK scan
-sO (uppercase o) IP Protocol scan : report about supported IP protocols rather than listening ports
Requires root privileges
-sT TCP connect() scan, used to check for open TCP ports
TCP SYN -sS (if available) is usually a better choice
-sU UDP scan
Port specification and scan order
-p portNumber probe the portNumber port
  • ports list : -p list,of,ports
  • ports range : -p start-stop
OS detection
-O (uppercase o) Enable OS detection
Output
--open Only show open (or possibly open) ports
-v -vv increase verbosity

Example

List hosts of a LAN :

  • nmap -sL 192.168.1.* | grep -Ev '[0-9]$'
  • nmap -sn -PR 192.168.1.*
    as non-root :
    Nmap scan report for 192.168.1.1
    Host is up (0.0042s latency).
    
    
    Nmap scan report for 192.168.1.8
    Host is up (0.0089s latency).
    
    
    Nmap scan report for 192.168.1.103
    Host is up (0.000086s latency).
    
    Nmap done: 256 IP addresses (3 hosts up) scanned in 15.51 seconds
    as root :
    Nmap scan report for 192.168.1.1
    Host is up (0.0042s latency).
    MAC Address: 58:90:43:12:91:48 (Sagemcom Broadband SAS)
    
    Nmap scan report for 192.168.1.8
    Host is up (0.0064s latency).
    MAC Address: DC:A6:32:B8:03:7B (Raspberry Pi Trading)
    
    Nmap scan report for 192.168.1.103
    Host is up.
    
    Nmap done: 256 IP addresses (3 hosts up) scanned in 18.17 seconds
  • generate a report :
    nmap -sn -PR 192.168.1.* | sed -r 's/^(Nmap scan report)/\n\1/' > report.txt

List + TCP scan + OS fingerprint hosts of a LAN :

  • nmap -PR 192.168.1.0/24
  • nmap -O -v 192.168.1.0/24