Nmap - The network security scanner

How to enumerate the subdomains of a domain ?

nmap -p80,443 --script dns-brute example.com
This will try a word list on example.com and return those replying to probes
nmap -p80,443 --script dns-brute --script-args dns-brute.threads=25,dns-brute.hostlist=path/to/customSubdomainWordlist.txt example.com
Use 25 concurrent threads instead of the default (5) and use a custom wordlist.

Nmap complains : route_dst_netlink: can't find interface "venet0"

Situation :

When trying any nmap command, while running this on a virtual machine (don't know if this is linked or not), I just get route_dst_netlink: can't find interface "venet0".

Details :

Here's what I've tried (source) :
nmap -sT target.host.IP.address
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:49 CEST
route_dst_netlink: can't find interface "venet0"
nmap -e venet0 -sT target.host.IP.address
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:49 CEST
I cannot figure out what source address to use for device venet0, does it even exist?
QUITTING!
ifconfig
venet0		Link encap:UNSPEC	HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
		inet addr:127.0.0.2	P-t-P:127.0.0.2	Bcast:0.0.0.0	Mask:255.255.255.255
		inet6 addr: 1234:abcd:12:123::1234/56 Scope:Global
		UP BROADCAST POINTOPOINT RUNNING NOARP	MTU:1500	Metric:1
		(...)
		RX bytes:275006352 (262.2 MiB)	TX bytes:2082405468 (1.9 GiB)

venet0:0	Link encap:UNSPEC	HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
		inet addr:VM.public.IP.address	P-t-P:VM.public.IP.address	Bcast:VM.public.IP.broadcastAddress	Mask:255.255.255.0
		UP BROADCAST POINTOPOINT RUNNING NOARP	MTU:1500	Metric:1
So : yes, they exist, dude !
nmap -e venet0:0 -sT target.host.IP.address
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:49 CEST
I cannot figure out what source address to use for device venet0:0, does it even exist?
QUITTING!
nmap --iflist
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:50 CEST
INTERFACES: NONE FOUND(!)
ROUTES: NONE FOUND(!)
nmap --iflist --unprivileged
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-12 08:50 CEST
INTERFACES: NONE FOUND(!)
ROUTES: NONE FOUND(!)
nmap -sT target.host.IP.address --unprivileged
Well, seems to work normally !

Solution :

The --unprivileged seems to do the trick.

nmap

Declaring targets :

target by IP by name
single host 192.168.0.1 www.example.com
multiple hosts
  • list : 192.168.0.1 192.168.0.2 192.168.0.3
  • range : 192.168.0.1-3
  • last octet of IP : 192.168.0.1,2,3
foo.tld bar.tld baz.tld
subnet
  • with IP and mask : 192.168.1.0/24
  • with wildcard : 192.168.3.*

Flags :

Option Usage
Host discovery
-n / -R disable / force Reverse DNS lookup (default is "sometimes")
-P0 -PN replaced by -Pn
-Pn Treat all hosts as online, i.e. skip host discovery
-sL List hosts of a subnet and perform DNS resolution when possible.
This method doesn't ping / scan any host.
-sn Ping scan, disable port scan
-sP replaced by -sn
Scan techniques
-sA TCP ACK scan
-sO (uppercase o) IP Protocol scan : report about supported IP protocols rather than listening ports
Requires root privileges
-sT TCP connect() scan, used to check for open TCP ports
TCP SYN -sS (if available) is usually a better choice
-sU UDP scan
Port specification and scan order
-p portNumber probe the portNumber port
  • ports list : -p list,of,ports
  • ports range : -p start-stop
OS detection
-O (uppercase o) Enable OS detection
Output
--open Only show open (or possibly open) ports
-v -vv increase verbosity

Example :

List + TCP scan + OS fingerprint hosts of a LAN :

  • nmap -PR 192.168.1.0/24
  • nmap -O -v 192.168.1.0/24