|
5 | 5 | ```sh |
6 | 6 | nmap --script rtsp-url-brute -p 554 <ip> |
7 | 7 | ``` |
| 8 | + |
| 9 | +## Detect Sniffers on a Network (host with NIC in promiscuous mode) |
| 10 | + |
| 11 | +```sh |
| 12 | +nmap -sV --script=sniffer-detect <target> |
| 13 | +``` |
| 14 | + |
| 15 | + |
| 16 | +## Other Common Scripts |
| 17 | + |
| 18 | +- dns-blacklist |
| 19 | + Check if host is blacklisted by DNS servers |
| 20 | + |
| 21 | +- dns-zeustracker |
| 22 | + Check if host is a part of Zeus botnet |
| 23 | + |
| 24 | +- http-config-backup |
| 25 | + Search form CMS config backups |
| 26 | + |
| 27 | +- http-wordpress-enum |
| 28 | + Enumerate WordPress plugins |
| 29 | + check-latest - check if pluigns are up to date |
| 30 | + root - base path of root installation |
| 31 | + |
| 32 | +- mysql-empty-password |
| 33 | + Check for anonymous MySQL login |
| 34 | + |
| 35 | +- mysql-users |
| 36 | + List SQL users on host |
| 37 | + |
| 38 | +- address-info |
| 39 | + Extract information about IPv6 address |
| 40 | + |
| 41 | +- krb5-enum-users |
| 42 | + Enumerate Kerberos usernames |
| 43 | + * .realm - domain name |
| 44 | + * userdb - usernames file |
| 45 | + |
| 46 | +- traceroute-geolocation |
| 47 | + Perform geolocation (requires --traceroute flag) |
| 48 | + * .kmlfile - name of the KML file to write to |
| 49 | + |
| 50 | +- fingerprint-strings |
| 51 | + Print readable banner strings from unknown services |
| 52 | + * n - number of characters to print |
| 53 | + |
| 54 | +- ftp-bounce |
| 55 | + Check if server allows bounce scanning |
| 56 | + |
| 57 | +- hddtemp-info |
| 58 | + Retrieve information from hddtemp service |
| 59 | + |
| 60 | +- ipidseq |
| 61 | + Classify host's IP ID sequence |
| 62 | + * probeport - destination port to probe |
| 63 | + |
| 64 | +- modbus-discover |
| 65 | + Enumerate SCADA slaves and get information about deFanavice and firmware |
| 66 | + * aggressive - enumerate all slaves (not only first sid) |
| 67 | + |
| 68 | +- path-mtu |
| 69 | + Check the maximum length of non-fragmented packets |
| 70 | + |
| 71 | +- qscan |
| 72 | + Probe ports to obtain round-trip time value and search forn anomalies |
| 73 | + * numclosed - max number of closed ports to probe (default: 1, negaive to disable the limit) |
| 74 | + * numopen - maximum number of opened ports to probe (default: 8) |
| 75 | + * numtrips - number of RTTs to get |
| 76 | + * delay - average delay between packets (default: 200ms) |
| 77 | + |
| 78 | +- reverse-index |
| 79 | + Show which host runs particular serice |
| 80 | + * mode - [horizontal|vertical] |
| 81 | + * names - index by service names rather than ports |
| 82 | + |
| 83 | + |
| 84 | +- smb-os-discovery |
| 85 | + Pull host info (OS, workgroup etc.) |
| 86 | + |
| 87 | +- sniffer-detect |
| 88 | + Check if target has network card in promiscous mode |
| 89 | + |
| 90 | +- targets-sniffer |
| 91 | + Sniff the network for hosts and add them to scanning queue |
| 92 | + * iface - interface used for sniffing |
| 93 | + * timeout - listening time (default: 10s) |
| 94 | + * newtargets - add found targets to scan queue |
| 95 | + |
| 96 | +- unusual-port |
| 97 | + Report deviations if service is running on uncommon port |
| 98 | + |
| 99 | +- xmlrpc-methods |
| 100 | + List available XMLRPC methods |
| 101 | + |
| 102 | +- snmp-[interfaces|netstat] |
| 103 | + Extract info from SNMP service |
| 104 | + |
| 105 | +- ldap-search |
| 106 | + Perform queries against LDAP protocol |
| 107 | + * ldap.username, ldap.password - credentials to use |
| 108 | + * ldap.qfilter - quick filter to use [all|ad_dcs|users|computers|custom] |
| 109 | + * ldap.attrib - comma-separated LDAP attributes to pull, enclosed with curly brackets |
| 110 | + Set this to ms-Mcs-AdmPwd to extract cleartext passwords from LAPS |
| 111 | + * ldap.savesearch - file prefix to save gathered data to, constructed as <prefix>_<ip>_<port>.csv |
0 commit comments