Nmap Fundamentals
1. Building Nmap's source code
2. Finding online hosts
3. Listing open ports on a target
4. Fingerprinting OSes and services running on a target
5. Using NSE scripts against a target host
6. Scanning random targets on the internet
7. Collecting signatures of web servers
8. Scanning with Rainmap Lite
Getting Familiar with Nmap's Family
1. Monitoring servers remotely with Nmap and Ndiff
2. Crafting ICMP echo replies with Nping
3. Managing multiple scanning profiles with Zenmap
4. Running Lua scripts against a network connection with Ncat
5. Discovering systems with weak passwords with Ncrack
6. Using Ncat to diagnose a network client
7. Defending against Nmap service detection scans
Network Scanning
1. Discovering hosts with TCP SYN ping scans
2. Discovering hosts with TCP ACK ping scans
3. Discovering hosts with UDP ping scans
4. Discovering hosts with ICMP ping scans
5. Discovering hosts with SCTP INIT ping scans
6. Discovering hosts with IP protocol ping scans
7. Discovering hosts with ARP ping scans
8. Performing advanced ping scans
9. Discovering hosts with broadcast ping scans
10. Scanning IPv6 addresses
11. Spoofing the origin IP of a scan
12. Using port scanning for host discovery
Reconnaissance Tasks
1. Performing IP address geolocation
2. Getting information from WHOIS records
3. Obtaining traceroute geolocation information
4. Querying Shodan to obtain target information
5. Collecting valid email accounts and IP addresses from web servers
6. Discovering hostnames pointing to the same IP address
7. Discovering hostnames by brute-forcing DNS records
8. Matching services with public vulnerability advisories and picking the low-hanging fruit
Scanning Web Servers
1. Listing supported HTTP methods
2. Discovering interesting files and folders on web servers
3. Brute-forcing HTTP authentication
4. Brute-forcing web applications
5. Detecting web application firewalls
6. Detecting possible XST vulnerabilities
7. Detecting XSS vulnerabilities
8. Finding SQL injection vulnerabilities
9. Finding web applications with default credentials
10. Detecting insecure cross-domain policies
11. Detecting exposed source code control systems
12. Auditing the strength of cipher suites in SSL servers
Scanning Databases
1. Listing MySQL databases
2. Listing MySQL users
3. Listing MySQL variables
4. Brute-forcing MySQL passwords
5. Finding root accounts with an empty password in MySQL servers
6. Detecting insecure configurations in MySQL servers
7. Brute-forcing Oracle passwords
8. Brute-forcing Oracle SID names
9. Retrieving information from MS SQL servers
10. Brute-forcing MS SQL passwords
11. Dumping password hashes of MS SQL servers
12. Running commands through xp_cmdshell in MS SQL servers
13. Finding system administrator accounts with empty passwords in MS SQL servers
14. Obtaining information from MS SQL servers with NTLM enabled
15. Retrieving MongoDB server information
16. Detecting MongoDB instances with no authentication enabled
17. Listing MongoDB databases
18. Listing CouchDB databases
19. Retrieving CouchDB database statistics
20. Detecting Cassandra databases with no authentication enabled
21. Brute-forcing Redis passwords
Scanning Mail Servers
1. Detecting SMTP open relays
2. Brute-forcing SMTP passwords
3. Detecting suspicious SMTP servers
4. Enumerating SMTP usernames
5. Brute-forcing IMAP passwords
6. Retrieving the capabilities of an IMAP server
7. Brute-forcing POP3 passwords
8. Retrieving the capabilities of a POP3 server
9. Retrieving information from SMTP servers with NTLM authentication
Scanning Windows Systems
1. Obtaining system information from SMB
2. Detecting Windows clients with SMB signing disabled
3. Detecting IIS web servers that disclose Windows 8.3 names
4. Detecting Windows hosts vulnerable to MS08-067 and MS17-010
5. Retrieving the NetBIOS name and MAC address of a host
6. Enumerating user accounts of Windows targets
7. Enumerating shared folders
8. Enumerating SMB sessions
9. Finding domain controllers
10. Detecting the Shadow Brokers' DOUBLEPULSAR SMB implants
11. Listing supported SMB protocols
12. Detecting vulnerabilities using the SMB2/3 boot-time field
13. Detecting whether encryption is enforced in SMB servers
Scanning ICS/SCADA Systems
1. Finding common ports used in ICS/SCADA systems
2. Finding HMI systems
3. Enumerating Siemens SIMATIC S7 PLCs
4. Enumerating Modbus devices
5. Enumerating BACnet devices
6. Enumerating EtherNet/IP devices
7. Enumerating Niagara Fox devices
8. Enumerating ProConOS devices
9. Enumerating Omron PLC devices
10. Enumerating PCWorx devices
Scanning Mainframes
1. Listing CICS transaction IDs in IBM mainframes
2. Enumerating CICS user IDs for the CESL/CESN login screen
3. Brute-forcing z/OS JES NJE node names
4. Enumerating z/OS TSO user IDs
5. Brute-forcing z/OS TSO accounts
6. Listing VTAM application screens
Optimizing Scans
1. Skipping phases to speed up scans
2. Selecting the correct timing template
3. Adjusting timing parameters
4. Adjusting performance parameters
5. Adjusting scan groups
6. Distributing a scan among several clients using dnmap
Generating Scan Reports
1. Saving scan results in a normal format
2. Saving scan results in an XML format
3. Saving scan results to a SQLite database
4. Saving scan results in a grepable format
5. Generating a network topology graph with Zenmap
6. Generating HTML scan reports
7. Reporting vulnerability checks
8. Generating PDF reports with fop
9. Saving NSE reports in Elasticsearch
10. Visualizing Nmap scan results with IVRE
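The recipes on saving results in XML, pushing NSE reports into Elasticsearch, and (in the Nmap family chapter) monitoring servers with Ndiff all start from the same artifact: Nmap's -oX output. The Python below is an added example, not code from the cookbook or from the Nmap project. It parses a constructed -oX report for a hypothetical host 192.0.2.10 (a documentation address; the second report is the first with an extra MySQL listener) into flat per-port records, computes the Ndiff-style delta of open ports between two runs, and emits one JSON document per line for a bulk indexer. It uses only the standard library; the element names it reads (nmaprun, host, address, ports/port, state, service, script) are those of real Nmap XML, while the sample data and function names are this example's own.

```python
"""Parse Nmap XML (-oX) reports into flat port records, diff two scans the way
Ndiff would, and emit one JSON document per line for bulk loading.

Added example, not code from the cookbook or the Nmap project.
"""
from __future__ import annotations

import json
import xml.etree.ElementTree as ET
from dataclasses import asdict, dataclass, field

# Constructed sample report (hypothetical host 192.0.2.10), trimmed to the
# elements this parser reads. Port 80 carries NSE output from http-methods.
SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX before.xml 192.0.2.10" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0" conf="10"/>
<script id="http-methods" output="Supported Methods: GET HEAD POST OPTIONS TRACE"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host>
</nmaprun>"""

# Second constructed run: identical except a MySQL listener has appeared.
SCAN_AFTER = SCAN_BEFORE.replace(
    "</ports>",
    '<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>'
    '<service name="mysql" product="MySQL" version="8.0.33" conf="10"/></port></ports>',
)


@dataclass
class PortRecord:
    addr: str
    hostname: str
    proto: str
    port: int
    state: str
    service: str = ""
    product: str = ""
    version: str = ""
    scripts: dict[str, str] = field(default_factory=dict)  # NSE script id -> output


def parse_nmap_xml(xml_text: str) -> list[PortRecord]:
    """Flatten every <port> of every <host> into a PortRecord (all states kept)."""
    # ElementTree does not fetch external entities, but it is not hardened against
    # entity-expansion bombs; parse reports from untrusted sources with defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError(f"expected <nmaprun> root, got <{root.tag}>")
    records: list[PortRecord] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # explicit None check: a childless Element is falsy
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            records.append(PortRecord(
                addr=addr_el.get("addr", ""),
                hostname=hostname,
                proto=port.get("protocol", ""),
                port=int(port.get("portid", "0")),
                state=state.get("state", "unknown") if state is not None else "unknown",
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
                scripts={s.get("id", ""): s.get("output", "") for s in port.findall("script")},
            ))
    return records


def open_ports(records: list[PortRecord]) -> list[tuple[str, str, int]]:
    """(addr, proto, port) for every open port, sorted for stable comparison."""
    return sorted((r.addr, r.proto, r.port) for r in records if r.state == "open")


def diff_scans(before: list[PortRecord], after: list[PortRecord]) -> dict[str, list]:
    """Ndiff-style delta: ports that became open, and open ports that went away."""
    old, new = set(open_ports(before)), set(open_ports(after))
    return {"opened": sorted(new - old), "closed": sorted(old - new)}


def to_ndjson(records: list[PortRecord]) -> str:
    """One JSON document per line: the shape a bulk indexer (Elasticsearch _bulk,
    after its action lines are added) or a jq pipeline consumes."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in records)


if __name__ == "__main__":
    before, after = parse_nmap_xml(SCAN_BEFORE), parse_nmap_xml(SCAN_AFTER)
    print("open before:", open_ports(before))
    print("delta:", diff_scans(before, after))
    print(to_ndjson(after))
```

Run as a script it prints the open-port delta (3306/tcp newly open) and the per-port documents; point it at two real -oX files to get the same monitoring signal Ndiff gives, in a form that can be shipped to a SIEM or index.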
Writing Your Own NSE Scripts
1. Making HTTP requests to identify vulnerable Supermicro IPMI/BMC controllers
2. Sending UDP payloads using NSE sockets
3. Generating vulnerability reports in NSE scripts
4. Exploiting an SMB vulnerability
5. Writing brute-force password auditing scripts
6. Crawling web servers to detect vulnerabilities
7. Working with NSE threads, condition variables, and mutexes
8. Writing a new NSE library in Lua
9. Writing a new NSE library in C/C++
10. Getting your scripts ready for submission
Exploiting Vulnerabilities with the Nmap Scripting Engine
1. Generating vulnerability reports in NSE scripts
2. Writing brute-force password auditing scripts
3. Crawling web servers to detect vulnerabilities
4. Exploiting SMB vulnerabilities