Nmap

Host Discovery

# ping sweep (no port scanning)
sudo nmap -sn 172.16.10.0/24
# extract IPs
sudo nmap -sn 172.16.10.0/24 | grep 'report' | awk '{print $NF}'

Banner Grabbing

nmap -sV --script=banner.nse -iL live_hosts | grep "|_banner\||_http-server-header"

Exclude IPs

sudo nmap -iL live_hosts -A --open --exclude 172.16.10.1

nmap-scan

Script

nmap-scan.sh

IP="${1}"

if [[ -n "${IP}" ]]; then
  # create a directory for scan results
  echo "Creating directory..."
  sudo mkdir scans && sudo chmod +777 scans
  # initial scan
  echo "Performing initial scan..."
  sudo nmap -T4 -open -p- --min-rate=10000 -oA scans/initial_port-scan "${IP}" 1>/dev/null
  # extract ports in a single comma-seperated line
  echo "Extracting ports..."
  grep -E '^[0-9]+/tcp' scans/initial_port-scan.nmap | awk '{print $1}' | grep -oE '[0-9]+' | tr "\n" "," > scans/open_ports
  # perform an aggresive scan on open ports
  echo "Performing an aggresive scan on open ports..."
  sudo nmap -T4 --min-rate=10000 -A -p "$(cat scans/open_ports)" -oA scans/aggressive_scan "${IP}" 1>/dev/null
  echo "All done! See results: less scans/aggressive_scan.nmap"
else
  # print error message
  echo "Missing IP address!"
  echo "Usage: nmap-flow <IP-ADDRESS>"
  # exit script
  exit 1
fi

Execution

nmap-flow 10.10.11.231
Creating directory...
Performing initial scan...
Extracting ports...
Performing an aggresive scan on open ports...
All done! See results: less scans/aggressive_scan.nmap

Output

$ tree
.
└── scans
    ├── aggressive_scan.gnmap
    ├── aggressive_scan.nmap
    ├── aggressive_scan.xml
    ├── initial_port-scan.gnmap
    ├── initial_port-scan.nmap
    ├── initial_port-scan.xml
    └── open_ports
    
$ cat scans/initial_port-scan.nmap
# Nmap 7.94SVN scan initiated Thu Apr  4 21:04:26 2024 as: nmap -T4 -open -p- --min-rate=10000 -oA scans/initial_port-scan 10.10.11.231
Nmap scan report for 10.10.11.231
Host is up (0.027s latency).
Not shown: 60892 closed tcp ports (reset), 4620 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49673/tcp open  unknown
49682/tcp open  unknown
49683/tcp open  unknown
49684/tcp open  unknown
49689/tcp open  unknown
49696/tcp open  unknown
49803/tcp open  unknown

# Nmap done at Thu Apr  4 21:04:35 2024 -- 1 IP address (1 host up) scanned in 9.87 seconds

$ cat scans/open_ports
53,88,135,139,445,464,593,3268,3269,5985,9389,47001,49664,49665,49666,49667,49673,49682,49683,49684,49689,49696,49803,

$ cat scans/aggressive_scan.nmap
# Nmap 7.94SVN scan initiated Thu Apr  4 21:04:36 2024 as: nmap -T4 --min-rate=10000 -A -p 53,88,135,139,445,464,593,3268,3269,5985,9389,47001,49664,49665,49666,49667,49673,49682,49683,49684,49689,49696,49803, -oA scans/aggressive_scan 10.10.11.231
Nmap scan report for 10.10.11.231
Host is up (0.029s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-05 03:04:44Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-05T03:05:43+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-05T03:05:43+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.rebound.htb
| Not valid before: 2023-08-25T22:48:10
|_Not valid after:  2024-08-24T22:48:10
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49683/tcp open  msrpc         Microsoft Windows RPC
49684/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49803/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-04-05T03:05:34
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr  4 21:05:42 2024 -- 1 IP address (1 host up) scanned in 66.42 seconds