
Nmap Scripting Engine – Windows Scans


Nmap Usage

Nmap needs the following information: the port number, the script name, any script arguments (optional), and the IP address of the target.

nmap -p <port> --script <script-name> --script-args <script-arguments> <target IP>

SMB OS discovery

nmap -p 139,445 --script smb-os-discovery 192.168.2.66


Using the smb-os-discovery script we can collect information about the operating system from the SMB service.

SMB signing check

nmap -p137,139,445 --script smb-security-mode 192.168.2.66


Using the smb-security-mode script we can see that message_signing is disabled.

IIS web server name disclosure

nmap -p 80 --script http-iis-short-name-brute 192.168.2.66

MS08-067 (netapi) vulnerability check

nmap -p 445 --script smb-vuln-ms08-067 192.168.2.66

Checking all smb vulnerability scripts

nmap -p 445 --script smb-vuln-* 192.168.2.66


Using a wildcard character we can call all the scripts whose names start with "smb-vuln-".
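The smb-security-mode and smb-vuln-* checks above are most useful when the results are collected and triaged across many hosts. The following is an added example (not code from the original post): it parses the XML that Nmap writes with -oX and reports hosts where SMB signing is not required or any smb-vuln-* script returned a VULNERABLE state. The embedded XML is a constructed sample that mimics Nmap's hostscript output, not real scan output.

```python
# Added example, not from the original post: parse Nmap XML output (-oX) of the
# smb-security-mode and smb-vuln-* scans above and list hosts needing remediation.
import xml.etree.ElementTree as ET

# Constructed sample mimicking Nmap's <hostscript> output; not real scan output.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><address addr="192.168.2.66" addrtype="ipv4"/><hostscript>
  <script id="smb-security-mode" output="...">
   <elem key="message_signing">disabled</elem></script>
  <script id="smb-vuln-ms08-067" output="...">
   <table key="MS08-067"><elem key="state">VULNERABLE</elem></table></script>
  <script id="smb-vuln-ms17-010" output="...">
   <table key="MS17-010"><elem key="state">NOT VULNERABLE</elem></table></script>
 </hostscript></host>
 <host><address addr="192.168.2.67" addrtype="ipv4"/><hostscript>
  <script id="smb-security-mode" output="...">
   <elem key="message_signing">required</elem></script>
 </hostscript></host>
</nmaprun>"""


def audit_smb(xml_text):
    """Return {ip: [findings]} for hosts where SMB signing is not required
    or any smb-vuln-* result table reports a VULNERABLE state."""
    findings = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        issues = []
        for script in host.findall("hostscript/script"):
            sid = script.get("id", "")
            if sid == "smb-security-mode":
                signing = script.findtext("elem[@key='message_signing']")
                if signing and signing != "required":
                    issues.append(f"message_signing={signing}; require SMB signing")
            elif sid.startswith("smb-vuln-"):
                for table in script.findall("table"):
                    # vulns library states: VULNERABLE, LIKELY VULNERABLE, NOT VULNERABLE, ERROR
                    state = table.findtext("elem[@key='state']", "")
                    if state.endswith("VULNERABLE") and not state.startswith("NOT"):
                        issues.append(f"{table.get('key')}: {state}")
        if issues:
            findings[addr.get("addr")] = issues
    return findings
```

Run a scan with `-oX out.xml`, then call `audit_smb(open("out.xml").read())`; hosts with no findings are omitted from the result.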

Netbios and MAC address lookup

nmap -sU -p137 --script nbstat 192.168.2.66


The nbstat script reveals the NetBIOS name and the MAC address.

Enumerating user accounts

nmap -p 139,445 --script smb-enum-users 192.168.2.66

Enumerating Windows shares

nmap -p 139,445 --script smb-enum-shares --script-args smbusername=vagrant,smbpassword=vagrant 192.168.2.66


Using the smb-enum-shares script with valid credentials, we can see which SMB shares are open, the directory each share points to, and our permissions on each share.

SMB login brute force

nmap -p 445 --script smb-brute --script-args userdb=unamelist.txt,passdb=testlist.txt 192.168.2.66

Finding domain controllers

nmap -p 389 -sV <target>

Detecting the Shadow Brokers DoublePulsar SMB backdoor

nmap -p 445 --script smb-double-pulsar-backdoor <target>

Resources:
https://nmap.org/nsedoc/scripts
Book: Nmap: Network Exploration and Security Auditing Cookbook ISBN 978-1-78646-745-4