Nmap Usage
Nmap needs the following information: the port number, the script name, any script arguments (optional), and the IP address of the target.
nmap -p <port> --script <script name> --script-args <script arguments> <target IP>
SMB OS discovery
nmap -p 139,445 --script smb-os-discovery 192.168.2.66
Using the smb-os-discovery script we can collect information about the operating system from the SMB service.
SMB signing check
nmap -p 137,139,445 --script smb-security-mode 192.168.2.66
Using the smb-security-mode script we can see that message_signing is disabled.
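When the smb-security-mode script is run across a whole subnet, reading the output by hand does not scale. The following is an added example (not code from the original page or from the Nmap project): it parses Nmap's XML output (nmap -oX) and lists every host whose message_signing is not "required". The XML below is a constructed sample shaped like Nmap's format (script results under <hostscript><script id=...> with <elem> children); the function names and the exact elem values are assumptions, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output for three hosts scanned with
# --script smb-security-mode. Not real scan data; it mirrors the layout
# Nmap uses (hostscript/script/elem) so the parser below can be run offline.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.2.66" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-security-mode" output="sample">
        <elem key="account_used">guest</elem>
        <elem key="authentication_level">user</elem>
        <elem key="challenge_response">supported</elem>
        <elem key="message_signing">disabled (dangerous, but default)</elem>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="192.168.2.67" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-security-mode" output="sample">
        <elem key="message_signing">required</elem>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="192.168.2.69" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-security-mode" output="sample">
        <elem key="message_signing">supported</elem>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="192.168.2.70" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_smb_signing(xml_text):
    """Return {ipv4: signing mode} for every host that reported smb-security-mode.

    The mode is normalised to its first word ('disabled', 'supported', 'required')
    because Nmap appends commentary such as '(dangerous, but default)'.
    Hosts with no smb-security-mode result (port closed, no SMB) are skipped.
    """
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        script = host.find("hostscript/script[@id='smb-security-mode']")
        if script is None:
            continue
        elem = script.find("elem[@key='message_signing']")
        if elem is None or not elem.text:
            continue
        results[addr.get("addr")] = elem.text.strip().split()[0].lower()
    return results


def hosts_without_required_signing(xml_text):
    """Hosts where signing is disabled or only 'supported' (offered but not enforced)."""
    return sorted(ip for ip, mode in parse_smb_signing(xml_text).items()
                  if mode != "required")


if __name__ == "__main__":
    for ip, mode in parse_smb_signing(SAMPLE_XML).items():
        print(f"{ip}: message_signing={mode}")
    print("signing not enforced:", hosts_without_required_signing(SAMPLE_XML))
```

Note that "supported" is flagged alongside "disabled": a host that merely supports signing will still accept unsigned sessions, so the hardening target for file servers and domain members is "required" (set through the RequireSecuritySignature policy on the server side).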
IIS web server short name disclosure
nmap -p 80 --script http-iis-short-name-brute 192.168.2.66
MS08-067 (netapi) vulnerability check
nmap -p 445 --script smb-vuln-ms08-067 192.168.2.66
Checking all SMB vulnerability scripts
nmap -p 445 --script "smb-vuln-*" 192.168.2.66
Using a wildcard character we can call all the scripts whose names start with "smb-vuln-".
NetBIOS and MAC address lookup
nmap -sU -p 137 --script nbstat 192.168.2.66
The nbstat script reveals the NetBIOS name and the MAC address.
Enumerating user accounts
nmap -p 139,445 --script smb-enum-users 192.168.2.66
Enumerating Windows shares
nmap -p 139,445 --script smb-enum-shares --script-args smbusername=vagrant,smbpassword=vagrant 192.168.2.66
Using smb-enum-shares with valid credentials we can see which SMB shares are open, the directory each share points to, and our permissions on the shares.
SMB login brute force
nmap -p 445 --script smb-brute --script-args userdb=unamelist.txt,passdb=testlist.txt 192.168.2.66
Finding domain controllers
nmap -p 389 -sV <target>
Version detection on port 389 identifies the LDAP service that domain controllers expose.
Detecting the Shadow Brokers DoublePulsar SMB backdoor
nmap -p 445 --script smb-double-pulsar-backdoor <target IP>
Resources:
https://nmap.org/nsedoc/scripts
Book: Nmap: Network Exploration and Security Auditing Cookbook ISBN 978-1-78646-745-4