Scan for SMB hosts

  • nmap -sS -p 139,445 target-ip/range

Run nbtscan to obtain netbios info

  • nbtscan -v target-ip

* smbmap -H ip -u anonymous
* smbmap -H ip -u anonymous -r --depth 5
* smbmap -d domain -u user -p password -H x.x.x.x
* smbmap -d domain -u user -p password -H x.x.x.x -R sharename (recursively list files in share)

* smbclient -c "recurse;ls" //x.x.x.x/SYSVOL -U domain\\user%password
* smbclient -L //ip
* smbclient \\\\IP\\ADMIN$ -U user
* get filename (at the smb: \> prompt)

* Copy Folders (commands after the first are typed at the smb: \> prompt)
smbclient '\\server\share'
mask ""
recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *


NIKTO (web)

nikto -h ip -p 80

nmap Pentest


* nmap --script-updatedb
* nmap -p 1-65535 -T4 -A -v
* nmap -p 1-65535 -sV -sS -T4 IP
* nmap -sC -sV -oA name ip
* nmap -T4 -A -sV -v3 -d -oA output --script all target


Ping scan on the local LAN

nmap -sn -n

Service scan on the alive hosts

nmap -Pn -sV -n,126 --script=smb-os-discovery.nse


less name.nmap (normal-format output written by -oA name)

  • nmap -sS    TCP SYN (half-open) scan
  • nmap -sT    full TCP connect scan
  • nmap -sU    UDP scan
  • nmap -oX output    write results in XML format
  • xsltproc portscan.xml -o portscan.html    convert the XML output to an HTML report
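The -oX output above is easier to post-process than the normal text format. As an added example (not part of the original cheat sheet), this Python script parses nmap XML into a host/port inventory and picks out hosts with a given open port, which is how a scan of 139/445 would be turned into the SMB host list used by the smbmap and smbclient commands. The XML document is a constructed sample in the shape nmap emits; parse_nmap_xml and hosts_with_open_port are this example's own names.

```python
# Added example: turn nmap -oX output into a host/port inventory.
# SAMPLE_NMAP_XML is constructed sample data, not a real scan.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 139,445 -oX scan.xml 10.0.0.0/30">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows Server 2016 (constructed)"/>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="closed"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ipv4: {"open": [(proto, port), ...], "scripts": {id: output}}}
    for every host nmap reported as up."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue
        open_ports = []
        ports = host.find("ports")
        if ports is not None:
            for port in ports.findall("port"):
                state = port.find("state")
                # only "open" counts; closed/filtered ports are dropped
                if state is not None and state.get("state") == "open":
                    open_ports.append((port.get("protocol"), int(port.get("portid"))))
        # host-level NSE results such as smb-os-discovery live under <hostscript>
        scripts = {}
        hs = host.find("hostscript")
        if hs is not None:
            for s in hs.findall("script"):
                scripts[s.get("id")] = s.get("output", "")
        inventory[addr] = {"open": open_ports, "scripts": scripts}
    return inventory


def hosts_with_open_port(inventory, port, protocol="tcp"):
    """Sorted list of addresses where protocol/port is open."""
    return sorted(addr for addr, info in inventory.items()
                  if (protocol, port) in info["open"])


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr in hosts_with_open_port(inv, 445):
        print(addr, inv[addr]["open"], inv[addr]["scripts"].get("smb-os-discovery", ""))
```

Feed it a real file with parse_nmap_xml(open("scan.xml").read()); the same inventory dict can be diffed against an asset list to spot SMB listeners that should not be there.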

Zombie Scan

  1. find a host whose IP ID counter is incremental (+1 per packet sent)
  2. nmap -O -v -n ip
  3. if the IP ID Sequence Generation line says Incremental, the host is usable as a zombie

Use Zombie to scan other host

1. nmap -Pn -sI zombieip:openport targetip -p23 -v
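The zombie test above depends on reading nmap's "IP ID Sequence Generation" classification. As an added example (not from the original cheat sheet, and not nmap's code), this Python function reproduces that classification from a list of observed IP ID values, so the same check can be run against your own hosts' traffic: a host with an Incremental counter is exactly the kind of host an idle scan can borrow, and the fix is an OS that randomizes IP IDs. The thresholds are this example's own approximation of nmap's categories, and the sample sequences are constructed.

```python
# Added example: classify an IP ID sequence the way nmap's -O output labels it.
# Thresholds approximate nmap's categories; they are not copied from nmap.
MOD = 1 << 16  # IP ID is a 16-bit field, so differences wrap modulo 65536


def _diffs(ids):
    """Successive differences, modulo 2^16, so counter wrap-around looks like +1."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]


def byte_swap16(v):
    """Swap the two bytes of a 16-bit value (hosts that emit the ID little-endian)."""
    return ((v & 0xFF) << 8) | (v >> 8)


def classify_ipid_sequence(ids):
    """Return one of: 'Unknown', 'All zeros', 'Incremental',
    'Broken little-endian incremental', 'Random positive increments', 'Randomized'."""
    if len(ids) < 3:
        return "Unknown"  # too few samples to say anything
    if all(v == 0 for v in ids):
        return "All zeros"
    d = _diffs(ids)
    # small positive steps: a lightly loaded host using a global +1 counter
    if all(1 <= x <= 10 for x in d):
        return "Incremental"
    # same counter, but the host writes the field byte-swapped
    if all(1 <= x <= 10 for x in _diffs([byte_swap16(v) for v in ids])):
        return "Broken little-endian incremental"
    # always increasing, but by unpredictable amounts
    if all(1 <= x < 20000 for x in d):
        return "Random positive increments"
    return "Randomized"


def has_predictable_ipid(ids):
    """True when the host's IP ID is a plain counter, i.e. it could serve as an
    idle-scan zombie and should be reconfigured to randomize IP IDs."""
    return classify_ipid_sequence(ids) in (
        "Incremental", "Broken little-endian incremental")


if __name__ == "__main__":
    # constructed sample sequences, not captured traffic
    for sample in ([1000, 1001, 1002, 1003], [5000, 35000, 2000, 60000, 10]):
        print(sample, classify_ipid_sequence(sample), has_predictable_ipid(sample))
```

The IP ID values themselves can be read from a packet capture of replies sent by the host; collecting them is the same probe nmap -O performs, so the function only does the interpretation step.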

ARP network discovery
sudo netdiscover -i tap0 -r
sudo nmap -PR -sn 172.16.5.*

Scan for DNS servers

sudo nmap -sT -p53
sudo nmap -sU -p53

sudo nmap -sV --script /usr/share/nmap/scripts/nmap-vulners.nse