root@bt:~# nmap --iflist
Starting Nmap 6.25 at 2013-06-09 18:03 CEST
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
lo (lo) 127.0.0.1/8 loopback up 16436
lo (lo) ::1/128 loopback up 16436
eth0 (eth0) 192.168.1.202/24 ethernet up 1500 08:00:27:3D:AA:A8
eth0 (eth0) fe80::a00:2aff:aaad:cba8/64 ethernet up 1500 08:00:27:AA:AA:AA
**************************ROUTES**************************
DST/MASK DEV GATEWAY
192.168.1.0/24 eth0
0.0.0.0/0 eth0 192.168.1.1
::1/128 lo
fe80::000:2f7f:fa9d:c3b8/128 lo
fe80::/64 eth0
ff00::/8 eth0
Network Scan
root@bt:~# nmap 192.168.1.0/24
(A range can be given instead of a CIDR block, e.g. 192.168.1.100-255)
Starting Nmap 6.25 at 2013-06-09 16:47 CEST
Nmap scan report for Livebox (192.168.1.1)
Host is up (0.0046s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp closed msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
515/tcp open printer
MAC Address: 74:31:70:B1:43:77 (Arcadyan Technology)
Nmap scan report for 192.168.1.102
Host is up (0.017s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: 00:08:02:E1:73:11 (Hewlett-Packard Company)
Nmap done: 256 IP addresses (2 hosts up) scanned in 9.98 seconds
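A defensive use of the network scan above, as an added example that is not part of the original page: parse the normal-format report into open ports per host and list any that are missing from an expected baseline. The `EXPECTED` baseline and the function names are assumptions; the parser handles IPv4 reports only, and for automation Nmap's XML output (`-oX`) is a more stable format than this text.

```python
import re

# Sample report: abridged from the "Network Scan" output on this page.
SAMPLE_REPORT = """\
Nmap scan report for Livebox (192.168.1.1)
PORT STATE SERVICE
80/tcp open http
135/tcp closed msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
515/tcp open printer
MAC Address: 74:31:70:B1:43:77 (Arcadyan Technology)
Nmap scan report for 192.168.1.102
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: 00:08:02:E1:73:11 (Hewlett-Packard Company)
Nmap done: 256 IP addresses (2 hosts up) scanned in 9.98 seconds
"""

# Hypothetical baseline (an assumption): ports each host is expected to expose.
EXPECTED = {"192.168.1.1": {"80/tcp", "443/tcp"}, "192.168.1.102": {"3389/tcp"}}

# "Nmap scan report for NAME (IP)" or "Nmap scan report for IP" (IPv4 only).
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?$")
# Port table rows: "<port>/<proto> <state> <service> ..."
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")


def parse_open_ports(report):
    """Return {ip: {"port/proto": service}} for ports reported as open."""
    hosts, current = {}, None
    for line in map(str.strip, report.splitlines()):
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(2) == "open":
            current[m.group(1)] = m.group(3)
    return hosts


def unexpected_ports(hosts, expected):
    """Return {ip: open ports missing from the baseline}, sorted for stable output."""
    drift = {}
    for ip, ports in hosts.items():
        extra = sorted(set(ports) - expected.get(ip, set()))
        if extra:
            drift[ip] = extra
    return drift


if __name__ == "__main__":
    for ip, extra in unexpected_ports(parse_open_ports(SAMPLE_REPORT), EXPECTED).items():
        print(f"{ip}: unexpected open ports: {', '.join(extra)}")
```

A host that is absent from the baseline has every open port reported, so newly appearing devices show up as drift as well.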
Only Ping
root@bt:~# nmap -sP 192.168.1.*
Starting Nmap 6.25 at 2013-06-09 16:53 CEST
Nmap scan report for 192.168.1.102
Host is up (0.0036s latency).
MAC Address: 00:08:02:E6:7B:A1 (Hewlett-Packard Company)
Nmap scan report for 192.168.1.105
Host is up (0.23s latency).
Nmap done: 107 IP addresses (2 hosts up) scanned in 3.66 seconds
More Information About OS
root@bt:~# nmap -sS -P0 -sV -O 192.168.1.0/24
Nmap scan report for 192.168.1.102
Host is up (0.0041s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Service
MAC Address: 00:08:02:E4:7B:A1 (Hewlett-Packard Company)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
Service Info: OS: Windows
Nmap scan report for 192.168.1.202
Host is up (0.000082s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.2
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 256 IP addresses (2 hosts up) scanned in 29.77 seconds
Fast Information About Top Ports
root@bt:~# nmap --top-ports 20 192.168.1.0/24
Starting Nmap 6.25 at 2013-06-09 17:25 CEST
Nmap scan report for 192.168.1.102
Host is up (0.0081s latency).
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp closed telnet
25/tcp filtered smtp
53/tcp filtered domain
80/tcp filtered http
110/tcp filtered pop3
111/tcp filtered rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp filtered imap
443/tcp filtered https
445/tcp filtered microsoft-ds
993/tcp filtered imaps
995/tcp filtered pop3s
1723/tcp filtered pptp
3306/tcp filtered mysql
3389/tcp open ms-wbt-server
5900/tcp filtered vnc
8080/tcp filtered http-proxy
MAC Address: 00:08:02:E3:7B:B1 (Hewlett-Packard Company)
Scan Individual Port
root@bt:~# nmap -sT -p80 192.168.1.102
Starting Nmap 6.25 at 2013-06-09 17:33 CEST
Nmap scan report for 192.168.1.102
Host is up (0.0022s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: 00:08:02:E3:4A:B1 (Hewlett-Packard Company)
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Scan Network Or Host Using Fake Source IP Address (Hide Original Source Address)
root@bt:~# nmap -sS 192.168.1.1 -D 192.168.1.50,192.168.1.55
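Where 192.168.1.50 and 192.168.1.55 are the fake (decoy) source addresses passed to -D. The scanner's real address is still sent alongside the decoys, so the target's logs show all three sources.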
Starting Nmap 6.25 at 2013-06-09 17:41 CEST
Nmap scan report for Livebox (192.168.1.1)
Host is up (0.0061s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp closed msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
515/tcp open printer
MAC Address: 74:31:74:C1:2A:27 (Arcadyan Technology)
Nmap done: 1 IP address (1 host up) scanned in 4.88 seconds
Some More Information About Host Using -v
root@bt:~# nmap -v 192.168.1.102
Starting Nmap 6.25 at 2013-06-09 17:46 CEST
Initiating ARP Ping Scan at 17:46
Scanning 192.168.1.102 [1 port]
Completed ARP Ping Scan at 17:46, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:46
Completed Parallel DNS resolution of 1 host. at 17:46, 0.07s elapsed
Initiating SYN Stealth Scan at 17:46
Scanning 192.168.1.102 [1000 ports]
Discovered open port 3389/tcp on 192.168.1.102
Completed SYN Stealth Scan at 17:46, 4.78s elapsed (1000 total ports)
Nmap scan report for 192.168.1.102
Host is up (0.0026s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: 00:08:02:B3:3A:B1 (Hewlett-Packard Company)
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.00 seconds
Raw packets sent: 2002 (88.072KB) | Rcvd: 4 (160B)
Scan Network and Exclude some IP Addresses
root@bt:~# nmap -sS 192.168.1.0/24
Starting Nmap 6.25 at 2013-06-09 17:51 CEST
Nmap scan report for Livebox (192.168.1.1)
Host is up (0.0031s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp closed msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
515/tcp open printer
MAC Address: 74:31:70:C2:2F:67 (Arcadyan Technology)
Nmap scan report for 192.168.1.102
Host is up (0.0048s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: 00:08:02:A3:23:B1 (Hewlett-Packard Company)
root@bt:~# nmap -sS 192.168.1.0/24 --exclude 192.168.1.1
(Several addresses can be excluded by separating them with commas, e.g. 192.168.1.1,192.168.1.20)
Nmap scan report for 192.168.1.102
Host is up (0.0066s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: 00:08:02:EE:7D:AA (Hewlett-Packard Company)
Some More Information About Host Using -A
root@bt:~# nmap -A -T4 192.168.1.200
Starting Nmap 6.25 at 2013-06-09 20:53 CEST
Nmap scan report for 192.168.1.200
Host is up (0.013s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp closed icslap
MAC Address: 00:19:21:AA:AA:AA (Elitegroup Computer System Co.)
Device type: general purpose|media device|printer
Running (JUST GUESSING): Microsoft Windows XP|2003|2000 (94%), Sony embedded (88%), Ricoh embedded (86%), IBM AIX 6.X (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4 cpe:/h:sony:bravia_kdl-40x4500 cpe:/h:ricoh:aficio_sp_c210sf cpe:/o:ibm:aix:6
Aggressive OS guesses: Microsoft Windows XP SP3 (94%), Microsoft Windows Server 2003 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP Professional SP3 (90%), Microsoft Windows XP SP2 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows Server 2003 SP2 (90%), Microsoft Windows XP (90%), Microsoft Windows XP SP2 (firewall disabled) (88%), Sony Bravia KDL-40X4500 TV (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE
HOP RTT ADDRESS
1 13.11 ms 192.168.1.200
Nmap done: 1 IP address (1 host up) scanned in 30.42 seconds
Some More Information About Host Using Default Script
root@bt:~# nmap -sC 192.168.1.200
or
root@bt:~# nmap --script=default 192.168.1.200
Starting Nmap 6.25 at 2013-06-09 20:13 CEST
Nmap scan report for 192.168.1.200
Host is up (0.11s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp closed icslap
MAC Address: 00:19:21:44:AA:02 (Elitegroup Computer System Co.)
Host script results:
|_nbstat: NetBIOS name: SERVER, NetBIOS user: <unknown>, NetBIOS MAC: 00:19:21:44:aa:02 (Elitegroup Computer System Co.)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: server
| NetBIOS computer name: SERVER
| Workgroup: INICIOMS
|_ System time: 2013-06-09T20:13:37+02:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
Some More Information About Host Using Script
root@bt:~# nmap --script "safe or default" 192.168.1.200
Starting Nmap 6.25 at 2013-06-09 20:28 CEST
<Lines Omitted>
Pre-scan script results:
| broadcast-dhcp-discover:
| IP Offered: 192.168.1.111
| Server Identifier: 192.168.1.1
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
|_ Domain Name Server: 192.168.1.1
| broadcast-eigrp-discovery:
|_ ERROR: Couldn't get an A.S value.
| DHCP
| srv ip cli ip mask gw dns
| 192.168.1.1 192.168.1.107 255.255.255.0 192.168.1.1 192.168.1.1
| 192.168.1.106 urn:schemas-upnp-org:device:InternetGatewayDevice:1
| DHCP
| srv ip cli ip mask gw dns
| 192.168.1.1 192.168.1.107 255.255.255.0 192.168.1.1 192.168.1.1
| 192.168.1.1 192.168.1.111 255.255.255.0 192.168.1.1 192.168.1.1
| ether
| ARP Request
| sender ip sender mac target ip
| 192.168.1.1 74:31:70:C2:AA:AA 192.168.1.107
| 192.168.1.105 74:2F:68:66:AA:AA 192.168.1.1
| 192.168.1.106 94:DB:C9:03:AA:AA 192.168.1.1
| EIGRP Update
Nmap scan report for 192.168.1.200
Host is up (0.15s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp closed icslap
MAC Address: 00:19:21:AA:AA:AA (Elitegroup Computer System Co.)
|_nbstat: NetBIOS name: SERVER, NetBIOS user: <unknown>, NetBIOS MAC: 00:19:21:AA:AA:AA (Elitegroup Computer System Co.)
|_path-mtu: PMTU == 1500
| qscan:
| PORT FAMILY MEAN (us) STDDEV LOSS (%)
| 139 0 19650.90 24007.03 0.0%
| 445 0 12878.60 2893.24 0.0%
|_2869 0 12474.70 2690.24 0.0%
| smb-mbenum:
|_ ERROR: Call to Browser Service failed with status = 71
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: server
| NetBIOS computer name: SERVER
| Workgroup: INICIOMS
|_ System time: 2013-06-09T20:29:47+02:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| unusual-port:
|_ WARNING: this script depends on Nmap's service/version detection (-sV)
Post-scan script results:
| reverse-index:
| 139/tcp: 192.168.1.200
|_ 445/tcp: 192.168.1.200
Nmap done: 1 IP address (1 host up) scanned in 40.95 seconds