“#nmap -A” Doesn’t Cover Everything.

In my OSCP adventures, I’ve found a number of tools wonderfully helpful in learning about target computers. In a penetration test environment, the first thing I want to know is what kind of system we’re dealing with: what its likely function is, what ports and services are open on it, and what its operating system is. Most of the time, I can get a nice snapshot of the target machine using #nmap -A. On top of telling me which ports are open, that flag gives me the following benefits: "-A: Enable OS detection, version detection, script scanning, and traceroute."

Now, why the title? Because in the OffSec lab yesterday, I came across a machine with ports 22, 80 and 3709 open. However, #nmap -A only gave me the first two. That’s because, by default, nmap scans only its list of the top 1000 ports, not every port. Only after changing the command to # nmap -p1-32000 -A did it show me the full picture. (The 32k figure is just an arbitrary limit, but it should give you a really good idea of which ports are or aren’t open.)

Or I could have just used onetwopunch.sh.

Lesson Learned: Make sure you’re scanning all the ports, not just the top 1000, e.g.: # nmap -p1-54321 -A
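To see why a default scan misses a port like 3709: nmap's default port list is the 1000 most frequently open ports, ranked by the frequency column of its nmap-services file (the same data --top-ports draws on). The script below is an added example, not part of the original post; it parses that file format, builds a top-N list, and reports which observed-open ports a default scan would never probe. The nmap-services lines in it are constructed samples in the real file's format, not the real data, so the cut-off N is scaled down to fit.

```python
"""Why a default nmap scan can miss an open port.

nmap probes only the top-N most frequently open ports by default (N=1000),
taken from the frequency column of nmap-services. Parse that format, rank
ports, and check a set of observed-open ports against the default list.
"""
import re

# CONSTRUCTED sample in nmap-services format: "<name> <port>/<proto> <frequency> [# comment]"
# (frequencies are made up for this example; the real file has thousands of lines)
SAMPLE_NMAP_SERVICES = """\
# service name, port/protocol, open-frequency, optional comment
http 80/tcp 0.484143 # World Wide Web HTTP
ssh 22/tcp 0.182286 # Secure Shell Login
https 443/tcp 0.208669
telnet 23/tcp 0.221265
unknown 3709/tcp 0.000076
ftp 21/tcp 0.197667
domain 53/udp 0.213496
msrpc 135/tcp 0.047798
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)\s+([0-9.]+)")


def parse_services(text):
    """Yield (port, proto, frequency) for each data line; skip comments and blanks."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), float(m.group(4))


def top_ports(text, n, proto="tcp"):
    """The n highest-frequency ports for proto, most frequent first (nmap's default rule)."""
    ranked = [(freq, port) for port, p, freq in parse_services(text) if p == proto]
    ranked.sort(key=lambda fp: fp[0], reverse=True)
    return [port for _, port in ranked][:n]


def missed_by_default_scan(text, observed_open, n=1000, proto="tcp"):
    """Ports in observed_open that a top-n scan would not probe at all."""
    probed = set(top_ports(text, n, proto))
    return sorted(p for p in observed_open if p not in probed)


if __name__ == "__main__":
    # The lab box from the post had 22, 80 and 3709 open; with a top-5 cut-off
    # on the sample data, 22 and 80 are probed but 3709 is silently skipped.
    print(top_ports(SAMPLE_NMAP_SERVICES, 5))                          # [80, 23, 443, 21, 22]
    print(missed_by_default_scan(SAMPLE_NMAP_SERVICES, [22, 80, 3709], n=5))  # [3709]
```

Point the same functions at the real nmap-services file with n=1000 to check any port you care about against the default list.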

