“#nmap -A” Doesn’t Cover Everything.

In my OSCP adventures, I’ve found a number of tools wonderfully helpful in learning about target computers. In a penetration test environment, the first thing I want to know is what kind of system we’re dealing with: what its likely function is, what ports and services are open on it, and what its operating system is. Most of the time, I can get a nice snapshot of the target machine using #nmap -A. On top of telling me which ports are open, that flag gives me the following benefits: "-A: Enable OS detection, version detection, script scanning, and traceroute."

Now, why the title? Because in the OffSec lab yesterday, I came across a machine with ports 22, 80 and 3709 open. However, #nmap -A only showed me the first two. That’s because by default, nmap only scans the top 1000 most common ports. Only after changing the command to # nmap -p1-32000 -A did it show me the full picture. (The 32k figure is just an arbitrary limit, but it should give you a really good idea of what ports are or aren’t open.)

Or I could have just used onetwopunch.sh.

Lesson Learned: Make sure you’re scanning all the ports, not just the top 1000, e.g.: # nmap -p1-54321 -A
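As an added example (my own code, not the author's and not onetwopunch.sh itself), here is the same two-stage idea in Python: sweep every TCP port first, then run the slow -A probes only against the ports the sweep found. The grepable nmap output, the host address and the open ports below are constructed for illustration; -p- is nmap's shorthand for 1-65535, so nothing is cut off at 1000 or 32000.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed sample of nmap "grepable" (-oG) output, shaped like the lab
# host in the post would look after a full-range sweep: 22, 80, 3709 open.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -p- --open -oG - 10.11.1.5
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3709/open/tcp//////, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (65531)
# Nmap done at ...
"""

# Matches only entries nmap reported as open TCP ports, e.g. "3709/open/tcp".
PORT_RE = re.compile(r"(\d+)/open/tcp")


def open_tcp_ports(gnmap_text: str) -> List[int]:
    """Extract open TCP ports from -oG output, sorted and de-duplicated."""
    return sorted({int(m.group(1)) for m in PORT_RE.finditer(gnmap_text)})


def sweep_command(target: str) -> List[str]:
    """Stage 1: full-range TCP sweep with grepable output written to stdout."""
    return ["nmap", "-p-", "--open", "-oG", "-", target]


def detail_command(target: str, ports: List[int]) -> List[str]:
    """Stage 2: run -A (OS/version/scripts/traceroute) only on known-open ports."""
    if not ports:
        raise ValueError("no open ports to probe")
    return ["nmap", "-A", "-p", ",".join(str(p) for p in ports), target]


def two_stage_scan(target: str) -> List[str]:
    """Run both stages against a live lab target (needs nmap on PATH)."""
    sweep = subprocess.run(sweep_command(target), capture_output=True,
                           text=True, check=True)
    cmd = detail_command(target, open_tcp_ports(sweep.stdout))
    subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Offline demo on the constructed output: prints the stage-2 command.
    print(shlex.join(detail_command("10.11.1.5", open_tcp_ports(SAMPLE_GNMAP))))
```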
