“#nmap -A” Doesn’t Cover Everything.

In my OSCP adventures, I’ve found a number of tools wonderfully helpful in learning about target computers. In a penetration test environment, the first thing I want to know is what kind of system we’re dealing with: what its likely function is, what ports and services are open on it, and what its operating system is. Most of the time, I can get a nice snapshot of the target machine using #nmap -A. On top of telling me which ports are open, that flag gives me the following: "-A: Enable OS detection, version detection, script scanning, and traceroute."

Now, why the title? Because in the OffSec lab yesterday, I came across a machine with ports 22, 80 and 3709 open. However, #nmap -A only gave me the first two. That’s because by default, nmap will only scan the first 1000 ports. Only after modifying the command to # nmap -p1-32000 -A did it show me the full picture. (The 32k figure is just an arbitrary limit, but it should give you a really good idea of what ports are or aren’t open.)

Or, I could have just used onetwopunch.sh.

Lesson Learned: Make sure you’re scanning all the ports, not just the top 1000, e.g.: #nmap -p1-54321 -A
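As an added example (this is not the author's code and not part of the original post), here is a small Python script that takes nmap's grepable output (`-oG`) from a default scan and from a full-range scan of the same host and lists the open ports the default port list never reached. The two scan outputs embedded in the script are constructed samples modelled on the post's 22/80/3709 host, not real nmap output; the parser assumes the standard `-oG` `Ports:` field layout (`port/state/proto/owner/service/rpc/version/`).

```python
import re
from typing import Dict, List, Set, Tuple

PortInfo = Tuple[int, str, str]  # (port number, protocol, service name)

# Constructed sample output in nmap's grepable (-oG) format, modelled on the
# post's host with 22, 80 and 3709 open. Not real scan data.
DEFAULT_SCAN = (
    "# Nmap default scan (top 1000 ports) -- constructed sample\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, "
    "80/open/tcp//http//nginx/\tIgnored State: closed (998)\n"
)

FULL_SCAN = (
    "# Nmap -p- scan (all 65535 ports) -- constructed sample\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, "
    "80/open/tcp//http//nginx/, 3709/open/tcp//unknown///"
    "\tIgnored State: closed (65532)\n"
)


def parse_open_ports(grepable: str) -> Dict[str, Set[PortInfo]]:
    """Return {host: {(port, proto, service), ...}} for every open port in -oG output."""
    hosts: Dict[str, Set[PortInfo]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no port data
        host_match = re.match(r"Host:\s+(\S+)", line)
        if host_match is None:
            continue
        host = host_match.group(1)
        hosts.setdefault(host, set())
        # The Ports: field runs up to the next tab-separated field (e.g. "Ignored State:").
        ports_field = re.search(r"Ports:\s+([^\t]+)", line)
        if ports_field is None:
            continue  # a "Status: Up" line has no Ports: field
        # Entries are separated by ", "; each entry is slash-separated:
        # port/state/proto/owner/service/rpc/version/
        for entry in ports_field.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue  # skip fragments (e.g. a version string containing ", ")
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                hosts[host].add((int(port), proto, service))
    return hosts


def ports_missed(default_scan: str, full_scan: str) -> Dict[str, List[PortInfo]]:
    """Open ports reported by the full-range scan but absent from the default scan, per host."""
    default_ports = parse_open_ports(default_scan)
    full_ports = parse_open_ports(full_scan)
    missed: Dict[str, List[PortInfo]] = {}
    for host, found in full_ports.items():
        gap = found - default_ports.get(host, set())
        if gap:
            missed[host] = sorted(gap)
    return missed


def format_report(missed: Dict[str, List[PortInfo]]) -> str:
    """Human-readable summary of the coverage gap between the two scans."""
    if not missed:
        return "no open ports missed by the default port list"
    lines = []
    for host, ports in missed.items():
        for port, proto, service in ports:
            lines.append(
                f"{host}: {port}/{proto} ({service or 'unknown'}) "
                "open but absent from the default scan"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(ports_missed(DEFAULT_SCAN, FULL_SCAN)))
```

To produce real inputs, run the default scan with `-oG default.gnmap` and the full scan with `-p- -oG full.gnmap` and feed the file contents to `ports_missed`. Note that nmap's default port set is its list of the 1000 most commonly used ports (from its nmap-services table), not ports 1 through 1000, so `-p-` (all 65535 ports) is the simplest way to close the gap; a range like `-p1-54321` as in the post does the same job with an arbitrary upper bound.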
