“#nmap -A” Doesn’t Cover Everything.

In my OSCP adventures, I’ve found a number of tools wonderfully helpful in learning about target computers. In a penetration test environment, the first thing I want to know is what kind of system we’re dealing with - what its likely function is, what ports and services are open on it, what its operating system is. Most of the time, I can get a nice snapshot of the target machine using #nmap -A. On top of telling me which ports are open, that flag gives me the following: "-A: Enable OS detection, version detection, script scanning, and traceroute."

Now, why the title? Because in the OffSec lab yesterday, I came across a machine with ports 22, 80 and 3709 open. However, #nmap -A only showed me the first two. That’s because, by default, nmap scans only its top 1000 ports. Only after changing the command to # nmap -p1-32000 -A did it show me the full picture. (The 32k figure is just an arbitrary limit, but it should give you a really good idea of which ports are or aren’t open.)

Or, I could have just used onetwopunch.sh.

Lesson Learned: Make sure you’re scanning all the ports, not just the top 1000. i.e.: # nmap -p1-54321 -A
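The two-stage approach the post hints at (sweep every port first, then run -A only on what actually turned up), as an added example that is neither the author's code nor onetwopunch.sh; it parses constructed nmap grepable (-oG) output for a host like the lab machine, and the 10.11.1.5 address and service names in the sample are made up:

```shell
#!/bin/sh
# Stage 1 in the lab would be a full-range sweep written in grepable format:
#   nmap -p- -oG sweep.gnmap 10.11.1.5
# Stage 2 runs the expensive "-A" options only against the open ports found.

# Extract open TCP ports from a .gnmap file as a comma-separated list, e.g. "22,80,3709".
open_ports_from_gnmap() {
  grep '^Host:' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/ /, "", $1); print $1 }' \
    | sort -n | uniq | paste -sd, -
}

# Build the targeted follow-up command for the discovered ports ($1 target, $2 port list).
followup_cmd() {
  if [ -z "$2" ]; then
    printf 'no open TCP ports found on %s; nothing to scan with -A\n' "$1"
    return 1
  fi
  printf 'nmap -p%s -A %s\n' "$2" "$1"
}

# Constructed sample of what the stage-1 sweep writes for a host with
# 22, 80 and 3709 open (fields in -oG output are tab-separated).
SAMPLE_GNMAP=$(mktemp)
{
  printf '# Nmap scan initiated as: nmap -p- -oG sweep.gnmap 10.11.1.5\n'
  printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
  printf 'Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3709/open/tcp//unknown///\tIgnored State: closed (65532)\n'
} > "$SAMPLE_GNMAP"

PORTS=$(open_ports_from_gnmap "$SAMPLE_GNMAP")
followup_cmd 10.11.1.5 "$PORTS"     # prints: nmap -p22,80,3709 -A 10.11.1.5
rm -f "$SAMPLE_GNMAP"
```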

