“#nmap -A” Doesn’t Cover Everything.

In my OSCP adventures, I’ve found a number of tools wonderfully helpful in learning about target computers. In a penetration test environment, the first thing I want to know is what kind of system we’re dealing with - what its likely function is, what ports and services are open on it, what its operating system is. Most of the time, I can get a nice snapshot of the target machine using #nmap -A. The flag set gives me the following benefits, on top of telling me which ports are open: "-A: Enable OS detection, version detection, script scanning, and traceroute."

Now, why the title? Because in the OffSec lab yesterday, I came across a machine with ports 22, 80 and 3709 open. However, #nmap -A only gave me the first two. That’s because by default, nmap scans only its top 1000 ports. Only after I changed the command to # nmap -p1-32000 -A did it show me the full picture. (The 32k figure is an arbitrary limit, but it should give you a really good idea of which ports are or aren’t open.)

Or, I could have just used onetwopunch.sh.

Lesson Learned: Make sure you’re scanning all the ports, not just the top 1000, i.e. #nmap -p1-54321 -A
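As an added example (not from the original post, and not onetwopunch.sh itself), here is a POSIX shell wrapper for the two-stage approach the lesson implies: sweep all 65535 TCP ports with a plain port scan first, then run -A only against the ports found open, so the slow OS/version/script work is not repeated across every port. The open_ports parser reads nmap's grepable (-oG) output; the sample line and the 10.11.1.5 address are constructed for the demonstration.

```shell
#!/bin/sh
# open_ports: read nmap grepable (-oG) output on stdin and print the ports
# whose state is exactly "open" as a comma-separated list, e.g. "22,80,3709".
# Each entry in the Ports: field has the form port/state/proto/owner/service/rpc/version/.
# "open|filtered" entries are deliberately left out; they need a separate look.
open_ports() {
    awk -F'\t' '/^Host:/ { for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) print substr($i, 8) }' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" { print $1 + 0 }' \
    | sort -n -u \
    | paste -sd, -
}

# full_scan: stage 1 sweeps every TCP port (-p-) without -A and emits grepable
# output to stdout; stage 2 runs -A only against what stage 1 found open.
full_scan() {
    target=$1
    ports=$(nmap -p- --open -oG - "$target" | open_ports)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "stage 2: nmap -p $ports -A $target" >&2
    nmap -p "$ports" -A "$target"
}

# sample_og: constructed -oG output for a host like the one in the post
# (22, 80 and 3709 open). Fields are tab-separated, as nmap writes them.
sample_og() {
    printf '# Nmap scan initiated as: nmap -p- --open -oG - 10.11.1.5\n'
    printf 'Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3709/open/tcp//unknown///\tIgnored State: closed (65532)\n'
    printf '# Nmap done -- 1 IP address (1 host up)\n'
}

# With no argument, just show the parser on the constructed sample;
# with a target argument, run the real two-stage scan against it.
if [ "$#" -gt 0 ]; then
    full_scan "$1"
else
    sample_og | open_ports
fi
```

Run as `sh twostage.sh <target>` against a host you are authorized to scan; a default `nmap -A` of the sample host would have listed only 22 and 80, while the wrapper's stage 2 command line carries all three ports.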
