-
Notifications
You must be signed in to change notification settings - Fork 23
/
Copy pathnmap_auto.ini
87 lines (66 loc) · 6 KB
/
nmap_auto.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
[host-discovery-icmp]
desc=Discover hosts by sending ICMP packets.
args=-sn -n -PE -PP -PM --reason
[host-discovery-tcp-syn]
desc=Discover hosts by sending empty TCP packets with the SYN flag set to the top 100 ports.
args=-sn -n -PS7,9,13,21-23,25-26,37,53,79,80-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543,544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080,8081,8443,8888,9100,9999,10000,32768,49152-49157 --reason
[host-discovery-udp]
desc=Discover hosts by sending UDP packets to the top 25 ports.
args=-sn -n -PU53,67,68-69,111,123,135,137-139,161-162,445,500,514,520,631,998,1434,1701,1900,4500,5353,49152,49154 --reason
[host-discovery-proto]
desc=Discover hosts by sending IP packets with a specific protocol numbers (ICMP, IGMP, IP-in-IP) set in the IP header.
args=-sn -n -PO --reason
[portscan-tcp-syn-stage1]
desc=Enumerate common web server (80/tcp, 443/tcp) and application server (1088/tcp, 1617/tcp, 5005/tcp, 7001/tcp, 7002/tcp, 8080/tcp, 8880/tcp, 9080/tcp, 16200/tcp) ports.
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p80,443,1088,1617,5005,7001,7002,8080,8880,9080,16200
[portscan-tcp-syn-stage2]
desc=Enumerate common Windows (135/tcp, 137/tcp, 139/tcp, 445/tcp) and database (1433/tcp, 1521/tcp, 3306/tcp, 5432/tcp, 5984/tcp, 6379/tcp, 27017/tcp) ports.
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p135,137,139,445,1433,1521,3306,5432,5984,6379,27017
[portscan-tcp-syn-stage3]
desc=Enumerate common remote access (22/tcp, 23/tcp, 512/tcp, 3389/tcp), file transfer (21/tcp, 111/tcp, 2049/tcp), and mail server (25/tcp, 110/tcp) ports.
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p21,22,23,25,110,111,514,2049,3389
[portscan-tcp-syn-stage4]
desc=Enumerate TCP ports up to 1024 that haven't been included in stage 1, 2, or 3.
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p80,0-20,24,26-79,81-109,112-134,136,138,140-442,444,446-513,515-1024
[portscan-tcp-syn-stage5]
desc=Enumerate TCP ports up to 5004 that haven't been included in stage 1, 2, 3, or 4.
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p80,1025-1087,1089-1432,1434-1520,1522-1616,1618-2048,2050-3305,3307-3388,3390-5004
[portscan-tcp-syn-stage6]
desc=Enumerate TCP ports up to 10050 that haven't been included in stage 1, 2, 3, 4, or 5.
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p80,5006-5431,5433-5983,5985-6378,6380-7000,7003-8079,8081-8879,8881-9079,9081-10050
[portscan-tcp-syn-stage7]
desc=Enumerate TCP ports between 10051 and 29999 (excl. 16200, 27017).
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p80,10051-16199,16201-27016,27018-29999
[portscan-tcp-syn-stage8]
desc=Enumerate TCP ports between 30000 and 65535.
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p80,30000-65535
[portscan-tcp-syn-all]
desc=Enumerate all 65535 ports.
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p-
[portscan-tcp-metasploit]
desc=Enumerate TCP ports that are applicable to metasploit modules.
args=-Pn -sS -sV -sC -T4 -n --reason --min-hostgroup=255 -p1,19,21,22,23,25,42,49,53,69,79,80,81,85,105,110,111,113,123,135,137,139,143,161,264,389,402,407,443,444,445,446,502,512,513,514,515,523,524,548,554,617,623,631,689,705,783,831,873,888,902,910,912,921,998,1000,1099,1100,1128,1158,1211,1220,1241,1434,1521,1533,1581,1582,1604,1720,1723,1755,1811,1900,2000,2001,2049,2067,2100,2103,2207,2362,2380,2381,2525,2940,2947,2967,3000,3037,3050,3057,3128,3200,3217,3299,3306,3460,3465,3500,3628,3632,3690,3780,3790,3817,4000,4322,4444,4659,4672,4679,4848,5000,5038,5040,5051,5060,5061,5093,5168,5227,5250,5405,5432,5466,5498,5554,5555,5560,5631,5632,5666,5800,5814,5900,5920,5984,6000,6050,6060,6070,6080,6101,6106,6112,6161,6379,6405,6502,6503,6504,6542,6660,6661,6667,6905,6988,7000,7001,7021,7071,7144,7181,7210,7272,7414,7426,7443,7510,7579,7580,7770,7777,7778,7787,8000,8001,8008,8014,8020,8023,8028,8030,8080,8082,8086,8087,8090,8095,8101,8161,8180,8222,8300,8400,8443,8503,8787,8800,8812,8834,8888,8899,8980,9000,9002,9080,9084,9090,9100,9200,9256,9390,9391,9495,9788,9855,9999,10000,10001,10008,10050,10051,10080,10202,10203,10616,10628,11000,11211,11234,12174,12203,12221,12345,12397,12401,13364,13500,16102,17185,18881,19810,20010,20031,20034,20101,20111,20171,20222,22222,23472,26000,26122,27000,27015,27017,27960,28784,30000,30718,31001,32764,34205,34443,37777,38080,38292,40007,41025,41080,41523,41524,44334,44818,46823,46824,49152,50000,50001,50013,52869,55553,57772,62514,65535
[portscan-udp-top50]
desc=Enumerate the top 50 UDP ports
args=-Pn -sU -sV -T4 -n --reason --min-hostgroup=255 --top-ports 50
[portscan-udp-top250]
desc=Enumerate the top 250 UDP ports
args=-Pn -sU -T4 -n --reason --min-hostgroup=255 --top-ports 250
[portscan-tcp-segregation-top250]
desc=Custom portscan to check segregation between networks
args=-Pn -sS -T4 -n --reason --min-hostgroup=1024 --top-ports 250 --traceroute
[portscan-tcp-segregation-custom]
desc=Custom portscan to check segregation between networks, needs editing prior to use
args=-Pn -sS -T4 -n --reason --min-hostgroup=255 -p1049,1051,1052,1054,1057,1059,1061,1063,1064,1067,1069,1072,1076,111,115,121,1234,135,139,1433,1600,1947,2000,2001,2002,2003,2004,21,22,2291,23,2410,2967,3389,3872,3900,3910,3911,4030,4092,427,443,445,4506,4513,4989,5000,5001,5002,5003,5004,5005,5006,5227,5800,5900,5902,5903,5904,5988,5989,6000,6001,6002,631,664,6839,7435,80,8080,81,8194,9010,9011,9100,9150,9151,9152,9220,9923
[ms-sql-empty-password]
desc=Check for MSSQL instances with empty passwords
args=-p 1433 --script ms-sql-empty-password
[smb-enum-users]
desc=Attempt user enumeration via SMB
args=-sU -sS -p U:137,T:139,T:445 --script smb-enum-users
[snmp-win32-users]
desc=Attempt user enumeration via SNMP
args=-sU -p U:161,8161 --script snmp-win32-users
[citrix-enum-apps]
desc=Attempt Citrix Application Enumeration
args=-sU -p U:1604 --script citrix-enum-apps