Disclaimer: Please only use these commands if you have permission to use them on the IP address of your choice.
Nmap is an easy-to-use tool for port scanning. I won't go into much detail here; rather, this is a place for me to document helpful commands and tool tips.
The most basic command is the following (replace ip with the target IP address):
sudo nmap -v ip
Relevant output:
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Three ports are open in this case.
To get more information, we add the flag -sC (script scan):
sudo nmap -sC -v ip
Relevant output:
PORT    STATE SERVICE
22/tcp  open  ssh
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp  open  http
|_http-title: 404 Not Found
443/tcp open  https
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: 400 The plain HTTP request was sent to HTTPS port
We can add the -sV (version detection) flag as well:
sudo nmap -sC -sV -v ip
Relevant output (I removed some information and replaced it with "..."):
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 ... (ECDSA)
|_  256 ... (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title: 404 Not Found
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=....de
| Subject Alternative Name: DNS:....de
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-04-10T16:12:50
| Not valid after:  2023-07-09T16:12:49
| MD5: ...
|_SHA-1: ...
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: 400 The plain HTTP request was sent to HTTPS port
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
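The output above is meant for reading, not for feeding into other tools. For building an inventory of exposed services (or diffing two scans of the same host), nmap's grepable output (-oG) is the better source, since each host lands on one tab-separated line. The following is an added example and not part of the original notes: a POSIX shell/awk script that lists every open port with its service and version string per host. The scan output it parses is constructed inline (modelled on the -sV result above; the address 192.0.2.10 and the filtered 8080 entry are made up), so it runs without nmap; in real use you would pipe `sudo nmap -sV -oG - ip` into open_services instead of sample_scan.

```shell
#!/bin/sh
# Added example (not from the original notes): list open ports with service
# and version per host from nmap's grepable output (-oG), which is line based
# and meant for awk/grep, unlike the normal output shown in the notes.

# Constructed sample standing in for:  sudo nmap -sV -oG - <ip>
# It mirrors the -sV result in the notes (ssh, http, ssl/http on nginx 1.18.0);
# the address 192.0.2.10 and the filtered 8080 entry are made up. Fields in a
# Ports: entry are port/state/proto/owner/service/rpcinfo/version/, and -oG
# writes "|" where a service or version string would contain "/" (ssl|http).
sample_scan() {
  printf '%s\n' '# Nmap 7.93 scan initiated Mon Apr 10 16:20:00 2023 as: nmap -sV -oG - 192.0.2.10'
  printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.10 ()\tPorts: %s\tIgnored State: closed (996)\n' \
    '22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0 (Ubuntu)/, 443/open/tcp//ssl|http//nginx 1.18.0 (Ubuntu)/, 8080/filtered/tcp//http-proxy///'
  printf '%s\n' '# Nmap done at Mon Apr 10 16:20:09 2023 -- 1 IP address (1 host up) scanned in 9.12 seconds'
}

# Reads -oG lines on stdin; prints "host port/proto service version" for every
# open port. Ports in other states (filtered, closed) are dropped, and an empty
# version (scan run without -sV) is shown as "-".
open_services() {
  awk -F '\t' '
    /^Host: / {
      host = $1
      sub(/^Host: /, "", host)
      sub(/ .*$/, "", host)            # drop the " (hostname)" part
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")  # one entry per port
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")      # port/state/proto/owner/service/rpc/version
          if (f[2] != "open") continue
          svc = f[5]; gsub(/\|/, "/", svc)
          ver = f[7]; if (ver == "") ver = "-"
          printf "%s %s/%s %s %s\n", host, f[1], f[3], svc, ver
        }
      }
    }'
}

sample_scan | open_services
```

The script prints three lines for the sample (22/tcp, 80/tcp and 443/tcp with their nginx/OpenSSH version strings) and drops the filtered 8080 entry. Saving such a list per scan date and diffing it is a cheap way to notice a newly exposed service or a version change on a host you are responsible for.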
Sometimes nmap reports the host as down, and the message suggests adding the -Pn flag (skip host discovery and treat the host as up):
sudo nmap -sC -sV -v -Pn ip
Brute-force SSH logins (only to be used if you have permission to do so! Replace ip with the target machine's IP address):
nmap ip -p 22 -Pn --script ssh-brute --script-args userdb=/usr/share/wordlists/metasploit/common_roots.txt,passdb=/usr/share/wordlists/nmap.lst
You can specify any username and password list. Output may look like:
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute:
|   Accounts: No valid accounts found
|_  Statistics: Performed 3834 guesses in 903 seconds, average tps: 4.3

Nmap done: 1 IP address (1 host up) scanned in 909.99 seconds