Nmap is one of the most useful and widely used tools among pentesters, network admins, and engineers alike. It is a network scanner used for host discovery, port scanning, version detection, and OS fingerprinting, and with its scripting engine it also serves as a vulnerability scanner and exploitation toolkit.

Nmap keeps a very detailed set of documentation on its website.

This is the basic Nmap syntax:

nmap <option> <flag> <value>

nmap -Pn -p 80,443 -v -oA output_file

Basic Nmap command that I use for scanning targets:

sudo nmap -Pn -A -vvv -T4 -iL targets.txt -oA scan_results

This command makes use of the following flags:

  • -Pn (This option skips the host discovery portion and treats all hosts as being online)
  • -A (This option combines multiple flags together instead of having to call them individually)
    • -O (This option performs OS fingerprinting)
    • -sV (This option performs service version detection)
    • -sC (This option performs default Nmap script scanning)
    • --traceroute (Shows the traced hop path to each host)
  • -vvv (This option increases the verbosity of the scan to its fullest; this helps show what Nmap is doing while it is running)
  • -T4 (This option increases the speed of the scan. It's not entirely stealthy, but it helps speed up the process)
  • -iL (This is the input file where I keep my hosts. It's a lot easier to update this file than it is to individually list every IP, subnet, or hostname)
  • -oA (This option writes all 3 output formats at once)
    • -oN (This option creates an Nmap output file which lists details of the scan in plaintext)
    • -oX (This option creates an Nmap output file in XML format)
    • -oG (This option creates an Nmap output file that is easily greppable)

Port states reported by Nmap:

open | Nmap is able to access the port and determine the application and service using the port. Finding open ports is the ultimate goal of Nmap.
closed | Nmap is able to access the port but there is no application listening on it.
filtered | Nmap is unable to determine the state of the port because packet filtering prevents the port from being reached.
unfiltered | Nmap is unable to access the port.
open|filtered | Nmap is unable to determine if the port is open or filtered. This results from not receiving a response.
closed|filtered | Nmap is unable to determine if the port is closed or filtered.

There are WAY TOO many options and flags to go over them all here. Probably one of the silliest questions I see is “what is the best Nmap scan script?” The answer is that each option has its purpose, and a good pentester will learn when and how to use Nmap with time and experience.

Metasploit Framework is an extremely useful free tool for vulnerability scanning and exploitation. This tool provides exploits for commonly known vulnerabilities as well as tools for testing for vulnerabilities.

Metasploit module types:

EXPLOIT | Code that is used to execute a vulnerability against a targeted host
PAYLOAD | Code that runs on the targeted host after successful exploitation
AUXILIARY | Modules that provide additional functions such as scanning, sniffing, and fuzzing
ENCODER | Used to obfuscate modules against IDS/IPS, AV, and firewalls
METERPRETER | Payload that provides an interactive shell to execute code against the targeted host

Common msfconsole commands (command | description | example):

search | Look for a specific module | search eternalblue
use | Select the module to use | use exploit/windows/smb/ms17_010_eternalblue
show | List available modules based on the defined parameter | show auxiliary, show payloads, show exploits
options | List options for a specific module | options
set / setg | Set a value for an option / set a value globally so that it remains the same even if you change modules | set RHOST, set VERBOSE true, set RPORT 8080
run | Run the selected auxiliary module | run
exploit | Run the selected exploit module | exploit
info | List the info for the selected exploit/module/auxiliary | info, info exploit/windows/smb/ms17_010_eternalblue
sessions | List available sessions | sessions

Interactive hashcat wrapper that prompts for the hash mode, hash file, rule file, and wordlist:

echo "What is the hash type?" && read -p "i.e. 1000, 2100, 5600, etc. " HASH && read -ep "File location of the hashes? " FILE && read -ep "File location of the rule? " RULE && read -ep "File location of the wordlist? " WORD && sudo hashcat -a 0 -m "$HASH" -w 3 -O "$FILE" "$WORD" -r "$RULE"

Common hashcat hash modes (-m):

1000  | NTLM
2100  | Domain Cached Credentials 2 (DCC2), MS Cache 2
5600  | NetNTLMv2
27000 | MultiBit HD (scrypt)
13100 | Kerberos 5, etype 23, TGS-REP


I start off with creating 1 or 2 different files:

  • hosts.txt – a list of networks, subnets, IP ranges etc.
  • targets.txt – A list of confirmed hosts to target (IP addresses, domains, etc.)

Broad testing is done using the hosts.txt file with the goal to find live hosts and add them to targets.txt for further testing.

Add IP Routes

Add IP routes so that multiple networks can be reached from one IP subnet. The command below lists the network interfaces, prompts for the one to use, takes the first host address of that interface's subnet as the gateway (the third line of the nmap -sL listing, i.e. it assumes the gateway is the .1 address), and adds a route for every entry in the “hosts.txt” file via that gateway.

echo "set network interface" && ip -o link show | awk -F': ' '{print $2}' && read -p ">> " IFACE && SUBNET=$(ip addr list "$IFACE" | awk '/inet.*brd/ {print $2}') && IP=$(nmap -sL "$SUBNET" | sed -n '3p' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') && while IFS= read -r LINE; do sudo ip r add "$LINE" via "$IP"; done < hosts.txt

Quick reachability check, one ping per target:

while IFS= read -r LINE; do ping -c 1 "$LINE"; done < targets.txt

Using Screen with Linux

Screen is a terminal multiplexer that allows you to start virtual terminal sessions inside a single terminal session.

This is INCREDIBLY useful for instances where you may be testing remotely and then, for whatever reason, the session is terminated or disconnected. Screen ensures that even if the host terminal session is canceled that the virtual terminal sessions continue to run. Super useful for longer scans or continual passive reconnaissance.

Check to make sure that screen is installed and if not, install it:

screen --version

sudo apt update && sudo apt install screen

I create a file with the names of the different screen sessions I want to make (it's important to add the termcapinfo line at the end of the file if you want to be able to scroll back through output in the terminal):

screen -t name1
screen -t name2
screen -t name3

termcapinfo xterm* ti@:te@

Next execute this command:

screen -d -R <session_name> -c <file/location>

  • -d (This says to detach the screen session from anywhere else it is attached)
  • -R (This says to reattach the screen session, creating it if it does not exist yet)
  • -c (This specifies the configuration file to use, i.e. the file created above)

You can get a list of screen sessions:

screen -ls

Kill screen sessions with:

pkill screen

If you have a hosts.txt file, you need to generate a list of targets to scan. This can be generated quickly using an nmap ping scan (NOTE: it is important to use sudo for ping scanning, otherwise Nmap cannot send raw ICMP/ARP probes and falls back to TCP probes):

sudo nmap -n -sn -vvv --script-args http.useragent="Mozilla 42" -iL hosts.txt -oG scan_ping.gnmap

Once the ping scan file is completed, parse through the file with the following command to look for hosts that are up. This command greps for “up” hosts, pulls the IP address, appends it to the targets.txt file, then cleans up targets.txt by sorting the IPs and removing duplicate entries (sort -o rewrites the file in place safely, whereas piping cat back into tee on the same file can truncate it before it has been read):

grep -i 'status: up' scan_ping.gnmap | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" >> targets.txt && sort -uV -o targets.txt targets.txt

While a ping scan is a good option to get started right away, some hosts may not respond to a ping. For those, we need to run nmap with the host discovery step skipped (-Pn), so that every address gets port scanned. This will take longer, so it's good to start this after the ping scan. There is no “best” way to scan with nmap. Each network is different and will respond differently to scanning. This is a good command to start off with, however it might need some tweaking.

nmap --open -Pn -n -iL hosts.txt -vvv --script-args http.useragent="Mozilla 42" -T5 -oG scan_enum.gnmap

To parse through this list and add targets to the targets.txt file, perform the following:

grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" scan_enum.gnmap >> targets.txt && sort -uV -o targets.txt targets.txt
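The grep pipelines above (and the later webhosts.txt step) pull out any IP-looking string in the greppable file. As an added example that is not part of the original notes, here is a small Python parser for nmap's -oG format that reads the Status and Ports fields directly instead: it classifies each port by the states listed earlier (open, closed, filtered, open|filtered, ...), returns the hosts that are up or that have an open port (optionally restricted to a port list such as the web ports), and sorts them the way sort -uV would. The scan output at the top is constructed for the example; the field layout (tab-separated fields, port/state/proto/owner/service/rpc/version/ entries) is nmap's gnmap format.

```python
import re
from collections import defaultdict

# Constructed sample of nmap -oG output (not from a real scan); fields are tab separated.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.12 (printer.lab)\tStatus: Down
Host: 10.0.0.7 (web01.lab)\tStatus: Up
Host: 10.0.0.7 (web01.lab)\tPorts: 8080/open|filtered/tcp//http-proxy///, 8443/closed/tcp//https-alt///
Host: 10.0.0.10 (db.lab)\tStatus: Up
Host: 10.0.0.10 (db.lab)\tPorts: 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2014/
# Nmap done -- 4 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")


def ip_key(ip):
    """Sort key giving the numeric ordering that sort -V produces for IPv4 addresses."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_gnmap(text):
    """Parse greppable output into {ip: {"hostname", "up", "ports"}}.

    Each "Host:" line carries tab-separated fields; a port entry looks like
    port/state/proto/owner/service/rpc/version/ and entries are comma separated.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." comment lines
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, hostname = match.group(1), match.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    if len(parts) < 5:
                        continue  # malformed entry: ignore it rather than crash
                    # (port, proto, state, service)
                    entry["ports"].append((int(parts[0]), parts[2], parts[1], parts[4]))
    return hosts


def up_hosts(hosts):
    """IPs whose Status field was "Up" (what the ping-scan pipeline greps for)."""
    return sorted((ip for ip, h in hosts.items() if h["up"]), key=ip_key)


def hosts_with_open_ports(hosts, ports=None):
    """IPs with at least one port in state "open"; "open|filtered" does not count.

    ports: optional set of port numbers to restrict to (e.g. the web ports).
    """
    found = set()
    for ip, h in hosts.items():
        for port, _proto, state, _service in h["ports"]:
            if state == "open" and (ports is None or port in ports):
                found.add(ip)
    return sorted(found, key=ip_key)


def ports_by_state(hosts):
    """Count port entries per Nmap port state across all hosts."""
    counts = defaultdict(int)
    for h in hosts.values():
        for _port, _proto, state, _service in h["ports"]:
            counts[state] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print("up:", up_hosts(parsed))
    print("web hosts:", hosts_with_open_ports(parsed, {80, 81, 443, 591, 8008, 8080, 8443}))
    print("states:", ports_by_state(parsed))
```

Reading the Status field rather than regex-matching IPs means an address that only appears inside a version string, or a host reported Down, never ends up in targets.txt, and the open versus open|filtered distinction from the port-state table is preserved when deciding which hosts go on to web testing.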

Run Responder to Check for LLMNR NBT-NS Poisoning

LLMNR/NBT-NS Poisoning is a very easily exploited vulnerability with a high success rate. In order to take advantage of this, you want to run this at the beginning of the test to collect as many hashes as possible and then attempt to crack them with something like hashcat.

FIRST you need to move any old Responder logs and hashes to an archived location:

read -p "What is the name of the client folder to archive to? " CLIENT && sudo mkdir -p "/usr/share/responder/logs/archive/$CLIENT" && sudo mv /usr/share/responder/logs/* "/usr/share/responder/logs/archive/$CLIENT/"

Now run Responder (the command lists the network interfaces and prompts for the one to listen on):

echo "set network interface" && ip -o link show | awk -F': ' '{print $2}' && read -p ">> " IFACE && sudo responder -I "$IFACE" -wvFP

Periodically check the Responder logs for NTLMv2 hashes and attempt to crack them with hashcat (mode 5600 for NetNTLMv2):

sudo hashcat -a 0 -m <num> -w 3 -O <file> <wordlist> -r <rule>

Responder logs are located in the following directory:

/usr/share/responder/logs/
Here is a useful way to pull usernames from the captured hash files:

echo "File string" && ls | grep txt && read -p ">> " STR && cat *$STR* | sed 's/\:\:.*/::/' | sed '/^=/d' | sed 's/\:\://' | sort -uV

Network Fingerprinting with Nmap

Enumeration scanning with Nmap is just the first step. Nmap is a great tool to run to look for services, open ports, hardware info, vulnerabilities and more.

Nmap scanning is not a “one size fits all” approach. Each network is different and will respond differently to network scanning.

sudo nmap -Pn -vvv --script-args http.useragent="Mozilla 42" -A -iL targets.txt -oA scan_quick

For a more detailed scan on every port use the following:

sudo nmap -Pn -vvv --script-args http.useragent="Mozilla 42" -A -p- -iL targets.txt -oA scan_full

Vulnerability Scanning with Nmap

NSE Script Categories:

  • auth
  • broadcast
  • brute
  • default
  • discovery
  • dos
  • exploit
  • external
  • fuzzer
  • intrusive
  • malware
  • safe
  • version
  • vuln

Vulners queries the ExploitDB every time it is performed

sudo nmap -Pn -vvv -sV --script vulners -oA scan_vulners -iL targets.txt

Vuln looks for certain specified vulnerabilities

sudo nmap -Pn -vvv -sV --script vuln -oA scan_vuln -iL targets.txt

Vulscan queries a local database on the machine that is preconfigured before the scan starts.

sudo nmap -Pn -vvv -sV --script vulscan -oA scan_vulscan -iL targets.txt

Configure the database:

cd /usr/share/nmap/scripts/
git clone
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan

Update the database:

cd vulscan/utilities/updater/
chmod +x

SSL/TLS Scanning


nmap -Pn -vvv --script-args http.useragent="Mozilla 42" --script ssl-cert,ssl-enum-ciphers -p 443,8443 -iL targets.txt -oA scan_ssl


sslscan --targets=targets.txt --verbose --xml=sslscan.xml > scan_sslscan.txt


sslyze --targets_in targets.txt > scan_sslyze.txt


Quick rule of thumb when reading the cipher output:

  • TLSv1.0 + CBC = BEAST

See SSL/TLS Vulnerabilities below for more information on exploitation.

For exploitation there are a few resources I use:

  • Metasploit (msfconsole in Kali)
  • ExploitDB (using searchsploit in Kali)
  • Looking for POC exploits on GitHub


Metasploit is by far the most popular tool used for exploiting vulnerabilities identified during a test.

Initiate Metasploit:

msfconsole

Search for an exploit:

search <name>

Use an exploit:

use <name>

You will need to set certain basic options (such as RHOST).

I also personally prefer to set VERBOSE to true. (You can also set options globally with the setg option)

set <OPTION> <name>

setg <OPTION> <name>

Then run the exploit:

exploit

Scan hosts identified in “targets.txt”

nmap -Pn -vvv -p 80,81,443,591,8008,8080,8443 --open -iL targets.txt -oA webscan

Generate the webhosts.txt file from the nmap scan

awk '/Up$/{print $2}' webscan.gnmap >> webhosts.txt && sort -uV -o webhosts.txt webhosts.txt

HTTP ENUM scan with nmap

nmap -n -p 80 --script http-enum -vvv -iL targets.txt

Run Nikto for webserver vulnerability analysis

nikto -Display V -h webhosts.txt -o nikto.txt -p 80,81,443,591,8008,8080,8443

Run WhatWeb for webserver intelligence

whatweb -i webhosts.txt -v --log-verbose=whatweb.txt --log-xml=whatweb.xml --log-json=whatweb.json

Scan webservers for WordPress installs using WhatWeb, then pull the matching IPs into wphosts.txt:

whatweb -p WordPress -v -i webhosts.txt --log-json=wp_scan.json && grep -i wordpress wp_scan.json | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" >> wphosts.txt && sort -uV -o wphosts.txt wphosts.txt


Run WPScan against each host in wphosts.txt (it prompts for the WPScan API token first):

read -p "API Token >> " TOKEN && while IFS= read -r LINE; do wpscan --verbose --user-agent "Mozilla 42" --url "$LINE" --api-token "$TOKEN" | tee -a wpscan.txt; done < wphosts.txt


LLMNR / NBT-NS Poisoning

LLMNR poisoning is an extremely successful and highly exploitable attack used for internal penetration testing. LLMNR (Link-Local Multicast Name Resolution) and its predecessor NBT-NS (NetBIOS Name Service) are both used to identify hosts when DNS fails. These services are able to identify hosts through the use of NTLM/NTLMv2 hashes. It's the NTLM hash that we are ultimately after, as these are the exploitable factor in what makes LLMNR/NBT-NS vulnerable.

(Chart: LLMNR / NBT-NS Poisoning / Spoofing Attack, from Aptive)

The chart above should be pretty easy to follow, but what basically happens is this: when a share cannot be resolved by DNS, the victim machine (making the request) broadcasts the request instead. The attacker then quickly responds, essentially volunteering to connect to the share in exchange for an NTLM hash. This hash can then either be cracked using something like Hashcat or used in a Relay Attack. The tool that is used to exploit this vulnerability is called Responder.




On November 24, 2021, a vulnerability was discovered in the Java logging library log4j. A malicious adversary could take advantage of this zero day vulnerability to perform remote code execution (RCE) on the affected server. This would allow


MITRE – CVE-2021-4104 –
MITRE – CVE-2021-44228 –
MITRE – CVE-2021-45046 –


EternalBlue NSA Exploit Becomes Commodity Hacking Tool, Spreads to Other Malware


EternalBlue is the name of a software vulnerability in Microsoft’s Windows operating systems as well as a tool developed by the NSA to exploit the discovered vulnerability. This tool was released by the Shadow Brokers as part of a series of leaks on the NSA. A number of malware families leverage the EternalBlue exploit, such as WannaCry and NotPetya.

Use Nmap to check for servers with the vulnerability:

nmap  -Pn -vv -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 -iL targets.txt -oA nmap_eternalblue

TLS / SSL Vulnerabilities

Over the past few years, attacks against the deprecated versions of TLS, including both SSL version 2 and version 3, have become more numerous and increasingly easier to accomplish. However, since successful attacks against SSL require advanced capabilities and network visibility, the risk rating is reduced, despite the availability of numerous attack methods. Current industry best practice is to disable all support for SSL version 2 and 3, as well as TLS v1.0. TRUE rates these issues as minimal and recommends Webair disable these older protocols in the near future.

Testing SSL/TLS


nmap -Pn -vvv --script ssl-cert,ssl-enum-ciphers -p 443,8443 -iL targets.txt -oA scan_ssl


sslscan --targets=targets.txt --verbose --xml=sslscan.xml > sslscan.txt


SSL Version 2, 3, or TLS v1 Enabled


The service accepts connections encrypted using SSLv2, SSLv3 or TLSv1, which reportedly suffer from several cryptographic flaws and have been deprecated for several years. This usage should be discontinued in favor of more modern secure protocols such as TLSv1.2 or TLSv1.3. No vendor patch is available for this issue.


Disable the use of older versions of SSL/TLS (SSLv2, SSLv3, and TLSv1) and instead use protocols such as TLSv1.2 and TLSv1.3.


HeartBleed (OpenSSL Memory Leak)


In April 2014, versions of OpenSSL (before v1.0.1) were discovered to contain a memory leak flaw in the software that deals with health check messages sent from a client to the affected server. A malicious adversary would be able to exploit this memory leak vulnerability by sending specially crafted packets to the host that would result in disclosure of data stored in memory. This information could be payment information, passwords, and other sensitive or personal information. The vendor released security patches on the date the vulnerability was publicly disclosed.


For HeartBleed affected locations, RTC recommends upgrading to the latest release of OpenSSL (1.1.1n or 3.0.2) and disabling all support for SSL version 2 and 3, as well as TLS v1.0 and v1.1.


There are currently 2 Metasploit modules for HeartBleed:

  • auxiliary/server/openssl_heartbeat_client_memory
  • auxiliary/scanner/ssl/openssl_heartbleed

SWEET32 (Birthday Attack)


Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of the TLS protocol supporting cipher suites which use DES, 3DES, IDEA or RC2 as the symmetric encryption cipher are affected.



3SHAKE (TLS Triple Handshake)


TLS uses handshakes to first authenticate connections being made with hosts, then negotiate and establish a shared secret (Master Secret) that both of the hosts use to encrypt and decrypt the traffic being sent. The TLS Triple Handshake attack takes advantage of a weakness in the TLS key negotiation which does not guarantee that keys used in communication will be unique. As a result, if connected to a malicious server, the attacker would be able to intercept the traffic and pass it to the legitimate server. The attacker could then force both the target and the legitimate server to use the same Master Secret.


For 3SHAKE affected locations, RTC recommends strengthening the derivation of the master secret by including the handshake hash, or by strengthening the abbreviated handshake.





MITRE – CVE-2020-1968 –
Raccoon Attack –

CRIME (Compression Ratio Info-leak Made Easy)


MITRE – CVE-2012-4929 –

POODLE (Padding Oracle On Downgraded Legacy Encryption)


SSL 3.0, and TLS implementations that are backwards compatible with SSL 3.0, using cipher-block chaining (CBC) are vulnerable to an attack that leverages weaknesses in the protocol version negotiation built into SSL/TLS to force a connection using SSL 3.0. Data can then be decrypted selectively, 1 byte at a time, which creates a long list of connections during the data transfer.


BEAST (Browser Exploit Against SSL/TLS)


Versions of TLS 1.0 and earlier are vulnerable to a security flaw found in the Oracle/Java software framework. This exploit targets Cipher Block Chaining (CBC) mode with a predictable Initialization Vector (IV). By controlling part of the data being encrypted and predicting the IV being used, the attacker is able to decrypt some of the encrypted data being transferred.


MITRE – CVE-2011-3389 –

Weak Cipher (RC4/ARC4/ARCFOUR)


RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR) is a stream cipher that was adopted by SSL in 1995 and TLS in 1999. Originally designed as a simple, lightweight and quick cipher, it has since been deprecated and multiple flaws have been discovered in it. RC4 was notably used as a workaround for the BEAST and Lucky13 attacks, though multiple vulnerabilities in RC4 were later disclosed. Since then, TLSv1.2 and TLSv1.3 have addressed the security issues of BEAST and Lucky13, and use of RC4 is highly discouraged.


RTC recommends avoiding the use of the RC4 cipher on the affected servers, which are vulnerable to the BEAST and ARCFOUR weaknesses.


MITRE – CVE-2013-2566 –
MITRE – CVE-2015-2808 –

Logjam (Diffie-Hellman Vulnerabilities)


There exists a vulnerability in the Diffie-Hellman key exchange that allows attackers to downgrade TLS connections. Using a Man-in-the-Middle attack, an attacker can modify or alter data passed between the server and the client.
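To turn the scanner output from the Testing SSL/TLS commands into the findings described in this section, here is an added Python example (my own, not from the original notes or from any of the tools named above). It parses the per-protocol cipher list in nmap's ssl-enum-ciphers output and then applies the rules stated on this page: SSLv2, SSLv3, TLSv1.0 and TLSv1.1 as deprecated protocols, 64-bit block ciphers (DES, 3DES, IDEA, RC2) for SWEET32, RC4 as a weak cipher, CBC on TLSv1.0 or earlier for BEAST (the "TLSv1.0 + CBC = BEAST" rule of thumb), and CBC on SSLv3 for POODLE. The sample block is constructed to look like nmap's output and the indentation-based layout the parser relies on is an assumption about that format; Raccoon, CRIME, 3SHAKE and Logjam need information that the cipher list alone does not carry, so they are deliberately not checked here.

```python
import re
from collections import defaultdict

# Constructed sample shaped like nmap's ssl-enum-ciphers script output (not a real scan).
SAMPLE_OUTPUT = """| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
SWEET32_CIPHERS = {"DES", "3DES", "IDEA", "RC2"}  # 64-bit block ciphers
PROTOCOL_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):$")
SUITE_RE = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+")


def parse_ssl_enum_ciphers(text):
    """Return [(protocol, suite), ...] for every suite listed under a protocol heading.

    Assumes nmap's layout: a '|   TLSv1.0:' heading line followed by one
    '|       TLS_...' line per cipher suite until the next heading.
    """
    pairs = []
    protocol = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's "|" / "|_" gutter
        heading = PROTOCOL_RE.match(line)
        if heading:
            protocol = heading.group(1)
            continue
        if protocol and SUITE_RE.match(line):
            pairs.append((protocol, line.split()[0]))
    return pairs


def classify(protocol, suite):
    """Findings that apply to one protocol/suite pair, using the rules from this section."""
    # Split the IANA (underscore) or OpenSSL (dash) suite name into its algorithm tokens.
    tokens = set(suite.replace("-", "_").split("_"))
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append("deprecated-protocol")
    if tokens & SWEET32_CIPHERS:
        findings.append("sweet32")
    if "RC4" in tokens:
        findings.append("rc4")
    if "CBC" in tokens and protocol in ("SSLv3", "TLSv1.0"):
        findings.append("beast")
    if "CBC" in tokens and protocol == "SSLv3":
        findings.append("poodle")
    return findings


def audit(pairs):
    """Group the offered (protocol, suite) pairs under each finding they trigger."""
    report = defaultdict(list)
    for protocol, suite in pairs:
        for finding in classify(protocol, suite):
            report[finding].append((protocol, suite))
    return dict(report)


if __name__ == "__main__":
    for finding, offered in sorted(audit(parse_ssl_enum_ciphers(SAMPLE_OUTPUT)).items()):
        print(finding)
        for protocol, suite in offered:
            print("   ", protocol, suite)
```

The report is keyed by finding rather than by host so that one remediation line (disable TLSv1.0 and earlier, drop the 3DES and RC4 suites) covers every suite listed under it; feeding it the output of one host at a time keeps the per-host mapping.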




Software (Outdate/EOL/Update Required)

Software updates are an important part of the software development lifecycle, in which developers identify bugs in the program and apply patch updates. This type of maintenance is critical in ensuring that the software runs as intended by the vendor and prevents catastrophic events from occurring in user environments. Applying software updates is an important part of network maintenance, and when scheduled updates are not performed, system efficiency can deteriorate over time. Additionally, when software reaches the end of its life, vendors no longer provide updates. This can be a result of a new version push or abandonment of the project entirely. When security vulnerabilities are disclosed, vendors work quickly to patch the issue and push the change. Some of these patches are done outside of the scheduled version release and occur as a critical fix to protect the software's integrity.

Apache Server

An Apache server has been identified with multiple security vulnerabilities

When software reaches the end of its life, vendors no longer provide updates for the software. Over time, the software can become incompatible with the system, or unfixed bugs can cause failures. Additionally, critical security vulnerabilities can be reported with no fixes issued by the vendor.



RTC recommends upgrading to the latest stable release of jQuery (v3.6.0) and configuring scheduled updates to the system.

jQuery – Downloads –

Microsoft IIS


RTC recommends upgrading to the latest stable release of Microsoft IIS (IIS 10 [for Server 2019, Server 2016, Windows 10], IIS 8.5 [for Server 2012 or Windows 8.5], or IIS 8 [for Server 2012]).

Microsoft – IIS Release Information –

Microsoft Server

The current instances of Microsoft Server that have been detected on the network are running outdated versions that are no longer supported by the vendor. The versions running have been identified with several vulnerabilities that affect the security of the system and the data stored on it.

RTC recommends upgrading to the latest stable release of Microsoft Windows Server (Windows Server 2022, v20H2, v1909, 2019 [v1809], or 2016 [v1607]).

Microsoft – Windows Server Release Information –

Microsoft SQL Server


RTC recommends upgrading to the latest stable release of Microsoft SQL Server (SQL Server 2019, 2017, 2016, 2014, or Azure SQL Database).

Microsoft – SQL Server Release Information –


PHP Server


RTC recommends upgrading to the latest stable release of PHP (v8.1.5, v8.0.18, or v7.4.29) and configuring scheduled updates to the system.

PHP – Downloads –

Plaintext Authentication Accepted

Encryption allows communication between a client and a server to remain secure. This happens by changing human readable plaintext into unreadable ciphertext. In order to decrypt the communication, a cipher and the proper secret is required. Hackers are able to perform man-in-the-middle (MITM) attacks in order to intercept this data. Information such as login credentials, payment information or other sensitive data is readily available to malicious adversaries. Services exist that use insecure methods of data transmission from before when data security was not a primary concern. These services should be replaced with more secure methods of communication that enforce encryption by default.


FTP (SFTP/FTPS)

RTC discovered a host running an FTP server. This plaintext protocol allows for unencrypted authentication and communication between a vulnerable client and server.

RTC recommends using encrypted methods of communication (such as SFTP, FTPS, and FTP over SSH) for accessing and transferring files, and HTTPS in the cases where FTP servers are accessed from a web interface.


Telnet (SSH)

RTC discovered a host running a telnet server. This plaintext protocol allows for unencrypted authentication and communication between a vulnerable client and server.

RTC recommends using encrypted methods of communication (such as SSH) when accessing remote hosts from a command line interface.



HTTP (HTTPS)

RTC discovered a host running an HTTP server. This plaintext protocol allows for unencrypted authentication and communication between a vulnerable client and server.

RTC recommends using encrypted methods of communication (such as HTTPS) for accessing web services and applications.