# nmap

## Table of Contents

  • [Scan OpenSSH server for algorithms](#scan-openssh-server-for-algorithms)
  • [Scan ports for TLS ciphers and protocols](#scan-ports-for-tls-ciphers-and-protocols)
  • [Scan web server for accessible files and directories](#scan-web-server-for-accessible-files-and-directories)
  • [Other useful scans](#other-useful-scans)

## Scan OpenSSH server for algorithms

To see which algorithms an OpenSSH server offers, use the `ssh2-enum-algos` script (add `-n` to skip DNS resolution when you give an IP instead of a name):

```
$ nmap --script ssh2-enum-algos -sV -Pn -p <PORT> <IP/FQDN>
Nmap scan report for <FQDN> (<IP>)
Host is up (0.042s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH <VERSION> <OS VERSION> (protocol <VERSION>)
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       curve25519-sha256@libssh.org
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ssh-ed25519
|       ssh-ed25519-cert-v01@openssh.com
|   encryption_algorithms: (5)
|       chacha20-poly1305@openssh.com
|       aes256-gcm@openssh.com
|       aes128-gcm@openssh.com
|       aes256-ctr
|       aes128-ctr
|   mac_algorithms: (5)
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-512
|       hmac-sha2-256
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
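To turn that listing into a hardening check, here is an added example (not part of the original page or of nmap) that parses the `ssh2-enum-algos` text block into per-class lists and flags entries a review would normally question. The `WEAK` patterns are an assumed local policy and the sample block is a trimmed, constructed copy of the output above.

```python
import re
# Constructed sample: the ssh2-enum-algos block shown above, trimmed for the example.
SAMPLE = """\
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       curve25519-sha256@libssh.org
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (3)
|       rsa-sha2-512
|       ssh-rsa
|       ssh-ed25519
|   mac_algorithms: (2)
|       hmac-sha2-512-etm@openssh.com
|_      hmac-sha1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# Patterns a hardening review would question, per algorithm class (assumed local policy, not
# an nmap feature): SHA-1 kex, SHA-1-signed host keys, CBC/RC4/3DES ciphers, weak MACs.
WEAK = {
    "kex_algorithms": [r"sha1$"],
    "server_host_key_algorithms": [r"^ssh-rsa$", r"^ssh-dss$"],
    "encryption_algorithms": [r"cbc$", r"arcfour", r"3des"],
    "mac_algorithms": [r"md5", r"sha1", r"-96"],
}

def parse_enum_algos(text):
    """Turn the script's '|'-prefixed text output into {class: [algorithm, ...]}."""
    algos, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            current = None          # left the script output block (e.g. 'Service Info')
            continue
        body = line.lstrip("|_ ").rstrip()
        m = re.match(r"^(\w+_algorithms): \(\d+\)$", body)
        if m:
            current = m.group(1)
            algos[current] = []
        elif current and body:
            algos[current].append(body)
    return algos

def weak_algorithms(algos):
    """Return {class: [algorithm, ...]} for offered entries matching a WEAK pattern."""
    hits = {cls: [n for n in names if any(re.search(p, n) for p in WEAK.get(cls, []))]
            for cls, names in algos.items()}
    return {cls: names for cls, names in hits.items() if names}
```

Feed it the normal (`-oN`) output of the scan; `kex-strict-s-v00@openssh.com` is a capability marker rather than a key exchange method, so it is listed but never flagged.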

## Scan ports for TLS ciphers and protocols

To see which ciphers and TLS versions an application supports, use the `ssl-enum-ciphers` script:

```
$ nmap --script ssl-enum-ciphers -sV -Pn -p <PORT> <IP/FQDN>
Nmap scan report for <FQDN> (<IP>)
Host is up (0.042s latency).

PORT    STATE SERVICE  VERSION
<PORT>/tcp open  <SERVICE/PROTOCOL> <APPLICATION VERSION>
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A
|_http-server-header: Apache
```

## Scan web server for accessible files and directories

To look for commonly exposed files and directories on a web server, use the `http-enum` script:

```
$ nmap --script http-enum -sV -Pn -p <PORT> <IP/FQDN>
Nmap scan report for <FQDN> (<IP>)
Host is up (0.0021s latency).

PORT    STATE SERVICE VERSION
<PORT>/tcp open  <SERVICE/PROTOCOL> <APPLICATION VERSION>
|_http-server-header: <APPLICATION HEADER NAME>
| http-enum:
|_  /<DIR>/: Potentially interesting folder
|_  /<FILE>: Potentially interesting file
```

## Other useful scans

| Command | Description |
| --- | --- |
| `nmap --script smb-os-discovery -sV -Pn <IP/FQDN>` | Reads the operating system, computer name, domain and workgroup the host reports over SMB. |
| `nmap --script ftp-anon -sV -Pn -p <PORT> <IP/FQDN>` | Checks whether the FTP server accepts anonymous logins and, if so, lists the directory it exposes. |
| `nmap --script vulners --script-args mincvss=5.0 -sV <IP/FQDN>` | Looks up the service versions detected by `-sV` in the Vulners database and lists known vulnerabilities with CVSS 5.0 or higher on the open ports. |
| `nmap --script http-vuln-<CVE> -Pn -p <PORT> <IP/FQDN>` | Runs the check for one specific web vulnerability; script names follow the pattern `http-vuln-cve<year>-<id>`. |
| `nmap --script smb-enum-shares -Pn -p <PORT> <IP/FQDN>` | Lists the SMB shares the host exposes and the access level found for each. |