Vlad Styran - "Hidden" Features of the Tools We All Love

OWASP Kyiv
Sep. 11, 2017

  1. "Hidden" Features of the Tools We All Love – Vlad Styran
  2. Plan
     • Nmap stuff
       – Running modes
       – Timing
       – Reporting
       – Scaling
       – Troubleshooting
     • Other stuff (if any time left)
  3. Nmap running modes
     • Root vs User
       – sudo to -sS; don't sudo to -sT
       – sudo --unprivileged to -sT
     • Port groups
       – --top-ports, --port-ratio, -p-
     • Nmap Scripting Engine
       – default (-sC), ssl-cert, ssl-date, ssl-known-key, 'http-* and discovery and safe', 'vuln and safe' etc.
     • Stats monitoring and debug level
  4. Nmap timing
     • -T3 by default
       – paranoid|sneaky|polite|normal|aggressive|insane
     • --min-hostgroup 4 by default
     • --min-parallelism, --max-parallelism
     • --host-timeout, --script-timeout
     • --min-rate, --max-rate
  5. Nmap reporting
     • Always save all reports (-oA)
       – To have complete track and output
       – To be able to resume scans
     • XML is your friend. Seriously. I mean it.
       – https://github.com/sapran/nmap-xsl
         $ xsltproc report.xml > report.html
         $ xsltproc template.xsl report.xml
  6. Nmap reporting
     • Join XML reports
         $ head -8 results.xml-00 > results.xml
         $ cat results.xml-* | grep -v '<!DOCTYPE' | grep -v '<?xml' | grep -v '<!--' \
             | grep -v '<nmaprun' | grep -v '<scaninfo' | grep -v '<verbose' | grep -v '<debugging' \
             | grep -v '<runstats' | grep -v '</runstats>' | grep -v '</nmaprun>' >> results.xml
         $ tail -3 results.xml-00 >> results.xml
  7. Nmap scaling
     • Taras Bobalo's talk – Application Security Automation with DevOps Tools and Clouds
       https://www.youtube.com/watch?v=EYEwhwsVjJ0
     • Distributed Nmap Framework (dnmap)
       – https://sourceforge.net/p/dnmap/wiki/Home/
     • Docker – instrumentisto/nmap
  8. Nmap troubleshooting
     • 99% of the time – it 'hangs'
     • Change debug level: d = up, shift+d = down
     • Press any key for stats incl. NSE scripts
     • Restart with --resume from XML results
     • Use timing optimization
       – --script-timeout, --host-timeout
       – --min-rate, --max-retries
     • https://secwiki.org/w/FAQ_long_running
  9. CLI stuff
     • more, less, tail -f
     • openssl s_client
     • ncat
     • for u in $(cat usrl.lst); do curl -x 127.0.0.1:8080 $u > /dev/null & done
     • You name it!
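The grep chain on slide 6 keeps the first file's <runstats> line unchanged, so the hosts up/down/total counters no longer match the merged host list. As an added example (not from the slides), the same join done with the standard-library ElementTree on two constructed sample reports: the first file's header and <scaninfo> are kept, every <host> is appended, and the counters are recomputed.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports (not real scan output), shaped like the <nmaprun>
# documents nmap writes with -oA/-oX: header, <host> entries, <runstats>.
REPORT_A = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oA results 192.0.2.1" start="1505116800">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1-1000"/>
<host><status state="up" reason="syn-ack"/><address addr="192.0.2.1" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port></ports></host>
<runstats><finished time="1505116900"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

REPORT_B = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oA results 192.0.2.2-3" start="1505117000">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1-1000"/>
<host><status state="up" reason="syn-ack"/><address addr="192.0.2.2" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port></ports></host>
<host><status state="down" reason="no-response"/><address addr="192.0.2.3" addrtype="ipv4"/></host>
<runstats><finished time="1505117100"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""


def merge_nmap_xml(xml_texts):
    """Merge several <nmaprun> documents into one tree; returns the root element."""
    roots = [ET.fromstring(text) for text in xml_texts]
    merged = roots[0]                      # first file supplies nmaprun attrs + <scaninfo>
    runstats = merged.find("runstats")
    merged.remove(runstats)                # re-appended below, after the extra hosts
    for other in roots[1:]:
        for host in other.findall("host"):
            merged.append(host)
    # Recompute the up/down/total counters instead of copying the first file's.
    hosts = merged.findall("host")
    up = sum(1 for h in hosts if h.find("status").get("state") == "up")
    counts = runstats.find("hosts")
    counts.set("up", str(up))
    counts.set("down", str(len(hosts) - up))
    counts.set("total", str(len(hosts)))
    merged.append(runstats)
    return merged


def open_ports(root):
    """Map each host address to its open ports, e.g. {'192.0.2.1': [22]}."""
    result = {}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        result[addr] = [int(p.get("portid")) for p in host.iter("port")
                        if p.find("state").get("state") == "open"]
    return result
```

Write the result with `ET.ElementTree(merge_nmap_xml([...])).write("results.xml", xml_declaration=True, encoding="utf-8")`. The parser drops the DOCTYPE and stylesheet PI that nmap emits, so pass the XSL file to xsltproc explicitly (the second form on slide 5) when rendering the merged file.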