Archive for the ‘Geek Stuff’ Category

In this guide, I’ll walk you through setting up a pentesting USB drive that also works well for other IT professionals.

Fortunately, the days of carrying around a CD binder full of your various tools are long gone. With the lower prices of USB drives and their increased capacity, you can easily keep a large number of tools at your disposal.

About this Guide: This guide is intended for educational purposes only. The author of this guide is not responsible for misuse, damaged, loss, altered, files and hardware.

What You’ll Need:

  • A USB drive (The larger the better. You can occasionally find a 128 GB drive for as little as £25)
  • Internet connection (Which I am going to assume that you have if you are reading this)

First let’s head over to grab Yumi. Yumi is a multi-boot loader for USB drives and the primary tool we’ll be using. Yumi allows you to easily add and remove programs without having to wipe out your drive.

Download Yumi at:

Next, plug in your USB drive into your computer and launch Yumi

Click on the “I Agree”

Click on the down arrow and select your drive
step 2_zpspjunqz10

On the right side of the menu, we have the option of formatting the USB drive, View, ADD, or Remove distributions. I’m going to assume you have a clean USB drive.

Next, we’re going to click the drop-down arrow listed on Yumi’s “Step 2”. As we can see, there are a large number of programs listed here.

step 12_zpscby51rjc

As this is going to be my penetration testing USB toolkit, and I’m a big fan of Kali Linux, so that’s what I’m going to select first.

With Yumi, you have two options to install these programs to your drive. You can either download the ISO ahead of time, or for convenience, you can click the “open download link” option. This will obviously open the program’s download link for you, saving you time searching for it.

One we have our ISO downloaded click on the “Browse” button:

Click on ISO

Click “Open”

Click the “Create” button

“Yes”to get started

Depending on how large the ISO will determine how much time it takes. You should see a dialogue box telling you how the install is progressing.

Once your ISO is ready, click “Next”

From here, you’ll have the option to load additional ISO’s to your drive. If you decide to load additional programs, simply follow the above steps.

Another great feature about Yumi is that if you have a particular ISO that you want loaded and it’s not listed in their menu, it’s no problem! Follow the instructions as if you were going to install any other ISO, when it’s time to select your ISO scroll to the bottom of the list. The option that I normally select is “Try Unlisted ISO (via SYSLINUX).

We have all the programs we want loaded by way of Yumi. What’s next? Well, we have a pretty good toolset now, but there is always room for improvement.

Keeping with the idea of a portable toolset and keeping the entire thing free (minus the cost of your USB drive), our next stop is Portable apps

If you never have used this program or heard of it before, Portable apps, as the name implies, is a set of portable tools that can be launched from your USB drive. The great thing about this is you can take all of your favorite apps to another person’s computer without installing it to their machine.

After downloading Portable apps let’s go ahead and launch it.

The initial install is pretty straight forward, so simply click through.

When we reach the “Install Type,” we’re going to choose “Custom Install”.

The next option gives us a wide range of locations to install to.

For this guide, we’re going to choose the first option, “Portable”.

Make sure you have your USB drive selected and click “Next” and “Install” (You may need to turn your anti-virus off for this if it’s set to block autorun.)

After the program installs you will be presented with a list of software. Simply select which programs that you want to install and click “Next”.

To launch the application, open your USB drive and click on “Start”

The last program that we’re going to install is similar to Portable apps. This one is called NirLauncher. The reason I include this one (in addition to Portable apps) is that it has a number of tools that can be useful for penetration testing. It’s also free and updated frequently.

You can download the software at:

This one is far easier and faster to setup since the installer has all of the programs pre-installed. Simply download the program and unzip it to your USB drive.

To launch NirLauncher simply open your USB drive and click on “NirLauncher”

step 17_zpsnbnlrzlo

We’ve seen how to launch the other 2 programs; let’s take a look at booting our primary drive. Plug your USB drive into the computer you want to boot off of and have it boot from the USB drive. Depending on how the BIOS is configured, you may need to interrupt the boot sequence and select the drive. If your drive still does not show up or is not a option, you’ll probably need to login to the BIOS and make sure that USB boot is not disabled.

When the drive does boot, you’ll see the menu screen. Simply navigate to the program you want to run and hit the “Enter” key.

Bonus – Customizing Yumi

If you wish to create a custom image for the Yumi menu, open your USB drive and then open the “multiboot” folder. There, you’ll find a .png file called “yumi”. Edit this file however you wish. Make sure the resolution, name and extension match the original.

Yumi is a very powerful tool. We can use it to boot to our own custom OS without touching the host machine. We can use it for data recovery, forensics, password hacking, hardware scanning, etc. – all for the cost of a single USB drive.

Image result for python logo

If you are involved in vulnerability research, reverse engineering or penetration testing, I suggest to try out the Python programming language. It has a rich set of useful libraries and programs. This page lists some of them.
Most of the listed tools are written in Python, others are just Python bindings for existing C libraries, i.e. they make those libraries easily usable from Python programs.
Some of the more aggressive tools (pentest frameworks, bluetooth smashers, web application vulnerability scanners, war-dialers, etc.) are left out. This list is clearly meant to help whitehats, and for now I prefer to err on the safe side.


  • ScapyScapy3k: send, sniff and dissect and forge network packets. Usable interactively or as a library
  • pypcapPcapy and pylibpcap: several different Python bindings for libpcap
  • libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission
  • dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
  • Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
  • pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
  • Dirtbags py-pcap: read pcap files without libpcap
  • flowgrep: grep through packet payloads using regular expressions
  • Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist
  • SubBrute, fast subdomain enumeration tool
  • Mallory, extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard protocols on the fly
  • Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)
  • Spoodle: A mass subdomain + poodle vulnerability scanner
  • SMBMap: enumerate Samba share drives across an entire domain

Debugging and reverse engineering

  • Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH
  • Immunity Debugger: scriptable GUI and command line debugger
  • PyCommand for Immunity Debugger that replaces and improves on pvefindaddr
  • IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
  • PyEMU: fully scriptable IA-32 emulator, useful for malware analysis
  • pefile: read and work with Portable Executable (aka PE) files
  • pydasm: Python interface to the libdasm x86 disassembling library
  • PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine
  • uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory
  • diStorm: disassembler library for AMD64, licensed under the BSD license
  • python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python
  • vdb / vtrace: vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it
  • Androguard: reverse engineering and analysis of Android applications
  • Capstone: lightweight multi-platform, multi-architecture disassembly framework with Python bindings
  • Keystone: lightweight multi-platform, multi-architecture assembler framework with Python bindings
  • PyBFD: Python interface to the GNU Binary File Descriptor (BFD) library
  • CHIPSEC: framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components.


  • afl-python: enables American fuzzy lop fork server and instrumentation for pure-Python code
  • Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
  • Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)
  • antiparser: fuzz testing and fault injection API
  • TAOF, (The Art of Fuzzing) including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer
  • untidy: general purpose XML fuzzer
  • Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
  • Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
  • Fuzzbox: multi-codec media fuzzer
  • Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
  • Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
  • WSBang: perform automated security testing of SOAP based web services
  • Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
  • (feliam): simple fuzzer by Felipe Andres Manzano
  • Fusil: Python library used to write fuzzing programs


  • Requests: elegant and simple HTTP library, built for human beings
  • HTTPie: human-friendly cURL-like command line HTTP client
  • ProxMon: processes proxy logs and reports discovered issues
  • WSMap: find web service endpoints and discovery files
  • Twill: browse the Web from a command-line interface. Supports automated Web testing
  • webkit web client written in Python
  • Windmill: web testing tool designed to let you painlessly automate and debug your web application
  • FunkLoad: functional and load web tester
  • spynner: Programmatic web browsing module for Python with Javascript/AJAX support
  • python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript engine; allows for the evaluation and calling of Javascript scripts and functions
  • mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
  • pathod / pathoc: pathological daemon/client for tormenting HTTP clients and servers


  • Volatility: extract digital artifacts from volatile memory (RAM) samples
  • Rekall: memory analysis framework developed by Google
  • LibForensics: library for developing digital forensics applications
  • TrIDLib, identify file types from their binary signatures. Now includes Python binding
  • aft: Android forensic toolkit

Malware analysis

  • pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
  • Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
  • pyClamAV: add virus detection capabilities to your Python software
  • jsunpack-n, generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities
  • yara-python: identify and classify malware samples
  • phoneyc: pure Python honeyclient implementation
  • CapTipper: analyse, explore and revive HTTP malicious traffic from PCAP file


  • peepdf: Python tool to analyse and explore PDF files to find out if they can be harmful
  • Didier Stevens’ PDF tools: analyse, identify and create PDF files (includes PDFiDpdf-parser and make-pdf and mPDF)
  • Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.
  • Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
  • pyPDF2: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt…
  • PDFMiner: extract text from PDF files
  • python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support


  • InlineEgg: toolbox of classes for writing small assembly programs in Python
  • Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
  • RevHosts: enumerate virtual hosts for a given IP address
  • simplejson: JSON encoder/decoder, e.g. to use Google’s AJAX API
  • PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • Hachoir: view and edit a binary stream field by field
  • py-mangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • execute Powershell commands quickly and easily via WMI
  • Pentestly: Python and Powershell internal penetration testing framework

Other useful libraries and tools

  • IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system
  • Beautiful Soup: HTML parser optimized for screen-scraping
  • matplotlib: make 2D plots of arrays
  • Mayavi: 3D scientific data visualization and plotting
  • RTGraph3D: create dynamic graphs in 3D
  • Twisted: event-driven networking engine
  • Suds: lightweight SOAP client for consuming Web Services
  • M2Crypto: most complete OpenSSL wrapper
  • NetworkX: graph library (edges, nodes)
  • Pandas: library providing high-performance, easy-to-use data structures and data analysis tools
  • pyparsing: general parsing module
  • lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language
  • Whoosh: fast, featureful full-text indexing and searching library implemented in pure Python
  • Pexpect: control and automate other programs, similar to Don Libes `Expect` system
  • Sikuli, visual technology to search and automate GUIs using screenshots. Scriptable in Jython
  • PyQt and PySide: Python bindings for the Qt application framework and GUI library



Cyborg Linux, based on ubuntu, was developed by Team Cyborg, led by Vaibhav Singh and Shahnawaz Alam from Ztrela Knowledge Solutions. Cyborg Hawk has more than 700 tools, the most complete tool, can be used for network security and auditing and digital forensics, but also for mobile security and wireless network security testing. Cyborg Hawk’s interface is also quite beautiful, and is considered to be the most advanced, powerful and beautiful penetration test release ever.


  • More than 750+ penetration testing tools included.
  • Cyborg Hawk is totally Free and always will be.
  • Can be used as live OS with full capability.
  • Exploitation Toolkit, Stress Testing, Reverse Engineering, Forensics, Mobile Security & Wireless Security.
  • Full virtual machine support in version v1.1.
  • Now comes with its own repository.
  • Reliable and stable.
  • Various Wireless devices support.
  • Well sorted menu, everything organised in a logical manner.
  • The kernel is patched from injection.

Tool Categories

The 750 or so tools are grouped roughly in the menu in the following categories:

  • Information Gathering
  • Vulnerability Assessment
  • Exploitation
  • Privilege Escalation
  • Maintaining Access
  • Documentation & Reporting
  • Reverse Engineering
  • Stress Testing
  • Forensics
  • Wireless Security
  • Hardware Hacking
  • VoIP Analysis
  • Mobile Security
  • Malware Analysis

Download Cyborg 

Documentation Cyborg LINUX

Cyborg tutorials



What is patator?
It is a universal tool brute force, having on board a decent number of modules and the ability to fairly flexible settings. Patator is, as usual, a python script, management is made from cli.

Currently it supports the following modules:

* ftp_login : Brute-force FTP
* ssh_login : Brute-force SSH
* telnet_login : Brute-force Telnet
* smtp_login : Brute-force SMTP
* smtp_vrfy : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup : Enumerate valid users using Finger
* http_fuzz : Brute-force HTTP/HTTPS
* ajp_fuzz : Brute-force AJP
* pop_login : Brute-force POP
* pop_passd : Brute-force poppassd (not POP3)
* imap_login : Brute-force IMAP
* ldap_login : Brute-force LDAP
* smb_login : Brute-force SMB
* smb_lookupsid : Brute-force SMB SID-lookup
* rlogin_login : Brute-force rlogin
* vmauthd_login : Brute-force VMware Authentication Daemon
* mssql_login : Brute-force MSSQL
* oracle_login : Brute-force Oracle
* mysql_login : Brute-force MySQL
* mysql_query : Brute-force MySQL queries
* rdp_login : Brute-force RDP (NLA)
* pgsql_login : Brute-force PostgreSQL
* vnc_login : Brute-force VNC
* dns_forward : Brute-force DNS
* dns_reverse : Brute-force DNS (reverse lookup subnets)
* ike_enum : Enumerate IKE transforms
* snmp_login : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass : Brute-force the password of encrypted ZIP files
* keystore_pass : Brute-force the password of Java keystore files
* umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes


root@ddos:~/Desktop# git clone

root@ddos:~/Desktop# cd patator/

root@ddos:~/Desktop/patator# python

tv crime2

Recently I was asked how to deny navigation and download capabilities of a compromised machines on the local network.  Well this script by codepr performs an ARP poison attack and sending reset TCP packets to every request made to the router.


$ git clone
$ cd creak
$ python install

or simply clone the repository and run the after all requirements are installed:

$ git clone

It is required to have installed pcap libraries for raw packet manipulations and dpkt module, for dns spoofing options is required to have installed dnet module from libdnet package, do not confuse it with pydnet (network evaluation tool) module. It can use also scapy if desired, can just be set in the file.


Usage: [options] dev

  -h, --help           show this help message and exit
  -1, --sessions-scan  Sessions scan mode
  -2, --dns-spoof      Dns spoofing
  -x, --spoof          Spoof mode, generate a fake MAC address to be used
                       during attack
  -m MACADDR           Mac address octet prefix (could be an entire MAC
                       address in the form AA:BB:CC:DD:EE:FF)
  -M MANUFACTURER      Manufacturer of the wireless device, for retrieving a
                       manufactur based prefix for MAC spoof
  -s SOURCE            Source ip address (e.g. a class C address like
              usually the router address
  -t TARGET            Target ip address (e.g. a class C address like
  -p PORT              Target port to shutdown
  -a HOST              Target host that will be redirect while navigating on
                       target machine
  -r REDIR             Target redirection that will be fetched instead of host
                       on the target machine
  -v, --verbose        Verbose output mode
  -d, --dotted         Dotted output mode


Most basic usage: Deny all traffic to the target host

$ python -t wlan0

Set a different gateway:

$ python -s -t wlan0

Set a different mac address for the device:

$ python -m 00:11:22:33:44:55 -t wlan0

Spoof mac address generating a fake one:

$ python -x -t wlan0

Spoof mac address generating one based on manufacturer(e.g Xeros):

$ python -x -M xeros -t wlan0

DNS spoofing using a fake MAC address, redirecting ab.xy to cd.xz(e.g. localhost):

$ python -x -M xeros -t -a www.ab.xy -r wlan0



Nmap is a powerful network scanner used to identify systems and services. nmap was originally developed with network security in mind, it is a tool that was designed to find vulnerabilities within a network. nmap is more than just a simple port scanner though, you can use nmap to find specific versions of services, certain OS types, or even find that pesky printer someone put on your network without telling you.

nmap can be used for good and for evil, today we will cover some common situations where nmap makes life easier for sysadmins which is generally good. Even if some Sysadmins are evil…

Discover IP’s in a subnet (no root)

 $ nmap -sP
 Starting Nmap 7.30 ( ) at 2016-10-12 21:12 GMT
 Nmap scan report for
 Host is up (0.0013s latency).
 Nmap scan report for
 Host is up (0.0032s latency).
 Nmap scan report for
 Host is up (0.0011s latency).

This is one of the simplest uses of nmap. This command is commonly refereed to as a “ping scan”, and tells nmap to send an icmp echo request, TCP SYN to port 443, TCP ACK to port 80 and icmp timestamp request to all hosts in the specified subnet. nmap will simply return a list of ip’s that responded. Unlike many nmap commands this particular one does not require root privileges, however when executed by root nmap will also by default send arp requests to the subnet.

Scan for open ports (no root)

 $ nmap
 Starting Nmap 7.30 ( ) at 2016-10-12 21:20 GMT
Nmap scan report for Host is up (0.0043s latency). Not shown: 998 closed ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 

This scan is the default scan for nmap and can take some time to generate. With this scan nmap will attempt a TCP SYN connection to 1000 of the most common ports as well as an icmp echo request to determine if a host is up. nmap will also perform a DNS reverse lookup on the identified ip’s as this can sometimes be useful information.

Identify the Operating System of a host (requires root)

 # nmap -O
 Starting Nmap 7.30 ( ) at 2016-10-12 21:35 GMT
 Nmap scan report for
 Host is up (0.00032s latency).
 Not shown: 996 closed ports
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp
 MAC Address: 00:00:00:00:00:00 (Unknown)
 Device type: general purpose
 Running: Apple Mac OS X 10.5.X
 OS details: Apple Mac OS X 10.5 - 10.6 (Leopard - Snow Leopard) (Darwin 9.0.0b5 - 10.0.0)
 Network Distance: 1 hop

With the -O option nmap will try to guess the targets operating system. This is accomplished by utilizing information that nmap is already getting through the TCP SYN port scan. This is usually a best guess but can actually be fairly accurate. The operating system scan however does require root privileges.

Identify Hostnames (no root)

 $ nmap -sL
 Starting Nmap 7.30 ( ) at 2016-10-12 21:35 GMT
 Nmap scan report for
 Nmap scan report for router.local (
 Nmap scan report for fake.local (
 Nmap scan report for another.fake.local (

This is one of the most subtle commands of nmap, the -sL flag tells nmap to do a simple DNS query for the specified ip. This allows you to find hostnames for all of the ip’s in a subnet without having send a packet to the individual hosts themselves.

Hostname information can tell you a lot more about a network than you would think, for instance if you labeled your Active Directory Servers with you shouldn’t be surprised if someone guesses its use.

TCP Syn and UDP Scan (requires root)

 # nmap -sS -sU -PN
 Starting Nmap 7.30 ( ) at 2016-10-12 21:12 GMT
 Nmap scan report for
 Host is up (0.00029s latency).
 Not shown: 1494 closed ports, 496 filtered ports
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp
 88/udp open|filtered kerberos-sec
 123/udp open ntp
 137/udp open netbios-ns
 138/udp open|filtered netbios-dgm
 631/udp open|filtered ipp
 5353/udp open zeroconf

The TCP SYN and UDP scan will take a while to generate but is fairly unobtrusive and stealthy. This command will check about 2000 common tcp and udp ports to see if they are responding. When you use the -Pn flag this tells nmap to skip the ping scan and assume the host is up. This can be useful when there is a firewall that might be preventing icmp replies.

TCP SYN and UDP scan for all ports (requires root)

 # nmap -sS -sU -PN -p 1-65535
 Starting Nmap 7.30 ( ) at 2016-10-12 21:36 GMT
 Nmap scan report for
 Host is up (0.00021s latency).
 Not shown: 131051 closed ports
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp
 17500/tcp open unknown
 88/udp open|filtered kerberos-sec
 123/udp open ntp
 137/udp open netbios-ns
 138/udp open|filtered netbios-dgm
 631/udp open|filtered ipp
 5353/udp open zeroconf
 17500/udp open|filtered unknown
 51657/udp open|filtered unknown
 54658/udp open|filtered unknown
 57798/udp open|filtered unknown
 58488/udp open|filtered unknown
 60027/udp open|filtered unknown

This command is the same as above however by specifying the full port range from 1 to 65535 nmap will scan to see if the host is listening on all available ports. You can use the port range specification on any scan that performs a port scan.

TCP Connect Scan (no root)

 $ nmap -sT
 Starting Nmap 7.30 ( ) at 2016-10-12 21:40 GMT
 Nmap scan report for
 Host is up (0.0015s latency).
 Not shown: 964 closed ports, 32 filtered ports
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp

This command is similar to the TCP SYN scan however rather than sending a SYN packet and reviewing the headers it will ask the OS to establish a TCP connection to the 1000 common ports.

Aggressively Scan Hosts (no root)

 $ nmap -T4 -A
 Nmap scan report for
 Host is up (0.00060s latency).
 Not shown: 996 closed ports
 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
 | ssh-hostkey: 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (DSA)
 |_2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (RSA)
 80/tcp open http nginx 1.1.19
 |_http-title: 403 Forbidden
 |_http-methods: No Allow or Public header in OPTIONS response (status code 405)
 111/tcp open rpcbind
 | rpcinfo:
 | program version port/proto service
 | 100000 2,3,4 111/tcp rpcbind
 | 100000 2,3,4 111/udp rpcbind
 | 100003 2,3,4 2049/tcp nfs
 | 100003 2,3,4 2049/udp nfs
 | 100005 1,2,3 46448/tcp mountd
 | 100005 1,2,3 52408/udp mountd
 | 100021 1,3,4 35394/udp nlockmgr
 | 100021 1,3,4 57150/tcp nlockmgr
 | 100024 1 49363/tcp status
 | 100024 1 51515/udp status
 | 100227 2,3 2049/tcp nfs_acl
 |_ 100227 2,3 2049/udp nfs_acl
 2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
 Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Unlike some of the earlier commands this command is very aggressive and very obtrusive. The -A simply tells nmap to perform OS checking and version checking. The -T4 is for the speed template, these templates are what tells nmap how quickly to perform the scan. The speed template ranges from 0 for slow and stealthy to 5 for fast and obvious.

Fast Scan (no root)

 $ nmap -T4 -F
 Starting Nmap 7.30 ( ) at 2016-10-12 21:48 GMT
 Nmap scan report for
 Host is up (0.00047s latency).
 Not shown: 96 closed ports
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp

This scan limits the scan to the most common 100 ports, if you simply want to know some potential hosts with ports open that shouldn’t be this is a quick and dirty command to use.


 $ nmap -T4 -A -v
 Starting Nmap 7.30 ( ) at 2016-10-12 21:50 GMT
 NSE: Loaded 93 scripts for scanning.
 NSE: Script Pre-scanning.
 Initiating Ping Scan at 21:50
 Scanning [2 ports]
 Completed Ping Scan at 21:50, 0.00s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 21:50
 Completed Parallel DNS resolution of 1 host. at 21:50, 0.01s elapsed
 Initiating Connect Scan at 21:50
 Scanning [1000 ports]
 Discovered open port 139/tcp on
 Discovered open port 445/tcp on
 Discovered open port 88/tcp on
 Discovered open port 631/tcp on
 Completed Connect Scan at 21:50, 5.22s elapsed (1000 total ports)
 Initiating Service scan at 21:50
 Scanning 4 services on
 Completed Service scan at 21:51, 11.00s elapsed (4 services on 1 host)
 NSE: Script scanning
 Initiating NSE at 21:51
 Completed NSE at 21:51, 12.11s elapsed
 Nmap scan report for
 Host is up (0.00026s latency).
 Not shown: 996 closed ports
 88/tcp open kerberos-sec Mac OS X kerberos-sec
 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
 631/tcp open ipp CUPS 1.4
 | http-methods: GET HEAD OPTIONS POST PUT
 | Potentially risky methods: PUT
 | http-robots.txt: 1 disallowed entry
 Service Info: OS: Mac OS X; CPE: cpe:/o:apple:mac_os_x

By adding verbose to a majority of the commands above you get a better insight into what nmap is doing; for some scans verbosity will provide additional details that the report does not provide.
While these are 10 very useful nmap commands I am sure there are some more handy nmap examples out there. If you have one to add to this list feel free to drop it into a comment.

Performing a nMap Scan

Researchers have disclosed a critical zero-day vulnerability in the JPEG 2000 image file format parser implemented in OpenJPEG library, which could allow an attacker to remotely execute arbitrary code on the affected systems.

Discovered by security researchers at Cisco Talos group, the zero-day flaw, assigned as TALOS-2016-0193/CVE-2016-8332, could allow an out-of-bound heap write to occur that triggers the heap corruption and leads to arbitrary code execution.

OpenJPEG is an open-source JPEG 2000 codec. Written in C language, the software was developed for coding and encoding JPEG2000 images, a format that is often used for tasks like embedding image files within PDF documents through popular software including PdFium, Poppler, and MuPDF.Hackers can exploit the security vulnerability by tricking the victim into opening a specially crafted, malicious JPEG2000 image or a PDF document containing that malicious file in an email.
The hacker could even upload the malicious JPEG2000 image file to a file hosting service, like Dropbox or Google Drive, and then send that link to the victim.
Once downloaded to the system, it would create a way for hackers to remotely execute malicious code on the affected system.The flaw was caused “due to an error while parsing mcc records in the jpeg2000 file,…resulting in an erroneous read and write of adjacent heap area memory,” Cisco explained in its advisory.

Careful manipulation of heap layout and can lead to further heap metadata process memory corruption ultimately leading to code execution under attacker control.“The researchers successfully tested the JPEG 2000 image exploit on the OpenJPEG openjp2 version 2.1.1. The flaw was discovered by Aleksandar Nikolic from the Cisco Talos Security team.

The team reported the zero-day flaw to OpenJPEG developers in late July, and the company patched the flaw last week with the release of version 2.1.2.

The vulnerability has been assigned a CVSS score of 7.5, categorizing it as a high-severity bug.