
nmap

It's fun to scan networks with nmap!

Find domain controllers and save to a text file

(See our page on nslookup)

Check whether LDAPS (TCP 636) is configured on the domain controllers (-Pn skips host discovery, since DCs often drop ping)

nmap -Pn -sV -p636 -iL dcs.txt > ldaps.txt

Scan for UDP 623 (IPMI/RMCP, as exposed by HP iLO and other BMCs; -sU needs root, hence sudo)

sudo nmap -sU -p623 --open -iL subnets.txt -oA ipmi -vvv

Find just the hosts with port 623 open

# Pull the IP (second field) from the gnmap "Ports:" lines that report 623 as open.
# Match "623/open/" rather than "Status: Up": a UDP port that never answers is
# reported as open|filtered, and --open keeps "possibly open" ports too, so a
# grep on "Status: Up" over-counts.
grep "623/open/" ipmi.gnmap | awk '{print $2}' > open.txt

# Sort the IPs numerically octet by octet, drop duplicates, and write back to open.txt
sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u open.txt -o open.txt
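The extraction above as a self-contained, added example (not from the original page): it parses a constructed .gnmap file, shows the difference between "hosts that are up" and "hosts with 623 confirmed open", and sorts the result by IP. The sample scan output, the 10.20.x.x addresses and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page. Parses nmap grepable output
# (.gnmap) and lists hosts whose UDP 623 is confirmed open, sorted by IP.

# Constructed sample of what "nmap -sU -p623 --open ... -oA ipmi" writes to
# ipmi.gnmap. Addresses are invented. Note the third host: no reply on 623,
# so nmap reports open|filtered, and --open still keeps it.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
{
    printf '# Nmap 7.94 scan initiated as: nmap -sU -p623 --open -iL subnets.txt -oA ipmi\n'
    printf 'Host: 10.20.1.7 ()\tStatus: Up\n'
    printf 'Host: 10.20.1.7 ()\tPorts: 623/open/udp//asf-rmcp///\n'
    printf 'Host: 10.20.0.250 ()\tStatus: Up\n'
    printf 'Host: 10.20.0.250 ()\tPorts: 623/open|filtered/udp//asf-rmcp///\n'
    printf 'Host: 10.20.1.2 (bmc01.corp.example)\tStatus: Up\n'
    printf 'Host: 10.20.1.2 (bmc01.corp.example)\tPorts: 623/open/udp//asf-rmcp///\n'
    printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned\n'
} > "$SAMPLE_GNMAP"

# Numeric sort on each dotted-quad octet, duplicates removed.
sort_ips() {
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Every host nmap marked "Status: Up" (what a grep on "Status: Up" returns).
# Field 2 of a gnmap "Host:" line is always the IP, hostname or not.
hosts_up() {
    grep 'Status: Up' "$1" | awk '{print $2}' | sort_ips
}

# Hosts whose "Ports:" field lists PORT as definitely open. The pattern anchors
# on "Ports: " or ", " so 623 does not match 1623, and "/open/" excludes the
# "open|filtered" state that means "no answer", not "BMC listening".
hosts_with_open_port() {
    port="$1"
    gnmap="$2"
    grep -E "(Ports: |, )${port}/open/" "$gnmap" | awk '{print $2}' | sort_ips
}

echo "Hosts up:"
hosts_up "$SAMPLE_GNMAP"
echo "Hosts with 623 confirmed open:"
hosts_with_open_port 623 "$SAMPLE_GNMAP"
```

On the sample, "Hosts up" lists three addresses while the port-specific list has two; only the second list is worth feeding to an IPMI hash-dumping module. Point the functions at your real ipmi.gnmap instead of the sample file.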

Hosts in open.txt can then be fed to Metasploit's auxiliary/scanner/ipmi/ipmi_dumphashes module, which abuses the IPMI 2.0 RAKP authentication exchange to retrieve salted HMAC-SHA1 hashes of user passwords without logging in; hashcat cracks those with -m 7300 (IPMI2 RAKP HMAC-SHA1).