Skip to content

CLI

Jump to bottom
@trimstray edited this page May 23, 2018 · 8 revisions

Welcome to the Sandmap wiki!

You can file an issue about it and ask that it be added.

Sandmap provides simple and intuitive cli that supports the entire reconnaissance process using the built-in Nmap options.

Command line consists of two levels:

  • cli(main)> - the main level by means of which we can set and display session parameters, display information about modules, obtain a list of profiles in a given module, enable a given module and manipulate a temporary command stack.
  • cli(module_name)> - level of the module that provides many commands available in the main menu. The main differences are the ability to run scan profiles and add them to the temporary stack of commands, as well as displaying the description of each profile.

help

A standard command displaying help.

If you are in the space of the module, you can display its help using this command. If you provide an argument that is the name of the NSE module, its help will be displayed (using nmap --script-help = <nse_module_name>).

cli(main)> help Main Commands ------------- help <module> show cli help or module help list show available modules show <module [key]> show info about modules and profiles config <key>|<module [key]> show global or module configuration set <key>|<module [key]> set global or module variable value use <module> use module (changed env) pushd init|show|flush command line commands stack search <key> search key in all commands reload <modules|config> reload all modules cache or configuration banner show banner nmap <nmap_params> pure nmap engine Options: <module> module name <key> key value Module Commands --------------- help <module> display module or NSE help show <key> display module or profile info config <key> show module configuration set <key> set module variable value use <module> reuse module (changed env) pushd <key>|init|show|flush command line commands stack (experimental) search <key> search key in all commands init <alias|id> [--args] run profile Examples -------- show sample show 'sample' module info config terminal show 'terminal' key value use sample use 'sample' module search http search 'http' in all commands

list

This parameter displays all available modules along with the number of profiles and a short description.

cli(main)> list Module Profiles Description ------ -------- ----------- awesome 3 Awesome Nmap predefined commands module host_discovery 12 Nmap Host Discovery module nse_broadcast 19 NSE Broadcast Module nse_citrix 5 NSE Citrix Service Module nse_databases 31 NSE Databases Service Module nse_dns-dhcp 27 NSE DNS and DHCP Module nse_external 6 NSE External scripts (eg. from github) nse_ftp 9 NSE FTP Service Module nse_hadoop 7 NSE Hadoop Services Module nse_http-cve 22 NSE HTTP Vulnerability CVE Module nse_http-protocol 50 NSE HTTP Protocol Module nse_http-services 28 NSE HTTP Services Module nse_mail 15 NSE Mail Services Module nse_oracle 6 NSE Oracle Services Module nse_other-auth 3 NSE Other Auth Module nse_other-discovery 3 NSE Other Discovery Module nse_other-network 38 NSE Other Network Module nse_other-services 54 NSE Other Services Module nse_other-version 1 NSE Other Version Module nse_remote-access 16 NSE Remote Access Module nse_smb 23 NSE SMB Protocol Module nse_smb-vuln 11 NSE SMB Protocol Vulnerability Module nse_snmp 12 NSE SNMP Protocol Module nse_socks 3 NSE SOCKS Module nse_ssl 16 NSE SSL Protocol Module nse_vuln-scanners 7 NSE Vulnerability Scanners Module nse_whois 2 NSE Whois Database Module os_detection 4 Nmap OS Detection module port_scan 11 Nmap Port Scan types module service_detection 5 Service and Version Detection module zenmap 10 Zenmap module All Modules: 31 All Profiles: 459

show

This option show information about the module or module profile. These are the identifier and profile alias that we can use to determine the scanning technique and the parameters used by the profile. In addition, this command allows you to display information about a specific profile.

The parameter of this option is the name of the module and name of the profile.

cli(main)> show host_discovery ID Alias Nmap Parameters -- ----- --------------- 0 list_scan -sL 1 no_port_scan -sn 2 no_ping -Pn 3 tcp_syn_ping -PS -p 4 tcp_ack_ping -PA -p 80 5 udp_ping -PU -p 80 6 sctp_init_ping -PY -p 80 7 arp_ping -PR 8 icmp_ping-1 -PE 9 icmp_ping-2 -PP 10 icmp_ping-3 -PM cli(main)> show nse_ssl ssl-dh-params ID Alias Nmap Parameters -- ----- --------------- 104 ssl-dh-params --script ssl-dh-params Description: https://nmap.org/nsedoc/scripts/ssl-dh-params.html

config

The config parameter displays information about session variables. With their help, We can define the purpose or objectives of the scan, enable the transmission of traffic through the TOR network, set the type of output and specify additional parameters.

This option can be called without parameters and specify the name of the session variable. The initial values of variables are specified in the file etc/main.cfg.

cli(main)> config Description: Destination Examples: '127.0.0.1 example.com' { "dest":"127.0.0.1" } Description: Global parameters Examples: '-sV -p 443' { "params":"" } Description: Report type Examples: 'nmap|xml|grep' { "report":"" } Description: Pass through TOR Examples: 'true|false' { "tor":"" } Description: Terminal type Examples: 'internal|external' { "terminal":"internal" }

set

By config We display the values of session variables and use the set command to specify their new values.

The parameters of this command are the name of the variable and the new value. Specifying an empty value resets the value of the variable.

cli(main)> set dest 192.168.252.1 cli(main)> config dest Description: Destination Examples: '127.0.0.1,example.com' { "dest":"192.168.252.1" }

use

Activates the given module and goes to its space.

The parameters of this option is the module name.

cli(main)> use nse_mail cli(nse_mail)>

pushd

This command provides a local stack for storing multiple commands that can be used with one scan.

The parameters of this option are the profile alias or identifier. Additionally, you can display the contents of the stack (show), reset its contents ( flush) or initiate a scan (init).

cli(zenmap_scan)> pushd ping_scan cli(zenmap_scan)> pushd show pushd: -sn cli(zenmap_scan)> main cli(main)> pushd init terminal: > internal command: > nmap -sn 127.0.0.1 Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-27 07:25 CEST Nmap scan report for localhost (127.0.0.1) Host is up. Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds Result: pass cli(main)> pushd flush stdout: pushd flushed cli(main)> pushd show stdout: pushd empty

search

Allows you to search for profiles in the database.

The parameter of this command is the string of characters in the profile name.

cli(main)> search rsa-vuln Module Alias Nmap Parameters ------ ----- --------------- nse_ssl rsa-vuln-roca --script rsa-vuln-roca

reload

This option allows you to reload the configuration and modules.

The parameters of this command are config or modules.

cli(main)> config terminal Description: Terminal type Examples: 'internal|external' { "terminal":"internal" } cli(main)> set terminal external cli(main)> config terminal Description: Terminal type Examples: 'internal|external' { "terminal":"external" } cli(main)> reload config stdout: config reloaded cli(main)> config terminal Description: Terminal type Examples: 'internal|external' { "terminal":"internal" }

init

This option is available only from the level of a given module. If you want to use scan with multiple profiles, use the pushd mechanism at the same time.

The parameters of this option are the profile alias or identifier.

cli(zenmap)> init 4 terminal: > internal command: > nmap -sn 127.0.0.1 Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-07 11:14 CEST Nmap scan report for localhost (127.0.0.1) Host is up. Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds Result: pass

In addition (since version v1.2.0) the --args parameters accepts the arguments of the script (only for NSE).

The default options are only given as information. By pressing the enter key, we assign an empty value to an argument that is not used.

cli(nse_broadcast)> show 13 ID Alias Nmap Parameters -- ----- --------------- 13 broadcast-ping --script=broadcast-ping Script arguments: broadcast-ping.timeout = '3s' broadcast-ping.num_probes = '1' broadcast-ping.interface = '' Description: https://nmap.org/nsedoc/scripts/broadcast-ping.html cli(nse_broadcast)> init 13 --args broadcast-ping.timeout (3s): 1s broadcast-ping.num_probes (1): 5 broadcast-ping.interface (): terminal: > internal command: > nmap --script=broadcast-ping --script-args broadcast-ping.timeout="1s",broadcast-ping.num_probes="5" 127.0.0.1 Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-19 16:34 CEST Nmap scan report for localhost (127.0.0.1) Host is up (0.000010s latency). Not shown: 988 closed ports PORT STATE SERVICE 53/tcp open domain 5432/tcp open postgresql 5900/tcp open vnc 5901/tcp open vnc-1 8000/tcp open http-alt 8001/tcp open vcom-tunnel 8002/tcp open teradataordbms 9000/tcp open cslistener 9001/tcp open tor-orport 9002/tcp open dynamid 9003/tcp open unknown 9900/tcp open iua Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds Result: pass

Sandmap

Clone this wiki locally