# Nmap Summary (ESP)
```bash
nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24
```

## Parameters

### IPs to scan

- `<ip>,<net/mask>`: Indicate the IPs directly
- `-iL <ips_file>`: List of IPs
- `-iR <number>`: Number of random IPs; you can exclude candidate IPs with `--exclude <Ips>` or `--excludefile <file>`.

### Host discovery

By default Nmap runs a discovery phase consisting of: `-PA80 -PS443 -PE -PP`

- `-sL`: Not invasive; lists the targets by making DNS requests to resolve names. Useful to know whether, for example, all the IPs in www.prueba.es/24 are our targets.
- `-Pn`: No ping. Useful if you already know they are all up (otherwise you can waste a lot of time, but this option also produces false negatives by reporting hosts as down); it skips the discovery phase.
- `-sn`: No port scan. After the reconnaissance phase it does not go on to scan ports. It is relatively stealthy and allows a small network scan. With privileges it sends an ACK (`-PA`) to 80, a SYN (`-PS`) to 443, an echo request and a timestamp request; without privileges it always completes the connections. If the target is the local network it only uses ARP (`-PR`). If used together with another option, only the packets of the other option are sent.
- `-PR`: ARP ping. Used by default when scanning machines inside our own network; it is faster than using pings. If you do not want to use ARP packets use `--send-ip`.
- `-PS <ports>`: Sends SYN packets: if the target answers SYN/ACK the port is open (Nmap answers RST so as not to complete the connection), if it answers RST it is closed, and if it does not answer it is unreachable. Without privileges a full connection is used automatically. If no ports are indicated, it sends to 80.
- `-PA <ports>`: Like the previous one but with ACK; combining both gives better results.
- `-PU <ports>`: The goal is the opposite: they are sent to ports that are expected to be closed. Some firewalls only inspect TCP connections. If the port is closed it answers port unreachable; if it answers with another ICMP message or does not answer, it is marked as destination unreachable.
- `-PE, -PP, -PM`: ICMP pings: echo reply, timestamp and address mask. They are sent to find out whether the target is up.
- `-PY<ports>`: Sends SCTP INIT probes, to 80 by default; the reply may be INIT-ACK (open), ABORT (closed), or nothing / ICMP unreachable (inactive).
- `-PO <protocols>`: A protocol is indicated in the headers; by default 1 (ICMP), 2 (IGMP) and 4 (Encap IP). For ICMP, IGMP, TCP (6) and UDP (17) the protocol headers are sent; for the others only the IP header is sent. The point is that, because of the malformed headers, either a Protocol unreachable or a reply from the same protocol comes back, which tells us whether the host is up.
- `-n`: No DNS
- `-R`: DNS always
- `--system-dns`: Force the OS resolver instead of Nmap's stub resolver. Useful when /etc/hosts, split-DNS, or resolver plugins provide data that Nmap's direct queries do not show. It is slower, and since Nmap 7.96 forward lookups are already parallelised, so it is normally only needed to compare resolvers.
- `--dns-servers <server[,server],...>`: Force specific DNS servers for reverse lookups. Useful in internal assessments to query authoritative or internal resolvers directly, or to keep `-sL`/reverse-DNS traffic away from the test machine's default resolvers.
### Port scanning techniques

- `-sS`: Does not complete the connection, so it leaves few traces; good if it can be used (requires privileges). It is the default.
- `-sT`: Completes the connection, so it leaves traces, but it can always be used. Default without privileges.
- `-sU`: Slower, for UDP. Mainly: DNS (53), SNMP (161,162), DHCP (67 and 68), (`-sU53,161,162,67,68`): open (reply), closed (port unreachable), filtered (another ICMP), open/filtered (nothing). In the open/filtered case, `-sV` sends numerous requests to detect any of the versions Nmap supports and can determine the real state. It increases the time a lot.
- `-sY`: The SCTP protocol does not establish the connection, so there are no logs; it works like `-PY`
- `-sN,-sX,-sF`: Null, Fin, Xmas; they can penetrate some firewalls and extract information. They rely on the fact that standards-compliant machines should answer with RST all requests that do not carry the SYN, RST or ACK flags: open/filtered (nothing), closed (RST), filtered (ICMP unreachable). They are unreliable on Windows, Cisco, BSDI and OS/400. On unix they work.
- `-sM`: Maimon scan: sends the FIN and ACK flags; it was used for BSD, currently it reports everything as closed.
- `-sA, -sW`: ACK and Window; used to detect firewalls, to know whether ports are filtered or not. `-sW` distinguishes open from closed because open ports answer with a different window value: open (RST with window other than 0), closed (RST with window = 0), filtered (ICMP unreachable or nothing). Not all machines behave this way, so if everything shows as closed it is not working; if a few show as open it works fine; and if many show as open and few as closed, it works the other way round.
- `-sI`: Idle scan. For cases where there is an active firewall but we know it does not filter a certain IP (or we simply want anonymity), we can use the zombie scanner (it works for all ports). To look for zombies use the `ipidseq` script or the exploit auxiliary/scanner/ip/ipidseq. This scanner relies on the IPID number of IP packets.
- `--badsum`: Sends a wrong checksum; hosts would discard the packets, but firewalls may answer something; used to detect firewalls.
- `-sZ`: "Weird" SCTP scanner; when probes with cookie echo fragments are sent they should be dropped if the port is open or answered with ABORT if closed. It can get through firewalls that INIT does not pass; the drawback is that it cannot distinguish between filtered and open.
- `-sO`: IP protocol scan. Sends malformed and empty headers in which sometimes not even the protocol can be identified. If an ICMP protocol unreachable arrives the protocol is closed; if a port unreachable arrives it is open; if another error arrives, filtered; if nothing arrives, open|filtered.
- `-b <server>`: FTP host -> used to scan a host from another host; this is done by connecting to the FTP server of another machine and asking it to send files to the ports you want to scan on the target; from the replies we know whether they are open or not. `[<user>:<password>@]<server>[:<port>]` Almost all FTP servers no longer allow this, so it has little practical use.
### Focusing the analysis

- `-p`: Used to indicate the ports to scan. To select all 65,335 ports: `-p-` or `-p all`. Nmap has an internal classification by popularity. By default it uses the top 1000 ports. With `-F` (fast scan) it analyses the top 100. With `--top-ports`
- `-sV`: Version scanning; the intensity can be regulated from 0 to 9, the default is 7.
- `--version-intensity`
- `--version-light`: Alias for `--version-intensity 2`. Very useful for a first pass against large ranges or slow UDP services.
- `--version-all`: Alias for `--version-intensity 9`. Forces every probe; useful when a service only answers a few probes.
- `--allports`: Forces version detection on the ports that nmap-service-probes excludes (mainly TCP/9100). Caveat: on some printers or raw socket listeners this can make them print the probe data.
- `-O`: OS detection
- `--osscan-limit`: For a proper host scan at least one open port and one closed port are needed; if this condition is not met and we have set this option, it does not attempt OS prediction (saves time)
- `--osscan-guess`: When OS detection is not perfect, this makes it try harder
### Scripts

`--script`

To use the default scripts, use `-sC` or `--script=default`

The available categories are: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln

- Auth: runs all the available authentication scripts
- Default: runs the tool's basic scripts
- Discovery: retrieves information from the target or victim
- External: scripts that use external resources
- Intrusive: uses scripts that are considered intrusive to the victim or target
- Malware: checks for open connections caused by malicious code or backdoors
- Safe: runs non-intrusive scripts
- Vuln: discovers the best-known vulnerabilities
- All: runs absolutely every available NSE script

To search for scripts:

```bash
nmap --script-help="http-*"            # Those starting with http-
nmap --script-help="not intrusive"     # All except those
nmap --script-help="default or safe"   # Those in either or both
nmap --script-help="default and safe"  # Those in both
nmap --script-help="(default or safe or intrusive) and not http-*"
```

- `--script-args`
- `--script-args-file`
- `--script-help`
- `--script-trace` -> Gives information on how the script is progressing
- `--script-updatedb`

To use a script, just type: `nmap --script Script_Name target` -> When a script is used, both the script and the scanner run, so scanner options can also be added. We can add `safe=1` to run only the safe ones.
## Time control

Nmap can express time in seconds, minutes or ms: the `--host-timeout` arguments 900000ms, 900, 900s, and 15m all do the same thing.

Nmap divides the total hosts to scan into groups and analyses those groups in blocks, so it does not move on to the next block until all hosts have been analysed (and the user gets no updates until the block is finished). For this reason it is more efficient for Nmap to use large groups. By default in a class C it uses 256.

This can be changed with `--min-hostgroup`

You can control the number of parallel scanners, but it is better not to (Nmap already has automatic control based on network conditions): `--min-parallelism`

We can modify the RTT timeout, but it is usually not necessary: `--min-rtt-timeout`, `--max-rtt-timeout`, `--initial-rtt-timeout`

We can modify the number of retries: `--max-retries`

We can modify the scan time of a host: `--host-timeout`

We can modify the time between each probe to slow down or speed up: `--scan-delay`; `--max-scan-delay`

We can modify the number of packets per second: `--min-rate`

Many ports take a long time to answer when they are filtered or closed. If we are only interested in the open ones, we can go faster with: `--defeat-rst-ratelimit`

To define how aggressive we want Nmap to be: `-T paranoid|sneaky|polite|normal|aggressive|insane`

- `-T (0-1)`
- `-T0` -> Scans only 1 port at a time and waits 5 min until the next one
- `-T1` and `-T2` -> Very similar, but wait 15 and 0.4 sec respectively between each probe
- `-T3` -> Default operation, includes parallel scanning
- `-T4` -> `--max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms`
- `-T5` -> `--max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms`
## Firewall/IDS

They block access to ports and analyse packets.

- `-f`: Fragments packets; by default it splits them into 8 bytes after the header. To indicate the size we use `..mtu` (with this, do not use `-f`); the offset must be a multiple of 8. Version scanners and scripts do not support fragmentation
- `-D decoy1,decoy2,ME`: Nmap sends the scans but with other IP addresses as the source; this way they hide you. If you put ME in the list, Nmap places you there; it is better to put 5 or 6 before you to mask you completely. Random IPs can be generated with RND:
- To use random IPs: `nmap -D RND:10 Target_IP`
- `-S IP`: When Nmap does not detect your IP address you have to give it. It is also useful to make them think another target is scanning them.
- `-e`
- Many administrators leave inbound ports open so that everything works and it is easier for them than looking for another solution. These can be the DNS or FTP ports... To look for this weakness Nmap has: `--source-port`
- `--data`
- `--data-string`
- `--data-length`
- To fully configure the IP packet use `--ip-options`
- If you want to see the options in the packets sent and received, specify `--packet-trace`. For more information and examples of using IP options with Nmap, see http://seclists.org/nmap-dev/2006/q3/52.
- `--ttl`
- `--randomize-hosts`: To make the attack less obvious
- `--spoof-mac <MAC address, prefix, or vendor name>`: To change the MAC; examples: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco
- `--proxies`
- `-sP`: To discover the hosts on the network we are in via ARP

Many administrators create a firewall rule that lets through all packets coming from a certain port (such as 20, 53 and 67); we can tell Nmap to send our packets from those ports: `nmap --source-port 53 IP`
## Output

- `-oN file`: Normal output
- `-oX file`: XML output
- `-oS file`: Script kiddies output
- `-oG file`: Greppable output. It still works but is deprecated; XML is the better format for automation because new Nmap features land there first. Keep using `-oN` if you want `--resume`, and default to `-oX`/`-oA` for machine parsing.
- `-oA file`: All except `-oS`
- `--webxml`: Switches the XML stylesheet reference to https://nmap.org/svn/docs/nmap.xsl, making the XML easy to open as HTML on another machine.
- `--stylesheet <path|url>`: Use your own XSL stylesheet. `--webxml` is just a shortcut to the official hosted stylesheet.
- `-v level`: verbosity
- `-d level`: debugging
- `--reason`: Reason for the host state
- `--stats-every time`: Reports progress at that interval
- `--packet-trace`: To see the outgoing packets; filters can be specified, such as `--version-trace` or `--script-trace`
- `--open`: Shows open, open|filtered and unfiltered
- `--resume file`: Resume an interrupted scan from normal (`-oN`) or greppable (`-oG`) output. In current workflows it is common to keep `-oN` for resumability and `-oX` for parsing.

Example for parsing/HTML conversion workflows:

```bash
# Send only XML to stdout for tooling
nmap -sV -oX - 10.10.10.0/24
# Portable HTML-friendly XML
nmap -sV --webxml -oX scan.xml 10.10.10.10
```
## Miscellaneous

- `-6`: Enables IPv6
- `-A`: Same as `-O -sV -sC --traceroute`

## Run time

While Nmap is running we can change options:

- v / V Increase / decrease the verbosity level
- d / D Increase / decrease the debugging level
- p / P Enable / disable packet tracing
- ? Print the runtime interaction help screen
## Vulscan

Nmap script that looks up the versions of the discovered services in an offline database (downloaded from other very important ones) and returns the possible vulnerabilities

The databases (DBs) used are:

- Scipvuldb.csv | http://www.scip.ch/en/?vuldb
- Cve.csv | http://cve.mitre.org
- Osvdb.csv | http://www.osvdb.org
- Securityfocus.csv | http://www.securityfocus.com/bid/
- Securitytracker.csv | http://www.securitytracker.com
- Xforce.csv | http://xforce.iss.net
- Exploitdb.csv | http://www.exploit-db.com
- Openvas.csv | http://www.openvas.org

To download and install it in the Nmap folder (the archive must be extracted with `tar -x`, not created with `-c`):

```bash
wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar -xzvf nmap_nse_vulscan-2.0.tar.gz vulscan/ && sudo cp -r vulscan/ /usr/share/nmap/scripts/
```

You will also need to download the DB packages and add them to /usr/share/nmap/scripts/vulscan/

Usage:

- To use them all: `sudo nmap -sV --script=vulscan HOST_TO_SCAN`
- To use a specific DB: `sudo nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST_TO_SCAN`

If you have Internet access, the official Nmap `vulners` NSE script is usually a faster-maintained alternative for version-based enrichment:

```bash
nmap -sV --script vulners --script-args mincvss=7.0 <IP>
```

This script belongs to the safe, external, and vuln categories. Because it depends on how accurate `-sV` was, validate hits manually when the service banner is generic or proxied.
## Recent practical notes (7.94+)

- Since Nmap 7.94, the UDP port scan (`-sU`) and version detection (`-sV`) share the same payload source, nmap-service-probes. UDP replies from the scan phase can immediately yield version matches, so `-sU -sV --version-light` is now a good first pass against large or lossy ranges.
- Since Nmap 7.94, `-sV` can also probe UDP services hidden behind DTLS, which matters for modern management/ICS appliances that wrap UDP protocols in DTLS.
- Nmap 7.95 added a large batch of new service fingerprints, including `grpc`, `mysqlx`, `remotemouse` and `tuya`, together with new ICS-focused NSE coverage such as `hartip-info` and `iec61850-mms`. If you scan OT or embedded estates, updating Nmap matters more than adding custom probes early.
- Since Nmap 7.96, forward DNS lookups also run in parallel. Large hostname lists now resolve much faster, so `--system-dns` should mostly be reserved for compatibility issues rather than performance.
Speed Up Nmap Service scan x16
According to this post you can speed up the nmap service analysis by modifying all the totalwaitms values in /usr/share/nmap/nmap-service-probes to 300 and tcpwrappedms to 200.
Moreover, probes which do not have a specifically defined servicewaitms use a default value of 5000. Therefore, we can either add values to each of the probes, or we can compile nmap ourselves and change the default value in service_scan.h.
If you don’t want to change the values of totalwaitms and tcpwrappedms at all in the /usr/share/nmap/nmap-service-probes file, you can edit the parsing code such that these values in the nmap-service-probes file are completely ignored.
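An added example (not code from this page or from the linked post) that applies the edit described above to a copy of nmap-service-probes: it rewrites every existing `totalwaitms`/`tcpwrappedms` value and inserts `totalwaitms` into probes that have none, so the change can be reviewed as a diff instead of hand-editing hundreds of blocks. `SAMPLE_PROBES` is a constructed excerpt; the values 300 and 200 are the ones the text proposes.

```python
import re
import sys

TOTALWAITMS = 300   # value the text proposes for totalwaitms
TCPWRAPPEDMS = 200  # value the text proposes for tcpwrappedms

# Constructed excerpt in the real file's syntax (probe names are real ones,
# match lines are shortened). The GetRequest probe has no totalwaitms line,
# so Nmap would apply the 5000 ms default the text mentions.
SAMPLE_PROBES = r"""# Nmap service detection probe list -*- mode: fundamental; -*-
Exclude T:9100-9107

Probe TCP NULL q||
rarity 1
totalwaitms 6000
tcpwrappedms 3000
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/

Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,8080
match http m|^HTTP/1\.[01] \d\d\d|

Probe UDP DNSStatusRequest q|\0\0\x10\0\0\0\0\0\0\0\0\0|
rarity 2
ports 53
totalwaitms 1000
"""

_DIRECTIVE = re.compile(r"^(totalwaitms|tcpwrappedms)\s+(\d+)\s*$")


def rewrite_probe_timeouts(text, totalwaitms=TOTALWAITMS, tcpwrappedms=TCPWRAPPEDMS):
    """Return (new_text, stats). Existing totalwaitms/tcpwrappedms lines are
    set to the requested values; a probe block with no totalwaitms line gets
    one inserted directly after its Probe line. Lines outside probe blocks
    (comments, Exclude) are left untouched."""
    out = []
    stats = {"totalwaitms": 0, "tcpwrappedms": 0, "inserted": 0}
    probe_idx = None    # index in `out` of the current block's Probe line
    seen_total = False  # did the current block carry a totalwaitms line?

    def close_block():
        if probe_idx is not None and not seen_total:
            out.insert(probe_idx + 1, f"totalwaitms {totalwaitms}")
            stats["inserted"] += 1

    for line in text.splitlines():
        if line.startswith("Probe "):
            close_block()
            probe_idx, seen_total = len(out), False
            out.append(line)
            continue
        m = _DIRECTIVE.match(line)
        if m and probe_idx is not None:
            key = m.group(1)
            stats[key] += 1
            seen_total = seen_total or key == "totalwaitms"
            out.append(f"{key} {totalwaitms if key == 'totalwaitms' else tcpwrappedms}")
            continue
        out.append(line)
    close_block()
    return "\n".join(out) + "\n", stats


if __name__ == "__main__":
    # Usage: rewrite.py /usr/share/nmap/nmap-service-probes ./nmap-service-probes.fast
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            new_text, stats = rewrite_probe_timeouts(fh.read())
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(new_text)
    else:
        new_text, stats = rewrite_probe_timeouts(SAMPLE_PROBES)
        print(new_text)
    print(stats)
```

Point Nmap at the rewritten copy with `--datadir` (or bundle it as in the static-build section) rather than overwriting the system file, so the original timings stay available for slow or lossy targets.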
## Build a static Nmap for restricted environments

In hardened or minimal Linux environments (containers, appliances), dynamically linked Nmap binaries often fail because the runtime loader or shared libraries are missing (e.g. /lib64/ld-linux-x86-64.so.2, libc.so). Building your own statically linked Nmap and bundling the NSE data alongside the binary allows it to run without installing system packages.

High-level approach

- Use a clean amd64 Ubuntu builder via Docker.
- Build OpenSSL and PCRE2 as static libraries.
- Build Nmap linking statically and using the included libpcap/libdnet to avoid dynamic dependencies.
- Package the NSE scripts and data directories alongside the binary.

Discover target architecture (example)

```bash
uname -a
# If building from macOS/ARM/etc., pin the builder arch:
docker run --rm --platform=linux/amd64 -v "$(pwd)":/out -w /tmp ubuntu:22.04 bash -lc 'echo ok'
```
Step 1: Prepare the toolchain

```bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get install -y --no-install-recommends \
  build-essential ca-certificates curl bzip2 xz-utils pkg-config perl python3 file git \
  automake autoconf libtool m4 zlib1g-dev
```

Step 2: Build static OpenSSL (1.1.1w)

```bash
OSSL="1.1.1w"
curl -fsSLO "https://www.openssl.org/source/openssl-$OSSL.tar.gz"
tar xzf "openssl-$OSSL.tar.gz" && cd "openssl-$OSSL"
./Configure no-shared no-zlib linux-x86_64 -static --prefix=/opt/ossl
make -j"$(nproc)" && make install_sw
cd /tmp
```

Step 3: Build static PCRE2 (10.43)

```bash
PCRE2=10.43
curl -fsSLO "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-$PCRE2/pcre2-$PCRE2.tar.bz2"
tar xjf "pcre2-$PCRE2.tar.bz2" && cd "pcre2-$PCRE2"
./configure --disable-shared --enable-static --prefix=/opt/pcre2
make -j"$(nproc)" && make install
cd /tmp
```

Step 4: Build static Nmap (7.98)

```bash
NMAP=7.98
curl -fsSLO "https://nmap.org/dist/nmap-$NMAP.tar.bz2"
tar xjf "nmap-$NMAP.tar.bz2" && cd "nmap-$NMAP"
export CPPFLAGS="-I/opt/ossl/include -I/opt/pcre2/include"
export LDFLAGS="-L/opt/ossl/lib -L/opt/pcre2/lib -static -static-libstdc++ -static-libgcc"
export LIBS="-lpcre2-8 -ldl -lpthread -lz"
./configure \
  --with-openssl=/opt/ossl \
  --with-libpcre=/opt/pcre2 \
  --with-libpcap=included \
  --with-libdnet=included \
  --without-zenmap --without-ndiff --without-nmap-update
# Avoid building shared libpcap by accident
sed -i -e "s/^shared: /shared: #/" libpcap/Makefile || true
make -j1 V=1 nmap
strip nmap
```
Key notes

- `-static`, `-static-libstdc++` and `-static-libgcc` force static linking.
- Using `--with-libpcap=included`/`--with-libdnet=included` avoids the system's shared libraries.
- The `sed` fix neutralises the shared libpcap target if it exists.

Step 5: Bundle the binary with the NSE data

```bash
mkdir -p /out/nmap-bundle/nmap-data
cp nmap /out/nmap-bundle/nmap-linux-amd64-static
cp -r scripts nselib /out/nmap-bundle/nmap-data/
cp nse_main.lua nmap-services nmap-protocols nmap-service-probes \
   nmap-mac-prefixes nmap-os-db nmap-payloads nmap-rpc \
   /out/nmap-bundle/nmap-data/ 2>/dev/null || true
tar -C /out -czf /out/nmap-linux-amd64-static-bundle.tar.gz nmap-bundle
```

Verification and ops notes

- Run `file` on the artifact to confirm it is statically linked.
- Ship the NSE data alongside the binary to keep script parity on hosts that do not have Nmap.
- Even with a static binary, execution can be blocked by AppArmor/seccomp/SELinux; DNS/egress must still work.
- Deterministic builds reduce supply-chain risk compared with downloading opaque "static" binaries.
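For the "confirm it is statically linked" check, an added example (not code from this page or from the referenced build tooling) that reads the ELF program headers directly instead of trusting the file name: a dynamically linked binary carries a PT_INTERP entry naming the loader, a static one has none. `fake_elf64` is a constructed fixture for the test, not a real binary.

```python
import struct

PT_INTERP = 3  # program header type that names the dynamic loader


def elf_interpreter(data):
    """Return the loader path named by PT_INTERP, or None when the ELF image
    has no such header, which is what a fully static binary looks like (a
    static-pie also lacks PT_INTERP; both run without a system loader)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        fmt = end + "IIQQQQ"   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        fmt = end + "IIIII"    # p_type, p_offset, p_vaddr, p_paddr, p_filesz
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_INTERP:
            p_offset, p_filesz = fields[-4], fields[-1]  # same positions in both layouts
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None


def is_static(path):
    """True when the file at `path` carries no PT_INTERP header."""
    with open(path, "rb") as fh:
        return elf_interpreter(fh.read()) is None


def fake_elf64(interp=None):
    """Constructed test fixture: a minimal little-endian x86-64 ELF header
    with one PT_LOAD entry and, optionally, a PT_INTERP entry. Not runnable."""
    phdr = "<IIQQQQQQ"                       # full 56-byte Elf64_Phdr
    load = struct.pack(phdr, 1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)
    phdrs, tail = [load], b""
    if interp is not None:
        tail = interp.encode() + b"\0"
        data_off = 64 + 56 * 2               # interpreter string right after both phdrs
        phdrs.insert(0, struct.pack(phdr, PT_INTERP, 4, data_off, 0, 0,
                                    len(tail), len(tail), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs) + tail


if __name__ == "__main__":
    import sys
    # Usage: check_static.py /out/nmap-bundle/nmap-linux-amd64-static
    for path in sys.argv[1:]:
        print(path, "static" if is_static(path) else "dynamic")
```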
One-liner (Dockerized)

Build, bundle and print artifact info

```bash
docker run --rm --platform=linux/amd64 -v "$(pwd)":/out -w /tmp ubuntu:22.04 bash -lc '
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get install -y --no-install-recommends \
  build-essential ca-certificates curl bzip2 xz-utils pkg-config perl python3 file git \
  automake autoconf libtool m4 zlib1g-dev
OSSL="1.1.1w"; curl -fsSLO "https://www.openssl.org/source/openssl-$OSSL.tar.gz" \
  && tar xzf "openssl-$OSSL.tar.gz" && cd "openssl-$OSSL" \
  && ./Configure no-shared no-zlib linux-x86_64 -static --prefix=/opt/ossl \
  && make -j"$(nproc)" && make install_sw && cd /tmp
PCRE2=10.43; curl -fsSLO "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-$PCRE2/pcre2-$PCRE2.tar.bz2" \
  && tar xjf "pcre2-$PCRE2.tar.bz2" && cd "pcre2-$PCRE2" \
  && ./configure --disable-shared --enable-static --prefix=/opt/pcre2 \
  && make -j"$(nproc)" && make install && cd /tmp
NMAP=7.98; curl -fsSLO "https://nmap.org/dist/nmap-$NMAP.tar.bz2" \
  && tar xjf "nmap-$NMAP.tar.bz2" && cd "nmap-$NMAP" \
  && export CPPFLAGS="-I/opt/ossl/include -I/opt/pcre2/include" \
  && export LDFLAGS="-L/opt/ossl/lib -L/opt/pcre2/lib -static -static-libstdc++ -static-libgcc" \
  && export LIBS="-lpcre2-8 -ldl -lpthread -lz" \
  && ./configure --with-openssl=/opt/ossl --with-libpcre=/opt/pcre2 --with-libpcap=included --with-libdnet=included --without-zenmap --without-ndiff --without-nmap-update \
  && sed -i -e "s/^shared: /shared: #/" libpcap/Makefile || true \
  && make -j1 V=1 nmap && strip nmap
mkdir -p /out/nmap-bundle/nmap-data \
  && cp nmap /out/nmap-bundle/nmap-linux-amd64-static \
  && cp -r scripts nselib /out/nmap-bundle/nmap-data/ \
  && cp nse_main.lua nmap-services nmap-protocols nmap-service-probes nmap-mac-prefixes nmap-os-db nmap-payloads nmap-rpc /out/nmap-bundle/nmap-data/ 2>/dev/null || true \
  && tar -C /out -czf /out/nmap-linux-amd64-static-bundle.tar.gz nmap-bundle \
  && echo "===== OUTPUT ====="; ls -lah /out; echo "===== FILE TYPE ====="; file /out/nmap-bundle/nmap-linux-amd64-static || true
'
```
## References
- [Compiling static Nmap binary for jobs in restricted environments](https://www.pentestpartners.com/security-blog/compiling-static-nmap-binary-for-jobs-in-restricted-environments/)
- [Static Nmap Binary Generator (helper tool)](https://github.com/0x5ubt13/static_nmap_binary_generator)
- [OpenSSL sources](https://www.openssl.org/source/)
- [PCRE2 releases](https://github.com/PCRE2Project/pcre2/releases)
- [Nmap source tarballs](https://nmap.org/dist/)
- [Nmap Change Log](https://nmap.org/changelog.html)
- [Nmap Output Formats](https://nmap.org/book/man-output.html)