November 19

Linux: Nmap Examples

Basic Nmap scanning examples, often used at the first stage of enumeration.
Command Description

nmap -sP 10.0.0.0/24

Ping scans the network, listing machines that respond to ping.

nmap -p 1-65535 -sV -sS -T4 target

Full TCP port scan with service version detection – usually my first scan; I find T4 more accurate than T5 and still “pretty quick”.

nmap -v -sS -A -T4 target

Prints verbose output, runs a stealth SYN scan with T4 timing, OS and version detection, plus traceroute and scripts against target services.

nmap -v -sS -A -T5 target

Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection, plus traceroute and scripts against target services.

nmap -v -sV -O -sS -T5 target

Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection.

nmap -v -p 1-65535 -sV -O -sS -T4 target

Prints verbose output, runs a stealth SYN scan with T4 timing, OS and version detection, plus a full port range scan.

nmap -v -p 1-65535 -sV -O -sS -T5 target

Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection, plus a full port range scan.
Aggressive scan timings are faster, but could yield inaccurate results!

T5 uses very aggressive scan timings and could lead to missed ports, T4 is a better compromise if you need fast results.
Nmap scan from file
Command Description

nmap -iL ip-addresses.txt

Scans a list of IP addresses read from a file; you can add options before or after.
Nmap output formats
Command Description

nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24

Writes “grepable” output to a file; in this example, NetBIOS servers.

E.g., the output file could be grepped for “Open”.

nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | xsltproc --output file.html -

Exports Nmap output to an HTML report.
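
Added example (not from the original post): a shell function that lists the hosts with open ports from the grepable file written by the -oG command above. Each port entry in that format reads port/state/protocol/owner/service/rpc/version/, and the function matches the state field exactly so that open|filtered is not counted; the function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise open ports per host from Nmap grepable (-oG) output.

# Constructed sample in -oG format (not taken from a real scan).
sample_gnmap() {
cat <<'EOF'
# constructed sample in Nmap grepable (-oG) format
Host: 10.0.1.5 (fileserver)	Status: Up
Host: 10.0.1.5 (fileserver)	Ports: 139/open/tcp//netbios-ssn//Samba smbd/, 445/open/tcp//microsoft-ds//Samba smbd/
Host: 10.0.1.9 ()	Status: Up
Host: 10.0.1.9 ()	Ports: 137/open|filtered/udp//netbios-ns///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.1.12 ()	Status: Up
Host: 10.0.1.12 ()	Ports: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///	Ignored State: closed (998)
EOF
}

# Reads -oG output from the given files (or stdin) and prints one line per
# host that has at least one port in state "open": "<ip> <port/proto,...>".
open_ports_by_host() {
    awk '
    /^Host: / && /Ports: / {
        host  = $2
        ports = substr($0, index($0, "Ports: ") + 7)
        sub(/\t.*/, "", ports)        # drop later fields such as "Ignored State"
        n = split(ports, entry, /, */)
        hits = ""
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")   # f[1]=port, f[2]=state, f[3]=protocol
            if (f[2] == "open")       # exact match: skips closed, filtered, open|filtered
                hits = hits (hits == "" ? "" : ",") f[1] "/" f[3]
        }
        if (hits != "") print host, hits
    }' "$@"
}

# Demo on the constructed sample; for a real file: open_ports_by_host grep-output.txt
sample_gnmap | open_ports_by_host
```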
Nmap Netbios Examples
Command Description

nmap -sV -v -p 139,445 10.0.0.1/24

Finds all NetBIOS servers on the subnet.

nmap -sU --script nbstat.nse -p 137 target

Displays the NetBIOS name.

nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target

Checks whether NetBIOS servers are vulnerable to MS08-067.

Category: Linux | Comments Off on Linux: Nmap Examples
November 19

Linux: When yum update interruption breaks gnome

rpm -qa | grep yum
yum reinstall yum-utils-1.1.31-45.el7    # change to the appropriate version number
package-cleanup --cleandupes

Once this is complete we shouldn’t see any more duplicates on the system:

package-cleanup --dupes

November 19

Linux: Red Hat Satellite puppet issues

If Satellite is not seeing a report from the server, use the following command from the host to try to force a sync:
puppet agent -tv


If you run into a lock issue where “puppet agent -tv” will not work, try the following:

systemctl stop puppet

rm /var/lib/puppet/state/agent_catalog_run.lock

systemctl start puppet

ps aux | grep puppet
root 26701 42.0 0.3 248764 41080 ? Ssl 10:14 0:01 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize
root 26711 51.0 0.4 351092 56660 ? Sl 10:14 0:01 puppet agent: applying configuration

A couple of minutes later the “puppet agent: applying configuration” job completed. I was able to rerun “puppet agent -tv”.

November 18

Linux: Example Puppet Setup

Host:
yum install puppet -y

RHEL 7
echo "server = satelliteserver.yourdomain.com" >> /etc/puppet/puppet.conf; systemctl enable puppet; systemctl start puppet

RHEL 6
echo "server = satelliteserver.yourdomain.com" >> /etc/puppet/puppet.conf; chkconfig puppet on; service puppet start

Server:
puppet cert list

puppet cert sign --all

This signs every pending request, so review the output of “puppet cert list” first.

After you assign the host you can run “puppet agent -tv” to force a sync.

November 18

Linux: Red Hat Satellite with VMWARE

Refresh Satellite's knowledge of the VM servers on the ESXi hosts:
systemctl stop virt-who
virt-who --one-shot 
systemctl start virt-who

Configuration of virt-who on the satellite server:
/etc/virt-who.d/one.conf

[one]
type=esx
hypervisor_id=hostname
server=vcenter.companyname.com
username=domainname\username
encrypted_password=5cd54deb8b1ebfb61fa04a9512bd97ed
owner=OrganizationalNameUsedInSatellite
env=Library
filter_hosts=esxidev.companyname.com,esxidev2.companyname.com,esxidev3.companyname.com,esxidev4.companyname.com,esxidev5.companyname.com,esxidev6.companyname.com,esxiprod1,esxiprod2.companyname.com,esxiprod3,esxiprod4.companyname.com,esxiprod5.companyname.com,esxiprod6.companyname.com,esxidev.companyname.com,esxidev1.companyname.com
rhsm_hostname=servername.companyname.com
rhsm_username=admin
rhsm_encrypted_password=456adc0cafa8ed065c021ce32bf64273
rhsm_prefix=/rhsm