Target.Network.Scanning.txt
`` Host discovery
`` ARP
~$ arp -a
~# arp-scan VAR_TARGET_CIDR -I eth0
-- fping is ICMP rather than ARP; -g expands the CIDR into targets, -a prints only hosts that answer
~$ fping -a -g VAR_TARGET_CIDR 2>/dev/null
`` TCP/IP
-- Set some variables first
~$ export VAR_TARGET_CIDR=10.10.10.0/24
-- Strip the prefix length (works for any /N, not just two-digit ones), e.g. 10.10.10.0
~$ export VAR_FILENAME=${VAR_TARGET_CIDR%/*}
~$ export VAR_TARGET_HOSTS=$VAR_FILENAME-hosts.txt
-- Ping scan only, no DNS resolution
~$ nmap -sn -n -oA $VAR_FILENAME-ping-basic $VAR_TARGET_CIDR
-- When ICMP is blocked: probe common TCP/UDP ports instead (raw ACK/UDP probes need root); still incomplete, mostly useful on internal networks
~# nmap -sn -n -v -PA21,22,80,111,139,161,162,389,443,445 -PS21,22,80,111,139,161,162,389,443,445 -PU69,161,162,111,123,500 -oA $VAR_FILENAME-ping-fast $VAR_TARGET_CIDR
-- A more in-depth discovery
@ ~/lib/pentesting-cookbook/bin/scan_top.sh
-- In case the scan fails:
- Change source port, e.g. -g53 or -g88
- Add --randomize-hosts
- Change -PA to -PS
- Run with --unprivileged
`` Discovery using TCP over SOCKS
-- proxychains only intercepts connect(); raw packets bypass the proxy (and leak your address), so run nmap unprivileged so that -PS falls back to connect(). -PA and UDP-only ports make no sense through a proxy
~$ proxychains -q nmap --unprivileged -sn -n -PS21,22,23,80,111,139,389,443,445 VAR_TARGET_CIDR
`` NetBIOS, ARP and plain ping sweeps (local segment, not proxied)
~# nbtscan -r VAR_TARGET_CIDR
~# netdiscover -i eth1 -P -N -r VAR_TARGET_CIDR
~$ for i in $(seq 1 254); do ip_address="192.168.1.$i"; ping -c 1 -W 1 $ip_address | grep "bytes from" >/dev/null && echo "$ip_address :)" || echo -n "."; done
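The ping loop above walks a /24 serially, so a quiet subnet costs about 254 seconds. The following is an added example, not the cookbook's own code, that generalises it into a parallel sweep whose probe is pluggable: the default uses iputils `ping -W` (Linux-specific), and a TCP-connect probe on 445 is shown for networks that drop ICMP. The function, probe and prefix names are assumptions for the example.

```shell
# Added example (not the cookbook's own code): parallel /24 sweep with a
# pluggable probe. PROBE is any command that exits 0 when the host answers.

# Default probe: one ICMP echo, 1 s wait (iputils ping; -W is Linux-specific).
icmp_probe() { ping -c 1 -W 1 "$1" >/dev/null 2>&1; }

# Alternative probe for hosts that drop ICMP but serve SMB: TCP connect to 445
# with a 1 s timeout; swap the port for whatever the network is likely to run.
tcp445_probe() { nc -z -w 1 "$1" 445 >/dev/null 2>&1; }

# sweep24 PREFIX [PROBE] -> responding hosts, one per line, in address order.
# All 254 probes run concurrently as background subshells; wait collects them.
sweep24() {
  prefix=$1
  probe=${2:-icmp_probe}
  (
    i=1
    while [ "$i" -le 254 ]; do
      ( "$probe" "$prefix.$i" && printf '%s\n' "$prefix.$i" ) &
      i=$((i + 1))
    done
    wait
  ) | sort -t. -k4,4n
}

# Usage (hypothetical prefix):
#   sweep24 10.10.10                 # ICMP sweep
#   sweep24 10.10.10 tcp445_probe    # SMB-connect sweep
```

Because the probe is just a command name, the same function drives an ARP, ICMP or TCP sweep; anything that returns a useful exit status (including `nmap -sn` on a single address) can be dropped in.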
`` Nmap ping scan types (raw probes need root; unprivileged -PS/-PA fall back to connect())
~# nmap -sn -n -PE VAR_TARGET_CIDR
PS - TCP SYN (default port 80)
PA - TCP ACK (default port 80)
PU - UDP (default port 40125, chosen to be closed so a port-unreachable comes back)
PY - SCTP INIT (default port 80)
PE - ICMP echo
PP - ICMP timestamp
PM - ICMP address mask
PO - other IP protocol (defaults: 1 ICMP, 2 IGMP, 4 IP-in-IP)
PR - ARP (used automatically on the local Ethernet segment; works only there)
`` Data processing
~$ grep "Status: Up" $VAR_FILENAME-*.gnmap | cut -d" " -f2 | sort | uniq > $VAR_TARGET_HOSTS
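The grep/cut pipeline above recovers live hosts from the .gnmap files written by `-oA`, and the variable block earlier derives the file prefix from the CIDR. The following is an added example, not the cookbook's own code, that packages both as shell functions and goes one step further by pulling open ports out of a port-scan .gnmap (the `Ports:` records), which is what the later per-service commands need. The sample .gnmap content is constructed for the demo; function names are assumptions.

```shell
# Added example (not the cookbook's own code): derive the file prefix from a
# CIDR and post-process nmap -oA .gnmap output.

# cidr_base CIDR -> network address without the prefix length (any /N).
cidr_base() { printf '%s\n' "${1%/*}"; }

# gnmap_up_hosts FILE... -> unique hosts reported "Status: Up", in address
# order (plain sort|uniq would put 10.10.10.20 before 10.10.10.3).
gnmap_up_hosts() {
  grep -h 'Status: Up' "$@" | awk '{ print $2 }' \
    | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# gnmap_open_ports FILE... -> "ip port/proto service" for every open port.
# .gnmap fields are tab-separated; each Ports: entry is
# port/state/proto/owner/service/rpc/version/
gnmap_open_ports() {
  awk -F'\t' '
    /Ports:/ {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        p = $i; sub(/^Ports: /, "", p)
        n = split(p, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
        }
      }
    }' "$@"
}

# Constructed sample .gnmap (same layout nmap -oA writes), for the demo below.
SAMPLE_GNMAP=$(mktemp)
{
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 10.10.10.1 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (297)\n'
  printf 'Host: 10.10.10.1 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.20 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\n'
  printf 'Host: 10.10.10.2 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.3 ()\tStatus: Down\n'
} > "$SAMPLE_GNMAP"

# Demo: hosts list (duplicate 10.10.10.1 collapsed, Down host dropped) and open ports.
cidr_base 10.10.10.0/24
gnmap_up_hosts "$SAMPLE_GNMAP"
gnmap_open_ports "$SAMPLE_GNMAP"
```

In practice the first two calls replace the export and grep lines: `VAR_FILENAME=$(cidr_base "$VAR_TARGET_CIDR")` and `gnmap_up_hosts "$VAR_FILENAME"-*.gnmap > "$VAR_TARGET_HOSTS"`; the third feeds `-p` lists or per-service follow-ups.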
`` Service discovery
-- Using input from network scanning: $VAR_TARGET_HOSTS
`` Basic (with default nmap top ports)
-- Basic approach, assume all hosts are up ($VAR_TARGET_HOSTS is "verified" already)
~$ nmap -Pn -n -v --top-ports 300 -iL $VAR_TARGET_HOSTS -oA $VAR_FILENAME-ports-top-300
-- Same again as a SYN scan (root; no full handshake, so it is faster and leaves less in the targets' application logs than connect())
~# nmap -sS -Pn -n -v --top-ports 300 -iL $VAR_TARGET_HOSTS -oA $VAR_FILENAME-ports-top-300-syn
`` With -Pn every listed address is port-scanned, dead ones included, so large -Pn scans crawl. When scanning a CIDR directly (rather than the verified $VAR_TARGET_HOSTS), keep discovery on but give it custom probes instead:
~# nmap -n -v --top-ports 300 -PE -PP -PM -PS110,111,113,137,138,139,143,1433,1723,161,162,20,21,22,2001,2020,2222,23,2525,27017,3306,3389,389,4443,445,5020,5432,5061,587,5900,5901,636,6379,843,88,8000,8022,8080,8443,8888,993,995 -PU53,161,162,69,111,123,500 -oA $VAR_FILENAME-ports-top-300-probes $VAR_TARGET_CIDR
`` More intense, full port range
-- In case the network might be monitored, light versioning, medium speed
~$ nmap -Pn -n -v -p- -sV --version-light -T3 -iL $VAR_TARGET_HOSTS -oA $VAR_FILENAME-ports-all
-- In case the network is not monitored, full service and OS discovery, higher speed
~# nmap -Pn -n -v -p- -sV -O -T4 -iL $VAR_TARGET_HOSTS -oA $VAR_FILENAME-ports-all-os
`` Stealthy
`` Scanning a large network while trying to avoid detection: top ports, timing between T3 and T4, one host and one outstanding probe at a time
~$ nmap -Pn -n -v --top-ports=800 --max-rtt-timeout=2000ms --min-rtt-timeout=300ms --initial-rtt-timeout=500ms --max-retries=2 --host-timeout=15m --max-parallelism=1 --max-hostgroup=1 -iL $VAR_TARGET_HOSTS
`` Firewall bypassing
-- Source port 443 (or 53): slips past stateless filters that allow anything "from" a trusted service port; -g only applies to raw scans such as -sS, so root
~# nmap -T4 -sS -v -Pn -g 443 -n --top-ports 1500 -iL $VAR_TARGET_HOSTS
`` Bypassing Windows IPsec filter
-- Older Windows IPsec policies exempt Kerberos (88) traffic by default
~# nmap -sS -v -v -Pn -g 88 -O -A -p- -iL $VAR_TARGET_HOSTS
`` Using zombies (idle scan)
-- The zombie must be idle and have an incremental IP ID sequence; check before relying on it
~# nmap -n -Pn -p 443 --script ipidseq VAR_ZOMBIE_HOST
-- Probes are sent as the zombie, so decoys (-D) add nothing; -Pn keeps your own ping off the wire; --data-length takes a byte count and --mtu (multiple of 8) fragments
~# nmap -T2 --packet-trace -Pn -n -v -sI VAR_ZOMBIE_HOST:443 --data-length 16 --mtu 24 -iL $VAR_TARGET_HOSTS
`` FTP bounce scanning
-- Needs an FTP server that still honours PORT to third-party addresses (-b syntax: user:pass@host:port, anonymous if omitted). Only the connect-style port scan goes through the server; -sV/-A/-O and a spoofed source port would be sent straight from your host, which defeats the purpose
~$ nmap -b VAR_FTP_HOST -Pn -n -v --top-ports 500 -iL $VAR_TARGET_HOSTS
`` Scanning over a SOCKS proxy
~$ proxychains -q nmap -sT -Pn -n -v $VAR_TARGET_CIDR
`` PowerShell
`` With simple range-based port scanning
-- 300 ms connect timeout per port; a plain .Connect() blocks for ~20 s on every filtered port, and Close() releases the socket
>$ 1..254 | % { $a = $_; 1..1024 | % { $c = New-Object Net.Sockets.TcpClient; try { if ($c.ConnectAsync("192.168.1.$a", $_).Wait(300)) { "192.168.1.$a port $_ is open!" } } catch {} finally { $c.Close() } } }
`` With simple list-based port scanning
>$ 1..254 | % { $a = $_; write-host "------"; write-host "192.168.1.$a"; 22,53,80,445 | % { $c = New-Object Net.Sockets.TcpClient; try { if ($c.ConnectAsync("192.168.1.$a", $_).Wait(300)) { "Port $_ is open!" } } catch {} finally { $c.Close() } } }
`` TCP
~# hping3 -S -8 1-65535 VAR_TARGET_HOST | grep -v 'Not responding'
~# hping3 -S -c 3 -s 53 -p 80 VAR_TARGET_HOST
-- Through a proxy stick to connect() and scripts: -A implies -O and traceroute, which need raw packets, bypass the proxy and leak your address
~$ proxychains -q nmap -T4 -Pn -sT -sV --script default -n -v --top-ports 2500 VAR_TARGET_HOST
~$ nc -vvn -w 1 -z VAR_TARGET_HOST 1-65535
~# unicornscan -H -msf -Iv VAR_TARGET_HOST -p 1-65535
`` UDP
-- Full-range UDP with version probes is slow even with one retry and a 150 ms RTT cap; start with --top-ports 100 and widen once the interesting hosts are known
~# nmap -nv -sU -sV -Pn -p- --reason --stats-every 60s --max-rtt-timeout=150ms --max-retries=1 VAR_TARGET_HOST
~$ nc -nvu -w 1 -z VAR_TARGET_HOST 1-65535
~# unicornscan -H -mU -Iv VAR_TARGET_HOST -p 1-65535
`` Fingerprinting
~$ amap -A VAR_TARGET_HOST VAR_TARGET_PORT
~$ nmap -A -sV -Pn -n -v VAR_TARGET_HOST -p VAR_TARGET_PORT
~$ nmap -A -sV -Pn -n -v --version-all VAR_TARGET_HOST -p VAR_TARGET_PORT
`` Scripts
`` PowerShell
@ snippets/windows/utils/PortScanning.ps1
`` Port knocking
-- One SYN per knock port, in order; the host timeout is 201 ms (without a unit nmap reads it as seconds) so nmap does not linger on the closed ports
~$ for x in 7000 8000 9000; do nmap -n -Pn --host-timeout 201ms --max-retries 0 -p $x VAR_TARGET_HOST; done
`` Looking for information useful in further network penetration
`` FTP
-- -oA appends .nmap/.gnmap/.xml itself, so give it a bare base name
~$ nmap -PS21 --open -v -n -p21 --script ftp-anon -oA $VAR_FILENAME-tcp-21 $VAR_TARGET_CIDR
`` NFS
~$ nmap -PS2049 --open -v -n -p2049 -oA $VAR_FILENAME-tcp-2049 $VAR_TARGET_CIDR
~# nmap -PU2049 --open -v -n -sU -p2049 -oA $VAR_FILENAME-udp-2049 $VAR_TARGET_CIDR
`` TFTP
~# nmap -PU69 --open -v -n -sU -p69 -oA $VAR_FILENAME-udp-69 $VAR_TARGET_CIDR
`` SMB
~$ nmap -PS445 --open -v -n -p445 -oA $VAR_FILENAME-tcp-445 $VAR_TARGET_CIDR
~$ nmap --script smb-enum-shares -p445 -v -n --open -oA $VAR_FILENAME-smb-shares $VAR_TARGET_CIDR
`` SNMP
~# nmap -sU --open -v -n -p161 --script snmp-info -oA $VAR_FILENAME-udp-161 $VAR_TARGET_CIDR
`` HTTP / NAS
- Run HTTP discovery with `pukpuk`, search for keywords in responses.