Network
Nmap
Scan Popular Ports
nmap --top-ports 5000 ip
Fast scan
nmap -T4 -F ip
nmap -sV -T4 -O -F -A --version-light ip
Scan All Ports
nmap -p- -T4 -v ip
Scan With Script & Version
nmap -A -T4 -sC -sV ip
Scan All Local
nmap -sn -T4 192.168.1.1/24
Scan with scripts
nmap -sC ip
nmap --script "default,discovery,exploit,version,vuln" ip
nmap --script "default,discovery,exploit,version,vuln,servicetags,ntp-monlist,dns-recursion,snmp-sysdescr" ip
Scan UDP
sudo nmap -sU -T4 ip
sudo nmap -sUV -T4 -F --version-intensity 0 ip
sudo nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr ip
sudo nmap -sU -pU:19,53,123,161 -Pn -n --max-retries=0 ip
Scan SCTP
nmap -T4 -sY -n --open -Pn ip
Hardcore scan
sudo nmap -sS -sU -p- -Pn -O -sV -sC --allports --version-all -T4 ip -vv
DNS
Port: 53
Domain Name System (DNS) is the hierarchical and distributed naming system used to identify computers reachable through the Internet. It is most commonly used to map human-friendly domain names to the numerical IP addresses computers need to locate services.
Any Information
dig ANY @dns_ip domain
Information
dig TXT @dns_ip domain
Zone Transfer
dig axfr @dns_ip domain
Reverse Lookup
dig -x ip @dns_ip
Reverse All Address
dnsrecon -r 127.0.0.0/24 -n ip_dns
SNMP
Port: 161 / 162
SNMP is used to monitor the network, detect network faults, and sometimes even used to configure remote devices.
List devices
snmp-check ip
RPCBind
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. - redhat
Port: 111
Info
rpcinfo -p ip
NFS
A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. - redhat
Port: 2049
To bypass permission checks, change your uid to match the file owner's uid on the export.
Show NFS
showmount -e squashed.htb
Mount
mount -t nfs squashed.htb:/ nfs_mount -o nolock
Scan Local Network
ARP scanner tools show every active IPv4 device on your subnet. Since ARP is non-routable, this type of scanner only works on the local LAN.
Address Resolution Protocol (ARP) is the Dynamic mapping technique used to map the logical address (IP) to a physical address (MAC).
Arp
sudo arp
Address HWtype HWaddress Flags Mask Iface
NameHost ether xx:xx:xx:xx:xx:xx C INTRFC
Netdiscover
netdiscover
Arp-scan
arp-scan -l
List Open Ports Locally
SS
ss -lntu
Netstat
netstat -tulpn
Hydra
Proxy
export HYDRA_PROXY=connect://localhost:8080
Basic HTTP Auth
hydra -C wordlist.txt SERVER_IP -s PORT http-get /
Post HTTP Login
hydra -l admin -P wordlist.txt -f ip -s port http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
SSH
hydra -L user.txt -P pass.txt -u -f -t 4 ssh://ip:port
FTP
hydra -l m.gates -P /usr/share/wordlists/rockyou.txt ftp://127.0.0.1
Packet Analyzer
Wireshark
Run
sudo wireshark
Get all Files
File > Export Objects > HTTP
Right click on request > Follow > TCP Stream
Filters
smb || smb2 || http || tcp
ip.src == 1.1.1.1 && ip.dst == 1.1.1.1 && tcp.port == 80
TCPflow
Export File of pcap
tcpflow -r capture.pcap
Tcpdump
Basic
sudo tcpdump -i any
Limit Packet Count With A Filter
sudo tcpdump -i any -c <MAX_PACKETS> host 192.168.1.1 '&&' port 80 '&&' src 1.1.1.1
Print HTTP content
sudo tcpdump -i any -c10 -nn -A port 80
Save
sudo tcpdump -i any -w file.pcap
Python
from scapy.all import rdpcap, TCP, Raw

scapy_cap = rdpcap('file.pcap')
for i, packet in enumerate(scapy_cap):
    # Only TCP segments that actually carry data (skips ARP, UDP, pure ACKs, ...)
    if packet.haslayer(TCP) and isinstance(packet[TCP].payload, Raw):
        try:
            print(i, ':', packet[TCP].payload.load.decode())
        except UnicodeDecodeError:
            print(i, ':', packet[TCP].payload.load)
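The same payload extraction that tcpflow and the scapy snippet above perform, done without scapy as an added example that is not part of the original page: it parses the pcap file format directly and joins the TCP payloads of each unidirectional flow in sequence order, the way tcpflow names its output files. The capture bytes (SAMPLE) are constructed inline; everything else is plain struct parsing.

```python
import struct
from collections import defaultdict

def build_pcap(packets):
    """Serialise (ts_sec, frame) pairs as a little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame for sample input; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zeroed MACs, EtherType IPv4

def tcp_flows(pcap):
    """Return {(src, sport, dst, dport): payload bytes}, segments joined in sequence order.
    Simplifications: no seq wrap-around handling, retransmitted segments are not de-duplicated."""
    magic, = struct.unpack_from("<I", pcap)
    end = "<" if magic == 0xA1B2C3D4 else ">"       # byte order of the record headers
    segs, off = defaultdict(list), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or len(frame) < 34:   # IPv4 over Ethernet only
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:                                         # IP protocol 6 = TCP
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        if len(tcp) < 20:
            continue
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]                     # skip header incl. options
        if payload:
            segs[(src, sport, dst, dport)].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in segs.items()}

# Constructed capture: an HTTP request split in two segments recorded out of order,
# the server's reply, and an ARP frame that the parser must ignore.
SAMPLE = build_pcap([
    (1, tcp_frame("10.0.0.5", 40000, "10.0.0.9", 80, 1016, b"Host: example.test\r\n\r\n")),
    (1, tcp_frame("10.0.0.5", 40000, "10.0.0.9", 80, 1000, b"GET / HTTP/1.1\r\n")),
    (1, b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28),
    (2, tcp_frame("10.0.0.9", 80, "10.0.0.5", 40000, 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")),
])
```

For a real capture, call tcp_flows(open('capture.pcap', 'rb').read()) and print each flow's bytes; pcapng files use a different container format and are not handled here.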