Stealth Scan

Automated Listen:
Log the following protocols with MITM: HTTP, FTP, IMAP, POP3, IRC
Sniffs sensitive data from interface or pcap
Visualize network topologies

Packet Capturing:
Kernel level packet capture
MitM devices connection with the internet and log traffic
Man-in-the-middle TLS intercept proxy with tcpdumpable loopback
WireEdit First-Of-A-Kind and The Only Full Stack WYSIWYG Pcap Editor
Open Source Network Forensic Analysis Tool
A network sniffer that logs all DNS server replies
Scapy: the Python-based interactive packet manipulation program & library.

Active Scan

Automated Network Scan/Attacker

Easy automated vulnerability scanning, reporting and analysis
Automated Pentest Toolkit
Automated Penetration Testing Framework
Automated Mass Exploiter
Automated Pentest Recon Scanner
Ethercap autoexploit tool
Multi-purpose brute-forcer
SSH man-in-the-middle tool
Better Man in the Middle framework
Scan Website to check for default credential
Open Source Vulnerability Assessment and Management
An automated pentest tool of simple attacks
Dynamic Recon of UNKnown networks using ZMAP and NMAP
TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.

Fingerprinting Servers
Scanner to search for SMB issues
Fast SNMP brute force, enumeration, CISCO config downloader and password cracking script

Test TOR Exit nodes
SNMPv3 User Enumerator and Attack tool
Android Network Pentesting

ZMAP:
Download Zmap
Fast Go Application Scanner
ZMap is a fast single packet network scanner designed for Internet-wide network surveys.
Fast DNS Lookup Library and CLI Tool

Nmap:
vulscan - Vulnerability Scanning with Nmap
Nmap script to use version info to search for CVEs
Bruteforce from Nmap output
Nmap – Techniques for Avoiding Firewalls
Nmap Cheat Sheet
Automate Advanced Nmap Techniques
Nmap Cheat Sheet: Commands, Flags, Switches & Examples (2024)

SIP/VOIP
SIP-Based Audit and Attack Tool

Packet Crafting

A command-line network packet crafting and injection utility

Default NMAP Scan

nmap -Pn -sT -p- -sV -T4 -oN nmap/tcp_ports_scan $IP
nmap --privileged -Pn -sV -sU -p- -T4 -oN nmap/udp_ports_scan $IP

IP Discovery

netdiscover:

netdiscover -r 10.0.2.0/24

PingScan

nmap -sn 10.0.0.0/24

masscan:

masscan -p21,22,53,88,80,135,139,443,445,3389,8080 --rate=1000 -oX masscan-10.2.0.0-16 10.2.0.0/16

Service Discovery

All Server Versions for all ports:

sudo nmap 10.200.1.140 -p- -sSVC -T4 -Pn --version-all

Most common 1024 ports

nmap -A -oA "$targetip" "$targetip" | tee "$targetip"/quick-scan.txt

Most Common N ports:

nmap -sV --top-ports 100 -v -Pn -T4 "$targetip" -oA nmap/"$targetip"-top100

Full TCP scan

nmap -v -p- -sT "$targetip" | tee "$targetip"/tcp-scan.txt

Full Version TCP scan

nmap -sV --version-all -p- "$targetip" | tee "$targetip"/version-scan.txt

Full Version TCP Scan with Slow Services:

nmap -sV -p- -v -Pn -T4 --max-retries 1 --max-rtt-time 150ms "$targetip" -oA nmap/"$targetip"-allPorts_TCP

Searchsploit on Version results

searchsploit -w --nmap "$targetip"/version-scan-xml.xml
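The scans above write XML alongside the text output (-oA, -oX), and that XML is what searchsploit --nmap and most follow-up tooling consume. The following is an added example, not code from this page, from nmap or from any tool it lists: a small parser that turns an nmap XML document into a list of confirmed-open services and separates out the ports nmap could not fingerprint, which are the ones worth a --version-all pass. SAMPLE_XML is constructed input in the shape nmap writes, not a real scan.

```python
"""Turn nmap XML output (the .xml file written by -oX or -oA) into a flat
list of open services.  This is an added example for this cheat sheet, not
code from nmap or from any tool listed on the page; SAMPLE_XML is constructed
input in the shape nmap writes, not a real scan."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample: one host with an open, versioned SSH port, an open HTTP
# port nmap could not fingerprint, a closed port, and a UDP port that only
# came back open|filtered (no reply, the usual -sU result).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p- 10.0.2.15">
  <host>
    <status state="up"/>
    <address addr="10.0.2.15" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="conn-refused"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    product: str
    version: str


def parse_nmap_xml(text: str, include_filtered: bool = False) -> List[Service]:
    """Return the open services in an nmap XML document.

    open|filtered is dropped unless include_filtered is set: for UDP it only
    means nothing answered, so it is a lead for a follow-up, not a finding."""
    root = ET.fromstring(text)
    services: List[Service] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                      # fall back to whatever address nmap recorded
            addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        for port in host.iter("port"):
            state_el = port.find("state")
            state = state_el.get("state", "") if state_el is not None else ""
            if state != "open" and not (include_filtered and state == "open|filtered"):
                continue
            svc = port.find("service")           # absent when -sV was not used
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append(Service(
                host=addr,
                port=int(port.get("portid", "0")),
                proto=port.get("protocol", ""),
                state=state,
                name=get("name"),
                product=get("product"),
                version=get("version"),
            ))
    return services


def unversioned(services: List[Service]) -> List[Service]:
    """Confirmed-open ports with no product fingerprint: the ones worth a
    second pass with --version-all or a manual banner check."""
    return [s for s in services if s.state == "open" and not s.product]


if __name__ == "__main__":
    for s in parse_nmap_xml(SAMPLE_XML, include_filtered=True):
        print(f"{s.host}:{s.port}/{s.proto:<4} {s.state:<14} {s.name:<8} {s.product} {s.version}".rstrip())
```

Point it at a real file with `parse_nmap_xml(open("nmap/target.xml").read())`; the open|filtered split matters mostly for the UDP scan at the top of the page, where almost every port comes back in that state.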

Nmap Services

Scan slow services:

nmap -v -sS -T4 -Pn -R --reason -p- --max-hostgroup=10 --stats-every=2m --host-timeout=20m -sV -iL input_d.txt -oA tcp-d-ports

SSH

Nmap SSH Script Scan

nmap --script=ssh* -p22 "$targetip" | tee "$targetip"/ssh-scripts.txt

HTTP

Enumerate Folders and Files

python3 /usr/bin/dirsearch-master/dirsearch.py -u http://"$targetip":$targetport -e $webfileextention --plain-text-report="$targetip"/dirsearch-report.txt --random-agents | tee -a "$targetip"/dirsearch_$targetport.txt

NMap HTTP Enumeration

nmap --script=http-enum "$targetip" | tee -a "$targetip"/http-enum$targetport.txt

Nikto Vulnerability Assessment

nikto -h http://"$targetip":$targetport | tee -a "$targetip"/nikto$targetport.txt

NMap HTTP Vulnerability Assessment

nmap --script="http-vuln*" "$targetip" | tee -a "$targetip"/http-vuln$targetport.txt

Get screenshots of Webpages:

# the container side of -v must be an absolute path; the masscan XML and the output dir (-d) are referenced through that mount
docker run --rm -it -v ~/eyewitness:/tmp/eyewitness eyewitness --web --rdp -x /tmp/eyewitness/masscan-192.168.1.1-16 --resolve -d /tmp/eyewitness/

For more see [Web Scanning.md](/Web Exploitation/Web Scanning)

FTP

Nmap Safe Scan

nmap --script="*ftp*" --script-args=unsafe=0 -p 20,21 "$targetip"

Nmap Unsafe Scan

nmap --script="*ftp*" --script-args=unsafe=1 -p 20,21 "$targetip"

NFS

List the NFS file systems

nmap -sV --script=nfs-ls "$targetip" | tee "$targetip"/nfs-ls.nse.txt

nfs-showmount.nse

nmap --script nfs-showmount.nse "$targetip" | tee "$targetip"/nfs-showmount.nse.txt

nfs-statfs.nse

nmap --script nfs-statfs.nse "$targetip" | tee "$targetip"/nfs-statfs.nse.txt

Enumerate NFS shares

showmount -e 192.168.56.103

Full NFS scan

nmap -sV --script=nfs-* $targetip

Mount NFS share

mount -t nfs 192.168.1.72:/home/vulnix /tmp/mnt -o nolock

If you see an NFS-related ACL port open, review /etc/exports on the host:

2049/tcp nfs_acl

/etc/exports: the access control list for filesystems which may be exported to NFS clients. See exports(5).
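What to look for in /etc/exports once that port shows up is the client list and the squash options. The following is an added example, not code from this page or from any NFS tool: a parser for the exports(5) line format plus a check that flags shares exported to any host, shares with no_root_squash, and shares with the insecure option. SAMPLE_EXPORTS is constructed input, not a real configuration; the /home/vulnix path is reused from the mount command above only as a sample.

```python
"""Review /etc/exports for the settings that make an NFS share dangerous.
Added example for this page, not part of any NFS tool or of exports(5) itself;
SAMPLE_EXPORTS is constructed input, not a real configuration.

exports(5) line shape:  <path> <client>(<options>) [<client>(<options>) ...]
A path with no client list is exported to every host with default options."""
import re
from typing import Dict, List

# Constructed sample: a share open to any host, a share that lets remote root
# stay root, a correctly restricted one, and a bare path with no client list.
SAMPLE_EXPORTS = """
# /etc/exports (constructed sample)
/srv/public     *(ro,sync)
/home/vulnix    192.168.1.0/24(rw,no_root_squash,sync)
/srv/backup     backuphost.example.net(rw,root_squash,sync,no_subtree_check)
/srv/legacy
"""

# one client entry: host spec, optionally followed by (opt,opt,...)
CLIENT_RE = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")


def parse_exports(text: str) -> List[Dict]:
    """Return [{'path': ..., 'clients': [{'host': ..., 'options': [...]}]}]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, client_text = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for m in CLIENT_RE.finditer(client_text):
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            clients.append({"host": m.group(1), "options": opts})
        if not clients:    # bare path: every host may mount it, default options
            clients.append({"host": "*", "options": []})
        entries.append({"path": path, "clients": clients})
    return entries


def find_weak_exports(text: str) -> List[str]:
    """Findings that a scan hit on 2049/tcp or nfs_acl should trigger a review of."""
    findings = []
    for entry in parse_exports(text):
        for client in entry["clients"]:
            opts = set(client["options"])
            where = f"{entry['path']} -> {client['host']}"
            if client["host"] == "*":
                findings.append(f"{where}: exported to any host")
            if "no_root_squash" in opts:
                findings.append(f"{where}: no_root_squash (remote uid 0 stays root on the share)")
            if "insecure" in opts:
                findings.append(f"{where}: insecure (requests from ports above 1023 accepted)")
    return findings


if __name__ == "__main__":
    for finding in find_weak_exports(SAMPLE_EXPORTS):
        print(finding)
```

The fix for each finding is in the same file: restrict the client spec to the hosts or subnet that need the share, and drop no_root_squash unless a specific client genuinely requires it.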

RPC

rpcinfo -p 192.x.x.x
rpcclient -I 192.x.x.x

READ:
RPC Service Exploitation in Windows XP

Scan SMB

Discovering Sensitive Information in File Shares

Enumerate Shares

./enum4linux-ng.py -a $targetip

Scan Individually

locate "*.nse" | grep smb | xargs -I % nmap -p 139,445 --script=% "$targetip"

Search for scripts and scan IPs

smbscripts=$(locate "*.nse" | grep smb | paste -s -d "," -)
nmap -p 139,445 --script="$smbscripts" "$targetip"

SMB unsafe scripts

smbscripts=$(locate "*.nse" | grep smb | paste -s -d "," -)
nmap -p 139,445 --script="$smbscripts" --script-args=unsafe=1 "$targetip"

Get SMB Version

msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_version) > run
[*] 192.168.31.142:139 - Host could not be identified: Unix (Samba 2.2.1a)

SMB BruteForce

msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_login
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_version) > run

SMB UID BruteForce

msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_lookupsid) > run
[*] 192.168.31.142:139 - PIPE(LSARPC) LOCAL(MYGROUP - 5-21-4157223341-3243572438-1405127623) DOMAIN(MYGROUP - )
[*] 192.168.31.142:139 - TYPE=0 NAME=Administrator rid=500

Upload files

smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"

MSSQL

Nmap Scan MSSQL

nmap -p 1433 --script "ms-sql*" --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $targetip

NMAP Scripts

# every script category except the listed noisy/DoS scripts; unsafe=1 enables scripts that may crash the service
nmap -v -d1 -sV --script-args=unsafe=1 \
  --script "(auth or brute or discovery or exploit or external or fuzzer or intrusive or malware or safe or version or vuln) and not(smb-brute or http-slowloris or http-brute or http-enum or http-form-fuzzer or broadcast-avahi-dos or smb-flood or dns-fuzz or http-form-brute or http-iis-short-name-brute or http-fileupload-exploiter or vnc-brute or dos)" \
  -oA nse_full_try2 25.0.0.151

SNMP

Using SNMP Walk:

targetip="192.168.1.1"
# snmp-check
snmp-check "$targetip" | tee "$targetip"/snmpchk.txt
# Enumerating the entire MIB Tree
snmpwalk -c public -v1 "$targetip" | tee "$targetip"/snmpwalk.txt
# Enumerate Windows Users
snmpwalk -c public -v1 "$targetip" 1.3.6.1.4.1.77.1.2.25 | tee "$targetip"/snmpwalk_users.txt
# Enumerate Open TCP Ports
snmpwalk -c public -v1 "$targetip" 1.3.6.1.2.1.6.13.1.3 | tee "$targetip"/snmpwalk_tcp_ports.txt
# Enumerate installed Software
snmpwalk -c public -v1 "$targetip" 1.3.6.1.2.1.25.6.3.1.2 | tee "$targetip"/snmpwalk_software.txt
# Enumerate Running Windows Processes
snmpwalk -c public -v1 "$targetip" 1.3.6.1.2.1.25.4.2.1.2 | tee "$targetip"/snmpwalk_processes.txt

Using Nmap:

nmap -sU -p 161 --script="*snmp*" 192.168.1.200

Using Metasploit:

msf > use auxiliary/scanner/snmp/snmp_login
msf > use auxiliary/scanner/snmp/snmp_enum

Other SNMP tools:

snmp-check 192.168.1.2 -c public
snmpget -v 1 -c public IP <OID>
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP
# find communities with bruteforce
onesixtyone -c /usr/share/wordlists/dirb/small.txt 192.168.1.200
# find communities with bruteforce
for i in $(cat /usr/share/wordlists/metasploit/unix_users.txt); do snmpwalk -v 1 -c $i 192.168.1.200; done | grep -e "Timeout"

SMTP

SMTP Script

# SMTP-Brute
nmap --script smtp-brute.nse -p25 $targetip | tee $targetip/smtp-brute.nse.txt
# smtp-commands.nse
nmap --script smtp-commands.nse -p25 $targetip | tee $targetip/smtp-commands.nse.txt
# smtp-enum-users.nse
nmap --script smtp-enum-users.nse -p25 $targetip | tee $targetip/smtp-enum-users.nse.txt
# smtp-ntlm-info.nse
nmap --script smtp-ntlm-info.nse -p25 $targetip | tee $targetip/smtp-ntlm-info.nse.txt
# smtp-open-relay.nse
nmap --script smtp-open-relay.nse -p25 $targetip | tee $targetip/smtp-open-relay.nse.txt
# smtp-strangeport.nse
nmap --script smtp-strangeport.nse -p25 $targetip | tee $targetip/smtp-strangeport.nse.txt
# smtp-vuln-cve2010-4344.nse
nmap --script smtp-vuln-cve2010-4344.nse -p25 $targetip | tee $targetip/smtp-vuln-cve2010-4344.nse.txt
# smtp-vuln-cve2011-1720.nse
nmap --script smtp-vuln-cve2011-1720.nse -p25 $targetip | tee $targetip/smtp-vuln-cve2011-1720.nse.txt
# smtp-vuln-cve2011-1764.nse
nmap --script smtp-vuln-cve2011-1764.nse -p25 $targetip | tee $targetip/smtp-vuln-cve2011-1764.nse.txt
# smtp-user-enum (in Kali)
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 10.11.1.22

SMTP sendmail commands:

bash-2.05a$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 barry ESMTP Sendmail 8.11.6/8.11.6; Sun, 20 Aug 2017 00:01:02 +0300
help
214-2.0.0 This is sendmail version 8.11.6
214-2.0.0 Topics:
214-2.0.0     HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0     RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0     EXPN    VERB    ETRN    DSN     AUTH
214-2.0.0     STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation send email to
214-2.0.0     [email protected].
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
AUTH
503 5.3.3 AUTH mechanism not available
EHLO barry
250-barry Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP
AUTH LOGIN

POP

POP Script

# Pop Brute
nmap --script pop3-brute.nse -p110 $targetip | tee $targetip/pop3-brute.nse.txt
# pop3-capabilities.nse
nmap --script pop3-capabilities.nse -p110 $targetip | tee $targetip/pop3-capabilities.nse.txt
# pop3-ntlm-info.nse
nmap --script pop3-ntlm-info.nse -p110 $targetip | tee $targetip/pop3-ntlm-info.nse.txt

Telnet

nmap -p 23 --script telnet-brute --script-args userdb=/usr/share/metasploit-framework/data/wordlists/unix_users,passdb=/usr/share/wordlists/rockyou.txt,telnet-brute.timeout=20s 10.11.1.22

telnet bruteforce:

use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf auxiliary(telnet_login) > set PASS_FILE passwords.txt
PASS_FILE => passwords.txt
msf auxiliary(telnet_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(telnet_login) > set THREADS 254
THREADS => 254
msf auxiliary(telnet_login) > set USER_FILE users.txt
USER_FILE => users.txt
msf auxiliary(telnet_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(telnet_login) > run
msf auxiliary(telnet_login) > sessions -l    # list the sessions that succeeded

Get Telnet Version:

use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(telnet_version) > set THREADS 254
THREADS => 254
msf auxiliary(telnet_version) > run

Auto Scanners

Rapidscan:

docker run -t --rm -v $(pwd)/reports:/reports kanolato/rapidscan example.com