
Scanning

Stealth Scan

Automated Listen:
Log the following protocols via MITM: HTTP, FTP, IMAP, POP3, IRC
Sniffs sensitive data from interface or pcap
Visualize network topologies

Packet Capturing:
Kernel level packet capture
MitM a device's connection to the internet and log its traffic
Man-in-the-middle TLS intercept proxy with tcpdumpable loopback
WireEdit First-Of-A-Kind and The Only Full Stack WYSIWYG Pcap Editor
Open Source Network Forensic Analysis Tool
A network sniffer that logs all DNS server replies
Scapy: the Python-based interactive packet manipulation program & library.

Active Scan

Automated Network Scan/Attacker

Easy automated vulnerability scanning, reporting and analysis
Automated Pentest Toolkit
Automated Penetration Testing Framework
Automated Mass Exploiter
Automated Pentest Recon Scanner
Ettercap autoexploit tool
Multi-purpose brute-forcer
SSH man-in-the-middle tool
Better Man in the Middle framework
Scan websites to check for default credentials
Open Source Vulnerability Assessment and Management
An automated pentest tool of simple attacks
Dynamic Recon of UNKnown networks using ZMAP and NMAP
TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.

Fingerprinting Servers
Scanner to search for SMB issues
Fast SNMP brute force, enumeration, CISCO config downloader and password cracking script

Test TOR Exit nodes
SNMPv3 User Enumerator and Attack tool
Android Network Pentesting

ZMAP:
Download Zmap
https://github.com/zmap/zgrab
https://github.com/zmap/zmap
https://github.com/zmap/ztag
https://github.com/zmap/zdns

Nmap:
vulscan - Vulnerability Scanning with Nmap
Nmap script to use version info to search for CVEs
Bruteforce from Nmap output
Nmap – Techniques for Avoiding Firewalls
Nmap Cheat Sheet
Automate Advanced Nmap Techniques

https://highon.coffee/docs/nmap/

SIP/VOIP
SIP-Based Audit and Attack Tool

Packet Crafting

A command-line network packet crafting and injection utility

Default NMAP Scan

nmap -Pn -sT -p- -sV -T4 -oN nmap/tcp_ports_scan $IP
nmap --privileged -Pn -sV -sU -p- -T4 -oN nmap/udp_ports_scan $IP

IP Discovery

netdiscover:

netdiscover -r 10.0.2.0/24

PingScan

nmap -sn 10.0.0.0/24

masscan:

masscan -p21,22,53,88,80,135,139,443,445,3389,8080 --rate=1000 -oX masscan-10.2.0.0-16 10.2.0.0/16

Service Discovery

All Server Versions for all ports:

sudo nmap 10.200.1.140 -p- -sSVC -T4 -Pn --version-all

Most common 1024 ports

nmap -A -oA "$targetip" "$targetip" | tee "$targetip"/quick-scan.txt

Most Common N ports:

nmap -sV --top-ports 100 -v -Pn -T4 "$targetip" -oA nmap/"$targetip"-top100

Full TCP scan

nmap -v -p- -sT "$targetip" | tee "$targetip"/tcp-scan.txt

Full Version TCP scan

nmap -sV --version-all -p- -oX "$targetip"/version-scan-xml.xml "$targetip" | tee "$targetip"/version-scan.txt

Full Version TCP Scan with Slow Services:

nmap -sV -p- -v -Pn -T4 --max-retries 1 --max-rtt-time 150ms "$targetip" -oA nmap/"$targetip"-allPorts_TCP
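The full -p- scans above write a grepable .gnmap file through -oA. The following POSIX shell helper is an added example, not part of the original notes: it reads that .gnmap file and prints each host's open TCP ports so that the follow-up -sV/-sC scan can be limited to those ports. The sample .gnmap content is constructed here, and version_scan_open_ports assumes nmap is installed.

```shell
#!/bin/sh
# Added example, not from the original notes: read the grepable (.gnmap) file
# that "nmap -p- ... -oA <prefix>" writes and list each host's open TCP ports,
# so the follow-up version scan only probes ports that were actually open.

# Print "HOST PORT,PORT,..." for every host with at least one open port.
# $1: path to a .gnmap file. Hosts without open ports are skipped.
open_ports_from_gnmap() {
    grep 'Ports: ' "$1" | while IFS= read -r line; do
        host=${line#Host: }      # drop the "Host: " prefix ...
        host=${host%% *}         # ... and everything after the address
        # entries look like " 80/open/tcp//http///": keep field 1 when field 2 is "open"
        ports=$(printf '%s\n' "${line#*Ports: }" | tr ',' '\n' \
            | awk -F/ '$2 == "open" { gsub(/ /, "", $1); p = p (length(p) ? "," : "") $1 }
                       END { print p }')
        if [ -n "$ports" ]; then
            printf '%s %s\n' "$host" "$ports"
        fi
    done
}

# Run the targeted version scan for every host listed by open_ports_from_gnmap.
# $1: .gnmap file, $2: output directory. Assumes nmap is on the box.
version_scan_open_ports() {
    open_ports_from_gnmap "$1" | while read -r host ports; do
        nmap -sV -sC -p "$ports" -oA "$2/$host-open-ports" "$host"
    done
}

# Constructed sample .gnmap (three hosts, one of them without open ports).
# $1: path to write the sample to.
write_sample_gnmap() {
    {
        printf '# Nmap scan initiated as: nmap -p- -oA sample 10.0.2.0/24\n'
        printf 'Host: 10.0.2.15 ()\tStatus: Up\n'
        printf 'Host: 10.0.2.15 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/filtered/tcp//rpcbind///\tIgnored State: closed (65532)\n'
        printf 'Host: 10.0.2.16 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)\n'
        printf 'Host: 10.0.2.17 ()\tPorts: 23/filtered/tcp//telnet///\tIgnored State: closed (65534)\n'
    } > "$1"
}

# usage: write_sample_gnmap /tmp/sample.gnmap; open_ports_from_gnmap /tmp/sample.gnmap
```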

Searchsploit on Version results

searchsploit -w --nmap "$targetip"/version-scan-xml.xml

Nmap Services

Scan slow services:

nmap -v -sS -T4 -Pn -R --reason -p- --max-hostgroup=10 --stats-every=2m --host-timeout=20m -sV -iL input_d.txt -oA tcp-d-ports

SSH

Nmap SSH Script Scan

nmap --script="ssh*" -p22 "$targetip" | tee "$targetip"/ssh-scripts.txt

HTTP

Enumerate Folders and Files

python3 /usr/bin/dirsearch-master/dirsearch.py -u http://"$targetip":"$targetport" -e "$webfileextension" --plain-text-report="$targetip"/dirsearch-report.txt --random-agents | tee -a "$targetip"/dirsearch_"$targetport".txt

NMap HTTP Enumeration

nmap --script=http-enum "$targetip" | tee -a "$targetip"/http-enum$targetport.txt

Nikto Vulnerability Assessment

nikto -h http://"$targetip":$targetport | tee -a "$targetip"/nikto$targetport.txt

NMap HTTP Vulnerability Assessment

nmap --script="http-vuln*" "$targetip" | tee -a "$targetip"/http-vuln"$targetport".txt

Get screenshots of Webpages:

docker run --rm -it -v ~/eyewitness:/tmp/EyeWitness eyewitness --web --rdp -x /tmp/EyeWitness/masscan-192.168.1.1-16 --resolve -d /tmp/EyeWitness/results

The container-side mount path must be absolute, and the masscan XML input and the output directory are addressed through that container path, not the host path.

For more see Web_scanning.md

FTP

Nmap Safe Scan

nmap --script="*ftp*" --script-args=unsafe=0 -p 20,21 "$targetip"

Nmap Unsafe Scan

nmap --script="*ftp*" --script-args=unsafe=1 -p 20,21 "$targetip"

NFS

List the NFS file systems

nmap -sV --script=nfs-ls "$targetip" | tee "$targetip"/nfs-ls.nse.txt

nfs-showmount.nse

nmap --script nfs-showmount.nse "$targetip" | tee "$targetip"/nfs-showmount.nse.txt

nfs-statfs.nse

nmap --script nfs-statfs.nse "$targetip" | tee "$targetip"/nfs-statfs.nse.txt

Enumerate NFS shares

showmount -e 192.168.56.103

Full NFS scan

nmap -sV --script="nfs-*" "$targetip"

Mount NFS share
mount -t nfs -o nolock 192.168.1.72:/home/vulnix /tmp/mnt

If you see an NFS-related ACL port open, for example:
2049/tcp nfs_acl
check /etc/exports on the server: it is the access control list for the filesystems that may be exported to NFS clients. See exports(5).

RPC

rpcinfo -p 192.x.x.x
rpcclient -U "" -N 192.x.x.x

Read: https://pentestlab.blog/tag/rpc/

Scan SMB

Discovering Sensitive Information in File Shares

Enumerate Shares

./enum4linux-ng.py -a $targetip

Scan Individually

locate "*.nse" | grep smb | xargs -I % nmap -p 139,445 --script=% "$targetip"

Search for scripts and scan IPs

smbscripts=$(locate "*.nse" | grep smb | paste -s -d "," -)
nmap -p 139,445 --script="$smbscripts" "$targetip"

SMB unsafe scripts

smbscripts=$(locate "*.nse" | grep smb | paste -s -d "," -)
nmap -p 139,445 --script="$smbscripts" --script-args=unsafe=1 "$targetip"

Get SMB Version

msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_version) > run
[*] 192.168.31.142:139    - Host could not be identified: Unix (Samba 2.2.1a)

SMB BruteForce

msf auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_login
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_version) > run

SMB UID BruteForce

msf auxiliary(scanner/smb/smb_lookupsid) > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.31.142
RHOSTS => 192.168.31.142
msf auxiliary(scanner/smb/smb_lookupsid) > run
[*] 192.168.31.142:139    - PIPE(LSARPC) LOCAL(MYGROUP - 5-21-4157223341-3243572438-1405127623) DOMAIN(MYGROUP - )
[*] 192.168.31.142:139    - TYPE=0 NAME=Administrator rid=500

Upload files

smbclient //192.168.31.142/ADMIN$ -U "nobody"%"somepassword" -c "put 40280.py"

MSSQL

Nmap Scan MSSQL

nmap -p 1433 --script "ms-sql*" --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER "$targetip"

NMAP Scripts

nmap -v -d1 -sV --script-args=unsafe=1 --script "(auth or brute or discovery or exploit or external or fuzzer or intrusive or malware or safe or version or vuln) and not (smb-brute or http-slowloris or http-brute or http-enum or http-form-fuzzer or broadcast-avahi-dos or smb-flood or dns-fuzz or http-form-brute or http-iis-short-name-brute or http-fileupload-exploiter or vnc-brute or dos)" -oA nse_full_try2 25.0.0.151

SNMP

Using SNMP Walk:

targetip="192.168.1.1"

#snmp-check
snmp-check "$targetip" |tee "$targetip"/snmpchk.txt
 
#Enumerating the entire MIB Tree
snmpwalk -c public -v1 "$targetip" | tee "$targetip"/snmpwalk.txt
 
#Enumerate Windows Users
snmpwalk -c public -v1 "$targetip" 1.3.6.1.4.1.77.1.2.25 | tee "$targetip"/snmpwalk_users.txt
 
#Enumerate Open TCP Ports
snmpwalk -c public -v1 "$targetip" 1.3.6.1.2.1.6.13.1.3 | tee "$targetip"/snmpwalk_tcp_ports.txt
 
#Enumerate installed Software
snmpwalk -c public -v1 "$targetip" 1.3.6.1.2.1.25.6.3.1.2 | tee "$targetip"/snmpwalk_software.txt

#Enumerate Running Windows Processes
snmpwalk -c public -v1 "$targetip" 1.3.6.1.2.1.25.4.2.1.2 | tee "$targetip"/snmpwalk_processes.txt

Using Nmap:

nmap -sU -p 161 --script="*snmp*" 192.168.1.200

Using Metasploit:

msf >  use auxiliary/scanner/snmp/snmp_login
msf > use auxiliary/scanner/snmp/snmp_enum

snmp-check 192.168.1.2 -c public
snmpget -v 1 -c public IP
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP
onesixtyone -c /usr/share/wordlists/dirb/small.txt 192.168.1.200   # find communities by brute force

for i in $(cat /usr/share/wordlists/metasploit/unix_users.txt); do snmpwalk -v 1 -c "$i" 192.168.1.200 2>&1 | grep -qv "Timeout" && echo "valid community: $i"; done   # find communities by brute force: a wrong community only yields "Timeout"

SMTP

SMTP Script

#SMTP-Brute
nmap --script smtp-brute.nse -p25 $targetip | tee $targetip/smtp-brute.nse.txt

# smtp-commands.nse
nmap --script smtp-commands.nse -p25 $targetip | tee $targetip/smtp-commands.nse.txt

# smtp-enum-users.nse
nmap --script smtp-enum-users.nse -p25 $targetip | tee $targetip/smtp-enum-users.nse.txt

# smtp-ntlm-info.nse
nmap --script smtp-ntlm-info.nse -p25 $targetip | tee $targetip/smtp-ntlm-info.nse.txt

# smtp-open-relay.nse
nmap --script smtp-open-relay.nse -p25 $targetip | tee $targetip/smtp-open-relay.nse.txt

# smtp-strangeport.nse
nmap --script smtp-strangeport.nse -p25 $targetip | tee $targetip/smtp-strangeport.nse.txt

# smtp-vuln-cve2010-4344.nse
nmap --script smtp-vuln-cve2010-4344.nse -p25 $targetip | tee $targetip/smtp-vuln-cve2010-4344.nse.txt

# smtp-vuln-cve2011-1720.nse
nmap --script smtp-vuln-cve2011-1720.nse -p25 $targetip | tee $targetip/smtp-vuln-cve2011-1720.nse.txt

# smtp-vuln-cve2011-1764.nse
nmap --script smtp-vuln-cve2011-1764.nse -p25 $targetip | tee $targetip/smtp-vuln-cve2011-1764.nse.txt

smtp-user-enum   # in Kali
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 10.11.1.22

SMTP sendmail commands:

bash-2.05a$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 barry ESMTP Sendmail 8.11.6/8.11.6; Sun, 20 Aug 2017 00:01:02 +0300
help
214-2.0.0 This is sendmail version 8.11.6
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP ".
214-2.0.0 To report bugs in the implementation send email to
214-2.0.0 [email protected].
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
AUTH
503 5.3.3 AUTH mechanism not available
EHLO barry
250-barry Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP
AUTH LOGIN

POP

POP Script

# Pop Brute
nmap --script pop3-brute.nse -p110 $targetip | tee $targetip/pop3-brute.nse.txt

# pop3-capabilities.nse
nmap --script pop3-capabilities.nse -p110 $targetip | tee $targetip/pop3-capabilities.nse.txt

# pop3-ntlm-info.nse
nmap --script pop3-ntlm-info.nse -p110 $targetip | tee $targetip/pop3-ntlm-info.nse.txt

Telnet

nmap -p 23 --script telnet-brute --script-args userdb=/usr/share/metasploit-framework/data/wordlists/unix_users,passdb=/usr/share/wordlists/rockyou.txt,telnet-brute.timeout=20s 10.11.1.22

Metasploit

1. telnet bruteforce

use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf auxiliary(telnet_login) > set PASS_FILE passwords.txt
PASS_FILE => passwords.txt
msf auxiliary(telnet_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(telnet_login) > set THREADS 254
THREADS => 254
msf auxiliary(telnet_login) > set USER_FILE users.txt
USER_FILE => users.txt
msf auxiliary(telnet_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(telnet_login) > run

msf auxiliary(telnet_login) > sessions -l   # to see the sessions that succeeded

2. telnet version

use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(telnet_version) > set THREADS 254
THREADS => 254
msf auxiliary(telnet_version) > run

Auto Scanners

Rapidscan:

docker run -t --rm -v $(pwd)/reports:/reports kanolato/rapidscan example.com