Pentester's Promiscuous Notebook
TwitterGitHubBlogSponsor
Search
K
Links
Comment on page

Scanning

Host Discovery

ARP

arp-scan

Active:
$ sudo arp-scan -l [-s <SPOOFED_IP>] -v
$ sudo arp-scan -I eth0 192.168.0.0/24

netdiscover

Passive:
$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -p
Active, sending 20 requests per IP:
$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -c 20

Hunt for Subnets

Take 10.0.0.0/8 as an example:
$ sudo nmap -n -sn 10.0-255.0-255.1 -oA subnets/gateways -PE [--min-rate 10000 --min-hostgroup 10000]
$ grep 'Up' subnets/gateways.gnmap | cut -d' ' -f2 > subnets/ranges.txt
$ sed -i subnets/ranges.txt -e 's/$/\/24/'

Ping Sweep

Bash:
$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 $NET.$i > /dev/null && echo "$NET.$i" | tee -a sweep.txt &); done
Or
$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 "$NET.$i" | grep 'bytes from' | cut -d' ' -f4 | cut -d':' -f1 | tee -a sweep.txt &); done
$ sort -u -t'.' -k4,4n sweep.txt > hosts/targets.txt && rm sweep.txt
Batch:
Cmd > set "NET=10.5.5" && for /L %i in (1,1,255) do @ping -n 1 -w 200 %NET%.%i > nul && echo %NET%.%i > sweep.txt
PowerShell (option 1):
PS > echo "[*] Scanning in progress...";1..254 |ForEach-Object {Get-WmiObject Win32_PingStatus -Filter "Address='10.10.100.$_' and Timeout=50 and ResolveAddressNames='false' and StatusCode=0" |select ProtocolAddress* |Out-File -Append -FilePath .\sweep.txt};echo "[+] Live hosts:"; Get-Content -Path .\sweep.txt | ? { $_ -match "10.10.100" }; echo "[*] Done.";del .\sweep.txt
PowerShell (option 2):
PS > $NET="192.168.0";for($i=1;$i -lt 255;$i++){$command="ping -n 1 -w 100 $NET.$i > nul 2>&1 && echo $NET.$i";start-process -nonewwindow cmd -argumentlist "/c $command" -redirectstandardoutput "tmp$i.txt"};cat tmp*.txt > sweep.txt
PS > rm tmp*.txt
Nmap:
$ sudo nmap -n -sn -iL subnets/ranges.txt -oA hosts/pingsweep -PS22,443 -PA21,80 -PE -PP
$ grep 'Up' hosts/pingsweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > hosts/targets.txt

RMI Sweep

Remote Management Interfaces:
Port
Service
22
SSH
3389
RDP
2222
SSH?
5900
VNC
5985
WinRM
5986
WinRM over SSL/TLS
Nmap:
$ sudo nmap -n -Pn -iL subnets/ranges.txt -oA hosts/rmisweep -p22,3389,2222,5900,5985,5986 [--min-rate 1280 --min-hostgroup 256]
$ grep 'open' hosts/rmisweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n >> hosts/targets.txt

Services

Raw Identification

$ nc -nv 10.10.13.37 4444 [-C]

Nmap XML Parsers

parsenmap.rb

$ git clone https://github.com/R3dy/parsenmap-rb ~/tools/parsenmap-rb && cd ~/tools/parsenmap-rb
$ bundle install && ln -s ~/tools/parsenmap-rb/parsenmap.rb /usr/local/bin/parsenmap.rb && cd -
$ parsenmap.rb --help
Examine version scan:
$ parsenmap.rb services/alltcp-versions.xml > services/alltcp-versions.csv
Split version scan by service names:
$ parsenmap.py -i services/alltcp-versions.xml

nmaptocsv

$ git clone https://github.com/maaaaz/nmaptocsv ~/tools/nmaptocsv && cd ~/tools/nmaptocsv
$ python3 -m pip install -r requirements.txt csvkit && ln -s ~/tools/nmaptocsv/nmaptocsv.py /usr/local/bin/nmaptocsv.py && cd -
$ nmaptocsv.py --help
Examine version scan:
$ nmaptocsv.py -x services/alltcp-versions.xml -d',' -f ip-fqdn-port-protocol-service-version-os > services/alltcp-versions.csv

Ports

Scan with echo:
$ IP="0.0.0.0"; for p in $(seq 1 49151); do (timeout 1 bash -c "echo '.' >/dev/tcp/$IP/$p && echo OPEN:$p" >> hosts/ports.txt &) 2>/dev/null; done
$ sort -u -t':' -k1,1n hosts/ports.txt > hosts/echo-ports.txt && rm hosts/ports.txt
Scan with nc:
$ seq 1 49151 | xargs -n1 | xargs -P0 -I {} nc -nzv -w1 0.0.0.0 {} 2>&1 | grep -vE "timed out|now in progress|Connection refused"
$ for i in `prips 192.168.1.0/24`; do proxy nc -nvzw1 $i 445 |& grep open | tee -a 445.txt; sleep 1; done
Top TCP ports:
Port
Service
21
FTP
22,2222
SSH
23
Telnet
25
SMTP
53
DNS
80,8080
HTTP
88
KDC
111
SUNRPC
135
MSRPC
137
NetBIOS
139,445
SMB over NetBIOS,SMB over TCP/IP
389,636
LDAP,LDAP over SSL/TLS
443,8443
SSL/TLS
593
HTTP RPC Endpoint Mapper
623
IPMI
873
RSYNC
1090,1098,1099,4444,11099,47001,47002,10999
Java RMI
1433
MS SQL
1521
Oracle
1947
HASP License Manager
2049
NFS
2375
Docker
3268,3269
Microsoft Global Catalog
3306
MySQL/MariaDB
3389
RDP
4786
Cisco Smart Install
4848
GlassFish
4990
Atlassian Crowd
5432
PostgreSQL
5555,5556
HP Data Protector
5900
VNC
5985,5986
WinRM,WinRM over SSL/TLS
6066
Apache Spark
6379
Redis
7000-7004,8000-8003,9000-9003,9503,7070,7071
WebLogic
8081,8082
JFrog Artifactory
8088
Apache Hadoop
8383
Zoho Manageengine Desktop
8500
Hashicorp Consul
8686,9012,50500
JMX
8880
IBM WebSphere
8888
Tornado
8983
Apache Solr
9000
Portainer
9100
TCP/IP Printing
9200
Elasticsearch
9389
Active Directory Web Services
11111,4444,4445
jBoss
27017
MongoDB
45000,45001
JDWP
TCP one-liner:
ports_tcp="21,22,23,25,53,80,88,111,135,137,139,389,443,445,593,623,636,873,1090,1098,1099,1433,1521,1947,2049,2222,2375,3268,3269,3306,3389,4444,4445,4786,4848,4990,5432,5555,5556,5900,5985,5986,6066,6379,7000,7001,7002,7003,7004,7070,7071,8000,8001,8002,8003,8080,8081,8082,8088,8383,8443,8500,8686,8880,8888,8983,9000,9001,9002,9003,9012,9100,9200,9389,9503,10999,11099,11111,27017,45000,45001,47001,47002,50500"
Top UDP ports:
Port
Service
53
DNS
67
DHCP
69
TFTP
88
KDC
123
NTP
137
NetBIOS
161
SNMP
500
IKE
623
IPMI
3391
RD Gateway
UDP one-liner:
ports_udp="53,67,69,88,123,137,161,500,623,3391"

Nmap

Flag -A:
nmap -A ... == nmap -sC -sV -O --traceroute ...
Host discovery flag:
nmap -sn ... == nmap -PS443 -PA80 -PE -PP ...
-PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP protocol ping
Search for Nmap NSE scripts:
$ find /usr/share/nmap/scripts/ -type f | grep smb
Or
$ sudo nmap --script-updatedb
$ cat /usr/share/nmap/scripts/script.db | grep smb
Configure Nmap to run as unprivileged user by setting Linux capabilities:
$ sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip `which nmap`
$ nmap --privileged ...
Grep only numbers to get a comma-separated list of ports:
$ cat nmap/initial.nmap | egrep -o '^[0-9]{1,5}' | awk -F/ '{ print $1 }' ORS=','; echo
Define which NSE scripts were ran:
$ grep '|_' services/alltcp-versions.nmap | cut -d'_' -f2 | cut -d' ' -f1 | sort -u | grep ':'
Look at HTTP titles:
$ grep -i 'http-title' services/alltcp-versions.nmap
Fast port discovery with Masscan + versions and scripts with Nmap (TCP):
$ sudo masscan --rate 1000 -e tun0 -p1-65535,U:0-65535 127.0.0.1 > masscan/ports
$ ports=`cat masscan/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports
Fast port discovery with Nmap + versions and scripts with Nmap (TCP & UDP):
$ sudo nmap -n -Pn --min-rate 1000 -T4 127.0.0.1 -p- -v --open | tee nmap/ports_tcp
$ ports_tcp=`cat nmap/ports_tcp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports_tcp
$ sudo nmap -n -Pn -sU [--max-retries 1] 127.0.0.1 -v --open | tee nmap/ports_udp
$ ports_udp=`cat nmap/ports_udp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVCU [--reason] -oA nmap/udp 127.0.0.1 -p$ports_udp
Fast UDP:
$ sudo nmap -iL hosts.txt -oA report_udp -sUVC --script-timeout 500 -p53,69,161,500,4500,623,5351,443,55777
Nmap a single host helper (full TCP), output is placed in CWD:
nmap_single_host.sh
#!/usr/bin/env bash
# Usage: ./nmap_single_host.sh <IP>
IP="$1"
OUT="${IP//./-}"
quick_ports_scan="sudo nmap -n -Pn --min-rate 1000 -T4 $IP -p1-65535 --open -v | tee ${OUT}_alltcp_sweep.txt"
echo -e "\033[0;31m########## \033[1;32m${quick_ports_scan}\033[0;31m ##########\033[0m"
eval ${quick_ports_scan}
ports_tcp=`cat "${OUT}_alltcp_sweep.txt" | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
versions_and_scripts_scan="sudo nmap -Pn -sVC -O -oA ${OUT} $IP -p$ports_tcp"
echo -e "\033[0;31m########## \033[1;32m${versions_and_scripts_scan}\033[0;31m ##########\033[0m"
eval ${versions_and_scripts_scan}
Visualizes a grepable Nmap output in terminal (run the scan with --open):
nmap_visualize.sh
#!/bin/bash
# Usage: ./nmap_visualize.sh <NMAP_OUT.GNMAP>
INPUT=$1
IFS=$'\n'
for line in `grep "Ports:" $INPUT`; do
echo $line | cut -d ' ' -f 2
for j in `echo $line | grep -oE "Ports\:.*" | cut -d " " -f 2- | sed 's/, /\n/g'`; do
PORT=`echo $j | cut -d "/" -f 1,3`
SERVICE=`echo $j | cut -d "/" -f 7`
if [ -z "$SERVICE" ]
then
SERVICE=`echo $j | cut -d "/" -f 5`
fi
echo " |___$PORT ( $SERVICE )"
done
echo ""
done
unset $IFS
A tuned initial recon in a large range (stolen from here):
$ sudo nmap -vv -n -Pn --min-rtt-timeout 275ms --max-rtt-timeout 350ms --max-retries 0 --max-scan-delay 0 --min-hostgroup 128 -iL ranges.txt -oA tuned -p 21-23,25,53,111,137,139,445,80,443,3389,5900,8080,8443

Masscan

$ sudo masscan [-e eth0] --rate 1000 -iL hosts.txt --open -p$ports --resume paused.conf >> masscan.out
$ mkdir services && for p in `echo $ports | tr ',' ' '`; do grep "port $p/tcp" masscan.out | awk -F' ' '{print $6}' | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > "services/port$p.txt"; done

RustScan

$ sudo rustscan -b 1000 -t 2000 -u 5000 -a hosts.txt -r $ports -g --no-config --scan-order "Random" > rustscan.out
Scan Nmap top 1000 TCP ports:
$ sudo wget https://gist.github.com/snovvcrash/8b85b900bd928493cd1ae33b2df318d8/raw/fe8628396616c4bf7a3e25f2c9d1acc2f36af0c0/rustscan-ports-top1000.toml -O /root/.rustscan.toml
$ sudo rustscan -a 10.10.13.37 --top

Naabu

$ sudo naabu [-interface eth0] -iL hosts.txt -s s -rate 1000 -p - -silent [-nmap-cli 'sudo nmap -v -Pn -sVC -O -oA naabutest']
$ sudo naabu -host 10.10.13.37 -top-ports 1000

Invoke-Portscan

PS > Invoke-Portscan -Hosts 127.0.0.0/24 -sn -noProgressMeter -oA sweep
PS > Invoke-Portscan -Hosts 127.0.0.0/24 -T 4 -TopPorts 25 -oA top25
PS > Invoke-Portscan -HostFile .\hosts.txt -Ports 22,80,443,445

PowerShell_IPv4 Scanner

Hunt for Gateways & NICs

Search for gateways and dual-homed hosts.

gateway-finder-imp

$ python3 gateway-finder-imp.py -d 8.8.8.8 -m de:ad:be:af:de:ad -i eth0
$ python3 gateway-finder-imp.py -D file_with_dst_IPs.txt -M file_with_nex_hop_MACs.txt -i eth0 -p 80 443 22 23 8080

tracebuster

$ python3 tracebuster.py 4 udp 192.168.1.0/24 53 2>/dev/null

NetBIOS

nbtscan

$ sudo nbtscan -r 10.10.10.0/24

nbname (MSF)

msf > use auxiliary/scanner/netbios/nbname
msf > set RHOSTS file:hosts.txt
msf > run

nextnet

$ ./nextnet -rate 1000 192.168.1.0/24 | grep nets

RPC via IOXIDResolver

PingCastle

Double click > scanner > oxidbindings > all.

SharpOxidResolver

Cmd > .\OxidResolver.exe # query all domain computers
Cmd > .\OxidResolver.exe <IP/HOSTNAME>

Tools

AutoRecon

legion

nmapAutomator

Install:
$ git clone https://github.com/21y4d/nmapAutomator ~/tools/nmapAutomator && cd ~/tools/nmapAutomator
$ sudo ln -vs `pwd`/nmapAutomator/nmapAutomator.sh /usr/local/bin/
Run:
$ nmapAutomator.sh --host 10.1.1.1 --type All
Last modified 13d ago