Host Discovery
ARP
arp-scan
Active:
$ sudo arp-scan -l [-s <SPOOFED_IP>] -v
$ sudo arp-scan -I eth0 192.168.0.0/24
netdiscover
Passive:
$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -p
Active, sending 20 requests per IP:
$ sudo netdiscover -i eth0 -r 192.168.0.0/24 -c 20
Hunt for Subnets
Take 10.0.0.0/8
as an example:
$ sudo nmap -n -sn 10.0-255.0-255.1 -oA subnets/gateways -PE [--min-rate 10000 --min-hostgroup 10000]
$ grep 'Up' subnets/gateways.gnmap | cut -d' ' -f2 > subnets/ranges.txt
$ sed -i subnets/ranges.txt -e 's/$/\/24/'
Ping Sweep
Bash:
$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 $NET.$i > /dev/null && echo "$NET.$i" | tee -a sweep.txt &); done
Or
$ NET="0.0.0"; for i in $(seq 1 254); do (ping -c1 -W1 "$NET.$i" | grep 'bytes from' | cut -d' ' -f4 | cut -d':' -f1 | tee -a sweep.txt &); done
$ sort -u -t'.' -k4,4n sweep.txt > hosts/targets.txt && rm sweep.txt
Batch:
Cmd > set "NET=10.5.5" && for /L %i in (1,1,255) do @ping -n 1 -w 200 %NET%.%i > nul && echo %NET%.%i > sweep.txt
PowerShell (option 1):
PS > echo "[*] Scanning in progress...";1..254 |ForEach-Object {Get-WmiObject Win32_PingStatus -Filter "Address='10.10.100.$_' and Timeout=50 and ResolveAddressNames='false' and StatusCode=0" |select ProtocolAddress* |Out-File -Append -FilePath .\sweep.txt};echo "[+] Live hosts:"; Get-Content -Path .\sweep.txt | ? { $_ -match "10.10.100" }; echo "[*] Done.";del .\sweep.txt
PowerShell (option 2):
PS > $NET="192.168.0";for($i=1;$i -lt 255;$i++){$command="ping -n 1 -w 100 $NET.$i > nul 2>&1 && echo $NET.$i";start-process -nonewwindow cmd -argumentlist "/c $command" -redirectstandardoutput "tmp$i.txt"};cat tmp*.txt > sweep.txt
PS > rm tmp*.txt
Nmap:
$ sudo nmap -n -sn -iL subnets/ranges.txt -oA hosts/pingsweep -PS22,443 -PA21,80 -PE -PP
$ grep 'Up' hosts/pingsweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > hosts/targets.txt
RMI Sweep
Remote Management Interfaces:
Nmap:
$ sudo nmap -n -Pn -iL subnets/ranges.txt -oA hosts/rmisweep -p22,3389,2222,5900,5985,5986 [--min-rate 1280 --min-hostgroup 256]
$ grep 'open' hosts/rmisweep.gnmap | cut -d' ' -f2 | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n >> hosts/targets.txt
Services
Raw Identification
$ nc -nv 10.10.13.37 4444 [-C]
Nmap XML Parsers
parsenmap.rb
$ git clone https://github.com/R3dy/parsenmap-rb ~/tools/parsenmap-rb && cd ~/tools/parsenmap-rb
$ bundle install && ln -s ~/tools/parsenmap-rb/parsenmap.rb /usr/local/bin/parsenmap.rb && cd -
$ parsenmap.rb --help
Examine version scan:
$ parsenmap.rb services/alltcp-versions.xml > services/alltcp-versions.csv
Split version scan by service names:
$ parsenmap.py -i services/alltcp-versions.xml
nmaptocsv
$ git clone https://github.com/maaaaz/nmaptocsv ~/tools/nmaptocsv && cd ~/tools/nmaptocsv
$ python3 -m pip install -r requirements.txt csvkit && ln -s ~/tools/nmaptocsv/nmaptocsv.py /usr/local/bin/nmaptocsv.py && cd -
$ nmaptocsv.py --help
Examine version scan:
$ nmaptocsv.py -x services/alltcp-versions.xml -d',' -f ip-fqdn-port-protocol-service-version-os > services/alltcp-versions.csv
Ports
Scan with echo
:
$ IP="0.0.0.0"; for p in $(seq 1 49151); do (timeout 1 bash -c "echo '.' >/dev/tcp/$IP/$p && echo OPEN:$p" >> hosts/ports.txt &) 2>/dev/null; done
$ sort -u -t':' -k1,1n hosts/ports.txt > hosts/echo-ports.txt && rm hosts/ports.txt
Scan with nc
:
$ seq 1 49151 | xargs -n1 | xargs -P0 -I {} nc -nzv -w1 0.0.0.0 {} 2>&1 | grep -vE "timed out|now in progress|Connection refused"
$ for i in `prips 192.168.1.0/24`; do proxy nc -nvzw1 $i 445 |& grep open | tee -a 445.txt; sleep $(($MIN+RANDOM % ($MAX-$MIN))); done
Scan with PowerShell:
$computers = @("PC01", "PC02", "PC03")
foreach ($comp in $computers)
{
try
{
$tcpClient = New-Object System.Net.Sockets.TcpClient
$tcpClient.Connect($comp, 445)
if ($tcpClient.Connected) { Write-Host "[+] ${comp}:445: OK" }
else { Write-Host "[-] ${comp}:445: FAIL" }
$tcpClient.Close()
}
catch
{
Write-Host "Error occurred while checking port on $comp"
}
}
Top TCP ports:
SMB over NetBIOS,SMB over TCP/IP
1090,1098,1099,4444,11099,47001,47002,10999
7000-7004,8000-8003,9000-9003,9503,7070,7071
Zoho Manageengine Desktop
Active Directory Web Services
TCP one-liner:
ports_tcp="21,22,23,25,53,80,88,111,135,137,139,389,443,445,593,623,636,873,1090,1098,1099,1433,1521,1947,2049,2222,2375,3268,3269,3306,3389,4444,4445,4786,4848,4990,5432,5555,5556,5900,5985,5986,6066,6379,7000,7001,7002,7003,7004,7070,7071,8000,8001,8002,8003,8080,8081,8082,8088,8383,8443,8500,8686,8880,8888,8983,9000,9001,9002,9003,9012,9100,9200,9389,9503,10999,11099,11111,27017,45000,45001,47001,47002,50500"
Top UDP ports:
UDP one-liner:
ports_udp="53,67,69,88,123,137,161,500,623,3391"
Nmap
Flag -A
:
nmap -A ... == nmap -sC -sV -O --traceroute ...
Host discovery flag:
nmap -sn ... == nmap -PS443 -PA80 -PE -PP ...
-PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP protocol ping
Search for Nmap NSE scripts:
$ find /usr/share/nmap/scripts/ -type f | grep smb
Or
$ sudo nmap --script-updatedb
$ cat /usr/share/nmap/scripts/script.db | grep smb
Configure Nmap to run as unprivileged user by setting Linux capabilities:
$ sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip `which nmap`
$ nmap --privileged ...
Grep only numbers to get a comma-separated list of ports:
$ cat nmap/initial.nmap | egrep -o '^[0-9]{1,5}' | awk -F/ '{ print $1 }' ORS=','; echo
Define which NSE scripts were ran:
$ grep '|_' services/alltcp-versions.nmap | cut -d'_' -f2 | cut -d' ' -f1 | sort -u | grep ':'
Look at HTTP titles:
$ grep -i 'http-title' services/alltcp-versions.nmap
Fast port discovery with Masscan + versions and scripts with Nmap (TCP):
$ sudo masscan --rate 1000 -e tun0 -p1-65535,U:0-65535 127.0.0.1 > masscan/ports
$ ports=`cat masscan/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports
Fast port discovery with Nmap + versions and scripts with Nmap (TCP & UDP):
$ sudo nmap -n -Pn --min-rate 1000 -T4 127.0.0.1 -p- -v --open | tee nmap/ports_tcp
$ ports_tcp=`cat nmap/ports_tcp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVC [-sT] [-A] [--reason] -oA nmap/tcp 127.0.0.1 -p$ports_tcp
$ sudo nmap -n -Pn -sU [--max-retries 1] 127.0.0.1 -v --open | tee nmap/ports_udp
$ ports_udp=`cat nmap/ports_udp | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
$ sudo nmap -n -Pn -sVCU [--reason] -oA nmap/udp 127.0.0.1 -p$ports_udp
Fast UDP:
$ sudo nmap -iL hosts.txt -oA report_udp -sUVC --script-timeout 500 -p53,69,161,500,4500,623,5351,443,55777
Nmap a single host helper (full TCP), output is placed in CWD:
#!/usr/bin/env bash
# Usage: ./nmap_single_host.sh <IP>
IP="$1"
OUT="${IP//./-}"
quick_ports_scan="sudo nmap -n -Pn --min-rate 1000 -T4 $IP -p1-65535 --open -v | tee ${OUT}_alltcp_sweep.txt"
echo -e "\033[0;31m########## \033[1;32m${quick_ports_scan}\033[0;31m ##########\033[0m"
eval ${quick_ports_scan}
ports_tcp=`cat "${OUT}_alltcp_sweep.txt" | grep '^[0-9]' | awk -F "/" '{print $1}' | tr "\n" ',' | sed 's/,$//'`
versions_and_scripts_scan="sudo nmap -Pn -sVC -O -oA ${OUT} $IP -p$ports_tcp"
echo -e "\033[0;31m########## \033[1;32m${versions_and_scripts_scan}\033[0;31m ##########\033[0m"
eval ${versions_and_scripts_scan}
Visualizes a grepable Nmap output in terminal (run the scan with --open
):
#!/bin/bash
# Usage: ./nmap_visualize.sh <NMAP_OUT.GNMAP>
INPUT=$1
IFS=$'\n'
for line in `grep "Ports:" $INPUT`; do
echo $line | cut -d ' ' -f 2
for j in `echo $line | grep -oE "Ports\:.*" | cut -d " " -f 2- | sed 's/, /\n/g'`; do
PORT=`echo $j | cut -d "/" -f 1,3`
SERVICE=`echo $j | cut -d "/" -f 7`
if [ -z "$SERVICE" ]
then
SERVICE=`echo $j | cut -d "/" -f 5`
fi
echo " |___$PORT ( $SERVICE )"
done
echo ""
done
unset $IFS
A tuned initial recon in a large range (stolen from here):
$ sudo nmap -vv -n -Pn --min-rtt-timeout 275ms --max-rtt-timeout 350ms --max-retries 0 --max-scan-delay 0 --min-hostgroup 128 -iL ranges.txt -oA tuned -p 21-23,25,53,111,137,139,445,80,443,3389,5900,8080,8443
Masscan
$ sudo masscan [-e eth0] --rate 1000 -iL hosts.txt --open -p$ports --resume paused.conf >> masscan.out
$ mkdir services && for p in `echo $ports | tr ',' ' '`; do grep "port $p/tcp" masscan.out | awk -F' ' '{print $6}' | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n > "services/port$p.txt"; done
RustScan
$ sudo rustscan -b 1000 -t 2000 -u 5000 -a hosts.txt -r $ports -g --no-config --scan-order "Random" > rustscan.out
Scan Nmap top 1000 TCP ports:
$ sudo wget https://gist.github.com/snovvcrash/8b85b900bd928493cd1ae33b2df318d8/raw/fe8628396616c4bf7a3e25f2c9d1acc2f36af0c0/rustscan-ports-top1000.toml -O /root/.rustscan.toml
$ sudo rustscan -a 10.10.13.37 --top
Naabu
$ sudo naabu [-interface eth0] -iL hosts.txt -s s -rate 1000 -p - -silent [-nmap-cli 'sudo nmap -v -Pn -sVC -O -oA naabutest']
$ sudo naabu -host 10.10.13.37 -top-ports 1000
Invoke-Portscan
PS > Invoke-Portscan -Hosts 127.0.0.0/24 -sn -noProgressMeter -oA sweep
PS > Invoke-Portscan -Hosts 127.0.0.0/24 -T 4 -TopPorts 25 -oA top25
PS > Invoke-Portscan -HostFile .\hosts.txt -Ports 22,80,443,445
PowerShell_IPv4 Scanner
Hunt for Gateways & NICs
Search for gateways and dual-homed hosts.
gateway-finder-imp
$ python3 gateway-finder-imp.py -d 8.8.8.8 -m de:ad:be:af:de:ad -i eth0
$ python3 gateway-finder-imp.py -D file_with_dst_IPs.txt -M file_with_nex_hop_MACs.txt -i eth0 -p 80 443 22 23 8080
tracebuster
$ python3 tracebuster.py 4 udp 192.168.1.0/24 53 2>/dev/null
cornershot
NetBIOS
nbtscan
$ sudo nbtscan -r 10.10.10.0/24
nbname (MSF)
msf > use auxiliary/scanner/netbios/nbname
msf > set RHOSTS file:hosts.txt
msf > run
nextnet
$ ./nextnet -rate 1000 192.168.1.0/24 | grep nets
RPC via IOXIDResolver
PingCastle
Double click > scanner
> oxidbindings
> all
.
SharpOxidResolver
Cmd > .\OxidResolver.exe # query all domain computers
Cmd > .\OxidResolver.exe <IP/HOSTNAME>
Tools
AutoRecon
legion
nmapAutomator
Install:
$ git clone https://github.com/21y4d/nmapAutomator ~/tools/nmapAutomator && cd ~/tools/nmapAutomator
$ sudo ln -vs `pwd`/nmapAutomator/nmapAutomator.sh /usr/local/bin/
Run:
$ nmapAutomator.sh --host 10.1.1.1 --type All