Scanning
AutoRecon
autorecon -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost
autorecon 10.200.97.200
autorecon -t targets.txt — only-scans-dir-ct(concurrent targets)-ocustom output directory location.-cslimits the number of concurent scans per targetAuto recon will create and store the results in the
/resultsdirectory.
General Enumeration Figure out the Hosts and Services Running
NetDiscover
Netdiscover is an active/passive reconnaissance tool that uses ARP to find live hosts on a local network.
Netdiscover actively searches for live hosts on the network by broadcasting ARP requests like a router.
By default netdiscover operates in active mode, however you can use it in passive mode with
-p. With passive move it will not broadcast anything.Note: ARP is unable to cross network boundaries or over any VPN connection
netdiscover -r 10.11.1.0/24Nmap
I have no time to read, just give me the nmap scanning meta.
nmap -sS x.x.x.x -p- --min-rate 10000
nmap -A -T5 x.x.x.x -p- -vv
nmap --script=scriptname.nse x.x.x.x -vvPing Scan -sn Option
-sn tells nmap to perform host discovery only without any additional port scanning and prints out details of any hosts that responded.
nmap -sn 10.11.1.0/24nmap also has the -Pn option which will disable the host discovery stage altogether on a scan. The -Pn option is best used in combination with other scans.
TCP Connect Scan
The TCP connect scan in Nmap is the alternative TCP scan to use when a SYN scan is not an option.
TCP connect scan should be used when nmap does not have raw packet privileges which is required for a SYN scan.
nmap -sT [target host]TCP SYN Scan
Does not complete the 3 way handshake
nmap -sS [target host]UDP Port Scanning
Always check for UDP ports will pick up DNS, NTP, SNMP
nmap -sU [target host]
nmap -sU -F [target host]Fingerprint Services
To figure out what services are running on target ports we use:
nmap -sV [target ip address]The following command will use nmap port scan to detect the service and OS:
nmap -sV -O [target ip address]Can also use the -A option in Nmap. The A stands for aggressive scan options and enables OS detection, script scanning and traceroute.
nmap -A [target ip address]Scanning port ranges with Nmap
By default nmap will only scan the most 1000 common ports. To override the default use the -p
nmap -p 1-100 [target host]
nmap -p 137-139,445 [target host]NSE
Web Application Vulnerability scan:
nmap --script=http-vuln* 10.10.10.10Location of scripts
/usr/share/nmap/scriptsScripts are sorted by protocol, can sort by service
ls -l /usr/share/nmap/scripts/ftp*Nmap script help
nmap --script-help ftp-anonNmap script execution
nmap --script=[script name] [target host]The following command executes a script names http-robots.txt on port 80:
nmap --script=http-robots.txt.nse [target host]Detecting Linux Version from nmap SSH output
If ssh is running on the target, and it can fingerprint the service you have a good chance of detecting the operating system version:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
| 256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_ 256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
Take a look at the part
4ubuntu0.5If you google that and select the
launchpad.netlink it will tell you the OS version
Vulnerability Scanning
Good nmap command
nmap -T4 -n -sC -sV -p- -oN nmap-versions --script='*vuln*' [ip]nmap -p 80 --script=all $ip - Scan a target using all NSE scripts. May take an hour to complete.
nmap -p 80 --script=*vuln* $ip - Scan a target using all NSE vuln scripts.
nmap -p 80 --script=http*vuln* $ip - Scan a target using all HTTP vulns NSE scripts.
nmap -p 21 --script=ftp-anon $ip/24 - Scan entire network for FTP servers that allow anonymous access.
nmap -p 80 --script=http-vuln-cve2010-2861 $ip/24 - Scan entire network for a directory traversal vulnerability. It can even retrieve admin's password hash.Last updated