Hacknetics

Scanning

AutoRecon

autorecon -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost
autorecon 10.200.97.200
autorecon -t targets.txt --only-scans-dir
  • -ct limits the number of concurrent targets.

  • -o sets a custom output directory location.

  • -cs limits the number of concurrent scans per target.

  • AutoRecon will create the results directory and store all of its output there.

General Enumeration: Figure out the Hosts and Services Running

NetDiscover

  • Netdiscover is an active/passive reconnaissance tool that uses ARP to find live hosts on the local network.

  • In active mode Netdiscover finds live hosts by broadcasting ARP requests, the same way a router would.

  • By default netdiscover operates in active mode; use -p for passive mode, in which it only listens and does not broadcast anything.

  • Note: ARP does not cross network boundaries (routed segments) or VPN connections, so netdiscover only finds hosts on the segment you are attached to.

netdiscover -r 10.11.1.0/24

Nmap

  • I have no time to read, just give me the nmap scanning meta.

nmap -sS x.x.x.x -p- --min-rate 10000
nmap -A -T5 x.x.x.x -p- -vv
nmap --script=scriptname.nse x.x.x.x -vv

Ping Scan -sn Option

  • -sn tells nmap to perform host discovery only without any additional port scanning and prints out details of any hosts that responded.

nmap -sn 10.11.1.0/24
  • nmap also has the -Pn option which will disable the host discovery stage altogether on a scan. The -Pn option is best used in combination with other scans.

TCP Connect Scan

  • The TCP connect scan is the alternative TCP scan to use when a SYN scan is not an option.

  • Use a TCP connect scan when nmap does not have the raw packet privileges (root/administrator) that a SYN scan requires.

nmap -sT [target host]

TCP SYN Scan

  • Sends a SYN and reads the reply without completing the three-way handshake (requires raw packet privileges).

nmap -sS [target host]

UDP Port Scanning

  • Always check UDP ports as well; a UDP scan will pick up services such as DNS, NTP and SNMP that a TCP scan misses.

nmap -sU [target host]
nmap -sU -F [target host]

Fingerprint Services

  • To figure out what services are running on target ports we use:

nmap -sV [target ip address]
  • The following command combines service detection with OS detection:

nmap -sV -O [target ip address]
  • Can also use the -A option in Nmap. The A stands for aggressive scan options and enables OS detection, script scanning and traceroute.

nmap -A [target ip address]

Scanning port ranges with Nmap

  • By default nmap only scans the 1000 most common ports. To override the default, use the -p option:

nmap -p 1-100 [target host]
nmap -p 137-139,445 [target host]

NSE

  • Web Application Vulnerability scan:

nmap --script='http-vuln*' 10.10.10.10
  • Location of scripts

/usr/share/nmap/scripts
  • Scripts are named by protocol/service, so you can list the ones for a given service:

ls -l /usr/share/nmap/scripts/ftp*
  • Nmap script help

nmap --script-help ftp-anon
  • Nmap script execution

nmap --script=[script name] [target host]
  • The following command executes the script named http-robots.txt against port 80:

nmap --script=http-robots.txt.nse [target host]

Detecting Linux Version from nmap SSH output

  • If SSH is running on the target and nmap can fingerprint the service, you have a good chance of detecting the operating system version from the banner:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
|   256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_  256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
  • Take a look at the part 4ubuntu0.5

  • If you google that and select the launchpad.net link it will tell you the OS version
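A small parser for the nmap output shown above, added here as an example (not part of the original page): it pulls the OpenSSH upstream version and the Ubuntu package revision (the 4ubuntu0.5 part) out of the banner, collects the host-key fingerprints, and builds the launchpad.net source-package link directly instead of going through a search engine. The sample input is the block from this page; the "1:" epoch in the URL is taken from the launchpad link the page itself gives.

```python
import re

# Constructed sample: the nmap -sV / ssh-hostkey block shown on this page.
SAMPLE = """PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
|   256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_  256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
"""

# "22/tcp   open  ssh     <banner>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+ssh\s+(.*)$")
# "OpenSSH 8.2p1 Ubuntu 4ubuntu0.5" -> upstream version, optional Ubuntu revision
BANNER_RE = re.compile(r"OpenSSH[_ ](\S+)(?:\s+Ubuntu\s+(\S+))?")
# "|   3072 29:dd:...:75 (RSA)" / "|_  256 f5:...:f6 (ED25519)"
KEY_RE = re.compile(r"^\|[_ ]\s+(\d+)\s+([0-9a-f:]+)\s+\((\w+)\)")


def parse_ssh(output):
    """Extract the SSH port, OpenSSH version, Ubuntu package revision and host keys."""
    info = {"port": None, "upstream": None, "revision": None, "hostkeys": {}}
    for line in output.splitlines():
        m = PORT_RE.match(line)
        if m:
            info["port"] = int(m.group(1))
            b = BANNER_RE.search(m.group(3))
            if b:
                info["upstream"], info["revision"] = b.group(1), b.group(2)
            continue
        k = KEY_RE.match(line)
        if k:
            # key type -> (bits, fingerprint); useful for spotting reused host keys
            info["hostkeys"][k.group(3)] = (int(k.group(1)), k.group(2))
    return info


def launchpad_url(info):
    """Build the launchpad.net link for the package; the '1:' epoch follows the link on this page."""
    if not (info["upstream"] and info["revision"]):
        return None  # not an Ubuntu-packaged banner, nothing to look up
    return (f"https://launchpad.net/ubuntu/+source/openssh/"
            f"1:{info['upstream']}-{info['revision']}")


if __name__ == "__main__":
    result = parse_ssh(SAMPLE)
    print(result)
    print(launchpad_url(result))
```

Feed it the saved normal output (-oN) of a scan that used -sV; a banner without an Ubuntu revision (stock OpenSSH, other distros) yields no link rather than a wrong one.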

Vulnerability Scanning

  • Good nmap command

nmap -T4 -n -sC -sV -p- -oN nmap-versions --script='*vuln*' [ip]
nmap -p 80 --script=all $ip - Scan a target using all NSE scripts. May take an hour to complete.
nmap -p 80 --script='*vuln*' $ip - Scan a target using all NSE vuln scripts.
nmap -p 80 --script='http*vuln*' $ip - Scan a target using all HTTP vuln NSE scripts.
nmap -p 21 --script=ftp-anon $ip/24 - Scan the entire network for FTP servers that allow anonymous access.
nmap -p 80 --script=http-vuln-cve2010-2861 $ip/24 - Scan the entire network for a directory traversal vulnerability. It can even retrieve the admin's password hash.
Last updated 2 years ago
https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.5