00 - Port Scanning
(forked from sd-geek/OSCP)
--------------- Port Scanning ---------------
--------------- Subnet Reference Table ---------------
Prefix  Addresses  Hosts  Netmask          Amount of a Class C (/24)
/30             4      2  255.255.255.252  1/64
/29             8      6  255.255.255.248  1/32
/28            16     14  255.255.255.240  1/16
/27            32     30  255.255.255.224  1/8
/26            64     62  255.255.255.192  1/4
/25           128    126  255.255.255.128  1/2
/24           256    254  255.255.255.0    1
/23           512    510  255.255.254.0    2
/22          1024   1022  255.255.252.0    4
/21          2048   2046  255.255.248.0    8
/20          4096   4094  255.255.240.0    16
/19          8192   8190  255.255.224.0    32
/18         16384  16382  255.255.192.0    64
/17         32768  32766  255.255.128.0    128
/16         65536  65534  255.255.0.0      256
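Added example (not part of the original notes): a small subnet calculator that reproduces the table above from the prefix length alone, and also works out the network, broadcast and usable host range of a scan target such as 192.168.1.100/24, so the scope of a `$ip/24` scan can be checked before running it. It uses only the standard library; the function names (`subnet_row`, `subnet_table`, `scan_scope`) are my own.

```python
#!/usr/bin/env python3
"""Subnet reference calculator (added example, standard library only)."""
import ipaddress
from fractions import Fraction


def subnet_row(prefix: int) -> dict:
    """Return one row of the reference table for an IPv4 prefix length."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    addresses = net.num_addresses            # 2 ** (32 - prefix)
    # The network and broadcast addresses are not assignable to hosts;
    # /31 (point-to-point, RFC 3021) and /32 are the exceptions.
    hosts = addresses - 2 if prefix <= 30 else addresses
    return {
        "prefix": f"/{prefix}",
        "addresses": addresses,
        "hosts": hosts,
        "netmask": str(net.netmask),
        # Share of a class C (/24): 4/256 -> "1/64", 65536/256 -> "256"
        "class_c": str(Fraction(addresses, 256)),
    }


def subnet_table(smallest: int = 30, largest: int = 16) -> list:
    """Rows from the smallest block (/30) down to the largest (/16)."""
    return [subnet_row(p) for p in range(smallest, largest - 1, -1)]


def scan_scope(cidr: str) -> dict:
    """Network, broadcast and usable host range for a scan target.

    A host address with a prefix (192.168.1.100/24) is accepted because
    strict=False masks it down to the containing network.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_count": len(hosts),
    }


if __name__ == "__main__":
    print(f"{'Prefix':<7}{'Addresses':>10}{'Hosts':>7}  {'Netmask':<16} Class C")
    for row in subnet_table():
        print(f"{row['prefix']:<7}{row['addresses']:>10}{row['hosts']:>7}  "
              f"{row['netmask']:<16} {row['class_c']}")
    print(scan_scope("192.168.1.100/24"))
```

Running the script prints the same fifteen rows as the table, followed by the scope of a /24 scan around 192.168.1.100 (network .0, broadcast .255, 254 usable hosts).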
Set the IP address as a variable, then reuse it in every command
# export ip=192.168.1.100
# nmap -A -T4 -p- $ip
Netcat port Scanning
# nc -nvv -w 1 -z $ip 3388-3390
Discover who else is on the network
# netdiscover
Discover IP Mac and Mac vendors from ARP
# netdiscover -r $ip/24
Nmap stealth scan using SYN
# nmap -sS $ip
Nmap stealth scan using FIN
# nmap -sF $ip
Nmap Banner Grabbing
# nmap -sV -sT $ip
Nmap OS Fingerprinting
# nmap -O $ip
Nmap Regular Scan:
# nmap $ip/24
Enumeration Scan
# nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt
Enumeration Scan All Ports TCP / UDP and output to a txt file
# nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip
Nmap output to a file:
# nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24
Quick Scan:
# nmap -T4 -F $ip/24
Quick Scan Plus:
# nmap -sV -T4 -O -F --version-light $ip/24
Quick traceroute
# nmap -sn --traceroute $ip
All TCP and UDP Ports
# nmap -v -sU -sS -p- -A -T4 $ip
Intense Scan:
# nmap -T4 -A -v $ip
Intense Scan Plus UDP
# nmap -sS -sU -T4 -A -v $ip/24
Intense Scan ALL TCP Ports
# nmap -p 1-65535 -T4 -A -v $ip/24
Intense Scan - No Ping
# nmap -T4 -A -v -Pn $ip/24
Ping scan
# nmap -sn $ip/24
Slow Comprehensive Scan
# nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24
Scan with a full TCP connect (-sT) in order to weed out any spoofed ports designed to troll you (ports that only look open to a half-open SYN scan)
# nmap -p1-65535 -A -T5 -sT $ip
--------------- Enumeration ---------------
Nmap Enumeration Script List:
https://nmap.org/nsedoc/categories/discovery.html
Nmap port version detection MAXIMUM power
# nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>
--------------- SMB Enumeration ---------------
SMB OS Discovery
# nmap $ip --script smb-os-discovery.nse
Nmap port scan
# nmap -v -p 139,445 -oG smb.txt $ip-254
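Added example (not part of the original notes): a parser for the grepable output that the `-oG smb.txt` command above writes, turning it into a per-host inventory and a summary of which ports are open across the range. The sample scan output is constructed (three hosts, the hostname `fileserver.lab` is made up) and embedded so the script runs offline; the function names (`parse_gnmap`, `hosts_with_open`, `exposure_summary`) are my own. The grepable format has one tab-separated record per host with `Key: value` fields, and each port entry is `port/state/protocol/owner/service/rpcinfo/version/`.

```python
#!/usr/bin/env python3
"""Parse nmap grepable (-oG) output into a host/port inventory (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample of what `nmap -v -p 139,445 -oG smb.txt 192.168.1.100-254`
# writes; the hosts, hostname and timings are made up for this example.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: "
    "nmap -v -p 139,445 -oG smb.txt 192.168.1.100-254\n"
    "Host: 192.168.1.100 ()\tStatus: Up\n"
    "Host: 192.168.1.100 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n"
    "Host: 192.168.1.101 (fileserver.lab)\tStatus: Up\n"
    "Host: 192.168.1.101 (fileserver.lab)\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n"
    "Host: 192.168.1.102 ()\tStatus: Up\n"
    "Host: 192.168.1.102 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\n"
    "# Nmap done at Mon Jan  1 10:00:03 2024 -- 155 IP addresses (3 hosts up) scanned in 3.21 seconds\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_gnmap(text: str) -> dict:
    """Return {ip: {"hostname", "status", "ports": [(port, state, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines ("# Nmap ...") carry no records
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, hostname = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    # port/state/protocol/owner/service/rpcinfo/version/
                    if len(parts) < 5:
                        continue          # skip anything that is not a port record
                    port, state, proto, _owner, service = parts[:5]
                    entry["ports"].append((int(port), state, proto, service))
    return hosts


def hosts_with_open(hosts: dict, port: int, proto: str = "tcp") -> list:
    """IPs (in address order) on which the given port was reported open."""
    matching = [
        ip for ip, entry in hosts.items()
        if any(p == port and st == "open" and pr == proto for p, st, pr, _ in entry["ports"])
    ]
    return sorted(matching, key=ipaddress.ip_address)


def exposure_summary(hosts: dict) -> dict:
    """Count, per (protocol, port), how many hosts expose it as open."""
    counts = Counter()
    for entry in hosts.values():
        for port, state, proto, _service in entry["ports"]:
            if state == "open":
                counts[(proto, port)] += 1
    return dict(counts)


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, entry in inventory.items():
        print(ip, entry["hostname"] or "-", entry["status"], entry["ports"])
    print("445/tcp open on:", hosts_with_open(inventory, 445))
    print("exposure:", exposure_summary(inventory))
```

To use it on a real scan, replace `SAMPLE_GNMAP` with `open("smb.txt").read()`. Note that with `-sV` the version field can contain text that nmap escapes (slashes become `|`), which is why only the first five fields of each port record are used here.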
Netbios Information Scanning
# nbtscan -r $ip/24
Nmap find exposed Netbios servers
# nmap -sU --script nbstat.nse -p 137 $ip
SMB Enumeration Tools
# nmblookup -A $ip
# smbclient //MOUNT/share -I $ip -N
# rpcclient -U "" $ip
# enum4linux $ip
# enum4linux -a $ip
SMB Finger Printing
# smbclient -L //$ip
Nmap Scan for Open SMB Shares
# nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 $ip/24
Nmap scans for vulnerable SMB Servers
# nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip
Nmap List all SMB scripts installed
# ls -l /usr/share/nmap/scripts/smb*
Enumerate SMB Users
# nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14
# python /usr/share/doc/python-impacket-doc/examples/samrdump.py $ip
RID Cycling - Null Sessions
https://www.trustedsec.com/march-2013/new-tool-release-rpc_enum-rid-cycling-attack/
# ridenum.py $ip 500 50000 dict.txt
# msfconsole: use auxiliary/scanner/smb/smb_lookupsid
Manual Null Session Testing
# Windows: net use \\$ip\IPC$ "" /u:""
# Linux: smbclient -L //$ip
IPv6 address discovery over SNMP with Enyx (arguments: SNMP version, community string, target)
# git clone https://github.com/trickster0/Enyx.git
# python enyx.py 2c public <IPV4 Address>