Network Pentest

arp-scan

Scan the local network for live IPs (arp-scan needs root; --localnet derives the range from the interface configuration and cannot be combined with an explicit target)

sudo arp-scan --localnet
sudo arp-scan 192.168.1.0/24   # or give the range explicitly

netdiscover

netdiscover -r 172.20.0.0/24

BruteSpray

Using Custom Wordlists:

python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5

Brute-Forcing Specific Services:

python brutespray.py --file nmap.gnmap --service ftp,ssh,telnet --threads 5 --hosts 5

Specific Credentials:

python brutespray.py --file nmap.gnmap -u admin -p password --threads 5 --hosts 5

Continue After Success:

python brutespray.py --file nmap.gnmap --threads 5 --hosts 5 -c

Use Nmap XML Output:

python brutespray.py --file nmap.xml --threads 5 --hosts 5

Use JSON Output:

python brutespray.py --file out.json --threads 5 --hosts 5

Interactive Mode:

python brutespray.py --file nmap.xml -i

Supported Services

  • ssh
  • ftp
  • telnet
  • vnc
  • mssql
  • mysql
  • postgresql
  • rsh
  • imap
  • nntp
  • pcanywhere
  • pop3
  • rexec
  • rlogin
  • smbnt
  • smtp
  • svn
  • vmauthd
  • snmp
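BruteSpray's --file option works by reading nmap's greppable (-oG) output and keeping only open ports on the services listed above. The parser below is an added example of that step, not BruteSpray's own code; the scan output is a constructed sample and the service-name aliases (nmap's "microsoft-ds" to "smbnt", etc.) are an assumption.

```python
import re
from collections import defaultdict

# Services from the Supported Services list above.
SUPPORTED = {
    "ssh", "ftp", "telnet", "vnc", "mssql", "mysql", "postgresql", "rsh", "imap",
    "nntp", "pcanywhere", "pop3", "rexec", "rlogin", "smbnt", "smtp", "svn",
    "vmauthd", "snmp",
}
# Assumed mapping from names nmap prints to the names BruteSpray uses.
ALIASES = {"microsoft-ds": "smbnt", "netbios-ssn": "smbnt", "ms-sql-s": "mssql",
           "postgres": "postgresql"}

# Constructed sample in greppable (-oG) format; fields are tab separated.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18/, 3306/open/tcp//mysql//MySQL 5.7.3/\tIgnored State: closed (997)
Host: 192.168.1.11 (fileserver)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/filtered/tcp//telnet///, 445/open/tcp//microsoft-ds//Samba smbd 4/
Host: 192.168.1.12 ()\tPorts: 161/open|filtered/udp//snmp///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {service: [(ip, port), ...]} for open ports on supported services."""
    targets = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and Status-only lines
        ip, ports = m.group(1), m.group(2)
        # Each entry is port/state/proto/owner/service/rpcinfo/version/; split only
        # at commas that start a new port entry so commas in versions survive.
        for entry in re.split(r",\s*(?=\d+/)", ports):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, _proto, _owner, service = fields[:5]
            if state != "open":           # skip filtered / open|filtered
                continue
            service = ALIASES.get(service, service)
            if service in SUPPORTED:
                targets[service].append((ip, int(port)))
    return dict(targets)


if __name__ == "__main__":
    for service, hosts in sorted(parse_gnmap(SAMPLE_GNMAP).items()):
        print(f"{service}: " + ", ".join(f"{ip}:{port}" for ip, port in hosts))
```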

ICMP SCAN

# 1 echo request to a host
ping -c 1 199.66.11.4
# Send echo requests to a range
fping -g 199.66.11.0/24
# Send echo, timestamp and netmask requests (-PE, -PP, -PM are separate flags;
# -sn = host discovery only, -n = no DNS resolution)
nmap -PE -PP -PM -sn -n 199.66.11.0/24

TCP LARGE SCAN

# Using masscan to scan nmap's top 20 ports in a /24 range (less than 5 min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24

HTTP PORT SCAN

masscan -p80,443,8000-8100,8443 199.66.11.0/24

UDP SCAN

nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable

wget https://raw.githubusercontent.com/CiscoCXSecurity/udp-proto-scanner/master/udp-proto-scanner.pl
chmod +x udp-proto-scanner.pl
./udp-proto-scanner.pl 199.66.11.53/24

It sends protocol-specific probes for:
- DNS
- TFTP
- NTP
- NBT
- SunRPC
- MS SQL
- DB2
- SNMPv3

SCTP SCAN

# SCTP is rarely in use, but the scan is fast, so it costs little to try
nmap -T4 -sY -n --open -Pn <IP/range>

Internal/On-Site Scan

Passive wardriving

netdiscover -p                    # -p = passive mode: only sniff ARP traffic, send nothing
p0f -i eth0 -p -o /tmp/p0f.log    # passive OS fingerprinting of hosts seen on eth0
# Bettercap
sudo bettercap
net.recon on/off                  # read the local ARP cache periodically
net.show
set net.show.meta true            # more info

Active wardriving

#ARP discovery
nmap -sn <Network> #ARP Requests (Discover IPs)
netdiscover -r 192.168.63.0/24 #ARP requests (Discover IPs)

#NBT discovery
nbtscan -r 192.168.0.1/24 #Search in Domain

# Bettercap
net.probe on/off #Discover hosts on current subnet by probing with ARP, mDNS, NBNS, UPNP, and/or WSD
set net.probe.mdns true/false #Enable mDNS discovery probes (default=true)
set net.probe.nbns true/false #Enable NetBIOS name service discovery probes (default=true)
set net.probe.upnp true/false #Enable UPNP discovery probes (default=true)
set net.probe.wsd true/false #Enable WSD discovery probes (default=true)
set net.probe.throttle 10 #10ms between probes sent (default=10)

#IPv6
alive6 <IFACE> # Send ICMPv6 probes to the link-local all-nodes multicast address

Normal Network scan

1. Nmap:

nmap -p 1-1000 192.168.1.1

Large Network Scan

1. Masscan:

masscan -p 1-65535 192.168.1.0/24

2. Zmap:

zmap -p 80,443 192.168.0.0/16

3. Unicornscan:

unicornscan -mU -p 161 192.168.1.1

4. hping3:

hping3 -S -p 80 192.168.1.1

Nmap Basics

Default scripts + service version detection

nmap -sC -sV IP_ADDRESS -oN <output_file>

If the host does not answer ping, skip host discovery (-Pn) and scan all 65535 ports (-p-)

nmap -Pn -p- <IP>

Check for live hosts in subnets (ping sweep, no port scan)

nmap -sn 10.10.10.0/24

nmap -sn 10.10.0.0/16

nmap -sn 10.0.0.0/8

Check for SMB vulnerabilities (quote the glob so the shell does not expand it)

nmap --script 'smb-vuln*' <IP>

Check for SSL/TLS configuration

nmap --script ssl-enum-ciphers <IP>
nmap --script 'ssl-*' <IP>

Check all scripts

ls -l /usr/share/nmap/scripts/

Check for subdomains (DNS brute force)

nmap --script dns-brute -sn google.com

Bypass Firewall Techniques

Fragmentation : Bypass firewall packet inspection

nmap -f 192.168.0.1

Resizing MTU : Confuse firewall packet size inspection

nmap --mtu 24 192.168.0.1

Using decoy addresses: spoof packets from other hosts so the scan is harder to attribute

nmap -D RND:10 192.168.0.1

nmap -D decoy-ip-1,decoy-ip-2,decoy-ip-3 192.168.0.1
  • RND:10 = generate 10 random decoy IPs

Idle (zombie) scan: scan the target through a third host's IP ID sequence; the first address is the zombie, the second the target

nmap -sI 192.168.0.1 192.168.0.40   # zombie 192.168.0.1, target 192.168.0.40

Source port specification: for firewalls that only allow traffic from certain source ports (e.g. 53 or 80); --source-port takes a single port

nmap --source-port 80 192.168.0.1

Append random data: pad packets with extra bytes to confuse signature-based inspection

nmap --data-length 1024 192.168.0.1

Scan hosts in random order: avoid pattern-based detection (only meaningful with more than one target)

nmap --randomize-hosts 192.168.0.1

MAC address spoofing: change the source MAC address to bypass MAC-based filters

nmap --spoof-mac 00:11:22:33:44:55 192.168.0.1

Send bad checksums: real hosts drop packets with bad checksums, so any reply reveals a firewall or IDS that does not verify them

nmap --badsum 192.168.0.1

TCP/IP Fragmentation : bypass firewall rules that are based on packet contents

nmap --mtu 16 --max-rtt-timeout 10 192.168.0.1

Advanced one-liners (--source-port accepts one port; the script path needs a space after --script):

nmap -sS --max-retries 5 --max-scan-delay 500ms --scan-delay 500ms -T2 -r -D RND:10 -f --source-port 53 -Pn -vv [TARGET_IP] -oX /root/results.xml
nmap --script-args http.useragent='' -vv --open -sU -sS --script /usr/share/nmap/scripts/vulners.nse -oX /root/results.xml -p T:1-65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:500,U:520,U:2049 [TARGET_IP]

Threader3000

git clone https://github.com/dievus/threader3000.git
cd threader3000
./threader3000.py

Enter the target IP when prompted.
