Network Pentest
arp-scan
scan local network ips
arp-scan --localnet 192.168.1.0/24
netdiscovery
netdiscovery -r 172.20.0.0/24
BruteSpray
Using Custom Wordlists:
python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5
Brute-Forcing Specific Services:
python brutespray.py --file nmap.gnmap --service ftp,ssh,telnet --threads 5 --hosts 5
Specific Credentials:
python brutespray.py --file nmap.gnmap -u admin -p password --threads 5 --hosts 5
Continue After Success:
python brutespray.py --file nmap.gnmap --threads 5 --hosts 5 -c
Use Nmap XML Output
python brutespray.py --file nmap.xml --threads 5 --hosts 5
Use JSON Output
python brutespray.py --file out.json --threads 5 --hosts 5
Interactive Mode
python brutespray.py --file nmap.xml -i
Supported Services
ssh
ftp
telnet
vnc
mssql
mysql
postgresql
rsh
imap
nntp
pcanywhere
pop3
rexec
rlogin
smbnt
smtp
svn
vmauthd
snmp
IMCP SCAN
# 1 echo request to a host
ping -c 1 199.66.11.4
# Send echo requests to ranges
fping -g 199.66.11.0/24
#Send echo, timestamp requests and subnet mask requests
nmap -PEPM -sP -n 199.66.11.0/24
TCP LARGE SCAN
#Using masscan to scan top20ports of nmap in a /24 range (less than 5min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24
HTTP PORT SCAN
masscan -p80,443,8000-8100,8443 199.66.11.0/24
UDP SCAN
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable
# wget https://raw.githubusercontent.com/CiscoCXSecurity/udp-proto-scanner/master/udp-proto-scanner.pl
#chmod +x udp-proto-scanner.pl
./udp-proto-scanner.pl 199.66.11.53/24
It looks for :
- DNS
- TFTP
- NTP
- NBT
- SunRPC
- MS SQL
- DB2
- SNMPv3
SCTP SCAN
#Probably useless, but it's pretty fast, why not trying?
nmap -T4 -sY -n --open -Pn <IP/range>
Internal/On-Site Scan
Passsive wardriving
netdiscover -p
p0f -i eth0 -p -o /tmp/p0f.log
# Bettercap
sudo bettercap
net.recon on/off #Read local ARP cache periodically
net.show
set net.show.meta true #more info
-p
= Passive mode : only sniff
Active wardriving
#ARP discovery
nmap -sn <Network> #ARP Requests (Discover IPs)
netdiscover -r 192.168.63.0/24 #ARP requests (Discover IPs)
#NBT discovery
nbtscan -r 192.168.0.1/24 #Search in Domain
# Bettercap
net.probe on/off #Discover hosts on current subnet by probing with ARP, mDNS, NBNS, UPNP, and/or WSD
set net.probe.mdns true/false #Enable mDNS discovery probes (default=true)
set net.probe.nbns true/false #Enable NetBIOS name service discovery probes (default=true)
set net.probe.upnp true/false #Enable UPNP discovery probes (default=true)
set net.probe.wsd true/false #Enable WSD discovery probes (default=true)
set net.probe.throttle 10 #10ms between probes sent (default=10)
#IPv6
alive6 <IFACE> # Send a pingv6 to multicast.
Normal Network scan
1. Nmap:
nmap -p 1-1000 192.168.1.1
Large Network Scan
1. Masscan:
masscan -p 1-65535 192.168.1.0/24
2. Zmap:
zmap -p 80,443 192.168.0.0/16
3. Unicornscan :
unicornscan -mU -p 161 192.168.1.1
4. hping :
hping3 -S -p 80 192.168.1.1
Nmap Basics
Default Scripts + Server Version check
nmap -sC -sV IP_ADDRESS -oN
If cannot ping , just scan all port
nmap -Pn -p-
Check for subnets
nmap -sn 10.10.10.0/24
nmap -sn 10.10.0.0/16
nmap -sn 10.0.0.0/8
Check for SMB vulnerability
nmap --script smb-vuln*
Check for SSL
nmap --script ssl-enum-ciphers
nmap --script ssl-*
Check all scripts
ls -l /usr/share/nmap/scripts/
Check for subdomain
nmap --script dns-brute -sn google.com
Bypass Firewall Techniques
Fragmentation : Bypass firewall packet inspection
nmap -f 192.168.0.1
Resizing MTU : Confuse firewall packet size inspection
nmap --mtu 24 192.168.0.1
Using decoy address : spoof packets from other hosts to confuse or obfuscate the target system
nmap -D RND:10 192.168.0.1
nmap -D decoy-ip-1,decoy-ip-2,decoy-ip-3 192.168.0.1
RND: 10 = Fake IP up to 10
Idle Zombie Scan : using other host to scan
nmap -sI 192.168.0.1 192.168.0.40
Source Port Number Specification : for firewall that only allow certain ports
nmap --source-port 80 192.168.0.1
Append Random Data : add more data to packet to confuse firewall
nmap --data-length 1024 192.168.0.1
Scan with Random Order : avoid behaviour detection
nmap --randomize-hosts 192.168.0.1
MAC Address Spoofing : change mac address to bypass MAC address-based filters
nmap --spoof-mac 00:11:22:33:44:55 192.168.0.1
Send Bad Checksums : abuse firewall that only check badsum
nmap --badsum 192.168.0.1
TCP/IP Fragmentation : bypass firewall rules that are based on packet contents
nmap --mtu 16 --max-rtt-timeout 10 192.168.0.1
Advanced one-liner :
nmap -sS --max-retries 5 --max-scan-delay 500ms --scan-delay 500ms -T2 -r -D RND:10 -f --source-port 53,80,443,8080 -Pn -vv [TARGET_IP] -oX /root/results.xml
nmap --script-args http.useragent='' -vv --open -sU -sS --script/usr/share/nmap/scripts/vulners.nse -oX /root/results.xml -p T:1-65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:500,:U:520,U:2049 [TARGET_IP]
Threader3000
git clone https://github.com/dievus/threader3000.git
./threader3000.py
Enter IP
Last updated
Was this helpful?