# Network Pentest

## arp-scan

scan local network ips

```
arp-scan --localnet 192.168.1.0/24
```

## netdiscovery

```
netdiscovery -r 172.20.0.0/24
```

## BruteSpray

**Using Custom Wordlists:**

```bash
python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5
```

**Brute-Forcing Specific Services:**

```bash
python brutespray.py --file nmap.gnmap --service ftp,ssh,telnet --threads 5 --hosts 5
```

**Specific Credentials:**

```bash
python brutespray.py --file nmap.gnmap -u admin -p password --threads 5 --hosts 5
```

**Continue After Success:**

```bash
python brutespray.py --file nmap.gnmap --threads 5 --hosts 5 -c
```

**Use Nmap XML Output**

```bash
python brutespray.py --file nmap.xml --threads 5 --hosts 5
```

**Use JSON Output**

```bash
python brutespray.py --file out.json --threads 5 --hosts 5
```

**Interactive Mode**

```bash
python brutespray.py --file nmap.xml -i
```

Supported Services

* ssh
* ftp
* telnet
* vnc
* mssql
* mysql
* postgresql
* rsh
* imap
* nntp
* pcanywhere
* pop3
* rexec
* rlogin
* smbnt
* smtp
* svn
* vmauthd
* snmp

## IMCP SCAN

```bash
# 1 echo request to a host
ping -c 1 199.66.11.4    
# Send echo requests to ranges
fping -g 199.66.11.0/24  
#Send echo, timestamp requests and subnet mask requests
nmap -PEPM -sP -n 199.66.11.0/24 
```

## TCP LARGE SCAN

```bash
#Using masscan to scan top20ports of nmap in a /24 range (less than 5min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24
```

## HTTP PORT SCAN

```bash
masscan -p80,443,8000-8100,8443 199.66.11.0/24
```

## UDP SCAN

```bash
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable

# wget https://raw.githubusercontent.com/CiscoCXSecurity/udp-proto-scanner/master/udp-proto-scanner.pl
#chmod +x udp-proto-scanner.pl
 ./udp-proto-scanner.pl 199.66.11.53/24

It looks for :
- DNS
- TFTP
- NTP
- NBT
- SunRPC
- MS SQL
- DB2
- SNMPv3
```

## SCTP SCAN

```bash
#Probably useless, but it's pretty fast, why not trying?
nmap -T4 -sY -n --open -Pn <IP/range>
```

## Internal/On-Site Scan

## Passsive wardriving

```bash
netdiscover -p
p0f -i eth0 -p -o /tmp/p0f.log
# Bettercap
sudo bettercap
net.recon on/off #Read local ARP cache periodically
net.show
set net.show.meta true #more info
```

* `-p` = Passive mode : only sniff

## Active wardriving

```bash
#ARP discovery
nmap -sn <Network> #ARP Requests (Discover IPs)
netdiscover -r 192.168.63.0/24 #ARP requests (Discover IPs)

#NBT discovery
nbtscan -r 192.168.0.1/24 #Search in Domain

# Bettercap
net.probe on/off #Discover hosts on current subnet by probing with ARP, mDNS, NBNS, UPNP, and/or WSD
set net.probe.mdns true/false #Enable mDNS discovery probes (default=true)
set net.probe.nbns true/false #Enable NetBIOS name service discovery probes (default=true)
set net.probe.upnp true/false #Enable UPNP discovery probes (default=true)
set net.probe.wsd true/false #Enable WSD discovery probes (default=true)
set net.probe.throttle 10 #10ms between probes sent (default=10)

#IPv6
alive6 <IFACE> # Send a pingv6 to multicast.
```

## Normal Network scan

#### 1. Nmap:

```bash
nmap -p 1-1000 192.168.1.1
```

## Large Network Scan

#### 1. Masscan:

```
masscan -p 1-65535 192.168.1.0/24
```

#### 2. Zmap:

```
zmap -p 80,443 192.168.0.0/16   
```

#### 3. Unicornscan :

```
unicornscan -mU -p 161 192.168.1.1
```

#### 4. hping :

```
hping3 -S -p 80 192.168.1.1
```

### Nmap Basics

#### Default Scripts + Server Version check

```
nmap -sC -sV IP_ADDRESS -oN 
```

#### If cannot ping , just scan all port

```
nmap -Pn -p-
```

#### Check for subnets

```
nmap -sn 10.10.10.0/24

nmap -sn 10.10.0.0/16

nmap -sn 10.0.0.0/8
```

#### Check for SMB vulnerability

```
nmap --script smb-vuln*
```

#### Check for SSL

```
nmap --script ssl-enum-ciphers
nmap --script ssl-*
```

#### Check all scripts

```
ls -l /usr/share/nmap/scripts/
```

#### Check for subdomain

```
nmap --script dns-brute -sn google.com
```

### Bypass Firewall Techniques

**Fragmentation : `Bypass firewall packet inspection`**

```
nmap -f 192.168.0.1
```

**Resizing MTU : Confuse firewall packet size inspection**

```
nmap --mtu 24 192.168.0.1
```

**Using decoy address :  spoof packets from other hosts to confuse or obfuscate the target system**

```
nmap -D RND:10 192.168.0.1

nmap -D decoy-ip-1,decoy-ip-2,decoy-ip-3 192.168.0.1
```

* RND: 10 = Fake IP up to 10

**Idle Zombie Scan : using other host to scan**

```
nmap -sI 192.168.0.1 192.168.0.40
```

**Source Port Number Specification : for firewall that only allow certain ports**

```
nmap --source-port 80 192.168.0.1
```

**Append Random Data : add more data to packet to confuse firewall**

```
nmap --data-length 1024 192.168.0.1
```

**Scan with Random Order : avoid behaviour detection**

```
nmap --randomize-hosts 192.168.0.1
```

####

#### MAC Address Spoofing : change mac address to bypass MAC address-based filters

```
nmap --spoof-mac 00:11:22:33:44:55 192.168.0.1
```

**Send Bad Checksums : abuse firewall that only check badsum**

```
nmap --badsum 192.168.0.1
```

**TCP/IP Fragmentation : bypass firewall rules that are based on packet contents**

```
nmap --mtu 16 --max-rtt-timeout 10 192.168.0.1
```

####

#### Advanced one-liner :

```
nmap -sS --max-retries 5 --max-scan-delay 500ms --scan-delay 500ms -T2 -r -D RND:10 -f --source-port 53,80,443,8080 -Pn -vv [TARGET_IP] -oX /root/results.xml
```

```
nmap --script-args http.useragent='' -vv --open -sU -sS --script/usr/share/nmap/scripts/vulners.nse -oX /root/results.xml -p T:1-65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:500,:U:520,U:2049 [TARGET_IP]
```

### Threader3000

```
git clone https://github.com/dievus/threader3000.git
./threader3000.py

Enter IP
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://jackmeister.gitbook.io/jackmeister-playbook/network-pentest.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.