Network Enumeration

https://github.com/leonjza/awesome-nmap-grep

#Masscan: fast network scan (all TCP ports; -p needs a port spec)
Intrusionz3r0X@htb[/htb]$ masscan -p0-65535 -Pn 192.168.0.0/16 --rate=10000

#Scan the local network
Intrusionz3r0X@htb[/htb]$ arp-scan -I eth0 --localnet --ignoredups
Intrusionz3r0X@htb[/htb]$ netdiscover -i eth0
Intrusionz3r0X@htb[/htb]$ fping -a -g 10.10.110.0/24 2>/dev/null

# Banner Grabbing using nc
Intrusionz3r0X@htb[/htb]$ nc -nv 10.129.2.28 25

#Specific script category
Intrusionz3r0X@htb[/htb]$ sudo nmap <target> --script <category>

#Defined Scripts
Intrusionz3r0X@htb[/htb]$ sudo nmap <target> --script <script-name>,<script-name>,...

#Host Discovery
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

#SYN-Scan (Default as root | Fast)
Intrusionz3r0X@htb[/htb]$ sudo nmap -sS -p- -Pn -n --disable-arp-ping 10.129.22.77 -oG NmapScanAllTCPPorts --stats-every=5s

#TCP Connect Scan. (Slow | Accurate | Stealthy | less likely to be detected by IDS/IPS | doesn't disturb or impact the services | SYN-ACK = open port / RST = closed port)
Intrusionz3r0X@htb[/htb]$ nmap -sT -p- -Pn -n --disable-arp-ping 10.129.22.77 -oG NmapScanAllTCPPorts --stats-every=5s

#ACK-Scan. (Much harder for firewalls and IDS/IPS systems to filter than the SYN scan and the TCP Connect scan)
Intrusionz3r0X@htb[/htb]$ nmap -sA -p- --open -Pn -n --disable-arp-ping 10.129.22.77 -oG NmapScanAllTCPPorts --stats-every=5s

#UDP SCAN
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -sU -F -Pn -n --disable-arp-ping -oG NmapScanUDPTop100Ports --stats-every=5s

#Nmap web common application discovery
Intrusionz3r0X@htb[/htb]$ nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list
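The -oG files written by the scans above are meant to be post-processed (see the awesome-nmap-grep link). As an added example, not part of these notes, here is a small Python parser for grepable output run over a constructed sample, plus a check that diffs the open TCP ports against an expected allow-list baseline so unexpected exposure stands out:

```python
import re
from collections import defaultdict

# Constructed sample in the style of nmap's grepable (-oG) output, i.e. what
# NmapScanAllTCPPorts.gnmap / NmapScanUDPTop100Ports.gnmap look like.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -p- -Pn -n -oG NmapScanAllTCPPorts 10.129.22.77\n"
    "Host: 10.129.22.77 ()\tStatus: Up\n"
    "Host: 10.129.22.77 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)\n"
    "Host: 10.129.2.28 ()\tPorts: 25/open/tcp//smtp///, 53/open|filtered/udp//domain///\n"
    "# Nmap done at ...\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service), ...]} from every Host: line with a Ports: field."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")            # -oG fields are tab-separated
        host = HOST_RE.match(fields[0]).group(1)
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # each entry is port/state/proto/owner/service/rpc/version/
                parts = entry.strip().split("/")
                hosts[host].append((int(parts[0]), parts[2], parts[1], parts[4]))
    return dict(hosts)


def open_ports(text, proto="tcp"):
    """Per host, the sorted ports of one protocol whose state is exactly 'open'."""
    return {h: sorted(p for p, pr, st, _ in ports if pr == proto and st == "open")
            for h, ports in parse_gnmap(text).items()}


def unexpected_exposure(text, baseline):
    """Open TCP ports not in the allow-list baseline ({host: {ports}}); empty means the scan matches."""
    result = {}
    for host, ports in open_ports(text).items():
        extra = [p for p in ports if p not in baseline.get(host, set())]
        if extra:
            result[host] = extra
    return result
```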

Firewall Evasion Techniques

#Testing the firewall rule
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p445 -O

#Using Decoy
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
Intrusionz3r0X@htb[/htb]$ nmap -p22 192.168.1.15 -D 10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13

#Append data to sent packets (pad each probe with 22 extra bytes)
Intrusionz3r0X@htb[/htb]$ nmap -p22 192.168.1.15 --data-length 22

#Spoof MAC address
Intrusionz3r0X@htb[/htb]$ nmap -p22 192.168.1.15 --spoof-mac XX:XX:XX:XX:XX:XX

#Scan by Using Different Source IP
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

#SYN Scan from DNS port
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

#Connect to filtered port using ncat
Intrusionz3r0X@htb[/htb]$ ncat -nv --source-port 53 10.129.2.28 50000

Manual AXFR Zone Transfer

Intrusionz3r0X@htb[/htb]$ nslookup -type=NS zonetransfer.me

Server:		192.168.1.254
Address:	192.168.1.254#53

Non-authoritative answer:
zonetransfer.me	nameserver = nsztm1.digi.ninja.
zonetransfer.me	nameserver = nsztm2.digi.ninja.
.......
.......

Intrusionz3r0X@htb[/htb]$ nslookup -query=AXFR zonetransfer.me nsztm1.digi.ninja

#-------------------------------------------------------
# patterns.txt (file contents)
#-------------------------------------------------------
lert-api-shv-{GOBUSTER}-sin6
atlas-pp-shv-{GOBUSTER}-sin6
#-------------------------------------------------------

Intrusionz3r0X@htb[/htb]$ export TARGET="facebook.com"
Intrusionz3r0X@htb[/htb]$ export NS="d.ns.facebook.com"
Intrusionz3r0X@htb[/htb]$ export WORDLIST="numbers.txt"
Intrusionz3r0X@htb[/htb]$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

Found: lert-api-shv-01-sin6.facebook.com
Found: atlas-pp-shv-01-sin6.facebook.com
Found: atlas-pp-shv-02-sin6.facebook.com
Found: atlas-pp-shv-03-sin6.facebook.com
Found: lert-api-shv-03-sin6.facebook.com
Found: lert-api-shv-02-sin6.facebook.com
Found: lert-api-shv-04-sin6.facebook.com
Found: atlas-pp-shv-04-sin6.facebook.com

Active enumeration resources

Find out what websites are built with - Wappalyzer

https://github.com/michenriksen/aquatone
