Network Enumeration

https://github.com/leonjza/awesome-nmap-grep

#Masscan Fast scan network
Intrusionz3r0X@htb[/htb]$ masscan -p -Pn 192.168.0.0/16 --rate=10000 

#Scan the local network
Intrusionz3r0X@htb[/htb]$ arp-scan -I eth0 --localnet --ignoredups
Intrusionz3r0X@htb[/htb]$ net-discover -i eth0
Intrusionz3r0X@htb[/htb]$ fping -a -g 10.10.110.0/24 2>/dev/null

# Banner Grabbing using nc
Intrusionz3r0X@htb[/htb]$  nc -nv 10.129.2.28 25

#Specific Stript category
Intrusionz3r0X@htb[/htb]$ sudo nmap <target> --script <category>

#Defined Scripts
Intrusionz3r0X@htb[/htb]$ sudo nmap <target> --script <script-name>,<script-name>,...

#Host Discovery
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

#SYN-Scan (Default as root | Fast) 
Intrusionz3r0X@htb[/htb]$ sudo nmap -sS -p- -Pn -n --disable-arp-ping 10.129.22.77 -oG NmapScanAllTCPPorts --stats-every=5s

#TCP Connect Scan. (Slow | Accurate | Stealthy | less likely to be detected by IDS/UPS | don't disturb or impact the services  |  SYN-ACK-Open port/RST-Closed port)
Intrusionz3r0X@htb[/htb]$ nmap -sT -p- -Pn -n --disable-arp-ping 10.129.22.77 -oG NmapScanAllTCPPorts --stats-every=5s

#ACK-Scan. (Much harder to filter for firewalls and IDS/IPS system than SYS Scan and TCP Connect Scan)
Intrusionz3r0X@htb[/htb]$ nmap -sA -p- --open -Pn -n --disable-arp-ping 10.129.22.77 -oG NmapScanAllTCPPorts --stats-every=5s

#UDP SCAN
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -sU -F -Pn -n --disable-arp-ping -oG NmapScanUDPTop100Ports --stats-every=5s

#Nmap web common application discovery
Intrusionz3r0@htb[/htb]$ nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list

Firewall Evasion Techniques

#Testing the firewall Rule
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p445 -O

#Using Decoy
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
Intrusionz3r0X@htb[/htb]$ nmap -p22 192.168.1.15 -D 10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13

#Append data size to sent packets
Intrusionz3r0X@htb[/htb]$ nmap -p22 192.168.1.15 --data-length 22 

#Spoof MAC address
Intrusionz3r0X@htb[/htb]$ nmap -p22 192.168.1.15 --spoof-mac XX:XX:XX:XX:XX:XX

#Scan by Using Different Source IP
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

#SYN Scan fron DNS Port
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

#Connect to filtered port using ncat
Intrusionz3r0X@htb[/htb]$ ncat -nv --source-port 53 10.129.2.28 50000

Manual AXFR Zone Transfer

Intrusionz3r0X@htb[/htb]$ nslookup -type=NS **zonetransfer.me**

Server:		192.168.1.254
Address:	192.168.1.254#53

Non-authoritative answer:
zonetransfer.me	nameserver = **nsztm1.digi.ninja**.
zonetransfer.me	nameserver = nsztm2.digi.ninja.
.......
.......

Intrusionz3r0X@htb[/htb]$ nslookup -type=any -query=AXFR **zonetransfer.me** **nsztm1.digi.ninja**


#-------------------------------------------------------
#					  patterns.txt (content-file)
#-------------------------------------------------------
lert-api-shv-{GOBUSTER}-sin6
atlas-pp-shv-{GOBUSTER}-sin6
#-------------------------------------------------------

Intrusionz3r0X@htb[/htb]$ export TARGET="facebook.com"
Intrusionz3r0X@htb[/htb]$ export NS="d.ns.facebook.com"
Intrusionz3r0X@htb[/htb]$ export WORDLIST="numbers.txt"
Intrusionz3r0X@htb[/htb]$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

Found: lert-api-shv-01-sin6.facebook.com
Found: atlas-pp-shv-01-sin6.facebook.com
Found: atlas-pp-shv-02-sin6.facebook.com
Found: atlas-pp-shv-03-sin6.facebook.com
Found: lert-api-shv-03-sin6.facebook.com
Found: lert-api-shv-02-sin6.facebook.com
Found: lert-api-shv-04-sin6.facebook.com
Found: atlas-pp-shv-04-sin6.facebook.com

Active enumeration resources

Find out what websites are built with - Wappalyzer

https://github.com/michenriksen/aquatone

PreviousEnumeration Next(OSINT) Active Enumeration

Last updated 1 year ago