Network Enumeration
#Masscan Fast scan network
Intrusionz3r0X@htb[/htb]$ masscan -p -Pn 192.168.0.0/16 --rate=10000
#Scan the local network
Intrusionz3r0X@htb[/htb]$ arp-scan -I eth0 --localnet --ignoredups
Intrusionz3r0X@htb[/htb]$ net-discover -i eth0
Intrusionz3r0X@htb[/htb]$ fping -a -g 10.10.110.0/24 2>/dev/null
# Banner Grabbing using nc
Intrusionz3r0X@htb[/htb]$ nc -nv 10.129.2.28 25
#Specific script category
Intrusionz3r0X@htb[/htb]$ sudo nmap <target> --script <category>
#Defined Scripts
Intrusionz3r0X@htb[/htb]$ sudo nmap <target> --script <script-name>,<script-name>,...
#Host Discovery
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
#SYN-Scan (Default as root | Fast)
Intrusionz3r0X@htb[/htb]$ sudo nmap -sS -p- -Pn -n --disable-arp-ping 10.129.22.77 -oG NmapScanAllTCPPorts --stats-every=5s
#TCP Connect Scan. (Slow | Accurate | Stealthy | less likely to be detected by IDS/IPS | doesn't disturb or impact the services | SYN-ACK = open port / RST = closed port)
Intrusionz3r0X@htb[/htb]$ nmap -sT -p- -Pn -n --disable-arp-ping 10.129.22.77 -oG NmapScanAllTCPPorts --stats-every=5s
#ACK-Scan. (Much harder for firewalls and IDS/IPS systems to filter than a SYN Scan or TCP Connect Scan)
Intrusionz3r0X@htb[/htb]$ nmap -sA -p- --open -Pn -n --disable-arp-ping 10.129.22.77 -oG NmapScanAllTCPPorts --stats-every=5s
#UDP SCAN
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -sU -F -Pn -n --disable-arp-ping -oG NmapScanUDPTop100Ports --stats-every=5s
#Nmap web common application discovery
Intrusionz3r0@htb[/htb]$ nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list
#Testing firewall rules
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p445 -O
#Using Decoy
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
Intrusionz3r0X@htb[/htb]$ nmap -p22 192.168.1.15 -D 10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13
#Append data size to sent packets
Intrusionz3r0X@htb[/htb]$ nmap -p22 192.168.1.15 --data-length 22
#Spoof MAC address
Intrusionz3r0X@htb[/htb]$ nmap -p22 192.168.1.15 --spoof-mac XX:XX:XX:XX:XX:XX
#Scan by Using Different Source IP
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
#SYN Scan from DNS port (source port 53)
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
#Connect to filtered port using ncat
Intrusionz3r0X@htb[/htb]$ ncat -nv --source-port 53 10.129.2.28 50000
Intrusionz3r0X@htb[/htb]$ nslookup -type=NS zonetransfer.me
Server: 192.168.1.254
Address: 192.168.1.254#53
Non-authoritative answer:
zonetransfer.me nameserver = nsztm1.digi.ninja.
zonetransfer.me nameserver = nsztm2.digi.ninja.
.......
.......
Intrusionz3r0X@htb[/htb]$ nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja
#-------------------------------------------------------
# patterns.txt (content-file)
#-------------------------------------------------------
lert-api-shv-{GOBUSTER}-sin6
atlas-pp-shv-{GOBUSTER}-sin6
#-------------------------------------------------------
Intrusionz3r0X@htb[/htb]$ export TARGET="facebook.com"
Intrusionz3r0X@htb[/htb]$ export NS="d.ns.facebook.com"
Intrusionz3r0X@htb[/htb]$ export WORDLIST="numbers.txt"
Intrusionz3r0X@htb[/htb]$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"
Found: lert-api-shv-01-sin6.facebook.com
Found: atlas-pp-shv-01-sin6.facebook.com
Found: atlas-pp-shv-02-sin6.facebook.com
Found: atlas-pp-shv-03-sin6.facebook.com
Found: lert-api-shv-03-sin6.facebook.com
Found: lert-api-shv-02-sin6.facebook.com
Found: lert-api-shv-04-sin6.facebook.com
Found: atlas-pp-shv-04-sin6.facebook.com