Active
Directly interacts with a target system to obtain information.
Designed to take screenshots of websites, provide some server header info, and identify default credentials if known.
eyewitness --web -x <nmap_scan>.xml -d <output_name>
eyewitness --web -x <nessus_scan>.xml -d <output_name>
eyewitness -f <subdomains> -d <output_name>
Automated
Infrastructure
Technology Stack
whatweb -v <DOMAIN>
whatweb -v -a <LEVEL_AGGRESSIVE> <DOMAIN>
Option to install it as a browser extension.
WAF
Allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.
wafw00f -v -a <DOMAIN>
DNS Subdomain & Vhost
Script for DNS info and specific scans
dnsrecon -d <DOMAIN> [-n <SERVER_DNS>]
dnsrecon -d <DOMAIN> -D <WORDLIST> -t brt (bruteforce)
dnsrecon -d <DOMAIN> -r <RANGE> (reverse lookup)
Script that automatically enumerates DNS subdomains
dnsenum <DOMAIN> [--dnsserver <SERVER_DNS>]
Bruteforce subdomain
gobuster dns [--resolver <SERVER_DNS>] -d <DOMAIN> -w <WORDLIST> --no-error
Try to find vhosts
ffuf -c -w <WORDLIST>:X -u http://X.<DOMAIN>/
ffuf -c -w <WORDLIST>:X -u http://<IP:PORT or DOMAIN>/ -H 'Host: X.<DOMAIN>'
Create a resolver list with your own name servers (e.g. myResolver.txt)
subbrute.py -r myResolver.txt <DOMAIN> [-s <WORDLIST>]
Zone Transfer
Zone Transfer is how a secondary (slave) DNS server receives the zone data from the primary (master) DNS server and keeps it up to date. The primary DNS server may not be configured correctly: if we can successfully perform a zone transfer for a domain, we get all the records available for that domain.
1. Find all possible subdomains and name servers.
2. Perform Asynchronous Full Transfer Zone (AXFR) queries against each element found at step 1.
3. Online test for open zone transfer.
Port & Host scanning
Find the active hosts and ports, then proceed with service enumeration.
Uses ARP requests on the same subnet, ICMP otherwise.
nmap -sn <NETWORK>
Host discovery, no port scan.
nmap -iL <FILE>
Input from list of hosts/networks
nmap -sn -PE/-PS/-PA/-PU <NETWORK>
ICMP/TCP-SYN/TCP-ACK/UDP scan.
--disable-arp-ping
Disable ARP.
--packet-trace, --reason
For investigating.
Ping Sweep
Do this at least twice to be sure.
Linux
for i in {1..254} ;do (ping -c 1 X.X.X.$i | grep "bytes from" &) ;done
CMD
for /L %i in (1 1 254) do ping X.X.X.%i -n 1 -w 100 | find "Reply"
PowerShell
1..254 | % {"172.15.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}
nmap -Pn -n <IP>
No host discovery and no DNS resolution.
sudo nmap -sS <IP>
SYN scan (default with sudo).
nmap -sT <IP>
CONNECT scan (default without sudo).
sudo nmap -sA <IP>
ACK scan.
sudo nmap -sU [--open] <IP>
UDP scan.
-v
Show open ports as soon as it reveals them.
-T<1-5> -sV -sC -O
Speed, Version, Default Script, OS
-A
-sV + -sC + -O
--source-port
Possible firewall bypass (e.g. --source-port 53)
/usr/share/nmap/scripts/
nmap --script-updatedb
nmap --script-help <SCRIPT>
nmap --script "<SCRIPT or TYPE>" <IP>
NSE scripts for enumeration and attack of services.
nmap -oN <NAME> <IP>
Normal text format, .nmap
nmap -oX <NAME> <IP>
XML format, .xml
nmap -oG <NAME> <IP>
Grepable format, .gnmap
nmap -oA <NAME> <IP>
All three formats at once.
xsltproc <FILE.xml> -o <NEW_NAME.html>
Create an html page from xml nmap scan.
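As an added example (not part of the original notes): a small Python parser for the grepable (-oG / .gnmap) format above, which turns each host's Ports field into structured records and groups the open ports by service so the next enumeration step can be driven from the scan file. The scan text is constructed for the example, not a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of nmap -oG output (not a real scan). Each Ports entry is
# port/state/protocol/owner/service/rpc-info/version, entries separated by ", ".
SAMPLE_GNMAP = """# Nmap scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 53/open|filtered/udp//domain///\tIgnored State: closed (997)
Host: 10.0.0.2 (db.internal)\tStatus: Up
Host: 10.0.0.2 (db.internal)\tPorts: 3306/open/tcp//mysql//MySQL 8.0.33/, 22/closed/tcp//ssh///\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done -- 8 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"Host: (\S+) \((.*)\)")
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_gnmap(text):
    """Return {ip: {"hostname": str, "status": str, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' banner and summary lines
        fields = line.split("\t")  # Host / Status / Ports / Ignored State are tab-separated
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": "", "ports": []})
        for field in fields[1:]:
            if field.startswith("Status:"):
                entry["status"] = field.split(": ", 1)[1]
            elif field.startswith("Ports:"):
                for port, state, proto, _own, service, _rpc, version in PORT_RE.findall(field):
                    entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                           "service": service, "version": version})
    return hosts

def open_ports(hosts):
    """(ip, port, proto, service, version) for state 'open' only: 'open|filtered' UDP guesses and closed ports are dropped."""
    return [(ip, p["port"], p["proto"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]

def group_by_service(hosts):
    """Map service name -> sorted 'ip:port/proto' endpoints, to drive per-service enumeration."""
    by_service = defaultdict(list)
    for ip, port, proto, service, _version in open_ports(hosts):
        by_service[service or "unknown"].append(f"{ip}:{port}/{proto}")
    return {svc: sorted(eps) for svc, eps in by_service.items()}
```

Point it at a real .gnmap file with `parse_gnmap(open("scan.gnmap").read())`; the `-oX` output is better suited to xsltproc and to tools that consume XML, while this grepable form is the quickest to post-process in a script.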
netcat
nc -nzvv -w 1 <IP> <PORT-RANGE> (CONNECT scan)
nc -nzv -u -w 1 <IP> <PORT-RANGE> (UDP scan, prone to false positives)
Powershell
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<IP>", $_)) "TCP port $_ is open"} 2>$null
Internet-scale port scanner, for very large networks
sudo masscan <NETWORK>
ICMP scan
fping -a -q -g <NETWORK>
ARP scan
arp-scan -g -S <SOURCE_MAC> -i <INTERFACE> <NETWORK>
The Modern Port Scanner
rustscan -a <IP> [<NMAP OPTIONS>]
netcat
for i in $(seq 1 254); do nc -zv -w 1 X.X.X.$i 445;done
Useful when Windows Defender blocks ICMP and a traditional ping sweep fails: probe TCP 445 (SMB) instead.