Nmap - Ports List
Top 1000 Ports
nmap -sT --top-ports 1000 -v -oG - # TCP
nmap -sU --top-ports 1000 -v -oG - # UDP
Ports ordered by frequency
To list ports sorted by their open-frequency as recorded in Nmap's historical data (third column of nmap-services; higher means more often found open) →
LC_ALL=C sort -g -r -k3,3 /usr/share/nmap/nmap-services | grep -iPv '^#.+$' | less
Host Discovery - Passive
UNIX-Like
TCPDump
tcpdump --interface '<NTW_INTERFACE>' -v -n -l | grep -ioP --color -- '\d{1,3}(\.\d{1,3}){3}'
Passive discovery only listens (nothing is sent on the wire), so it is silent and also surfaces hosts that drop active probes, at the cost of only seeing hosts that happen to talk while you capture
Wireshark is just as valid if a GUI is available, e.g. over an RDP connection
ARP
arp -a
IP
ip route list
Windows
Wireshark
ARP
arp -a
Route
route print
Host Discovery - Active
Nmap
By default, Nmap checks whether the source IP address sits in the same network segment as the target one
In that case it carries out host discovery via ARP ping, which on a local segment is both faster and more reliable than ICMP, since a host cannot filter ARP without dropping off the network
INFO
Run Nmap scans with elevated privileges (sudo) whenever possible: ARP ping, ICMP probes and SYN scans need raw sockets, and without them Nmap quietly falls back to weaker methods (TCP connect probes for discovery, -sT for port scanning)
Use the --packet-trace and --reason options to see the host discovery method Nmap used and more information about the scan
ARP Ping
sudo nmap -sn -n -oA activeHosts <NETWORK_ADDRESS> | grep -iPo -- 'for\s\K\d{1,3}(\.\d{1,3}){3}'
ICMP Echo Request
To disable ARP ping and use ICMP Echo Requests as the host discovery method instead →
sudo nmap -sn -PE -n --disable-arp-ping -oA activeHosts <NETWORK_ADDRESS> | grep -iPo -- 'for\s\K\d{1,3}(\.\d{1,3}){3}'
Note that hosts which drop ICMP echo (a common host-firewall default) will be missed by -PE, while ARP ping still finds them on the same segment
Use -iL to provide a targets list from an input file
Bash
ICMP (Ping)
Applied to /24 Networks
- Oneliner
for _ip in X.X.X.{1..254} ; do ( ping -c1 -W1 "$_ip" &> /dev/null && printf "Active Host - %s\n" "$_ip" & ) ; done
- Bash Script
#!/usr/bin/env bash
sigint_handler ()
{
printf \
"\n[+] SIGINT Signal sent to %s. Exiting...\n" \
"${0##*/}" \
1>&2
trap - SIGINT
kill -SIGINT "$$"
}
hostDiscovery ()
{
local -- _ipRange=${1%.*} _ip=
for _ip in $_ipRange.{1..254}
do
ping -c1 -W1 "$_ip" &> /dev/null && printf "Host Active -> %s\n" "$_ip" &
done ; wait
}
trap 'sigint_handler' SIGINT
hostDiscovery "$@"
Usage →
bash hostDiscovery.bash X.X.X.X/24
Metasploit
From a meterpreter session
meterpreter > run post/multi/gather/ping_sweep RHOSTS=<CIDR> # e.g. 172.16.5.0/24
CMD
As far as I know, there is no way to implement parallelism in CMD to speed up scanning
for /L %i in (1,1,254) do @ping /n 1 /w 200 X.X.X.%i | find "TTL=" > NUL && echo X.X.X.%i - ACTIVE HOST
Filter on TTL= rather than on ping's exit code: ping.exe exits successfully on "Destination host unreachable" replies, which would otherwise mark dead hosts as active. Inside a .bat file double the percent signs (%%i)
Powershell
W/O Workflow
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
Workflow
Parallelism
Workflow ICMPSweep {foreach -Parallel -ThrottleLimit 8 ($i in 1..254){if(ping -n 1 -w 200 172.16.6.$i | Select-String -Pattern 'TTL'){"172.16.6.$($i) - ACTIVE HOST"}}}; ICMPSweep
Workflows exist only in Windows PowerShell 5.1; on PowerShell 7 use 1..254 | ForEach-Object -Parallel { ... } -ThrottleLimit 8 instead. Matching on TTL rather than on ping's exit code is deliberate, as ping.exe returns success for "Destination host unreachable" replies
Fping
fping -asgq <CIDR> # -a alive hosts only, -s summary stats, -g expand the CIDR into targets, -q quiet (no per-probe errors)
Port Scanning
Nmap
Default scan as root → top 1000 TCP ports via -sS (SYN scan)
Default scan as a non-privileged user → top 1000 TCP ports via -sT (connect scan: full three-way handshake, so the connection is visible to the service)
It is always recommended to run a fast port scan first (full range, no scripts) to get an overview of the open ports; --min-rate 5000 trades accuracy for speed, so lower it on lossy links or rescan if results look inconsistent
Stealth/SYN Scan
-sS Option
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG <OUTPUT_FILE> <TARGET>
Connect/TCP Scan
-sT Option
nmap -p- --open -sT --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG <OUTPUT_FILE> <TARGET>
UDP Scan
-sU Option
nmap -p- --open -sU --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG <OUTPUT_FILE> <TARGET>
Note that -p- over UDP is slow and noisy even with --min-rate: most probes get no answer (reported as open|filtered) and targets rate-limit the ICMP port-unreachable replies that mark closed ports, so a --top-ports UDP scan combined with -sV is usually the better first pass
Once the initial scan has been done, proceed to a comprehensive scan of each open port
This scan performs actions such as:
- Obtain the service and its version running on each open port → -sV
- Run the basic set of Nmap recon scripts (default category) → -sC
Default NSE Category
-sC
To list the scripts that belong to the default category (what -sC runs) →
find / -iname '*.nse' -type f 2> /dev/null | xargs grep --color -iP -- 'categories.+default'
To extract all Nmap NSE categories →
grep -iPo -- '"\K\w+(?=")' < <( find / -iname '*.nse' -type f 2> /dev/null -exec grep --color -i -- 'categories' {} + 2> /dev/null ) | sort -u
nmap --script-help default prints the same list together with each script's description. Keep in mind that these scripts talk to every service they match, so a -sC run is visible in the target's application logs
Comprehensive Scan
nmap -p<PORTS> -sC -sV -n -Pn --disable-arp-ping -oA <OUTPUT_FILE> <TARGET>
Output Formats
Note that there are several formats available for exporting scan output in Nmap (-oA <BASENAME> writes all three at once)
- Grepable Format → -oG, one host per line, easy to parse with grep/awk
- Normal Format → -oN, the same text printed on screen
- XML Format → -oX, use xsltproc to convert the XML output to HTML and get a better overview of the analysis, then serve it over HTTP if needed
xsltproc <XML_FILE> --output <HTML_FILE>
python3 -m http.server <PORT>
Bash
PortsScan.bash
#!/usr/bin/env bash
# Ping sweep of a /24 followed by a TCP connect check of ports 1-5000 on every live host,
# using bash's /dev/tcp pseudo-device (no nmap required). Every probe is backgrounded with
# no concurrency limit, so expect thousands of processes per host; shrink the port range
# or switch to the commented _ports list on slow boxes.

getHosts()
{
    local -- _ip=${1%.*} _host= _tmpFile=$( mktemp --tmpdir=. )
    local -n -- _hosts=$2                        # nameref: results land in the caller's array
    trap 'rm --force -- "$_tmpFile"' RETURN
    for _host in "$_ip".{1..254}
    do
        timeout 1 ping -c1 -W1 "$_host" &> /dev/null && \
            printf "%s\n" "$_host" >> "$_tmpFile" &
    done
    wait
    while IFS= read -r _ip || [[ $_ip ]]
    do
        _hosts+=("$_ip")
    done < "$_tmpFile"
}

getPorts()
{
    local -- _port= _host=
    local -a -- _nodes=()
    #local -a _ports=(21 22 23 25 53 80 135 139 443 445 389 636 3306 5432 1433)
    getHosts "$1" _nodes
    for _host in "${_nodes[@]}"
    do
        #for _port in "${_ports[@]}"
        for _port in {1..5000}
        do
            timeout 1 bash -c "echo '' > /dev/tcp/${_host}/${_port}" &> /dev/null && \
                printf "Host -> %s | Port -> %s\n" "$_host" "$_port" &
        done
    done ; wait
}

getPorts "$@"
Usage →
bash PortsScan.bash X.X.X.X/24
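The script below is an added example, not part of the original page: it ties together the two parsing steps above, building a per-protocol port list from nmap-services frequencies (Ports ordered by frequency) and turning the grepable output of the initial scan into the -p list the comprehensive scan needs. The nmap-services excerpt and the .gnmap lines embedded in it are constructed, abbreviated samples, and the function names (top_ports, gnmap_open_ports, scan_commands) are this example's own; point the functions at /usr/share/nmap/nmap-services and a real .gnmap file for actual use.

```shell
#!/usr/bin/env bash
# Added example: custom port lists from nmap-services and a parser for -oG output.
# Both samples below are constructed, abbreviated stand-ins for the real files.

# Abbreviated copy of the nmap-services layout: name  port/proto  open-frequency  [# comment]
NMAP_SERVICES_SAMPLE='# Fields: servicename portnum/protocol open-frequency optional-comment
ftp 21/tcp 0.197667 # File Transfer [Control]
ssh 22/tcp 0.182286 # Secure Shell Login
http 80/tcp 0.484143 # World Wide Web HTTP
https 443/tcp 0.208669
microsoft-ds 445/tcp 0.056944 # SMB directly over IP
domain 53/udp 0.213496
ntp 123/udp 0.330879
snmp 161/udp 0.433467
ftp 21/udp 0.000000'

# top_ports <tcp|udp> <N>: reads nmap-services on stdin and prints the N most frequently
# open ports of that protocol as a comma list ready for "nmap -p" (the same ordering
# --top-ports uses, but limited to one protocol and reusable with any other tool).
top_ports() {
    awk -v proto="$1" '
        /^#/ { next }                                   # skip comment lines
        { split($2, pp, "/"); if (pp[2] == proto) print pp[1], $3 }
    ' | LC_ALL=C sort -k2,2gr -k1,1n | awk -v n="$2" '
        NR <= n { printf "%s%s", (NR > 1 ? "," : ""), $1 }
        END { print "" }
    '
}

# Constructed -oG output of the initial "nmap -p- --open" scan. Fields are tab-separated
# and every port entry reads port/state/proto/owner/service/rpc/version.
GNMAP_SAMPLE=$(printf '%b\n' \
    '# Nmap scan initiated as: nmap -p- --open -sS -oG scan.gnmap 10.10.10.0/24' \
    'Host: 10.10.10.5 ()\tStatus: Up' \
    'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)' \
    'Host: 10.10.10.7 ()\tPorts: 53/open|filtered/udp//domain///, 161/open/udp//snmp///' \
    'Host: 10.10.10.9 ()\tStatus: Down' \
    '# Nmap done -- 256 IP addresses (2 hosts up) scanned')

# gnmap_open_ports: reads -oG output on stdin and prints "host<TAB>port,port,...", keeping
# only ports whose state is exactly "open" (open|filtered UDP guesses are dropped on purpose,
# so the slow -sC -sV pass is not spent on ports that may not exist).
gnmap_open_ports() {
    awk -F '\t' '
        /^Host:/ && /Ports:/ {
            split($1, h, " ")                           # "Host: <ip> (<name>)" -> h[2] is the IP
            ports = ""
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports:/) continue
                sub(/^Ports: */, "", $i)
                n = split($i, entry, /, */)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")             # f[1]=port f[2]=state f[3]=proto
                    if (f[2] != "open") continue
                    sep = (ports == "") ? "" : ","
                    ports = ports sep f[1]
                }
            }
            if (ports != "") print h[2] "\t" ports
        }
    '
}

# scan_commands: turns the parser output into the comprehensive scan from the page, one
# command per host, so that -p carries exactly the ports the initial scan found open.
scan_commands() {
    while IFS="$(printf '\t')" read -r host ports; do
        printf 'nmap -p%s -sC -sV -n -Pn --disable-arp-ping -oA %s %s\n' \
            "$ports" "full_$host" "$host"
    done
}

# Demo on the constructed samples. For real use:
#   top_ports udp 100 < /usr/share/nmap/nmap-services
#   gnmap_open_ports < scan.gnmap | scan_commands | bash
printf '%s\n' "$NMAP_SERVICES_SAMPLE" | top_ports tcp 3        # 80,443,21
printf '%s\n' "$GNMAP_SAMPLE" | gnmap_open_ports | scan_commands
```

Only awk, sort and printf are used, so the script runs on any Linux box without Nmap installed, which is handy when the .gnmap file is copied off an engagement host for processing elsewhere.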
Firewall - IDS/IPS Evasion
Nmap
ACK Scan
-sA Option
nmap -p- --open -sA --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG <OUTPUT_FILE> <TARGET>
An ACK scan never reports open or closed: a port that answers with RST is unfiltered (a stateless filter lets the packet through), no answer means filtered. Use it to map firewall rules rather than to find services; --open keeps the unfiltered ports in the output
Decoys
-D Option
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -D RND:6 -oG <OUTPUT_FILE> <TARGET>
CAUTION
Note that the hosts used as decoys need to be up: the target's SYN/ACKs to a dead decoy are never reset, so its half-open connections pile up into an accidental SYN flood. RND:6 picks 6 random addresses with no such guarantee, so prefer an explicit list of live hosts, e.g. -D <DECOY_1>,<DECOY_2>,ME
Source IP/Port
-S and --source-port Options
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -S <SPOOFED_IP> --source-port <PORT> -oG <OUTPUT_FILE> <TARGET>
With -S the replies go to the spoofed address, so Nmap sees nothing unless that traffic can be sniffed, and -e <INTERFACE> is usually needed alongside it. --source-port on its own is the practical trick: a fixed source port such as 53 or 88 gets through filters that blindly trust DNS or Kerberos traffic. It only applies to raw-packet scans (-sS, -sU), not to -sT, -sV or NSE scripts, which go through the OS socket API and let the kernel pick the source port