nmap --top-ports 5000 ip
nmap -T4 -F ip
nmap -sV -T4 -O -F -A --version-light ip
nmap -p- -T4 -v ip
nmap -A -T4 -sC -sV ip
nmap 192.168.1.1/24 -sn -T4 ip
nmap -sC ip
nmap --script "default,discovery,exploit,version,vuln" ip
nmap --script "default,discovery,exploit,version,vuln,servicetags,ntp-monlist,dns-recursion,snmp-sysdescr" ip
sudo nmap -sU -T4 ip
sudo nmap -sUV -T4 -F --version-intensity 0 ip
sudo nmap -sU -A -PN -n -pU:19,53,123,161 -script=ntp-monlist,dns-recursion,snmp-sysdescr ip
sudo nmap -sU -pU:19,53,123,161 -Pn -n --max-retries=0 ip
nmap -T4 -sY -n --open -Pn ip
sudo nmap -sS -sU -p- -PN -O -sV -sC --allports --version-all -T4 ip -vv
Port: 53
Domain Name System (DNS) is the hierarchical and distributed naming system used to identify computers reachable through the Internet. These are most commonly used to map human-friendly domain names to the numerical IP addresses computers need to locate services.
dig ANY @dns_ip domain
dig TXT @dns_ip domain
dig axfr @dns_ip domain
dig -x ip @dns_ip
dnsrecon -r 127.0.0.0/24 -n ip_dns
Port: 161 / 162
SNMP is used to monitor the network, detect network faults, and sometimes even used to configure remote devices.
snmp-check ip
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. - redhat
Port: 111
rpcinfo -p ip
A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. - redhat
Port: 2049
To bypass permission change your uid
Show NFS
showmount -e squashed.htb
mount -t nfs squashed.htb:/ nsf_mount -o nolock
ARP Scannner Tools shows every active IPv4 device on your Subnet. Since ARP is non-routable, this type of scanner only works on the local LAN.
Address Resolution Protocol (ARP) is the Dynamic mapping technique used to map the logical address (IP) to a physical address (MAC).
sudo arp
Address HWtype HWaddress Flags Mask Iface
NameHost ether xx:xx:xx:xx:xx:xx C INTRFC
netdiscover
arp-scan -l
ss -lntu
netstat -tulpn
export HYDRA_PROXY=connect://localhost:8080
hydra -C wordlist.txt SERVER_IP -s PORT http-get /
hydra -l admin -P wordlist.txt -f ip -s port http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
hydra -L user.txt -P pass.txt -u -f -t 4 ssh://ip:port
hydra -l m.gates -P /usr/share/wordlists/rockyou.txt ftp://127.0.0.1
sudo wireshark
smb || smb2 || http || tcp ||
ip.src == 1.1.1.1 && ip.dst == 1.1.1.1 && tcp.port == 80
tcpflow -r capture.pcap
sudo tcpdump -i any
sudo tcpdump -i any -c <MAX_PACKETS> host 192.168.1.1 '&&' port 80 '&&' src 1.1.1.1
sudo tcpdump -i any -c10 -nn -A port 80
sudo tcpdump -i any -w file.pcap
from scapy.all import *
scapy_cap = rdpcap('file.pcap')
i = 0
for packet in scapy_cap:
if type(packet[TCP].payload) == scapy.packet.Raw:
try:
print(i, ':', packet[TCP].payload.load.decode())
except:
print(i, ':', packet[TCP].payload.load)
i += 1