nmap --top-ports 5000 ipnmap -T4 -F ip
nmap -sV -T4 -O -F -A --version-light ipnmap -p- -T4 -v ipnmap -A -T4 -sC -sV ip nmap 192.168.1.1/24 -sn -T4 ipnmap -sC ip
nmap --script "default,discovery,exploit,version,vuln" ip
nmap --script "default,discovery,exploit,version,vuln,servicetags,ntp-monlist,dns-recursion,snmp-sysdescr" ipsudo nmap -sU -T4 ip
sudo nmap -sUV -T4 -F --version-intensity 0 ip
sudo nmap -sU -A -PN -n -pU:19,53,123,161 -script=ntp-monlist,dns-recursion,snmp-sysdescr ip
sudo nmap -sU -pU:19,53,123,161 -Pn -n --max-retries=0 ipnmap -T4 -sY -n --open -Pn ipsudo nmap -sS -sU -p- -PN -O -sV -sC --allports --version-all -T4 ip -vvPort: 53
Domain Name System (DNS) is the hierarchical and distributed naming system used to identify computers reachable through the Internet. These are most commonly used to map human-friendly domain names to the numerical IP addresses computers need to locate services.
dig ANY @dns_ip domaindig TXT @dns_ip domaindig axfr @dns_ip domaindig -x ip @dns_ipdnsrecon -r 127.0.0.0/24 -n ip_dnsPort: 161 / 162
SNMP is used to monitor the network, detect network faults, and sometimes even used to configure remote devices.
snmp-check ipThe rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. - redhat
Port: 111
rpcinfo -p ip
A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. - redhat
Port: 2049
To bypass permission change your uid
showmount -e squashed.htbmount -t nfs squashed.htb:/ nsf_mount -o nolockARP Scannner Tools shows every active IPv4 device on your Subnet. Since ARP is non-routable, this type of scanner only works on the local LAN.
Address Resolution Protocol (ARP) is the Dynamic mapping technique used to map the logical address (IP) to a physical address (MAC).
sudo arp
Address HWtype HWaddress Flags Mask Iface
NameHost ether xx:xx:xx:xx:xx:xx C INTRFCnetdiscoverarp-scan -lss -lntunetstat -tulpnexport HYDRA_PROXY=connect://localhost:8080hydra -C wordlist.txt SERVER_IP -s PORT http-get /hydra -l admin -P wordlist.txt -f ip -s port http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"hydra -L user.txt -P pass.txt -u -f -t 4 ssh://ip:porthydra -l m.gates -P /usr/share/wordlists/rockyou.txt ftp://127.0.0.1sudo wireshark- File > Export Object > HTTP
- Rigth Click On request > Follow > TCP
smb || smb2 || http || tcp ||
ip.src == 1.1.1.1 && ip.dst == 1.1.1.1 && tcp.port == 80
tcpflow -r capture.pcapsudo tcpdump -i anysudo tcpdump -i any -c <MAX_PACKETS> host 192.168.1.1 '&&' port 80 '&&' src 1.1.1.1sudo tcpdump -i any -c10 -nn -A port 80sudo tcpdump -i any -w file.pcapfrom scapy.all import *
scapy_cap = rdpcap('file.pcap')
i = 0
for packet in scapy_cap:
if type(packet[TCP].payload) == scapy.packet.Raw:
try:
print(i, ':', packet[TCP].payload.load.decode())
except:
print(i, ':', packet[TCP].payload.load)
i += 1