PenTest Playbook

Network Pentesting

Scanning

Identify Live Hosts

ping $IP
// Ping sweep (ICMP ECHO requests):
fping -a -g $IP/24   // -a: show only hosts that are alive; -g: generate the target list from addr/mask
fping $IP -r 0 -e    // -r 0: no retries; -e: show elapsed time per reply (can be used to check for an IDS adding delay)
fping -q -a -g $IP/24 -r 0 -e   // all alive hosts in the subnet; -q: quiet, suppress per-target error output
nmap -sn $IP
nping $IP
ping6 $IPv6
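The sweep commands above print live hosts to the terminal; the next step is usually to feed them to `nmap -iL <hostfile>`. The following is an added example (not part of the original page) that parses nmap's greppable `-oG` output from a `nmap -sn` sweep, keeps only the hosts reported as Up, de-duplicates and sorts them numerically, and writes the host file. The sample sweep output embedded in it is constructed to match nmap's `-oG` line format, not captured from a real network.

```python
"""Turn the output of an nmap ping sweep into a host list for later scans.

`nmap -sn -oG - <range>` prints one "Host: <ip> (<name>)  Status: Up|Down"
line per target; this keeps the Up hosts, de-duplicates and sorts them as
addresses, and writes the file that `nmap -iL <hostfile>` expects.
"""
import ipaddress
import re
from pathlib import Path

# Constructed sample in nmap's greppable (-oG) format; not real scan output.
SAMPLE_GREPABLE = """\
# Nmap <version> scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG - 192.168.1.0/28
Host: 192.168.1.10 (printer.lan)\tStatus: Up
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.3 ()\tStatus: Down
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.2 ()\tStatus: Up
# Nmap done at Mon Jan  1 10:00:02 2024 -- 16 IP addresses (3 hosts up) scanned in 1.9 seconds
"""

# One greppable host line: "Host: <ip> (<reverse name or empty>)<tab>Status: <Up|Down>"
HOST_LINE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Status:\s+(?P<status>\w+)"
)


def live_hosts(grepable: str) -> list:
    """Return the unique IPs reported as Up, sorted as addresses (not as strings)."""
    up = set()
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group("status") == "Up":
            # ip_address() both validates the field and gives numeric ordering
            up.add(ipaddress.ip_address(m.group("ip")))
    return [str(ip) for ip in sorted(up)]


def write_hostfile(grepable: str, path: str) -> int:
    """Write the live hosts one per line (the -iL format) and return the count."""
    hosts = live_hosts(grepable)
    Path(path).write_text("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    n = write_hostfile(SAMPLE_GREPABLE, "live_hosts.txt")
    print(f"{n} live hosts written; next step: nmap -sS -iL live_hosts.txt")
```

Sorting by `ipaddress` rather than by string matters once a subnet has more than nine hosts: as strings, `192.168.1.10` sorts before `192.168.1.2`, which makes the resulting host file harder to compare against an asset inventory.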

Test Firewall rules using Hping3

// Modes: --rawip (-0), --icmp (-1), --udp (-2), --scan (-8), --listen (-9)
// TCP flags: -S, -A, -R, -F, -P, -U, -X = SYN, ACK, RST, FIN, PSH, URG, XMAS
// In the reply, flags=RA means the port is closed; flags=SA means the port is open.

hping3 $IP
hping3 -c 1 -S $IP -p <port>   // one SYN probe to one port (-S is SYN; lowercase -s is the source port option)
hping3 -1 192.168.1.x --rand-dest -I eth0   // -1: ICMP mode; x: randomised octet of the destination; -I: interface
nmap -f -f -sS $IP -p <port> -Pn -n --disable-arp-ping   // -f -f (or -ff): 16-byte fragments
hping3 -S -f -p <port> $IP -c 2   // -S: TCP SYN; -f: fragment the packets
nmap -D RND:10 $IP -p <port> -Pn -n --disable-arp-ping    // 10 random decoy source addresses
nmap --source-port 53 $IP -sS   // source port 53 (DNS) is often allowed through by firewall rules
nmap -sS --data-length 10 -p <port> $IP   // append 10 random bytes to each probe to evade IDS signatures
nmap --spoof-mac <vendor_name> $IP -p <port> -Pn --disable-arp-ping

Nmap

nmap -iL <hostfile.txt>   // read the targets from a file containing one host per line
// -sn: ping scan, disable the port scan
// --disable-arp-ping: on a local network nmap defaults to ARP ping for host discovery
// because it is faster; this forces IP-based probes instead (useful together with -sn)
// -sP: older alias of -sn (ping scan, show hosts that respond)
// -sL: only list the targets that would be scanned
// -Pn: skip host discovery
// -PS/PA/PU/PY [port list]: TCP SYN/ACK, UDP, SCTP discovery probes
// -PE/PP/PM: ICMP echo, timestamp, netmask request discovery
// -PO [protocol list]: IP protocol ping
// -n/-R: never do DNS resolution / always resolve
// --dns-servers <serv1,serv2,...>: specify custom DNS servers
// --traceroute: trace the hop path to each host
// --exclude-ports <port range>: exclude the specified ports
// -b <ftp relay host>: FTP bounce scan, which is stealthy. If the FTP server is vulnerable, it lets us
// launch port scans against machines on the internal network that we cannot reach directly.
// Scanning techniques:
// -sS/sT/sA/sW/sM: TCP SYN / Connect() (Connect is also used for IPv6) / ACK / Window / Maimon
// -sS: TCP SYN (half-open) scan, less obtrusive because it never completes the handshake
// -sU: UDP scan for DNS, SNMP, DHCP, ...
// -sN/sF/sX: TCP Null, FIN, Xmas scans
// --scanflags <flags>: customise the TCP flags used by the scan
// -D <decoy1,decoy2,...[ME],...>: decoy source addresses (IP spoofing)
// -D RND:10: 10 random decoy addresses against the target
// -sI <zombiehost[:probeport]>: idle scan

// A good zombie generates sequential IP IDs and is otherwise idle. To find one:

hping3 -S -r -p <port> $zombieIP   // -r: display the IP ID as a relative increment (id=+1)
// If the ID increments by exactly 1 per reply, the host is sending no other traffic and is a good zombie.
nmap -O -v -n $zombieIP   // -O: OS detection (with -v it also reports "IP ID Sequence Generation"); -n: no DNS resolution

// After finding a zombie, send the probe to the target with the zombie's address as the spoofed source,
// then probe the zombie again and compare IP IDs: the zombie's ID has increased by 2 if the target
// port is open and by 1 if it is closed. The target never sees a packet from the original IP:

hping3 -a $zombieIP -S -p <port> $IP   // -a: spoof the source address
nmap -Pn -sI $zombieIP:<port> $IP -v    // nmap's idle scan automates the whole procedure
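The hping3 firewall tests above say what the reply flags mean (SA open, RA closed) and the zombie procedure says what the IP ID increments mean (+1 per reply for an idle host; +2 versus +1 after the spoofed probe). The following added example, not part of the original page, turns both rules into code: it parses hping3 reply lines, classifies a probed port (treating no reply as filtered), checks whether a `hping3 -r` run shows the strictly +1 increments of a usable zombie, and reads an idle-scan verdict from the zombie's IP ID delta. The hping3 output embedded below is constructed to match the tool's usual line shape (`len=... ip=... ttl=... [DF] id=... sport=... flags=...`), and the sample addresses and IDs are invented.

```python
"""Interpret hping3 replies the way the cheat sheet describes: SA = open,
RA = closed, no reply = filtered; then judge a zombie candidate from the
relative IP IDs that `hping3 -r` prints and read an idle-scan result from
the zombie's IP ID delta.  All sample output below is constructed."""
import re

# hping3 prints one line per reply; with -r the id field is a relative
# increment such as id=+1 instead of an absolute value.  DF is optional.
REPLY_RE = re.compile(
    r"len=\d+ ip=(?P<ip>[\d.]+) ttl=\d+ (?:DF )?id=(?P<id>[+-]?\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*)"
)

# --- constructed samples (shape of hping3 output, not captured traffic) ---
PROBE_OPEN = """HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 headers + 0 data bytes
len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms
--- 10.0.0.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
"""
PROBE_CLOSED = """HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 headers + 0 data bytes
len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.3 ms
"""
PROBE_NO_REPLY = """HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 headers + 0 data bytes
--- 10.0.0.5 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
"""
ZOMBIE_IDLE = """len=46 ip=10.0.0.9 ttl=128 id=5123 sport=135 flags=SA seq=0 win=8192 rtt=1.1 ms
len=46 ip=10.0.0.9 ttl=128 id=+1 sport=135 flags=SA seq=1 win=8192 rtt=1.0 ms
len=46 ip=10.0.0.9 ttl=128 id=+1 sport=135 flags=SA seq=2 win=8192 rtt=1.2 ms
"""
ZOMBIE_BUSY = """len=46 ip=10.0.0.9 ttl=128 id=7710 sport=135 flags=SA seq=0 win=8192 rtt=1.1 ms
len=46 ip=10.0.0.9 ttl=128 id=+7 sport=135 flags=SA seq=1 win=8192 rtt=1.0 ms
len=46 ip=10.0.0.9 ttl=128 id=+3 sport=135 flags=SA seq=2 win=8192 rtt=1.2 ms
"""


def parse_replies(output: str) -> list:
    """Extract ip, source port, flags and IP ID from every hping3 reply line."""
    replies = []
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue  # banner, statistics and ICMP lines carry no reply fields
        raw_id = m.group("id")
        replies.append({
            "ip": m.group("ip"),
            "sport": int(m.group("sport")),
            "flags": m.group("flags"),
            "id": int(raw_id),
            "relative": raw_id.startswith(("+", "-")),  # -r output
        })
    return replies


def state_from_flags(flags: str) -> str:
    """SYN/ACK (flags=SA) means open, RST (flags=RA) means closed."""
    if "S" in flags and "A" in flags:
        return "open"
    if "R" in flags:
        return "closed"
    return "unknown"


def probe_state(output: str, port: int) -> str:
    """State of `port` from one `hping3 -S -p <port>` run; no reply => filtered."""
    for r in parse_replies(output):
        if r["sport"] == port:
            return state_from_flags(r["flags"])
    return "filtered"


def is_idle_zombie(output: str) -> bool:
    """From `hping3 -S -r`: every relative IP ID increment must be exactly +1,
    i.e. the host sent nothing else between our probes."""
    increments = [r["id"] for r in parse_replies(output) if r["relative"]]
    return bool(increments) and all(inc == 1 for inc in increments)


def idle_scan_verdict(id_before: int, id_after: int) -> str:
    """Zombie IP ID before and after the spoofed SYN to the target: +2 means the
    target port is open, +1 closed (or filtered); anything else means the zombie
    was not idle and the result is inconclusive."""
    delta = id_after - id_before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "inconclusive"


if __name__ == "__main__":
    print("port 80:", probe_state(PROBE_OPEN, 80))
    print("port 82:", probe_state(PROBE_NO_REPLY, 82))
    print("zombie usable:", is_idle_zombie(ZOMBIE_IDLE))
    print("idle scan:", idle_scan_verdict(5123, 5125))
```

The `inconclusive` branch is the one that matters in practice: a zombie that is busy, or a stack that uses per-destination or zeroed IP IDs (Linux, for example, sends id=0 when DF is set, as in the constructed open/closed samples), breaks the +1/+2 reasoning, which is also why hosts with global incremental IP ID counters are the ones worth flagging in an asset review.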

// Firewall evasion techniques
nmap -f $IP             // fragment packets (8-byte fragments; -ff for 16-byte)
nmap --mtu <MTU> $IP    // specify the fragment size yourself (must be a multiple of 8)
nmap --source-port <port> $IP   // manually specify the source port, e.g. 53 or 20
nmap -g <port> -sS -p <port> $IP   // -g is the short form of --source-port
nmap --randomize-hosts -iL hosts.txt   // randomise the scan order

// NSE scripts live in /usr/share/nmap/scripts
nmap --script-updatedb      // update the script database after adding scripts
// To list the scripts for a service, say SMB, within a category:
nmap --script-help "smb* and discovery"
// To run a script (most scripts need the port scan, so do not combine this with -sn):
nmap --script <script-name> $IP

MASSCAN

(Accepts most of nmap's options and syntax, but uses its own asynchronous scanning engine)
masscan $IP/16 -p <port>
masscan $IP/16 -p0-65535 --rate 1000000   // --rate: packets per second
masscan $IP --top-ports <n>
masscan $IP --top-ports 100 --rate 100000   // scan the top 100 ports quickly
masscan $IP -p <port> --echo > scan.conf    // --echo dumps the current settings as a config file (not results); re-run with masscan -c scan.conf


Last updated 10 months ago