Scanners and Sniffers
Tip: Change your MAC address to match the network you are connecting to.
macchanger -m <mac> <interface>
Sniffer / Passive scan
Tip: Start by using Wireshark to listen on the network.
netdiscover -i <interface> -p
tcpdump -i <interface> -s 65535 -vv -w <output.pcap>
use auxiliary/sniffer/psnuffle
Extract passwords and credit card numbers from various protocols
python3 ./Pcredz -f file-to-parse.pcap
Host discovery
Linux
netdiscover -r <range> -i <interface> -P | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" > list_ip.txt
nbtscan -r <range>
arp-scan --interface=<interface> --localnet
for i in {1..255}; do arping -c 1 <192.168.0>.$i; done | grep reply
nmap <range> -sn -oG sweep.grep
grep Up sweep.grep |cut -d " " -f2 > list_ip.txt
for i in {1..254}; do ping -c 1 -W 1 <192.168.0.>$i | grep 'from'; done
prefix="172.16" && for i in {0..254}; do echo $prefix.$i/16; for j in {1..254}; do sh -c "ping -m 1 -c 1 -t 1 $prefix.$i.$j | grep \"icmp\" &" ; done; done
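The `grep Up sweep.grep | cut -d " " -f2` pipeline above only pulls out addresses. The parser below is an added example (not part of this page) that reads the same `-oG` file into one record per host, with hostname, status and open ports, so a sweep of your own range can be diffed against an asset inventory; the sample output is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap -oG output: a `-sn` ping sweep plus one port-scan
# line for the same host. Fields on a Host line are tab-separated.
SAMPLE_GREP = """\
# Nmap scan initiated as: nmap 192.168.0.0/29 -sn -oG sweep.grep
Host: 192.168.0.1 (gateway.lan)\tStatus: Up
Host: 192.168.0.2 ()\tStatus: Down
Host: 192.168.0.3 ()\tStatus: Up
Host: 192.168.0.3 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/closed/tcp//http///, 443/open|filtered/tcp//https///\tIgnored State: closed (1000)
# Nmap done: 8 IP addresses (2 hosts up) scanned
"""
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")
# -oG port entry layout: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/")

@dataclass
class HostRecord:
    ip: str
    hostname: str = ""
    up: bool = False
    open_ports: list = field(default_factory=list)  # (port, proto, service)

def parse_nmap_grepable(text):
    """Merge every Host line of -oG output into one record per IP."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # '#' comment lines and blanks
            continue
        ip, name, rest = m.groups()
        rec = hosts.setdefault(ip, HostRecord(ip=ip))
        if name:
            rec.hostname = name
        for fld in rest.split("\t"):  # "Status: Up", "Ports: ...", ...
            key, _, value = fld.partition(": ")
            if key == "Status":
                rec.up = rec.up or value.strip() == "Up"
            elif key == "Ports":
                for port, state, proto, service in PORT_RE.findall(value):
                    if state == "open":  # skip closed and "open|filtered"
                        rec.open_ports.append((int(port), proto, service))
    return hosts

def live_hosts(text):
    """Up hosts sorted numerically (same set as `grep Up | cut -d ' ' -f2`)."""
    up = [h.ip for h in parse_nmap_grepable(text).values() if h.up]
    return sorted(up, key=lambda ip: tuple(int(o) for o in ip.split(".")))
```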
OS identification
nmap -O -sV <ip>
xprobe2 <ip>
Windows
1..255 | % { ping -n 1 -w 500 <10.10.10>.$_ | Select-String ttl }
for /L %i in (1,1,255) do @ping.exe -n 1 -w 50 <10.10.10>.%i | findstr TTL
Name resolution in a LAN
for /L %i in (1,1,255) do @nslookup <10.10.10>.%i <ip_dns_server> 2>nul | find "Name" && echo <10.10.10>.%i
Service discovery
Windows
<139,445,5985,5986> | % { Test-NetConnection <ip> -Port $_ }
<1..1024> | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<ip>",$_)) "Port $_ is open" } 2> $null
function portCheck () {
    param ($hostName, $port);
    # TcpClient.Connect() throws on refusal or timeout; swallow it and test .Connected
    $portTest = (New-Object Net.Sockets.TcpClient);
    try { $portTest.Connect($hostName, $port) } catch {}
    if ( $portTest.Connected -eq "True" ) {
        echo "$hostName,$port - Success";
    } else {
        echo "$hostName,$port - Failed";
    }
    $portTest.Dispose();   # release the socket whether or not it connected
}
$portRange = ("22","80","3389");
#$portRange = [System.Linq.Enumerable]::Range(1,65535);   # uncomment for the full range
Foreach ( $prt in $portRange ) {
    portCheck -hostName "<ip>" -port $prt;
}
Linux
echo "" | nc -v -n -w1 <ip> <port_range>
nc -n -vz -w1 <ip> <port_min>-<port_max> 2>&1 | grep -v "timed out"
nc -n -vz -w1 <ip> <80 443 445 139 135 8080 22 21> 2>&1 | grep -v "timed out"
UDP
nmap -sU -sV -vv -oX quick_udp <ip>
unicornscan -mU -v -I <ip>
Port Knocking
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x <ip>; done
Service identification
amap <ip> <port>
nmap -sV <ip> -p <port>
nc -vvv <ip> <port>
telnet <ip> <port>
curl -v <ip>:<port>
Aggressive scan
Locate NSE scripts
locate -r '\.nse$' | xargs grep categories
nmap -iL list_ip.txt -A -sT -T4 --open -Pn -oX output.xml
searchsploit --nmap output.xml
Defense bypass
Decoy
Find Zombie
use auxiliary/scanner/ip/ipidseq
Use zombie
nmap <ip> -sI <zombie> -p <ports> -D <127.0.0.1,gw,lan ip,external ip> --source-port 53 --data-length 48 -f --mtu=24 -oX <out.xml>
Firewalking
tracepath -n -p <port> <ip>
traceroute -n -M default -p <port> <ip>
Firewall bypass
nmap -f --mtu=512 -D RND:10 --source-port 443 --data-length 20 --spoof-mac Apple <ip>
Source port spoofing
iptables -t nat -I POSTROUTING -p tcp -m tcp -j MASQUERADE --to-ports <source_port_to_spoof>