nmap Network discovery

nmap -sn -PE -sP -PA80,22  SUBNET

Bash Network discovery

for lastOctet in {1..254}; do
    ping -c 1 192.168.1.$lastOctet | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &

UDP Scan

  • -sU : scan UDP
  • -sV : fingerprint

Quick UDP Scan (top 200)

nmap --top-ports 200 -sU -sV -oA /tmp/output IP 

DNS Scan

Looking for reverse PTR on subnet

dnsrecon -n DNSServer -r SUBNET 


test connection with dnsname

check robots.txt

curl >robots.txt

Directory scan :

dirb http://$target

gobuster -u http://$target -w /usr/share/wordlist/dirbuster/directory-list -o output.log -t 50

Check backup file

eg. index.bak, index.html~, copy of index.html

nmap --script=http-backup-finder $target

Enumeration wordpress

wpscan --url http://example.com/ --enumerate u


nmap –script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25


User enumeration (CVE-2018-15473)

python ssh-enum.py --port 22 --threads 5 --outputFile ssh_users.txt --outputFormat list --userList list.txt

  • ssh-enum.py (6 ko)
  • # FTP ```nmap -sV -Pn -vv -p21 --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221``` # SNMP ```snmp-check -t 1 -v2c -c public``` # SMB ```nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse``` ```enum4linux -a``` # DNS ## Resolve an IP using DIG ```dig @ google.com``` ## Find Mail servers for a domain ```dig @ google.com -t mx``` ## Zone Transfer ```dig @ domain.com.local -t axfr``` ```nslookup / ls -d domain.com.local```