Network Mapping
Once we have access to a network, we can map it using the following steps.
- Info of the machine executing scans
First, gather information about the machine we are scanning from:
- Subnets Discovery
To identify the current subnet:
Wireshark can also be used to spot additional subnets from the traffic seen on the wire.
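As an added example (not part of the original notes), the following Python script parses constructed `ip -o -4 addr show` and `ip -4 route show` output from the scanning machine and separates the subnets that are directly on-link, where ARP-based discovery works, from those that are only reachable through a gateway and therefore need IP-level probes. The sample output, the function names and the field layout assumed in the parsers are assumptions made for this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample output of `ip -o -4 addr show` (not captured from a real host).
ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.10.10.23/24 brd 10.10.10.255 scope global eth0
3: eth1    inet 192.168.56.5/28 brd 192.168.56.15 scope global eth1
"""

# Constructed sample output of `ip -4 route show` on the same host.
ROUTE_OUTPUT = """\
default via 10.10.10.1 dev eth0 proto dhcp metric 100
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.23 metric 100
172.16.0.0/16 via 10.10.10.254 dev eth0
192.168.56.0/28 dev eth1 proto kernel scope link src 192.168.56.5
"""


def local_subnets(addr_output: str) -> Dict[str, List[str]]:
    """Map each non-loopback interface to the IPv4 subnets it sits on."""
    result: Dict[str, List[str]] = {}
    for line in addr_output.splitlines():
        tokens = line.split()
        if "inet" not in tokens:
            continue
        iface = tokens[1]
        iface_addr = ipaddress.ip_interface(tokens[tokens.index("inet") + 1])
        if iface_addr.ip.is_loopback:
            continue
        # ip_interface keeps the prefix, so .network is the subnet the address belongs to.
        result.setdefault(iface, []).append(str(iface_addr.network))
    return result


def parse_routes(route_output: str) -> Tuple[Optional[str], List[Tuple[str, str]], List[Tuple[str, str, str]]]:
    """Split the routing table into the default gateway, on-link routes and routes via a gateway."""
    default_gw: Optional[str] = None
    on_link: List[Tuple[str, str]] = []          # (network, device)
    via_gateway: List[Tuple[str, str, str]] = []  # (network, gateway, device)
    for line in route_output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dev = tokens[tokens.index("dev") + 1]
        if tokens[0] == "default":
            default_gw = tokens[tokens.index("via") + 1]
        elif "via" in tokens:
            via_gateway.append((tokens[0], tokens[tokens.index("via") + 1], dev))
        else:
            on_link.append((tokens[0], dev))
    return default_gw, on_link, via_gateway


def scan_targets(addr_output: str, route_output: str) -> Dict[str, List[str]]:
    """Decide which subnets ARP can reach (on-link) and which need IP-level probes (routed)."""
    subnets = local_subnets(addr_output)
    default_gw, on_link, via_gateway = parse_routes(route_output)
    # ARP is a link-layer protocol: only networks attached to a local interface are reachable with it.
    arp_reachable = sorted({net for nets in subnets.values() for net in nets} | {net for net, _ in on_link})
    routed = sorted(net for net, _, _ in via_gateway)
    return {
        "arp": arp_reachable,
        "routed": routed,
        "default_gateway": [default_gw] if default_gw else [],
    }


if __name__ == "__main__":
    for kind, nets in scan_targets(ADDR_OUTPUT, ROUTE_OUTPUT).items():
        print(f"{kind}: {', '.join(nets) or '-'}")
```

The routed list is where the ping sweeps and TCP discovery probes from the later sections apply; the on-link list is the only place where the ARP scans below can return results.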
- ARP Scans
If we are physically connected to a network, we have direct visibility into the local subnet and can perform ARP scans to discover devices on the same local network segment.
If we have remote access, the ARP scan must run directly on the compromised machine to discover devices on its local network, so network scanning tools have to be installed on the remote machine; this type of scan does not work through a proxy because ARP is a link-layer protocol that is not routed.
Passive:
netdiscover -S -P -N -p -r $SUBNET
Active:
netdiscover -S -P -N -r $SUBNET
nmap -n -PR $SUBNET
- Ping Sweeps (ICMP)
We can actively scan for hosts with ICMP:
nmap -sP --host-timeout 30s --max-retries 3 $SUBNET
nmap -sP $SUBNET
nmap -PE -PM -PP -sn -n $SUBNET
- TCP SYN Scan
To discover hosts by sending a SYN packet to specific ports that may be open:
nmap -sn -PS22-25,80,88,135,139,389,445,636,1024,3268,3269,3389,5985,5986,8080 $SUBNET
To extract active hosts:
grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' scan.txt
Select-String -Path 'yourfile.txt' -Pattern '(\d{1,3}\.){3}\d{1,3}' -AllMatches | % { $_.Matches } | % { $_.Value }
- TCP ACK Scan
To discover hosts by sending an ACK packet to specific ports that may be open:
nmap -PA22-25,80,88,135,139,389,445,636,1024,3268,3269,3389,5985,5986,8080 $SUBNET
- TCP Port Scan
To perform a TCP port scan against the most used ports:
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 $SUBNET
- HTTP Discovery
masscan -p80,443,8000-8100,8443 199.66.11.0/24
- UDP Discovery
nmap -sU -sV --version-intensity 0 -F -n $SUBNET
- SCTP Port Discovery
nmap -T4 -sY -n --open -Pn $SUBNET
- Quick service scan
To map a network and its services:
nmap -iL scope.txt -Pn -sV --top-ports 200 --max-retries 1 --max-scan-delay 10ms --max-rtt-timeout 20ms -v -oA LiveIPs_Services
- Infrastructure Scan
To scan an infrastructure and identify hosts that are up and their open ports:
nmap -sS -p 21,22,80,88,111,135,139,389,443,445,636,1024,1433,3268,3269,3389,5900,5985,5986,8080,8443,10000 -n --min-rate 5000 -Pn --open X.X.X.0/16
Then, from the normal-format output (the .nmap file written by -oA; the grep patterns below match that text format, not the XML file), to obtain hosts with a specific open port for further scans:
grep "21/tcp" -B 4 open-ports.nmap | grep "Nmap scan report for" | awk '{print $NF}'
To do the same filtering for various ports:
grep -E "8080/tcp|80/tcp" -B 4 open-ports.nmap | grep "Nmap scan report for" | awk '{print $NF}' | sort | uniq
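The grep pipelines above (and the regex host extraction in the TCP SYN scan section) depend on the "Nmap scan report for" line sitting within four lines of the matching port line, which fails once a host has more than a few ports listed. As an added example that is not part of the original notes, the following Python script does both jobs from nmap's XML output (-oX, or the .xml file from -oA), which is the stable format intended for parsing: it lists the hosts that are up and the hosts with a given open port. The embedded XML sample is constructed for this example, and the function names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed nmap XML in the layout nmap -oX writes (not real scan output).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX open-ports.xml 10.10.10.0/24">
  <host><status state="up" reason="syn-ack"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.10.10.17" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.10.10.200" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text: str) -> Dict[str, Set[str]]:
    """Return {ipv4: {"tcp/21", ...}} for every host whose status is up (open ports only)."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, Set[str]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # A host element may carry several address elements (IPv4, MAC); pick the IPv4 one.
        ip = next((a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue
        open_ports: Set[str] = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add(f"{port.get('protocol')}/{port.get('portid')}")
        hosts[ip] = open_ports
    return hosts


def live_hosts(xml_text: str) -> List[str]:
    """Hosts reported up, in numeric address order (replaces the regex extraction)."""
    return sorted(parse_hosts(xml_text), key=ipaddress.IPv4Address)


def hosts_with_open_port(xml_text: str, *ports: int) -> List[str]:
    """Hosts with at least one of the given TCP ports open (replaces the grep -B 4 pipeline)."""
    wanted = {f"tcp/{p}" for p in ports}
    return sorted(
        (ip for ip, open_ports in parse_hosts(xml_text).items() if open_ports & wanted),
        key=ipaddress.IPv4Address,
    )


if __name__ == "__main__":
    print("up:", " ".join(live_hosts(NMAP_XML)))
    print("ftp:", " ".join(hosts_with_open_port(NMAP_XML, 21)))
    print("web:", " ".join(hosts_with_open_port(NMAP_XML, 80, 8080)))
```

To use it on a real file, replace NMAP_XML with the contents of the .xml file; the same parser handles the masscan -oX output referenced later in the notes, since masscan writes the same host/port/state element layout.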
To look for open ports in a more stealthy way using netcat (the grep must match the string the local nc variant prints on success: "open" for traditional netcat, "succeeded" for OpenBSD nc):
One-liner for /24 scan:
range="10.10.10"; for i in $(seq -f "$range.%g" 0 255); do open_ports=""; for port in 80 443 445 1433 8080 8443; do if nc -w 1 -nzv $i $port 2>&1 | grep -q "open"; then open_ports="$open_ports $port"; fi; done; if [ ! -z "$open_ports" ]; then echo "[+] $i Open Ports: $open_ports" | tee -a "${range}_open_ports.txt"; fi; done
One-liner for /16 scan:
range="10.10"; for i in $(seq 0 255); do for j in $(seq 0 255); do ip="$range.$i.$j"; open_ports=""; for port in 21 22 80 88 111 135 139 389 443 445 636 1024 1433 3268 3269 3389 5900 5985 5986 8080 8443 10000; do if nc -w 1 -nzv $ip $port 2>&1 | grep -q "open"; then open_ports="$open_ports $port"; fi; done; if [ ! -z "$open_ports" ]; then echo "[+] $ip Open Ports: $open_ports" | tee -a "${range}_open_ports.txt"; fi; done; done
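From the defender's side, the SYN discovery probes and the netcat loops above leave a characteristic pattern in firewall or flow logs: one source touching many hosts on the same port (horizontal sweep) or many ports on one host (vertical scan) within a short window. As an added example that is not part of the original notes, the following Python script implements that detection over constructed log lines written in the key=value style of iptables LOG entries; the log format, thresholds, window and function names are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def build_sample_log() -> List[str]:
    """Constructed log lines (not from a real firewall) in the key=value style of iptables LOG."""
    lines = []
    # Benign client: repeated connections to one web server on one port.
    for sec in (0, 20, 40):
        lines.append(f"2024-05-01T10:00:{sec:02d} SRC=10.10.10.50 DST=10.10.10.5 DPT=443 PROTO=TCP ACTION=ACCEPT")
    # Horizontal sweep: one source probes port 445 on twelve hosts within twelve seconds.
    for i in range(1, 13):
        lines.append(f"2024-05-01T10:01:{i:02d} SRC=10.10.10.23 DST=10.10.10.{i} DPT=445 PROTO=TCP ACTION=DROP")
    # Vertical scan: the same source walks a common-port list against a single host.
    for i, port in enumerate((21, 22, 80, 88, 111, 135, 139, 389, 443, 445, 636, 1024)):
        lines.append(f"2024-05-01T10:02:{i:02d} SRC=10.10.10.23 DST=10.10.10.5 DPT={port} PROTO=TCP ACTION=DROP")
    return lines


def parse_line(line: str) -> Dict:
    """Split '<iso-timestamp> KEY=VALUE ...' into a small event record."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "dport": int(fields["DPT"]),
        "proto": fields["PROTO"],
    }


def detect_sweeps(lines: List[str], window_s: int = 60, host_threshold: int = 8, port_threshold: int = 10) -> List[Dict]:
    """Alert once per (source, pivot) when distinct targets in a sliding window reach a threshold.

    horizontal_sweep: pivot is a destination port, targets are distinct destination hosts.
    vertical_scan:    pivot is a destination host, targets are distinct destination ports.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    window = timedelta(seconds=window_s)
    # Per key: a deque of (timestamp, target) inside the window and a Counter of targets in it.
    horizontal = defaultdict(lambda: (deque(), Counter()))
    vertical = defaultdict(lambda: (deque(), Counter()))
    fired = set()
    alerts: List[Dict] = []
    for e in events:
        checks = (
            ("horizontal_sweep", (e["src"], e["dport"]), e["dst"], horizontal, host_threshold),
            ("vertical_scan", (e["src"], e["dst"]), e["dport"], vertical, port_threshold),
        )
        for kind, key, target, store, threshold in checks:
            recent, counts = store[key]
            recent.append((e["ts"], target))
            counts[target] += 1
            # Evict events that fell out of the window and drop targets no longer seen in it.
            while recent and e["ts"] - recent[0][0] > window:
                _, old = recent.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            if len(counts) >= threshold and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append({"kind": kind, "src": key[0], "pivot": key[1], "distinct": len(counts), "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(build_sample_log()):
        print(f"{alert['at'].isoformat()} {alert['kind']}: {alert['src']} -> pivot {alert['pivot']} "
              f"({alert['distinct']} distinct targets)")
```

The thresholds are deliberately low so the constructed sample trips both rules; in production they are tuned per network so that monitoring systems and vulnerability scanners, which legitimately sweep, are allow-listed rather than alerted on. Slowing a scan below the window rate (the --max-scan-delay and -w 1 knobs in this section) is exactly what pushes it under a detector of this shape, which is why sliding windows of several minutes are common.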
- Quick External Recon with nmap
Stealthy scan of an external subnet (use a proxy system set up in the cloud so as not to expose your own IP):
nmap -Pn -sT -vvvv -oA scan 10.10.10.10/22 -p22,80,443,8080,8443
Then, for quick web enumeration using the nmap output:
https://github.com/michenriksen/aquatone
cat scan.xml | aquatone -nmap -out capture
The output from amass can also be used with this tool:
cat output | ./aquatone
An alternative to nmap:
naabu -list subdomains.txt -c 50 -nmap-cli 'nmap -sV -sC' -o naabu-full.txt