Network Mapping

Once we access a network, we can map it using the following steps.

- Info of the machine executing scans

First step, information of the machine from where we are scanning:

PUBLIC_IP_URL="http://ifconfig.me"
INTERNALIP=$(/usr/sbin/ifconfig eth0 | grep "inet " | awk '{print $2}')
GATEWAY=$(/usr/sbin/route | grep default | awk {'print $2'})
PUBLICIP=$(/usr/bin/curl -m 10 -s $PUBLIC_IP_URL)
INFO_RECON_MACHINE="Date: $(date)\n\
Internal IP Address: $INTERNALIP\n\
Public IP Address: $PUBLICIP\n\
Gateway: $GATEWAY\n"

#Print info
echo $INFO_RECON_MACHINE

- Subents Discovery

To identify the current subnet:

SUBNET=$(ip addr | grep -i eth0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}")

(Get-NetIPAddress -InterfaceAlias "Ethernet" -AddressFamily IPv4 | ForEach-Object { $_.IPAddress + "/" + $_.PrefixLength }) -join ", "

Wireshark could be used to identify new subnets.

- ARP Scans

If we are physically connected to a network, we have direct visibility into the local subnet. We can then perform ARP scans to discover devices on the same local network segment.

If we have remote access, we must run the ARP scan directly on the compromised machine to discover devices on its local network, so we must install network scanning tools on the remote machine, this is because this type of scan does not work through a proxy

Passive:

netdiscover -S -P -N -p -r $SUBNET

Active

netdiscover -S -P -N -r $SUBNET

nmap -n -PR $SUBNET

- Ping Sweeps (ICPM)

We can actively scan hosts through ICPM:

nmap -sP --host-timeout 30s --max-retries 3 $SUBNET

nmap -sP $SUBNET

nmap -PE -PM -PP -sn -n $SUBNET

- TCP SYN Scan

To discover hosts sending a SYN packet to specific ports that may be open:

nmap -sn -PS22-25,80,88,135,139,389,445,636,1024,3268,3269,3389,5985,5986,8080 $SUBNET

To extract active hosts:

grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' scan.txt

Select-String -Path 'yourfile.txt' -Pattern '(\d{1,3}\.){3}\d{1,3}' -AllMatches | % { $_.Matches } | % { $_.Value }

- TCP ACK Scan

To discover hosts sending a ACK packet to specific ports that may be open:

nmap -PA22-25,80,88,135,139,389,445,636,1024,3268,3269,3389,5985,5986,8080 $SUBNET

- TCP Port Scan

To perform a TCP Port scan agains the most used ports:

masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 $SUBNET

- HTTP Discovery

masscan -p80,443,8000-8100,8443 199.66.11.0/24

- UDP Discovery

nmap -sU -sV --version-intensity 0 -F -n $SUBNET

- SCTP Port Discovery

nmap -T4 -sY -n --open -Pn $SUBNET

- Quick service scan

To map a network and its services:

nmap -iL scope.txt -Pn -sV -top-ports 200 -max-retries 1 -max-scan-delay 10ms -max-rtt-timeout 20ms -v -oA LiveIPs_Services

- Infrastructure Scan

To scan an infrastructure and notice open ports and up hosts:

nmap -sS -p 21,22,80,88,111,135,139,389,443,445,636,1024,3268,3269,3389,5900,5985,5986,8080,8443,10000 -n --min-rate 5000 -Pn --open X.X.X.0/16

Then, from the XML output, to obtain hosts with a specific open port for further scans:

cat open-ports.xml | grep "21/tcp" -B 4 | grep "Nmap scan report for" | awk '{print $NF}'

To do the same filtering for various ports:

cat open-ports.xml | grep -E "8080/tcp|80/tcp" -B 4 | grep "Nmap scan report for" | awk '{print $NF}' | sort | uniq

- Quick External Recon with nmap

Stealthy scan for external subnet (use proxy system that setted up in the cloud not to expose your IP):

nmap -Pn -sT -vvvv -oA scan 10.10.10.10/22 -p22,80,443,8080,8443

Then, for quick web enumeration using the nmap output:

https://github.com/michenriksen/aquatone

cat scan.xml | aquatone -nmap -out capture

The output from amass can also be used with this tool:

cat output | ./aquatone

An alternative to nmap:

naabu -list subdomains.txt -c 50 -nmap-cli 'nmap -sV -sC' -o naabu-full.txt