Network Scanning

Host Discovery

ARP

Quickly discover live hosts on the same subnet as the NIC (ARP requests are answered even by hosts that drop ICMP and TCP probes).
sudo nmap -sn -PR -n -T4 <cidr> -oA nmap_live_hosts_arp

TCP/UDP/ICMP

Quickly discover live hosts including on routed subnets.
sudo nmap -sn -n -T4 -PE -PP -PS7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900-5901,6000-6002,6646,7070,8000,8008-8009,8080-8081,8443,8888,9000-9001,9090,9100,9102,9999-10001,32768,49152-49157 -PU53,67-69,111,123,135,137-139,161-162,445,500,514,520,631,996-999,1434,1701,1900,3283,4500,5353,49152-49157 --max-retries 2 --host-timeout 180s --min-parallelism 100 -vv -iL scope.txt -oA nmap_live_hosts
Extract live IPs from nmap xml output
xmlstarlet sel -t -m "//host[status/@state='up']/address[@addrtype='ipv4']" -v "@addr" -n nmap_live_hosts.xml

Output: List of IPs including whichever IP each domain resolved to.

Extract live hosts from xml output in input format (domains or IPs)
xmlstarlet sel -t -m "//host[status/@state='up']" -i "hostnames/hostname[@type='user']" -v "hostnames/hostname[@type='user'][1]/@name" -n -b -i "not(hostnames/hostname[@type='user'])" -v "address[@addrtype='ipv4']/@addr" -n nmap_live_hosts.xml

Output: <host>, i.e. a list of all live IPs and/or domains, whichever was used in the nmap -iL file.

Quick Service Scan

Quickly discover running services.
sudo nmap -sS -sV --version-light -Pn -n -T4 --top-ports 200 --open -iL scope.txt -oA nmap_quick_tcp

Comprehensive Service Scan

Identify all open TCP ports and common UDP.

TCP & UDP

Scan all 65,535 TCP and common UDP ports and perform light service discovery
sudo nmap -sS -sU -sV --version-intensity 0 -Pn -n -T4 -p T:1-65535,U:53,67-69,111,123,135,137-139,161-162,445,500,514,520,631,996-999,1434,1701,1900,3283,4500,5353,49152-49154 --max-retries 2 --open -iL scope.txt -oA nmap_comp

TCP Only

Scan all 65,535 TCP ports and perform light service discovery
sudo nmap -sS -sV --version-intensity 0 -Pn -n -T4 -p- --max-retries 2 --open -iL scope.txt -oA nmap_comp_tcp

UDP Only

Scan common UDP ports and perform light service discovery
sudo nmap -sU -sV --version-intensity 0 -Pn -n -T3 -p 53,67-68,69,88,111,123,137-138,161-162,389,464,500,520,631,1434,1701,1812-1813,1900,2049,3389,3702,4500,5004-5005,5060,5353,5355,11211,4789 --max-retries 2 --open -iL scope.txt -oA nmap_comp_udp

Deep Service Scanning

Extract open TCP port numbers from the comprehensive scan output (nmap_comp.xml) into a comma-separated list
xmlstarlet sel -t -m "//port[@protocol='tcp'][state/@state='open']" -v @portid -n nmap_comp.xml | sort -n | uniq | paste -sd, - > open_tcp.lst
Extract open UDP port numbers from the same output into a comma-separated list. UDP ports that never answered are reported as open|filtered, so this list is noisy and includes ports where nothing may be listening.
xmlstarlet sel -t -m "//port[@protocol='udp'][state/@state='open' or state/@state='open|filtered']" -v @portid -n nmap_comp.xml | sort -n | uniq | paste -sd, - > open_udp.lst

Use the open ports extracted from a comprehensive or quick scan for further discovery.

Perform deeper discovery (version detection plus the default NSE scripts) against all identified live hosts and open ports. Substitute the contents of open_tcp.lst for <open_ports>. To include the UDP list as well, add -sU and use protocol prefixes, e.g. -p "T:$(cat open_tcp.lst),U:$(cat open_udp.lst)"; without the U: prefix the UDP port numbers would be scanned as TCP.
sudo nmap -Pn -sVC -p<open_ports> --open -iL scope.txt -oA nmap_comp_svc

Web Service Scanning

Extract nmap results into a list of potential web servers

https://github.com/projectdiscovery/httpx

Extract all open hosts and ports into a list, regardless of whether nmap thinks they are a web server or not.
xmlstarlet sel -t -m "//host[status/@state='up']/ports/port[@protocol='tcp' and state/@state='open']" -i "count(../../hostnames/hostname[@type='user'])>0" -v "concat(../../hostnames/hostname[@type='user'][1]/@name,':',@portid)" -b -i "not(count(../../hostnames/hostname[@type='user'])>0) and ../../address[@addrtype='ipv4']" -v "concat(../../address[@addrtype='ipv4']/@addr,':',@portid)" -b -i "not(count(../../hostnames/hostname[@type='user'])>0) and ../../address[@addrtype='ipv6']" -v "concat('[',../../address[@addrtype='ipv6']/@addr,']:',@portid)" -b -n ../../nmap_recon/nmap_comp_svc.xml | sort -u >> host_port.lst

Output list format: <host>:<port>

This outputs every live host paired with each of its open TCP ports, using the IP or domain that was originally supplied to nmap as the host (IPv6 addresses are bracketed).

Sometimes web servers are not identifiable as an http/https service by nmap. This list can be used with httpx to thoroughly detect all running web servers.
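The same extractions done with Python's standard library instead of xmlstarlet, as an added example that is not part of the original page or of nmap's own tooling. It covers the live-host extraction under Host Discovery, the open-port lists under Deep Service Scanning, the <host>:<port> list above, and the scheme prefixing that follows. It goes a step beyond the one-liners by building a single nmap -p expression with T: and U: prefixes and by keeping UDP open|filtered ports opt-in. The embedded XML is a constructed sample in nmap -oX layout; every hostname, address and port in it is invented.

```python
#!/usr/bin/env python3
"""Parse nmap -oX output with the standard library (added example, not the
page's own tooling). Usage: nmap_xml.py {hosts|tcp|udp|hostports|schemed|parg} scan.xml
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX layout; names, addresses and ports are invented.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><status state="up" reason="arp-response"/>
  <address addr="10.0.0.5" addrtype="ipv4"/>
  <hostnames><hostname name="app.example.test" type="user"/>
             <hostname name="app.example.test" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/></port>
   <port protocol="tcp" portid="8443"><state state="open"/></port>
   <port protocol="udp" portid="161"><state state="open|filtered"/></port>
  </ports></host>
 <host><status state="up" reason="echo-reply"/>
  <address addr="10.0.0.9" addrtype="ipv4"/><hostnames/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/></port>
   <port protocol="tcp" portid="443"><state state="closed"/></port>
   <port protocol="udp" portid="53"><state state="open"/></port>
  </ports></host>
 <host><status state="down" reason="no-response"/>
  <address addr="10.0.0.12" addrtype="ipv4"/></host>
 <host><status state="up" reason="echo-reply"/>
  <address addr="fd00::10" addrtype="ipv6"/><hostnames/>
  <ports><port protocol="tcp" portid="8080"><state state="open"/></port></ports>
 </host>
</nmaprun>
"""


def _up_hosts(root):
    """Yield <host> elements whose status is up."""
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") == "up":
            yield host


def _label(host, bracket_v6=False):
    """Name a host the way it was supplied to -iL: the type='user' hostname if
    nmap was given a name, otherwise its address (IPv6 bracketed for host:port)."""
    user = host.find("hostnames/hostname[@type='user']")
    if user is not None:
        return user.get("name")
    v4 = host.find("address[@addrtype='ipv4']")
    if v4 is not None:
        return v4.get("addr")
    v6 = host.find("address[@addrtype='ipv6']")
    if v6 is not None:
        return "[%s]" % v6.get("addr") if bracket_v6 else v6.get("addr")
    return None


def live_hosts(xml_text):
    """Live hosts in -iL form (domain or IP), in document order."""
    return [lbl for lbl in (_label(h) for h in _up_hosts(ET.fromstring(xml_text))) if lbl]


def open_ports(xml_text, proto, include_filtered=False):
    """Sorted unique port numbers of one protocol that are open on any live host.
    UDP open|filtered (no answer at all) is included only on request: it is a
    non-response, not evidence of a service."""
    wanted = {"open", "open|filtered"} if include_filtered else {"open"}
    ports = set()
    for host in _up_hosts(ET.fromstring(xml_text)):
        for port in host.findall("ports/port[@protocol='%s']" % proto):
            state = port.find("state")
            if state is not None and state.get("state") in wanted:
                ports.add(int(port.get("portid")))
    return sorted(ports)


def port_arg(xml_text):
    """nmap -p expression for the deep scan, e.g. 'T:22,80,U:53'. The U: part
    only takes effect if the follow-up scan also passes -sU."""
    tcp = open_ports(xml_text, "tcp")
    udp = open_ports(xml_text, "udp", include_filtered=True)
    parts = ["T:" + ",".join(map(str, tcp))] if tcp else []
    if udp:
        parts.append("U:" + ",".join(map(str, udp)))
    return ",".join(parts)


def host_ports(xml_text):
    """'<host>:<port>' for every open TCP port, whatever service nmap guessed,
    so httpx can decide for itself which ones speak HTTP."""
    pairs = set()
    for host in _up_hosts(ET.fromstring(xml_text)):
        label = _label(host, bracket_v6=True)
        for port in host.findall("ports/port[@protocol='tcp']"):
            state = port.find("state")
            if label and state is not None and state.get("state") == "open":
                pairs.add("%s:%s" % (label, port.get("portid")))
    return sorted(pairs)


def with_schemes(pairs):
    """Prefix each host:port with http:// and https:// for httpx/ffuf input."""
    return sorted(s + p for p in pairs for s in ("http://", "https://"))


if __name__ == "__main__":
    mode, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    out = {"hosts": lambda: live_hosts(text),
           "tcp": lambda: map(str, open_ports(text, "tcp")),
           "udp": lambda: map(str, open_ports(text, "udp", True)),
           "hostports": lambda: host_ports(text),
           "schemed": lambda: with_schemes(host_ports(text)),
           "parg": lambda: [port_arg(text)]}[mode]()
    print("\n".join(out))
```

Run it as `python3 nmap_xml.py hostports nmap_comp_svc.xml > host_port.lst` or `python3 nmap_xml.py parg nmap_comp.xml` to get the -p value for the deep scan. Note that, like the xmlstarlet one-liners, the port lists are pooled across hosts, so the deep scan probes every collected port on every host rather than only the ports each host actually had open.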

Add http:// and https:// before each item in the host:port list from the previous step (host_port.lst), producing the input file used by httpx and ffuf below
awk '{print "http://"$0"\nhttps://"$0}' host_port.lst | sort -u > web_servers_with_proto.lst

Input:

  • <host>:<port>

Output:

  • http://<host>:<port>
  • https://<host>:<port>
Generate list of web servers and information
httpx -l web_servers_with_proto.lst -sc -title -cl -location -server -fr -ip | tee httpx.out

Web server list must be in the format: http(s)://<host>:<port>

Gather screenshots

https://github.com/sensepost/gowitness

Gather screenshots for a list of web servers
gowitness scan file -f web_servers.lst --write-db -D 

Web server list must be in the format: <host>:<port>

Web directory enumeration

Loop through the list of web servers and enumerate directories with ffuf, 8 targets at a time; -noninteractive stops ffuf from expecting a console when driven by xargs, and each target's output goes to its own file named after the URL
mkdir -p results && xargs -a web_servers_with_proto.lst -P 8 -I{} sh -c 'fn=$(printf "%s" "{}" | sed "s#[/:?&]#_#g"); stdbuf -oL ffuf -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -u "{}/FUZZ" -ac -noninteractive 2>&1 | tee "results/${fn}_ffuf.out"' </dev/null

Web server list must be in the format: http(s)://<host>:<port>