Network Scanning
Host Discovery
ARP
sudo nmap -sn -PR -n -T4 <cidr> -oA nmap_live_hosts_arp
TCP/UDP/ICMP
sudo nmap -sn -n -T4 -PE -PP -PS80,135,139,389,443,445,464,636,3268,3269,3389,5985,5986,22 -PA80,443,445 -PU53,123,137,161 -iL scope.txt -oA nmap_live_hosts
xmlstarlet sel -t -m "//host[status/@state='up']/address[@addrtype='ipv4']" -v "@addr" -n nmap_live_hosts.xml
Output: List of IPs including whichever IP each domain resolved to.
xmlstarlet sel -t -m "//host[status/@state='up']" -i "hostnames/hostname[@type='user']" -v "hostnames/hostname[@type='user'][1]/@name" -n -b -i "not(hostnames/hostname[@type='user'])" -v "address[@addrtype='ipv4']/@addr" -n nmap_live_hosts.xml
Output: list of IPs and/or domains, whichever were used in the nmap -iL file.
Quick Service Scan
sudo nmap -sS -sV --version-light -Pn -n -T4 --top-ports 200 --open -iL scope.txt -oA nmap_quick_tcp
Comprehensive Service Scan
Identify all open TCP ports and the commonly used UDP ports.
TCP & UDP
sudo nmap -sS -sU -sV --version-intensity 0 -Pn -n -T4 -p T:1-65535,U:53,67-69,111,123,135,137-139,161-162,445,500,514,520,631,996-999,1434,1701,1900,3283,4500,5353,49152-49154 --max-retries 2 --open -iL scope.txt -oA nmap_comp
TCP Only
sudo nmap -sS -sV --version-intensity 0 -Pn -n -T4 -p- --max-retries 2 --open -iL scope.txt -oA nmap_comp_tcp
UDP Only
sudo nmap -sU -sV --version-intensity 0 -Pn -n -T3 -p 53,67-68,69,88,111,123,137-138,161-162,389,464,500,520,631,1434,1701,1812-1813,1900,2049,3389,3702,4500,5004-5005,5060,5353,5355,11211,4789 --max-retries 2 --open -iL scope.txt -oA nmap_comp_udp
Deep Service Scanning
xmlstarlet sel -t -m "//port[@protocol='tcp'][state/@state='open']" -v @portid -n nmap_comp.xml | sort -n | uniq | paste -sd, - > open_tcp.lst
xmlstarlet sel -t -m "//port[@protocol='udp'][state/@state='open' or state/@state='open|filtered']" -v @portid -n nmap_comp.xml | sort -n | uniq | paste -sd, - > open_udp.lst
Extract the open ports found by the comprehensive (or quick) scan into comma-separated lists, then run version detection and default scripts against only those ports (e.g. -p "$(cat open_tcp.lst)"):
sudo nmap -Pn -sVC -p<open_ports> -iL scope.txt -oA nmap_comp_svc
Web Service Scanning
Extract nmap detected web servers into lists
xmlstarlet sel -t -m '//host[status/@state="up"]/ports/port[@protocol="tcp" and state/@state="open" and service[contains(@name,"http")]]' -v 'concat(../../address[@addrtype="ipv4"]/@addr,":",@portid)' -n nmap_comp_svc.xml > web_servers.lst
Output list format:
<ip>:<port>
xmlstarlet sel -t -m "//host[status/@state='up']/ports/port[@protocol='tcp'][state/@state='open' and contains(service/@name,'http')]" -i "../../hostnames/hostname[@type='user']" -v "concat(../../hostnames/hostname[@type='user'][1]/@name,':',@portid)" -b -i "not(../../hostnames/hostname[@type='user']) and ../../address[@addrtype='ipv4']" -v "concat(../../address[@addrtype='ipv4']/@addr,':',@portid)" -b -i "not(../../hostnames/hostname[@type='user']) and ../../address[@addrtype='ipv6']" -v "concat('[',../../address[@addrtype='ipv6']/@addr,']:',@portid)" -b -n nmap_comp_svc.xml | awk 'NF' | sort -u > web_servers.lst
Output list format:
<ip_or_domain>:<port>
This will output the web servers with an IP or domain as the host, whichever was originally supplied for the nmap scan.
xmlstarlet sel -t -m '//host[status/@state="up"]/ports/port[@protocol="tcp" and state/@state="open" and service[contains(@name,"http")]]' -i 'service[@tunnel="ssl" or contains(@name,"https") or contains(@name,"ssl")]' -o 'https://' -b -i 'not(service[@tunnel="ssl" or contains(@name,"https") or contains(@name,"ssl")])' -o 'http://' -b -v '../../address[@addrtype="ipv4"]/@addr' -o ':' -v '@portid' -n nmap_comp_svc.xml > web_servers_with_proto.lst
Output list format:
http(s)://<ip>:<port>
xmlstarlet sel -t -m '//host[status/@state="up"]/ports/port[@protocol="tcp"][state/@state="open" and contains(service/@name,"http")]' -i 'service/@tunnel="ssl" or starts-with(service/@name,"https") or contains(service/@name,"ssl/http")' -o 'https://' -b -i 'not(service/@tunnel="ssl" or starts-with(service/@name,"https") or contains(service/@name,"ssl/http"))' -o 'http://' -b -i '../../hostnames/hostname[@type="user"]' -v 'concat(../../hostnames/hostname[@type="user"][1]/@name,":",@portid)' -b -i 'not(../../hostnames/hostname[@type="user"]) and ../../address[@addrtype="ipv4"]' -v 'concat(../../address[@addrtype="ipv4"]/@addr,":",@portid)' -b -i 'not(../../hostnames/hostname[@type="user"]) and ../../address[@addrtype="ipv6"]' -v 'concat("[",../../address[@addrtype="ipv6"]/@addr,"]:",@portid)' -b -n nmap_comp_svc.xml | awk 'NF' | sort -u > web_servers_with_proto.lst
Output list format:
http(s)://<ip_or_domain>:<port>
This will output the web servers with an IP or domain as the host, whichever was originally supplied for the nmap scan.
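As an added example (not part of the original page), the same selection rules as the xmlstarlet one-liners for host discovery and for web server extraction, written with Python's standard library so they can be checked against a constructed nmap XML sample rather than a live scan:

```python
import xml.etree.ElementTree as ET
# Constructed sample in nmap -oX format (not real scan output): a host scanned by its
# user-supplied name with a TLS-wrapped http port, IPv4-only and IPv6-only hosts, a down host.
SAMPLE_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <hostnames><hostname name="intranet.example.test" type="user"/></hostnames>
  <ports><port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
 <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
   <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port></ports></host>
 <host><status state="up"/><address addr="fd00::a" addrtype="ipv6"/>
  <ports><port protocol="tcp" portid="8443"><state state="open"/><service name="ssl/http"/></port></ports></host>
 <host><status state="down"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>"""

def host_label(host):
    """Mirror the xmlstarlet -i/-b chain: user-supplied hostname, else IPv4, else [IPv6]."""
    user = host.find("hostnames/hostname[@type='user']")
    if user is not None:
        return user.get("name")
    v4 = host.find("address[@addrtype='ipv4']")
    if v4 is not None:
        return v4.get("addr")
    v6 = host.find("address[@addrtype='ipv6']")
    return f"[{v6.get('addr')}]" if v6 is not None else None

def is_tls(service):
    # Same https test as the one-liner: ssl tunnel, an https* name, or an ssl/http name.
    name = service.get("name", "")
    return service.get("tunnel") == "ssl" or name.startswith("https") or "ssl/http" in name

def up_hosts(xml_text):
    # ElementTree's XPath subset cannot express [status/@state='up'], so filter by hand.
    return [h for h in ET.fromstring(xml_text).iter("host") if h.find("status").get("state") == "up"]

def live_hosts(xml_text):
    """Equivalent of the host-discovery extraction: one name or address per live host."""
    return [host_label(h) for h in up_hosts(xml_text)]

def web_targets(xml_text):
    """proto://host:port for every open tcp port whose service name contains 'http'."""
    out = set()
    for host in up_hosts(xml_text):
        for port in host.iterfind("ports/port[@protocol='tcp']"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None or "http" not in svc.get("name", ""):
                continue
            out.add(f"{'https' if is_tls(svc) else 'http'}://{host_label(host)}:{port.get('portid')}")
    return sorted(out)
```

Running web_targets over a real nmap_comp_svc.xml yields the same lines as web_servers_with_proto.lst, with the filtered port, the non-http service and the down host excluded.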
Gather screenshots
https://github.com/sensepost/gowitness
Web server list must be in the format:
<host>:<port>
Web directory enumeration
while IFS= read -r url; do [[ -z "$url" || "$url" = \#* ]] && continue; proto=${url%%://*}; rest=${url#*://}; host=${rest%:*}; port=${rest##*:}; tag=$(printf '%s' "$proto" | tr a-z A-Z); ffuf -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt:FUZZ -u "$url/FUZZ" -ach | tee "ffuf_${tag}_${host}_${port}"; done < web_servers_with_proto.lst
The protocol is upper-cased with tr instead of ${proto:u}, which only zsh understands, and the host is split off with ${rest%:*} (shortest suffix) so a bracketed IPv6 host keeps its full address in the output file name.
Web server list must be in the format:
http(s)://<host>:<port>