nmap #
enumerate services and use default scripts
# -sC is shorthand for --script=default; -sV adds service/version probing.
nmap --script=default -sV -oN normal.txt target-ip
scan all tcp ports
# -p- is shorthand for the full TCP port range 1-65535.
nmap -p 1-65535 -oN all_ports.txt target-ip
scan all udp ports
# Same full port range as the TCP scan, but over UDP (-sU); UDP sweeps are typically much slower.
nmap -sU -p 1-65535 -oN all_udp_ports.txt target-ip
use script categories
# Run the vuln, safe and discovery NSE categories. Only "safe" is defined as
# non-intrusive; "vuln" and "discovery" may include scripts that disturb the service.
nmap -oN scan.txt --script=vuln,safe,discovery target-ip
list all nse scripts
# Long listing of the bundled NSE scripts; the file names are what --script accepts.
ls -hl -- /usr/share/nmap/scripts/
host discovery for fast scan
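# Ping sweep only (-sn = no port scan). -oA writes .nmap/.gnmap/.xml into the
# nmap/ directory, which nmap does not create on its own.
mkdir -p nmap
nmap -sn -v -oA nmap/host_discovery target-ip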
find all hosts that are up
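# Extract the address of every host reported "Up" from the grepable output.
# One awk pass replaces grep | awk, and the output file name is now a real .txt
# (the original was cut off as "ips_host_discovery.tx").
awk '/Up/ {print $2}' nmap/host_discovery.gnmap > ips_host_discovery.txt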
scan only hosts that are up
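# Full port scan of only the live hosts; -iL takes the address list produced by
# the host-discovery grep step (ips_host_discovery.txt), not a bare "host_discovery".
# -T5 with --min-parallelism 100 trades accuracy for speed and may miss ports on
# slow or lossy links.
nmap -p- -sC -sV -T5 --min-parallelism 100 -oA nmap/all_ports -iL ips_host_discovery.txt -v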
nmap through socks4 proxy
# NOTE: per the nmap man page, --proxies is implemented in nsock and only affects
# NSE scripts and version detection. Host discovery, port scanning and OS
# detection still go directly from this host to the target, not through the proxy.
nmap --proxies socks4://proxy-ip:1080 target-ip
ftp bounce scan
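# -Pn is the current spelling of the deprecated -P0 (skip host discovery); -n skips DNS.
# The FTP credentials are passed on the command line, so they end up in shell
# history and are visible in process listings. Per the nmap man page --proxies
# only routes NSE/version-detection traffic; the bounce scan itself connects
# directly to the FTP relay.
nmap -Pn -n -b username:password@target-ip target2-ip --proxies socks4://proxy-ip:1080 -vvvv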
masscan #
todo
snmpwalk #
gather snmp v1 information with standard community strings #
# Walk the whole tree once per common default community string, in this order.
for community in public private manager; do
  snmpwalk -v1 -c "$community" target-ip
done
enumerate windows users #
# User table under the LAN Manager MIB (enterprise 77): Windows account names.
snmpwalk -v1 -c public target-ip 1.3.6.1.4.1.77.1.2.25
enumerate current windows processes #
# HOST-RESOURCES-MIB hrSWRunName: names of the processes currently running.
snmpwalk -v1 -c public target-ip 1.3.6.1.2.1.25.4.2.1.2
enumerate windows open tcp ports #
# TCP-MIB tcpConnLocalPort: local port of each TCP connection/listener.
snmpwalk -v1 -c public target-ip 1.3.6.1.2.1.6.13.1.3
enumerate installed software #
# HOST-RESOURCES-MIB hrSWInstalledName: names of installed software packages.
snmpwalk -v1 -c public target-ip 1.3.6.1.2.1.25.6.3.1.2
make use of MIB files and translate the OIDs automatically #
- default folder for MIB files:
/usr/share/snmp/mibs
# Load every MIB found in the MIB directories so snmpwalk prints symbolic
# names instead of bare numeric OIDs.
MIBS=ALL
export MIBS
onesixtyone #
brute-force community strings #
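# Candidate community strings, one per line (printf instead of three echo calls).
printf '%s\n' public private manager > community.txt
# Target list 1.2.3.200 .. 1.2.3.254; brace expansion replaces the seq loop.
printf '1.2.3.%d\n' {200..254} > target-ip.txt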
# Try every community string in community.txt against every address in target-ip.txt.
onesixtyone -i target-ip.txt -c community.txt
dig #
full zone transfer
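# dig takes the zone name as the query and the server to ask after "@". Without
# the @server the AXFR request goes to the system resolver, not to the target DNS.
dig -t AXFR target-domain @target-dns-ip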
host #
full zone transfer
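# host -l takes the zone first and the server to query as the optional second
# argument; with only the server given it would query the system resolver.
host -l target-domain target-dns-ip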