search
WEBSITEGITHUBLINKEDININSTAGRAM

πŸ†•IP & Network Enumeration

hashtag
fping Scan

hashtag
fping Host Discovery Scan

fping -a -g <network> 2>/dev/null

network ==> Network for Host Discovery
						Eg : 192.168.99.0/24
						     192.168.99.0-24

-a ==> Show only Live hosts
-g ==> perform ping sweep rather than standard ping

hashtag
Offline OS Fingerprinting tools

[1] p0f [<http://lcamtuf.coredump.cx/p0f3/>]

hashtag
Nmap Scanning

hashtag
data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7arrow-up-right

hashtag
Basic Nmap Syntax

nmap <ip-address>

Notations

hashtag
Basic Nmap Commands used during INE Labs

Host Discovery Scan

sudo nmap -sn -T5 10.100.13.0/24 -v -oN ./nmap/host_discovery.txt

sudo nmap -sn -iL -T5 network_list.txt -v -oN ./nmap/host_discovery.txt

Live Hosts Detailed Scan

sudo nmap -sC -sV -O -Pn -T5 -v -iL active_hosts.txt -oN ./nmap/live_host_detail-nmap.txt

All Port Scan

sudo nmap -sC -sV -T5 -Pn -p- -v -iL active_hosts.txt -oN ./nmap/live_hosts_detail_scan-nmap.txt

Dump Active Hosts from Nmap Host Discovery Output File

cat ./nmap/host_discovery.txt | grep "Nmap scan report for" | grep -v "host down" | cut -d " " -f 5 > active_hosts.txt

Here, active_hosts.txt contains the IP-Addresses of the provided machines to test.

Sample Table of Nmap data

β•‘ 22 β•‘ SSH β•‘

β•‘ 53 β•‘ DNS β•‘

β•‘ 80, 443 β•‘ HTTP/HTTPS web server β•‘

β•‘ 445 β•‘ Windows shares (SMB), also Linux equivalent -Samba service β•‘

β•‘ 25 β•‘ SMTP (Simple Mail Transfer Protocol) β•‘

β•‘ 21 β•‘ FTP (File Transfer Protocol) β•‘

β•‘ 137-139 β•‘ Windows NetBIOS services β•‘

β•‘ 1433-1434 β•‘ 1433-1434 MSSQL Database β•‘

β•‘ 3306 β•‘ MySQL Database β•‘

β•‘ 8080, 843 β•‘ HTTP(s) web server, HTTP Proxy β•‘

PreviousSystem CommandsNextSQL Injection

Last updated