Scanning and Enumeration
To Find Hosts in the Network
netdiscover
arp-scan -l
ping 10.10.10.0/24
nmap -sn 10.10.10.0/24
fping 10.10.10.10
Basic Fingerprinting
nc -v 192.168.1.1 25 #Basic versioning / fingerprinting via the displayed banner
telnet 192.168.1.1 25 #Same check, connecting with telnet instead of nc
Ping Sweep One Liner
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done
Port Scanner One Liner Bash
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done
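As an added defender-side example (not part of the original cheat sheet), the following Python applies the inverse of the two one-liners above to constructed iptables-style log lines: it flags a source that pings many distinct hosts (a sweep) and a source that hits many distinct ports on one host (a port scan). The log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Regex for a simplified iptables-style log line (SRC/DST/PROTO and optional DPT).
# This is an assumed format for the example, not a complete iptables parser.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: DPT=(\d+))?")

# Constructed sample log: one host pinging a range (horizontal sweep), one host
# hitting many ports on a single target (vertical scan), and some normal traffic.
SAMPLE_LOG = (
    "".join(f"SRC=192.168.1.50 DST=192.168.1.{i} PROTO=ICMP\n" for i in range(1, 9))
    + "".join(f"SRC=192.168.1.77 DST=192.168.1.1 PROTO=TCP DPT={p}\n"
              for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389))
    + "SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP DPT=443\n" * 3
)


def detect_scans(log_text, sweep_hosts=5, scan_ports=10):
    """Return {"sweeps": {src: n_hosts}, "port_scans": {(src, dst): n_ports}}
    for sources at or above the thresholds. Counts are over distinct values,
    so a busy client repeatedly hitting one port is not flagged."""
    icmp_targets = defaultdict(set)   # src -> set of DST hosts pinged
    tcp_ports = defaultdict(set)      # (src, dst) -> set of distinct DPT values
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                  # ignore lines that do not match the format
        src, dst, proto, dport = m.groups()
        if proto == "ICMP":
            icmp_targets[src].add(dst)
        elif proto == "TCP" and dport is not None:
            tcp_ports[(src, dst)].add(int(dport))
    return {
        "sweeps": {s: len(h) for s, h in icmp_targets.items() if len(h) >= sweep_hosts},
        "port_scans": {k: len(p) for k, p in tcp_ports.items() if len(p) >= scan_ports},
    }


if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```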
NMAP
nmap -T4 -p- -A 10.10.10.10
nmap -sC -sV -Pn 10.10.10.10 | tee a.nmap
Basic Nmap Commands:
nmap -v -sS -A -T4 target #Verbose SYN stealth scan, T4 timing (fine on a LAN), OS and service version detection, traceroute and default scripts against discovered services
nmap -v -sS -p- -A -T4 target #As above but scans all 65535 TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target #As above plus a UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X #Check for vulnerable SMB servers - WARNING: unsafe=1 may crash the target service; newer Nmap releases replaced this script with the smb-vuln-* scripts
ls /usr/share/nmap/scripts/* | grep ftp #Search nmap scripts for keywords
RUSTSCAN
rustscan -a 10.10.10.10

MASSCAN
masscan -p1-65535 --rate 1000 192.168.1.1
NESSUS

DNS Enumeration
Banner Grabbing
DNS does not have a "banner" to grab. The closest equivalent is a magic query for version.bind CHAOS TXT, which works on most BIND nameservers. You can perform this query using dig:
dig version.bind CHAOS TXT @<DNS_IP>
If that does not work you can use fingerprinting techniques to determine the remote server's version; the fpdns tool is one option for that, but there are others.
You can also grab the banner with an nmap script:
nmap -sU -p 53 --script dns-nsid <DNS_IP>
Zone Transfer
dig axfr @<DNS_IP> #Try zone transfer without domain
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
fierce -dns <DOMAIN> #Will try to perform a zone transfer against every authoritative name server and, if this doesn't work, will launch a dictionary attack
More info
dig ANY @<DNS_IP> <DOMAIN> #Any information
dig A @<DNS_IP> <DOMAIN> #Regular DNS request
dig AAAA @<DNS_IP> <DOMAIN> #IPv6 DNS request
dig TXT @<DNS_IP> <DOMAIN> #Information
dig MX @<DNS_IP> <DOMAIN> #Emails related
dig NS @<DNS_IP> <DOMAIN> #DNS that resolves that name
dig -x 192.168.0.2 @<DNS_IP> #Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #reverse IPv6 lookup
#Use [-p PORT] to query a non-standard port, or -6 to use the IPv6 address of the DNS server
Using nslookup
nslookup
> SERVER <IP_DNS> #Select dns server
> 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe...
> <IP_MACHINE> #Reverse lookup of a machine, maybe...
Useful Metasploit modules
auxiliary/gather/enum_dns #Perform enumeration actions
Quick Commands
dig @10.10.217.140 givemetheflag.com A
nslookup -type=A givemetheflag.com 10.10.217.140
nslookup
> SERVER 10.10.217.140
> givemetheflag.com
dnsrecon -d givemetheflag.com -n 10.10.217.140
CMS Scanning
droopescan scan drupal -u http://IP_ADDR
wpscan --url http://IP_ADDR --enumerate u,p,t