Scanning and Enumeration

Finding Hosts on the Network

netdiscover
arp-scan -l
ping 10.10.10.0/24    (note: plain ping takes a single host, not a CIDR range; for a sweep use the ping sweep one-liner below or nmap -sn)
nmap -sn 10.10.10.0/24
fping 10.10.10.10

Basic Fingerprinting

nc -v 192.168.1.1 25
    Basic versioning / fingerprinting via the displayed banner

telnet 192.168.1.1 25
    As above, using telnet instead of netcat

Ping Sweep One Liner

for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

Port Scanner One Liner Bash

for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

NMAP

nmap -T4 -p- -A 10.10.10.10

nmap -sC -sV -Pn 10.10.10.10 | tee a.nmap

Basic Nmap Commands:

nmap -v -sS -A -T4 target
    Nmap verbose scan: SYN stealth scan, T4 timing (should be fine on a LAN), OS and service version detection, traceroute, and default scripts against discovered services

nmap -v -sS -p- -A -T4 target
    As above, but scans all TCP ports (takes a lot longer)

nmap -v -sU -sS -p- -A -T4 target
    As above, but scans all TCP ports and adds a UDP scan (takes even longer)

nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X
    Nmap script to scan for vulnerable SMB servers. WARNING: unsafe=1 runs checks that may crash the target service

ls /usr/share/nmap/scripts/* | grep ftp
    Search the nmap script directory for a keyword (here: ftp)

RUSTSCAN

rustscan -a 10.10.10.10

MASSCAN

masscan -p1-65535 --rate 1000 192.168.1.1

NESSUS

DNS Enumeration

DNS does not have a "banner" to grab. The closest equivalent is a "magic" query for version.bind, class CHAOS, type TXT, which works on most BIND nameservers. You can perform this query using dig:

If that does not work you can use fingerprinting techniques to determine the remote server's version -- the fpdns tool is one option for that, but there are others.
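The version.bind query described above, in wire form, as an added example (not part of the original page): it builds the same CHAOS TXT question that dig sends and parses the reply, so you can check whether a nameserver you administer discloses its version string. It assumes the server listens on UDP/53; the two sample replies at the bottom are constructed, not captured.

```python
import socket
import struct

QTYPE_TXT, QCLASS_CHAOS = 16, 3   # TXT record in the CHAOS class, where version.bind lives

def encode_name(name):
    """Encode a dotted name in RFC 1035 label format."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_version_query(txid=0x1234):
    """Wire form of what 'dig @server version.bind CHAOS TXT' sends: one question, recursion off."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)

def skip_name(data, off):
    """Return the offset just past a name, which may end in a two-byte compression pointer."""
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)

def parse_version_answer(data):
    """TXT strings from the first answer RR; [] if the server refused or answered nothing."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if (flags & 0x000F) != 0 or an == 0:     # RCODE other than NOERROR, or empty answer section
        return []
    off = 12
    for _ in range(qd):                      # step over the echoed question(s): name + type + class
        off = skip_name(data, off) + 4
    off = skip_name(data, off)               # answer owner name (usually a pointer to the question)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    rdata, strings, i = data[off + 10:off + 10 + rdlen], [], 0
    while i < len(rdata):                    # TXT RDATA is a sequence of <len><chars> strings
        n = rdata[i]
        strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return strings

def query_server(server, timeout=2.0):
    """Ask a nameserver you administer (UDP/53) whether it discloses its version string."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        return parse_version_answer(s.recvfrom(512)[0])

# Constructed sample replies (not captured from any real server) so the parser runs offline.
SAMPLE_DISCLOSED = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + build_version_query()[12:]
                    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, 7) + b"\x06" + b"9.16.1")
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + build_version_query()[12:]
```

An empty list from query_server() means the server either refused the CHAOS query or returned no TXT data, which is the state you want after hiding the version in the server configuration.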

You can also grab the banner with an nmap script:

Zone Transfer

More info

Using nslookup

Useful Metasploit modules

Quick Commands

CMS Scanning

droopescan scan drupal -u http://IP_ADDR

wpscan --url http://IP_ADDR --enumerate u,p,t
