Scanning and Enumeration

To Find Hosts in the Network

netdiscover
arp-scan -l
ping 10.10.10.0/24
nmap -sn 10.10.10.0/24
fping 10.10.10.10

Basic Finger Printing

COMMAND	DESCRIPTION
nc -v 192.168.1.1 25 telnet 192.168.1.1 25	Basic versioning / finger printing via displayed banner

Ping Sweep One Liner

for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

Port Scanner One Liner Bash

for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

NMAP

nmap -T4 -p- -A 10.10.10.10

nmap -sC -sV -Pn 10.10.10.10 | tee a.nmap

Basic Nmap Commands:

COMMAND	DESCRIPTION
nmap -v -sS -A -T4 target	Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -p--A -T4 target	As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target	As above but scans all TCP ports and UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X	Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may cause knockover
ls /usr/share/nmap/scripts/* | grep ftp	Search nmap scripts for keywords

RUSTSCAN

rustscan -a 10.10.10.10

MASSCAN

masscan -p1-65535 --rate 1000 192.168.1.1

NESSUS

DNS Enumeration

Banner Grabbing

DNS does not have a "banner" to grab. The closest equivalent is a magic query for version.bind. CHAOS TXT which will work on most BIND nameservers. You can perform this query using dig:

dig version.bind CHAOS TXT @DNS

If that does not work you can use fingerprinting techniques to determine the remote server's version -- the fpdns tool is one option for that, but there are others.

You can grab the banner also with a nmap script:

--script dns-nsid

Zone Transfer

dig axfr @<DNS_IP> #Try zone transfer without domain
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
fierce -dns <DOMAIN> #Will try toperform a zone transfer against every authoritative name server and if this doesn'twork, will launch a dictionary attack

More info

dig ANY @<DNS_IP> <DOMAIN>     #Any information
dig A @<DNS_IP> <DOMAIN>       #Regular DNS request
dig AAAA @<DNS_IP> <DOMAIN>    #IPv6 DNS request
dig TXT @<DNS_IP> <DOMAIN>     #Information
dig MX @<DNS_IP> <DOMAIN>      #Emails related
dig NS @<DNS_IP> <DOMAIN>      #DNS that resolves that name
dig -x 192.168.0.2 @<DNS_IP>   #Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #reverse IPv6 lookup

#Use [-p PORT]  or  -6 (to use ivp6 address of dns)

Using nslookup

nslookup
> SERVER <IP_DNS> #Select dns server
> 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe...
> <IP_MACHINE> #Reverse lookup of a machine, maybe...

Useful Metasploit modules

auxiliary/gather/enum_dns #Perform enumeration actions

Quick Commands

dig @10.10.217.140 givemetheflag.com A

nslookup -type=A givemetheflag.com 10.10.217.140

nslookup
> SERVER 10.10.217.140
> givemetheflag.com

dnsrecon -d givemetheflag.com -n 10.10.217.140

CMS Scanning

GitHub - dionach/CMSmap: CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.GitHub

droopescan scan drupal -u http://IP_ADDR wpscan --url http://IP_ADDR --enumerate u,p,t