Pentest & Bug Bounty Resources and Techniques

External/Internal

PreviousNetwork Host Scan/Discovery NextInternal only

Last updated 6 months ago

External/Internal

Nmap

For

Nmap to Markdown:

Network Discovery with scripts

sudo nmap -sS -Pn -sV -v --top-ports 8000 --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 300ms --max-retries 2 -oA SYN_8K_ports --script default,discovery,broadcast --open-only -iL ip_hostname.txt

--script=default: Runs a set of default scripts that are commonly used for network discovery and general scanning. It includes basic checks for services, OS detection, and some vulnerability checks.

broadcast category: These scripts are designed for discovering hosts and services by broadcasting requests across the network.
discovery category: These scripts are more specific to discovering information about the network.

-sV: Detects the version of services running on open ports.

--open-only report only open ports, not closed ports.

ICMP

This is the easiest and fastest way to discover if a host is up or not. You could try to send some ICMP packets and expect responses. The easiest way is just sending an echo request and expect from the response. You can do that using a simple pingor using fpingfor ranges. You could also use nmap to send other types of ICMP packets (this will avoid filters to common ICMP echo request-response).

ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to ranges
nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests

sudo nmap -PE -PP -PM --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 30ms --max-retries 2 -A -oA HostDiscoveryMultpleICMP Network

-PE Use ICMP Echo Request

-PP Use ICMP Timestamp Request

-PM Use ICMP Netmask Request

UDP Port Discovery

You could also try to check for some UDP port open to decide if you should pay more attention to a host. As UDP services usually don't respond with any data to a regular empty UDP probe packet it is difficult to say if a port is being filtered or open. The easiest way to decide this is to send a packet related to the running service, and as you don't know which service is running, you should try the most probable based on the port number:

nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable

Nmap Docker

docker run --rm -it -v "<LOCAL_FOLDER>\nmap:/nmap" instrumentisto/nmap <NMAP PARAMETERS> -oA /nmap/<OUTPUT_NAME> <DOMAIN/S>

Using a list of domains/IPs

Ensure that the local file with a domain list exists, so make sure that the <DOMAIN_LIST.txt> file is located in <LOCAL_FOLDER>.

docker run --rm -it -v "<LOCAL_FOLDER>:/nmap" instrumentisto/nmap <NMAP PARAMETERS> -oA /nmap/<OUTPUT NAME> -iL /nmap/<DOMAIN_LIST.txt>

Masscan

Scan Networks

# Locally
sudo masscan 10.6.66.40 10.6.104.191 10.11.119.9 10.6.67.21 -p 21,22,23,25,100-700,3389,8080 --banners -e cscotun0 --open-only --max-rate 10000 --oX output-file.xml

# Docker
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan 10.6.66.40 10.6.104.191 10.11.119.9 10.6.67.21 -p 21,22,23,25,100-700,3389,8080 --banners -e eth0 --open-only --max-rate 10000 -oX masscan/output-file.xml

--banners specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

--open-only report only open ports, not closed ports.

-oX / -oG: Use -oX for an XML output or -oG for a grepable output

HTTP Port Discovery

This is just a TCP port discovery useful when you want to focus on discovering HTTP services:

# Locally
sudo masscan -p80,443,8000-8100,8443 <199.66.11.0/24> --open-only -oX output-file.xml

# Docker
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan <199.66.11.0/24> -p80,443,8000-8100,8443 --banners -e eth0 --open-only --max-rate 10000 -oX masscan/output-file.xml

--banners specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

--open-only report only open ports, not closed ports.

-oX / -oG: Use -oX for an XML output or -oG for a grepable output

Scan Specific Hosts

Masscan only accepts IP addresses and does not support hostnames in its input list. If your input file contains hostnames (like example.com), that will cause an error, as Masscan cannot resolve them automatically.

Run the Scan

# Locally
sudo masscan -iL <hosts.txt> -p 21,22,23,25,100-700,3389,8080 --banners --open-only --max-rate 100 -oX <output-file.xml>

# Docker
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan -iL <HOSTS.txt> -p 21,22,23,25,100-700,3389,8080 --banners -e eth0 --open-only --max-rate 10000 -oX masscan/output-file.xml

--banners specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

--open-only report only open ports, not closed ports.

-oX / -oG: Use -oX for an XML output or -oG for a grepable output

Zmap

zmap -p 445 -o output-file 172.16.0.0/16 10.32.0.0/16 10.200.0.0/16

sn1per

Info: Automated Pentest Recon Scanner

DISCOVER

Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.

sudo sniper -t <CIDR> -m discover -w <WORSPACE_ALIAS>
sudo sniper -t www.domain.com -m discover -w workspace_name

AIRSTRIKE

Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.

sudo sniper -f /full/path/to/targets.txt -m airstrike
sudo sniper -t domain.com | <CIDR> -m discover -w domain && sudo sniper -f /usr/share/sniper/loot/domain/lyse/domains/targets.txt -m airstrike

HackerTarget Tools

Info: The following are a collection of online IP Tools that can be used to quickly get information about IP Addresses, Web Pages and DNS records.

These tools are placed here to be a quick reference whether you are assessing your organizations systems, or popping boxes on a penetration testing engagement.

PreviousNetwork Host Scan/Discovery NextInternal only

Last updated 6 months ago

Nmap

For

Nmap to Markdown:

Network Discovery with scripts

sudo nmap -sS -Pn -sV -v --top-ports 8000 --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 300ms --max-retries 2 -oA SYN_8K_ports --script default,discovery,broadcast --open-only -iL ip_hostname.txt

broadcast category: These scripts are designed for discovering hosts and services by broadcasting requests across the network.
discovery category: These scripts are more specific to discovering information about the network.

-sV: Detects the version of services running on open ports.

--open-only report only open ports, not closed ports.

ICMP

ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to ranges
nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests

sudo nmap -PE -PP -PM --min-parallelism 20 --min-hostgroup 30 --max-rtt-timeout 30ms --max-retries 2 -A -oA HostDiscoveryMultpleICMP Network

-PE Use ICMP Echo Request

-PP Use ICMP Timestamp Request

-PM Use ICMP Netmask Request

UDP Port Discovery

nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable

The nmap line proposed before will test the top 1000 UDP ports in every host inside the /24 range but even only this will take >20min. If need fastest results you can use : ./udp-proto-scanner.pl 199.66.11.53/24 This will send these UDP probes to their expected port (for a /24 range this will just take 1 min): DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike,ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp.

Nmap Docker

Using the

docker run --rm -it -v "<LOCAL_FOLDER>\nmap:/nmap" instrumentisto/nmap <NMAP PARAMETERS> -oA /nmap/<OUTPUT_NAME> <DOMAIN/S>

Using a list of domains/IPs

Ensure that the local file with a domain list exists, so make sure that the <DOMAIN_LIST.txt> file is located in <LOCAL_FOLDER>.

docker run --rm -it -v "<LOCAL_FOLDER>:/nmap" instrumentisto/nmap <NMAP PARAMETERS> -oA /nmap/<OUTPUT NAME> -iL /nmap/<DOMAIN_LIST.txt>

Masscan

Scan Networks

# Locally
sudo masscan 10.6.66.40 10.6.104.191 10.11.119.9 10.6.67.21 -p 21,22,23,25,100-700,3389,8080 --banners -e cscotun0 --open-only --max-rate 10000 --oX output-file.xml

# Docker
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan 10.6.66.40 10.6.104.191 10.11.119.9 10.6.67.21 -p 21,22,23,25,100-700,3389,8080 --banners -e eth0 --open-only --max-rate 10000 -oX masscan/output-file.xml

--banners specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

--open-only report only open ports, not closed ports.

-oX / -oG: Use -oX for an XML output or -oG for a grepable output

HTTP Port Discovery

This is just a TCP port discovery useful when you want to focus on discovering HTTP services:

# Locally
sudo masscan -p80,443,8000-8100,8443 <199.66.11.0/24> --open-only -oX output-file.xml

# Docker
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan <199.66.11.0/24> -p80,443,8000-8100,8443 --banners -e eth0 --open-only --max-rate 10000 -oX masscan/output-file.xml

--banners specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

--open-only report only open ports, not closed ports.

-oX / -oG: Use -oX for an XML output or -oG for a grepable output

Scan Specific Hosts

You’ll need to resolve the hostnames into IP addresses before running the Masscan scan. Here’s how you can do that:

Run the Scan

# Locally
sudo masscan -iL <hosts.txt> -p 21,22,23,25,100-700,3389,8080 --banners --open-only --max-rate 100 -oX <output-file.xml>

# Docker
docker run --rm -v "<LOCAL_FOLDER>:/masscan" btx3/masscan -iL <HOSTS.txt> -p 21,22,23,25,100-700,3389,8080 --banners -e eth0 --open-only --max-rate 10000 -oX masscan/output-file.xml

--banners specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

--open-only report only open ports, not closed ports.

-oX / -oG: Use -oX for an XML output or -oG for a grepable output

Zmap

zmap -p 445 -o output-file 172.16.0.0/16 10.32.0.0/16 10.200.0.0/16

sn1per

Repository:

Info: Automated Pentest Recon Scanner

DISCOVER

Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.

sudo sniper -t <CIDR> -m discover -w <WORSPACE_ALIAS>
sudo sniper -t www.domain.com -m discover -w workspace_name

AIRSTRIKE

sudo sniper -f /full/path/to/targets.txt -m airstrike
sudo sniper -t domain.com | <CIDR> -m discover -w domain && sudo sniper -f /usr/share/sniper/loot/domain/lyse/domains/targets.txt -m airstrike

HackerTarget Tools

Repo:

Info: The following are a collection of online IP Tools that can be used to quickly get information about IP Addresses, Web Pages and DNS records.

These tools are placed here to be a quick reference whether you are assessing your organizations systems, or popping boxes on a penetration testing engagement.