Internal only

ARP Scan

arp-scan --interface=wlan0 --localnet
arp-scan --interface=wlan0 10.0.1.0/24
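Added example (not part of these notes): the sweep above is only useful to a defender if its output is compared against what should be on the segment. The script below parses arp-scan's normal text output (IP, MAC and vendor separated by tabs, with "(DUP: n)" appended when an IP answers more than once) and checks it against a small inventory. Both the scan output and the inventory are constructed samples; the inventory format (IP to MAC mapping) is an assumption of this example.

```python
"""Compare an arp-scan sweep against a known-host inventory.

Added example, not from the original notes. SAMPLE_OUTPUT is constructed to
match arp-scan's text format; KNOWN_HOSTS is a made-up inventory.
"""
import re
from collections import defaultdict

# Constructed sample of `arp-scan --interface=wlan0 10.0.1.0/24` output.
SAMPLE_OUTPUT = """\
Interface: wlan0, type: EN10MB, MAC: 00:00:00:00:00:01, IPv4: 10.0.1.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.1.1\t00:11:22:33:44:55\tCisco Systems, Inc
10.0.1.5\taa:bb:cc:dd:ee:ff\t(Unknown)
10.0.1.5\taa:bb:cc:dd:ee:01\t(Unknown) (DUP: 2)
10.0.1.9\t66:77:88:99:aa:bb\tRaspberry Pi Foundation

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.034 seconds (125.86 hosts/sec). 4 responded
"""

# Constructed inventory: the IP -> MAC pairs expected on this segment.
KNOWN_HOSTS = {
    "10.0.1.1": "00:11:22:33:44:55",
    "10.0.1.5": "aa:bb:cc:dd:ee:ff",
}

# Host lines are IP<TAB>MAC<TAB>vendor; header and footer lines do not match.
HOST_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\t([0-9a-f:]{17})\t(.*)$")


def parse_arp_scan(text):
    """Return a list of (ip, mac, vendor) tuples from arp-scan's host lines."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, mac, vendor = m.groups()
        # arp-scan appends "(DUP: n)" when the same IP answers more than once;
        # strip it so the vendor string is clean. The duplicate itself is
        # still recorded, because that is what audit() looks for.
        vendor = re.sub(r"\s*\(DUP: \d+\)$", "", vendor)
        hosts.append((ip, mac.lower(), vendor))
    return hosts


def audit(hosts, known):
    """Classify scan results against the inventory.

    unknown:   (ip, mac) pairs for IPs not in the inventory
    changed:   inventoried IPs that answered only from a different MAC
    conflicts: IPs that answered from more than one MAC (ARP conflict or
               possible spoofing; worth a look either way)
    """
    macs_by_ip = defaultdict(set)
    for ip, mac, _ in hosts:
        macs_by_ip[ip].add(mac)

    unknown, changed, conflicts = [], [], []
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            conflicts.append(ip)
        if ip not in known:
            for mac in sorted(macs):
                unknown.append((ip, mac))
        elif known[ip] not in macs:
            changed.append(ip)
    return {"unknown": unknown, "changed": changed, "conflicts": sorted(conflicts)}


if __name__ == "__main__":
    result = audit(parse_arp_scan(SAMPLE_OUTPUT), KNOWN_HOSTS)
    for key, items in result.items():
        print(f"{key}: {items}")
```

Run it against a real sweep with `arp-scan --interface=wlan0 --localnet > scan.txt` and feed the file contents to `parse_arp_scan`; the interesting outputs are the `conflicts` (an IP answering from two MACs) and `changed` (a known IP now owned by a different MAC), which a plain host count would hide.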

More Info:


NetDiscover

netdiscover -i wlan0 -r range

-r range: scan the given range instead of auto-scanning, e.g. 192.168.6.0/24, /16 or /8

netdiscover -i wlan0 -p -f -P -L

-P: print results in a format suitable for parsing by another program and stop after the active scan

-L: like -P, but keep listening after the active scan is completed

-f: enable fast-mode scan; saves a lot of time, recommended for auto-scan

-p: passive mode; do not send anything, only sniff


SMB security level

nmap --script smb-security-mode.nse -p 445 <TARGET>
nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139,445 <TARGET>
nmap -p445 --script smb-protocols <TARGET>
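Added example (not from these notes): what to actually do with the output of `smb-security-mode` and `smb-protocols`. The script parses the indented `|` block nmap prints for host scripts into one list of lines per script and turns the settings a defender cares about (SMBv1 still offered, signing not required, guest access accepted) into findings. The nmap text is a constructed sample in the shape those two scripts print; the finding rules are this example's own choice, not anything nmap reports itself.

```python
"""Triage nmap smb-security-mode / smb-protocols output for weak settings.

Added example, not from the original notes. SAMPLE_NMAP is a constructed
sample in the shape those NSE scripts print; the rules in smb_findings()
are this example's own.
"""
import re

# Constructed sample of host script output from
# `nmap -p445 --script smb-security-mode,smb-protocols <TARGET>`.
SAMPLE_NMAP = """\
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|_    3.1.1
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# A script section starts with "| <script-name>:" at the first indent level.
SECTION = re.compile(r"^\| ([\w-]+):$")


def parse_nse_output(text):
    """Return {script_name: [body lines]} from nmap's '|'-prefixed block.

    Body lines keep their text but lose the '|' / '|_' prefix and indentation.
    Lines outside the block (e.g. 'Host script results:') are ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        m = SECTION.match(raw)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and raw.startswith("|"):
            sections[current].append(raw.lstrip("|_").strip())
    return sections


def smb_findings(sections):
    """Derive hardening findings from the two scripts' output."""
    findings = []
    for line in sections.get("smb-protocols", []):
        # smb-protocols tags the SMBv1 dialect explicitly.
        if "SMBv1" in line:
            findings.append("SMBv1 dialect offered: disable SMBv1 on the host")
    for line in sections.get("smb-security-mode", []):
        key, _, value = line.partition(": ")
        # "required" is the only safe value; "supported" and "disabled"
        # both leave the host open to relay.
        if key == "message_signing" and not value.startswith("required"):
            findings.append(f"SMB signing is '{value}': enforce signing")
        # account_used shows which account the script got in with.
        if key == "account_used" and value == "guest":
            findings.append("guest account accepted: disable guest/anonymous SMB access")
    return findings


if __name__ == "__main__":
    for finding in smb_findings(parse_nse_output(SAMPLE_NMAP)):
        print("-", finding)
```

Point `parse_nse_output` at the saved normal output of the nmap commands above (`-oN smb.txt`); a host that returns no findings offers no SMBv1 dialect, requires signing and did not accept guest access.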


NetBIOS Scanner

NetBIOS Scanner: http://www.nirsoft.net/utils/netbios_scanner.html

Nmap nbstat

nmap -sU --script nbstat.nse -p137 <host>

Metasploit

  • use auxiliary/scanner/smb/smb_version

  • use auxiliary/scanner/smb/smb_enumshares

  • use auxiliary/scanner/smb/smb_lookupsid

  • use auxiliary/scanner/smb/smb_enumusers


Enumerate SMB resources

nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139,445 <TARGET>