Internal only

ARP Scan

arp-scan --interface=wlan0 --localnet
arp-scan --interface=wlan0 10.0.1.0/24

More Info:

• https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/

• https://tools.kali.org/information-gathering/arp-scan

---

NetDiscover

netdiscover -i wlan0 -r range

-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8

netdiscover -i wlan0 -p -f -P -L

-P print results in a format suitable for parsing by another program and stop after active scan

-L similar to -P but continue listening after the active scan is completed

-f enable fastmode scan, saves a lot of time, recommended for auto

-p passive mode: do not send anything, only sniff

---

SMB security level

nmap --script smb-security-mode.nse -p 445 <PORT> <TARGET>

nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139,445

nmap -p445 --script smb-protocols <TARGET>

Info: http://nmap.org/nsedoc/scripts/smb-security-mode.html

---

NetBIOS Scanner

NetBIOS Scanner: http://www.nirsoft.net/utils/netbios_scanner.html

Nmap nbstat

nmap -sU --script nbstat.nse -p137 <host>

https://nmap.org/nsedoc/scripts/nbstat.html

Metasploit

• use auxiliary/scanner/smb/smb_version

• use auxiliary/scanner/smb/smb_enumshares

• use auxiliary/scanner/smb/smb_lookupsid

• use auxiliary/scanner/smb/smb_enumusers

---

Enumerate SMB resources

nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139,445