CyberSec Notes
  • Bienvenida
    • CyberSec Notes
  • Network Services
    • Port 21 - FTP
    • Port 22 - SSH
    • Port 23 - Telnet
    • Port 25 - SMTP
    • Port 53 - DNS
      • Deploy DNS Server with BIND
    • Port 80/443 - HTTP/HTTPS
      • Wordpress
      • CMS Made Simple (CMSMS)
    • Port 88 - Kerberos
    • Port 386, 636, 3268, 3269 - LDAP
    • Port 445 - SMB
    • Port 1521,1522-1529 - Oracle TNS Listener
    • Port 3128 - Squid
    • Port 5985, 5986 - WinRM
  • Command && Control
    • Sliver C2 [in progress]
  • Ataques en Entornos Windows
    • MalDev
      • AV Evasion
        • Function call obfuscation
      • Code Samples
        • Shellcode Execution C#
        • Shellcode Execution C++
        • Stager HTTP C#
        • Stager HTTP C++
        • Process Inyection C++
        • Process Inyection C#
        • XOR Encrypt C++
    • Directorio Activo
      • Spriying
      • Autenticacion Net-NTLMv2 y tipos de hashes
        • Pass the Hash
        • SMB Relay
      • Autenticación Kerberos
        • Extensiones del protocolo Kerberos (SPNs & PACs)
        • AS_REP Roasting
        • Kerberoasting
        • Silver Ticket Attack
        • Golden Ticket Attack
      • DCSync
      • Mimikatz
      • BloodHound
      • Privilege Escalation
        • PS Credentials in XML format
      • Utils
    • Amsi Bypass
    • Buffer Overflow
      • Stack Based 32 bits [in progress]
        • Windows SLMail 5.5
  • Ataques en Entornos Linux
    • Privilege escalation [in progress]
    • MalDev
      • Simple Reverse Shell
    • Buffer Over Flow
      • Stack Based 32 bits
        • Linux, Vulnerable functions in C programs
    • Persistencia
  • General
    • Host Discovery
    • Reverse Shells Cheet Sheet
    • Pivoting
      • Chisel
      • Port Forwarding
      • Nmap con pivoting
    • Google Dorks [in progress]
    • Denial of Service (DoS)
      • Low and Slow
    • Docker
  • Pentesting Web
    • XML External Entity Injection(XXE)
      • Portswigger Lab #1: Retrieve Files
      • Portswigger Lab #2: Perform SSRF
      • Portswigger Lab #6: Blind XXE to retrieve data via error messages
    • Open Redirect
    • LFI
      • Log Poisoning (Apache, SSH y SMPT)
  • Wireless Pentesting
    • Pre Connection Attacks
      • WEP
      • WPA/WPA2
    • Post Connection Attacks
      • ARP Spoof
    • Fake AP for Captive Portal
Powered by GitBook
On this page
  • ARP Discovery
  • ICMP Discovery
  • Ping and ARP scan (combined)
  • TCP SYN Scan
  • TCP ACK Scan
  • UDP Ping Scan
  • Reverse DNS Lookup
  1. General

Host Discovery

ARP Discovery

# arp-scan:
sudo arp-scan -I tap0 <IP>/24

# Nmap:
sudo nmap -n -sn <IP>/24 -PR -oG - | awk '/Up$/{print $2}'

ICMP Discovery

# fping: Ping sweep
fping  -a -g <IP>/24 2> /dev/nul

# fping: sweep, generate statistics and list alive hosts
fping -asgq <CIDR>/<IP>

# Nmap: Ping sweep and save to file
nmap -n -sn <IP>/24 -oG - | awk '/Up$/{print $2}' >> nmapresults.txt

# icmp discovery via bash
#!/bin/bash

for i in $(seq 1 255); do
        timeout 1 bash -c "ping -c 1 <ip>.$i" &>/dev/null && echo "[+] <ip>.$i ACTIVE" &
done; wait

Ping and ARP scan (combined)

fping  -a -g <IP> 2> /dev/null | sudo nmap -n -sn <IP> -PR -oG - | awk '/Up$/{print $2}' | uniq -u > AliveHosts.txt

TCP SYN Scan

For host discovery such as the command above we should also use non ICMP scanning techniques in the event ICMP is blocked on a host and we miss it. We can use the following command below to perform a TCP scan sweep.

nmap -n -sn -PS <IP>/24

TCP ACK Scan

nmap -n -sn -PA <IP>/24

UDP Ping Scan

Useful for bypassing firewalls that filter TCP traffic and allow UDP traffic. By default a UDP scan will scan ports 40 and 125.

nmap -sn -sU <IP>/24

Reverse DNS Lookup

nmap -R -sL <IP>/24

PreviousPersistenciaNextReverse Shells Cheet Sheet

Last updated 1 year ago