Reconnaissance

In the reconnaissance phase of a penetration test, the objective is to build a map of the target network: which hosts are alive, which ports they expose, and which services and versions run behind them. Everything that follows (vulnerability analysis and exploitation) is driven by this map, so gaps here become blind spots later.

Host Discovery

The first step in mapping a network is identifying which hosts are alive. On the local segment an ARP scan is the most reliable method, because a host must answer ARP to communicate at all and cannot filter it the way a host firewall filters ICMP. For remote subnets, fall back to ICMP ping sweeps, keeping in mind that hosts which drop ICMP will be missed; treat such gaps with a later port scan using -Pn.

ARP Scan

arp-scan -I <interface> --localnet --ignoredups

Nmap Ping Scan

nmap -sn <network>/<mask>

Bash Ping Sweep

bash -c 'n=<network>; for i in {1..254}; do \
(timeout 2 ping -c 1 "$n.$i" | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}:" | \
tr -d ":") & done; wait'

Specify <network> without the last octet (e.g. 192.168.1). The loop runs inside bash -c because the {1..254} brace expansion and the subsequent backgrounding are bash features; each ping runs in a backgrounded subshell and the final wait collects them, so replies are printed in the order they arrive rather than in numeric order.

Port Scan

Once the live hosts are known, the next step is to find which TCP and UDP ports each one exposes. Open ports identify the services that make up the attack surface; the vulnerabilities themselves are found afterwards, by examining those services and their versions.

Nmap TCP Port Scan

nmap -p- --open -sS -n -v -Pn --min-rate 5000 -oN allPorts <target>

-sS (SYN scan) requires root. -n skips DNS resolution and -Pn skips host discovery, so a host that drops ICMP is still scanned. --min-rate 5000 makes the scan fast but noisy and can cause dropped probes on lossy links; if the results look incomplete, lower the rate or re-run against the suspect range.

Bash TCP Port Scan

bash -c 'ip=<target>; for port in $(seq 1 65535); do \
(timeout 1 bash -c "echo > /dev/tcp/$ip/$port") > /dev/null 2>&1 && \
echo -e "$port\033[K" & if [ $((port % 200)) -eq 0 ]; \
then wait; fi; echo -ne "$port/65535\r"; done; wait'

Useful when nmap is not available, for example from a pivot host. /dev/tcp is a bash pseudo-device, so this must run under bash, not sh. Each connect attempt is wrapped in timeout so that filtered ports do not stall the loop for the kernel's full SYN-retry period; 200 attempts run in parallel and each open port is printed as soon as it answers. Because this is a full TCP connect, every hit is logged by the target service.

Nmap UDP Port Scan

nmap -sU -F -oN udpPorts <target>

UDP scanning requires root and is slow, because closed ports only reveal themselves through rate-limited ICMP port-unreachable replies and open ports often do not answer at all; -F restricts the scan to the 100 most common ports for that reason. Ports reported as open|filtered need a protocol-specific probe (for example -sCV on that port) to confirm.

Service & Version Detection

nmap -p<port/s> -sCV -oN portScan <target>
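The host-discovery and port-scan steps above each produce output that has to be fed into the next command: the live-host list into the port scan, and the open-port list into the -p argument of the service scan. The following helper script is an added example, not code from the original page; it does that plumbing from nmap's grepable output, which the scans emit when -oG <file> is added next to -oN. The function names, the file names hosts.gnmap and allPorts.gnmap, and the embedded sample scan output are all constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example: glue between the host-discovery and port-scan steps.
# Both helpers parse nmap's grepable output, so add "-oG <file>" to the
# scans above, e.g. "nmap -sn -oG hosts.gnmap <network>/<mask>" and
# "nmap -p- --open -sS -n -Pn --min-rate 5000 -oG allPorts.gnmap <target>".
# The file names and the sample output below are constructed, not real scans.

# Print the hosts that answered the ping scan, one per line.
# Grepable host lines look like: "Host: 192.168.1.10 ()  Status: Up"
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Print the open TCP ports from a full port scan as a comma-separated list,
# ready to be passed to "nmap -p". The Ports: field holds entries such as
# "22/open/tcp//ssh///"; only entries whose state is "open" are kept.
open_ports() {
    grep -oE '[0-9]+/open/tcp' "$1" | cut -d/ -f1 | sort -nu | paste -s -d, -
}

# Constructed sample of "nmap -sn -oG" output (two hosts up, one down).
sample_hosts_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG hosts.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.10 ()  Status: Up
Host: 192.168.1.25 ()  Status: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 4.91 seconds
EOF
    echo "$f"
}

# Constructed sample of "nmap -p- --open -oG" output for one host.
sample_ports_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 10:01:00 2024 as: nmap -p- --open -sS -n -Pn -oG allPorts.gnmap 192.168.1.10
Host: 192.168.1.10 ()  Status: Up
Host: 192.168.1.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///  Ignored State: closed (65532)
# Nmap done at Mon Jan  1 10:01:30 2024 -- 1 IP address (1 host up) scanned in 30.12 seconds
EOF
    echo "$f"
}

# Demo on the constructed samples; with real scans, pass the -oG files instead.
hosts_file=$(sample_hosts_file)
ports_file=$(sample_ports_file)
echo "Live hosts:"
live_hosts "$hosts_file"
ports=$(open_ports "$ports_file")
echo "Open TCP ports on 192.168.1.10: $ports"
# The service scan this feeds (commented out so the demo stays offline):
# nmap -p"$ports" -sCV -oN portScan 192.168.1.10
rm -f "$hosts_file" "$ports_file"
```

With real output, `live_hosts hosts.gnmap` gives the list to iterate the port scan over, and `nmap -p"$(open_ports allPorts.gnmap)" -sCV -oN portScan <target>` runs the service scan only on the ports that were actually found open, which keeps -sCV fast and avoids probing the whole range twice.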

Nmap Scripts

nmap -p<port/s> --script <script> <target>

To find the NSE scripts that apply to a service, list the script directory, and read a script's documentation (including the arguments it accepts) before running it:

 # List nmap nse scripts
 ls /usr/share/nmap/scripts | grep <service>
 # Get info about a script
 nmap --script-help <script>
