This is a very basic script that runs nmap every day using default ports and then uses ndiff to compare the results. We can then take the output of this script and use it to notify our team of new ports discovered daily.
#!/bin/bash
mkdir /opt/nmap_diff
d=$(date +%Y-%m-%d)
y=$(date -d yesterday +%Y-%m-%d)
/usr/bin/nmap -T4 -oX /opt/nmap_diff/scan_$d.xml 10.100.100.0/24 >
/dev/null 2>&1
if [ -e /opt/nmap_diff/scan_$y.xml ]; then
/usr/bin/ndiff /opt/nmap_diff/scan_$y.xml /opt/nmap_diff/scan_$d.xml >
/opt/nmap_diff/diff.txt
fi
The same approach can be taken with vulnerability scanners and other tools.
Remote Discovery
you can use nmap, masscan or unicorn scan for this:
for x in 7000 8000 9000; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x 1.1.1.1; done
DNS lookups, Zone Transfers & Brute-Force
whois domain.com
dig {a|txt|ns|mx} domain.com
dig {a|txt|ns|mx} domain.com @ns1.domain.com
host -t {a|txt|ns|mx} megacorpone.com
host -a megacorpone.com
host -l megacorpone.com ns1.megacorpone.com
dnsrecon -d megacorpone.com -t axfr @ns2.megacorpone.com
dnsenum domain.com
nslookup -> set type=any -> ls -d domain.com
for sub in $(cat subdomains.txt);do host $sub.domain.com|grep "has.address";done
Local Discovery
Netdiscover
Discover live hosts in LAN and get the internal IP address and MAC address of live hosts in the network.It can be used in both active and passive mode.
netdiscover -i [interface]
Options:
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-l file: scan the list of ranges contained into the given file
-p passive mode: do not send anything, only sniff
-m file: scan the list of known MACs and host names
-F filter: Customize pcap filter expression (default: "arp")
-s time: time to sleep between each arp request (miliseconds)
-n node: last ip octet used for scanning (from 2 to 253)
-c count: number of times to send each arp reques (for nets with packet loss)
-f enable fastmode scan, saves a lot of time, recommended for auto
-d ignore home config files for autoscan and fast mode
-S enable sleep time supression betwen each request (hardcore mode)
-P print results in a format suitable for parsing by another program
-N Do not print header. Only valid when -P is enabled.
-L in parsable output mode (-P), continue listening after the active scan is completed
A great discovery tool for Active Directory Environments
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
responder.py -I eth0 -wrf
Bettercap
Advanced MitM and sniffer tool.
bettercap -X --proxy --proxy-https -T <target IP>
# better cap in spoofing, discovery, sniffer
# intercepting http and https requests,
# targetting specific IP only
Traceroute
discovers the route that packets take between two system in the network. it helps us to construct network architecture diagrams and it is included in most if not all OSs.
Windows:
tracert [target]
Linux:
traceroute [target]
Linux traceroute
Linux traceroute sends packets to target with varying TTLs in the IP header. by default sends UDP packets with incrementing destination ports starting from port 33434 going up by one port for each probe packet sent ( each hope measured three times ).
here are some of the most used options:
-f [number]: set the initial TTL for the first packet
-g [host list] : specify a loose source route (8 maximum hops)
-I : use ICMP echo request instead of UDP
-T : use TCP SYN instead of UDP with deafult dest port 80
-m [number] : set the maximum number of hops
-n : print numbers instead of names
-p [port] : set port ( for UDP sets the base port and increment, for TCP its fixed port
-w [number] : wait for N seconds before giving up and writing * (default 5)
-4 : force use of IPv4
-6 : force use of IPv6
windows traceroute
sends ICMP echo request messages to target, starting with small TTLs.
some useful options:
-h [number] : max number of hops (default 30)
-d : dont resolve names
-j [hostlist] : use loose source routing with a space-separated list of router IPs (up to 9 max)
-w [number] : wait for N milliseconds before givving up and writing a * (default is 4000)
-4 : force use of IPv4
-6 : force use of IPv6
Web based traceroute services
instead of tracing from your address to target various websites allow you to trace from them to the target. so you can traceroute from around the world. by domain name or IP address. this is very useful in seeing if you are being shunned during a test.
Network Mapping
Traceroute
for best performance and mapping the network hops use traceroute with these three options and compare the results:
this will run a traceroute with multiple methods and combine the results for better view.
using this method we can minimize the chance of lost hopes in the route. ( the * signs). here is the bash script you can use with the target domain or IP as an argument to perform the same task:
#!/bin/bash
if [ $# -ne 1 ]
then
echo "usage: $0 <target ip/domain>"
exit 1
fi
echo "[*] Using UDP with incremental from 33434 "
traceroute $1 | tee -a tmp1
echo "[*] Using TCP SYN port 80"
traceroute -T $1 | tee -a tmp2
echo "[*] Using ICMP echo request"
traceroute -I $1 | tee -a tmp3
echo "[*] Using TCP SYN port 443"
traceroute $1 -T 443 | tee tmp4
echo
echo "[+] Multi-route finished [+]"
echo "[+] Results saved to $1.txt file [+]"
cat tmp1 tmp2 tmp3 tmp4 | grep -v '*' | sort -n -k 1 -u | sort -g | tee -a $1.txt
rm -rf tmp1 tmp2 tmp3 tmp4
Zenmap
you can also use zenmap for network mapping which is a GUI for nmap tool and can be downloaded from .
