RFC - Offensive Security Notes
  • Active Directory
    • Enumeration
      • Active Directory Module
        • Enumerating the Domain
        • Enumerating ACLs
      • PowerView 3.0
      • Verify connectivity to domain controller
      • WMI domain enumeration through root\directory\ldap
      • PAM Trust
      • DNS discovery
        • Get-DnsServerZone
    • Privilege Escalation
      • Kerberos Delegation
        • Unconstrained delegation
        • Constrained delegation
        • Resource-based Constrained Delegation
      • Escalating from child to parent domain
      • Abusing inter-forest trust
      • WSUS server abuse
      • ACL Enumeration with PowerView 2.0
    • Persistence
      • Kerberos attacks
        • Golden ticket
        • Silver ticket
      • DSRM (Directory Services Restore Mode)
  • Initial Access
    • VBA Macros
      • Mark-of-the-Web
  • Discovery
    • Juicy files
      • PowerShell history
    • Network Enumeration
      • Network discovery scans
        • Ping scan
      • Nmap
      • Perimeter firewall scanning for open outbound ports
  • Execution
    • WMI
      • Remote code execution using WMI
    • PowerShell
      • C# assembly in PowerShell
        • List load assembly
        • Add-Type
        • UnsafeNativeMethods
        • DelegateType Reflection
        • Reflective Load
    • C# .Net Assembly
      • Process injection
        • Debugging
        • Using VirtualAllocEx and WriteProcessMemory
        • Using NTAPI Undocumented Functions
    • ReverseShells
      • Linux
        • Stabilizing zsh shell
    • Metasploit
      • HTTPs Meterpreter
  • Exploitation
    • Win32 APIs
      • OpenProcess
      • VirtualAllocEx
      • WriteProcessMemory
      • CreateRemoteThread
  • Credential Access
    • Microsoft Windows
      • Windows credential audit and logon types
      • Local credentials (SAM and LSA)
      • Lsass from forensics dump
      • Access Tokens
        • SeImpersonatePrivilege
      • ntds.dit
        • Dumping the contents of ntds.dit files using PowerShell
      • Mimikatz
      • LAPS
  • Lateral Movement
    • Windows Lateral Movement
      • Remote Desktop Protocol (RDP)
      • PowerShell Remoting (PS Remote)
        • Kerberos double hoping
      • Windows Task Scheduler
    • Linux Lateral Movement
  • Persistence
  • Defence Evasion
    • Antimalware Scan Interface (AMSI)
      • Debugging AMSI with Frida
      • PowerShell Bypasses
      • JS/VBA Bypasses
    • PowerShell
      • PowerShell version 2
      • Constrained Language Mode
      • Just Enough Administration (JEA)
      • ScriptBlockLogging
    • Microsoft Defender
    • Anti-virus evasion
      • Evasion and bypassing detection within C#
        • Encryptors
          • Aes encryptor
        • Sandbox evasion
          • Time accelerated checks
    • AppLocker
      • InstallUtil
      • MsBuild
  • Network Pivoting
    • Proxies and port fowarding
      • SSH
      • Metasploit
      • Socat
      • SSH Shuttle
      • Windows netsh command
    • Network discovery and scanning
  • Exfiltration
    • Windows
      • Copy files over SMB
  • Services
    • MS SQL Server
      • Enumeration
      • UNC Path Injection
      • Privilege Escalation
      • Linked Servers
      • SQL Injection
  • Misc
    • CrackMapExec
    • Cheat sheets
  • Cloud
    • Azure
      • Authentication
      • Enumeration
        • AzureHound
        • Az.Powershell
        • Microsoft Graph PowerShell
      • Initial Access
        • Device Code Phishing
        • Family-Of-Client-Ids - FOCI
        • JWT Assertion
Powered by GitBook
On this page
  • Scan Network Range
  • ARP ping scan
  • ICMP reply scan
  • Service discovery
  • Cheat sheet
  • Scanning Options
  • Output Options
  • Performance Options
  • Firewall and IDS/IPS Evasion
  • Decoys
  • Scan by Using Different Source IP
  • DNS Proxying
  1. Discovery
  2. Network Enumeration

Nmap

Scan Network Range

--reason (Host and port state reasons). Shows the reason each port is set to a specific state and the reason each host is up or down.

ARP ping scan

Basic IP range scan

sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

Scanning IP list

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

ICMP reply scan

sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping

Service discovery

By default, Nmap scans the top 1000 TCP ports with the SYN scan (-sS). This SYN scan is set only to default when we run it as root because of the socket permissions required to create raw TCP packets. Otherwise, the TCP scan (-sT) is performed by default.

we disable the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping).

sudo nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping

Cheat sheet

Scanning Options

Nmap Option

Description

10.10.10.0/24

Target network range.

-sn

Disables port scanning.

-Pn

Disables ICMP Echo Requests

-n

Disables DNS Resolution.

-PE

Performs the ping scan by using ICMP Echo Requests against the target.

--packet-trace

Shows all packets sent and received.

--reason

Displays the reason for a specific result.

--disable-arp-ping

Disables ARP Ping Requests.

--top-ports=<num>

Scans the specified top ports that have been defined as most frequent.

-p-

Scan all ports.

-p22-110

Scan all ports between 22 and 110.

-p22,25

Scans only the specified ports 22 and 25.

-F

Scans top 100 ports.

-sS

Performs an TCP SYN-Scan.

-sA

Performs an TCP ACK-Scan.

-sU

Performs an UDP Scan.

-sV

Scans the discovered services for their versions.

-sC

Perform a Script Scan with scripts that are categorized as "default".

--script <script>

Performs a Script Scan by using the specified scripts.

-O

Performs an OS Detection Scan to determine the OS of the target.

-A

Performs OS Detection, Service Detection, and traceroute scans.

-D RND:5

Sets the number of random Decoys that will be used to scan the target.

-e

Specifies the network interface that is used for the scan.

-S 10.10.10.200

Specifies the source IP address for the scan.

-g

Specifies the source port for the scan.

--dns-server <ns>

DNS resolution is performed by using a specified name server.

Output Options

Nmap Option

Description

-oA filename

Stores the results in all available formats starting with the name of "filename".

-oN filename

Stores the results in normal format with the name "filename".

-oG filename

Stores the results in "grepable" format with the name of "filename".

-oX filename

Stores the results in XML format with the name of "filename".

Performance Options

Nmap Option

Description

--max-retries <num>

Sets the number of retries for scans of specific ports.

--stats-every=5s

Displays scan's status every 5 seconds.

-v/-vv

Displays verbose output during the scan.

--initial-rtt-timeout 50ms

Sets the specified time value as initial RTT timeout.

--max-rtt-timeout 100ms

Sets the specified time value as maximum RTT timeout.

--min-rate 300

Sets the number of packets that will be sent simultaneously.

-T <0-5>

Specifies the specific timing template.

Firewall and IDS/IPS Evasion

Decoys

10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

Scan by Using Different Source IP

10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

DNS Proxying

10.129.2.28 -p 50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

Connect to the Filtered Port

ncat -nv --source-port 53 10.129.2.28 50000

PreviousPing scanNextPerimeter firewall scanning for open outbound ports

Last updated 2 years ago