🔎Reconnaissance

Col. of recon tips/tools from ePTS course + other recourses

🗺️ Network Mapping:

Ping Sweep (don't show error) check out Bash tut.

fping -a -g <net_id>/<mask> 2>/dev/null

Nmap sweep

Use wildcard (*) to sweep through a network + -sn for ping scan:

nmap -sn 192.168.0.* -oN discovery.nmap
nmap -sn 10.142.11.0/24

use -iL to get a list of IP's from a file:

nmap -sn -iL ip_list.txt

you can also use other types of host scanning (not just ping scan):

🖥️ OS Fingerprinting:

p0f

passively analyze capture traffic (where Nmap props are blocked or you can't actively fingerprint)Nmap. documentation

Nmap OS Fingerprinting

use -Pn to skip ping scan (done on the Net Mapping Step)

sudo nmap -Pn -sV -O -A -T4 -p- --open -iL <target(s)>
depends on engagement choose lighter/aggressive.

--osscan-limit great when you fastly want to fingerprint thousands of hosts

-sV: identify the Deamon running version.

-A: Enables OS, Version detection, executes in-build scripts for further snum.

-sS: TCP SYN port scan.

-sU: UDP port scan.

-p-400: scan for the first 400 ports (1-400).

-n/-R: no DNS resolve / Always DNS resolve [defualt: sometimes].

Nmap Vul Assessment:

sudo nmap --script vuln --script-args=unsafe=1 -iL <file>

📂Find Files:

After exploiting a Windows machine you can find what you want with:

dir /s /b <file>

Find User:

assuming you comprised a server (gained a shell) how to find the name of the user managing it:

ps aux | grep apache
cat etc/passwd
find / -iname <flag> 2>/dev/null
Logo11 Ways to Find User Account Info and Login Details in LinuxTecmint: Linux Howtos, Tutorials &amp; Guides

In Linux, SUID (set owner userId upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).

Enumerates all the binaries that have SUID permission:

find / -perm -u=s -type f 2>/dev/null

-perm -u=s : rhe trick is in this flag by find.

find all writable files:

find -type f -maxdepth 1 -writable

example of finding SUID be usful:

https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation

full story here: https://0n3z3r0n3.medium.com/tryhackme-vulnversity-1b1c7d96bca4

Finding URLs:

Simple way to extract all JS URLs for potentially secret / sensitive information:

cat scope.txt | subjs | tee js_url | uniq | tee js_url 2>/dev/null
PreviouseJPTNext🐱‍💻Google Dorks

Last updated

Was this helpful?