🔎 Reconnaissance
Collection of recon tips/tools from the ePTS course + other resources.
🗺️ Network Mapping:
```bash
fping -a -g <net_id>/<mask> 2>/dev/null
```
-a prints only alive hosts and -g generates the target list from the network/mask; 2>/dev/null hides the per-host unreachable errors, so the output is one live IP per line.
Use a wildcard (*) to sweep through a network + -sn for a ping scan (host discovery only, no port scan):
```bash
nmap -sn 192.168.0.* -oN discovery.nmap
nmap -sn 10.142.11.0/24
```
Use -iL to read the list of IPs from a file:
```bash
nmap -sn -iL ip_list.txt
```
You can also use other types of host discovery probes, not just the ICMP ping: TCP SYN (-PS), TCP ACK (-PA), UDP (-PU) and ARP (-PR, which Nmap already uses by default on the local Ethernet segment when run as root). Mix them when a firewall drops ICMP.
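Tying the discovery commands above together, as an added example that is not part of the original notes: a small POSIX shell script that turns nmap's grepable (-oG) discovery output into the one-IP-per-line list that -iL expects (fping -a already prints that format, so it can be redirected straight into the file). The -oG sample embedded in the script is constructed, and the file names (discovery.gnmap, the mktemp paths) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): turn host-discovery output into
# the ip_list.txt that `nmap -sn -iL ip_list.txt` or a later port scan consumes.
# Assumes discovery was run with grepable output:
#   nmap -sn 192.168.0.0/24 -oG discovery.gnmap

# Constructed sample of nmap -oG output; not real scan data.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sn -oG discovery.gnmap 192.168.0.0/24
Host: 192.168.0.1 (gw.lan)   Status: Up
Host: 192.168.0.7 ()   Status: Up
Host: 192.168.0.23 ()   Status: Down
Host: 192.168.0.50 (files.lan)   Status: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 5.01 seconds'

# Print the IP of every host nmap marked as Up, one per line (ready for -iL).
# $1: path to a -oG file. Field 2 of a "Host:" line is the IP.
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Same list written to a file; prints the number of live hosts on stdout.
# $1: -oG input, $2: output list file.
write_ip_list() {
  live_hosts "$1" > "$2"
  wc -l < "$2" | tr -d ' '
}

# Demo on the constructed sample.
tmp_gnmap=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$tmp_gnmap"
tmp_list=$(mktemp)
count=$(write_ip_list "$tmp_gnmap" "$tmp_list")
echo "live hosts: $count"
cat "$tmp_list"
# Next step in the course workflow would be:
#   nmap -sS -sV -iL "$tmp_list" -oN ports.nmap
```

Down hosts only appear in -oG output when you run with -v, but filtering on "Status: Up" keeps the list correct either way.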
🖥️ OS Fingerprinting:
Passive OS fingerprinting: analyze captured traffic instead of sending probes (useful where Nmap's probes are blocked or you can't actively fingerprint). See the Nmap documentation for the active technique.
Nmap OS fingerprinting (-O):
Use -Pn to skip host discovery (already done in the network mapping step); Nmap then treats every target as up.
Depending on the engagement, choose lighter or more aggressive options. --osscan-limit only fingerprints hosts with at least one open and one closed TCP port (the cases where the guess can be reliable), which is great when you want to fingerprint thousands of hosts quickly.
-sV: probe open ports to identify the daemon (service) and its version.
-A: aggressive scan; enables OS detection, version detection, the default NSE scripts (-sC) and traceroute for further enumeration.
-sS: TCP SYN (half-open) port scan; the default when running as root.
-sU: UDP port scan (slow; can be combined with -sS to scan both in one run).
-p-400: scan the first 400 ports (1-400); -p- alone scans all 65535 ports.
-n / -R: never / always do reverse DNS resolution (default: only for hosts that are up).
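An added example (not from the original notes) of reading the result of the flags above: a shell script that summarises grepable output from a `-Pn -sS -sV -O --osscan-limit` run into open services with versions and OS guesses, and shows the --osscan-limit caveat in action (a host with no closed port gets no guess). The -oG sample is constructed, and the hosts, ports and version strings in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise the grepable (-oG) output
# of a fingerprinting run such as
#   nmap -Pn -sS -sV -O --osscan-limit -p-400 -n -iL ip_list.txt -oG fp.gnmap
# into "ip port/proto service version" and "ip OS-guess" lines for your notes.

# Write a constructed sample of that scan's -oG output (not real scan data) to $1.
# Fields are tab-separated, exactly as nmap writes them.
make_sample_fp() {
  printf 'Host: 192.168.0.1 ()\tStatus: Up\n' > "$1"
  printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (398)\tOS: Linux 4.15 - 5.8\tSeq Index: 260\tIP ID Seq: All zeros\n' >> "$1"
  printf 'Host: 192.168.0.7 ()\tStatus: Up\n' >> "$1"
  # Only open/filtered ports were seen, so --osscan-limit skipped this host: no OS field.
  printf 'Host: 192.168.0.7 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/\tIgnored State: filtered (398)\n' >> "$1"
}

# One line per open port: "ip port/proto service version".
# A Ports entry is port/state/proto/owner/service/rpcinfo/version/ (7 fields).
open_services() {
  awk -F'\t' '/^Host:/ && /Ports:/ {
    split($1, h, " "); ip = h[2]
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
      n = split(substr($i, 8), p, /, /)
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] == "open") print ip, f[1] "/" f[3], f[5], f[7]
      }
    }
  }' "$1"
}

# One line per scanned host: "ip OS guess", or "no guess" when --osscan-limit
# (or an unhelpful open/closed port mix) left nmap without a fingerprint.
os_guess() {
  awk -F'\t' '/^Host:/ && /Ports:/ {
    split($1, h, " "); ip = h[2]; os = "no guess"
    for (i = 2; i <= NF; i++) if ($i ~ /^OS: /) os = substr($i, 5)
    print ip, os
  }' "$1"
}

fp=$(mktemp)
make_sample_fp "$fp"
echo "== open services =="; open_services "$fp"
echo "== OS guesses =="; os_guess "$fp"
```

Hosts that come back as "no guess" are the ones to re-run without --osscan-limit (or with -sU added) if the engagement allows the extra traffic.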
Nmap vulnerability assessment:
After exploiting a Windows machine you can find what you want with:
Assuming you compromised a server (gained a shell), how to find the name of the user managing it:
Enumerate all the binaries that have the SUID permission bit set (they execute with the file owner's privileges, usually root, which is why they matter for privilege escalation):
-perm -u=s: the trick is in this find(1) flag; the leading - means "at least these permission bits", so it matches any file whose setuid bit is set regardless of its other mode bits.
Find all writable files:
Example of where finding SUID binaries is useful:
https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation
Full story here: https://0n3z3r0n3.medium.com/tryhackme-vulnversity-1b1c7d96bca4
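The find(1) checks described above, as an added example that is not part of the original notes or the linked write-ups: the script builds a throwaway directory containing a constructed setuid file and a world-writable file, runs the SUID and writable-file searches against it so the matching is visible, and shows in comments the forms you run against / on a real target. The sandbox layout and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): the find(1) checks used for Linux
# privilege escalation, run against a throwaway directory first so you can see
# exactly what -perm -u=s and the writable tests match.

# Constructed sandbox: one setuid file, one world-writable file, one normal file.
# Prints the sandbox path.
make_sandbox() {
  d=$(mktemp -d)
  mkdir -p "$d/usr/bin" "$d/etc"
  printf '#!/bin/sh\nid\n' > "$d/usr/bin/suid-demo"
  chmod 4755 "$d/usr/bin/suid-demo"          # rwsr-xr-x: setuid bit (u=s) set
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/etc/passwd-copy"
  chmod 666 "$d/etc/passwd-copy"             # world-writable "config" file
  printf 'nothing\n' > "$d/etc/plain"
  chmod 644 "$d/etc/plain"
  echo "$d"
}

# Regular files with the SUID bit set. -perm -u=s (equivalently -perm -4000)
# means "at least these bits", so 4755 and 6755 both match. 2>/dev/null hides
# the "Permission denied" noise you get walking / as a low-privileged user.
find_suid() {
  find "$1" -type f -perm -u=s 2>/dev/null
}

# Regular files anyone can write to: what you look for under /etc, cron
# directories and service unit paths.
find_world_writable() {
  find "$1" -type f -perm -o=w 2>/dev/null
}

# Regular files the current user can write to. -writable is GNU find and
# checks the effective uid and ACLs, unlike a plain mode-bit test.
find_writable() {
  find "$1" -type f -writable 2>/dev/null
}

sb=$(make_sandbox)
echo "SUID:";            find_suid "$sb"
echo "world-writable:";  find_world_writable "$sb"
echo "writable by me:";  find_writable "$sb"
# On a real target:
#   find / -type f -perm -u=s 2>/dev/null
#   find / -type f -perm -o=w 2>/dev/null
#   find / -type f -writable 2>/dev/null
```

Compare the SUID list against what a stock install ships (passwd, sudo, su, mount, ...); an unexpected entry such as a copied shell or an interpreter is the lead the linked Vulnversity write-ups follow.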
Simple way to extract all JS URLs from a page, so the scripts can be checked for potentially secret / sensitive information (API keys, internal endpoints, credentials left in comments):
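An added example (not code from the original notes) for the JS URL extraction: a shell function that pulls every <script src=...> value out of an HTML page and rewrites relative paths against the page URL, so the resulting list can be fetched and grepped. The HTML is a constructed sample and the page URL https://target.example/login/index.html is an assumption; on a live target you would pipe curl -sL "$URL" into the function instead.

```shell
#!/bin/sh
# Added example (not from the original notes): list every JavaScript URL a page
# loads, absolute-ised, ready to feed into curl and grep for secrets.
# On a real target: curl -sL "$URL" | extract_js_urls "$URL"

# Constructed sample page; not a real site.
SAMPLE_HTML='<html><head>
<script src="/static/app.js?v=3"></script>
<script type="module" src="https://cdn.example.com/lib/vendor.min.js"></script>
<link rel="stylesheet" href="/static/style.css">
</head><body>
<script src=assets/legacy.js></script>
<script>console.log("inline, no src")</script>
</body></html>'

# Read HTML on stdin, print one absolute script URL per line.
# $1: the URL the HTML was fetched from (used to resolve relative src values).
extract_js_urls() {
  base=$1
  sq="'"
  host=$(printf '%s' "$base" | sed -E 's#^(https?://[^/]+).*#\1#')   # scheme://host
  dir=$(printf '%s' "$base" | sed -E 's#[^/]*$##')                  # base without last segment
  # Join lines so a tag split across lines still matches; [^>]* keeps the
  # match inside one tag, so an inline <script> never steals a later src.
  tr '\n' ' ' |
    grep -oiE "<script[^>]*src=(\"[^\"]*\"|$sq[^$sq]*$sq|[^ >]+)" |
    sed -E "s/.*src=//; s/^[\"$sq]//; s/[\"$sq]$//" |
    while IFS= read -r src; do
      case $src in
        http://*|https://*) printf '%s\n' "$src" ;;          # already absolute
        //*)                printf 'https:%s\n' "$src" ;;    # protocol-relative
        /*)                 printf '%s%s\n' "$host" "$src" ;; # root-relative
        *)                  printf '%s%s\n' "$dir" "$src" ;;  # relative to the page
      esac
    done
}

printf '%s' "$SAMPLE_HTML" | extract_js_urls "https://target.example/login/index.html"
# Follow-up on a real engagement (not run here):
#   ... | while read -r u; do curl -sL "$u" | grep -inE 'api[_-]?key|secret|token|password'; done
```

Keep the query string (app.js?v=3) when you fetch: a cache-busting parameter can select a different file version than the bare path.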