My Network Recon Checklist

Network Scan
# my preference
nmap -sV -sC -v -oA output <targetip>
nmap -p- -v <targetip>
#full tcp scan
nmap -sC -sV -p- -vv -oA full ip
nmap -sT -p- --min-rate 10000 -oA nmap/alltcp ip
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>
nmap -p- --min-rate 10000 -oA scans/nmap-alltcp ip
nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>
nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',httpput.le='/var/www/html/sicpwn.php'
ar -ct 4 -cs 10 -t examip.txt -o /root/oscp/exam/
ar -ct 4 -cs 10 ip
ar -ct 4 -cs 10 -t file.txt
python3 -ct 4 -cs 10
#Nmap Automator
na ip All
./ ip All
/ -t targets -p all -n "-sV -O --version-intensity=9"
reconnoitre -t ip -o ~/oscp/practice/oscp1/tools-techniques/Reconnoitre/ --services
reconnoitre -t ip --services --quick -o /root
reconnoitre -t ip -o /root/oscp/exam/
nikto -host ip
nikto -h ip
For port knocking
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x ip; done
snmp-check ip
snmp-check $IP
snmpcheck -t $IP -c public
snmpcheck -t ip.X -c public
onesixtyone -c names -i hosts
snmpwalk -c public -v1 $IP
perl $IP public windows.txt
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP
nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IP
#port knock
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done

Port Knocking

  1. Knock

    • apt-get install knockd

    • Then you simply type: knock [ip] [port]. For example: knock ip 4000 5000 6000

    • After that, scan the network again to see whether any new port has opened.

    • If you know which port is open, you can connect to it using netcat. The following command would work: nc [ip] 8888. This would then connect to the port.

  2. Nmap/bash

  3. for x in 4000 5000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done