EJPT - dejanu/linux GitHub Wiki
- Sniffing:
TCP is connection-oriented: it uses a 3-way handshake (SYN, SYN+ACK, ACK), but before that the server must bind to and listen on the port.
TCP full (connect) scan = SYN, SYN-ACK, ACK
TCP half-open (SYN) scan = SYN, SYN-ACK, then RST from the scanner instead of the final ACK
fping vs nmap:
```bash
# ping sweep: sends ICMP echo requests and expects echo replies, only to test whether a host is up
fping -a -g 10.54.3.0/24 2>/dev/null
# ping scan: host discovery only, port scan disabled
nmap -sn 192.168.1.0/24
```
!!! Hosts are often configured not to answer ICMP echo requests (which is all fping relies on). On a local Ethernet segment, nmap -sn marks a host as up if it answers an ARP request with its MAC address, so nmap usually reports more hosts than fping, which after the usual ARP resolution still needs a reply to its ICMP echo request.
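To make the difference between the two host lists concrete, here is an added example (not from the wiki) that parses `fping -a` and `nmap -sn` normal output and reports the hosts nmap saw via ARP that never answered fping's ICMP echo. Both captured outputs are constructed samples in the real tools' output formats, not real scan data.

```python
"""Compare live-host lists from `fping -a` and `nmap -sn` output.

Added example (not from the wiki). The two captured outputs below are
constructed sample text in the real tools' output formats, not real scan data.
"""
import re

# Constructed sample: what `fping -a -g 10.54.3.0/24 2>/dev/null` might print
FPING_OUTPUT = """\
10.54.3.1
10.54.3.20
"""

# Constructed sample: what `nmap -sn 10.54.3.0/24` might print on a local segment
NMAP_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 10.54.3.1
Host is up (0.00050s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for 10.54.3.20
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:66 (Unknown)
Nmap scan report for 10.54.3.37
Host is up (0.0020s latency).
MAC Address: 00:11:22:33:44:77 (Unknown)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

# Matches both "Nmap scan report for 10.0.0.1" and "Nmap scan report for host (10.0.0.1)"
NMAP_REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")


def parse_fping(text):
    """fping -a prints one reachable IP per line; ignore anything else."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", line):
            ips.add(line)
    return ips


def parse_nmap_sn(text):
    """Return {ip: mac_or_None} for hosts nmap reports as up."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = NMAP_REPORT.match(line)
        if m:
            current = m.group(1)
            continue
        if current and line.startswith("Host is up"):
            hosts[current] = None
        elif current and line.startswith("MAC Address:"):
            hosts[current] = line.split()[2]   # MAC only appears for ARP-discovered hosts
    return hosts


def icmp_silent_hosts(fping_text, nmap_text):
    """Hosts nmap saw (via ARP) that never answered fping's ICMP echo request."""
    return sorted(set(parse_nmap_sn(nmap_text)) - parse_fping(fping_text))


if __name__ == "__main__":
    print("ICMP-silent hosts:", icmp_silent_hosts(FPING_OUTPUT, NMAP_OUTPUT))
```

Hosts that show up only in the nmap list are the ones an ICMP-only inventory would miss; that is the gap to keep in mind when a ping sweep is used to "prove" a segment is empty.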
- Find secret server:
Add routes manually in order to reach other networks. Interface tap0 is a virtual interface created by OpenVPN.
```bash
# show/manipulate the IP routing table
$ route -n
# add an entry in order to reach 192.168.222.199: ip route add <IP>/<MASK> via <GW> dev <iface>
$ ip route add 192.168.222.0/24 via 10.175.34.1
```
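To see why that manual route matters, here is an added example (not from the wiki) of the longest-prefix-match lookup the kernel performs over the routing table. The table is a constructed sample that reuses the wiki's gateway (10.175.34.1) and tap0 interface and assumes a default route and a LAN on eth0.

```python
"""Longest-prefix-match route lookup, the rule the kernel applies to `ip route`.

Added example (not from the wiki); the routing table below is a constructed
sample modelled on the wiki's tap0/OpenVPN setup. The default route and the
10.0.2.0/24 LAN are assumptions.
"""
import ipaddress

# Constructed table: (destination prefix, gateway or None for on-link, interface)
ROUTES = [
    ("0.0.0.0/0", "10.0.2.2", "eth0"),           # assumed default route
    ("10.0.2.0/24", None, "eth0"),               # assumed directly connected LAN
    ("10.175.34.0/24", None, "tap0"),            # OpenVPN tunnel network
    ("192.168.222.0/24", "10.175.34.1", "tap0"), # the route added manually via the VPN gateway
]


def lookup(dst, routes=ROUTES):
    """Return (prefix, gateway, iface) for the most specific matching route, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        # longer prefix wins; a /0 default only matches when nothing else does
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def next_hop(dst, routes=ROUTES):
    """Where the first packet actually goes: the gateway, or the host itself if on-link."""
    match = lookup(dst, routes)
    if match is None:
        return None
    _prefix, gw, iface = match
    return (gw or dst, iface)


if __name__ == "__main__":
    print("with the manual route:   ", lookup("192.168.222.199"))
    print("without the manual route:", lookup("192.168.222.199", ROUTES[:3]))
```

Without the added entry, 192.168.222.199 falls through to the default route and leaves via eth0, where nothing knows about the VPN-side network; with it, the /24 is the longest match and the packet goes to 10.175.34.1 over tap0.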
- Burp Suite - assess web application security
! Prerequisites: configure the web browser to use the Burp proxy (default port 8080).
Find hidden resources in a web application (e.g. the paths listed in robots.txt), aka web fuzzing, using the Burp Intruder tool, which sends numerous similar HTTP requests to the application.
- Target -> Scope -> Add URL
- Proxy -> Intercept -> Make sure that "Intercept is on"
- Proxy -> Options -> Running 127.0.0.1:8080 (check if Burp proxy is active and running)
- Proxy -> HTTP History and select a request without any params (RIGHT CLICK and send to Intruder)
- Intruder -> Positions -> select what you want to parametrise in the HTTP request (mark it with §§ payload markers)
- Intruder -> Payloads -> load the payload list (e.g. the paths from robots.txt)
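From the server side, an Intruder run like this leaves a very recognisable trace: one client requesting many distinct paths that do not exist, within seconds. The following is an added example (not from the wiki) that scans a web access log for that pattern. The log lines are constructed samples in the common "combined" format and the thresholds are illustrative assumptions.

```python
"""Spot Intruder-style resource fuzzing in a web server access log.

Added example, not part of the wiki. The log lines are constructed samples in
the Apache/nginx "combined" log format; window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: 10.10.14.5 walks a wordlist, 192.168.1.40 is a normal visitor
ACCESS_LOG = """\
10.10.14.5 - - [01/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:12:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 61 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:12:00:02 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:12:00:03 +0000] "GET /old HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:12:00:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:12:00:03 +0000] "GET /private HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:12:00:04 +0000] "GET /dev HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.168.1.40 - - [01/Jan/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.40 - - [01/Jan/2024:12:00:09 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# client, timestamp, method, path, status; the rest of the line is ignored
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_access_log(text):
    """Yield (client_ip, timestamp, method, path, status) per parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when, method, path, int(status)


def find_fuzzing(text, window_s=10, min_misses=5):
    """Return {client_ip: distinct_missing_paths} for clients that requested at
    least `min_misses` distinct 403/404 paths inside some `window_s`-second window.
    Distinct paths matter: one broken link reloaded many times is not fuzzing."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)]
    for ip, when, _method, path, status in parse_access_log(text):
        if status in (403, 404):
            misses[ip].append((when, path))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        best = 0
        for i, (start, _path) in enumerate(events):
            in_window = {p for t, p in events[i:] if (t - start).total_seconds() <= window_s}
            best = max(best, len(in_window))
        if best >= min_misses:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(find_fuzzing(ACCESS_LOG))
```

A 403 counts as a miss here because a fuzzer probing for hidden directories produces forbidden responses as readily as not-found ones; the window keeps slow, organic 404s from a real user out of the result.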
- OS fingerprinting and port scanning
nmap -sS (SYN/"stealth" scan, does not complete the TCP handshake) vs nmap -sT (full TCP connect with the 3-way handshake).
!! A -sT scan gets recorded in the application logs of the target, because each connection is fully established and handed to the service.
A representative nmap scan: nmap -A -T4 192.168.1.0/24
```bash
# find target IP addresses on the local network (ARP)
$ netdiscover -r <IP>/<MASK>
# aggressive scan: OS detection, version detection, default scripts and traceroute
$ nmap -A <IP>/<MASK>
# host discovery using Ping Scan (port scan disabled)
$ nmap -sn <IP>/<MASK>
$ nmap -sn 10.0.2.0-255
# host discovery using List Scan: simply lists the targets without scanning them
$ nmap -sL <IP>
# full TCP connect scan and OS detection
$ nmap -sT -O <IP>
$ nmap -sT -O <IP>/<MASK>
# state of a port or port range (open, closed or filtered)
$ nmap -sT -p80 <IP>
$ nmap -sT -p80-100 <IP>
# service/version detection on a port (banner grabbing) to check which services are running
$ nmap -sS -sV -p 80 <IP>
$ nmap -sT -sV -A -O -v -p 1-65535 192.168.1.17
```
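The -sS versus -sT distinction above (and the handshake sequences at the top of the page) can be read straight off a packet capture. The following is an added example (not from the wiki) that rebuilds per-flow handshake state from packet summaries and reports which clients probed many ports, whether they tore flows down half-open (SYN-ACK answered with RST) or completed them, and therefore how many of those probes a service would actually have logged. The capture is a constructed sample in a simplified "src sport dst dport flags" form, not real traffic.

```python
"""Classify probe traffic as half-open (SYN scan) or full-connect from packet summaries.

Added example, not from the wiki. The packet summaries below are constructed,
in a simplified "src sport dst dport flags" form (flags as tcpdump prints them:
S = SYN, S. = SYN-ACK, . = ACK, R = RST, R. = RST-ACK, F. = FIN-ACK, P. = PSH-ACK).
"""
from collections import defaultdict

# Constructed capture: 10.0.2.15 SYN-scans ports 22, 80, 443 and 3389 on 10.0.2.8
# (3389 is closed), then makes one full connection to port 80; 10.0.2.20 is a
# normal client completing a handshake and a data exchange on port 80.
PACKETS = """\
10.0.2.15 40001 10.0.2.8 22 S
10.0.2.8 22 10.0.2.15 40001 S.
10.0.2.15 40001 10.0.2.8 22 R
10.0.2.15 40002 10.0.2.8 80 S
10.0.2.8 80 10.0.2.15 40002 S.
10.0.2.15 40002 10.0.2.8 80 R
10.0.2.15 40003 10.0.2.8 443 S
10.0.2.8 443 10.0.2.15 40003 S.
10.0.2.15 40003 10.0.2.8 443 R
10.0.2.15 40004 10.0.2.8 3389 S
10.0.2.8 3389 10.0.2.15 40004 R.
10.0.2.15 40005 10.0.2.8 80 S
10.0.2.8 80 10.0.2.15 40005 S.
10.0.2.15 40005 10.0.2.8 80 .
10.0.2.15 40005 10.0.2.8 80 F.
10.0.2.20 51000 10.0.2.8 80 S
10.0.2.8 80 10.0.2.20 51000 S.
10.0.2.20 51000 10.0.2.8 80 .
10.0.2.20 51000 10.0.2.8 80 P.
10.0.2.20 51000 10.0.2.8 80 F.
"""


def flows(text):
    """Group packets into flows keyed by (client, cport, server, sport); packets in the
    server->client direction are folded into the same flow, tagged 's' instead of 'c'."""
    table = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, flags = line.split()
        if flags == "S":                           # a bare SYN opens a flow from the client
            table[(src, sport, dst, dport)].append(("c", flags))
        elif (dst, dport, src, sport) in table:    # reply from the server side
            table[(dst, dport, src, sport)].append(("s", flags))
        elif (src, sport, dst, dport) in table:    # further client-side packets
            table[(src, sport, dst, dport)].append(("c", flags))
    return table


def classify_flow(pkts):
    """'half-open', 'full-connect', 'closed', 'no-reply' or 'incomplete' for one flow."""
    if ("s", "S.") not in pkts:
        return "closed" if ("s", "R.") in pkts else "no-reply"
    for who, flag in pkts[pkts.index(("s", "S.")) + 1:]:
        if (who, flag) == ("c", "."):
            return "full-connect"   # handshake completed: the application accept()s it
        if (who, flag) == ("c", "R"):
            return "half-open"      # torn down before the application ever sees it
    return "incomplete"


def scan_report(text, min_ports=3):
    """Per client touching >= min_ports distinct server ports: port count, dominant
    scan style, and how many probes completed a handshake (and so reach app logs)."""
    per_client = defaultdict(lambda: {"ports": set(), "half-open": 0, "full-connect": 0, "closed": 0})
    for (client, _cport, _server, sv_port), pkts in flows(text).items():
        kind = classify_flow(pkts)
        stats = per_client[client]
        stats["ports"].add(sv_port)
        if kind in ("half-open", "full-connect", "closed"):
            stats[kind] += 1
    report = {}
    for client, stats in per_client.items():
        if len(stats["ports"]) < min_ports:
            continue
        style = "SYN scan (-sS style)" if stats["half-open"] >= stats["full-connect"] else "connect scan (-sT style)"
        report[client] = {"ports": len(stats["ports"]), "style": style,
                          "logged_by_app": stats["full-connect"]}
    return report


if __name__ == "__main__":
    print(scan_report(PACKETS))
```

The `logged_by_app` count is the practical point behind the "!!" note above: only flows that reach `full-connect` are visible to the listening service, so half-open probes have to be caught at the packet or firewall layer instead.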
- Network attacks:
Hydra - parallelised network login cracker; it supports Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Hydra is based on modules, each module being specific to a certain protocol.
SecLists source: https://github.com/danielmiessler/SecLists . To get more information about a certain module/protocol:
```bash
# module help, e.g. for ssh or rdp
hydra -U ssh
hydra -U rdp
# or list the supported services
hydra -h | grep -i supported
# install password lists (they land under /usr/share/seclists/Passwords)
apt-get install seclists
# or
apt -y install seclists
```
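A Hydra run against a service looks, from the target's side, like a burst of failed logins from one source trying several usernames, sometimes followed by a success. The following is an added example (not from the wiki) that reads sshd auth-log lines and reports sources matching that pattern. The log lines are constructed samples in the usual OpenSSH syslog format, and the failure threshold is an illustrative assumption.

```python
"""Spot an online password-guessing burst (Hydra-style) in sshd auth logs.

Added example, not from the wiki. The log lines are constructed in the usual
OpenSSH syslog format; the failure threshold is an illustrative assumption.
"""
import re
from collections import defaultdict

# Constructed sample: 10.10.14.5 cycles usernames and passwords, then gets in;
# 192.168.1.40 is a user who mistyped once and then used a key.
AUTH_LOG = """\
Jan  1 12:00:01 srv sshd[2101]: Failed password for root from 10.10.14.5 port 40001 ssh2
Jan  1 12:00:01 srv sshd[2103]: Failed password for invalid user admin from 10.10.14.5 port 40002 ssh2
Jan  1 12:00:02 srv sshd[2105]: Failed password for root from 10.10.14.5 port 40003 ssh2
Jan  1 12:00:02 srv sshd[2107]: Failed password for invalid user test from 10.10.14.5 port 40004 ssh2
Jan  1 12:00:02 srv sshd[2109]: Failed password for root from 10.10.14.5 port 40005 ssh2
Jan  1 12:00:03 srv sshd[2111]: Failed password for invalid user oracle from 10.10.14.5 port 40006 ssh2
Jan  1 12:00:04 srv sshd[2113]: Accepted password for root from 10.10.14.5 port 40007 ssh2
Jan  1 12:05:00 srv sshd[2200]: Failed password for alice from 192.168.1.40 port 51000 ssh2
Jan  1 12:05:05 srv sshd[2202]: Accepted publickey for alice from 192.168.1.40 port 51001 ssh2
"""

# outcome, auth method, user (with or without "invalid user"), source IP, source port
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)"
)


def parse_auth(text):
    """Yield (outcome, method, user, source_ip) for each sshd authentication event."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            outcome, method, user, ip, _port = m.groups()
            yield outcome, method, user, ip


def guessing_report(text, min_failures=5):
    """Per source with >= min_failures failed logins: failure count, distinct
    usernames tried, and whether a password login from it later succeeded.
    Events are processed in log order, so 'success_after_burst' only fires for
    an Accepted password that comes after the failures reached the threshold."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_burst": False})
    for outcome, method, user, ip in parse_auth(text):
        s = stats[ip]
        if outcome == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        elif method == "password" and s["failures"] >= min_failures:
            s["success_after_burst"] = True   # the guessing apparently worked
    return {
        ip: {"failures": s["failures"], "users": sorted(s["users"]),
             "success_after_burst": s["success_after_burst"]}
        for ip, s in stats.items() if s["failures"] >= min_failures
    }


if __name__ == "__main__":
    for ip, info in guessing_report(AUTH_LOG).items():
        print(ip, info)
```

The distinct-username list is what separates a wordlist run from a single user fumbling a password, and `success_after_burst` is the case that needs immediate follow-up rather than just a block rule.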