This article was also published on razcodes.dev
Since I have been learning more about pentesting lately, and playing on sites like tryhackme.com, I find myself usually starting with the same tools, so I decided to write this short post about the process.
Init
Sometimes you know the IP of the machine that you will be working on and sometimes you don't. Sometimes there is more than one machine on the network you want to look into, so in those cases, you start with the basic IP scan.
nmap -sn -n 192.168.0.0/24 -oN discovery.nmap
Options:
-sn: ping scan
-n: no DNS resolution
-oN: write the scan output in normal format to a file
Besides using nmap for this, you can also use netdiscover to see all the machines on the current network by specifying the interface.
netdiscover -i tap0
Here I use tap0 as the interface because I am connected to a VPN; if I were just looking at machines on my internal network I would use eth0.
netdiscover -i eth0
Once nmap is done running, I take that file and strip everything from it except the IPs.
cat discovery.nmap | grep for | cut -d " " -f 5 > ips.txt
I also make sure my IP is not in there so I don't scan myself.
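An added example (not from the original post) that does the same extraction as the pipeline above as a small script: it parses the `Nmap scan report for` lines, also handles the `hostname (IP)` form nmap prints when DNS resolution is on, and drops the scanner's own address automatically. The nmap output, the 192.168.0.x hosts and the own address 192.168.0.42 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: pull the live hosts out of an
# nmap -sn -oN file and drop our own address so we do not scan ourselves.
# The nmap output below is a constructed sample, not a real scan.

SAMPLE_NMAP='# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn 192.168.0.0/24 -oN discovery.nmap
Nmap scan report for gateway.lan (192.168.0.1)
Host is up (0.0010s latency).
Nmap scan report for 192.168.0.23
Host is up (0.0020s latency).
Nmap scan report for 192.168.0.42
Host is up (0.00050s latency).
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 5.12 seconds'

# write_sample FILE: store the constructed scan output in FILE.
write_sample() {
    printf '%s\n' "$SAMPLE_NMAP" > "$1"
}

# extract_targets FILE OWN_IP: print one IP per line for every host nmap
# reported, excluding OWN_IP. Only "Nmap scan report for" lines carry hosts;
# their last field is either the bare IP (scan run with -n) or "(IP)" after a
# hostname (scan run without -n), so take the last field and strip parentheses.
extract_targets() {
    grep '^Nmap scan report for ' "$1" \
      | awk '{ print $NF }' \
      | tr -d '()' \
      | grep -v -x -F "$2"
}

# Stand-alone run: assume our own address (constructed) is 192.168.0.42.
scan="$(mktemp)"
write_sample "$scan"
extract_targets "$scan" 192.168.0.42   # prints 192.168.0.1 and 192.168.0.23
rm -f "$scan"
```

Redirect the output of `extract_targets` to ips.txt to feed it into the `-iL` scan below.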
More
Now that I have a list of IPs, I can run a longer scan.
nmap -sV -p- -n -v -Pn -T4 -iL ips.txt -A --open
Options:
-sV: version info
-p-: scan all ports
-n: no DNS resolution
-v: verbose
-Pn: treat all hosts as online (skip host discovery)
-T4: aggressive timing template
-iL: read the targets to scan from the file
-A: enable OS detection, version detection, script scanning and traceroute
--open: only show open ports
Of course these options might not suit every engagement, and you should read more about nmap strategies before using them, but for my needs so far they have worked well.
Website involved
If the scans above show some HTTP ports open (80, 8080, etc.), I then run dirb to look for any directories that might be hidden.
dirb http://10.10.47.53
Fork in the road
After the usual scans above, I take a different road depending on the scenario I encounter, now that I have the data I need from the scan.
Happy scanning!