Scan and Discovery

nmapAutomator: A script you can run in the background! Useful for running during your enum exercise. I used it during my OSCP certification!

mapCIDR: Developed to ease load distribution for mass scanning operations; it can be used both as a library and as an independent CLI tool.

RustScan: The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported).

dscan: Distributed Nmap, a wrapper around Nmap that allows distributed network enumeration.

    % dscan --name project name srv --config dscan.conf targets.txt

    Distributed Scan Status
    ========================

    ---------	----------------	------------
    N Stages	N  Pending Tasks	Completion %
    ---------	----------------	------------
    4        	0               	0.00%

    ---------	----------	-----------	------------
    Stage    	N Targets	N Finished	Completion %
    ---------	----------	-----------	------------
    discovery	1         	0          	0.00%

    ---------------	---------	-----------	------------
    Agent          	Stage    	Task Status	Target Ip
    ---------------	---------	-----------	------------
    127.0.0.1:53281	discovery	DOWNLOADING	127.0.0.1/32

hcxdumptool: Small tool to capture packets from wlan devices.

sudo hcxdumptool -i wlp39s0f3u4u5 -o output.pcapng -t 5 --enable_status=3

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a225a8faa8
MAC ACCESS POINT.........: 00bb3a4250d5 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 61585
ANONCE...................: 765e00f3f9788ebf2df96c69ee9806b19df6105b2c39b389d76d4d85ee5f0f66
 
[10:37:11 - 001] 00156d9a26c0 -> f0a225a8faa8 Anan Apartment [PROBERESPONSE, SEQUENCE 2696, AP CHANNEL 1]
[10:37:12 - 001] 6c8dc120891f -> ffffffffffff Anan Apartment [PROBEREQUEST, SEQUENCE 2643]
[10:37:12 - 001] 00bb3a4250d6 -> 6c8dc120891f Anan Apartment [PROBERESPONSE, SEQUENCE 0, AP CHANNEL 1]
[10:37:12 - 001] 70778110c833 -> 00156d9a26c0  [PROBEREQUEST, SEQUENCE 256]
[10:37:32 - 009] 403decc272b8 -> 2c5bb8742b39 Paangoon_2G [PROBERESPONSE, SEQUENCE 1940, AP CHANNEL 9]
[10:37:36 - 011] ec1f72b8f3d1 -> f0a225a8faa8 Muay [PROBERESPONSE, SEQUENCE 2902, AP CHANNEL 11]
[10:37:38 - 011] 083e8eaa328b -> ffffffffffff Muay [PROBEREQUEST, SEQUENCE 9]
[10:37:38 - 011] 00bb3a4250d7 -> 083e8eaa328b Muay [PROBERESPONSE, SEQUENCE 9, AP CHANNEL 11]
[10:37:39 - 011] 083e8eaa328b -> ec1f72b8f3d1 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 14306]
[10:37:39 - 011] ec1f72b8f3d1 -> 083e8eaa328b [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 7419]
[10:37:50 - 002] 4c189a2fb76e -> ffffffffffff Topline_Wifi [PROBEREQUEST, SEQUENCE 344]
[10:37:50 - 002] 00bb3a4250d8 -> 4c189a2fb76e Topline_Wifi [PROBERESPONSE, SEQUENCE 10, AP CHANNEL 2]
[10:38:01 - 008] b6b98a73aa05 -> f0a225a8faa8 Panmongkon [PROBERESPONSE, SEQUENCE 1433, AP CHANNEL 8]
[10:38:01 - 008] b6b98a73e88a -> f0a225a8faa8 Panmongkon [PROBERESPONSE, SEQUENCE 3790, AP CHANNEL 8]
[10:38:20 - 001] 74da38b04d5a -> ffffffffffff seasun [PROBEREQUEST, SEQUENCE 3235]
[10:38:20 - 001] 00bb3a4250d9 -> 74da38b04d5a seasun [PROBERESPONSE, SEQUENCE 25, AP CHANNEL 1]
INFO: cha=9, rx=13802, rx(dropped)=1073, tx=319, powned=2, err=0

Nosql-MongoDB-injection-username-password-enumeration: Using this script, we can enumerate usernames and passwords of web applications vulnerable to NoSQL (MongoDB) injection.

python nosqli-user-pass-enum.py -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit

nullinux: Nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. If no username and password are provided in the command line arguments, an anonymous login, or null session, is attempted. Nullinux acts as a wrapper around the Samba tools smbclient & rpcclient to enumerate hosts using a variety of techniques.

ridenum: A simple open source method for performing null session brute forces.

./ridenum.py 192.168.1.50 500 50000 /root/dict.txt /root/user.txt

tomcat-weak-password-scanner: Tomcat password brute-force.

SharpEDRChecker: Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, and installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools.

finger-user-enum: finger-user-enum (Solaris OS) is a tool for enumerating OS-level user accounts via the finger service. As of release v1.0 it is known to work against the default Solaris daemon. It may not yet work against all daemons, since there is no defined format for the data returned by the finger service.

List of usernames: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/Names/names.txt

$ ./finger-user-enum.pl -U users.txt -t 10.0.0.1
 Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum ) 

  ----------------------------------------------------------
 |                   Scan Information                       |
  ---------------------------------------------------------- 

 Worker Processes ......... 5
 Usernames file ........... users.txt
 Target count ............. 1
 Username count ........... 47
 Target TCP port .......... 79
 Query timeout ............ 5 secs
 Relay Server ............. Not used 

 ######## Scan started at Sun Jan 21 19:44:22 2007 #########
 root@10.0.0.1: root     Super-User            console     2:03 Wed 07:23 ..
 bin@10.0.0.1: bin             ???            pts/1        <Dec 21 13:04> 10.0.0.99
 daemon@10.0.0.1: daemon          ???                         < .  .  .  . >..
 adm@10.0.0.1: adm      Admin                              < .  .  .  . >..
 lp@10.0.0.1: lp       Line Printer Admin                 < .  .  .  . >..
 uucp@10.0.0.1: uucp Admin                         < .  .  .  . >..
 nobody@10.0.0.1: nobody4  SunOS 4.x Nobody                   < .  .  .  . >..
 ftp@10.0.0.1: ftp      Anonymous FTPUser     674          <Aug 11 14:22> 10.0.0.99
 ######## Scan completed at Sun Jan 21 19:44:23 2007 #########
 8 results. 

 47 queries in 1 seconds (47.0 queries / sec)
