Scan and Discovery

nmapAutomator: A script you can run in the background! Useful for running during your enum exercise. I used it during my OSCP certification!

RustScan: The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported).

dscan: Distributed Nmap, wrapper around Nmap to allow distributed network enumeration.

% dscan --name <project name> srv --config dscan.conf targets.txt
Distributed Scan Status
========================
---------  ----------------  ------------
N Stages   N Pending Tasks   Completion %
---------  ----------------  ------------
4          0                 0.00%
---------  ----------  -----------  ------------
Stage      N Targets   N Finished   Completion %
---------  ----------  -----------  ------------
discovery  1           0            0.00%
---------------  ---------  -----------  ------------
Agent            Stage      Task Status  Target Ip
---------------  ---------  -----------  ------------
127.0.0.1:53281  discovery  DOWNLOADING  127.0.0.1/32

hcxdumptool: Small tool to capture packets from wlan devices.

sudo hcxdumptool -i wlp39s0f3u4u5 -o output.pcapng -t 5 --enable_status=3
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a225a8faa8
MAC ACCESS POINT.........: 00bb3a4250d5 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 61585
ANONCE...................: 765e00f3f9788ebf2df96c69ee9806b19df6105b2c39b389d76d4d85ee5f0f66
[10:37:11 - 001] 00156d9a26c0 -> f0a225a8faa8 Anan Apartment [PROBERESPONSE, SEQUENCE 2696, AP CHANNEL 1]
[10:37:12 - 001] 6c8dc120891f -> ffffffffffff Anan Apartment [PROBEREQUEST, SEQUENCE 2643]
[10:37:12 - 001] 00bb3a4250d6 -> 6c8dc120891f Anan Apartment [PROBERESPONSE, SEQUENCE 0, AP CHANNEL 1]
[10:37:12 - 001] 70778110c833 -> 00156d9a26c0 [PROBEREQUEST, SEQUENCE 256]
[10:37:32 - 009] 403decc272b8 -> 2c5bb8742b39 Paangoon_2G [PROBERESPONSE, SEQUENCE 1940, AP CHANNEL 9]
[10:37:36 - 011] ec1f72b8f3d1 -> f0a225a8faa8 Muay [PROBERESPONSE, SEQUENCE 2902, AP CHANNEL 11]
[10:37:38 - 011] 083e8eaa328b -> ffffffffffff Muay [PROBEREQUEST, SEQUENCE 9]
[10:37:38 - 011] 00bb3a4250d7 -> 083e8eaa328b Muay [PROBERESPONSE, SEQUENCE 9, AP CHANNEL 11]
[10:37:39 - 011] 083e8eaa328b -> ec1f72b8f3d1 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 14306]
[10:37:39 - 011] ec1f72b8f3d1 -> 083e8eaa328b [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 7419]
[10:37:50 - 002] 4c189a2fb76e -> ffffffffffff Topline_Wifi [PROBEREQUEST, SEQUENCE 344]
[10:37:50 - 002] 00bb3a4250d8 -> 4c189a2fb76e Topline_Wifi [PROBERESPONSE, SEQUENCE 10, AP CHANNEL 2]
[10:38:01 - 008] b6b98a73aa05 -> f0a225a8faa8 Panmongkon [PROBERESPONSE, SEQUENCE 1433, AP CHANNEL 8]
[10:38:01 - 008] b6b98a73e88a -> f0a225a8faa8 Panmongkon [PROBERESPONSE, SEQUENCE 3790, AP CHANNEL 8]
[10:38:20 - 001] 74da38b04d5a -> ffffffffffff seasun [PROBEREQUEST, SEQUENCE 3235]
[10:38:20 - 001] 00bb3a4250d9 -> 74da38b04d5a seasun [PROBERESPONSE, SEQUENCE 25, AP CHANNEL 1]
INFO: cha=9, rx=13802, rx(dropped)=1073, tx=319, powned=2, err=0

Nosql-MongoDB-injection-username-password-enumeration: Using this script, we can enumerate usernames and passwords of web applications vulnerable to NoSQL (MongoDB) injection.

python nosqli-user-pass-enum.py -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit

nullinux: Nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. If no username and password are provided in the command line arguments, an anonymous login, or null session, is attempted. Nullinux acts as a wrapper around the Samba tools smbclient & rpcclient to enumerate hosts using a variety of techniques.

ridenum: A simple open source method for performing null session brute forces.

./ridenum.py 192.168.1.50 500 50000 /root/dict.txt /root/user.txt

tomcat-weak-password-scanner: Tomcat password brute-force.

SharpEDRChecker: Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, and installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools.

finger-user-enum: finger-user-enum (Solaris OS) is a tool for enumerating OS-level user accounts via the finger service. As of release v1.0 it is known to work against the default Solaris daemon. It may not yet work against all daemons since there is no defined format for the data returned by the finger service.

List of usernames: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/Names/names.txt

$ ./finger-user-enum.pl -U users.txt -t 10.0.0.1
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sun Jan 21 19:44:22 2007 #########
root@10.0.0.1: root Super-User console 2:03 Wed 07:23 ..
bin@10.0.0.1: bin ??? pts/1 <Dec 21 13:04> 10.0.0.99
daemon@10.0.0.1: daemon ??? < . . . . >..
adm@10.0.0.1: adm Admin < . . . . >..
lp@10.0.0.1: lp Line Printer Admin < . . . . >..
uucp@10.0.0.1: uucp Admin < . . . . >..
nobody4@10.0.0.1: nobody4 SunOS 4.x Nobody < . . . . >..
ftp@10.0.0.1: ftp Anonymous FTPUser 674 <Aug 11 14:22> 10.0.0.99
######## Scan completed at Sun Jan 21 19:44:23 2007 #########
8 results.
47 queries in 1 seconds (47.0 queries / sec)