2-1: Network Recon
My approach to initial network enumeration is the most predictable part of the process: I start with two commands:
- A Rustscan of all TCP ports as it's lightning fast to get results:
rustscan --timeout 500 --batch-size 1500 -a [ip]
The results of this scan inform the following nmap scan, as I only want to do more in-depth scans of open ports.
sudo nmap -sV -sC -O -p [port1,port2,port3, etc.] -oA tcp-services-scripts_port1-port2-etc [ip]
This scan will run service enumeration, operating system enumeration, and default scripts against the discovered ports. Usually this is enough information to get me started on more specific enumeration.
But before I get to that, I kick off the first of several UDP scans, as these take longer to complete I prefer to batch these into ranges of ports:
- Scan 1:
nmap -sU -p 1-1000 -oA udp_1-1000 -vv [ip]
- Scan 2:
nmap -sU -p 1001-5000 -oA udp_1001-5000 -vv [ip]
Depending on results I'll either then run a single final scan to hit the rest of the port range, or keep batching them. If any open ports are discovered repeat the nmap -sV -sC
scan against those ports.
In my experience so far I haven't had to make use of more specific nmap scan types to test whether a firewall is present, so those aren't covered here.
Additional service enumeration
There will be cases where either a) nmap identified an open port but couldn't fingerprint it or b) it did identify the service name but didn't run any specific scripts against it.
When either is true I have to do a little more digging:
- Search the port number online to see if there are any services that default to using this port or ports
- If I have a service name, see if nmap has any scripts to run against that service specifically.
- E.g., to enumerate LDAP try running nmap with scripts using a wildcard search. Here it will select any LDAP script that doesn't include brute in the name:
nmap --script "ldap* and not brute" [ip]
- E.g., to enumerate LDAP try running nmap with scripts using a wildcard search. Here it will select any LDAP script that doesn't include brute in the name:
- Try manually connecting with netcat and/or telnet to see if it responds to interaction;
nc [ip] [port]
ortelnet [ip] [port]
- Similarly, try a basic cURL request:
curl [ip]
orcurl -IL [ip]
for only the response headers.