Cyber Security Notes


nmap quick cheatsheet

  1. Find the live hosts in a range, keep the full Nmap output as tnet.nmap/.gnmap/.xml (-oA tnet) and write only the IP addresses to a file "tnet"

    sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5 > tnet

  2. Scan the hosts listed in that file (one host per line)

    sudo nmap -iL tnet
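The `grep for | cut -d" " -f5` pipeline above returns the wrong field whenever reverse DNS resolves, because Nmap then prints "Nmap scan report for NAME (IP)" and field 5 is the hostname. The following parser is an added example (not part of the original cheatsheet) that handles both line shapes; the Nmap output it runs on is constructed, not captured from a real scan.

```python
"""Extract live hosts from `nmap -sn` normal output.

Added example, not part of the original cheatsheet. Handles both
"Nmap scan report for 10.0.0.1" and "Nmap scan report for name (10.0.0.1)",
the second of which breaks the cut -f5 pipeline. The sample output is
constructed (hostname and addresses are made up for the demo).
"""
import re

# Constructed sample of `nmap -sn` normal output, one host with a resolved name.
SAMPLE_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:26 CET
Nmap scan report for 10.129.2.4
Host is up (0.011s latency).
Nmap scan report for host18.example.internal (10.129.2.18)
Host is up (0.013s latency).
Nmap scan report for 10.129.2.28
Host is up (0.012s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.88 seconds
"""

# Either "for NAME (IP)" or "for IP"; the two alternatives fill different groups.
_REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip_paren>[^)]+)\)|(?P<ip>\S+))$"
)


def parse_live_hosts(nmap_output: str) -> list[dict]:
    """Return one dict per reported host: {'ip': ..., 'name': ... or None}."""
    hosts = []
    for line in nmap_output.splitlines():
        m = _REPORT_RE.match(line.strip())
        if not m:
            continue
        ip = m.group("ip_paren") or m.group("ip")
        hosts.append({"ip": ip, "name": m.group("name")})
    return hosts


def live_ips(nmap_output: str) -> list[str]:
    """Just the IP addresses, ready to be written to a file for `nmap -iL`."""
    return [h["ip"] for h in parse_live_hosts(nmap_output)]


def naive_cut_field5(nmap_output: str) -> list[str]:
    """What `grep for | cut -d" " -f5` yields, for comparison with the parser."""
    return [line.split(" ")[4] for line in nmap_output.splitlines() if "for" in line]


if __name__ == "__main__":
    print("parser :", live_ips(SAMPLE_OUTPUT))
    print("cut -f5:", naive_cut_field5(SAMPLE_OUTPUT))
```

Running the script shows the parser returning three addresses while the cut-based list contains the hostname in the middle; passing -n to the discovery scan avoids the problem at the source, but the parser is safer when you are handed output you did not produce.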
  3. Show all packets sent and received with --packet-trace. -PE performs the ping scan using ICMP Echo requests against the target.

    sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace

  4. Display the reason for a specific result with --reason

  5. In the packet trace we see that Nmap detects whether a host on the local subnet is alive through the ARP request and ARP reply alone. To disable ARP requests and scan the target with the desired ICMP Echo requests, set the "--disable-arp-ping" option, then scan the target again and look at the packets sent and received.

  6. With --disable-arp-ping we can read the TTL of the ICMP Echo reply and use it to guess the OS: 128 - Windows, 64 - Linux/Mac, 255 - network devices
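The TTL rule in item 6 needs one refinement in practice: every router on the path decrements the TTL, so a Windows host three hops away replies with 125, not 128. The script below is an added example (not from the original cheatsheet) that parses the RCVD lines of a `--packet-trace` run and rounds the observed TTL up to the nearest common initial value; the trace lines are constructed to mimic Nmap's format and are not from a real scan.

```python
"""Guess the OS family from the TTL of an ICMP Echo reply in Nmap's packet trace.

Added example, not part of the original cheatsheet. Applies the
64 / 128 / 255 rule from the note above, but allows for router hops:
the observed TTL is the initial TTL minus the hop count, so we pick the
smallest common initial value that is >= the observed one.
The packet-trace lines are constructed, not captured from a scan.
"""
import re

# Constructed --packet-trace output: three Echo replies with different hop counts.
SAMPLE_TRACE = """\
SENT (0.0074s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0174s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40884 iplen=28 ]
SENT (0.0080s) ICMP [10.10.14.2 > 10.129.2.28 Echo request (type=8/code=0) id=13608 seq=0] IP [ttl=255 id=23542 iplen=28 ]
RCVD (0.0190s) ICMP [10.129.2.28 > 10.10.14.2 Echo reply (type=0/code=0) id=13608 seq=0] IP [ttl=61 id=1 iplen=28 ]
SENT (0.0085s) ICMP [10.10.14.2 > 10.129.2.1 Echo request (type=8/code=0) id=13609 seq=0] IP [ttl=255 id=23543 iplen=28 ]
RCVD (0.0200s) ICMP [10.129.2.1 > 10.10.14.2 Echo reply (type=0/code=0) id=13609 seq=0] IP [ttl=254 id=7 iplen=28 ]
"""

# Common initial TTLs and the OS family the cheatsheet associates with each.
INITIAL_TTLS = [(64, "Linux/macOS"), (128, "Windows"), (255, "network device")]

# Only replies matter; SENT lines carry our own TTL, not the target's.
_REPLY_RE = re.compile(
    r"^RCVD .*ICMP \[(?P<src>\S+) > (?P<dst>\S+) Echo reply .*ttl=(?P<ttl>\d+)"
)


def guess_os(observed_ttl: int) -> tuple[str, int]:
    """Map an observed TTL to (os_family, estimated_hops).

    Picks the smallest common initial TTL that is >= the observed value;
    the difference is the number of hops the reply travelled.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial, family in INITIAL_TTLS:
        if observed_ttl <= initial:
            return family, initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def fingerprint_replies(trace: str) -> dict[str, tuple[str, int]]:
    """Return {reply_source_ip: (os_family, hops)} for every Echo reply in a trace."""
    results = {}
    for line in trace.splitlines():
        m = _REPLY_RE.match(line)
        if m:
            results[m.group("src")] = guess_os(int(m.group("ttl")))
    return results


if __name__ == "__main__":
    for ip, (family, hops) in fingerprint_replies(SAMPLE_TRACE).items():
        print(f"{ip}: probably {family} ({hops} hop(s) away)")
```

The rule is only a hint: administrators can change the default TTL, and a host behind many hops can land in the wrong bucket, so treat the result as a lead to confirm with -O or -sV rather than as a fact.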

  7. Scan the "x" most common ports: --top-ports=<number>

  8. -n disables DNS resolution. Since DNS lookups can be slow even with Nmap's built-in parallel stub resolver, this option reduces scanning time.

  9. TCP Connect scan (-sT) - The Connect scan (also known as a full TCP connect scan) is highly accurate because it completes the three-way TCP handshake, allowing us to determine the exact state of a port (open, closed, or filtered). However, it is not the most stealthy. In fact, the Connect scan is one of the least stealthy techniques: it fully establishes a connection, which creates logs on most systems and is easily detected by modern IDS/IPS solutions. Example:

    Connect Scan on TCP Port 443

    $ sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:26 CET
    CONN (0.0385s) TCP localhost > 10.129.2.28:443 => Operation now in progress
    CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected
    Nmap scan report for 10.129.2.28
    Host is up, received user-set (0.013s latency).

    PORT    STATE SERVICE REASON
    443/tcp open  https   syn-ack

    Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

  10. Version scan = -sV

  11. Script scan = -sC

  12. Aggressive scan = -A

  13. Convert Nmap XML output to an HTML report (the -oA run writes target.xml, which xsltproc then renders):

    nmap <IP> -oA target
    xsltproc target.xml -o target.html

  14. Firewall bypass - decoy scan with five random decoy addresses: -D RND:5

Firewall bypass

  1. HTB Academy hard lab

Firewall and IDS/IPS Evasion - Hard Lab

Now our client wants to know if it is possible to find out the version of the running services on an unknown port behind the firewall and IDS/IPS. Identify the version of the service our client was talking about and submit the flag as the answer.

Scanning Options and Description

  • 10.129.2.28 Scans the specified target.

  • -p 21,22,25 Scans only the specified ports.

  • -sS Performs a SYN scan on the specified ports.

  • -sA Performs an ACK scan on the specified ports.

  • -Pn Skips host discovery (no ICMP Echo requests) and treats the target as up.

  • -n Disables DNS resolution.

  • --disable-arp-ping Disables ARP ping.

  • --packet-trace Shows all packets sent and received.

Scan by Using Decoys

sudo nmap 10.129.2.47 -p 22,80,50000 -sV -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 -e tun0 -D RND:10

Connect to the filtered port 50000 discovered above, using source port 53 so the connection passes the same filter that let the scan through.

ncat -nv --source-port 53 10.129.2.47 50000

Testing Firewall Rule

sudo nmap 10.129.2.28 -n -Pn -p445 -O

Scan by Using Different Source IP

sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

SYN-Scan From DNS Port

sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

  2. Medium lab

nmap -Pn -T4 -A -v -sV 10.129.57.157 -p 53 -D RND:5 --stats-every=5s
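Both tricks used in these labs leave a recognisable trace: `--source-port 53` (and `ncat --source-port 53`) produces new TCP connections whose source port is 53 but whose destination is not DNS, and `-D RND:N` produces a burst of unrelated source addresses probing one host at the same instant. The script below is an added example from the defender's side (not part of the original cheatsheet or of HTB Academy) that runs both checks over constructed firewall log lines; the key=value log format is assumed for the demo and is not any vendor's real format.

```python
"""Detect source-port-53 evasion and decoy bursts in firewall logs.

Added example, not part of the original cheatsheet. Two checks:
  1. a TCP connection *initiated* (SYN) from a port a permissive rule
     might trust (53 here) towards a non-DNS destination port;
  2. a target contacted by many distinct sources within a short window,
     the shape a decoy scan (-D RND:N) has from the victim's side.
The log lines and their key=value format are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log: a decoy SYN scan from source port 53, then two benign lines
# (a real DNS reply from port 53 over UDP, and an ordinary SSH connection).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.10.14.2 spt=53 dst=10.129.2.47 dpt=22 proto=tcp flags=S action=allow
2024-05-01T10:00:00Z src=198.51.100.7 spt=53 dst=10.129.2.47 dpt=22 proto=tcp flags=S action=allow
2024-05-01T10:00:00Z src=203.0.113.9 spt=53 dst=10.129.2.47 dpt=22 proto=tcp flags=S action=allow
2024-05-01T10:00:00Z src=192.0.2.31 spt=53 dst=10.129.2.47 dpt=22 proto=tcp flags=S action=allow
2024-05-01T10:00:00Z src=198.51.100.80 spt=53 dst=10.129.2.47 dpt=22 proto=tcp flags=S action=allow
2024-05-01T10:00:01Z src=10.10.14.2 spt=53 dst=10.129.2.47 dpt=50000 proto=tcp flags=S action=allow
2024-05-01T10:00:01Z src=203.0.113.9 spt=53 dst=10.129.2.47 dpt=50000 proto=tcp flags=S action=allow
2024-05-01T10:05:00Z src=10.129.2.5 spt=53 dst=10.129.2.10 dpt=41022 proto=udp flags=- action=allow
2024-05-01T10:06:00Z src=10.129.2.10 spt=51234 dst=10.129.2.47 dpt=22 proto=tcp flags=S action=allow
"""

TRUSTED_SOURCE_PORTS = {53}          # ports an over-broad "allow from port X" rule trusts
DNS_PORTS = {53}
DECOY_WINDOW = timedelta(seconds=2)  # tune both thresholds to the host's normal traffic
DECOY_MIN_SOURCES = 5


def parse_log(text):
    """Turn 'TIMESTAMP key=value ...' lines into dicts with typed ts/spt/dpt."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["spt"], ev["dpt"] = int(ev["spt"]), int(ev["dpt"])
        events.append(ev)
    return events


def source_port_evasion(events):
    """(src, dst, dpt) for TCP SYNs from a trusted source port to a non-DNS port.

    Restricting to TCP SYN keeps legitimate UDP DNS replies (port 53 -> client
    ephemeral port) out of the results.
    """
    return [
        (ev["src"], ev["dst"], ev["dpt"])
        for ev in events
        if ev["proto"] == "tcp" and "S" in ev["flags"]
        and ev["spt"] in TRUSTED_SOURCE_PORTS and ev["dpt"] not in DNS_PORTS
    ]


def decoy_bursts(events):
    """{dst: max distinct sources seen inside one DECOY_WINDOW} for flagged targets."""
    by_dst = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_dst[ev["dst"]].append((ev["ts"], ev["src"]))
    flagged = {}
    for dst, seq in by_dst.items():
        for i, (ts, _) in enumerate(seq):
            recent = {src for t, src in seq[: i + 1] if ts - t <= DECOY_WINDOW}
            if len(recent) >= DECOY_MIN_SOURCES:
                flagged[dst] = max(flagged.get(dst, 0), len(recent))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, dst, dpt in source_port_evasion(events):
        print(f"source-port evasion: {src}:53 -> {dst}:{dpt}")
    for dst, n in decoy_bursts(events).items():
        print(f"possible decoy scan: {n} distinct sources hit {dst} within {DECOY_WINDOW}")
```

The first check is also the fix in disguise: a stateful rule that only allows *replies* from port 53, rather than any packet with source port 53, makes the `--source-port 53` trick and the ncat connection above fail. The decoy check is a heuristic; on a busy public service five sources in two seconds is normal, so the window and count must be tuned per host, and the real scanner's address is one of the cluster but not distinguishable from the decoys by this count alone.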


Last updated 2 months ago
