# Network Pentesting Cheatsheet

Quick reference for network reconnaissance, port scanning, and traffic analysis. `<target>` below stands for a host, hostname, CIDR range or list (e.g. `10.0.0.5`, `10.0.0.0/24`, `-iL hosts.txt`).

---

## Nmap

### Basic Scans

```bash
# Quick scan (top 1000 TCP ports)
nmap <target>

# Version detection
nmap -sV <target>

# OS detection (requires root)
nmap -O <target>

# Aggressive scan (OS, version, default scripts, traceroute)
nmap -A <target>

# All 65535 TCP ports
nmap -p- <target>

# Specific ports
nmap -p 80,443,8080 <target>

# Port range
nmap -p 1-1000 <target>
```

### Scan Types

```bash
# TCP SYN (half-open) - default when run as root, never completes the handshake
nmap -sS <target>

# TCP connect - no root needed, completes the handshake (noisier; the service logs a connection)
nmap -sT <target>

# UDP scan (slow; limit the port list with -p or --top-ports)
nmap -sU <target>

# Combined TCP/UDP
nmap -sS -sU <target>

# NULL scan (no flags set)
nmap -sN <target>

# FIN scan
nmap -sF <target>

# Xmas scan (FIN, PSH, URG)
nmap -sX <target>

# Caveat: -sN/-sF/-sX depend on RFC 793 behaviour. Windows, many Cisco devices and
# other stacks answer RST on every port regardless of state, so everything looks closed.
```

### Speed and Timing

```bash
# Timing templates (0=paranoid ... 5=insane)
nmap -T0 <target>   # Slowest, serial probes with long delays; IDS evasion
nmap -T3 <target>   # Normal (default)
nmap -T4 <target>   # Aggressive; fine on reliable LAN/VPN links
nmap -T5 <target>   # Fastest; may drop results on lossy links

# Packet rate limits (packets per second)
nmap --min-rate 1000 <target>
nmap --max-rate 100 <target>
```

### Output Formats

```bash
# Normal output
nmap -oN scan.txt <target>

# Grepable output
nmap -oG scan.gnmap <target>

# XML output
nmap -oX scan.xml <target>

# All three formats (writes scan.nmap, scan.gnmap, scan.xml)
nmap -oA scan <target>
```

### NSE Scripts

```bash
# Default scripts (-sC is shorthand for --script=default)
nmap -sC <target>
nmap --script=default <target>

# Specific script
nmap --script=http-title <target>

# Script categories
nmap --script=vuln <target>
nmap --script=safe <target>
nmap --script=discovery <target>

# Multiple scripts
nmap --script=http-title,http-headers <target>

# Wildcard (quote it so the shell does not expand the * against local files)
nmap --script="http-*" <target>

# Script help
nmap --script-help=http-title
```

### Common Script Categories

| Category | Description |
|----------|-------------|
| auth | Credential handling: default/anonymous logins, auth bypass (not brute force) |
| broadcast | Discover hosts by broadcasting on the local network |
| brute | Brute-force credential guessing |
| default | Scripts run by `-sC` / `-A` |
| discovery | Information gathering |
| exploit | Actively exploit vulnerabilities |
| fuzzer | Send unexpected input; may crash services |
| safe | Not expected to crash services or consume noticeable resources |
| vuln | Check for specific known vulnerabilities |

### Firewall Evasion

```bash
# Fragment packets (8-byte fragments)
nmap -f <target>

# Fragment packets (16-byte fragments)
nmap -ff <target>

# Custom MTU (must be a multiple of 8)
nmap --mtu 24 <target>

# Decoy scan (random decoys, or a named list where ME is your real address)
nmap -D RND:10 <target>
nmap -D decoy1,decoy2,ME <target>

# Spoof source port (abuses rules that trust traffic from DNS/HTTP source ports)
nmap -g 53 <target>
nmap --source-port 80 <target>

# Skip host discovery (treat every host as up)
nmap -Pn <target>

# Custom user agent for HTTP scripts
nmap --script-args http.useragent="Mozilla/5.0" <target>

# Scan delay (evade rate limiting)
nmap --scan-delay 1s <target>

# Bad checksum: real hosts drop these, so any reply comes from a firewall/IDS
nmap --badsum <target>
```

### Host Discovery

```bash
# Ping sweep, no port scan (uses ARP automatically on the local segment as root)
nmap -sn 192.168.1.0/24

# ARP scan (local network only)
nmap -PR 192.168.1.0/24

# List scan (no probes sent, reverse DNS only)
nmap -sL 192.168.1.0/24

# TCP SYN ping
nmap -PS22,80,443 <target>

# TCP ACK ping
nmap -PA80,443 <target>

# UDP ping
nmap -PU53 <target>
```

### Favorite Commands

```bash
# Comprehensive scan (-A already implies -sV and -sC)
nmap -A -vv -sV -sC -oA scan <target>

# OSCP-style initial
nmap -sV -sC -oN initial.txt <target>

# Full port scan
nmap -T4 -sS -Pn -p- -oN allports.txt <target>

# Quick top 1000
nmap -sV -sC -T4 <target>

# Vuln scan
nmap --script=vuln -oN vulns.txt <target>
```

---

## Wireshark

### Display Filters

#### IP Filtering

```
ip.addr == 192.168.1.1          # Traffic to/from IP
ip.src == 192.168.1.1           # Source IP
ip.dst == 192.168.1.1           # Destination IP
ip.addr == 192.168.1.0/24       # Subnet
ip.addr != 192.168.1.1          # Exclude IP (matches packets where neither src nor dst is the IP; !(ip.addr == x) is safer)
```

#### Port Filtering

```
tcp.port == 80                     # TCP port 80
udp.port == 53                     # UDP port 53
tcp.port == 80 || tcp.port == 443  # HTTP or HTTPS
tcp.dstport == 443                 # Destination port
tcp.srcport == 8080                # Source port
```

#### Protocol Filtering

```
http          # HTTP traffic
dns           # DNS traffic
tcp           # TCP traffic
udp           # UDP traffic
icmp          # ICMP traffic
arp           # ARP traffic
ssl || tls    # TLS traffic (ssl is the legacy name of the same dissector)
```

#### TCP Flags

```
tcp.flags.syn == 1                          # SYN packets
tcp.flags.syn == 1 && tcp.flags.ack == 0    # SYN only
tcp.flags.reset == 1                        # RST packets
tcp.flags == 0x002                          # SYN flag only
tcp.flags == 0x012                          # SYN-ACK
```

#### HTTP Filtering

```
http.request                          # HTTP requests
http.response                         # HTTP responses
http.request.method == "GET"          # GET requests
http.request.method == "POST"         # POST requests
http.host contains "google"           # Host contains
http.response.code == 200             # Status code
http.request.uri contains "login"     # URI contains
```

#### Content Filtering

```
frame contains "password"    # Frame contains string (any layer)
http contains "admin"        # HTTP payload contains
tcp contains "secret"        # TCP payload contains
```

### Analysis Filters

```
# Bad TCP (expert-info flags, minus harmless window updates)
tcp.analysis.flags && !tcp.analysis.window_update

# Retransmissions
tcp.analysis.retransmission

# Slow initial round trip (seconds)
tcp.analysis.initial_rtt > 1

# TCP delays between packets in a stream
tcp.time_delta > 0.1

# Slow HTTP responses
http.time > 0.025

# Slow DNS responses
dns.time > 1

# Unusual TTL (most hosts start at 64, 128 or 255; values far from those suggest spoofing or odd routing)
ip.ttl < 50 && ip.ttl > 30

# Filter out noise
!(eth.addr == ff:ff:ff:ff:ff:ff || arp || icmp || stp || cdp || lldp)
```

### Special Operators

```
contains     # Substring match (case-sensitive)
matches      # PCRE regex match (case-insensitive by default)
in {set}     # Set membership; elements may be ranges written a..b
```

#### Examples

```
frame contains "google"
http.host matches "\.(org|com|net)$"
tcp.port in {80 443 8000..8004}
```

### CLI Tools

#### dumpcap

```bash
# List interfaces
dumpcap -D

# Capture on interface
dumpcap -i 1 -w capture.pcapng

# Ring buffer (10 files of 500000 kB, i.e. ~500 MB each; filesize is in kB)
dumpcap -i 1 -w capture.pcapng -b filesize:500000 -b files:10
```

#### tcpdump

```bash
# Capture all traffic (add -n to skip DNS/port name resolution)
tcpdump -i eth0

# Capture to file
tcpdump -i eth0 -w capture.pcap

# Read from file
tcpdump -r capture.pcap

# Filter by host
tcpdump host 192.168.1.1

# Filter by port
tcpdump port 80

# Filter by protocol
tcpdump icmp
tcpdump tcp

# Verbose output
tcpdump -v -i eth0
tcpdump -vvv -i eth0
```

#### tshark

```bash
# Capture
tshark -i eth0 -w capture.pcap

# Read and apply a display filter
tshark -r capture.pcap -Y "http"

# Extract fields (tab-separated)
tshark -r capture.pcap -T fields -e ip.src -e ip.dst
```

---

## Service Enumeration

### Common Ports

| Port | Service | Enumeration |
|------|---------|-------------|
| 21 | FTP | `nmap --script="ftp-*" -p21 <target>` |
| 22 | SSH | `nmap --script="ssh-*" -p22 <target>` |
| 23 | Telnet | `nmap --script="telnet-*" -p23 <target>` |
| 25 | SMTP | `nmap --script="smtp-*" -p25 <target>` |
| 53 | DNS | `nmap --script="dns-*" -p53 <target>` |
| 80 | HTTP | `nmap --script="http-*" -p80 <target>` |
| 110 | POP3 | `nmap --script="pop3-*" -p110 <target>` |
| 139/445 | SMB | `nmap --script="smb-*" -p139,445 <target>` |
| 143 | IMAP | `nmap --script="imap-*" -p143 <target>` |
| 443 | HTTPS | `nmap --script="ssl-*,http-*" -p443 <target>` |
| 3306 | MySQL | `nmap --script="mysql-*" -p3306 <target>` |
| 3389 | RDP | `nmap --script="rdp-*" -p3389 <target>` |
| 5432 | PostgreSQL | `nmap --script="pgsql-*" -p5432 <target>` |

### SMB Enumeration

```bash
# Enum shares (null session)
smbclient -L //<target> -N
nmap --script=smb-enum-shares -p445 <target>

# Connect to share
smbclient //<target>/share -U username

# Enum users
nmap --script=smb-enum-users -p445 <target>

# Check for vulnerabilities
nmap --script="smb-vuln-*" -p445 <target>

# CrackMapExec (now maintained as NetExec, nxc, same syntax)
crackmapexec smb <target>
crackmapexec smb <target> --shares
crackmapexec smb <target> -u user -p pass
```

### DNS Enumeration

```bash
# Zone transfer
dig axfr <domain> @<nameserver>
nmap --script=dns-zone-transfer -p53 <nameserver>

# Reverse lookup
dig -x <ip>

# DNS brute force (subdomains)
nmap --script=dns-brute <domain>
```

---

## Useful Tools

| Tool | Purpose |
|------|---------|
| nmap | Port scanning, service detection |
| masscan | Fast port scanning |
| Wireshark | Packet analysis |
| tcpdump | CLI packet capture |
| netcat | Network Swiss army knife |
| CrackMapExec | SMB/AD enumeration |
| enum4linux | SMB/Samba enumeration |
| Responder | LLMNR/NBT-NS poisoning |

---

## Resources

- [Nmap Book](https://nmap.org/book/)
- [Nmap Scripting Engine](https://nmap.org/nsedoc/)
- [Wireshark User Guide](https://www.wireshark.org/docs/wsug_html/)
- [Wireshark Display Filters](https://wiki.wireshark.org/DisplayFilters)
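---

## Worked Example: From Grepable Output to Enumeration Commands

The Output Formats section and the Common Ports table are usually used together: scan with `-oG`, then run the per-service NSE scripts against what came back open. The script below is an added example, not part of the original cheatsheet; it parses nmap grepable (`.gnmap`) output, keeps only `open` ports (a `filtered` port is excluded), and prints the follow-up `nmap` command for each port that has a row in the table, switching to `-sU` for UDP services. Ports with no table entry are reported on stderr rather than silently dropped. The `.gnmap` content is constructed sample data embedded in `sample_gnmap`, and the output file naming (`enum_<host>_<port>.txt`) is an assumption of this example.

```shell
#!/bin/sh
# Added example: turn nmap -oG output into per-service NSE follow-up commands.
# Not from the original cheatsheet; sample scan data below is constructed.

# Constructed .gnmap data (two hosts up, one filtered port, one unmapped port).
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/29\n'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 80/open/tcp//http//nginx 1.18/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)\n'
    printf 'Host: 10.0.0.6 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.6 ()\tPorts: 53/open/udp//domain//dnsmasq 2.89/, 3306/open/tcp//mysql//MySQL 8.0/, 8080/open/tcp//http-proxy//Squid/\tIgnored State: closed (997)\n'
    printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 10.00 seconds\n'
}

# Read .gnmap on stdin; print "host port proto service" for every open port.
# Each Ports entry is port/state/proto/owner/service/rpc/version/ (fields split on "/").
gnmap_open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            host = $2
            line = $0
            sub(/.*Ports: /, "", line)   # keep the Ports field ...
            sub(/\t.*/, "", line)        # ... up to the next tab-separated field
            n = split(line, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] == "open") print host, f[1], f[3], f[5]
            }
        }'
}

# Port -> --script argument, taken from the Common Ports table above.
nse_scripts() {
    case "$1" in
        21)      echo 'ftp-*' ;;
        22)      echo 'ssh-*' ;;
        23)      echo 'telnet-*' ;;
        25)      echo 'smtp-*' ;;
        53)      echo 'dns-*' ;;
        80)      echo 'http-*' ;;
        110)     echo 'pop3-*' ;;
        139|445) echo 'smb-*' ;;
        143)     echo 'imap-*' ;;
        443)     echo 'ssl-*,http-*' ;;
        3306)    echo 'mysql-*' ;;
        3389)    echo 'rdp-*' ;;
        5432)    echo 'pgsql-*' ;;
        *)       echo '' ;;
    esac
}

# Read .gnmap on stdin; emit one nmap command per mapped open port.
# Unmapped ports go to stderr so nothing is skipped silently.
enum_commands() {
    gnmap_open_ports | while read -r host port proto service; do
        scripts=$(nse_scripts "$port")
        if [ -n "$scripts" ]; then
            if [ "$proto" = udp ]; then udp='-sU '; else udp=''; fi
            printf 'nmap %s--script="%s" -p%s -oN enum_%s_%s.txt %s\n' \
                "$udp" "$scripts" "$port" "$host" "$port" "$host"
        else
            printf 'no NSE mapping for %s:%s/%s (%s)\n' "$host" "$port" "$proto" "$service" >&2
        fi
    done
}

# Demo on the constructed data; with a real scan use: enum_commands < scan.gnmap
sample_gnmap | enum_commands
```

The mapping is by port, as in the table, so a service on a non-standard port (the `http-proxy` on 8080 in the sample) is reported rather than guessed; the service column from `-sV` is printed in that message so you can decide which script family applies.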
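---

## Worked Example: TCP Flag Values for Display Filters

The TCP Flags filters compare `tcp.flags` against a hex literal (`0x002` for SYN, `0x012` for SYN-ACK), and the Scan Types section lists probes (NULL, FIN, Xmas) defined entirely by which flags are set. The functions below are an added example, not part of the original cheatsheet: they encode flag names into that hex literal, decode a literal back into names, and build the display filter that isolates each nmap probe type. The bit values are the standard TCP flag bits (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20, ECE=0x40, CWR=0x80); the three-digit `0x%03x` formatting matches how Wireshark prints the 12-bit `tcp.flags` field.

```shell
#!/bin/sh
# Added example: flag names <-> Wireshark tcp.flags hex values, and
# display filters for the nmap probe types on this page. Not from the cheatsheet.

# Flag name -> bit value (standard TCP header flag bits)
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;; URG) echo 32 ;; ECE) echo 64 ;;  CWR) echo 128 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# Encode: tcp_flags_hex SYN ACK -> 0x012 ; no arguments -> 0x000 (NULL probe)
tcp_flags_hex() {
    v=0
    for f in "$@"; do
        b=$(flag_bit "$f") || return 1
        v=$((v | b))
    done
    printf '0x%03x\n' "$v"
}

# Decode: tcp_flags_names 0x029 -> FIN,PSH,URG ; 0 -> NONE
tcp_flags_names() {
    v=$(($1))
    out=''
    for f in FIN SYN RST PSH ACK URG ECE CWR; do
        if [ $((v & $(flag_bit "$f"))) -ne 0 ]; then
            out="${out:+$out,}$f"
        fi
    done
    echo "${out:-NONE}"
}

# Display filter that matches the probe packets of one nmap scan type
nmap_scan_filter() {
    case "$1" in
        syn)  echo "tcp.flags == $(tcp_flags_hex SYN)" ;;          # -sS / -sT initial probe
        null) echo "tcp.flags == $(tcp_flags_hex)" ;;              # -sN
        fin)  echo "tcp.flags == $(tcp_flags_hex FIN)" ;;          # -sF
        xmas) echo "tcp.flags == $(tcp_flags_hex FIN PSH URG)" ;;  # -sX
        *) echo "unknown scan type: $1" >&2; return 1 ;;
    esac
}

# Demo: filters for each probe type, and a round trip through decode
for t in syn null fin xmas; do
    printf '%-5s %s\n' "$t" "$(nmap_scan_filter "$t")"
done
printf 'SYN-ACK 0x012 decodes to %s\n' "$(tcp_flags_names 0x012)"
```

NULL, FIN and Xmas probes never occur in a normal TCP handshake, so their filters are reliable scan indicators on their own; `tcp.flags == 0x002` matches every ordinary connection attempt too, so for SYN-scan detection pair it with a count of distinct `tcp.dstport` values per `ip.src` (Statistics > Conversations, or `tshark -z`).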