djedi/security-cheatsheets
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
security-cheatsheets/infosec/network-pentesting.md

425 lines
8.2 KiB
Markdown
Raw Permalink Blame History

# Network Pentesting Cheatsheet
Quick reference for network reconnaissance, port scanning, and traffic analysis.
---
## Nmap
### Basic Scans
```bash
# Quick scan
nmap <target>
# Version detection
nmap -sV <target>
# OS detection
nmap -O <target>
# Aggressive scan (OS, version, scripts, traceroute)
nmap -A <target>
# All ports
nmap -p- <target>
# Specific ports
nmap -p 80,443,8080 <target>
# Port range
nmap -p 1-1000 <target>
```
### Scan Types
```bash
# TCP SYN (stealth) - default, requires root
nmap -sS <target>
# TCP connect - no root needed
nmap -sT <target>
# UDP scan
nmap -sU <target>
# Combined TCP/UDP
nmap -sS -sU <target>
# NULL scan (no flags)
nmap -sN <target>
# FIN scan
nmap -sF <target>
# Xmas scan (URG, PSH, FIN)
nmap -sX <target>
```
### Speed and Timing
```bash
# Timing templates (0=paranoid, 5=insane)
nmap -T0 <target> # Slowest, IDS evasion
nmap -T3 <target> # Normal (default)
nmap -T4 <target> # Aggressive
nmap -T5 <target> # Fastest
# Rate limiting
nmap --min-rate 1000 <target>
nmap --max-rate 100 <target>
```
### Output Formats
```bash
# Normal output
nmap -oN scan.txt <target>
# Grepable output
nmap -oG scan.grep <target>
# XML output
nmap -oX scan.xml <target>
# All formats
nmap -oA scan <target>
```
### NSE Scripts
```bash
# Default scripts
nmap -sC <target>
nmap --script=default <target>
# Specific script
nmap --script=http-title <target>
# Script categories
nmap --script=vuln <target>
nmap --script=safe <target>
nmap --script=discovery <target>
# Multiple scripts
nmap --script=http-title,http-headers <target>
# Wildcard
nmap --script=http-* <target>
# Script help
nmap --script-help=http-title
```
### Common Script Categories
| Category | Description |
|----------|-------------|
| auth | Authentication bypass |
| broadcast | Network discovery |
| brute | Brute force attacks |
| default | Safe, useful scripts |
| discovery | Information gathering |
| exploit | Exploit vulnerabilities |
| fuzzer | Fuzzing tests |
| safe | Won't crash targets |
| vuln | Vulnerability scanning |
### Firewall Evasion
```bash
# Fragment packets (8 bytes)
nmap -f <target>
# Fragment packets (16 bytes)
nmap -ff <target>
# Custom MTU (must be multiple of 8)
nmap --mtu 24 <target>
# Decoy scan
nmap -D RND:10 <target>
nmap -D decoy1,decoy2,ME <target>
# Spoof source port
nmap -g 53 <target>
nmap --source-port 80 <target>
# Skip ping (assume host is up)
nmap -Pn <target>
# Custom user agent
nmap --script-args http.useragent="Mozilla/5.0" <target>
# Scan delay (evade rate limiting)
nmap --scan-delay 1s <target>
# Bad checksum (test firewall response)
nmap --badsum <target>
```
### Host Discovery
```bash
# Ping sweep
nmap -sn 192.168.1.0/24
# ARP scan (local network)
nmap -PR 192.168.1.0/24
# List scan (no probe, DNS only)
nmap -sL 192.168.1.0/24
# TCP SYN ping
nmap -PS22,80,443 <target>
# TCP ACK ping
nmap -PA80,443 <target>
# UDP ping
nmap -PU53 <target>
```
### Favorite Commands
```bash
# Comprehensive scan
nmap -A -vv -sV -sC <target> -oA scan
# OSCP-style initial
nmap -sV -sC -oN initial.txt <target>
# Full port scan
nmap -T4 -sS -Pn -p- -oN allports.txt <target>
# Quick top 1000
nmap -sV -sC -T4 <target>
# Vuln scan
nmap --script=vuln -oN vulns.txt <target>
```
---
## Wireshark
### Display Filters
#### IP Filtering
```
ip.addr == 192.168.1.1 # Traffic to/from IP
ip.src == 192.168.1.1 # Source IP
ip.dst == 192.168.1.1 # Destination IP
ip.addr == 192.168.1.0/24 # Subnet
ip.addr != 192.168.1.1 # Exclude IP
```
#### Port Filtering
```
tcp.port == 80 # TCP port 80
udp.port == 53 # UDP port 53
tcp.port == 80 || tcp.port == 443 # HTTP or HTTPS
tcp.dstport == 443 # Destination port
tcp.srcport == 8080 # Source port
```
#### Protocol Filtering
```
http # HTTP traffic
dns # DNS traffic
tcp # TCP traffic
udp # UDP traffic
icmp # ICMP traffic
arp # ARP traffic
ssl || tls # Encrypted traffic
```
#### TCP Flags
```
tcp.flags.syn == 1 # SYN packets
tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN only
tcp.flags.reset == 1 # RST packets
tcp.flags == 0x002 # SYN flag
tcp.flags == 0x012 # SYN-ACK
```
#### HTTP Filtering
```
http.request # HTTP requests
http.response # HTTP responses
http.request.method == "GET" # GET requests
http.request.method == "POST" # POST requests
http.host contains "google" # Host contains
http.response.code == 200 # Status code
http.request.uri contains "login" # URI contains
```
#### Content Filtering
```
frame contains "password" # Frame contains string
http contains "admin" # HTTP contains
tcp contains "secret" # TCP contains
```
### Analysis Filters
```
# Bad TCP
tcp.analysis.flags && !tcp.analysis.window_update
# Retransmissions
tcp.analysis.retransmission
# Slow round trip
tcp.analysis.initial_rtt > 1
# TCP delays
tcp.time_delta > 0.1
# Slow HTTP
http.time > 0.025
# Slow DNS
dns.time > 1
# Suspicious TTL
ip.ttl < 50 && ip.ttl > 30
# Filter out noise
!(eth.addr == ff:ff:ff:ff:ff:ff || arp || icmp || stp || cdp || lldp)
```
### Special Operators
```
contains # Substring match (case-sensitive)
matches # Regex match
in {range} # Range match
```
#### Examples
```
frame contains "google"
http.host matches "\.(org|com|net)"
tcp.port in {80 443 8000..8004}
```
### CLI Tools
#### dumpcap
```bash
# List interfaces
dumpcap -D
# Capture on interface
dumpcap -i 1 -w capture.pcapng
# Ring buffer (10 files, 500MB each)
dumpcap -i 1 -w capture.pcapng -b filesize:500000 -b files:10
```
#### tcpdump
```bash
# Capture all traffic
tcpdump -i eth0
# Capture to file
tcpdump -i eth0 -w capture.pcap
# Read from file
tcpdump -r capture.pcap
# Filter by host
tcpdump host 192.168.1.1
# Filter by port
tcpdump port 80
# Filter by protocol
tcpdump icmp
tcpdump tcp
# Verbose output
tcpdump -v -i eth0
tcpdump -vvv -i eth0
```
#### tshark
```bash
# Capture
tshark -i eth0 -w capture.pcap
# Read and filter
tshark -r capture.pcap -Y "http"
# Extract fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst
```
---
## Service Enumeration
### Common Ports
| Port | Service | Enumeration |
|------|---------|-------------|
| 21 | FTP | `nmap --script=ftp-* -p21` |
| 22 | SSH | `nmap --script=ssh-* -p22` |
| 23 | Telnet | `nmap --script=telnet-* -p23` |
| 25 | SMTP | `nmap --script=smtp-* -p25` |
| 53 | DNS | `nmap --script=dns-* -p53` |
| 80 | HTTP | `nmap --script=http-* -p80` |
| 110 | POP3 | `nmap --script=pop3-* -p110` |
| 139/445 | SMB | `nmap --script=smb-* -p139,445` |
| 143 | IMAP | `nmap --script=imap-* -p143` |
| 443 | HTTPS | `nmap --script=ssl-*,http-* -p443` |
| 3306 | MySQL | `nmap --script=mysql-* -p3306` |
| 3389 | RDP | `nmap --script=rdp-* -p3389` |
| 5432 | PostgreSQL | `nmap --script=pgsql-* -p5432` |
### SMB Enumeration
```bash
# Enum shares
smbclient -L //<target> -N
nmap --script=smb-enum-shares -p445 <target>
# Connect to share
smbclient //<target>/share -U username
# Enum users
nmap --script=smb-enum-users -p445 <target>
# Check for vulnerabilities
nmap --script=smb-vuln-* -p445 <target>
# CrackMapExec
crackmapexec smb <target>
crackmapexec smb <target> --shares
crackmapexec smb <target> -u user -p pass
```
### DNS Enumeration
```bash
# Zone transfer
dig axfr @<dns-server> <domain>
nmap --script=dns-zone-transfer -p53 <dns-server>
# Reverse lookup
dig -x <ip>
# DNS brute force
nmap --script=dns-brute <domain>
```
---
## Useful Tools
| Tool | Purpose |
|------|---------|
| nmap | Port scanning, service detection |
| masscan | Fast port scanning |
| Wireshark | Packet analysis |
| tcpdump | CLI packet capture |
| netcat | Network Swiss army knife |
| CrackMapExec | SMB/AD enumeration |
| enum4linux | SMB/Samba enumeration |
| Responder | LLMNR/NBT-NS poisoning |
---
## Resources
- [Nmap Book](https://nmap.org/book/)
- [Nmap Scripting Engine](https://nmap.org/nsedoc/)
- [Wireshark User Guide](https://www.wireshark.org/docs/wsug_html/)
- [Wireshark Display Filters](https://wiki.wireshark.org/DisplayFilters)
Reference in a new issue View git blame Copy permalink