Network Pentesting Cheatsheet
Quick reference for network reconnaissance, port scanning, and traffic analysis.
Nmap
Basic Scans
# Quick scan
nmap <target>
# Version detection
nmap -sV <target>
# OS detection
nmap -O <target>
# Aggressive scan (OS, version, scripts, traceroute)
nmap -A <target>
# All ports
nmap -p- <target>
# Specific ports
nmap -p 80,443,8080 <target>
# Port range
nmap -p 1-1000 <target>
Scan Types
# TCP SYN (stealth) - default when run as root (needs raw sockets)
nmap -sS <target>
# TCP connect - no root needed
nmap -sT <target>
# UDP scan
nmap -sU <target>
# Combined TCP/UDP
nmap -sS -sU <target>
# NULL scan (no flags)
nmap -sN <target>
# FIN scan
nmap -sF <target>
# Xmas scan (URG, PSH, FIN)
nmap -sX <target>
Speed and Timing
# Timing templates (0=paranoid, 5=insane)
nmap -T0 <target> # Slowest, IDS evasion
nmap -T3 <target> # Normal (default)
nmap -T4 <target> # Aggressive
nmap -T5 <target> # Fastest
# Packet rate bounds (packets per second): --min-rate sets a floor, --max-rate a cap
nmap --min-rate 1000 <target>
nmap --max-rate 100 <target>
Output Formats
# Normal output
nmap -oN scan.txt <target>
# Grepable output
nmap -oG scan.grep <target>
# XML output
nmap -oX scan.xml <target>
# All formats
nmap -oA scan <target>
NSE Scripts
# Default scripts
nmap -sC <target>
nmap --script=default <target>
# Specific script
nmap --script=http-title <target>
# Script categories
nmap --script=vuln <target>
nmap --script=safe <target>
nmap --script=discovery <target>
# Multiple scripts
nmap --script=http-title,http-headers <target>
# Wildcard
nmap --script=http-* <target>
# Script help
nmap --script-help=http-title
Common Script Categories
| Category | Description |
|---|---|
| auth | Authentication bypass |
| broadcast | Network discovery |
| brute | Brute force attacks |
| default | Safe, useful scripts |
| discovery | Information gathering |
| exploit | Exploit vulnerabilities |
| fuzzer | Fuzzing tests |
| safe | Won't crash targets |
| vuln | Vulnerability scanning |
Firewall Evasion
# Fragment packets (8 bytes)
nmap -f <target>
# Fragment packets (16 bytes)
nmap -ff <target>
# Custom MTU (must be multiple of 8)
nmap --mtu 24 <target>
# Decoy scan
nmap -D RND:10 <target>
nmap -D decoy1,decoy2,ME <target>
# Spoof source port
nmap -g 53 <target>
nmap --source-port 80 <target>
# Skip ping (assume host is up)
nmap -Pn <target>
# Custom HTTP User-Agent for the NSE http-* scripts
nmap --script-args http.useragent="Mozilla/5.0" <target>
# Scan delay (evade rate limiting)
nmap --scan-delay 1s <target>
# Bad checksum (test firewall response)
nmap --badsum <target>
Host Discovery
# Ping sweep
nmap -sn 192.168.1.0/24
# ARP ping (works only on the local network segment)
nmap -PR 192.168.1.0/24
# List scan (no probe, DNS only)
nmap -sL 192.168.1.0/24
# TCP SYN ping
nmap -PS22,80,443 <target>
# TCP ACK ping
nmap -PA80,443 <target>
# UDP ping
nmap -PU53 <target>
Favorite Commands
# Comprehensive scan
nmap -A -vv -sV -sC <target> -oA scan
# OSCP-style initial
nmap -sV -sC -oN initial.txt <target>
# Full port scan
nmap -T4 -sS -Pn -p- -oN allports.txt <target>
# Quick top 1000
nmap -sV -sC -T4 <target>
# Vuln scan
nmap --script=vuln -oN vulns.txt <target>
Wireshark
Display Filters
IP Filtering
ip.addr == 192.168.1.1 # Traffic to/from IP
ip.src == 192.168.1.1 # Source IP
ip.dst == 192.168.1.1 # Destination IP
ip.addr == 192.168.1.0/24 # Subnet
ip.addr != 192.168.1.1 # Exclude IP
Port Filtering
tcp.port == 80 # TCP port 80
udp.port == 53 # UDP port 53
tcp.port == 80 || tcp.port == 443 # HTTP or HTTPS
tcp.dstport == 443 # Destination port
tcp.srcport == 8080 # Source port
Protocol Filtering
http # HTTP traffic
dns # DNS traffic
tcp # TCP traffic
udp # UDP traffic
icmp # ICMP traffic
arp # ARP traffic
ssl || tls # Encrypted traffic
TCP Flags
tcp.flags.syn == 1 # SYN packets
tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN only
tcp.flags.reset == 1 # RST packets
tcp.flags == 0x002 # SYN flag
tcp.flags == 0x012 # SYN-ACK
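The hex forms above are just the TCP flag bits OR'd together (SYN = 0x002, ACK = 0x010, so SYN-ACK = 0x012), and a bare SYN to many distinct ports is what the Scan Types section's `-sS` looks like on the wire, while `-sN`, `-sF` and `-sX` produce flag combinations no normal client sends. The following is an added example (not from the original cheatsheet or from Wireshark) that decodes `tcp.flags` values the way the filters above match them and runs a simple scan-pattern check over constructed packet records shaped like `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags` output; the addresses and the `min_ports` threshold are assumptions.

```python
"""Decode tcp.flags bitmasks and flag scan-like traffic in packet records.

Added example; not from the original cheatsheet or from Wireshark. PACKETS
is constructed to resemble fields extracted with tshark."""
from collections import defaultdict

# Bit values Wireshark reports in tcp.flags (identical to the TCP header bits).
TCP_FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080,
}


def decode_flags(flags):
    """0x012 -> {'SYN', 'ACK'}; the set a `tcp.flags == 0x012` filter matches."""
    return {name for name, bit in TCP_FLAG_BITS.items() if flags & bit}


def classify(flags):
    """Name the probe type a single packet's flag combination suggests."""
    f = decode_flags(flags)
    if f == {"SYN"}:
        return "syn"          # tcp.flags.syn == 1 && tcp.flags.ack == 0
    if f == {"SYN", "ACK"}:
        return "syn-ack"
    if not f:
        return "null"         # no flags at all (nmap -sN)
    if f == {"FIN"}:
        return "fin"          # FIN alone, outside any handshake (nmap -sF)
    if f == {"FIN", "PSH", "URG"}:
        return "xmas"         # URG/PSH/FIN lit up together (nmap -sX)
    return "other"


# Constructed records: (ip.src, ip.dst, tcp.dstport, tcp.flags)
PACKETS = [
    ("10.0.0.5", "10.0.0.20", 22, 0x002),
    ("10.0.0.5", "10.0.0.20", 80, 0x002),
    ("10.0.0.5", "10.0.0.20", 443, 0x002),
    ("10.0.0.5", "10.0.0.20", 3389, 0x002),
    ("10.0.0.5", "10.0.0.20", 8080, 0x002),
    ("10.0.0.20", "10.0.0.5", 49152, 0x012),  # one SYN-ACK that came back
    ("10.0.0.5", "10.0.0.20", 22, 0x010),     # ACK completing that handshake
    ("10.0.0.9", "10.0.0.20", 80, 0x002),     # ordinary client opening a connection
    ("10.0.0.9", "10.0.0.20", 80, 0x018),     # PSH/ACK carrying request data
    ("10.0.0.7", "10.0.0.20", 25, 0x029),     # URG+PSH+FIN probe
    ("10.0.0.7", "10.0.0.20", 110, 0x000),    # no-flags probe
]


def find_scanners(packets, min_ports=4):
    """Return (sources sending bare SYNs to >= min_ports distinct targets,
    sources sending NULL/FIN/Xmas probes) computed from the records."""
    syn_targets = defaultdict(set)
    odd_probes = defaultdict(set)
    for src, dst, dport, flags in packets:
        kind = classify(flags)
        if kind == "syn":
            syn_targets[src].add((dst, dport))
        elif kind in ("null", "fin", "xmas"):
            odd_probes[src].add(kind)
    suspects = {src: len(t) for src, t in syn_targets.items() if len(t) >= min_ports}
    return suspects, {src: sorted(k) for src, k in odd_probes.items()}


if __name__ == "__main__":
    print(sorted(decode_flags(0x012)))
    suspects, odd = find_scanners(PACKETS)
    print("SYN-scan suspects:", suspects)
    print("NULL/FIN/Xmas senders:", odd)
```

Counting distinct (destination, port) pairs per source rather than raw SYNs is what keeps a busy but legitimate client from tripping the check; a threshold as low as 4 is only sensible on the constructed sample and should be tuned against a baseline capture of the network in question.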
HTTP Filtering
http.request # HTTP requests
http.response # HTTP responses
http.request.method == "GET" # GET requests
http.request.method == "POST" # POST requests
http.host contains "google" # Host contains
http.response.code == 200 # Status code
http.request.uri contains "login" # URI contains
Content Filtering
frame contains "password" # Frame contains string
http contains "admin" # HTTP contains
tcp contains "secret" # TCP contains
Analysis Filters
# Bad TCP
tcp.analysis.flags && !tcp.analysis.window_update
# Retransmissions
tcp.analysis.retransmission
# Slow round trip
tcp.analysis.initial_rtt > 1
# TCP delays
tcp.time_delta > 0.1
# Slow HTTP
http.time > 0.025
# Slow DNS
dns.time > 1
# Suspicious TTL
ip.ttl < 50 && ip.ttl > 30
# Filter out noise
!(eth.addr == ff:ff:ff:ff:ff:ff || arp || icmp || stp || cdp || lldp)
Special Operators
contains # Substring match (case-sensitive)
matches # Regex match
in {set} # Set membership (list of values and/or ranges)
Examples
frame contains "google"
http.host matches "\.(org|com|net)"
tcp.port in {80 443 8000..8004}
CLI Tools
dumpcap
# List interfaces
dumpcap -D
# Capture on interface
dumpcap -i 1 -w capture.pcapng
# Ring buffer (10 files, 500 MB each; filesize is given in kB)
dumpcap -i 1 -w capture.pcapng -b filesize:500000 -b files:10
tcpdump
# Capture all traffic
tcpdump -i eth0
# Capture to file
tcpdump -i eth0 -w capture.pcap
# Read from file
tcpdump -r capture.pcap
# Filter by host
tcpdump host 192.168.1.1
# Filter by port
tcpdump port 80
# Filter by protocol
tcpdump icmp
tcpdump tcp
# Verbose output
tcpdump -v -i eth0
tcpdump -vvv -i eth0
tshark
# Capture
tshark -i eth0 -w capture.pcap
# Read and filter
tshark -r capture.pcap -Y "http"
# Extract fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst
Service Enumeration
Common Ports
| Port | Service | Enumeration |
|---|---|---|
| 21 | FTP | nmap --script=ftp-* -p21 |
| 22 | SSH | nmap --script=ssh-* -p22 |
| 23 | Telnet | nmap --script=telnet-* -p23 |
| 25 | SMTP | nmap --script=smtp-* -p25 |
| 53 | DNS | nmap --script=dns-* -p53 |
| 80 | HTTP | nmap --script=http-* -p80 |
| 110 | POP3 | nmap --script=pop3-* -p110 |
| 139/445 | SMB | nmap --script=smb-* -p139,445 |
| 143 | IMAP | nmap --script=imap-* -p143 |
| 443 | HTTPS | nmap --script=ssl-*,http-* -p443 |
| 3306 | MySQL | nmap --script=mysql-* -p3306 |
| 3389 | RDP | nmap --script=rdp-* -p3389 |
| 5432 | PostgreSQL | nmap --script=pgsql-* -p5432 |
SMB Enumeration
# Enum shares
smbclient -L //<target> -N
nmap --script=smb-enum-shares -p445 <target>
# Connect to share
smbclient //<target>/share -U username
# Enum users
nmap --script=smb-enum-users -p445 <target>
# Check for vulnerabilities
nmap --script=smb-vuln-* -p445 <target>
# CrackMapExec
crackmapexec smb <target>
crackmapexec smb <target> --shares
crackmapexec smb <target> -u user -p pass
DNS Enumeration
# Zone transfer
dig axfr @<dns-server> <domain>
nmap --script=dns-zone-transfer -p53 <dns-server>
# Reverse lookup
dig -x <ip>
# DNS brute force
nmap --script=dns-brute <domain>
Useful Tools
| Tool | Purpose |
|---|---|
| nmap | Port scanning, service detection |
| masscan | Fast port scanning |
| Wireshark | Packet analysis |
| tcpdump | CLI packet capture |
| netcat | Network Swiss army knife |
| CrackMapExec | SMB/AD enumeration |
| enum4linux | SMB/Samba enumeration |
| Responder | LLMNR/NBT-NS poisoning |
Resources