The motivation behind this CTF Methodology - Network Reconnaissance post is to keep a cheat sheet of the scanning methods that come in handy when starting the reconnaissance phase on a CTF or lab box. I will try to keep the list updated as new boxes teach new scanning methods. Throughout, $RHOST stands for the target host (or the base of the target network range).

Network scanning

Nmap

Full TCP Nmap

Enumerate every TCP port and the service behind it, to spot easy-to-find vulnerabilities and to get a full picture of the applications/services running on the host in question.

nmap -sV -sC -p- -oN nmap.out -vvv $RHOST
  • -sV probes open ports to determine service/version info
  • -sC is equivalent to --script=default; --script=<Lua scripts> takes a comma-separated list of directories, script files or script categories
  • -p- scans all ports from 1 to 65535 (port 0 is excluded unless you ask for it explicitly with -p0-)
  • -oN writes normal, human-readable output to the given file (-oG and -oX give grepable and XML output, -oA writes all three; plain -o is not an nmap option)
  • -A enables OS detection, version detection, script scanning and traceroute (a shortcut for -O -sV -sC --traceroute; not used in the command above)
  • -T4 is a timing template, where T0 is very slow and T5 very fast (not used above; worth adding on a responsive lab box to speed up a full-port scan)
  • -vvv means very very very verbose; each v raises the verbosity level

Full UDP Nmap

UDP scanning is slow: an open UDP port usually sends no reply at all, so nmap has to wait out a timeout for every port it cannot classify. Start with the most common UDP ports (needs root) and widen the list only if nothing turns up.

nmap -sU --top-ports 20 -oN nmap-udp.out -vvv $RHOST

Stealthy

nmap -sS $RHOST
  • -sS is a SYN (half-open) scan: the TCP handshake is never completed. It is already nmap's default scan type when run as root, so a plain nmap run with privileges does exactly this; without root nmap falls back to a full connect scan (-sT)

Fast Scan

nmap $RHOST -F
  • -F scans the 100 most common ports instead of the default 1000

Only scan top 100

nmap $RHOST --top-ports 100
  • --top-ports N scans the N most common ports according to nmap's frequency table; --top-ports 100 covers the same set as -F

When no initial results

nmap -Pn -n -vvv -p1-500 -oN nmap-partial.out $RHOST
  • -Pn skips host discovery and scans the target even when it does not answer the ping probes; a firewalled box often looks "down" without it
  • -n skips reverse-DNS resolution, which saves time and avoids leaking the scan to a DNS server

Scan Targeted Ports

nmap -Pn -n -vvv -p22,80 -oN nmap-targeted.out $RHOST

Automated nmap scanning

nmapAutomator $RHOST All
  • All runs every scan type the script supports in sequence (quick port scan, full-port scan, script scan, UDP, vulnerability scripts and service-specific recon), writing each result to its own file

Check if ftp allows anonymous login

nmap -Pn -n -vvv -p21 -sC -sV $RHOST
  • the default script set (-sC) includes ftp-anon, which reports "Anonymous FTP login allowed" when the server accepts it; the same check alone is --script ftp-anon -p21

Scan for alive hosts in a CIDR range

nmap -sn -vvv $RHOST/24
  • -sn is a ping scan: host discovery only, no port scan

Scan for alive hosts in a CIDR range faster (no DNS), list the machines that are up, then filter only their IPs into a file

nmap -sn -n -vvv $RHOST/24 > ip-range.txt
grep -B 1 "Host is up" ip-range.txt
grep -B 1 "Host is up" ip-range.txt | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' > only-ip.txt
  • grep -B 1 prints the "Nmap scan report for <ip>" line that precedes each "Host is up"
  • with -vvv nmap also prints a "Nmap scan report for <ip> [host down]" line for every unreachable address, so the IP regex must run on the filtered "Host is up" output; running it over the whole file puts every scanned address into only-ip.txt
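Both the two-step pattern used above for a single host (full TCP scan, then "Scan Targeted Ports" on what it found) and the live-host filtering just shown are easier with nmap's grepable output (-oG) than with grep -B over normal output, because -oG prints one line per host with fixed "Host:", "Status:" and "Ports:" fields. The script below is an added example written for this post; it is not part of the original cheat sheet and not code shipped with nmap. It parses constructed -oG samples (the IPs, ports, timings and version string are made up to look like real output) and, when given a target, runs a two-stage scan in which the open ports found by a fast full-port pass feed a targeted -sV -sC pass. The function names live_hosts, open_ports, ports_for and two_stage_scan are mine, and the real-scan path assumes nmap is on the PATH and the target is reachable.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): parse nmap grepable
# output (-oG) so one scan's results can feed the next scan.
#
#   live_hosts <file>     -> one IP per line for every host nmap marked "Status: Up"
#   open_ports <file>     -> "<ip> <port,port,...>" for each host with open ports
#   ports_for <ip> <file> -> just the comma-separated open ports of one host
#   two_stage_scan <ip>   -> quick full-port scan, then -sV -sC on the open ports only
#
# Real -oG files separate fields with tabs; the parsers accept spaces or tabs.

# Every host line that carries "Status: Up" -> its IP (field 2), deduplicated.
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' "$1" | sort -u
}

# Port entries look like port/state/proto/owner/service/rpc/version/ and are
# separated by ", ". Keep only entries whose state is "open".
open_ports() {
  awk '/Ports:/ {
    host = $2
    sub(/.*Ports: /, "")                 # drop everything before the port list
    sub(/[ \t]*Ignored State:.*/, "")    # and the trailing summary after it
    n = split($0, entry, ", ")
    ports = ""
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")
      if (f[2] == "open")
        ports = ports (ports == "" ? "" : ",") f[1]
    }
    if (ports != "") print host, ports
  }' "$1"
}

# Open ports of a single host, ready to hand to nmap -p.
ports_for() {
  open_ports "$2" | awk -v h="$1" '$1 == h { print $2 }'
}

# Stage 1: fast discovery of all 65535 TCP ports (nmap's default scan type:
# SYN as root, connect scan otherwise). Stage 2: version/script scan limited
# to the ports stage 1 reported open. Assumes nmap is installed.
two_stage_scan() {
  target="$1"
  nmap -Pn -n -p- --min-rate 1000 -oG "nmap-${target}.gnmap" "$target" >/dev/null
  ports=$(ports_for "$target" "nmap-${target}.gnmap")
  [ -n "$ports" ] || { echo "no open TCP ports found on $target"; return 1; }
  nmap -Pn -n -sV -sC -p "$ports" -oN "nmap-${target}-targeted.out" "$target"
}

# ---- CONSTRUCTED sample data (made up, shaped like real -oG output) -------
SWEEP_SAMPLE=$(mktemp)
SCAN_SAMPLE=$(mktemp)
trap 'rm -f "$SWEEP_SAMPLE" "$SCAN_SAMPLE"' EXIT

cat > "$SWEEP_SAMPLE" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sn -n -v -oG - 10.10.10.0/24
Host: 10.10.10.1 ()   Status: Up
Host: 10.10.10.5 ()   Status: Up
Host: 10.10.10.7 ()   Status: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 3.21 seconds
EOF

cat > "$SCAN_SAMPLE" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -n -p- -oG - 10.10.10.5
Host: 10.10.10.5 ()   Status: Up
Host: 10.10.10.5 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///   Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 12.04 seconds
EOF

if [ "$#" -ge 1 ]; then
  two_stage_scan "$1"            # real scan: sh two-stage.sh 10.10.10.5
else
  echo "live hosts:"; live_hosts "$SWEEP_SAMPLE"      # 10.10.10.1 and 10.10.10.5
  echo "open ports:"; open_ports "$SCAN_SAMPLE"       # 10.10.10.5 22,80
fi
```

Run it without arguments to see the parsers work over the sample data, or as sh two-stage.sh $RHOST (as root for a SYN scan) against a real box. Splitting the work this way means the open-port list is available right after the quick pass, so manual enumeration can start while the slower -sV -sC pass runs only against ports that actually exist; the 443/closed and 8080/filtered entries in the sample show why the parser has to look at the state field rather than at every port on the line.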

Scan a specific IP range

nmap -sn $RHOST-100
  • an octet range such as 10.10.10.1-100 scans only the addresses in that interval; -sP is the old name for -sn and still works, but -sn is the current spelling

Knock that port

for x in 7000 8000 9000; do nmap -Pn --host-timeout 2s --max-retries 0 -p $x $RHOST; done
  • each iteration sends a single probe to one port and gives up immediately, so the sequence arrives in order at a port-knocking daemon that then opens the real service; the order of the ports is the secret, so take it from whatever hint the box gives you
  • --host-timeout takes a unit (ms, s, m, h) and nmap refuses values of 1500 ms or less, so the often-copied bare 201 fails on current versions; 2s is short enough for a knock

Find unused IP addresses and store in a text file

nmap -v -sn -n $RHOST/24 | grep down | awk '{print $5}' > filename.txt
  • -v makes nmap print a "Nmap scan report for <ip> [host down]" line for unreachable hosts, and -n keeps the fifth field an IP (with DNS enabled a resolvable host prints "name (ip)" instead)

Don't ping (skip host discovery)

nmap -Pn -vvv $RHOST
  • -Pn treats every target as up and goes straight to port scanning; -PN is the old spelling and is still accepted

Grab a banner

telnet $RHOST port
nc -nv $RHOST port
curl -iv $RHOST
  • telnet and nc open a raw TCP connection and print whatever the service says first (SSH, FTP and SMTP announce themselves); in nc, -n skips DNS and -v reports whether the connection succeeded
  • curl -i prints the HTTP response headers (Server: and X-Powered-By: are the banner here) and -v shows the request that was sent as well