» Tags

Network

Network Enumeration Tools

Network Enumeration Tools Comprehensive collection of network enumeration tools and techniques for reconnaissance and penetration testing. Nmap Basic Network Scanning # Basic host discovery nmap -sn TARGET_NETWORK # Ping scan nmap -PE TARGET_IP # TCP SYN scan nmap -sS TARGET_IP # TCP connect scan nmap -sT TARGET_IP # UDP scan nmap -sU TARGET_IP # Comprehensive scan nmap -sS -sU -O -A -v TARGET_IP # Scan multiple targets nmap TARGET_IP1 TARGET_IP2 TARGET_IP3 # Scan network range nmap 192.168.1.0/24 # Scan from file nmap -iL targets.txt Advanced Nmap Options # Stealth scan nmap -sS -f TARGET_IP # Fragment packets nmap -sS -f -D RND:10 TARGET_IP # Decoy scan nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP # Source port scan nmap -sS --source-port 53 TARGET_IP # Timing template nmap -T0 TARGET_IP # Paranoid nmap -T1 TARGET_IP # Sneaky nmap -T2 TARGET_IP # Polite nmap -T3 TARGET_IP # Normal nmap -T4 TARGET_IP # Aggressive nmap -T5 TARGET_IP # Insane # Port range nmap -p 1-1000 TARGET_IP nmap -p 80,443,8080,8443 TARGET_IP nmap -p- TARGET_IP # All ports # Service detection nmap -sV TARGET_IP # OS detection nmap -O TARGET_IP # Script scanning nmap -sC TARGET_IP # Custom scripts nmap --script vuln TARGET_IP nmap --script safe TARGET_IP nmap --script auth TARGET_IP nmap --script discovery TARGET_IP nmap --script exploit TARGET_IP nmap --script malware TARGET_IP nmap --script intrusive TARGET_IP nmap --script version TARGET_IP nmap --script vuln,exploit TARGET_IP # Output formats nmap -oN results.txt TARGET_IP nmap -oX results.xml TARGET_IP nmap -oG results.grep TARGET_IP nmap -oA results TARGET_IP # All formats Nmap Scripts # HTTP enumeration nmap --script http-enum TARGET_IP nmap --script http-headers TARGET_IP nmap --script http-methods TARGET_IP nmap --script http-robots.txt TARGET_IP nmap --script http-sitemap-generator TARGET_IP nmap --script http-title TARGET_IP nmap --script http-vhosts TARGET_IP # SMB enumeration nmap --script smb-enum-shares TARGET_IP nmap --script smb-enum-users TARGET_IP nmap --script smb-enum-groups TARGET_IP nmap --script smb-enum-domains TARGET_IP nmap --script smb-os-discovery TARGET_IP nmap --script smb-protocols TARGET_IP nmap --script smb-security-mode TARGET_IP nmap --script smb-system-info TARGET_IP # SNMP enumeration nmap --script snmp-info TARGET_IP nmap --script snmp-brute TARGET_IP nmap --script snmp-communities TARGET_IP nmap --script snmp-hh3c-logins TARGET_IP nmap --script snmp-interfaces TARGET_IP nmap --script snmp-ios-config TARGET_IP nmap --script snmp-netstat TARGET_IP nmap --script snmp-processes TARGET_IP nmap --script snmp-public TARGET_IP nmap --script snmp-sysdescr TARGET_IP nmap --script snmp-win32-services TARGET_IP nmap --script snmp-win32-shares TARGET_IP nmap --script snmp-win32-software TARGET_IP nmap --script snmp-win32-users TARGET_IP # DNS enumeration nmap --script dns-brute TARGET_IP nmap --script dns-cache-snoop TARGET_IP nmap --script dns-client-subnet-scan TARGET_IP nmap --script dns-fingerprint TARGET_IP nmap --script dns-ip6-arpa-scan TARGET_IP nmap --script dns-nsec3-enum TARGET_IP nmap --script dns-nsec-enum TARGET_IP nmap --script dns-random-srcport TARGET_IP nmap --script dns-random-txid TARGET_IP nmap --script dns-recursion TARGET_IP nmap --script dns-service-discovery TARGET_IP nmap --script dns-srv-enum TARGET_IP nmap --script dns-zone-transfer TARGET_IP # FTP enumeration nmap --script ftp-anon TARGET_IP nmap --script ftp-bounce TARGET_IP nmap --script ftp-brute TARGET_IP nmap --script ftp-libopie TARGET_IP nmap --script ftp-proftpd-backdoor TARGET_IP nmap --script ftp-syst TARGET_IP nmap --script ftp-vsftpd-backdoor TARGET_IP nmap --script ftp-vuln-cve2010-4221 TARGET_IP # SSH enumeration nmap --script ssh-hostkey TARGET_IP nmap --script ssh-brute TARGET_IP nmap --script ssh-publickey-acceptance TARGET_IP nmap --script ssh-run TARGET_IP nmap --script ssh2-enum-algos TARGET_IP nmap --script sshv1 TARGET_IP # SMTP enumeration nmap --script smtp-commands TARGET_IP nmap --script smtp-enum-users TARGET_IP nmap --script smtp-ntlm-info TARGET_IP nmap --script smtp-open-relay TARGET_IP nmap --script smtp-strangeport TARGET_IP nmap --script smtp-vuln-cve2010-4344 TARGET_IP nmap --script smtp-vuln-cve2011-1720 TARGET_IP nmap --script smtp-vuln-cve2011-1764 TARGET_IP Masscan Basic Network Scanning # Basic port scan masscan -p80,443 TARGET_NETWORK # Scan all ports masscan -p0-65535 TARGET_NETWORK # Scan common ports masscan -p1-1000 TARGET_NETWORK # Scan specific ports masscan -p22,80,443,8080,8443 TARGET_NETWORK # Scan with rate limit masscan -p80,443 --rate=1000 TARGET_NETWORK # Scan with output file masscan -p80,443 -oG results.txt TARGET_NETWORK # Scan with XML output masscan -p80,443 -oX results.xml TARGET_NETWORK # Scan with JSON output masscan -p80,443 -oJ results.json TARGET_NETWORK # Scan with binary output masscan -p80,443 -oB results.bin TARGET_NETWORK Advanced Masscan Options # Stealth scan masscan -p80,443 --rate=100 TARGET_NETWORK # Randomize hosts masscan -p80,443 --randomize-hosts TARGET_NETWORK # Randomize ports masscan -p80,443 --randomize-ports TARGET_NETWORK # Adapter selection masscan -p80,443 --adapter eth0 TARGET_NETWORK # Source IP masscan -p80,443 --source-ip 192.168.1.100 TARGET_NETWORK # Source port masscan -p80,443 --source-port 40000 TARGET_NETWORK # Banner grab masscan -p80,443 --banners TARGET_NETWORK # Ping scan masscan --ping TARGET_NETWORK # ARP scan masscan --arp TARGET_NETWORK # ICMP scan masscan --icmp TARGET_NETWORK Zmap Basic Network Scanning # Basic port scan zmap -p 80 TARGET_NETWORK # Scan multiple ports zmap -p 80,443 TARGET_NETWORK # Scan port range zmap -p 80-443 TARGET_NETWORK # Scan with rate limit zmap -p 80 --rate=1000 TARGET_NETWORK # Scan with bandwidth limit zmap -p 80 --bandwidth=10M TARGET_NETWORK # Scan with output file zmap -p 80 -o results.txt TARGET_NETWORK # Scan with JSON output zmap -p 80 -o results.json TARGET_NETWORK # Scan with CSV output zmap -p 80 -o results.csv TARGET_NETWORK # Scan with binary output zmap -p 80 -o results.bin TARGET_NETWORK Advanced Zmap Options # Stealth scan zmap -p 80 --rate=100 TARGET_NETWORK # Randomize targets zmap -p 80 --shards=1/1 TARGET_NETWORK # Blacklist file zmap -p 80 --blacklist-file=blacklist.txt TARGET_NETWORK # Whitelist file zmap -p 80 --whitelist-file=whitelist.txt TARGET_NETWORK # Source IP zmap -p 80 --source-ip=192.168.1.100 TARGET_NETWORK # Source port zmap -p 80 --source-port=40000 TARGET_NETWORK # Interface selection zmap -p 80 --interface=eth0 TARGET_NETWORK # Gateway MAC zmap -p 80 --gateway-mac=00:11:22:33:44:55 TARGET_NETWORK # Probe module zmap -p 80 --probe-module=tcp_synscan TARGET_NETWORK # Output module zmap -p 80 --output-module=json TARGET_NETWORK Custom Scripts Python Network Scanner import socket import threading import queue import time import ipaddress def network_scanner(target, ports, threads=10, delay=0): def worker(): while True: try: port = ports.get() if port is None: break sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(1) result = sock.connect_ex((target, port)) if result == 0: print(f"[OPEN] {target}:{port}") sock.close() time.sleep(delay) except Exception as e: pass finally: ports.task_done() # Start threads for i in range(threads): t = threading.Thread(target=worker) t.daemon = True t.start() # Add ports to queue for port in range(1, 65536): ports.put(port) # Wait for completion ports.join() # Usage target = "TARGET_IP" ports = queue.Queue() network_scanner(target, ports, threads=100, delay=0.01) Bash Network Scanner #!/bin/bash TARGET_IP="TARGET_IP" THREADS=10 # Function to check port check_port() { local port=$1 local target=$2 if timeout 1 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null; then echo "[OPEN] $target:$port" fi } # Export function for parallel export -f check_port export TARGET_IP # Run parallel port check seq 1 65535 | parallel -j "$THREADS" check_port {} "$TARGET_IP" Network Discovery ARP Scanning # ARP scan arp-scan -l # ARP scan with interface arp-scan -I eth0 -l # ARP scan with output arp-scan -l -o results.txt # ARP scan with verbose arp-scan -l -v # ARP scan with quiet arp-scan -l -q # ARP scan with timeout arp-scan -l -t 1000 # ARP scan with retries arp-scan -l -r 3 # ARP scan with random arp-scan -l --random # ARP scan with local arp-scan -l --local ICMP Scanning # ICMP ping ping -c 4 TARGET_IP # ICMP ping with timestamp ping -D TARGET_IP # ICMP ping with flood ping -f TARGET_IP # ICMP ping with interval ping -i 0.2 TARGET_IP # ICMP ping with size ping -s 1000 TARGET_IP # ICMP ping with TTL ping -t 64 TARGET_IP # ICMP ping with verbose ping -v TARGET_IP # ICMP ping with quiet ping -q TARGET_IP UDP Scanning # UDP scan with nmap nmap -sU TARGET_IP # UDP scan with specific ports nmap -sU -p 53,67,68,69,123,135,137,138,139,161,162,445,500,514,520,631,1434,1900,4500,49152 TARGET_IP # UDP scan with service detection nmap -sU -sV TARGET_IP # UDP scan with OS detection nmap -sU -O TARGET_IP # UDP scan with scripts nmap -sU --script vuln TARGET_IP Service Detection Banner Grabbing # Telnet banner grab telnet TARGET_IP 80 # Netcat banner grab nc TARGET_IP 80 # Nmap banner grab nmap -sV --script banner TARGET_IP # Curl banner grab curl -I http://TARGET_IP # Wget banner grab wget --spider -S http://TARGET_IP # OpenSSL banner grab openssl s_client -connect TARGET_IP:443 # SMTP banner grab nc TARGET_IP 25 # FTP banner grab nc TARGET_IP 21 # SSH banner grab nc TARGET_IP 22 Service Enumeration # HTTP service enumeration nmap --script http-enum TARGET_IP nmap --script http-headers TARGET_IP nmap --script http-methods TARGET_IP nmap --script http-robots.txt TARGET_IP nmap --script http-sitemap-generator TARGET_IP nmap --script http-title TARGET_IP nmap --script http-vhosts TARGET_IP # SMB service enumeration nmap --script smb-enum-shares TARGET_IP nmap --script smb-enum-users TARGET_IP nmap --script smb-enum-groups TARGET_IP nmap --script smb-enum-domains TARGET_IP nmap --script smb-os-discovery TARGET_IP nmap --script smb-protocols TARGET_IP nmap --script smb-security-mode TARGET_IP nmap --script smb-system-info TARGET_IP # SNMP service enumeration nmap --script snmp-info TARGET_IP nmap --script snmp-brute TARGET_IP nmap --script snmp-communities TARGET_IP nmap --script snmp-hh3c-logins TARGET_IP nmap --script snmp-interfaces TARGET_IP nmap --script snmp-ios-config TARGET_IP nmap --script snmp-netstat TARGET_IP nmap --script snmp-processes TARGET_IP nmap --script snmp-public TARGET_IP nmap --script snmp-sysdescr TARGET_IP nmap --script snmp-win32-services TARGET_IP nmap --script snmp-win32-shares TARGET_IP nmap --script snmp-win32-software TARGET_IP nmap --script snmp-win32-users TARGET_IP Best Practices Rate Limiting # Add delay between requests nmap -T2 TARGET_IP # Use fewer threads nmap -T1 TARGET_IP # Use proxy rotation nmap -sS --proxies http://proxy1:8080,http://proxy2:8080 TARGET_IP Stealth Mode # Use random timing nmap -T3 --randomize-hosts TARGET_IP # Use fragment packets nmap -sS -f TARGET_IP # Use decoy scans nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP # Use source port spoofing nmap -sS --source-port 53 TARGET_IP Output Analysis # Save results to file nmap -oN results.txt TARGET_IP # Filter by port status grep "open" results.txt grep "filtered" results.txt grep "closed" results.txt # Filter by service grep "http" results.txt grep "ssh" results.txt grep "ftp" results.txt grep "smb" results.txt grep "snmp" results.txt Troubleshooting Common Issues # Connection timeout nmap -T1 TARGET_IP # Too many requests nmap -T0 TARGET_IP # Invalid target nmap -sn TARGET_NETWORK # Permission denied sudo nmap -sS TARGET_IP Performance Optimization # Use appropriate timing nmap -T4 TARGET_IP # Use smaller port ranges nmap -p 1-1000 TARGET_IP # Use specific scripts nmap --script vuln TARGET_IP Legal and Ethical Considerations Always obtain proper authorization before testing Respect rate limits and server resources Use appropriate tools for the target Document findings properly Follow responsible disclosure practices

1월 10, 2025 · 8 분