My Network Recon Checklist

Network Scan

# my preference
nmap -sV -sC -v -oA output <targetip>
nmap -p- -v <targetip>

#full tcp scan 
nmap -sC -sV -p- -vv -oA full ip
nmap -sT -p- --min-rate 10000 -oA nmap/alltcp ip


nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP> 
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP> 
nmap -p- --min-rate 10000 -oA scans/nmap-alltcp ip

nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>
nmap -p80 $ip –script http-put –script-args http-put.url=’/test/sicpwn.php’,httpput.le=’/var/www/html/sicpwn.php

#AutoRecon
ar -ct 4 -cs 10 -t examip.txt -o /root/oscp/exam/
ar -ct 4 -cs 10 ip
ar -ct 4 -cs 10 -t file.txt 
python3 autorecon.py -ct 4 -cs 10 


#Nmap Automator 
na ip  All
./nmapAutomator.sh ip All  

#onetwopunch
/onetwopunch.sh -t targets -p all -n "-sV -O --version-intensity=9" 

#reconnoitre
reconnoitre -t ip -o ~/oscp/practice/oscp1/tools-techniques/Reconnoitre/ --services
reconnoitre -t ip --services --quick -o /root
reconnoitre -t ip -o /root/oscp/exam/


#nikto 
nikto -host ip
nikto -h ip


For port knocking

for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x ip; done


#SNMP
#SNMP-Check
snmp-check ip
snmp-check $IP
snmpcheck -t $IP -c public
snmpcheck -t ip.X -c public

#onesixtyone
onesixtyone -c names -i hosts

#SNMPWALK
snmpwalk -c public -v1 $IP

#SNMPENUM
perl snmpenum.pl $IP public windows.txt

#NMAP SCRIPTS
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP
nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IP

#port knock
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done

Port Knocking

  1. Knock

    • apt-get install knockd

    • Then you simply type: knock [ip] [port]. For example: knock ip 4000 5000 6000

    • After that, rescan the host to see whether any new port has opened.

    • If you know which port is open, you can connect to it with netcat, e.g. `nc 192.168.1.102 8888`, which connects to that port.

  2. Nmap/bash

  3. for x in 4000 5000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done
