OSCP Learning Notes - Scanning(1)
TCP vs UDP
TCP:
- Connection-oriented
- Suited for applications that require high reliablity[HTTP, FTP,Telnet]
- Three-way handshake
UDP:
- Connectionless
- Suited for applications that need fast connection[DNS, DHCP, SNMP]
- No handshake
Scanning with Nmap
Example:
- nmap -sn -oN /root/sweep.txt 10.0.0.0/24
- nmap -vv -Pn -A -sS -T4 -p- -oN /root/scan1.txt 10.0.0.15
- namp -vv -Pn -A -sU -T4 --top-ports 200 -oN /root/udpscan.txt 10.0.0.15
- namp -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oN /root/udpscan2.txt 10.0.0.15
- nmap -vv -p 137 --script=all 10.0.0.15
cd /usr/share/nmap/scripts/ - need to study
acarsd-info.nse ip-forwarding.nse
address-info.nse ip-geolocation-geoplugin.nse
afp-brute.nse ip-geolocation-ipinfodb.nse
afp-ls.nse ip-geolocation-map-bing.nse
afp-path-vuln.nse ip-geolocation-map-google.nse
afp-serverinfo.nse ip-geolocation-map-kml.nse
afp-showmount.nse ip-geolocation-maxmind.nse
ajp-auth.nse ip-https-discover.nse
ajp-brute.nse ipidseq.nse
ajp-headers.nse ipmi-brute.nse
ajp-methods.nse ipmi-cipher-zero.nse
ajp-request.nse ipmi-version.nse
allseeingeye-info.nse ipv6-multicast-mld-list.nse
amqp-info.nse ipv6-node-info.nse
asn-query.nse ipv6-ra-flood.nse
auth-owners.nse irc-botnet-channels.nse
auth-spoof.nse irc-brute.nse
backorifice-brute.nse irc-info.nse
backorifice-info.nse irc-sasl-brute.nse
bacnet-info.nse irc-unrealircd-backdoor.nse
banner.nse iscsi-brute.nse
bitcoin-getaddr.nse iscsi-info.nse
bitcoin-info.nse isns-info.nse
bitcoinrpc-info.nse jdwp-exec.nse
bittorrent-discovery.nse jdwp-info.nse
bjnp-discover.nse jdwp-inject.nse
broadcast-ataoe-discover.nse jdwp-version.nse
broadcast-avahi-dos.nse knx-gateway-discover.nse
broadcast-bjnp-discover.nse knx-gateway-info.nse
broadcast-db2-discover.nse krb5-enum-users.nse
broadcast-dhcp6-discover.nse ldap-brute.nse
broadcast-dhcp-discover.nse ldap-novell-getpass.nse
broadcast-dns-service-discovery.nse ldap-rootdse.nse
broadcast-dropbox-listener.nse ldap-search.nse
broadcast-eigrp-discovery.nse lexmark-config.nse
broadcast-igmp-discovery.nse llmnr-resolve.nse
broadcast-listener.nse lltd-discovery.nse
broadcast-ms-sql-discover.nse maxdb-info.nse
broadcast-netbios-master-browser.nse mcafee-epo-agent.nse
broadcast-networker-discover.nse membase-brute.nse
broadcast-novell-locate.nse membase-http-info.nse
broadcast-ospf2-discover.nse memcached-info.nse
broadcast-pc-anywhere.nse metasploit-info.nse
broadcast-pc-duo.nse metasploit-msgrpc-brute.nse
broadcast-pim-discovery.nse metasploit-xmlrpc-brute.nse
broadcast-ping.nse mikrotik-routeros-brute.nse
broadcast-pppoe-discover.nse mmouse-brute.nse
broadcast-rip-discover.nse mmouse-exec.nse
broadcast-ripng-discover.nse modbus-discover.nse
broadcast-sonicwall-discover.nse mongodb-brute.nse
broadcast-sybase-asa-discover.nse mongodb-databases.nse
broadcast-tellstick-discover.nse mongodb-info.nse
broadcast-upnp-info.nse mqtt-subscribe.nse
broadcast-versant-locate.nse mrinfo.nse
broadcast-wake-on-lan.nse msrpc-enum.nse
broadcast-wpad-discover.nse ms-sql-brute.nse
broadcast-wsdd-discover.nse ms-sql-config.nse
broadcast-xdmcp-discover.nse ms-sql-dac.nse
cassandra-brute.nse ms-sql-dump-hashes.nse
cassandra-info.nse ms-sql-empty-password.nse
cccam-version.nse ms-sql-hasdbaccess.nse
cics-enum.nse ms-sql-info.nse
cics-info.nse ms-sql-ntlm-info.nse
cics-user-brute.nse ms-sql-query.nse
cics-user-enum.nse ms-sql-tables.nse
citrix-brute-xml.nse ms-sql-xp-cmdshell.nse
citrix-enum-apps.nse mtrace.nse
citrix-enum-apps-xml.nse murmur-version.nse
citrix-enum-servers.nse mysql-audit.nse
citrix-enum-servers-xml.nse mysql-brute.nse
clamav-exec.nse mysql-databases.nse
clock-skew.nse mysql-dump-hashes.nse
coap-resources.nse mysql-empty-password.nse
couchdb-databases.nse mysql-enum.nse
couchdb-stats.nse mysql-info.nse
creds-summary.nse mysql-query.nse
cups-info.nse mysql-users.nse
cups-queue-info.nse mysql-variables.nse
cvs-brute.nse mysql-vuln-cve2012-2122.nse
cvs-brute-repository.nse nat-pmp-info.nse
daap-get-library.nse nat-pmp-mapport.nse
daytime.nse nbd-info.nse
db2-das-info.nse nbstat.nse
deluge-rpc-brute.nse ncp-enum-users.nse
dhcp-discover.nse ncp-serverinfo.nse
dict-info.nse ndmp-fs-info.nse
distcc-cve2004-2687.nse ndmp-version.nse
dns-blacklist.nse nessus-brute.nse
dns-brute.nse nessus-xmlrpc-brute.nse
dns-cache-snoop.nse netbus-auth-bypass.nse
dns-check-zone.nse netbus-brute.nse
dns-client-subnet-scan.nse netbus-info.nse
dns-fuzz.nse netbus-version.nse
dns-ip6-arpa-scan.nse nexpose-brute.nse
dns-nsec3-enum.nse nfs-ls.nse
dns-nsec-enum.nse nfs-showmount.nse
dns-nsid.nse nfs-statfs.nse
dns-random-srcport.nse nje-node-brute.nse
dns-random-txid.nse nje-pass-brute.nse
dns-recursion.nse nntp-ntlm-info.nse
dns-service-discovery.nse nping-brute.nse
dns-srv-enum.nse nrpe-enum.nse
dns-update.nse ntp-info.nse
dns-zeustracker.nse ntp-monlist.nse
dns-zone-transfer.nse omp2-brute.nse
docker-version.nse omp2-enum-targets.nse
domcon-brute.nse omron-info.nse
domcon-cmd.nse openlookup-info.nse
domino-enum-users.nse openvas-otp-brute.nse
dpap-brute.nse openwebnet-discovery.nse
drda-brute.nse oracle-brute.nse
drda-info.nse oracle-brute-stealth.nse
duplicates.nse oracle-enum-users.nse
eap-info.nse oracle-sid-brute.nse
enip-info.nse oracle-tns-version.nse
epmd-info.nse ovs-agent-version.nse
eppc-enum-processes.nse p2p-conficker.nse
fcrdns.nse path-mtu.nse
finger.nse pcanywhere-brute.nse
fingerprint-strings.nse pcworx-info.nse
firewalk.nse pgsql-brute.nse
firewall-bypass.nse pjl-ready-message.nse
flume-master-info.nse pop3-brute.nse
fox-info.nse pop3-capabilities.nse
freelancer-info.nse pop3-ntlm-info.nse
ftp-anon.nse pptp-version.nse
ftp-bounce.nse puppet-naivesigning.nse
ftp-brute.nse qconn-exec.nse
ftp-libopie.nse qscan.nse
ftp-proftpd-backdoor.nse quake1-info.nse
ftp-syst.nse quake3-info.nse
ftp-vsftpd-backdoor.nse quake3-master-getservers.nse
ftp-vuln-cve2010-4221.nse rdp-enum-encryption.nse
ganglia-info.nse rdp-vuln-ms12-020.nse
giop-info.nse realvnc-auth-bypass.nse
gkrellm-info.nse redis-brute.nse
gopher-ls.nse redis-info.nse
gpsd-info.nse resolveall.nse
hadoop-datanode-info.nse reverse-index.nse
hadoop-jobtracker-info.nse rexec-brute.nse
hadoop-namenode-info.nse rfc868-time.nse
hadoop-secondary-namenode-info.nse riak-http-info.nse
hadoop-tasktracker-info.nse rlogin-brute.nse
hbase-master-info.nse rmi-dumpregistry.nse
hbase-region-info.nse rmi-vuln-classloader.nse
hddtemp-info.nse rpcap-brute.nse
hnap-info.nse rpcap-info.nse
hostmap-bfk.nse rpc-grind.nse
hostmap-crtsh.nse rpcinfo.nse
hostmap-ip2hosts.nse rsa-vuln-roca.nse
hostmap-robtex.nse rsync-brute.nse
http-adobe-coldfusion-apsa1301.nse rsync-list-modules.nse
http-affiliate-id.nse rtsp-methods.nse
http-apache-negotiation.nse rtsp-url-brute.nse
http-apache-server-status.nse rusers.nse
http-aspnet-debug.nse s7-info.nse
http-auth-finder.nse samba-vuln-cve-2012-1182.nse
http-auth.nse script.db
http-avaya-ipoffice-users.nse servicetags.nse
http-awstatstotals-exec.nse shodan-api.nse
http-axis2-dir-traversal.nse sip-brute.nse
http-backup-finder.nse sip-call-spoof.nse
http-barracuda-dir-traversal.nse sip-enum-users.nse
http-bigip-cookie.nse sip-methods.nse
http-brute.nse skypev2-version.nse
http-cakephp-version.nse smb2-capabilities.nse
http-chrono.nse smb2-security-mode.nse
http-cisco-anyconnect.nse smb2-time.nse
http-coldfusion-subzero.nse smb2-vuln-uptime.nse
http-comments-displayer.nse smb-brute.nse
http-config-backup.nse smb-double-pulsar-backdoor.nse
http-cookie-flags.nse smb-enum-domains.nse
http-cors.nse smb-enum-groups.nse
http-cross-domain-policy.nse smb-enum-processes.nse
http-csrf.nse smb-enum-services.nse
http-date.nse smb-enum-sessions.nse
http-default-accounts.nse smb-enum-shares.nse
http-devframework.nse smb-enum-users.nse
http-dlink-backdoor.nse smb-flood.nse
http-dombased-xss.nse smb-ls.nse
http-domino-enum-passwords.nse smb-mbenum.nse
http-drupal-enum.nse smb-os-discovery.nse
http-drupal-enum-users.nse smb-print-text.nse
http-enum.nse smb-protocols.nse
http-errors.nse smb-psexec.nse
http-exif-spider.nse smb-security-mode.nse
http-favicon.nse smb-server-stats.nse
http-feed.nse smb-system-info.nse
http-fetch.nse smb-vuln-conficker.nse
http-fileupload-exploiter.nse smb-vuln-cve2009-3103.nse
http-form-brute.nse smb-vuln-cve-2017-7494.nse
http-form-fuzzer.nse smb-vuln-ms06-025.nse
http-frontpage-login.nse smb-vuln-ms07-029.nse
http-generator.nse smb-vuln-ms08-067.nse
http-git.nse smb-vuln-ms10-054.nse
http-gitweb-projects-enum.nse smb-vuln-ms10-061.nse
http-google-malware.nse smb-vuln-ms17-010.nse
http-grep.nse smb-vuln-regsvc-dos.nse
http-headers.nse smtp-brute.nse
http-huawei-hg5xx-vuln.nse smtp-commands.nse
http-icloud-findmyiphone.nse smtp-enum-users.nse
http-icloud-sendmsg.nse smtp-ntlm-info.nse
http-iis-short-name-brute.nse smtp-open-relay.nse
http-iis-webdav-vuln.nse smtp-strangeport.nse
http-internal-ip-disclosure.nse smtp-vuln-cve2010-4344.nse
http-joomla-brute.nse smtp-vuln-cve2011-1720.nse
http-jsonp-detection.nse smtp-vuln-cve2011-1764.nse
http-litespeed-sourcecode-download.nse sniffer-detect.nse
http-ls.nse snmp-brute.nse
http-majordomo2-dir-traversal.nse snmp-hh3c-logins.nse
http-malware-host.nse snmp-info.nse
http-mcmp.nse snmp-interfaces.nse
http-methods.nse snmp-ios-config.nse
http-method-tamper.nse snmp-netstat.nse
http-mobileversion-checker.nse snmp-processes.nse
http-ntlm-info.nse snmp-sysdescr.nse
http-open-proxy.nse snmp-win32-services.nse
http-open-redirect.nse snmp-win32-shares.nse
http-passwd.nse snmp-win32-software.nse
http-phpmyadmin-dir-traversal.nse snmp-win32-users.nse
http-phpself-xss.nse socks-auth-info.nse
http-php-version.nse socks-brute.nse
http-proxy-brute.nse socks-open-proxy.nse
http-put.nse ssh2-enum-algos.nse
http-qnap-nas-info.nse ssh-auth-methods.nse
http-referer-checker.nse ssh-brute.nse
http-rfi-spider.nse ssh-hostkey.nse
http-robots.txt.nse ssh-publickey-acceptance.nse
http-robtex-reverse-ip.nse ssh-run.nse
http-robtex-shared-ns.nse sshv1.nse
http-security-headers.nse ssl-ccs-injection.nse
http-server-header.nse ssl-cert-intaddr.nse
http-shellshock.nse ssl-cert.nse
http-sitemap-generator.nse ssl-date.nse
http-slowloris-check.nse ssl-dh-params.nse
http-slowloris.nse ssl-enum-ciphers.nse
http-sql-injection.nse ssl-heartbleed.nse
http-stored-xss.nse ssl-known-key.nse
http-svn-enum.nse ssl-poodle.nse
http-svn-info.nse sslv2-drown.nse
http-title.nse sslv2.nse
http-tplink-dir-traversal.nse sstp-discover.nse
http-trace.nse stun-info.nse
http-traceroute.nse stun-version.nse
http-trane-info.nse stuxnet-detect.nse
http-unsafe-output-escaping.nse supermicro-ipmi-conf.nse
http-useragent-tester.nse svn-brute.nse
http-userdir-enum.nse targets-asn.nse
http-vhosts.nse targets-ipv6-map4to6.nse
http-virustotal.nse targets-ipv6-multicast-echo.nse
http-vlcstreamer-ls.nse targets-ipv6-multicast-invalid-dst.nse
http-vmware-path-vuln.nse targets-ipv6-multicast-mld.nse
http-vuln-cve2006-3392.nse targets-ipv6-multicast-slaac.nse
http-vuln-cve2009-3960.nse targets-ipv6-wordlist.nse
http-vuln-cve2010-0738.nse targets-sniffer.nse
http-vuln-cve2010-2861.nse targets-traceroute.nse
http-vuln-cve2011-3192.nse targets-xml.nse
http-vuln-cve2011-3368.nse teamspeak2-version.nse
http-vuln-cve2012-1823.nse telnet-brute.nse
http-vuln-cve2013-0156.nse telnet-encryption.nse
http-vuln-cve2013-6786.nse telnet-ntlm-info.nse
http-vuln-cve2013-7091.nse tftp-enum.nse
http-vuln-cve2014-2126.nse tls-alpn.nse
http-vuln-cve2014-2127.nse tls-nextprotoneg.nse
http-vuln-cve2014-2128.nse tls-ticketbleed.nse
http-vuln-cve2014-2129.nse tn3270-screen.nse
http-vuln-cve2014-3704.nse tor-consensus-checker.nse
http-vuln-cve2014-8877.nse traceroute-geolocation.nse
http-vuln-cve2015-1427.nse tso-brute.nse
http-vuln-cve2015-1635.nse tso-enum.nse
http-vuln-cve2017-1001000.nse unittest.nse
http-vuln-cve2017-5638.nse unusual-port.nse
http-vuln-cve2017-5689.nse upnp-info.nse
http-vuln-cve2017-8917.nse url-snarf.nse
http-vuln-misfortune-cookie.nse ventrilo-info.nse
http-vuln-wnr1000-creds.nse versant-info.nse
http-waf-detect.nse vmauthd-brute.nse
http-waf-fingerprint.nse vmware-version.nse
http-webdav-scan.nse vnc-brute.nse
http-wordpress-brute.nse vnc-info.nse
http-wordpress-enum.nse vnc-title.nse
http-wordpress-users.nse voldemort-info.nse
http-xssed.nse vtam-enum.nse
iax2-brute.nse vuze-dht-info.nse
iax2-version.nse wdb-version.nse
icap-info.nse weblogic-t3-info.nse
iec-identify.nse whois-domain.nse
ike-version.nse whois-ip.nse
imap-brute.nse wsdd-discover.nse
imap-capabilities.nse x11-access.nse
imap-ntlm-info.nse xdmcp-discover.nse
impress-remote-discover.nse xmlrpc-methods.nse
informix-brute.nse xmpp-brute.nse
informix-query.nse xmpp-info.nse
informix-tables.nse
Scanning with Nessus
Download Website:https://www.tenable.com/
Start Nessus Service command: /etc/init.d/nessusd start
Auto start command: update-rc.d nessusd eanble
Nessus URL: https://localhost:8834

Example:
Basic Network Scan
S1:

S2:

S3:

S4:

OSCP Learning Notes - Scanning(1)的更多相关文章
- OSCP Learning Notes - Scanning(2)
Scanning with Metasploite: 1. Start the Metasploite using msfconsole 2. search modules 3.Choose one ...
- OSCP Learning Notes - Overview
Prerequisites: Knowledge of scripting languages(Bash/Pyhon) Understanding of basic networking concep ...
- OSCP Learning Notes - Exploit(7)
Pre-Exploit Password Attacks Tools: 1. ncrack Ncrack 0.6 ( http://ncrack.org )Usage: ncrack [Options ...
- OSCP Learning Notes - Privilege Escalation
Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...
- OSCP Learning Notes - Buffer Overflows(3)
Finding Bad Characters 1. Find the bad charaters in the following website: https://bulbsecurity.com/ ...
- OSCP Learning Notes - Buffer Overflows(2)
Finding the Offset 1. Use the Metasploite pattern_create.rb tool to create 5900 characters. /usr/sha ...
- OSCP Learning Notes - Buffer Overflows(1)
Introduction to Buffer Overflows Anatomy of Memory Anatomy of the Stack Fuzzing Tools: Vulnserver - ...
- OSCP Learning Notes - Netcat
Introduction to Netcat Connecting va Listening Bind Shells Attacker connects to victim on listening ...
- OSCP Learning Notes - Enumeration(4)
DNS Enumeration 1. Host Tool host is a simple utility for performing DNS lookups. It is normally use ...
随机推荐
- 精美图文讲解Java AQS 共享式获取同步状态以及Semaphore的应用
| 好看请赞,养成习惯 你有一个思想,我有一个思想,我们交换后,一个人就有两个思想 If you can NOT explain it simply, you do NOT understand it ...
- arduino连接1602LCD方法
arduino连接1602LCD方法 参考代码:
- 08.DRF-反序列化
三.反序列化使用 3.1 验证 使用序列化器进行反序列化时,需要对数据进行验证后,才能获取验证成功的数据或保存成模型类对象. 在获取反序列化的数据前,必须调用is_valid()方法进行验证,验证成功 ...
- Redis面试专题
Redis面试专题 1. 什么是redis? Redis 是一个基于内存的高性能key-value数据库. (有空再补充,有理解错误或不足欢迎指正) 2. Reids的特点 Redis本质上是一个Ke ...
- Vue数据更新页面没有更新问题总结
Vue数据更新页面没有更新问题总结 1. Vue无法检测实例别创建时不存在于data中的property 原因: 由于Vue会在初始化实例时对property执行getter/setter转化,所以p ...
- 前端基础:HTTP 协议详解
参考:https://kb.cnblogs.com/page/130970/#httpmeessagestructe HTTP协议是无状态的 http协议是无状态的,同一个客户端的这次请求和上次请求是 ...
- P2136 拉近距离
我也想有这样的爱情故事,可惜我单身 其实这道题就是一个比较裸的最短路问题.对于一个三元组 (S,W,T) ,S其实就是一个端点,而W就是到达的端点,连接两个端点的边长为-T,注意要取一个相反数,这样才 ...
- nginx配置奇怪问题记录
执行 nginx -t 检查配置报了如下错误: 下面是配置信息 遇到个很奇怪的问题,plm-api-stage 这么配置就可以正常校验过,但是改成 plm-stage-api,就会上面的警告信息: ...
- 'printf' Function
printf is not part of the C language; there is no input or output defined in C itself. printf is jus ...
- SpringCloud Alibaba (四):Dubbo RPC框架
Dubbo简介 Apache Dubbo |ˈdʌbəʊ| 是一款高性能.轻量级的开源Java RPC框架,它提供了三大核心能力:面向接口的远程方法调用,智能容错和负载均衡,以及服务自动注册和发现.致 ...