Misc. Methods


Last updated 8 months ago

Research is a pivotal part of any methodology: when a scan turns up something you do not recognise (a service, a version banner, an NSE script result), stop and look it up. The nmap NSE documentation and other people's write-ups of the same service show which tactics have worked in similar situations, so you can pick an approach that fits the target in front of you instead of guessing. Thorough research is what turns a list of open ports into informed decisions about what to try next.

Methodology: Host discovery -> Port Scanning -> Service Version Detection

Using nmap in Metasploit

Metasploit can keep nmap results in its database, so hosts, ports and services are available to every module and to the msfconsole hosts/services commands without re-scanning. There are two routes: scan with nmap and import the XML, or run nmap from inside msfconsole with db_nmap, which imports the results automatically.

Step 1: Run Nmap and save the results as XML

nmap [IP] -oX result.xml

Only the XML output (-oX) can be imported; the normal text output cannot. Adding -sV to this scan makes the service column after import come from version detection rather than just the port-number table.

Step 2: Start Metasploit Framework & Create a Workspace (Optional)

msfconsole
workspace                # list workspaces; the active one is marked
workspace -a meta-nmap   # create a new workspace and switch to it

Step 3: Check DB Status and Import Nmap Result

db_status                # should report a connected postgresql database
db_import result.xml

If db_status reports no database connection, initialise the database first (on Kali: msfdb init, then restart msfconsole); db_import silently has nowhere to store results otherwise.

Step 4: View Hosts & Services

msf6 > hosts

## SAMPLE RESULT (columns abridged) ______________

Address         Name           OS        State
------------------------------------------------
192.168.1.10    target-host    Linux    alive

msf6 > services

## SAMPLE RESULT (columns abridged) ______________

Port    Protocol   Name         State
--------------------------------------------
22     tcp        ssh          open
80     tcp        http         open

Step 5: Run nmap directly from MSF

db_nmap -Pn -sS -O -p- [IP]

db_nmap takes the same options as nmap and writes the results straight into the current workspace. -sS (SYN scan) and -O (OS detection) need raw-socket privileges, so start msfconsole as root (or via sudo) for this command.

SMB (Recon + Scan) with nmap

Targets:

  • Identify SMB Protocol Dialects

  • Find SMB security level information (is message signing required, supported or disabled?)

  • Enumerate active sessions, shares, Windows users, domains, services, etc.

## SMB Scripts
## All of these run against TCP/445. Unauthenticated runs rely on guest/null sessions;
## pass smbusername/smbpassword as script-args for authenticated enumeration.

## Identify SMB Protocol Dialects
## general service/version scan first, then the dedicated script
nmap -Pn -sS -T4 -sV [host]
https://nmap.org/nsedoc/scripts/smb-protocols.html
nmap -p445 --script smb-protocols [host]

## Find SMB security level information (message_signing: required / supported / disabled)
https://nmap.org/nsedoc/scripts/smb-security-mode.html
nmap -p445 --script smb-security-mode [host]

## Enumerate active sessions, shares, Windows users, domains, services, etc.
## administrator / smbserver_771 / demo.ine.local are the lab credentials and host used
## in these notes; substitute your own.
Sessions:
nmap -p445 --script smb-enum-sessions [host]
nmap -p445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local

Shares:
nmap -p445 --script smb-enum-shares demo.ine.local
nmap -p445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local

Users:
nmap -p445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local

All smb related scripts:
## smb-* also matches smb-brute, smb-flood (dos category) and the smb-vuln-* checks,
## so expect noise, slow runs and possible account lockouts; narrow the pattern on a
## production target.
nmap -p445 --script smb-* --script-args smbusername=administrator,smbpassword=smbserver_771 demo.ine.local
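The following script is an added example, not code from this page or from nmap/Metasploit. It serves both sections above: it parses an nmap -oX file the way db_import does (rebuilding the hosts/services view from Step 4) and then triages the SMB script results, flagging an accepted SMBv1 dialect and SMB signing that is not required. The embedded XML is constructed to mimic nmap's output for `nmap -p445 --script smb-protocols,smb-security-mode -oX result.xml`; the `<table>`/`<elem>` layout and key names such as `message_signing` are assumptions that follow nmap's XML schema and those scripts' structured output, and the host, name and ports are invented.

```python
"""Triage an nmap -oX result: rebuild the hosts/services view that Metasploit's
db_import stores, then flag weak SMB settings reported by the NSE scripts.

Added example. SAMPLE_XML is constructed (not a real scan) to resemble nmap's
XML output for: nmap -p445 --script smb-protocols,smb-security-mode -oX result.xml
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p445 --script smb-protocols,smb-security-mode -oX result.xml 192.168.1.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="target-host" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" method="table"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="table"/></port>
      <port protocol="tcp" portid="3389"><state state="closed" reason="reset"/><service name="ms-wbt-server" method="table"/></port>
    </ports>
    <hostscript>
      <script id="smb-protocols" output="dialects: ...">
        <table title="dialects">
          <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
          <elem>2:0:2</elem>
          <elem>2:1:0</elem>
          <elem>3:0:0</elem>
        </table>
      </script>
      <script id="smb-security-mode" output="message_signing: disabled ...">
        <elem key="account_used">guest</elem>
        <elem key="authentication_level">user</elem>
        <elem key="challenge_response">supported</elem>
        <elem key="message_signing">disabled</elem>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per <host>: address, name, state, services and a map of
    script id -> <script> element. This is the data db_import keeps and that
    the msfconsole `hosts` / `services` commands display."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        addr = h.find("address[@addrtype='ipv4']") or h.find("address")
        hostname = h.find("hostnames/hostname")
        services = []
        for p in h.iter("port"):
            svc = p.find("service")
            services.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "name": svc.get("name") if svc is not None else "",
                "state": p.find("state").get("state"),
            })
        # hostscript and per-port script blocks both appear as <script id=...>
        scripts = {s.get("id"): s for s in h.iter("script")}
        hosts.append({
            "address": addr.get("addr"),
            "name": hostname.get("name") if hostname is not None else "",
            "state": h.find("status").get("state"),
            "services": services,
            "scripts": scripts,
        })
    return hosts


def smb_findings(host):
    """Flag an accepted SMBv1 dialect and signing that is not enforced.
    Signing 'disabled' or merely 'supported' means the server will accept a
    session whose authentication was relayed from elsewhere."""
    findings = []
    proto = host["scripts"].get("smb-protocols")
    if proto is not None:
        dialects = [e.text or "" for e in proto.iter("elem")]
        if any("SMBv1" in d for d in dialects):
            findings.append("SMBv1 dialect accepted")
    mode = host["scripts"].get("smb-security-mode")
    if mode is not None:
        values = {e.get("key"): e.text for e in mode.iter("elem")}
        signing = values.get("message_signing")
        if signing in ("disabled", "supported"):
            findings.append(f"SMB signing {signing}, not required (relay target)")
    return findings


def triage(xml_text):
    """Map each scanned address to its list of SMB findings."""
    return {h["address"]: smb_findings(h) for h in parse_hosts(xml_text)}


if __name__ == "__main__":
    for h in parse_hosts(SAMPLE_XML):
        print(h["address"], h["name"], h["state"])
        for s in h["services"]:
            if s["state"] == "open":
                print(f"  {s['port']}/{s['proto']}  {s['name']}")
        for f in smb_findings(h):
            print("  [!]", f)
```

Point it at a real file with `triage(open("result.xml").read())`; because every script result is kept in the `scripts` map, adding a check for another NSE script (smb-enum-shares, for instance) is a matter of reading that element's `<elem>`/`<table>` children in a new function like `smb_findings`.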