Test Connectivity
# Linux (iputils): ping runs until interrupted by default; -c3 sends exactly three echo
# requests and exits, with a non-zero status if none were answered (handy in scripts).
ping -c3 <TARGET>
Sample Output:
TO-DO
# Windows: ping sends four echo requests by default and stops
# (-n <count> changes the number, -t pings until interrupted).
ping <TARGET>
Sample Output:
TO-DO
# TCP connect test against a single port. Test-NetConnection also sends an ICMP echo
# for its PingSucceeded field, so a host that drops ICMP can still report
# TcpTestSucceeded : True when the port answers.
Test-NetConnection -ComputerName <TARGET> -Port <TARGET_PORT>
Sample Output:
TO-DO
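# With the ActiveDirectory module installed: enumerate every computer object and ping each
# once to learn its current IPv4 address. The ForEach-Object wrapper of the original added
# nothing ($_ inside the calculated property is already the computer being selected), and
# -ErrorAction SilentlyContinue stops stale/offline objects from flooding the console with
# errors (they simply show an empty IPAddress). This sends ICMP to every host in the
# domain, which is noisy; the module's IPv4Address property (DNS-resolved) is quieter.
Get-ADComputer -Filter * |
  Select-Object Name, @{ Name = 'IPAddress'; Expression = { (Test-Connection -ComputerName $_.Name -Count 1 -ErrorAction SilentlyContinue).IPV4Address } }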
Sample Output:
TO-DO
Test Reverse Connectivity
# Reverse connectivity: listen on the VPN interface for ICMP coming back from the target
# (start this, then ping your tun0 address from the target). -n skips reverse DNS so
# packets print immediately.
sudo tcpdump -n -i tun0 icmp
Sample Output:
TO-DO
Sniff Network Traffic
# Capture everything on eth0 to a pcap for offline analysis (Wireshark, tshark).
# Full packets are written, so the file can hold credentials and session tokens:
# treat it as sensitive. The sample run below writes to /dev/shm (tmpfs), which keeps
# the capture off persistent disk. Stop with Ctrl+C.
sudo tcpdump -w packets.pcap -i eth0
Sample Output:
root@NIX01:/dev/shm# sudo tcpdump -i eth0 -w packets.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C124 packets captured <----- Send Ctrl+C after some time
133 packets received by filter
0 packets dropped by kernel
# Watch one port on the loopback interface: catches local services talking to each other
# (e.g. a web app to its database) that never leave the host. -nn no name/port lookups,
# -X hex+ASCII payload dump, -s 0 full snaplen so nothing is truncated.
sudo tcpdump -i lo -nn -X -s 0 'port <TARGET_PORT>'
Sample Output:
TO-DO
# HTTPS interception as a TLS-terminating reverse proxy (this is not passive sniffing):
# clients must be steered to this host on 443 (DNS/hosts/ARP), and binding 443 needs root.
# mitmdump presents its own certificate for <DOMAIN>, so clients either trust the mitmproxy
# CA or must ignore certificate errors. --ssl-insecure disables verification of the
# upstream server's certificate: lab-only, since it leaves the proxy's own upstream leg
# open to interception. flow_detail=3 prints headers and (truncated) bodies; 4 is untruncated.
sudo ./mitmdump --listen-port 443 --mode reverse:https://<DOMAIN> --ssl-insecure --set flow_detail=3
Sample Output:
TO-DO
Ref: mitmproxy
Quick Subnet Scan
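# Ping sweep of a /24 (255.255.255.0): one echo request per host, all in parallel.
# -W 1 (iputils ping) caps the wait for an unanswered reply at 1 s so silent hosts do
# not hold their probe open for the default ~10 s. The trailing `wait` lets every probe
# finish before the prompt returns, so "bytes from" lines do not print over your next
# command (the original backgrounded each ping inside a subshell, which cannot be waited on).
# Hosts that drop ICMP are missed; confirm with a TCP scan if the sweep looks empty.
for i in {1..254}; do
  ping -c 1 -W 1 <SUBNET>.${i} | grep "bytes from" &
done
wait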
Sample Output:
TO-DO
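# Ping sweep of a /16 (255.255.0.0): 254 x 254 hosts. The naive nested loop forks ~64k
# pings at once and usually dies on the process/ulimit ceiling; here each /24 is fanned
# out in parallel and reaped with `wait` before the next one starts, so at most 254 pings
# are in flight. -W 1 bounds each unanswered probe to 1 s (iputils ping). Expect the full
# sweep to take several minutes and to be very visible on the wire.
for i in {1..254}; do
  for j in {1..254}; do
    ping -c 1 -W 1 <SUBNET>.${i}.${j} | grep "bytes from" &
  done
  wait
done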
Sample Output:
TO-DO
# Ping sweep of a /24 from PowerShell, one host at a time. -Quiet turns Test-Connection
# into a $true/$false check so unreachable hosts print nothing instead of an error.
# Serial, so each miss waits out the timeout; hosts that block ICMP are invisible.
1..254 | ForEach-Object {
  $ip = "<SUBNET>.$_"
  if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { "$ip is alive" }
}
Sample Output:
*Evil-WinRM* PS C:\Users\Administrator\Documents> 1..254 | % { $ip="172.16.1.$_"; if (Test-Connection $ip -Count 1 -Quiet) { "$ip is alive" } }
172.16.2.5 is alive
Quick Port Scan
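# Full-range TCP connect scan with netcat (-z connect only, -v report, -n no DNS).
# The original forked 65535 background netcats at once; a `wait` every 500 ports keeps
# the process count bounded, and -w 1 caps each connect at 1 s so filtered ports do not
# hang. "Connection refused" (closed) is filtered out, leaving open and timed-out ports.
# Loud: a 65k-port connect scan is trivially spotted by IDS and host-side logging.
for i in {1..65535}; do
  nc -zvn -w 1 <TARGET> "${i}" 2>&1 | grep -v "Connection refused" &
  if (( i % 500 == 0 )); then
    wait
  fi
done
wait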
Sample Output:
TO-DO
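# Serial TCP connect scan from PowerShell. The original never disposed its TcpClient
# (one leaked socket per open port) and used the blocking Connect(), so every filtered
# port waited out the full OS connect timeout. ConnectAsync().Wait(200) bounds each
# attempt to 200 ms; a refused connection faults the task and is swallowed by catch,
# and finally always releases the socket. Still one port at a time, so slower than a
# threaded scanner such as ascan below.
1..65535 | ForEach-Object {
  $c = New-Object Net.Sockets.TcpClient
  try {
    if ($c.ConnectAsync('<TARGET>', $_).Wait(200)) { "Port $_ is open!" }
  } catch {
  } finally {
    $c.Dispose()
  }
}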
Sample Output:
TO-DO
# Sliver `ascan` extension (ArtScan): threaded top-ports TCP scan executed by the implant,
# so probes originate inside the target network. The sample run below used 20 threads over
# the top 120 ports and finished a /24 in under 10 s; the Summary block lists open ports per host.
ascan <SUBNET>.1-254
Sample Output:
sliver (session) > ascan 192.168.99.1-254
[*] Successfully executed ascan
[*] Got output:
_____ _ _____
| _ |___| |_| __|___ ___ ___
| | _| _|__ | _| .'| |
|__|__|_| |_| |_____|___|__,|_|_|
ArtScan by @art3x ver 1.1
[.] Scanning IP(s): 192.168.99.1-254
[.] PORT(s): TOP 120
[.] Threads: 20 Rechecks: 0 Timeout: 100
192.168.99.1:445 is open.
192.168.99.1:139 is open.
192.168.99.1:464 is open.
192.168.99.1:88 is open.
192.168.99.1:389 is open.
192.168.99.1:80 is open. code:301 len:169 title:301 Moved Permanently
192.168.99.1:135 is open.
192.168.99.1:53 is open.
192.168.99.1:593 is open. ncacn_http/1.0
192.168.99.1:2179 is open.
192.168.99.1:3268 is open.
192.168.99.1:5985 is open. code:404 len:315 title:
192.168.99.1:47001 is open. code:404 len:315 title:
192.168.99.1:9389 is open.
------------------
192.168.99.2:445 is open.
192.168.99.2:139 is open.
192.168.99.2:135 is open.
192.168.99.2:5985 is open. code:404 len:315 title:
192.168.99.2:47001 is open. code:404 len:315 title:
------------------
192.168.99.12:22 is open. SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
------------------
Summary:
192.168.99.1: 53,80,88,135,139,389,445,464,593,2179,3268,5985,9389,47001
192.168.99.2: 135,139,445,5985,47001
192.168.99.12: 22
Scan Duration: 8.88 s
Ref: ascan
Check ARP Table
# ARP cache: -a BSD-style listing of all entries, -n numeric (no reverse DNS).
# Entries are hosts this box has exchanged frames with recently, so it is a zero-packet
# way to find neighbours. net-tools; `ip neigh` is the iproute2 equivalent.
arp -a -n
Sample Output:
TO-DO
# Same table without net-tools: columns are IP, HW type, flags, MAC, mask, device.
# Flags 0x2 is a complete entry, 0x0 an incomplete (unanswered) one.
cat /proc/net/arp
Sample Output:
TO-DO
Check IP
# Interfaces and addresses (net-tools; frequently absent on modern distros, see `ip addr` below).
ifconfig
Sample Output:
TO-DO
# Interfaces and addresses via iproute2 (`ip addr` is shorthand for the same `show` action).
ip address show
Sample Output:
TO-DO
# Fallback when both ifconfig and ip are missing: the IPv4 routing trie. The host's own
# addresses appear as /32 entries tagged LOCAL; directly attached subnets appear above them.
cat /proc/net/fib_trie
Sample Output:
TO-DO
# Windows: every adapter with MAC, DHCP and DNS servers and the connection-specific DNS
# suffix, which usually reveals the AD domain name.
ipconfig /all
Sample Output:
TO-DO
# Dump the DNS resolver cache: hostnames this machine has resolved recently, i.e. the
# servers and shares it actually talks to. Read-only recon (do not /flushdns).
ipconfig /displaydns
Sample Output:
TO-DO
# Locate a domain controller for <DOMAIN> through the DC locator; /force ignores the
# cached result and queries again. Output includes the DC name, address and site.
nltest /dsgetdc:<DOMAIN> /force
Sample Output:
TO-DO
# IPv4 address of every computer object. IPv4Address is not stored in AD; the module
# derives it by resolving DNSHostName, so this is quieter than pinging each host but
# only as accurate as DNS.
Get-ADComputer -Filter * -Properties IPv4Address | Select-Object -Property name, IPV4Address
Sample Output:
TO-DO
Check Network Connections
# TCP sockets: -t TCP, -a all (listening and established), -n numeric, -p owning
# PID/program, -l listening. As the sample output warns, -p only names processes you own
# unless run as root.
netstat -t -a -n -p -l
Sample Output:
$ netstat -plant
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
...[SNIP]...
# UDP (and TCP) listeners: -l listening only, -u UDP, -n numeric, -t TCP, -p owning
# PID/program. Note -t is included, so TCP listeners appear alongside the UDP ones;
# drop it for UDP alone. -p needs root to name other users' processes.
netstat -plunt
Sample Output:
$ netstat -plunt
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...[SNIP]...
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
...[SNIP]...
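# If netstat/ss are missing, read the kernel socket tables directly. State 0A is LISTEN and
# a remote address of all-zeros:0000 marks an unconnected listener; the same pattern matches
# the tail of the all-zero IPv6 address, so /proc/net/tcp6 is included too (2>/dev/null
# covers hosts with IPv6 disabled, -h drops the filename prefix). The local_address column
# is hex: the port follows the colon (0016 -> 22, printf '%d\n' 0x0016) and the IPv4 bytes
# are reversed on x86 (0100007F = 127.0.0.1).
grep -h '00000000:0000 0A' /proc/net/tcp /proc/net/tcp6 2>/dev/null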
Sample Output:
TO-DO
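# iproute2 replacement for netstat: -t TCP, -l listening, -n numeric, -p owning process,
# matching the netstat -p output above (non-root only sees its own processes). Add -u for UDP.
ss -tlnp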
Sample Output:
TO-DO
# Windows listening ports: -a all sockets, -n numeric, -o owning PID. findstr LISTENING
# keeps TCP listeners only (UDP rows have no state column and are dropped).
# Map a PID to its image with: tasklist /FI "PID eq <PID>"
netstat -ano | findstr LISTENING
Sample Output:
TO-DO
# Listening TCP sockets with the owning process name. Get-NetTCPConnection exposes only
# the PID (OwningProcess), so a calculated property resolves the name with Get-Process;
# a PID that has already exited or that you cannot open surfaces as an error, not a name.
Get-NetTCPConnection -State Listen |
  Select-Object -Property *, @{ Name = 'ProcessName'; Expression = { (Get-Process -Id $_.OwningProcess).Name } } |
  Format-Table -Property LocalAddress, LocalPort, OwningProcess, ProcessName
Sample Output:
TO-DO