Initial enums
This section collects the initial reconnaissance commands we run against the target network and its hosts; they apply to almost every CTF environment.
IP Range
# ARP sweep of the local segment (needs root; only finds hosts on the same L2 network)
netdiscover -r 10.10.10.0/24
# -sn: host discovery only, no port scan. -n skips reverse DNS so field 5 is always the IP;
# without it a resolved host prints "Nmap scan report for name (IP)" and cut would return the name.
nmap -sn -n 10.11.1.1-255 | grep "Nmap scan report for" | cut -d " " -f 5
# -sP is the old spelling of -sn; -PR forces ARP ping, which again only reaches the local segment
nmap -sP -PR -n 10.11.1.1-254 | grep "Nmap scan report for" | cut -d" " -f5
Rustscan
export RHOST=<IP Address>
rustscan $RHOST -t 500 -b 1500 -- -A
-t: timeout in milliseconds before a port is assumed closed (default 1500)
-b: batch size, the number of ports scanned concurrently; it is capped by the open-file limit (raise it with -u or ulimit -n)
--: everything after it is passed to nmap, which rustscan runs against the open ports it found
-A: nmap aggressive scan (OS detection, version detection, default scripts and traceroute)
Nmap
# Quick first pass: default scripts and version detection on the top 1000 ports, all output formats
nmap -sC -sV -oA nmap/init $RHOST
# Full TCP range, only reporting open ports and why nmap thinks so
sudo nmap -p- -sV -vv --open --reason $RHOST
# --max-retries 0 trades accuracy for speed: dropped probes are never resent, so ports can be missed on lossy links
sudo nmap -vv -sC -sV -p- -oA nmap/all --max-retries 0 $RHOST
# OneTwoPunch: unicornscan sweeps every port, then nmap runs version detection on what it found (needs unicornscan installed)
https://raw.githubusercontent.com/superkojiman/onetwopunch/master/onetwopunch.sh
# -t: file with one target IP per line (required); -p: tcp, udp or all
onetwopunch.sh -t ip.txt -p tcp
# Scan for UDP (-sU needs root and is slow over the full range; a --top-ports pass first is the usual compromise)
sudo nmap 10.11.1.111 -sU
unicornscan -mU -v -I 10.11.1.111
# Connect to an open TCP/UDP port by hand to grab a banner or talk to the service
nc 10.10.10.10 80
nc -u 10.11.1.111 48772
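The two parsing steps the commands above depend on, written out as reusable shell functions. This is an added example, not code from the original page: it extracts target IPs from nmap host-discovery output (handling the resolved-name case that breaks a plain `cut -f5`), pulls the open ports out of a full-sweep grepable file, and builds the targeted `-sC -sV` scan that follows. The nmap output embedded below is constructed sample data, not a real capture, and the `nmap/targeted` output prefix is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not part of the original cheat sheet). Sample scan output is constructed.
set -eu

# Pull target IPs out of "nmap -sn" output. Field 5 of "Nmap scan report for X"
# is the IP only when reverse DNS is off (-n); with a resolved name the line reads
# "Nmap scan report for name (IP)", so in that case take the parenthesised last field.
extract_hosts() {
    awk '/^Nmap scan report for/ {
        ip = $5
        if ($NF ~ /^\(.*\)$/) { ip = $NF; gsub(/[()]/, "", ip) }
        print ip
    }'
}

# Turn grepable output of a full TCP sweep (nmap -p- -oG -) into a comma-separated
# list of open ports for "nmap -p". Each entry looks like 22/open/tcp//ssh///.
extract_open_ports() {
    awk -F'Ports: ' '/Ports:/ {
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open") {
                sep = (ports == "") ? "" : ","
                ports = ports sep f[1]
            }
        }
    } END { print ports }'
}

# Build the targeted service scan that follows the full sweep. $1 = host, $2 = port list.
build_service_scan() {
    printf 'nmap -sC -sV -p %s -oA nmap/targeted %s\n' "$2" "$1"
}

# ---- constructed sample data standing in for real scan output ----
SAMPLE_SWEEP='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.11.1.5
Host is up (0.0010s latency).
Nmap scan report for fileserver.lab (10.11.1.10)
Host is up (0.0020s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.10 seconds'

SAMPLE_GREPABLE=$(printf '# Nmap 7.94 scan initiated\nHost: 10.11.1.5 ()\tStatus: Up\nHost: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)\n# Nmap done\n')

# Run with "demo" as the first argument to see the pipeline on the sample data.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SWEEP" | extract_hosts
    ports=$(printf '%s\n' "$SAMPLE_GREPABLE" | extract_open_ports)
    build_service_scan 10.11.1.5 "$ports"
fi
```

Against a live target the same functions are fed by real scans: `nmap -sn -n 10.11.1.1-254 | extract_hosts` and `sudo nmap -p- --open -oG - $RHOST | extract_open_ports`. Re-scanning only the discovered ports with `-sC -sV` is what keeps the second pass fast while still getting scripts and version probes on every open service.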
nmapAutomator
# -t All runs the Network, Port, Script, Full, UDP, Vulns and Recon stages in sequence; -o sets the output directory
nmapAutomator.sh -H $RHOST -t All
sudo nmapAutomator.sh -H $RHOST -t All -o nmapautomator/
Autorecon
# Run as root (the UDP and OS-detection scans need it); -E keeps $RHOST and PATH in the root shell
sudo -E su -p
/opt/enum/AutoRecon/autorecon.py -vv -o autorecon/ $RHOST
Sparta
# Optional GUI pass over the same targets, for assurance. SPARTA is unmaintained and written for Python 2.7/PyQt4;
# its Python 3 successor is Legion (https://github.com/GoVanguard/legion).
https://github.com/SECFORCE/sparta
cd /opt/enum/sparta
python sparta.py