Nmap is a utility for network exploration or security auditing. It supports ping scanning, many port scanning techniques, version detection and TCP/IP fingerprinting.
sudo nmap -sS -A -v -sC $IP_ADDRESS
See: https://www.kali.org/tools/nmap/
Gobuster is a tool used to brute-force URIs, including directories and files, as well as DNS subdomains and virtual host names.
gobuster vhost -u http://$DOMAIN/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -k --append-domain
(vhost mode: --append-domain is a vhost-mode flag that appends the domain from -u to each wordlist entry, so the dir mode would reject it; -k skips TLS certificate validation. Directory enumeration is gobuster dir -u http://$DOMAIN/ -w $DIRECTORY_WORDLIST instead.)
Available Commands:
completion Generate the autocompletion script for the specified shell
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body
gcs Uses gcs bucket enumeration mode
help Help about any command
s3 Uses aws bucket enumeration mode
tftp Uses TFTP enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)
See: https://www.kali.org/tools/gobuster/
netstat prints network connections, routing tables, interface statistics, masquerade connections and multicast memberships; ss dumps socket statistics on Linux systems.
netstat -tulpen
ss -lntp
See: https://www.kali.org/tools/net-tools/#netstat
SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.
See: https://www.kali.org/tools/seclists/
This package contains a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
on the local machine (runs the chisel server and accepts reverse forwards):
chisel server -p $PORT --reverse
on the remote machine (runs the chisel client; each R:$FORWARD_PORT:$CLIENT_IP:$CLIENT_PORT opens $FORWARD_PORT on the server side and forwards it to $CLIENT_IP:$CLIENT_PORT as reachable from the client):
./chisel client $SERVER_IP:$SERVER_PORT R:$FORWARD_PORT:$CLIENT_IP:$CLIENT_PORT R:$FORWARD_PORT2:$CLIENT_IP2:$CLIENT_PORT2
Example:
./chisel client 10.10.14.199:50505 R:3000:127.0.0.1:3000 R:8001:127.0.0.1:8001
See: https://github.com/jpillora/chisel
open an SSH tunnel (local port forward: local $PORT is forwarded, via the SSH server, to $IP_ADDRESS:$PORT2 as seen from that server):
ssh -L$PORT:$IP_ADDRESS:$PORT2 $USER@$IP_ADDRESS
Example:
ssh -L50505:127.0.0.1:3000 [email protected]
find the service configured for a port by searching the configuration under /etc (2>/dev/null hides permission-denied errors):
grep -R $PORT /etc 2>/dev/null
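As an added example that is not part of the original cheat sheet, the following POSIX shell script combines the ss -lntp listing with the grep -R $PORT /etc search above: for every listening socket it reports the port, the owning process and the config files under a given directory that mention that port. The function name port_owners, the demo helper and the sample ss output are assumptions constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: combine the `ss -lntp`
# listing with the `grep -R $PORT /etc` search. For each LISTEN socket it
# reports the port, the owning process and the config files (relative to a
# directory such as /etc) that mention that port as a whole word.
# port_owners, demo and SAMPLE_SS are names chosen here for illustration.

# Constructed sample of `ss -lntp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=612,fd=3))
LISTEN 0      511        127.0.0.1:3000       0.0.0.0:*     users:(("node",pid=1337,fd=19))
LISTEN 0      4096       127.0.0.1:8001       0.0.0.0:*     users:(("chisel",pid=2048,fd=7))'

# port_owners <file with ss -lntp output> <config directory>
# Prints "<port> <process> <matching files or none>" per listening socket.
port_owners() {
    ss_file=$1
    conf_dir=$2
    grep '^LISTEN' "$ss_file" | while read -r _state _rq _sq laddr _peer proc; do
        port=${laddr##*:}                       # keep only the port number
        # users:(("node",pid=1337,fd=19)) -> node ; "?" when ss showed no process
        name=$(printf '%s' "$proc" | sed 's/^users:(("\([^"]*\)".*/\1/')
        name=${name:-?}
        # -R recurse, -l file names only, -w whole word so 22 does not match 2222,
        # 2>/dev/null hides "Permission denied" noise as in the grep line above
        files=$(cd "$conf_dir" && grep -R -l -w -- "$port" . 2>/dev/null | sort | tr '\n' ' ')
        files=${files% }
        printf '%s %s %s\n' "$port" "$name" "${files:-none}"
    done
}

# Demo on constructed data: a temporary config tree with one file naming port 3000.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SS" > "$tmp/ss.txt"
    mkdir -p "$tmp/etc/app"
    printf 'listen_port = 3000\n' > "$tmp/etc/app/app.conf"
    port_owners "$tmp/ss.txt" "$tmp/etc"
    rm -rf "$tmp"
}

# On a live system: ss -lntp > /tmp/ss.txt && port_owners /tmp/ss.txt /etc
```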