Pivoting

Introduction

Once you have owned your victim's machine, it is time to pivot to other hosts and enumerate their open ports. In this section, you will find some techniques to perform such tasks.

Ping Sweep

The easiest way to find hosts on a network can be achieved by sending ICMP requests to each host and waiting for their reply.

Windows:

for /l %i in (1,1,254) do @ping -n 1 -w 100 X.X.X.%i | find "Reply"

Linux:

for i in {1..254} ;do (ping -c 1 X.X.X.$i | grep "bytes from" &) ;done

Port Scanning

Here are some "One-liners" that you can use to perform port scanning against your victim's system.

PowerShell:

1..65536 | % {echo ((new-object Net.Sockets.TcpClient).Connect(β€œX.X.X.X”,$_)) β€œPort $_ is open!”} 2>$null

Bash:

#!/bin/bash
temp=$(mktemp -t PortScan_XXXXXX)
for port in $(seq 1 65535); do
    timeout 2 bash -c "2>/dev/null echo '' > /dev/tcp/$1/$port " && echo "[*] Port $port - OPEN" | tee -a $temp &
done; wait
echo "Results stored at $temp"

Python:

#!/usr/bin/python3
import socket
import sys
for port in range(65536):
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 try:
  s.connect((sys.argv[1],port))
  print("Port ", port, " is open")
 except:
  pass
  #print("Port ", port, " is closed")

Tools

Here you have better tools to perform port scanning and ping sweep.

  • Nmap portable: Link

  • Minimalistic PowerShell TCP Scanner: Link

  • Minimalistic PowerShell UDP Scanner: Link

Last updated