The Pentesting Guide

Pivoting

Introduction

Once you have compromised a host, the next step is to pivot: use it as a foothold to discover the other hosts on the networks it can reach (often internal ranges that were not visible from your attacking machine) and enumerate their open ports. This section collects techniques for doing that from the compromised host itself, using only tools that are typically already installed on it.

Ping Sweep

The easiest way to find live hosts on a network is to send an ICMP echo request to every address in the range and watch for replies. Keep in mind that hosts which filter ICMP (a common default on firewalled Windows machines) will not show up here; a TCP port scan of the range, as described below, catches those.

Windows (cmd.exe; inside a .bat file write %%i instead of %i). Filter on "TTL=" rather than "Reply": the line "Reply from <your-ip>: Destination host unreachable" also contains the word "Reply" and would otherwise be reported as a live host.

for /l %i in (1,1,254) do @ping -n 1 -w 100 X.X.X.%i | find "TTL="

Linux:

for i in {1..254}; do (ping -c 1 -W 1 X.X.X.$i | grep "bytes from" &); done
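The two loops above are tied to their shell and, on Windows, are easy to fool with "Destination host unreachable" lines. As an added example (not code from the original page), here is the same sweep in Python so it runs unchanged from a Windows, Linux or macOS foothold: it shells out to the local ping binary, probes the range concurrently, and decides liveness by the presence of a TTL field rather than by the word "Reply" or by ping's exit code (on Windows, ping exits 0 when it receives an "unreachable" reply). The /24 prefix, per-host timeouts and worker count are assumptions to adjust for the network you are in; the sample ping output lines mentioned in the comments are constructed.

```python
#!/usr/bin/env python3
# Added example: cross-platform ICMP ping sweep driven from a compromised host.
# Usage: ./pingsweep.py 10.10.10        (sweeps 10.10.10.1-254)
import platform
import re
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import List

# A genuine echo reply always carries a TTL field, both on Windows
# ("Reply from 10.0.0.1: bytes=32 time<1ms TTL=128") and on Linux/macOS
# ("64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.045 ms").
# "Reply from 10.0.0.7: Destination host unreachable." and "Request timed out."
# do not, so keying on TTL avoids the false positives that matching "Reply" gives.
_REPLY = re.compile(r"\bttl=\d+", re.IGNORECASE)


def ping_command(host: str) -> List[str]:
    """Build a single-echo ping invocation with a short wait for the local OS."""
    system = platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-w", "500", host]   # -w is in milliseconds
    if system == "Darwin":
        return ["ping", "-c", "1", "-W", "500", host]   # macOS: -W is in milliseconds
    return ["ping", "-c", "1", "-W", "1", host]         # Linux iputils: -W is in seconds


def is_alive(ping_output: str) -> bool:
    """True only if the captured ping output contains a real echo reply."""
    return bool(_REPLY.search(ping_output))


def ping_host(host: str) -> bool:
    """Ping one host; a missing ping binary or a hung process counts as down."""
    try:
        proc = subprocess.run(ping_command(host), capture_output=True,
                              text=True, timeout=3)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    # Exit code is deliberately ignored: Windows ping returns 0 for
    # "Destination host unreachable", so only the output is trustworthy.
    return is_alive(proc.stdout)


def ping_sweep(prefix: str, start: int = 1, end: int = 254,
               workers: int = 64) -> List[str]:
    """Ping prefix.start .. prefix.end concurrently; return the hosts that replied."""
    hosts = [f"{prefix}.{i}" for i in range(start, end + 1)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = pool.map(ping_host, hosts)
    return [h for h, up in zip(hosts, alive) if up]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <first-three-octets, e.g. 10.10.10>")
    for h in ping_sweep(sys.argv[1]):
        print(f"[+] {h} is up")
```

Because liveness is decided by is_alive() on the captured text, the same parser works for the output of either operating system's ping, and the worker pool keeps a full /24 sweep to a few seconds even with a one-second wait per host.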

Port Scanning

Here are some one-liners and short scripts for a TCP connect scan of a target from the compromised host, for when you cannot bring nmap over. All of them complete a full TCP handshake on every port, so they are noisy and, across all 65535 ports, slow; narrow the port range whenever you can.

PowerShell (a filtered port blocks until the .NET connect timeout expires, so expect this to be slow against firewalled hosts):

1..65535 | % { try { (New-Object Net.Sockets.TcpClient).Connect("X.X.X.X", $_); "Port $_ is open!" } catch {} }

Bash:

#!/bin/bash
# Usage: ./portscan.sh <target-ip>
# Uses bash's /dev/tcp pseudo-device, so no nc or nmap is needed on the pivot host.
# Every port is probed in a background process, so a full range may hit the process ulimit.
[ -z "$1" ] && { echo "Usage: $0 <target-ip>"; exit 1; }
temp=$(mktemp -t PortScan_XXXXXX)
for port in $(seq 1 65535); do
    timeout 2 bash -c "2>/dev/null echo '' > /dev/tcp/$1/$port" && echo "[*] Port $port - OPEN" | tee -a "$temp" &
done; wait
echo "Results stored at $temp"

Python:

#!/usr/bin/python3
# Usage: ./portscan.py <target-ip>
import socket
import sys

target = sys.argv[1]
for port in range(1, 65536):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1)  # without this, a filtered port blocks for the OS default (often over a minute)
    try:
        s.connect((target, port))
        print("Port", port, "is open")
    except OSError:
        pass  # closed (RST) or filtered (timeout)
    finally:
        s.close()
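The snippets above probe ports one after another, so even with a one-second timeout a filtered host takes the better part of a day to cover fully. As an added example (not the page's own code), here is a threaded TCP connect scanner that accepts an nmap-style port specification such as "22,80,8000-8010", rejects out-of-range ports, bounds every connect with a timeout, and probes ports in parallel. The default worker count and timeout are assumptions to tune for the link you are pivoting through.

```python
#!/usr/bin/env python3
# Added example: threaded TCP connect scanner for use from a pivot host.
# Usage: ./tcpscan.py <target-ip> [ports]    e.g. ./tcpscan.py 10.10.10.5 22,80,443,8000-8100
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List


def parse_ports(spec: str) -> List[int]:
    """Turn '22,80,8000-8010' into a sorted list of unique ports.

    Anything outside 1-65535 raises ValueError, so a typo cannot silently
    turn into a probe of port 0 or an out-of-range value.
    """
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a full TCP handshake completes; False on RST or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return False


def scan(host: str, ports: Iterable[int], timeout: float = 1.0,
         workers: int = 200) -> List[int]:
    """Probe every port concurrently; return the open ones in the order given."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p, timeout), ports)
    return [p for p, is_open in zip(ports, results) if is_open]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <target-ip> [ports]")
    target = sys.argv[1]
    spec = sys.argv[2] if len(sys.argv) > 2 else "1-65535"
    for p in scan(target, parse_ports(spec)):
        print(f"[*] Port {p} - OPEN")
```

With 200 workers and a one-second timeout a full range against a host that drops packets finishes in roughly six minutes instead of eighteen hours; lower the worker count if the pivot host is a small VM or the link is fragile, because every in-flight connect is a half-open socket the target can see.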

Tools

Here are better tools for port scanning and ping sweeps, for when you can bring your own binaries onto the compromised host:

  • Nmap portable
  • Minimalistic PowerShell TCP Scanner
  • Minimalistic PowerShell UDP Scanner

Last updated 1 year ago