Giant Penetration Testing Cheat Sheet for Linux Commands – II

Well, people, we are back with the second part of the Linux command cheat sheet series. We are continuing the article from the previous post; if you haven’t read the first edition of the series, we would ask you to read that part before this one. So, we pick up our Linux command journey from where we left it yesterday.

Network Interface & IP Commands

  • The ifconfig command displays interface information such as the MAC address, IPv4/IPv6 addresses, interface status, data transmitted and received, and so on.
  • To bring an interface that is shut down back up, use ifconfig [interface] up.
  • To display the current routing table, including the default route, use the route command.

Port and Service Commands

Back in the days of yore, Linux users relied on a tool called ipchains. These days, however, ipchains has lost its touch and become antique. Instead, the netstat command is used to inspect network connections and ports on Linux. This command has numerous features, such as:

  • To show all the ports in the listening state, the netstat -l command is used.
  • To show all the used ports, the netstat -a command is adopted.
  • To view all open UDP connections, the netstat -u command is helpful.
  • To view all open TCP connections, the netstat -t command is used.
  • To search all open connections and ports for a string such as http, pipe the output through grep: netstat -a | grep [protocol] (for example, netstat -a | grep http).

NMAP Command Reference

So, as we already told you at the beginning of the series, we will divide the Linux commands into three groups to study them better. Now we move on to the NMAP commands. Here we will study the NMAP commands in detail so that you are left with no doubts by the end.

Moreover, it should be noted that NMAP is highly versatile. It runs from the shell on numerous Linux distributions, and the data it generates can be “plugged in” to other programs as input. For example, using the Metasploit framework, you can feed the results of NMAP scans into its database of target hosts.

So, in this section we will share the exact NMAP syntax that you can use as a penetration testing tool. Go through the syntax carefully and commit it to memory.

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

-iL <inputfilename>: Input from list of hosts/networks

-iR <num hosts>: Choose random targets

--exclude <host1[,host2][,host3],…>: Exclude hosts/networks

--excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:

-sL: List Scan – simply list targets to scan

-sn: Ping Scan – disable port scan

-Pn: Treat all hosts as online -- skip host discovery

-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports

-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

-PO[protocol list]: IP Protocol Ping

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

--dns-servers <serv1[,serv2],…>: Specify custom DNS servers

--system-dns: Use OS’s DNS resolver

--traceroute: Trace hop path to each host

SCAN TECHNIQUES:

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-sU: UDP Scan

-sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags <flags>: Customize TCP scan flags

-sI <zombie host[:probeport]>: Idle scan

-sY/sZ: SCTP INIT/COOKIE-ECHO scans

-sO: IP protocol scan

-b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

-p <port ranges>: Only scan specified ports

Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

-F: Fast mode – Scan fewer ports than the default scan

-r: Scan ports consecutively – don’t randomize

--top-ports <number>: Scan <number> most common ports

--port-ratio <ratio>: Scan ports more common than <ratio>

SERVICE/VERSION DETECTION:

-sV: Probe open ports to determine service/version info

--version-intensity <level>: Set from 0 (light) to 9 (try all probes)

--version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

--version-trace: Show detailed version scan activity (for debugging)

There are plenty of other syntax options available in the NMAP command, but to get started the syntax above will be sufficient for you. To learn more about the NMAP command reference, you will have to wait for the next blog post in the series. Till then, keep reading and following us.