eCPPTv2 Certified Professional Penetration Tester

To Scan a Network

Methodology for scanning a network during a penetration testing assessment: understand what to do without triggering IDS alarms.

Usually, in certification labs or when executing a penetration test for a client, the scope defines a subnet with a specified range of IPs.

Before I start scanning the network I usually run a few commands on my own machine to check which interface is associated with the VPN, what my IP address on it is, and what is already in my ARP table.
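The pre-scan checks above, as an added example (this script is not part of the original page): it asks the kernel which interface and source address it will use to reach the scope, flags a NOARP tunnel interface (through which layer 2 discovery cannot work), and dumps the neighbour table for that interface. The scope address 192.168.4.5 is assumed from the traceroute examples further down; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks before scanning.
# Which interface and source address does the kernel use to reach the scope?
# Is it a point-to-point VPN tunnel (so no ARP)? What is already in the
# neighbour table? The scope address is an assumption taken from the page.

# Pull the interface ("dev X") or source address ("src Y") out of an
# `ip route get` line such as:
#   192.168.4.5 via 10.10.14.1 dev tun0 src 10.10.14.2 uid 1000
route_field() {  # $1 = field name (dev|src); stdin = `ip route get` output
    awk -v f="$1" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# Decide from `ip -o link` output whether an interface is an L3 tunnel, e.g.
#   5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 ...
# NOARP means arp-scan and nmap -PR cannot see anything past it.
is_noarp() {  # $1 = interface name; stdin = `ip -o link` output
    awk -v dev="$1:" '$2 == dev && $3 ~ /NOARP/ { found = 1 } END { exit !found }'
}

precheck() {  # $1 = any in-scope address
    route=$(ip route get "$1")
    dev=$(printf '%s\n' "$route" | route_field dev)
    src=$(printf '%s\n' "$route" | route_field src)
    echo "scope $1 is reached via $dev from $src"
    if ip -o link | is_noarp "$dev"; then
        echo "$dev is NOARP (tunnel): layer 2 discovery will not work, start at ICMP/TCP"
    fi
    echo "neighbour table (ARP cache) for $dev:"
    ip neigh show dev "$dev"
}

# Only touch the live system when an address is given, e.g.: sh precheck.sh 192.168.4.5
if [ -n "${1:-}" ]; then precheck "$1"; fi
```

If the route goes out through your physical NIC instead of the tunnel, stop and fix the VPN routing before scanning anything; otherwise the probes never reach the scope and may leak to the wrong network.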

What to expect?

Networks can filter types of traffic, or traffic to specific port numbers. Pay attention if you are trying to get a reverse shell on a random port number: that port could be blocked, so prefer a port that is likely to be allowed outbound from the target, such as 80, 443 or 53.

What if the Network is blocking some types of traffic?

As I said, networks can filter types of traffic like TCP/UDP/SCTP/ICMP, or even whole IP protocol numbers, yes, at the IP layer!

Most corporate networks deny traffic by default and only allow specific flows between two endpoints, validating the source IP, destination IP, protocol type and service/port.

UDP traffic can be blocked only for a specific host and allowed for others inside the same subnet.

Or a protocol can be blocked for the whole subnet, as is often done with IPv6.

In these cases we need to test each host we have found with each protocol, and never assume that a host which is silent on one protocol is down.

Detect Hosts using Layer 2 - ARP

In order to detect hosts on our local network without triggering a lot of IDS alarms we can use ARP. We send an ARP request for every address in the subnet (for example with arp-scan, or nmap's -PR ping type) and wait for the replies. ARP is a layer 2 protocol, so this only works when our machine sits on the same broadcast domain as the targets: through a VPN tunnel interface (tun0) there is no ARP, and the scan finds nothing even when the subnet is full of hosts.

Detect Hosts using Layer 3 - IP / ICMP

We can use the ping command to send ICMP echo requests and verify whether a host is alive, but remember that some hosts are configured not to respond to ICMP echo requests. Some of those still answer ICMP timestamp or address-mask requests, which nmap sends with -PP and -PM.

To probe at the IP layer we can use nmap: -PO is the IP protocol ping (raw IP packets with several protocol numbers) and -sO scans which IP protocols a host accepts.

Detect Hosts using Layer 4 - TCP/UDP

What if we can't connect to any port using any protocol? or at least any port we test was
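The three discovery layers above (ARP, ICMP/IP, TCP/UDP) as one added example, not code from the original page: every layer is tried against the scope and the answers are merged, so a host that is filtered at one layer is still found if it answers at another. The subnet 192.168.4.0/24 and interface eth0 are assumptions (the subnet follows the page's traceroute target); the parsers are mine and the scanning itself needs root, arp-scan and nmap.

```shell
#!/bin/sh
# Added example, not from the original page: layered host discovery against an
# in-scope subnet. Each layer is tried and the answers are merged, because a
# host filtered at one layer often answers at another. SCOPE and IFACE are
# assumptions; set them for your engagement.
SCOPE="${SCOPE:-192.168.4.0/24}"
IFACE="${IFACE:-eth0}"

# arp-scan prints one "IP<TAB>MAC<TAB>vendor" line per reply; keep the IPs.
arp_scan_hosts() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# nmap -oG prints "Host: <ip> (<name>)  Status: Up" for every live host.
nmap_up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Union of several host lists: blanks dropped, sorted by octet, duplicates removed.
merge_hosts() {
    awk 'NF' | sort -t '.' -k1,1n -k2,2n -k3,3n -k4,4n -u
}

discover() {
    # Layer 2: ARP only reaches hosts on the same broadcast domain. Through a
    # TUN VPN this list is empty, which is expected, not a sign of a dead subnet.
    l2=$(sudo arp-scan --interface="$IFACE" "$SCOPE" 2>/dev/null | arp_scan_hosts)

    # Layer 3: ICMP echo (-PE), timestamp (-PP) and address mask (-PM) requests.
    # Hosts that drop echo requests sometimes still answer the other two.
    l3=$(sudo nmap -sn -n -PE -PP -PM -oG - "$SCOPE" | nmap_up_hosts)

    # Layer 4: TCP SYN to ports filters commonly allow (-PS), TCP ACK which
    # slips past some stateless filters (-PA), and UDP to services that answer
    # even on hardened hosts (-PU). A RST or ICMP unreachable also proves life.
    l4=$(sudo nmap -sn -n -PS22,80,443,445,3389 -PA80,443 -PU53,161 -oG - "$SCOPE" \
         | nmap_up_hosts)

    printf '%s\n%s\n%s\n' "$l2" "$l3" "$l4" | merge_hosts
}

# Run the live scan only when asked, so the parsers can be sourced and reused:
#   sudo sh discover.sh scan
if [ "${1:-}" = "scan" ]; then discover; fi
```

Keep the per-layer lists as well as the merged one: a host that appears only in the layer 4 list is one whose ICMP is filtered, and that is exactly the information you need later when choosing a reverse shell port.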

Traceroute is our Friend!

Traceroute using TCP

sudo traceroute -T 192.168.4.5

Traceroute using UDP

sudo traceroute -U 192.168.4.5

Traceroute using ICMP

sudo traceroute -I 192.168.4.5
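The three traceroute runs above, wrapped in an added example (my own script, not from the original page): each protocol is run against the same target and the output is reduced to a verdict, either the target replied or replies stopped at a given hop. Comparing the TCP, UDP and ICMP verdicts tells you which protocol a filter on the path drops. The target is the page's own 192.168.4.5; the helper names and the probe options (-n, -q 1, -w 2, -m 15) are my choices.

```shell
#!/bin/sh
# Added example, not from the original page: run traceroute with TCP, UDP and
# ICMP probes against one target and report, per protocol, whether the target
# answered or at which hop replies stopped. The target address is assumed.

# From traceroute output, print the hop number and address of the last hop
# that replied. Handles lines like " 2  * 192.168.4.5  46.1 ms *" where only
# one probe was answered, and ignores hops that are all "* * *".
trace_last_hop() {
    awk '$1 ~ /^[0-9]+$/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { hop = $1; ip = $i; break }
         }
         END { if (hop != "") print hop, ip }'
}

# Verdict for one run: exit 0 if the target itself replied, 1 otherwise.
trace_verdict() {  # $1 = target address; stdin = traceroute output
    trace_last_hop | awk -v t="$1" '
        $2 == t { print "reached " t " at hop " $1; ok = 1 }
        $2 != t { print "no reply past hop " $1 " (" $2 ")" }
        END     { if (NR == 0) print "no reply at all"; exit !ok }'
}

# Probe with each protocol. -n skips DNS, -q 1 sends one probe per hop,
# -w 2 waits two seconds, -m 15 caps the TTL. TCP (-T) defaults to port 80
# and UDP (-U) to port 53; add -p <port> to try one the filter may let through.
trace_all() {  # $1 = target address
    for mode in T U I; do
        printf '%s: ' "$mode"
        sudo traceroute -n -q 1 -w 2 -m 15 "-$mode" "$1" 2>/dev/null \
            | trace_verdict "$1" || true
    done
}

# Live run only when asked: sudo sh trace.sh trace 192.168.4.5
if [ "${1:-}" = "trace" ]; then trace_all "${2:-192.168.4.5}"; fi
```

If TCP reaches the target but UDP stops at the hop before it, that hop is the filter and UDP services on the target are not reachable from where you stand; plan your pivot or your reverse shell accordingly instead of wasting time on UDP scans.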

Keep in Mind

You need to develop your own attack methodology; here I only cover the basic steps. Ping me on Discord to talk about other techniques. I would love it!


Last updated 2 years ago
