This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing.
Remember to add -sn if you are only interested in host discovery without port-scanning. Omitting -sn will let Nmap default to port-scanning the live hosts.
Option
Purpose
-n
no DNS lookup
-R
reverse-DNS lookup for all hosts
-sn
host discovery only
NMAP Basic Port Scans
Open: indicates that a service is listening on the specified port.
Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.
Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.
Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan -sA.
Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.
Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.
TCP Flags
URG: Urgent flag indicates that the urgent pointer filed is significant. The urgent pointer indicates that the incoming data is urgent, and that a TCP segment with the URG flag set is processed immediately without consideration of having to wait on previously sent TCP segments.
ACK: Acknowledgement flag indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of a TCP segment.
PSH: Push flag asking TCP to pass the data to the application promptly.
RST: Reset flag is used to reset the connection. Another device, such as a firewall, might send it to tear a TCP connection. This flag is also used when data is sent to a host and there is no service on the receiving end to answer.
SYN: Synchronize flag is used to initiate a TCP 3-way handshake and synchronize sequence numbers with the other host. The sequence number should be set randomly during TCP connection establishment.
FIN: The sender has no more data to send.
Timings
Timings
Description
T0
paranoid (0)
T1
sneaky (1)
T2
polite (2)
T3
normal (3)
T4
aggressive (4)
T5
insane (5)
Summary
Port Scan Type
Example Command
TCP Connect Scan
nmap -sT MACHINE_IP
TCP SYN Scan
sudo nmap -sS MACHINE_IP
UDP Scan
sudo nmap -sU MACHINE_IP
These scan types should get you started discovering running TCP and UDP services on a target host.
These scan types rely on setting TCP flags in unexpected ways to prompt ports for a reply. Null, FIN, and Xmas scan provoke a response from closed ports, while Maimon, ACK, and Window scans provoke a response from open and closed ports.
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsPenetration testing ethicsRules of Engagement (ROE)Penetration Testing MethodoligiesOSSTMMOWASPNIST Cybersecurity Framework 1.1NCSC CAFBlack box, White box, Grey box penetration testingBlack-Box testingGrey-box testingWhite-Box Testing Penetration testing ethics Hat Category Description…
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsXSS PayloadsWhat is a payload?Proof of ConceptSession StealingKey LoggerExampleBusiness LogicReflected XSSExample ScenarioPotential ImpactHow to test for Reflected XSSStored XSSExample ScenarioHow to test for Stored XSSDOM Based XSSWhat is…
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsIntroductionInformation GatheringPermissionsUser enumerationCollection System InformationSearching filesCommand breakdown:Path LevelNetwork ConnectionsScheduled TasksDriversAntivirusTools of the tradeWinPEASPowerUpWindows Exploit SuggesterMetasploitVulnerable SoftwareDLL HijackingIntroduction to DLL FilesFinding DLL Hijacking VulnerabilitiesCreating a malicious DLL fileUnquoted Service…
This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there. Table Of ContentsKey TermsWhy is Encryption importantRSA – Rivest Shamir AdlemanDigital signatures and CertificatesSSH AuthenticationExplaining Diffie Hellman Key ExchangePGP, GPG and AES Key…
Table Of ContentsSourceGood toolsMalware forums/channels/discordTest payload against AVDefcon – Writing custom backdoor payloads with C#Step by Step for obfuscating codeAV Evasion MindMap – From Start to finishGeneral AV Evasion cheatsheetCheck AV – Running, Exclusion, DisableWindows FirewallPowershell – ASMI bypass methods, Disable AV, etcAMSI BypassBypass CLM (Constrained Language Mode)Bypass loggingDisable MS Defender (Require elevation)Add folder exclusionLSASS…
This is a list of Command and control (C2) servers that I’ve tested. Table Of ContentsCovenantInstallation and setupLisenersGruntsPowershell-Empire with StarkillerPoshC2GodGenesisMetasploitSliverLinks and tutorialInstallSliver and MetasploitBeacon vs sessionGenerating HTTP(S) Implants with certificateExtensions (Armory)CheatsheetExample getting beacon with msfBypassing defender with staged process hollowingHavoc C2InstallInstall the dependenciesUbuntu 20.04 / 22.04Kali and other Debian based Distros only.Debian 10/11Building the TeamserverBuilding…