OffSec Live: PEN-200

author: Nathan Acks
date: 2022-07-13

Netcat Port Scanning

Quick-n-dirty netcat port scan:

nc -nvv -w 1 -z $IP_ADDRESS $PORT

$PORT can be a single port or a range such as 1-1024; -w 1 sets netcat’s timeout to 1 second so ports that never answer don’t hang the scan; -n skips DNS lookups; -z is zero-I/O mode, so netcat only checks whether it can connect and sends no data; -vv makes it report every port, including whether the connection was refused (closed) or timed out (probably filtered). By default netcat performs a TCP connect scan in this mode; use -u to send UDP probes instead. UDP results are far less trustworthy: a closed UDP port is only detected if an ICMP port-unreachable comes back, so a port whose probes are silently dropped looks exactly like an open one.
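The same scan written out in Python, as an added example that is not part of the original notes, so the three outcomes that nc -vv reports (connected, refused, timed out) are explicit, and so the UDP ambiguity can be seen against a socket that is open but never replies. The port-spec parser is an assumption for the demo and is looser than nc (which takes one range); the loopback listener and the 1-second timeout are constructed for the demonstration.

```python
"""TCP connect scan and UDP probe with a per-port timeout, the `nc -z -w 1` idea in Python.

Added example, not from the original page. States mirror what `nc -nvv` prints:
a completed handshake is open, an RST is closed, silence until the timeout is filtered.
"""
import socket
from typing import Dict, Iterable, List


def parse_ports(spec: str) -> List[int]:
    """Expand "22,80,8000-8010" into a sorted port list (assumed helper, nc takes one range)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        start, end = int(lo), int(hi) if hi else int(lo)
        ports.update(range(start, end + 1))
    return sorted(ports)


def scan_tcp(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Connect scan: complete the handshake, then close without sending data (nc -z)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)                   # the -w 1 equivalent
        try:
            s.connect((host, port))
            results[port] = "open"              # SYN/ACK came back, something is listening
        except ConnectionRefusedError:
            results[port] = "closed"            # RST: host is up, nothing on that port
        except (socket.timeout, OSError):
            results[port] = "filtered"          # no answer before the timeout, probably a firewall
        finally:
            s.close()
    return results


def scan_udp(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """UDP probe (nc -u -z): only an ICMP port-unreachable proves a port closed."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(b"\x00", (host, port))
            s.recvfrom(1024)
            results[port] = "open"              # a service actually answered
        except ConnectionRefusedError:
            results[port] = "closed"            # ICMP unreachable delivered to the socket (Linux)
        except (socket.timeout, OSError):
            results[port] = "open|filtered"     # silence: open and quiet, or dropped on the way
        finally:
            s.close()
    return results


def _free_tcp_port() -> int:
    """Grab an ephemeral port and release it so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo_on_loopback(timeout: float = 1.0) -> dict:
    """Constructed demo: a TCP listener and a silent UDP socket on loopback, then scan them."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))                  # bound but never replies: the UDP blind spot
    tcp_open, udp_open = tcp.getsockname()[1], udp.getsockname()[1]
    tcp_closed = _free_tcp_port()
    try:
        return {
            "tcp": scan_tcp("127.0.0.1", [tcp_open, tcp_closed], timeout),
            "udp": scan_udp("127.0.0.1", [udp_open], timeout),
            "tcp_open": tcp_open, "tcp_closed": tcp_closed, "udp_open": udp_open,
        }
    finally:
        tcp.close()
        udp.close()


if __name__ == "__main__":
    for proto, states in demo_on_loopback().items():
        if isinstance(states, dict):
            print(proto, states)
```

The UDP socket in the demo is listening but never answers, and the scanner can only call it "open|filtered": that is the same verdict netcat gives a port a firewall silently drops, which is why UDP scan output needs a service-level probe (or an SNMP community guess, for port 161) before it means anything.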

SNMP

Always pay attention to SNMP. (Which is an unfortunate directive, as I haven’t been paying attention…)

If SNMP v1 or v2c is in use, the protocol is unauthenticated and unencrypted: the community string (the shared secret that doubles as the password) travels in cleartext in every datagram, so even a custom community name is trivial to sniff off the wire, and the defaults are usually “public” (read) and “private” (write). Only SNMPv3 adds real authentication and encryption. Once the community string is known, a device can be queried for any object in its MIB, each addressed by a numeric OID (for example 1.3.6.1.2.1.1.1.0 is sysDescr, the system description). SNMP listens on UDP port 161, so a TCP-only port scan never shows it.

Windows (with the SNMP service installed) will report things like local users, running processes and installed software, which is where the antivirus shows up, over SNMP. Useful OIDs to walk on a Windows host are 1.3.6.1.4.1.77.1.2.25 (user accounts), 1.3.6.1.2.1.25.4.2.1.2 (running programs), 1.3.6.1.2.1.25.6.3.1.2 (installed software) and 1.3.6.1.2.1.6.13.1.3 (TCP listening ports).

The onesixtyone and snmpwalk tools can be used to probe SNMP: onesixtyone is a fast community-string brute-forcer that takes a list of hosts and a wordlist of candidate community strings, and snmpwalk (given the protocol version and the community string) walks a whole MIB subtree once you have one. Nmap also has a set of useful SNMP NSE scripts (snmp-brute, snmp-info, snmp-processes, snmp-win32-users, snmp-win32-software, snmp-netstat), which need a UDP scan of port 161 to run against.
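To make the cleartext-community point concrete, here is an added example (not from the original notes, and not how onesixtyone or snmpwalk are implemented) that hand-rolls an SNMPv1 GetRequest from RFC 1157 in BER, then parses the version and community string straight back out of the raw bytes the way a passive sniffer on the path would. The community “public”, the sysDescr OID and the Windows user-accounts OID are assumptions chosen for the demo; the sample GetResponse in the usage is constructed, not captured.

```python
"""SNMPv1 GetRequest builder and dissector (added example, not from the original notes).

BER-encodes the RFC 1157 message so the community string is visible in the bytes,
then parses version, community and the first VarBind back out of a datagram.
Community "public" and the two OIDs below are assumptions for the demo.
"""
import socket
from typing import Tuple

COMMUNITY = "public"                         # assumed default read-only community
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"          # MIB-II sysDescr.0
WINDOWS_USERS_OID = "1.3.6.1.4.1.77.1.2.25"  # Windows local user accounts (LanMan MIB)


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def encode_integer(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OID: first two arcs packed into one byte, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_message(community: str, oid: str, pdu_tag: int = 0xA0,
                  value: bytes = b"\x05\x00", request_id: int = 1) -> bytes:
    """SNMPv1 message: version INTEGER, community OCTET STRING, PDU. 0xA0 is GetRequest."""
    varbind = tlv(0x30, encode_oid(oid) + value)                # OID + value (NULL for a Get)
    pdu = tlv(pdu_tag, encode_integer(request_id)
              + encode_integer(0) + encode_integer(0)           # error-status, error-index
              + tlv(0x30, varbind))                             # VarBindList
    return tlv(0x30, encode_integer(0)                          # version 0 == SNMPv1
               + tlv(0x04, community.encode()) + pdu)           # community goes out in the clear


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position just past this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(datagram: bytes) -> Tuple[int, str]:
    """What a sniffer sees: version and community read straight out of the bytes."""
    _, msg, _ = read_tlv(datagram, 0)
    _, ver, pos = read_tlv(msg, 0)
    _, comm, _ = read_tlv(msg, pos)
    return int.from_bytes(ver, "big", signed=True), comm.decode(errors="replace")


def parse_first_varbind(datagram: bytes) -> Tuple[str, int, bytes]:
    """Pull (oid, value tag, value bytes) from the first VarBind of a request or response."""
    _, msg, _ = read_tlv(datagram, 0)
    pos = 0
    for _ in range(2):                      # skip version and community
        _, _, pos = read_tlv(msg, pos)
    _, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                      # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, vblist, _ = read_tlv(pdu, pos)
    _, vb, _ = read_tlv(vblist, 0)
    _, oid_raw, pos = read_tlv(vb, 0)
    vtag, value, _ = read_tlv(vb, pos)
    return decode_oid(oid_raw), vtag, value


def send_get(host: str, community: str, oid: str, timeout: float = 2.0) -> bytes:
    """One GetRequest to UDP/161; agents drop a wrong community silently, so b"" means
    'wrong community or filtered', not 'no SNMP'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_message(community, oid), (host, 161))
        return sock.recvfrom(65535)[0]
    except socket.timeout:
        return b""
    finally:
        sock.close()


if __name__ == "__main__":
    req = build_message(COMMUNITY, SYS_DESCR_OID)
    print(req.hex(" "))                     # 70 75 62 6c 69 63 ("public") sits right after 04 06
    print(sniff_community(req), parse_first_varbind(req))
```

Because the community string is a plain OCTET STRING two fields into the message, anyone who can see the UDP traffic recovers it with the same handful of TLV reads; there is nothing to crack. The same parser reads a GetResponse (PDU tag 0xA2), so pointing send_get at an agent with the Windows user-accounts OID and feeding the reply to parse_first_varbind gives the first user name; a timeout from send_get is ambiguous between a wrong community and a filtered port, which is exactly why onesixtyone brute-forces community strings rather than trusting a port scan.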