
I modified these notes from TJ Null’s pentest template notes and ported them into Obsidian. Posting them here to spread the love.

"PCAP IT OR IT DIDN'T HAPPEN... it's up to you if you need to"


  • tcpdump -i eth0
  • tcpdump -c -i eth0
  • tcpdump -A -i eth0
  • tcpdump -w 0001.pcap -i eth0
  • tcpdump -r 0001.pcap
  • tcpdump -n -i eth0
  • tcpdump -i eth0 port 22
  • tcpdump -i eth0 src 172.21.10.X
  • tcpdump -i eth0 dst 172.21.10.X
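As an added example (not part of the original notes): a minimal, dependency-free reader for the libpcap files that `tcpdump -w 0001.pcap` writes, summarising IPv4/TCP flows so a capture can be sanity-checked without opening Wireshark. The sample capture is constructed in code; checksums are left zero, which the parser does not verify.

```python
import struct
from collections import Counter
from typing import Dict, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1

def ipv4_tcp_frame(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp

def build_pcap(frames: List[bytes]) -> bytes:
    """Serialise frames into a little-endian libpcap file, as tcpdump -w does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def summarize_pcap(data: bytes) -> Dict[Tuple[str, str, int], int]:
    """Count (src_ip, dst_ip, dst_port) for every IPv4/TCP record in a pcap."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a (microsecond) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    flows: Counter = Counter()
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (pkt[14] & 0x0F) * 4                    # IPv4 header length in bytes
        if pkt[23] != 6 or len(pkt) < 14 + ihl + 4:
            continue                                  # not TCP, or truncated
        src = ".".join(str(b) for b in pkt[26:30])
        dst = ".".join(str(b) for b in pkt[30:34])
        dport = struct.unpack("!H", pkt[14 + ihl + 2:14 + ihl + 4])[0]
        flows[(src, dst, dport)] += 1
    return dict(flows)
```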

Other tools:

  • Tshark (command-line Wireshark)
  • Wireshark

Network Scanning

NetDiscover (ARP Scanning):

  • netdiscover -i eth0
  • netdiscover -r


  • nmap -sn
  • nmap -sn
  • nmap -sn 172.21.10.*


  • nbtscan -r

Linux Ping Sweep (Bash)

  • for i in {1..254}; do (ping -c 1 172.21.10.$i | grep "bytes from" &); done

Windows Ping Sweep (Run on Windows System)

  • for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.10.%i is up.

Network / Host Scan through ARP:

Scan a network through ARP by using the command, nping:

  • nping --arp-type ARP

Adding Routes in Kali

root@demonalex:~# ip route add via

root@demonalex:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
…                                               UG        0 0          0 tap0
…

root@demonalex:~# nmap -sn -n
Starting Nmap 7.70 ( ) at 2020-04-25 11:57 EDT
Nmap scan report for
Host is up (0.059s latency).
Nmap scan report for
Host is up (0.062s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.87 seconds

Host Scanning


  • nmap -sC -sV
  • nmap -Pn -sC -sV -p-
  • nmap -sV -Pn
  • nmap -T4 -sC -sV
  • nmap -A

Nmap Stealth:

  • nmap -sS -sC -sV
  • nmap -sS -p-

UDP Scan:

  • nmap -sS -sU -Pn -sV
  • nmap -sU -A --top-ports=20 --version-all
  • nmap -sU -A -p 53,67,68,161,162 --version-all
  • unicornscan -mU -p 161,162,137,123,138,1434,445,135,67,68,53,139,500,637,162,69

IPv6 Scan:

Nmap Scripts:

Location: /usr/share/nmap/scripts/

  • nmap --script vuln,safe,discovery -oN results.txt target-ip

Scans through Socks proxy:

  • nmap --proxies socks4://proxy-ip:8080 target-ip


  • dnsrecon -d -a
  • dnsrecon -d -t axfr
  • dnsrecon -d
  • dnsrecon -d -D -t brt
  • Try
  • Try google,


  • dig +short
  • dig MX
  • dig NS
  • dig SOA
  • dig ANY +noall +answer
  • dig -x
  • dig -4 (For IPv4)
  • dig -6 (For IPv6)
  • dig mx +noall +answer ns +noall +answer
  • dig -t AXFR


  • Sublist3r -d
  • Sublist3r -v -d -p 80,443


  • amass enum -d
  • amass intel -whois -d
  • amass intel -active -p 80,443,8080,8443
  • amass intel -ipv4 -whois -d
  • amass intel -ipv6 -whois -d

Connect SSL service with Raw Socket:

  • openssl s_client -connect
  • ncat --ssl -vv 443