Bryce S edited this page Jun 11, 2019 · 13 revisions

Currently in the works:

1. device discovery tools and techniques along with nmap

  • broadcast ping (mainly to populate the ARP cache before the next steps)
  • run arp-scan and append the discovered IP addresses to the targets.txt file
  • run nmap host discovery (-sn) and append to targets.txt
  • arp -a to append the cached IP addresses to the targets.txt file
  • remove duplicates
  • count devices found

```bash
# Broadcast address discovery. Relies on the "inet A.B.C.D/N brd A.B.C.255 scope global" line
# layout of `ip addr`; the original cut -d ' ' -f 8 counted on that exact spacing.
broadcastip="$(ip -4 addr | awk '/brd/ && /global/ {print $4; exit}')"
# Interface to scan from; the original used $interface without ever setting it.
interface="${interface:-$(ip route show default | awk '{print $5; exit}')}"
# Broadcast ping. -i is the interval in seconds, so 10 probes at -i 20 take over three minutes.
ping -b -c 10 -i 20 "$broadcastip"
arp-scan --interface="$interface" --localnet > arpscan.txt
# Keep only result lines (IP, MAC, vendor); header and footer lines never start with an address.
awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]/ {print $1}' arpscan.txt > arpscan_ips.txt
# 192.0.2.0/24 is a placeholder network (TEST-NET-1); grepable output marks live hosts with "Status: Up".
nmap -n -sn 192.0.2.0/24 -oG - | awk '/Up$/ {print $2}' > nmapscan_ips.txt
# Hostname, IP and MAC from the ARP cache (fields 1, 2 and 4 of `arp -a`) with the parentheses stripped;
# no eval needed, the pipeline can run directly.
arp -a | cut -d ' ' -f 1,2,4 | sed 's/[()]//g' > arpdata.txt   # (Hostname | IP | MAC)
```
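The steps above stop short of the merge: nothing yet appends the three sources to targets.txt, removes duplicates, or counts. The script below is an added example, not the project's own code. It parses each tool's output, merges the addresses into one de-duplicated list, and counts them; the arp-scan, nmap and `arp -a` outputs it uses are constructed samples (TEST-NET-1 addresses) so the parsing runs offline, and discover_live is the function that would run the real tools.

```shell
#!/bin/sh
# Added example (not the project's script): merge arp-scan, nmap -sn and ARP-cache results
# into one de-duplicated target list and count it. Samples below are constructed, not captured.

# arp-scan --localnet result lines are "IP<TAB>MAC<TAB>vendor"; header/footer lines never start with an address.
parse_arpscan() {
  awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]/ {print $1}'
}

# Grepable nmap output: "Host: IP ()<TAB>Status: Up". Down hosts (listed with -v) are dropped.
parse_nmap_grepable() {
  awk '/^Host:/ && /Status: Up$/ {print $2}'
}

# `arp -a` lines look like "name (IP) at MAC [ether] on iface"; "<incomplete>" entries have no MAC and are skipped.
parse_arp_cache() {
  awk '$3 == "at" && $4 ~ /:/ {gsub(/[()]/, "", $2); print $2}'
}

# One line per address, ordered by octet (a plain sort puts 192.0.2.20 before 192.0.2.5).
merge_targets() {
  sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

count_targets() {
  awk 'NF {n++} END {print n + 0}'
}

# Live discovery for a CIDR and interface, e.g. discover_live 192.0.2.0/24 eth0 (needs root).
# The broadcast ping only fills the ARP cache; its replies are not parsed. Not invoked below.
discover_live() {
  net="$1" iface="$2"
  bcast="$(ip -4 addr show dev "$iface" | awk '/brd/ {print $4; exit}')"
  ping -b -c 3 "$bcast" >/dev/null 2>&1 || true
  {
    arp-scan --interface="$iface" --localnet | parse_arpscan
    nmap -n -sn "$net" -oG - | parse_nmap_grepable
    arp -a | parse_arp_cache
  } | merge_targets
}

# Constructed sample outputs in the formats the three tools print.
ARPSCAN_SAMPLE="$(printf 'Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.0.2.10\nStarting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)\n192.0.2.1\t00:11:22:33:44:55\tExample Vendor\n192.0.2.20\t66:77:88:99:aa:bb\t(Unknown)\nEnding arp-scan 1.9.7: 256 hosts scanned in 2.0 seconds (128.00 hosts/sec). 2 responded')"
NMAP_SAMPLE="$(printf '# Nmap 7.70 scan initiated as: nmap -n -sn 192.0.2.0/24 -oG -\nHost: 192.0.2.1 ()\tStatus: Up\nHost: 192.0.2.5 ()\tStatus: Up\nHost: 192.0.2.7 ()\tStatus: Down\n# Nmap done: 256 IP addresses (2 hosts up)')"
ARP_CACHE_SAMPLE="$(printf 'router.example (192.0.2.1) at 00:11:22:33:44:55 [ether] on eth0\n? (192.0.2.30) at 66:77:88:99:aa:bb [ether] on eth0\n? (192.0.2.99) at <incomplete> on eth0')"

# Same merge as discover_live, fed from the samples. 192.0.2.1 appears in all three sources and survives once.
targets_from_samples() {
  {
    printf '%s\n' "$ARPSCAN_SAMPLE"   | parse_arpscan
    printf '%s\n' "$NMAP_SAMPLE"      | parse_nmap_grepable
    printf '%s\n' "$ARP_CACHE_SAMPLE" | parse_arp_cache
  } | merge_targets
}

targets_from_samples
printf 'Devices found: %s\n' "$(targets_from_samples | count_targets)"
```

In the real script, `discover_live "$network" "$interface" > targets.txt` replaces the sample call; keeping the parsers separate from the tool invocations is what makes the merge testable without a network.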

2. vulnerability discovery options that are more accurate than searchsploit and that look for CVEs

  • Best solution has yet to be found
  • Possibly the "vulscan" nmap script. It matches detected service versions against local CSV databases (CVE, ExploitDB and others), so the CSV files have to be kept up to date, and because the matching is by version string the hits are candidates that still need verification.

3. nmap scripting engine

  • "--script-updatedb" #rebuilds the local script.db index; it downloads nothing, so it is only needed after adding scripts by hand, and new scripts come from updating nmap itself
  • "--script (category or script name)"
  • potential categories: all, auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln

4. giving user options for nmap scan type

  • Spoofing (MAC, IP address):
  • "-D [decoy1,decoy2,ME,RND:number]" #decoys appear to scan the target alongside you #ME marks where the real address sits in the list #RND:number adds that many random decoy addresses #decoys should be hosts that are actually up, or the target can look like it is being SYN flooded
  • "-S (sourceip)" #spoof the source address #replies go to the spoofed host, so results are only usable together with -e (interface) and -Pn while sniffing #makes the target think someone else is scanning it
  • "--spoof-mac 0" #randomly spoof the source MAC address
  • "--spoof-mac (mac address, prefix, or vendor name)" #vendor information is in the nmap-mac-prefixes file #ex: Dell, Apple, Cisco, Hewlett Packard #only affects raw Ethernet frames, so it matters on the local segment only
  • Intensity (Normal, Extreme):
  • "nmap -sV --version-all" #try every probe against every port, the same as --version-intensity 9
  • "nmap -O --osscan-guess" #aggressive OS scan: report the closest match even when no match is certain
  • "-v" #increases verbosity level
  • "-vv" #increases it further (each extra v raises the level again)
  • "-p-" #ports 1-65535
  • Scan Concealing Techniques:
  • "--data-length (bytes)" #append random data to the probes so they no longer match signatures keyed on nmap's default empty payloads
  • "--randomize-hosts" #scan hosts in random order #default is sequential

5. generation of unique files based on date

  • "-oX 'results-%m-%d-%H'" #nmap expands strftime-style %Y %m %d %H %M %S in output file names itself
  • Or use the date command to build the file name in a shell variable
  • Possibly ask user input for what the file name should be called

6. creation of command line menu

  • Basic options should require little user input
  • Users can customize the file name or scan type if they choose
  • Accept user input to create a cronjob to run the script at certain times #user would need to set up a default network and make sure output files are unique, which the strftime file names from item 5 take care of
  • Menus: "Choose Network and Commence Scan", "Schedule Scan", "Customize Scan"
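Items 3 through 6 all feed one thing: the nmap command the "Customize Scan" menu ends up running. The script below is an added example, not the project's own code, and shows that assembly: the profile names (normal, extreme), the argument order, and the "scan-label-date" output name are assumptions. It validates NSE category names against the list from item 3 before they reach --script, lets nmap timestamp the output files as in item 5, and builds the argument list line by line so it can be passed to nmap without eval. The interactive menu itself is left out; these are the functions it would call.

```shell
#!/bin/sh
# Added example (not the project's menu code): turn menu choices into an nmap command line.
# Profile names, argument order and the output label are assumptions made for this example.

# The NSE categories nmap ships; "all" is accepted by --script but is not itself a category.
NSE_CATEGORIES="auth broadcast brute default discovery dos exploit external fuzzer intrusive malware safe version vuln"

# Succeed only if every comma-separated entry is a known category, so a typo is caught here
# instead of surfacing as an nmap error after the scan has been scheduled.
valid_categories() {
  cat_list="$(printf '%s' "$1" | tr ',' ' ')"
  for c in $cat_list; do
    case " $NSE_CATEGORIES " in
      *" $c "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Base name for -oA. nmap expands %Y %m %d %H %M itself, so every run (including cron runs)
# gets its own .nmap/.gnmap/.xml set and never overwrites the previous one.
output_base() {
  printf 'scan-%s-%%Y%%m%%d-%%H%%M' "$1"
}

# Emit one nmap argument per line for: network, profile (normal|extreme), NSE selection
# (may be empty), concealment (yes|no) and a label for the output files.
build_nmap_args() {
  network="$1" profile="$2" scripts="$3" conceal="$4" label="$5"
  printf '%s\n' -n "$network"
  case "$profile" in
    normal)  printf '%s\n' -sV -O ;;
    extreme) printf '%s\n' -sV --version-all -O --osscan-guess -p- -vv ;;
    *)       return 2 ;;
  esac
  if [ -n "$scripts" ]; then
    valid_categories "$scripts" || return 3
    printf '%s\n' --script "$scripts"
  fi
  # --randomize-hosts and --data-length need nothing else to work; -S, -D and --spoof-mac are
  # left to the user because they depend on -e/-Pn, live decoys or a local Ethernet segment.
  if [ "$conceal" = yes ]; then
    printf '%s\n' --randomize-hosts --data-length 25
  fi
  printf '%s\n' -oA "$(output_base "$label")"
}

# Run a profile: read the argument lines back as positional parameters (so no word splitting
# on spaces inside values, and no eval), then hand them to nmap. Not invoked below; needs nmap
# and, for -O and -p-, root.
run_profile() {
  args="$(build_nmap_args "$@")" || return $?
  old_ifs=$IFS; IFS='
'; set -f; set -- $args; IFS=$old_ifs; set +f
  nmap "$@"
}

# Dry run for the reader: the command an "extreme" scan with the vuln and safe scripts produces.
printf 'nmap '; build_nmap_args 192.0.2.0/24 extreme vuln,safe yes lab | tr '\n' ' '; printf '\n'
```

Keeping the argument list as lines rather than one string is the point: the menu can show the user the exact command before running it, and a label or network containing unexpected characters cannot be re-split or interpreted by the shell.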