akde/infosec

Information security is ultimately about managing risk


The usual order

  1. Network sweep (detecting the systems)
  2. Network tracing (detecting the relations between the systems)
  3. Port scan
  4. OS fingerprinting
  5. Version scanning
  6. Vulnerability scanning

Network scan

Detect hosts for a domain by brute-forcing subdomains (use a wordlist from SecLists); the "not found" answers are filtered out so only resolving names remain:

for sub in $(cat common-subdomains.txt); do
  host "$sub.megacorpone.com";
done | grep -v "not found"

Reverse lookup: find domain names for a range of addresses (here the last octet is iterated):

for octet in $(seq 155 190); do
  host 50.7.67.$octet;
done | grep -v "not found"

Zonefile enumeration

Grab the zone file via zone transfer (AXFR) from a name server of the target domain (example target: fraunhofer.de, asking ns3.fraunhofer.de):

host -a -l fraunhofer.de ns3.fraunhofer.de

Get the authoritative DNS servers for a domain:

host -t ns $target_domain

Then try a zone transfer against each of these servers. Most will refuse it, but a single misconfigured secondary is enough to hand out the whole zone.
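Both steps combined, as an added example (this script is not from the original page): it reads the NS records for a domain, attempts an AXFR against each of them and saves any zone that is handed out. It assumes the `host` utility (bind9-dnsutils) is installed; the domain and name server names used in the comments are placeholders.

```bash
#!/usr/bin/env bash
# Added example: try a zone transfer against every authoritative NS of a domain.
# Requires the `host` tool. Usage: ./axfr-all.sh example.com

# Turn `host -t ns <domain>` output into bare name server hostnames.
# Input lines look like:  "example.com name server ns1.example.com."
parse_ns() {
  awk '/ name server / { sub(/\.$/, "", $NF); print $NF }'
}

# Attempt AXFR from one name server; prints the zone on success.
# `host -l` prints "; Transfer failed." (and exits non-zero) when refused.
axfr_from() {
  domain="$1"; ns="$2"
  host -l "$domain" "$ns" 2>&1
}

# Iterate over all authoritative servers and keep every zone that was handed out.
try_axfr_all() {
  domain="$1"
  host -t ns "$domain" | parse_ns | while read -r ns; do
    if out=$(axfr_from "$domain" "$ns") && ! printf '%s\n' "$out" | grep -q "Transfer failed"; then
      echo "[+] $ns allowed AXFR for $domain"
      printf '%s\n' "$out" > "axfr-$domain-$ns.txt"
    else
      echo "[-] $ns refused AXFR"
    fi
  done
}

if [ -n "${1:-}" ]; then
  try_axfr_all "$1"
fi
```

The parsing is kept in its own function so the NS list can also be fed from a file (for example the output of dnsrecon or dnsenum) instead of a live `host -t ns` query.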

Tools

  • dnsrecon
    dnsrecon -d $target_domain -t axfr
  • dnsenum
    dnsenum $target_domain

Port scan

  • Scan as root. Without UID 0 nmap cannot send raw packets: it silently falls back to a connect() scan, host discovery degrades to TCP connects on ports 80/443 instead of ICMP echo, TCP SYN and TCP ACK probes, and -sS, -sU and OS detection are not available at all.
  • Consider using the -sT scan in a more sensitive environment. The half-open connections left behind by a SYN ("stealth") scan are unusual on a normal network and are a big red flag for the blue team and IDS/IPS; a completed connect() looks like an ordinary client, although the service itself may then log the connection.

First quick scan (SYN scan of the top 1000 ports). The proxychains variant needs -sT and -Pn because a SOCKS proxy only carries full TCP connections and no ICMP or raw packets:

nmap -sS $target | tee nmap-short.txt
nmap -sS -oA nmap-short $target
proxychains4 -q nmap -Pn -sT $target | tee nmap-short.txt

Second scan (default NSE scripts plus version detection):

nmap -sC -sV $target | tee nmap-standard.txt
nmap -sC -sV -oA nmap-standard $target
proxychains -q nmap -sC -sV -sT -Pn $target | tee nmap-standard.txt

Third scan for vulnerabilities (-F limits it to the top 100 ports, -T5 is the most aggressive timing; expect false positives from the vuln scripts and verify them by hand):

nmap -sV -T5 -F $target --script vuln | tee nmap-vuln.txt
nmap -sV -oA nmap-vuln -T5 -F $target --script vuln
proxychains -q nmap -sV -T5 -sT -Pn -F $target --script vuln | tee nmap-vuln.txt

Fourth, complete TCP scan of all 65535 ports:

nmap -sS -p- $target | tee nmap-tcp-full.txt
nmap -sS -oA nmap-tcp-full -p- $target
proxychains -q nmap -sT -Pn -p- $target | tee nmap-tcp-full.txt

UDP scan (masscan sending out of the VPN interface tun0; adjust -e to your own interface):

masscan -e tun0 -p U:1-65535 --rate 2000 $target

Tip: To get a clean list of detected versions, take the open ports from the first scan and run version detection only against those ports:

nmap $target -p 22,25,80,110,111,119,2049,4555 -sV --reason
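The staged scans above as one script, added here as an example (it is not from the original page): it runs the quick SYN scan with -oA, extracts the open ports from the grepable output and runs script, version and vuln detection only against those ports, so the later stages do not waste time on the closed ones; the full -p- sweep runs last. It assumes nmap is installed and the script is run as root; the target address is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: staged nmap workflow. Run as root: ./staged-scan.sh 10.2.2.23

# Pull the open TCP ports out of nmap's grepable (.gnmap) output as "22,80,443".
# A .gnmap host line looks like (constructed sample):
#   Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (998)
open_ports() {
  grep -oE '[0-9]+/open/tcp' "$1" | cut -d/ -f1 | sort -un | tr '\n' ',' | sed 's/,$//'
}

staged_scan() {
  target="$1"
  # 1) quick SYN scan of the top 1000 ports, all output formats (.nmap/.gnmap/.xml)
  nmap -sS -oA nmap-short "$target"
  ports=$(open_ports nmap-short.gnmap)
  if [ -z "$ports" ]; then
    echo "[-] no open TCP ports in the top 1000 on $target"
    return 1
  fi
  echo "[+] open ports: $ports"
  # 2) default scripts + version detection, only on the ports found
  nmap -sC -sV --reason -p "$ports" -oA nmap-standard "$target"
  # 3) vuln scripts on the same ports (expect some false positives)
  nmap -sV --script vuln -p "$ports" -oA nmap-vuln "$target"
  # 4) full TCP sweep to catch services above the top 1000
  nmap -sS -p- -oA nmap-tcp-full "$target"
}

if [ -n "${1:-}" ]; then
  staged_scan "$1"
fi
```

Because stage 4 writes its own .gnmap, the same `open_ports nmap-tcp-full.gnmap` call gives the port list for a second -sC -sV pass over anything the top-1000 scan missed.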

Bonus: run the vulscan NSE script (scipag/vulscan) if you need more than the built-in vuln scripts.

Quick nc scan (nc writes its results to stderr, so redirect it before filtering out the closed ports):

nc -nvv -w 1 -z 10.2.2.23 1-65535 2>&1 | grep -v "Connection refused" | tee nc-scan.txt

If the nmap scans need to be faster, add something like --min-rate=10000 (faster, but noisier and more likely to miss ports on a lossy link).

Other ideas

  • Get users in the target network to click a link to a legitimate-looking page (or a page that merely shows an error, server failure, …) which collects as much information as possible from what the browser sends with the request (source IP, User-Agent, Accept-Language, Referer), optionally with a bit of JavaScript that gathers more details about the client environment (screen size, time zone, plugins).

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
