Scanning and Enumeration

given the following IP, what are the IP running under this subnet?

netdiscover -r



NMAP (https://www.geeksforgeeks.org/nmap-cheat-sheet/?ref=ml_lbp)

To show open port:

nmap <one or more ip addresses or domain names separated by a space>

Scan a specific range



-v verbose details of the scan

-Pn to force the scan even if the ip looks down to the ping

-sA to detect firewall settings

-sL to identify hostname by completing a DNS query for each one

-iL <filename> to scan a list of IP inside a file

-sS to check, securely, for open ports without leaving traces on the target machine

-sU to scan for UDP port

-sn to perform a ping scan, so just to check if the host is up

-p <port list separated by space or port range separated by a dash> <ip or domain address> to specify the (list of) port that you want to scan

-A that stands for Aggressive. It’s the complete scan

-O will tell you the Operating System

-Pn in this case nmap will check the target considering that the host is alive, so even the host is not alive nmap will check this target (no ping scan)


Remote Desktop Protocol is a Windows service which normally runs on the 3389 port.

So to know which machine is running RDP use nmpa and look for 3389 port opened.

There has been a data breach in the x x y stockbroker office. There are 4 valid employees account registered in a machine ( which is used in the stockbroker office: ‘guest’, ‘ceh’, ‘administrator’, ‘john’. Find out who the hacker is

  • So, open RDP with the ip address (admin/aadmin123)
  • then type “net user” to check users registered in that particular windows machine.
  • Probably in the list of the users that will appear there will be an extra user who is the hacker

Hacking Web Application


wpscan --url <websitetocheck> -e u to check the list of username of a wordpress website

wpscan --url <websitetocheck> –usernames <filenameWithUserList> –passwords <filenameWithpasswordList>

wpscan --url <websitetocheck> -u <username> -P <filenameWithpasswordList>


  • msfconsole
  • search <serviceName>
  • use <metasploitServiceName>
  • info (or show option)
  • set <param>
  • run (or exploit)


Hydra is used to test the attacks using wordlists on different protocols (FTP, SSH, HTTPS, VNC, POP3, IMAP,….

hydra -l <username> -p <password> <ipserver> <service>

for instance

hydra -l root -p rootpass ssh

hydra -L user.txt -p rootpass ssh

hydra -L user.txt -P passlist.txt ssh

Hacking Android platform

Getting access to Android using ADB

et’s first check if that port is opened:

nmap <ipAddressOfAndroidDevice> -Pn

the result should be: PORT STATE SERVICE 5555/tcp open freeciv

we can try to connect using the following command:

adb connect <ipAddressOfAndroidDevice>:<port>


adb shell


To crypt

stegsnow -C -m "super secret message" -p "passwordtousetodecodemessage" originalfile.txt filewithhiddenmessage.txt

To decrypt

stegsnow -C -p "passwordtousetodecodemessage" filewithhiddenmessage.txt