Whoami
  • Welcome
  • Home Lab: C2 Detection, Ransomware Defense & YARA Automation
    • SOC Lab – What is this Lab about ?
    • Part 1 - Setting Up the Environment
    • Part 2 - Detecting C2 Activity
    • Part 3 - Credential Dumping & Threat Detection
    • Part 4 - Blocking Ransomware
    • Part 5 - Reducing False Positives
    • Part 6 - Automated YARA Scanning
  • Automation Lab - Home Project
    • Sysmon Installation
    • Wazuh & TheHive: Installation, Configuration, and Optimization
    • Tracking Mimikatz Activity with Wazuh & Sysmon Logs
    • End-to-End Alert Automation: Wazuh → Shuffle → TheHive
  • Active Directory Attack Lab: Recon-to-Root
    • Reconnaissance Phase
      • 1. Full TCP Port Scan on Target Host
      • 2. Service and Version Detection
      • 3. Null Session SMB Enumeration
      • 4. LDAP Anonymous Bind Check
      • 5. Kerberos Username Enumeration
      • 6. Password Brute Force via SMB Login
    • Exploitation Phase
      • 7. Dump Domain Information via LDAP
      • 8. Perform Remote AD Recon with BloodHound
      • 9. Set Up Neo4j and Launch BloodHound GUI
      • 10. Abuse ForceChangePassword Right via RPC
      • 11. Validate New Credentials via WinRM
      • 12. Enumerate Local Privileges and AutoLogon
      • 13. Reuse Administrator Credentials
      • 14. Capture the User Flag
  • QRadar101 Lab Challenge
    • Scenario and Instructions
    • The Walkthrough
Powered by GitBook
On this page
  1. Active Directory Attack Lab: Recon-to-Root
  2. Reconnaissance Phase

1. Full TCP Port Scan on Target Host

PreviousReconnaissance PhaseNext2. Service and Version Detection

Last updated 25 days ago

1. Full TCP Port Scan on Target Host

To begin any pentest, you must discover what services the machine is running. A full TCP port scan helps uncover all active ports, even if services are running on unusual ports.

Tool Used: nmap

Chosen for its speed, versatility, and accuracy in network scanning.

nmap -Pn -sS -p- 192.168.10.4

  • -Pn: Skip ping (Treat host as online)

  • -sS: SYN scan for stealth and speed (if you are not root, run it with sudo)

  • -p-: Scan all 65535 TCP ports

Hints & Tips:

  1. Always scan all ports (-p-) to avoid missing hidden services.

  2. Use -Pn if ICMP is blocked or when you treat host as online.