Proxychains & Nmap

During a CTF I’ve been playing recently I encountered a situation where I needed to scan an internal network from a host I had a shell on. The static nmap binary I had worked fine on the host and I enumerated open ports inside the network, but I also wanted to perform version detection and run nmap scripts. Both of these require additional files which are not bundled with the static nmap, and I didn’t feel like dropping a bunch of files on the host. I decided to use proxychains to proxy nmap through a SOCKS tunnel. Complications ensued.

ClusterShell: parallel SSH on many hosts

How do you gather uptime information from a large number of remote hosts? Open a bunch of terminals and paste the command to each of them? Loop over the hosts with a shell script? Thankfully, there is a better way.

Port forwarding with SSH

Port forwarding is a foundational skill for any penetration tester or red teamer. This article covers the basics and discusses a few practical examples of port forwarding with SSH.

Incremental search with Feroxbuster

Feroxbuster is a great forced-browsing / directory-busting tool. In this article, I explore making the search more efficient by scanning at a low depth and filtering the found directories.