Network Enumeration for Pivoting
#Overview
Before selecting a pivoting technique, you must understand the compromised host's network posture: which interfaces exist, what networks are reachable, what services are listening, and what egress filtering is in place. Skipping this step leads to failed tunnels, wasted time, and detection from noisy failed connections.
#Interface Discovery
#Linux
# All interfaces with IPs (iproute2; the authoritative view of what is configured now)
ip addr show
# Brief interface list: one line per interface with name, state and addresses
ip -br addr show
# Link-level information (MAC, MTU, state)
ip link show
# Wireless interfaces (needs the iw utility, which many server builds lack)
iw dev
# Skip loopback
# NOTE(review): '^lo' drops every interface whose name starts with "lo", not
# just the loopback device — harmless on most hosts, but worth knowing
ip -br addr show | grep -v '^lo'
# Static interface config files. These only exist for the legacy config
# systems; hosts managed by NetworkManager or netplan may have neither file.
cat /etc/network/interfaces # Debian/Ubuntu (ifupdown)
cat /etc/sysconfig/network-scripts/ifcfg-* # RHEL/CentOS (network-scripts)
BASH
#Windows
# All adapters with full details (classic built-in; works on every Windows version)
ipconfig /all
# Brief adapter list
# NOTE: the Get-Net* cmdlets below come from the NetAdapter/NetTCPIP/DnsClient
# modules (Windows 8 / Server 2012 and later); on older hosts fall back to
# ipconfig, route and arp.
Get-NetAdapter | Format-Table Name, Status, MacAddress, LinkSpeed
# IP addresses per adapter (PrefixLength is the CIDR mask, e.g. 24 = 255.255.255.0)
Get-NetIPAddress | Format-Table InterfaceAlias, IPAddress, PrefixLength
# DNS servers configured per adapter
Get-DnsClientServerAddress | Format-Table InterfaceAlias, ServerAddresses
POWERSHELL
#Routing Table Analysis
#Linux
# Full routing table (the main table; if policy routing is in use, additional
# tables are only visible via `ip rule` / `ip route show table <name>`)
ip route show
# IPv6 routing table
ip -6 route show
# Route the kernel would actually choose for a specific target
# (172.16.0.10 is an example address — substitute the real destination)
ip route get 172.16.0.10
# Default gateway
ip route | grep default
# ARP cache (neighbors on same segment). Entries carry a state such as
# REACHABLE, STALE or FAILED — a listed entry is not proof the host is up now.
ip neigh show
# Neighbor cache for IPv6 (NDP, the IPv6 counterpart of ARP)
ip -6 neigh show
BASH
#Windows
# Full routing table (IPv4 and IPv6 sections, plus persistent routes)
route print
# IPv6 routing table only
route print -6
# Get specific route (example prefix — substitute the network of interest)
Get-NetRoute -DestinationPrefix "172.16.0.0/24"
# Default gateway (the 0.0.0.0/0 route; NextHop is the gateway address)
Get-NetRoute -DestinationPrefix "0.0.0.0/0"
# ARP cache (neighbor table); like Linux, entries have a State and a
# cached entry does not guarantee the host is currently reachable
Get-NetNeighbor | Format-Table IPAddress, LinkLayerAddress, InterfaceAlias
POWERSHELL
#ARP Cache and Neighbor Discovery
# Linux ARP cache (legacy net-tools command; `ip neigh show` is the iproute2
# equivalent and is more likely to be present on minimal installs)
arp -a
# Linux NDP (IPv6 neighbors)
ip -6 neigh show
# Windows ARP cache (same command name, built in on every Windows version)
arp -a
# Windows NDP (IPv6 neighbor table)
Get-NetNeighbor -AddressFamily IPv6
BASH
#Using ARP to Discover Hosts
# ARP scan on Linux — active: sends a broadcast ARP request for every address
# on the local segment. Typically needs elevated privileges (raw sockets) and
# is easy to spot in network monitoring. eth0 is an example interface name.
arp-scan --interface=eth0 --localnet
# Quick ARP sweep
# NOTE(review): `arp -a <addr>` only prints the existing cache entry for that
# address — this loop reads the local cache and does not itself generate ARP
# traffic, so it is a cache dump rather than a sweep. Confirm the intent.
for i in $(seq 1 254); do arp -a 192.168.1.$i 2>/dev/null; done
# Passive ARP monitoring (sends nothing; shows who is talking on the segment;
# typically needs elevated privileges for packet capture)
tcpdump -i eth0 -nn -e arp
BASH
#Listening Services and Connections
#Linux
# Listening TCP sockets (-t selects TCP only — add -u to include UDP listeners),
# numeric addresses (-n), with the owning process (-p; process details for
# other users' sockets usually require root)
ss -tlnp
# Non-listening TCP sockets (established and other states) with owning process
ss -tnp
# Services bound to loopback only — unreachable from the network, so these
# are exactly the things a tunnel through this host would expose
# (basic-regex alternation matching the IPv4 and IPv6 loopback addresses;
# note it matches those substrings anywhere on the line)
ss -tlnp | grep '127.0.0.1\|::1'
# Connections belonging to one process (<PID> is a placeholder; the grep also
# matches the number if it appears elsewhere on the line, e.g. as a port)
ss -tnp | grep <PID>
BASH
#Windows
# All listening ports (TCP only — see Get-NetUDPEndpoint below for UDP)
Get-NetTCPConnection -State Listen | Format-Table LocalAddress, LocalPort, OwningProcess
# Services bound to localhost
# NOTE(review): this matches only the IPv4 loopback; listeners bound to the
# IPv6 loopback (::1) are not shown, whereas the Linux check greps for both.
Get-NetTCPConnection -State Listen -LocalAddress "127.0.0.1" | Format-Table LocalPort, OwningProcess
# Established connections (RemoteAddress/RemotePort reveal peers this host talks to)
Get-NetTCPConnection -State Established | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort
# UDP listeners (the object also exposes OwningProcess if the owner matters)
Get-NetUDPEndpoint | Format-Table LocalAddress, LocalPort
POWERSHELL
#Egress Testing
Before selecting a tunnel technique, test which protocols and ports are permitted outbound.
#TCP Egress
# Test specific port outbound (<your_server> is a placeholder for a host you
# control). Without -f, curl exits 0 on any HTTP response and non-zero only
# when the connection itself fails, so "OK" means the TCP connection
# completed. The 443 check sends plaintext HTTP to 443 — it proves
# connectivity only, not that TLS would succeed.
curl -s http://<your_server>:80 --connect-timeout 5 && echo "TCP 80 OK"
curl -s http://<your_server>:443 --connect-timeout 5 && echo "TCP 443 OK"
curl -s http://<your_server>:8080 --connect-timeout 5 && echo "TCP 8080 OK"
# Test with netcat (-z: connect only, send no data; -v: report the result).
# No timeout is given here, so a silently dropped connection may hang until
# the OS gives up; -z/-v behaviour also differs between netcat variants.
nc -zv <your_server> 22 && echo "TCP 22 OK"
nc -zv <your_server> 443 && echo "TCP 443 OK"
nc -zv <your_server> 53 && echo "TCP 53 OK"
BASH
#DNS Egress
# Test DNS resolution. nslookup/host use the host's configured resolver;
# the `@8.8.8.8` form queries an external resolver directly and therefore
# shows whether raw UDP/53 egress to the internet is allowed, which is a
# different question from "can names be resolved at all".
nslookup <your_domain>
dig <your_domain> @8.8.8.8
host <your_domain>
# Test DNS over TCP (some firewalls only allow UDP/53 outbound)
dig +tcp <your_domain> @8.8.8.8
BASH
#ICMP Egress
# Test ICMP outbound (8.8.8.8 is just a well-known external address)
ping -c 3 8.8.8.8
# Windows
# NOTE(review): Test-NetConnection with no -Port performs an ICMP echo test;
# passing -Port 0 is unlikely to be a valid or intended ICMP check — confirm
# and consider dropping the -Port argument here.
Test-NetConnection -ComputerName 8.8.8.8 -Port 0
BASH
#PowerShell Egress Testing
# Test TCP connection on a specific port (<your_server> is a placeholder)
Test-NetConnection -ComputerName <your_server> -Port 443
# Test multiple ports. -WarningAction SilentlyContinue suppresses the
# "TCP connect failed" warning so only the "<port>: True/False" line prints.
22,80,443,8080,8443,53 | ForEach-Object {
$result = Test-NetConnection -ComputerName <your_server> -Port $_ -WarningAction SilentlyContinue
"$($_): $($result.TcpTestSucceeded)"
}
POWERSHELL
#Automated Egress Checker
# Quick egress test script. /dev/tcp/<host>/<port> is a bash builtin
# pseudo-device (not a real file), hence the explicit `bash -c`; <your_server>
# is a placeholder for a host you control. Because of `timeout 3`, a
# connection that is silently dropped and one that is actively refused both
# report CLOSED — the script does not distinguish filtered from closed. The
# `a && b || c` form is acceptable here only because the `echo` in the
# success branch cannot realistically fail.
for port in 22 53 80 443 8080 8443 8888 9090; do
timeout 3 bash -c "echo >/dev/tcp/<your_server>/$port" 2>/dev/null && echo "Port $port: OPEN" || echo "Port $port: CLOSED"
done
# Or with nmap from the pivot host (-Pn skips host discovery so a non-pinging
# target is still probed; --open shows only ports that answered)
nmap -p 22,53,80,443,8080,8443 <your_server> -Pn --open
BASH
#Firewall Rule Discovery
#Linux (iptables)
# All iptables rules in the filter table (-L lists one table at a time,
# -n numeric, -v shows counters and interfaces; needs root)
sudo iptables -L -n -v
# NAT rules live in a separate table, hence -t nat
sudo iptables -t nat -L -n -v
# nftables (newer systems). On many distributions iptables is a compatibility
# layer over nftables, so check both rather than assuming one is empty.
sudo nft list ruleset
# UFW status (a front-end; "inactive" only means UFW is not managing rules,
# not that no iptables/nft rules exist)
sudo ufw status verbose
BASH
#Windows
# All firewall rules (includes disabled ones — check the Enabled column)
Get-NetFirewallRule | Format-Table DisplayName, Enabled, Direction, Action
# Enabled inbound rules
Get-NetFirewallRule -Direction Inbound | Where-Object { $_.Enabled -eq 'True' } | Format-Table DisplayName, Action
# Enabled outbound *block* rules — the ones that constrain egress
Get-NetFirewallRule -Direction Outbound | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' } | Format-Table DisplayName
# Specific port rules
# NOTE(review): LocalPort is a string value that may be "Any" or a range such
# as "80-90", so an exact -eq 443 misses rules that still cover 443 — confirm
# this is acceptable for the check being made.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 443 }
POWERSHELL
#IPv6 Network Discovery
IPv6 is often unfiltered because security teams focus on IPv4. This makes it a powerful pivoting channel.
# IPv6 addresses (a link-local fe80:: address is present on any IPv6-enabled
# interface even where IPv6 is not deliberately deployed)
ip -6 addr show
# IPv6 routing
ip -6 route show
# IPv6 neighbor cache (NDP — the IPv6 counterpart of ARP)
ip -6 neigh show
# Multicast ping to the all-nodes address (hosts on the segment that answer
# reveal themselves; %eth0 selects the interface and is required for
# link-local scope). On recent iputils, ping6 may be spelled `ping -6`.
ping6 -c 2 ff02::1%eth0
# NDP router discovery (rdisc6 ships in the ndisc6 package)
rdisc6 eth0
# IPv6 traceroute (<target> is a placeholder)
traceroute6 <target>
# THC-IPv6 toolkit (Kali)
# NOTE(review): "atool" does not match a THC-IPv6 tool name I can confirm
# (the toolkit's binaries are typically prefixed atk6-); verify the intended
# command before relying on this line.
atool -i eth0 # IPv6 address tool
BASH
#Windows IPv6
# IPv6 addresses (link-local fe80:: entries appear even with no IPv6 deployment)
Get-NetIPAddress -AddressFamily IPv6 | Format-Table IPAddress, InterfaceAlias
# IPv6 routing (a ::/0 entry with a NextHop indicates an IPv6 default gateway)
Get-NetRoute -AddressFamily IPv6 | Format-Table DestinationPrefix, NextHop
# IPv6 neighbors (NDP cache)
Get-NetNeighbor -AddressFamily IPv6 | Format-Table IPAddress, LinkLayerAddress
POWERSHELL
#Quick Reference: Enumeration Checklist
# ── Linux ──
ip -br addr show # Interfaces
ip route show # Routes (main table)
ip neigh show # ARP neighbors (cached; entries may be STALE)
ss -tlnp # Listening TCP ports (add -u for UDP)
iptables -L -n -v # Firewall (filter table; needs root — see the sudo form above)
cat /etc/resolv.conf # DNS config (on systemd-resolved hosts this may only show a local stub address)
ip -6 addr show # IPv6 addresses
ip -6 route show # IPv6 routes
# ── Windows ──
ipconfig /all # Interfaces
route print # Routes
arp -a # ARP cache
Get-NetTCPConnection -State Listen # Listening ports (TCP)
Get-NetFirewallRule # Firewall (includes disabled rules)
Get-NetIPAddress -AddressFamily IPv6 # IPv6
# ── Egress testing ──
# (<server>/<domain> are placeholders; "success" means the connection completed,
# see the egress section above for the caveats of each check)
curl -s http://<server>:443 --connect-timeout 5 # HTTP egress
nslookup <domain> # DNS egress (via the configured resolver)
ping -c 3 8.8.8.8 # ICMP egress
BASH
#Cross-References
- 07 - Post-Exploitation: Situational Awareness — Full situational awareness methodology
- 03 - Enumeration — Detailed enumeration techniques
- SOCKS & HTTP Proxies — Next step: establish a proxy after enumeration
- SSH Port Forwarding — Forward specific ports after discovering targets