Services
Web
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if known.
It is a good way to do a quick visual triage depending on your scope.
./EyeWitness.py -f <urls.txt> --web
DNS
Dig on known domains
while read d; do dig -t a "$d" | grep "IN" | grep -v "^;" ;done < domain.txt | sort -u
Transform a list of domains with A records into a CSV file
for domain in `cat <domain_list.txt>`; do dig -t a $domain;done | egrep -v "^$|^;" | grep -P "IN\s+A" | awk '{sub(/\.$/,"",$1);print $1","$5}' > resolved_domains.csv
DNS (reverse) lookups / DNS enumeration / Subdomain brute force
whois <domain>
dig <a|txt|ns|mx> <domain> @<dns_server>
host -t <a|txt|ns|mx> <domain>
host -a <domain>
python sublist3r.py -d <domain> -b
dnsrecon -d <ip> -t std -D /usr/share/wordlists/dnsmap.txt
dnsenum <domain>
dnsmap <domain> -w /usr/share/dnsmap/wordlist_TLAs.txt
subdomain2(){ amass enum -norecursive -noalts -d $1 > $1.txt ; subjack -w $1.txt -t 100 -timeout 30 -ssl -c /root/go/src/github.com/haccer/subjack/fingerprints.json -v 3; }
Zone transfer
dig axfr <domain> @<dnsserver>
host -l <domain> <dnsserver>
DNSSEC
ldns-walk @ns1.<domain> <domain> (untested)
DNS cache snooping
Recon-ng - https://hackertarget.com/recon-ng-tutorial/
discovery/info_disclosure/cache_snoop
DHCP
nmap --script broadcast-dhcp-discover
SMB
From Linux
enum4linux -a <ip>
SMB signing
nmap <ip> --script smb-security-mode.nse -p 445
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,\
smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,\
smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse <ip>
List shares
crackmapexec <ip/range> --shares
crackmapexec <range/ip> -u <user> -p <password> -d <domain> --shares
smbclient -L <ip>
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
smbmap -H <ip> -u <user> -R -P <445/139>
Check for null login
echo exit | smbclient -L \\\\<ip>
Mount share
smb://<ip>
smbclient \\\\<ip>\\<share>
mount -t cifs "//<ip>/<targeted share>/" /mnt -o username=<FQDN_DOMAIN>/<user>
Enter anything as password if you have read rights.
smbget -R smb://<ip>/<share>/<path>/<file>
From Windows
Display sessions (needs admin rights)
net sessions
Create a session
net use \\<target_ip> [password] /u:<user>
Drop a session
net use \\<target_ip> /del
Mount a share on a target
net use * \\<target_ip>\<share> [password] /u:<user>
NetBIOS
nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <ip>
nbtscan -r <ip>/24
enum4linux -a <ip>
nmblookup -A <ip>
MSRPC / DCERPC
nmap <ip> --script=msrpc-enum
RPC
For a null session, press Enter when prompted for a password.
rpcclient -U "" <ip>
srvinfo
enumdomusers
enumalsgroups domain
lookupnames administrators
querydominfo
enumdomusers
queryuser <user>
lsaquery
lookupnames Guest
lookupnames Administrator
rpcinfo <ip>
rpcinfo -p <ip>
NFS
If you get "permission denied" but you know the owner of the directory and its UID, add a local user with the same UID on your machine and access the remote directory as that user.
useradd -u <uid> <user>
showmount -e <ip>
mount -t nfs <ip>:<path> <lpwd>
Finger
/opt/recon/Finger-User-Enumeration/finger_enum_user.sh <valid_users.txt>
WebDAV
davtest -cleanup -url http://<ip>
cadaver http://<ip>
dav:/> put <webshell.txt>
dav:/> copy <webshell.txt> <ws.asp>
SNMP
List of known OIDs
- Windows User Accounts 1.3.6.1.4.1.77.1.2.25
- Windows Running Programs 1.3.6.1.2.1.25.4.2.1.2
- Windows Hostname 1.3.6.1.2.1.1.527
- Windows TCP Ports 1.3.6.1.2.1.6.13.1.3
- Software Name 1.3.6.1.2.1.25.6.3.1.2
nmap -p 161 -sUV -A <ip>
nmap -sUV --script snmp-brute --script-args snmp-brute.communitiesdb=<dico.txt> <ip>
snmp-check <ip>
snmp-check -v2c -c public <ip>
onesixtyone -w 0 <ip>
snmpwalk -c public <-v1 -v2c -v3> <ip>
Test read and write rights
snmpset -v2c -c public <ip> <OID> s test
./snmpwn.rb -h <hosts.txt> -u <users.txt> -p <passwords.txt> -e <passwords.txt>
FTP
nmap --script=ftp* <ip>
dir -a
binary
TFTP
nmap --open -sU -p 69 <ip>/24
LDAP
ldapwhoami
ldapsearch -H ldap://<ip>
SSH
User enumeration (CVE-2018-15473) with ssh-user-enumeration.py
python ssh-enum.py --port <port> --threads 5 --outputFile ssh_users.txt --outputFormat list --userList <dico.txt> <ip>
nmap --script ssh-hostkey -p 22 <ip>/24 --open
ssh-keyscan <ip>
NTP
ntpdc -n -c monlist <ip>
nmap -sU -p 123 --script=ntp-info <ip>
SMTP
nmap --open --script smtp-enum-users -sS -p 25 -sV <ip>/24
smtp-user-enum -U </usr/share/wordlists/names.txt> -t <ip> -m 150
SSL / TLS
testssl.sh <url>
IPSec
ike-scan <ip>
ike-scan <ip> -A --id=<id> -Ppsk.txt
Oracle DB - 1521
tnscmd10g version -h <ip>
tnscmd10g status -h <ip>
auxiliary/scanner/oracle/sid_brute