Services

DNS

Dig on known domains (sort must come before uniq, otherwise non-adjacent duplicates survive)
while read -r d; do dig -t a "$d" | grep "IN" | grep -v "^;"; done < domain.txt | sort | uniq
Transform a list of domains into a name,IP CSV file from their A records
while read -r domain; do dig -t a "$domain"; done < <domain_list.txt> | grep -E -v "^$|^;" | grep -E "IN[[:space:]]+A" | awk '{sub(/\.$/,"",$1);print $1","$5}' > resolved_domains.csv
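
The same conversion as a reusable script, added here as an example rather than taken from the original cheat sheet. It assumes standard `dig -t a` output; the dig output embedded below is a constructed sample (TEST-NET addresses), so the parsing runs without network access, and `resolve_domains_to_csv` is the networked wrapper.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): turn `dig -t a` output
# into a name,ip CSV. SAMPLE_DIG is constructed sample data with TEST-NET
# addresses; the functions work on real dig output piped into them.

SAMPLE_DIG='; <<>> DiG 9.18.0 <<>> -t a www.example.test
;; ANSWER SECTION:
www.example.test.   300   IN   CNAME   example.test.
example.test.       300   IN   A       192.0.2.10
example.test.       300   IN   A       192.0.2.11

;; Query time: 12 msec'

# Keep only answer lines that are A records (CNAME/NS lines are dropped),
# strip the trailing dot from the owner name and print name,ip.
# sort runs before uniq so that non-adjacent duplicates are also collapsed.
a_records_to_csv() {
  grep -v '^;' | grep -v '^$' \
    | awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1 "," $5 }' \
    | sort | uniq
}

# Resolve every domain listed in $1 (one per line, real network use) and
# write the CSV to $2.
resolve_domains_to_csv() {
  while IFS= read -r d; do
    [ -n "$d" ] && dig -t a "$d"
  done < "$1" | a_records_to_csv > "$2"
}

# Demonstration on the constructed sample (no network needed):
printf '%s\n' "$SAMPLE_DIG" | a_records_to_csv
```

Usage: `resolve_domains_to_csv domain_list.txt resolved_domains.csv`. CNAME chains are followed by dig itself, so the A records of the canonical name end up in the CSV under that name.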
DNS lookups / Enumeration DNS / Brute force subdomains
whois <domain>
dig <a|txt|ns|mx> <domain> @<dns_server>
host -t <a|txt|ns|mx> <domain>
host -a <domain>
python sublist3r.py -d <domain> -b
dnsrecon -d <ip> -t std -D /usr/share/wordlists/dnsmap.txt
dnsenum <domain>
dnsmap <domain> -w /usr/share/dnsmap/wordlist_TLAs.txt
Zone transfer
dig axfr <ip> @<dnsserver>
host -l <domain_name> <dnsserver>
DNSSec
ldns-walk @ns1.<domain> <domain> (untested)
DNS cache snooping

Recon-ng https://hackertarget.com/recon-ng-tutorial/

discovery/info_disclosure/cache_snoop

SMB

From Linux

SMB signing

nmap <ip> --script smb-security-mode.nse -p 445
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,\
smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,\
smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse <ip>
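
The point of the smb-security-mode scan is the message_signing line: a host that does not require signing should be fixed (RequireSecuritySignature=1 on Windows, "server signing = mandatory" in Samba). The following script is an added example, not part of the original cheat sheet, that pulls that line out of nmap output for every scanned host and lists the hosts to fix. The nmap output embedded below is a constructed sample with TEST-NET addresses; pipe real nmap output into the functions.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): extract the message_signing
# result of `nmap --script smb-security-mode` per host and list the hosts where
# signing is not required. SAMPLE_NMAP is a constructed sample.

SAMPLE_NMAP='Nmap scan report for 192.0.2.5
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for dc01.example.test (192.0.2.6)
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required'

# Print one "host,signing-status" line per host that returned a result.
# The host is taken from the "Nmap scan report for" header (the address in
# parentheses when nmap prints a hostname first).
smb_signing_per_host() {
  awk '
    /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
    /message_signing:/      { sub(/.*message_signing: */, ""); print host "," $0 }
  '
}

# Hosts whose SMB server does not require signing: the ones to remediate.
smb_signing_not_required() {
  smb_signing_per_host | awk -F, '$2 !~ /^required/ { print $1 }'
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_NMAP" | smb_signing_not_required
```

Usage: `nmap -p 445 --script smb-security-mode <range> | smb_signing_not_required`. The per-host function keeps the full status text ("disabled (dangerous, but default)", "supported", "required") for reporting.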

List shares

crackmapexec <ip/range> --shares
crackmapexec <range/ip> -u <user> -p <password> -d <domain> --shares
smbclient -L <ip>
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
smbmap -H <ip> -u <user> -R -P <445/139>

Check for null login

echo exit | smbclient -L \\\\<ip>

Mount share GUI

smb://<ip>
smbclient \\\\<ip>\\<share>
mount -t cifs "//<ip>/<targeted share>/" /mnt -o username=<FQDN_DOMAIN>/<user>

Get file
Enter anything as the password if you have read rights

smbget -R smb://<ip>/<share>/<path>/<file>
From Windows

Display sessions (need admin rights)

net sessions

Create a session

net use \\<target_ip> [password] /u:<user>

Drop a session

net use \\<target_ip> /del

Mount a share on a target

net use * \\<target_ip>\<share> [password] /u:<user>

NetBIOS

nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <ip>
nbtscan -r <ip>/24
enum4linux -a <ip>
nmblookup -A <ip>

MSRPC / DCERPC

https://www.offensive-security.com/metasploit-unleashed/scanner-dcerpc-auxiliary-modules/

nmap <ip> --script=msrpc-enum

RPC

For a null session, press Enter when asked for the password

rpcclient -U "" <ip>
srvinfo
enumdomusers
enumalsgroups domain
lookupnames administrators
querydominfo
queryuser <user>
lsaquery
lookupnames Guest
lookupnames Administrator
rpcinfo <ip>
rpcinfo -p <ip>

NFS

showmount -e <ip>
mount -t nfs <ip>:<path> <lpwd>

If permission is denied but you know the owner of the directory and its UID, add a user with the same UID on your local machine and then access the directory as that user (NFSv3 trusts the numeric UID the client presents)

useradd -u <uid> <user>
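
The UID trick works because the server trusts client UIDs unless the export squashes them and restricts who may mount it. The script below is an added example, not part of the original cheat sheet, that audits an /etc/exports file for the settings that make it possible: wildcard clients, no_root_squash, and exports without all_squash. The exports content embedded below is a constructed sample; feed a real file on stdin to audit it.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): audit /etc/exports for
# world-mountable shares, no_root_squash, and exports that trust client UIDs
# (no all_squash). SAMPLE_EXPORTS is a constructed sample.

SAMPLE_EXPORTS='# constructed sample exports file
/srv/backup   *(rw,sync,no_root_squash)
/srv/public   *(ro,sync,root_squash)
/home         192.0.2.0/24(rw,sync,root_squash)
/srv/scratch  192.0.2.0/24(rw,sync,all_squash,anonuid=65534,anongid=65534)'

# Reads an exports file on stdin and prints one finding per line as
# "path client reason". Each export line is "path client(opts) [client(opts) ...]".
audit_exports() {
  grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match(client, /\(.*\)/)) {
          opts   = substr(client, RSTART + 1, RLENGTH - 2)
          client = substr(client, 1, RSTART - 1)
        }
        # anyone who can reach the server may mount this export
        if (client == "*") print path, client, "world-mountable"
        # a client root is root on the export
        if (opts ~ /(^|,)no_root_squash(,|$)/) print path, client, "no_root_squash"
        # without all_squash, whatever UID the client presents is honoured
        if (opts !~ /(^|,)all_squash(,|$)/) print path, client, "uids-trusted"
      }
    }'
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

Usage: `audit_exports < /etc/exports`. On the sample, /srv/scratch produces no findings because it is limited to one subnet and squashes every UID; the two wildcard exports and the unsquashed /home export are reported.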

Finger

Change the IP directly in the script.

/opt/recon/Finger-User-Enumeration/finger_enum_user.sh <valid_users.txt>

WebDav

davtest -cleanup -url http://<ip>
cadaver http://<ip>
dav:/> put <webshell.txt>
dav:/> copy <webshell.txt> <ws.asp>

SNMP

nmap -p 161 -sUV -A <ip>
nmap -sUV --script snmp-brute --script-args snmp-brute.communitiesdb=<dico.txt> <ip>
snmp-check <ip>
snmp-check -v2c -c public <ip>
onesixtyone -w 0 <ip>
snmpwalk -c public <-v1 -v2c -v3> <ip>

Test write access (RW community)

snmpset -v2c -c public <ip> <OID> s test

Brute force SNMPv3
https://github.com/hatlord/snmpwn

./snmpwn.rb -h <hosts.txt> -u <users.txt> -p <passwords.txt> -e <passwords.txt>

OID

Windows User Accounts        1.3.6.1.4.1.77.1.2.25
Windows Running Programs     1.3.6.1.2.1.25.4.2.1.2
Windows Hostname             1.3.6.1.2.1.1.5
Windows Share Information    1.3.6.1.4.1.77.1.2.3.1.1
Windows Share Information    1.3.6.1.4.1.77.1.2.27
Windows TCP Ports            1.3.6.1.2.1.6.13.1.3
Software Name                1.3.6.1.2.1.25.6.3.1.2

FTP

nmap --script=ftp* <ip>
dir -a
binary

TFTP

nmap --open -sU -p 69 <ip>/24

LDAP

ldapwhoami
ldapsearch -H ldap://<ip>

SSH

User enumeration (CVE-2018-15473)

python ssh-enum.py --port <port> --threads 5 --outputFile ssh_users.txt --outputFormat list --userList <dico.txt> <ip>
nmap --script ssh-hostkey -p 22 <ip>/24 --open
ssh-keyscan <ip>

NTP (not tested)

ntpdc -n -c monlist <ip>
nmap -sU -p 123 --script=ntp-info <ip>

SMTP (not tested)

nmap --open --script smtp-enum-users -sS -p 25 -sV <ip>/24
smtp-user-enum -U </usr/share/wordlists/names.txt> -t <ip> -m 150

SSL / TLS

testssl.sh <url>

IPSec

ike-scan <ip>
ike-scan <ip> -A --id=<id> -Ppsk.txt

Oracle DB - 1521

tnscmd10g version -h <ip>
tnscmd10g status -h <ip>
auxiliary/scanner/oracle/sid_brute

Miscellaneous

enum4linux -a <ip>

OS

nmap -O -sV <ip>
xprobe2 <ip>

Resources

http://0daysecurity.com/penetration-testing/enumeration.html