Services
Web
EyeWitness is designed to take screenshots of websites, provide some server header information, and identify default credentials where known.
./EyeWitness.py -f <urls.txt> --web
DNS
Dig on known domains
while read d; do dig -t a $d | grep "IN" | grep -v "^;" ;done < domain.txt | sort -u
Resolve a list of domains and write their A records to a CSV file (domain,address)
for domain in $(cat <domain_list.txt>); do dig -t a $domain; done | egrep -v "^$|^;" | grep -P "\sIN\s+A\s" | awk '{sub(/\.$/,"",$1);print $1","$5}' > resolved_domains.csv
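The same dig-to-CSV transformation as a reusable function, added here as an example and not part of the original notes: it only keeps class IN, type A answers (so CNAME and AAAA rows are skipped), strips the trailing dot and deduplicates; the dig output it parses is a constructed sample, not a real capture.

```shell
# parse_dig_a: reads "dig -t a" output on stdin, writes "name,address" CSV
# lines for IN A answer records only, trailing dot removed, duplicates dropped.
parse_dig_a() {
  awk '
    # skip blank lines and the ;-prefixed dig comments/section headers
    /^$/ || /^;/ { next }
    # answer line layout: name TTL class type rdata
    $3 == "IN" && $4 == "A" {
      name = $1
      sub(/\.$/, "", name)              # drop trailing dot from the FQDN
      line = name "," $5
      if (!(line in seen)) { seen[line] = 1; print line }
    }
  '
}

# Constructed sample of dig output (assumption: not a real query result).
sample_dig_output() {
  cat <<'EOF'
; <<>> DiG 9.16.1 <<>> -t a www.example.test
;; ANSWER SECTION:
www.example.test. 300 IN CNAME web.example.test.
web.example.test. 300 IN A 192.0.2.10
web.example.test. 300 IN A 192.0.2.11
web.example.test. 300 IN A 192.0.2.10

;; Query time: 12 msec
EOF
}

# resolved_csv: the CSV produced for the sample above.
resolved_csv() {
  sample_dig_output | parse_dig_a
}
```

Replace `sample_dig_output` with the real loop over a domain list (`for domain in $(cat domains.txt); do dig -t a $domain; done | parse_dig_a`) to use it on live output.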
DNS (reverse) lookups / Enumeration DNS / Brute force subdomains
whois <domain>
dig <a|txt|ns|mx> <domain> @<dns_server>
host -t <a|txt|ns|mx> <domain>
host -a <domain>
python sublist3r.py -d <domain> -b
dnsrecon -d <domain> -t std -D /usr/share/wordlists/dnsmap.txt
dnsenum <domain>
dnsmap <domain> -w /usr/share/dnsmap/wordlist_TLAs.txt
subdomain2(){ amass enum -norecursive -noalts -d $1 > $1.txt ; subjack -w $1.txt -t 100 -timeout 30 -ssl -c /root/go/src/github.com/haccer/subjack/fingerprints.json -v 3; }
Zone transfer
dig axfr <domain> @<dnsserver>
host -l <domain> <dnsserver>
DNSSec
ldns-walk @ns1.<domain> <domain> (untested)
DNS cache snooping
Recon-ng https://hackertarget.com/recon-ng-tutorial/
discovery/info_disclosure/cache_snoop
DHCP
nmap --script broadcast-dhcp-discover
SMB
From Linux
SMB signing
nmap <ip> --script smb-security-mode.nse -p 445
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,\
smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,\
smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse <ip>
List shares
crackmapexec <ip/range> --shares
crackmapexec <range/ip> -u <user> -p <password> -d <domain> --shares
smbclient -L <ip>
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
smbmap -H <ip> -u <user> -R -P <445/139>
Check for null login
echo exit | smbclient -L \\\\<ip>
Mount share GUI
smb://<ip>
smbclient \\\\<ip>\\<share>
mount -t cifs "//<ip>/<targeted share>/" /mnt -o username=<FQDN_DOMAIN>/<user>
Get a file (enter anything as the password if you have read rights)
smbget -R smb://<ip>/<share>/<path>/<file>
From Windows
Display sessions (requires admin rights)
net sessions
Create a session
net use \\<target_ip> [password] /u:<user>
Drop a session
net use \\<target_ip> /del
Mount a share on a target
net use * \\<target_ip>\<share> [password] /u:<user>
NetBIOS
nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <ip>
nbtscan -r <ip>/24
enum4linux -a <ip>
nmblookup -A <ip>
MSRPC/DCERPC
https://www.offensive-security.com/metasploit-unleashed/scanner-dcerpc-auxiliary-modules/
nmap <ip> --script=msrpc-enum
RPC
For a null session, press Enter when asked for a password
rpcclient -U "" <ip>
srvinfo
enumdomusers
enumalsgroups domain
lookupnames administrators
querydominfo
enumdomusers
queryuser <user>
lsaquery
lookupnames Guest
lookupnames Administrator
rpcinfo <ip>
rpcinfo -p <ip>
NFS
showmount -e <ip>
mount -t nfs <ip>:<path> <lpwd>
If permission is denied but you know the owner of the directory and its UID, you can add a user with the same UID on your local machine and then access the directory as that user
useradd -u <uid> <user>
Finger
Change the IP directly in the script.
/opt/recon/Finger-User-Enumeration/finger_enum_user.sh <valid_users.txt>
WebDav
davtest -cleanup -url http://<ip>
cadaver http://<ip>
dav:/> put <webshell.txt>
dav:/> copy <webshell.txt> <ws.asp>
SNMP
nmap -p 161 -sUV -A <ip>
nmap -sUV --script snmp-brute --script-args snmp-brute.communitiesdb=<dico.txt> <ip>
snmp-check <ip>
snmp-check -v2c -c public <ip>
onesixtyone -w 0 <ip>
snmpwalk <-v1|-v2c> -c public <ip>
Test for read-write access
snmpset -v2c -c public <ip> <OID> s test
Brute force SNMPv3: https://github.com/hatlord/snmpwn
./snmpwn.rb -h <hosts.txt> -u <users.txt> -p <passwords.txt> -e <passwords.txt>
OID
Windows User Accounts 1.3.6.1.4.1.77.1.2.25
Windows Running Programs 1.3.6.1.2.1.25.4.2.1.2
Windows Hostname 1.3.6.1.2.1.1.5
Windows Share Information 1.3.6.1.4.1.77.1.2.3.1.1
Windows Share Information 1.3.6.1.4.1.77.1.2.27
Windows TCP Ports 1.3.6.1.2.1.6.13.1.3
Software Name 1.3.6.1.2.1.25.6.3.1.2
FTP
nmap --script=ftp* <ip>
dir -a
binary
TFTP
nmap --open -sU -p 69 <ip>/24
LDAP
ldapwhoami
ldapsearch -H ldap://<ip>
SSH
User enumeration (CVE-2018-15473)
python ssh-enum.py --port <port> --threads 5 --outputFile ssh_users.txt --outputFormat list --userList <dico.txt> <ip>
nmap --script ssh-hostkey -p 22 <ip>/24 --open
ssh-keyscan <ip>
NTP
ntpdc -n -c monlist <ip>
nmap -sU -p 123 --script=ntp-info <ip>
SMTP
nmap --open --script smtp-enum-users -sS -p 25 -sV <ip>/24
smtp-user-enum -U </usr/share/wordlists/names.txt> -t <ip> -m 150
SSL/TLS
testssl.sh <url>
IPSec
ike-scan <ip>
ike-scan <ip> -A --id=<id> -Ppsk.txt
Oracle DB - 1521
tnscmd10g version -h <ip>
tnscmd10g status -h <ip>
auxiliary/scanner/oracle/sid_brute
Miscellaneous
enum4linux -a <ip>
OS
nmap -O -sV <ip>
xprobe2 <ip>
Resources
- http://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html
- http://0daysecurity.com/penetration-testing/enumeration.html