Skip to content

Enumeration

TCP

nmap -sS -sV -sC -n [IP] nmap -vv -Pn -A -sC -sS -T 4 -p- 10.0.0.1

UDP

nmap -sU -sV -n --top-ports 200 [IP]

SNMP (UDP 161)

snmp-check -t [IP] -c public

SMTP

nmap –script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1

SNMP

snmpwalk -c public -v1 10.0.0.0

SMB (TCP 139/TCP 445)

enum4linux [IP]

WebDav

davtest -url http(s)://[IP]

FTP:

ftp [IP]
Username: anonymous Password: anonymous
nmap –script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1

SMB (anonymous)

smbclient -L \\[IP]
Username: root Password: None
enum4linux 10.0.0.1
nmap –script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse 10.0.0.1

MySQL

nmap -sV -Pn -vv –script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306

Web Applications

Structure Discovery

dirb http://10.0.0.1 /usr/share/wordlists/dirb/common.txt

Vulnerability Discovery

nikto -h http(s)://[IP]:[PORT]/[DIRECTORY]

Password Attacks

  • https://hashkiller.co.uk
john hashes.txt
hashcat -m 500 -a 0 -o output.txt –remove hashes.txt /usr/share/wordlists/rockyou.txt
hydra 10.0.0.1 http-post-form “/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid” -P /usr/share/wordlists/rockyou.txt -l admin

hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://10.0.0.1

Tunneling

Tunnels traffic through 10.0.0.1 and makes a route for all traffic destined for 10.10.10.0/24 through your sshuttle tunnel.

sshuttle -r root@10.0.0.1 10.10.10.0/24
sshuttle -l (any port) -r root@10.10.0.1 10.10.0.0/24

AV Bypassing

root@kali:~/Hyperion-1.0# wine hyperion.exe ../backdoor.exe ../backdoor_mutation.exe

https://github.com/furrukhtaj/Enumerator

Scripts from awansec

https://awansec.com/oscp-review.html