Enumeration¶

TCP¶

nmap -sS -sV -sC -n [IP] nmap -vv -Pn -A -sC -sS -T 4 -p- 10.0.0.1

UDP¶

nmap -sU -sV -n --top-ports 200 [IP]

SNMP (UDP 161)¶

snmp-check -t [IP] -c public

SMTP¶

nmap –script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1

SNMP¶

snmpwalk -c public -v1 10.0.0.0

SMB (TCP 139/TCP 445)¶

enum4linux [IP]

WebDav¶

davtest -url http(s)://[IP]

FTP:¶

ftp [IP]
Username: anonymous Password: anonymous

nmap –script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1

SMB (anonymous)¶

smbclient -L \\[IP]
Username: root Password: None

enum4linux 10.0.0.1

nmap –script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse 10.0.0.1

MySQL¶

nmap -sV -Pn -vv –script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306

Web Applications¶

Structure Discovery¶

dirb http://10.0.0.1 /usr/share/wordlists/dirb/common.txt

Vulnerability Discovery¶

nikto -h http(s)://[IP]:[PORT]/[DIRECTORY]

Password Attacks¶

https://hashkiller.co.uk

john hashes.txt
hashcat -m 500 -a 0 -o output.txt –remove hashes.txt /usr/share/wordlists/rockyou.txt

hydra 10.0.0.1 http-post-form “/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid” -P /usr/share/wordlists/rockyou.txt -l admin

hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://10.0.0.1

Tunneling¶

Tunnels traffic through 10.0.0.1 and makes a route for all traffic destined for 10.10.10.0/24 through your sshuttle tunnel.

sshuttle -r root@10.0.0.1 10.10.10.0/24

sshuttle -l (any port) -r root@10.10.0.1 10.10.0.0/24

AV Bypassing¶

root@kali:~/Hyperion-1.0# wine hyperion.exe ../backdoor.exe ../backdoor_mutation.exe

https://github.com/furrukhtaj/Enumerator

Scripts from awansec¶

https://awansec.com/oscp-review.html