## Enum

| Nmap | Description |
|---|---|
| Host discovery and scanning | |
| `nmap <IP>/<CIDR> -sn -oA tnet \| grep for \| cut -d" " -f5` | Scan a network range, saving results |
| `nmap -sn -oA tnet -iL hosts \| grep for \| cut -d" " -f5` | Scan the hosts listed in a file, saving results |
| `nmap -sn -oA tnet <IP1> <IP2> <IP3> \| grep for \| cut -d" " -f5` | Scan specific hosts, saving results |
| `nmap -sn -oA tnet <IP.x-y> \| grep for \| cut -d" " -f5` | Scan a specific IP range, saving results |
| `--packet-trace` | Show all packets sent and received |
| `--reason` | Show why Nmap considers a host alive |
| `-PE` | Use ICMP Echo requests for host discovery (Nmap still prefers ARP on the local network) |
| `--disable-arp-ping` | Disable ARP ping |
| `nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP> -oG allPorts` | Fast scan of all ports, listing only open ones and writing grepable output to the `allPorts` file |
| `nmap -sCV -p<ports> <IP>` | Default NSE scripts plus service/version detection on specific ports |
| `-Pn` | Skip host discovery (no ping probes; treat the host as up) |
| `-n` | Disable DNS resolution |
| `-sS` | SYN (stealth) scan: does not complete the three-way handshake, so it is faster and less noisy |
| `-sT` | TCP connect scan (the default when Nmap lacks raw-socket privileges): completes the three-way handshake to determine port state (noisy, but polite) |
| `-sU` | UDP scan |
| `--initial-rtt-timeout`, `--max-rtt-timeout` | Time to wait for a response from a probed port |
| `--max-retries` | Maximum number of probe retransmissions per port |
| `--min-rate` | Minimum number of packets to send per second |
| `-T 0-5` | Timing templates; `T3` is the default |
| NSE | |
| `auth` | Scripts dealing with authentication credentials |
| `broadcast` | Host discovery via broadcast; reports the discovered hosts |
| `brute` | Brute-force logins against services with credential lists |
| `default` (`sudo nmap <target> -sC`) | Default scripts (the `-sC` set) |
| `discovery` | Discovery of accessible services |
| `dos` | Check whether the host is vulnerable to DoS |
| `exploit` | Exploit known vulnerabilities on the scanned port |
| `external` | Scripts that use external services for further processing |
| `fuzzer` | Send unexpected or randomized fields to find vulns and packet-handling bugs (can take a long time) |
| `intrusive` | Intrusive scripts that could negatively affect the target system |
| `malware` | Check whether the target system is infected by malware |
| `safe` | Defensive scripts that perform no intrusive or destructive access |
| `version` | Extension of service/version detection |
| `vuln` | Identification of specific vulnerabilities |
| `nmap <IP> --script <category>` | Run a specific script category |
| `nmap <IP> --script <script-name>,<script-name>,...` | Run specific scripts |
| `nmap -sV --script=banner -p<ports> <IP>` | Banner grabbing |
| `locate scripts/<script-name>` | Locate available NSE scripts on disk |
| `nmap --script-updatedb` | Update the NSE script database |
| Firewall and IDS/IPS evasion | |
| `-sA` | TCP ACK scan: sends packets with only the ACK flag set, which stateless filters find harder to block |
| `-D RND:5` | Decoy scan: mixes the real probe with 5 random decoy source IP addresses |
| `-f` | Packet fragmentation |
| `--mtu` | Set the maximum transmission unit used when fragmenting, adjusting packet size to get past filters |
| `--data-length 21` | Append the given number of random bytes to each packet |
| `-S <IP>` | Specify the source IP address for the scan |
| `--spoof-mac` | Spoof the source MAC address |
| `-g 53` | Specify the source port for the scan |
| `-e tun0` | Specify the source interface for the scan |
| `--dns-server <ns>,<ns>` | Specify the DNS servers used for the scan |
| `ncat -nv --source-port 53 <IP> 50000` | Connect to a port with netcat from source port 53/tcp (accepted by the firewall) |
| Output | |
| `-oN filename` | Normal format |
| `-oA filename` | All available formats |
| `-oG filename` | Grepable format |
| `-oX filename` | XML format |
| `xsltproc target.xml -o target.html` | Convert XML output to HTML |

| Nmap alternatives | Description |
|---|---|
| `masscan -p<ports> -Pn <IP>/<CIDR> --rate=10000` | Fast port scanner, a valid alternative to Nmap |
| `arp-scan -I eth0 --localnet --ignoredups` | ARP scan of the local network |
| `netdiscover` | Utility to scan the local network |
| `ping -c 1 <IP>` | Single ICMP echo request |
| `echo '' > /dev/tcp/<IP>/80` | TCP connect via Bash's `/dev/tcp` pseudo-device, an alternative when ICMP is filtered |

## Web Enum

| Web Enum | Description |
|---|---|
| `curl -IL https://<IP>` | Grab the website's headers/banner |
| `curl -k https://<IP>` | Skip the SSL certificate check |
| `whatweb <IP>` | List details about the web server/certificates |
| `whatweb --no-errors <IP>/16` | Web application enumeration across a network |
| `Ctrl+U` | View page source (in Firefox) |
| `gobuster dir -u http://<IP>/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20` | Directory scan of a website using 20 threads |
| `gobuster dns -d <domain> -w /usr/share/SecLists/Discovery/DNS/namelist.txt -t 20` | Active subdomain enumeration using 20 threads |
| `openssl s_client -connect <IP>:443` | Inspect the site's SSL certificate |
| `sslscan <IP>` | Check an HTTPS site's TLS configuration for weaknesses |

## FTP

| Command | Description |
|---|---|
| `ftp <IP>` | Connect to FTP |
| `status` | Overview of the server's settings |
| `debug`, `trace` | Show additional information about the operations |
| `ls -R` | Recursive listing (if enabled) |
| `get` | Download a file |
| `wget -m --no-passive ftp://anonymous:anonymous@<IP>` | Download all available files |
| `put` | Upload a file from the current folder |
| `openssl s_client -connect <IP>:21 -starttls ftp` | Connect to an FTP server that uses TLS/SSL |

## SMB

| Command | Description |
|---|---|
| `smbclient -N -L //<IP>` | Null-session ('guest') authentication on SMB: list shares |
| `smbclient //<IP>/<share> -N` | Null-session ('guest') access to an SMB share |
| `smbclient //<IP>/<share> -U <user> <password>` | Authenticate to an SMB share with valid credentials |
| `get` | Download files |
| `!command` | Execute local system commands |
| `!smbstatus` | Information about the connection |
| `rpcclient -U "" <IP>`<br>`srvinfo`, `enumdomains`, `querydominfo`, `netshareenumall`, `netsharegetinfo <shared_resource>`, `enumdomusers`, `queryuser <user_RID>` | Interact with the target over MS-RPC (see the rpcclient manual) |
| `for i in $(seq 500 1100); do rpcclient -N -U "" <IP> -c "queryuser 0x$(printf '%x\n' $i)" \| grep -E "User Name\|user_rid\|group_rid" && echo ""; done` | Brute force user RIDs |
| `samrdump <IP>` | Username enumeration using Impacket's samrdump |
| `smbmap -H <IP>` | Enumerate SMB shares |
| `crackmapexec smb <IP> --shares -u '' -p ''` | Null-session ('guest') authentication on SMB: list shares |
| `enum4linux-ng <IP> -A` | SMB enumeration using enum4linux-ng |

## NFS

| Command | Description |
|---|---|
| `showmount -e <IP>` | Show available NFS shares |
| `mkdir target_nfs`<br>`mount -t nfs <IP>:/<share> ./target_nfs/ -o nolock` | Mount an NFS share |
| `ls -n` | List contents with numeric UIDs and GIDs |
| `umount ./target_nfs` | Unmount the NFS share |

## DNS

| Command | Description |
|---|---|
| `dig soa www.inlanefreight.com` | Domain SOA record |
| `dig ns inlanefreight.com @<nameserver>` | Domain NS records |
| `dig ch txt version.bind @<nameserver>` | DNS server version (if this entry exists) |
| `dig any inlanefreight.com @<nameserver>` | Domain info (all records) |
| `dig axfr internal.inlanefreight.htb @<nameserver>` | Zone transfer (zone contents) |
| `for sub in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt); do dig $sub.inlanefreight.htb @<nameserver> \| grep -Ev ';\|SOA' \| sed -r '/^\s*$/d' \| grep $sub \| tee -a subdomains.txt; done` | Subdomain brute forcing in Bash |
| `dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb` | Subdomain brute forcing with dnsenum |

## SMTP / IMAP / POP

| Command | Description |
|---|---|
| SMTP Commands | |
| `smtp-commands`, `smtp-open-relay` | Nmap scripts |
| `telnet <IP> 25`<br>`HELO mail1.inlanefreight.htb` | Connect to the SMTP server |
| `AUTH PLAIN` | AUTH is a service extension used to authenticate the client |
| `HELO` | The client identifies itself with its hostname and starts the session |
| `MAIL FROM` | The client names the email sender |
| `RCPT TO` | The client names the email recipient |
| `DATA` | The client starts the transmission of the email |
| `RSET` | The client aborts the current transmission but keeps the connection open |
| `VRFY` | The client checks whether a mailbox is available for message transfer |
| `EXPN` | Like VRFY, the client checks whether a mailbox is available (and expands mailing lists) |
| `NOOP` | The client requests a response from the server to avoid a timeout disconnect |
| `QUIT` | The client ends the session |
| `CONNECT <IP>:25 HTTP/1.0` | Make a web proxy connect to the SMTP server |
| `smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t <IP>`<br>`python3 smtp-user-recon.py <IP> footprinting-wordlist.txt` | User enumeration brute force |
| `curl -k 'imaps://<IP>' --user user:password -v` | Banner grabbing and more info |
| `openssl s_client -connect <IP>:pop3s`<br>`openssl s_client -connect <IP>:imaps` | TLS-encrypted interaction with POP3 and IMAP |
| IMAP Commands | |
| `1 LOGIN username password` | User login |
| `1 LIST "" *` | List directories |
| `1 CREATE "INBOX"` | Create a mailbox |
| `1 DELETE "INBOX"` | Delete a mailbox |
| `1 RENAME "ToRead" "Important"` | Rename a mailbox |
| `1 SELECT INBOX` | Select a mailbox to access its emails |
| `1 UNSELECT INBOX` | Exit the selected mailbox |
| `1 FETCH <ID> all`<br>`1 FETCH 1 BODY[TEXT]` | Retrieve data associated with a message in the mailbox |
| `1 LOGOUT` | Exit |
| POP3 Commands | |
| `USER username` | Identifies the user |
| `PASS password` | Authenticates the user with their password |
| `STAT` | Requests the number of saved emails from the server |
| `LIST` | Requests the number and size of all emails from the server |
| `RETR id` | Requests the server to deliver the email with the given ID |
| `DELE id` | Requests the server to delete the email with the given ID |
| `CAPA` | Requests the server's capabilities |
| `RSET` | Requests the server to reset the transmitted information |
| `QUIT` | Exit |

## SNMP

| Command | Description |
|---|---|
| `snmpwalk -v 2c -c public <IP>` | Walk the SNMP tree of a host |
| `onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <IP>` | Brute force the SNMP community string |
| `braa <community_string>@<IP>:.1.3.6.*` | Query individual OIDs in bulk and enumerate them |

## MySQL

| Command | Description |
|---|---|
| `mysql*` | Nmap scripts |
| `mysql -u <user> -p<password> -h <IP>` | Connect to the MySQL server |

## MSSQL

| Command | Description |
|---|---|
| `ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER` | Nmap scripts |
| `mssql_ping` | Metasploit scanner (`auxiliary/scanner/mssql/mssql_ping`) |
| `python3 mssqlclient.py <user>@<IP> -windows-auth` | Connect with Impacket's mssqlclient.py |

## Oracle TNS

| Command | Description |
|---|---|
| `oracle-sid-brute` | Nmap script to brute force SIDs |
| `odat all -s <IP>` | Scan the Oracle DB service and its components |
| `odat utlfile -s <IP> -d XE -U <user> -P <password> --sysdba --putFile C:\\inetpub\\wwwroot <file> ./<file>`<br>`curl -X GET http://<IP>/<file>` | File upload (then fetch the file over HTTP) |
| `sqlplus <user>/<password>@<IP>/XE` | Connect to the Oracle DB (see the SQL*Plus manual) |
| `sqlplus <user>/<password>@<IP>/XE as sysdba` | Connect to the Oracle DB as sysdba |

## IPMI

| Command | Description |
|---|---|
| `ipmi-version` | Nmap script |
| `auxiliary/scanner/ipmi/ipmi_version` | Metasploit scanner |
| `auxiliary/scanner/ipmi/ipmi_dumphashes` | Metasploit hash dumping |
| Dell iDRAC: `root:calvin`<br>HP iLO: `Administrator:<factory randomized 8-character string>`<br>Supermicro IPMI: `ADMIN:ADMIN`<br>IBM IMM: `USERID:PASSW0RD`<br>Fujitsu Integrated Remote Management Controller: `admin:admin`<br>Oracle ILOM: `root:changeme`<br>ASUS iKVM: `admin:admin` | Default credentials |

## Remote Access Protocols

| SSH | Description |
|---|---|
| `git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit`<br>`./ssh-audit.py <IP>` | Fingerprinting |
| `ssh -v <user>@<IP> -o PreferredAuthentications=password` | Force a specific authentication method (password) |
| Rsync (see the Rsync Abuse Guide) | |
| `nc -nv <IP> 873` | Accessible shares |
| `rsync -av --list-only rsync://<IP>/<share>` | Share enumeration |
| R-Services | |
| `rlogin <IP> -l <user>` | Log in using rlogin |
| `rwho` | List authenticated users using rwho |
| `rusers -al <IP>` | List authenticated users using rusers |
| RDP | |
| `rdp*` | Nmap scripts |
| `--packet-trace` | Nmap option to inspect packets |
| `git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check`<br>`./rdp-sec-check.pl <IP>` | Perl script to enumerate RDP security settings (rdp-sec-check) |
| `rdesktop`, `xfreerdp`, `Remmina` | Linux tools to connect to RDP servers |
| WinRM | |
| `Test-WsMan` | Windows PowerShell cmdlet to discover WinRM servers |
| `evil-winrm -i <IP> -u <user> -p <password>` | Linux tool to connect to WinRM servers (evil-winrm) |
| WMI | |
| `wmiexec.py <user>:"<password>"@<IP> "hostname"` | Run a command (here `hostname`) on the target over WMI with Impacket's wmiexec.py |