Please read the Disclaimer.
Network
Discovery
Network range scan:
netdiscover -r <ipaddress-range>Network range scan, medium speed:
nmap -sn -T3 <ipaddress-range>DNS
Info:
whois <ipaddress>A hosts:
dig <domain>host <domain>MX hosts:
dig <domain> mxhost -t mx <domain>Nameservers:
dig <domain> nshost -t ns <domain>Canonical Name
dig <domain> cnamehost -t cname <ipaddress>Enumerate sub domains:
nmap --script=dns-brute --script-args dns-brute.domain=<domain>To manually enumerate sub domains create a text file of common subdomains:
cat <<EOF > subdomains.txt
> www
ftp
mail
owa
proxy
router
admin
www2
firewall
mx
pop3
cloud
account
> EOFThen create a bash script:
vi sub-enum.sh
#!/bin/bash
if [ -z "$1" ]
then
echo "Usage: $0 <host>"
exit 1
fi
host=$1
for name in $(cat subdomains.txt); do
host $name.$host | grep "has address"
done
:wqAdd execute permissions and run:
chmod +x sub-enum.sh
./sub-enum.sh <host>Transfer:
dig axfr @<A-host> <domain>dnsrecon -d <domain> -t axfrAuto tools:
dnsrecon <domain>dnsenum <domain>Hosts
All ports, ‘stealth’ scan, OS fingerprinting, and medium speed:
nmap -sS -Pn -p- -A -T3 <ipaddress>All ports, ‘stealth’ scan, OS fingerprinting, and higher speed with cleaner output:
nmap -sS -Pn -p- -A -T4 <ipaddress> | grep -v -E "Start|Nmap"Top popular 25 ports, version scan, medium speed:
nmap -sV -T3 --top-ports 25 <ipaddress>Top popular ports, TCP and UDP scan:
nmap -sSU --top-ports 100 <ipaddress>Port selection:
nmap -p <ports> <ipaddress>UDP port selection:
nmap -sU -p <ports> <ipaddress>Port test, verbose, don’t send data:
nc -v -z <ipaddress> <port>UDP port test, verbose, don’t send data:
nc -u -v -z <ipaddress> <port>SMB
Typical Windows Versions:
| SMB1 | Windows 2000 Windows XP Windows 2003 |
| SMB2 | Windows Vista SP1 Windows 2008 |
| SMB2.1 | Windows 7 Windows 2008 R2 |
| SMB3 | Windows 8 Windows 2012 |
Typical share names:
- C$
- Admin$
- IPC$
Enumerate shares:
nmap --script=smb-enum-shares -p139,445 <ipaddress>Enumerate users:
nmap --script=smb-enum-users -p139,445 <ipaddress>enum4linux -a <ipaddress>Brute force, with UDP added:
nmap -sU -sS --script smb-brute -p U:137,T:139,445 <ipaddress>Search for vulnerabilities:
nmap -sV --script=smb-vuln* -p U:137,T:139,445 <ipaddress>Capture traffic to find smb version:
ngrep -i -d <network interface> 's.?a.?m.?b.?a.*[[:digit:]]' &
echo "exit" | smbclient -L <ipaddress>Connect to smb shares:
smbclient \\\\<ipaddress>\\<share> -U administratorsmbclient -L <ipaddress> -W <workgroup>FTP
Scan for anonymous access:
nmap -sT --script=ftp-anon -p21 <ipaddress>Attempt brute force:
nmap -sT --script=ftp-brute -p21 <ipaddress>Scan for vulnerabilities:
nmap -sT --script=ftp-vuln* -p21 <ipaddress>Connect:
ftp <ipaddress> 21SSH
Scan authentication methods:
nmap -sT --script=ssh-auth-methods -p22 <ipaddress>Attempt user brute force:
nmap -sT --script=ssh-brute -p22 <ipaddress>Telnet
Connect:
telnet <ipaddress>Connect alt:
nc -vv <ipaddress> 23SMTP
Connect:
telnet <ipaddress> 25Connect alt:
nc -vv <ipaddress> 25Then, verify user (quit with Ctrl+]):
> VRFY <user>Enumerate users:
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t <ipaddress>SNMP
Windows Parameters:
| 1.3.6.1.2.1.25.1.6.0 | System Processes |
| 1.3.6.1.2.1.25.4.2.1.2 | Running Programs |
| 1.3.6.1.2.1.25.4.2.1.4 | Processes Path |
| 1.3.6.1.2.1.25.2.3.1.4 | Storage Units |
| 1.3.6.1.2.1.25.6.3.1.2 | Software Name |
| 1.3.6.1.4.1.77.1.2.25 | User Accounts |
| 1.3.6.1.2.1.6.13.1.3 | TCP Local Ports |
Scan using default port on UDP:
nmap -sU --open -p 161 <ipaddress>Brute force connection:
nmap -sU -Pn -p 161 --script=snmp-brute <ipaddress>Attempt connection with the community string (default public):
snmpwalk -c <communitystring> <ipaddress> -v<version>Attempt connectio and return Windows Users:
snmpwalk -c <communitystring> -v1 <ipaddress> 1.3.6.1.4.1.77.1.2.25RPC
Connect:
rpcclient -p <port> <ipaddress>Connect with UDP and anonymous user:
rpcclient -u -p 111 <ipaddress> -U anonymous