Network

Discovery

Network range scan:

netdiscover -r <ipaddress-range>

Network range scan, medium speed:

nmap -sn -T3 <ipaddress-range>

DNS

Registration info:

whois <ipaddress>

A records:

dig <domain>
host <domain>

MX records:

dig <domain> mx
host -t mx <domain>

Nameservers:

dig <domain> ns
host -t ns <domain>

Canonical name (CNAME):

dig <domain> cname
host -t cname <domain>

Enumerate subdomains:

nmap --script=dns-brute --script-args dns-brute.domain=<domain>

To manually enumerate subdomains, first create a text file of common subdomain names:

cat <<EOF > subdomains.txt
www
ftp
mail
owa
proxy
router
admin
www2
firewall
mx
pop3
cloud
account
EOF

Then create a bash script that resolves each name under the target domain and prints only those that have an A record:

vi sub-enum.sh

#!/bin/bash
# Usage: ./sub-enum.sh <domain>
# Reads candidate names from subdomains.txt (one per line) and prints
# the ones that resolve to an address.

if [ -z "$1" ]; then
	echo "Usage: $0 <domain>"
	exit 1
fi

domain=$1

while read -r name; do
	# Skip blank lines in the wordlist
	[ -n "$name" ] || continue
	host "$name.$domain" | grep "has address"
done < subdomains.txt

:wq

Add execute permissions and run:

chmod +x sub-enum.sh
./sub-enum.sh <domain>

Zone transfer (requested from one of the domain's nameservers):

dig axfr @<nameserver> <domain>
dnsrecon -d <domain> -t axfr
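As an added example that is not part of the original cheat sheet, the "Nameservers" and zone-transfer commands above combined into one audit script: it looks up every authoritative server of a zone and reports which of them still answers an AXFR, which is the check a zone owner runs to confirm transfers are restricted. It assumes dig is installed and reachable resolvers; the function names are this example's own.

```shell
#!/bin/bash
# axfr-audit.sh: report which nameservers of a zone allow a full zone
# transfer. Example code, not from the original page; assumes dig.

# Print the authoritative nameservers for a domain, one per line,
# with the trailing dot removed and duplicates collapsed.
zone_nameservers() {
    dig +short "$1" ns | sed 's/\.$//' | sort -u
}

# Return 0 if the nameserver answers an AXFR for the zone, 1 otherwise.
# dig does not reliably signal a refused transfer via its exit status,
# so the output is inspected: a refusal prints "Transfer failed", and a
# real transfer always contains the zone's SOA record.
axfr_allowed() {
    local ns=$1 domain=$2 out
    out=$(dig axfr "$domain" "@$ns" +time=5 2>/dev/null) || true
    case "$out" in
        *"Transfer failed"*|*"XFR size: 0"*|"") return 1 ;;
    esac
    printf '%s\n' "$out" | grep -q "IN[[:space:]]*SOA"
}

# Audit a zone: prints "<ns> open" or "<ns> closed" for each nameserver.
# Returns 0 only when no server allows the transfer, so the script can
# be used as a pass/fail check in a scheduled job.
audit_axfr() {
    local domain=$1 ns rc=0
    for ns in $(zone_nameservers "$domain"); do
        if axfr_allowed "$ns" "$domain"; then
            echo "$ns open"
            rc=1
        else
            echo "$ns closed"
        fi
    done
    return $rc
}

# Usage: ./axfr-audit.sh <domain>
if [ -n "${1:-}" ]; then
    audit_axfr "$1"
fi
```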

Auto tools:

dnsrecon <domain>
dnsenum <domain>

Hosts

All ports, ‘stealth’ scan, OS fingerprinting, and medium speed:

nmap -sS -Pn -p- -A -T3 <ipaddress>

All ports, ‘stealth’ scan, OS fingerprinting, and higher speed with cleaner output:

nmap -sS -Pn -p- -A -T4 <ipaddress> | grep -v -E "Start|Nmap"

Top 25 ports, version scan, medium speed:

nmap -sV -T3 --top-ports 25 <ipaddress>

Top 100 ports, TCP and UDP scan:

nmap -sSU --top-ports 100 <ipaddress>

Port selection:

nmap -p <ports> <ipaddress>

UDP port selection:

nmap -sU -p <ports> <ipaddress>

Port test, verbose, don’t send data:

nc -v -z <ipaddress> <port>

UDP port test, verbose, don’t send data:

nc -u -v -z <ipaddress> <port>

SMB

Typical Windows versions by SMB dialect:

SMB1:   Windows 2000, Windows XP, Windows 2003
SMB2:   Windows Vista SP1, Windows 2008
SMB2.1: Windows 7, Windows 2008 R2
SMB3:   Windows 8, Windows 2012

Typical share names:

  • C$
  • Admin$
  • IPC$

Enumerate shares:

nmap --script=smb-enum-shares -p139,445 <ipaddress>

Enumerate users:

nmap --script=smb-enum-users -p139,445 <ipaddress>
enum4linux -a <ipaddress>

Brute force, with UDP added:

nmap -sU -sS --script smb-brute -p U:137,T:139,445 <ipaddress>

Search for vulnerabilities:

nmap -sV --script=smb-vuln* -p U:137,T:139,445 <ipaddress>

Capture traffic to find the SMB (Samba) version:

ngrep -i -d <network interface> 's.?a.?m.?b.?a.*[[:digit:]]' &
echo "exit" | smbclient -L <ipaddress>

Connect to smb shares:

smbclient \\\\<ipaddress>\\<share> -U administrator
smbclient -L <ipaddress> -W <workgroup>

FTP

Scan for anonymous access:

nmap -sT --script=ftp-anon -p21 <ipaddress>

Attempt brute force:

nmap -sT --script=ftp-brute -p21 <ipaddress>

Scan for vulnerabilities:

nmap -sT --script=ftp-vuln* -p21 <ipaddress>

Connect:

ftp <ipaddress> 21

SSH

Scan authentication methods:

nmap -sT --script=ssh-auth-methods -p22 <ipaddress>

Attempt user brute force:

nmap -sT --script=ssh-brute -p22 <ipaddress>

Telnet

Connect:

telnet <ipaddress>

Connect alt:

nc -vv <ipaddress> 23

SMTP

Connect:

telnet <ipaddress> 25

Connect alt:

nc -vv <ipaddress> 25

Then, verify user (quit with Ctrl+]):

> VRFY <user>

Enumerate users:

smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t <ipaddress>

SNMP

Windows parameters (OID and what it returns):

1.3.6.1.2.1.25.1.6.0    System processes
1.3.6.1.2.1.25.4.2.1.2  Running programs
1.3.6.1.2.1.25.4.2.1.4  Process paths
1.3.6.1.2.1.25.2.3.1.4  Storage units
1.3.6.1.2.1.25.6.3.1.2  Software names
1.3.6.1.4.1.77.1.2.25   User accounts
1.3.6.1.2.1.6.13.1.3    TCP local ports

Scan using default port on UDP:

nmap -sU --open -p 161 <ipaddress>

Brute force connection:

nmap -sU -Pn -p 161 --script=snmp-brute <ipaddress>

Attempt connection with a community string (default: public):

snmpwalk -c <communitystring> <ipaddress> -v<version>

Attempt connection and return Windows users:

snmpwalk -c <communitystring> -v1 <ipaddress> 1.3.6.1.4.1.77.1.2.25

RPC

Connect:

rpcclient -p <port> <ipaddress>

Connect with UDP and anonymous user:

rpcclient -u -p 111 <ipaddress> -U anonymous