Contents
# --- FTP (21) / SSH (22): NSE script enumeration; ftp* / ssh* are script-name globs ---
nmap -p 21 --script ftp* <ip>
nmap -p 22 --script ssh* -oA ssh_scan <ip>
# Collect the host's SSH host keys (fingerprint inventory / known_hosts baseline).
ssh-keyscan <ip>
# NOTE(review): ssh-vulnkey is the checker for the 2008 Debian OpenSSL weak-key issue and
# appears to have been dropped from current distributions — confirm it is installed before relying on it.
ssh-vulnkey <ip> key.pub
# --- SMTP (25): user enumeration across a /24 (typically via VRFY/EXPN/RCPT probing) ---
# NOTE(review): this line uses $IP while the rest of the page uses the <ip> placeholder; -sS needs root.
# Defender: disable VRFY/EXPN on the MTA and alert on bursts of RCPT probes to unknown recipients.
nmap --open --script smtp-enum-users -sS -p 25 -sV $IP/24
# --- DNS: zone transfer (AXFR) attempts against the authoritative server ---
# Defender: a successful AXFR hands out the whole zone; restrict transfers to authorized
# secondaries (allow-transfer / TSIG) and alert on AXFR requests from any other source.
dnsrecon -d <server> -t axfr
host -l test.com ns1.test.com
dig axfr test.com @ns1.test.com
# Interactive nslookup sequence, not a single shell command: set type=any, then ls -d <zone>.
nslookup -> set type=any -> ls -d test.com
# NOTE(review): -d is given twice, so the second value (a wordlist path) overwrites the domain.
# dnsrecon takes a dictionary via -D, and with -t std no wordlist is consumed — verify the intended flags.
dnsrecon -d TARGET -d /usr/share/wordlists/dnsmap.txt -t std
# --- finger (79): account lookups; the quoted multi-name form queries several users in one request ---
# Defender: finger discloses logged-in users and account details; the service should be disabled.
finger root@<ip>
finger admin@<ip>
finger 'a b c d e f g h'@<ip>
Start Burp Suite NOW!
# --- Web: nikto vulnerability scan and dirb recursive directory brute force, output saved to files ---
# NOTE(review): nikto/dirb use a hard-coded 192.168.56.1 where the rest of the page uses <ip>.
nikto http://192.168.56.1 -o nikto.txt
dirb http://192.168.56.1 -r -o dirb.txt
dirbuster
# --- WordPress: wpscan enumeration of plugins (p), themes (t) and users (u), then password guessing ---
wpscan --update
wpscan --url <http://> --enumerate p
wpscan --url <http://> --enumerate t
wpscan --url <http://> --enumerate u
# NOTE(review): --wordlist is the legacy wpscan 2.x flag; wpscan 3.x uses --passwords (and --usernames)
# — verify against the installed version.
# Defender: 50 threads against wp-login produce a burst of failed logins; rate limiting, lockout
# plugins and WAF logging are the controls, and exposed user enumeration should be disabled.
wpscan --url <http://> --wordlist <pass.txt> --threads 50
wpscan --url <http://> --wordlist <pass.txt> --username admin --threads 50
# --- MSRPC: null-session connection (empty username) ---
# Defender: null sessions should be disabled; successful ones show up as anonymous logons on the target.
rpcclient -U "" TARGET
# --- SNMP (161/udp): host discovery, then walking the MIB ---
# Defender: SNMPv1/v2c send the community string in cleartext and "public" is a vendor default;
# use SNMPv3 or at least non-default, read-only communities restricted by source address.
nmap -sU --open -p 161 192.168.1.0/24 -oG SNMP_hosts.txt
nmap -p 161 --script snmp-enum <ip>
snmp-check <ip>
# Community-string guessing from the list in community.txt.
onesixtyone -c community.txt -i <ip>
snmpwalk -c <community_string> -v1 <ip>
# NOTE(review): the three OIDs below look like the Windows user-list, TCP-listener and
# installed-software subtrees respectively — confirm against the MIB; the page does not say.
snmpwalk -c public -v1 <ip> 1.3.6.1.4.1.77.1.2.25
snmpwalk -c public -v1 <ip> 1.3.6.1.2.1.6.13.1.3
snmpwalk -c public -v1 <ip> 1.3.6.1.2.1.25.6.3.1.2
# --- LDAP: anonymous simple bind (-x with no -D), base-scope read of the root DSE ---
# NOTE(review): -h/-p are deprecated in recent OpenLDAP clients in favour of the -H URI form on the next line.
# Defender: anonymous binds that return more than the root DSE expose directory layout;
# disable anonymous read where it is not required.
ldapsearch -h <ip> -p <port> -x -s base
ldapsearch -LLL -x -H ldap://<FQDN> -b '' -s base '(objectclass=*)'
Start Burp Suite NOW!
# --- Web / WordPress: repeat of the earlier nikto / dirb / wpscan section, kept as on the page ---
# NOTE(review): --wordlist is the legacy wpscan 2.x flag (3.x: --passwords / --usernames); the
# 192.168.56.1 targets are hard-coded where the rest of the page uses <ip>.
nikto http://192.168.56.1 -o nikto.txt
dirb http://192.168.56.1 -r -o dirb.txt
dirbuster
wpscan --update
wpscan --url <http://> --enumerate p
wpscan --url <http://> --enumerate t
wpscan --url <http://> --enumerate u
wpscan --url <http://> --wordlist <pass.txt> --threads 50
wpscan --url <http://> --wordlist <pass.txt> --username admin --threads 50
# --- TLS: protocol and cipher inventory on 443 ---
# Defender: compare against policy (no SSLv3/TLS 1.0/1.1, no export or RC4 suites).
sslscan <ip>
nmap -sV --script ssl-enum-ciphers -p 443 <ip>
# --- SMB / NetBIOS (139/445) ---
# NOTE(review): "-p 139, 445" has a space after the comma, so the port spec is split and "445" is
# passed as a separate (target) argument; write the list without spaces. Same on the smb* line below.
nmap -v -p 139, 445 -oA SMB_Scan 10.11.1.0/24
# NetBIOS name-table lookups: single host, then a /24 range.
nmblookup -A <ip>
nbtscan <ip>
nbtscan -r 192.168.1.1/24
# Share listing and connection; -N = no password, -U "" = null session.
# Defender: null sessions, guest access and SMB1 should be disabled; require SMB signing.
smbclient -L //<IP>
smbclient //MOUNT/share -I TARGET -N
smbclient //<IP>/sharename -U <username>
rpcclient -U "" TARGET
enum4linux -a TARGET
nmap -p 139, 445 --script smb* -oA smb_scan <ip>
# Password spraying of local accounts (users.txt x passes.txt); --continue-on-success keeps going after a hit.
# Defender: this produces a burst of failed logons on the target; lockout thresholds and
# failed-logon alerting are the controls.
crackmapexec smb -u users.txt -p passes.txt --local-auth 10.10.10.178 --continue-on-success
You may need to install the nfs-common package: apt-get install nfs-common
# --- NFS: list the server's exports, then mount one locally (mount normally needs root) ---
# Defender: exports that showmount lists to any client should be restricted to specific hosts/subnets.
showmount -e <ip>
mkdir /tmp/nfs
mount -t nfs <ip>:<share> /tmp/nfs
When mounting the shares, the user id (uid) is often checked as an “authentication” for the share, to make sure that only the user who owns the share can access its content, even though you have successfully mounted it on your local machine. As such, if you know the uid of the user in question, you can create a user with the same uid with the following command:
# Local user with a chosen uid, so that an export which only checks the client-supplied uid matches.
# The "-->" text is an annotation, not shell syntax.
# Defender: AUTH_SYS trusts whatever uid the client presents; use root_squash/all_squash or
# Kerberos (sec=krb5) on the export rather than relying on uid checks.
useradd -u 2000 lokii --> add a user (lokii) with a uid of 2000
# --- MySQL ---
# NOTE(review): the mysql client's execute flag is -e, not -c; "set database mysql" is not SQL
# (USE mysql); and the account table in the mysql system database is "user", not "users" —
# verify before relying on this line.
# Putting the password in -padmin exposes it to ps and shell history; prefer -p with an
# interactive prompt or a client options file.
mysql -u admin -padmin -c "show databases;set database mysql;select* from users;"
mysql -u admin -padmin -h <ip>