Scanning and Enumeration

Jakob Pennington edited this page Dec 3, 2018 · 7 revisions

Port Scanning

nmap

# TCP Fast
nmap -oA nmap-tcp-fast IP_ADDRESS

# TCP Full
nmap -A -p- -oA nmap-tcp-allports IP_ADDRESS

# UDP Fast
nmap -sU -oA nmap-udp-fast IP_ADDRESS

# UDP Full
nmap -sU -p- -A -oA nmap-udp-allports IP_ADDRESS
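The -oA flag above writes three files per scan, one of them the grepable .gnmap format, which is the easiest to post-process when comparing the observed attack surface against an expected service list. The following parser is an added example and not part of the original wiki page; the .gnmap text it consumes is constructed here to match the format (one "Ports:" line per host, each entry being port/state/proto/owner/service/rpcinfo/version/), and the allow-list of approved ports is an assumed input.

```python
import re
from collections import defaultdict

# Constructed sample .gnmap output (not captured from a real host). The layout
# follows nmap's grepable format: fields are tab-separated, port entries are
# comma-separated, and each entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Dec  3 10:00:00 2018 as: nmap -A -p- -oA nmap-tcp-allports 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.1/, 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd 2.4.38/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Samba smbd 3.X/\tIgnored State: closed (65529)
# Nmap done at Mon Dec  3 10:12:00 2018 -- 1 IP address (1 host up) scanned in 720.00 seconds
"""

# Split port entries on ", " only when the next entry starts with "<digits>/",
# so a version string containing a comma does not break the parse.
_ENTRY_SPLIT = re.compile(r",\s+(?=\d+/)")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} from .gnmap text."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored State:")[0]
        for entry in _ENTRY_SPLIT.split(ports_field.strip()):
            fields = entry.split("/")
            # fields: port, state, proto, owner, service, rpc_info, version, ''
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            results[host].append((int(port), proto, state, service, version))
    return dict(results)


def open_ports(parsed, host):
    """Sorted list of ports reported as open for a host."""
    return sorted(p for p, _proto, state, _svc, _ver in parsed.get(host, []) if state == "open")


def unexpected_services(parsed, host, allowlist):
    """Open ports that are not on the host's approved service list (inventory drift)."""
    return sorted(p for p in open_ports(parsed, host) if p not in allowlist)


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    approved = {22, 80}  # assumed: only SSH and HTTP are meant to be exposed
    for host, entries in parsed.items():
        print(f"{host}: open {open_ports(parsed, host)}")
        for port, proto, state, service, version in entries:
            if state == "open":
                print(f"  {port}/{proto} {service} {version}".rstrip())
        print(f"  not on approved list: {unexpected_services(parsed, host, approved)}")
```

Run it against a real nmap-tcp-allports.gnmap by replacing SAMPLE_GNMAP with the file contents; the version column is what you would feed into a patch-level comparison, and the "not on approved list" output is the finding to chase down on a host you own.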

Useful scripts

Usage: nmap --script="script1,script2" IP_ADDRESS
Script classes (wildcards select every script in the class):
    http-*
    smb-*

Reconnoitre

# Scan a host or list of hosts including service scans
reconnoitre -t IP_ADDRESS -o /path/to/output --services

# Discover live hosts and hostnames within a range
reconnoitre -t IP_ADDRESS -o /path/to/output --pingsweep --hostnames

# Discover live hosts within a range and then do a quick probe for services
reconnoitre -t IP_ADDRESS -o /path/to/output --pingsweep --services --quick

TCP Services

[ 21 ] FTP - File Transfer Protocol

FTP is the standard network protocol for transferring files between an FTP server and an FTP client. Other variations of the protocol include:

  • FTPS - Encrypted FTP over TLS
  • SFTP - Encrypted FTP over SSH
  • TFTP - Trivial File Transfer Protocol

Things to look out for

  • Anonymous FTP - The ability to connect to an FTP server without valid credentials. This can be done by logging in with the username 'anonymous' and an arbitrary password.

FTP commands

Connect to an FTP server with the ftp command, specifying the IP address. Supply the username and password of a local user on the server, or connect anonymously.

root@localhost> ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.1)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

[ 80, 443 ] HTTP / HTTPS - HyperText Transfer Protocol (Secure)

dirb(uster)

dirb http://IP_ADDRESS:PORT/ -o dirb.txt

dirbuster -H -u http://IP_ADDRESS:PORT/ -l /root/Tools/SecLists/Discovery/Web_Content/raft-medium-directories.txt -t 20 -s / -v -r dirbuster.txt

gobuster

gobuster -w /root/Tools/SecLists/Discovery/Web_Content/common.txt -u http://IP_ADDRESS:PORT/ -s '200,204,301,302,307,403,500' -e | tee gobuster.txt

gobuster -w /root/Tools/SecLists/Discovery/Web_Content/CGIs.txt -u http://IP_ADDRESS:PORT/ -s '200,204,301,302,307,403,500' -e | tee gobuster-cgi.txt

nikto

nikto -host IP_ADDRESS -port PORT | tee nikto.txt

WordPress

wpscan --url http://IP_ADDRESS:PORT/WP_PATH/

[ 111 ] rpcbind

rpcinfo

rpcinfo -p IP_ADDRESS

[ 139, 445 ] SMB - Server Message Block

enum4linux

enum4linux -a IP_ADDRESS

Connect to a share

smbclient //MOUNT/share

[ 161 ] SNMP - Simple Network Management Protocol

snmp-check

snmp-check IP_ADDRESS