Scanning and Enumeration
Jakob Pennington edited this page Dec 23, 2018 · 7 revisions
## Nmap

```bash
# TCP Fast (default: the 1000 most common TCP ports)
nmap -oA nmap-tcp-fast IP_ADDRESS
# TCP Full (all 65535 ports; -A adds OS/version detection, default scripts and traceroute)
nmap -A -p- -oA nmap-tcp-allports IP_ADDRESS
# UDP Fast
nmap -sU -oA nmap-udp-fast IP_ADDRESS
# UDP Full (very slow: nmap has to wait for timeouts on every silent UDP port)
nmap -sU -p- -A -oA nmap-udp-allports IP_ADDRESS
```
### Useful options

- -Pn - Skip host discovery and scan anyway. Useful if you know a host is up but it drops ping probes.
- -T0 to -T5 - Scale the aggressiveness of the scan down or up (a higher number is faster and noisier).
- --disable-arp-ping - Try this if scans on the local network are slow or misbehaving.
### NSE scripts

Usage: --script="script1,script2"

Script name prefixes (keep the wildcard quoted so the shell does not expand it; nmap matches it against its own script database):
- http-*
- smb-*
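The fast scan above is normally followed by a targeted service scan rather than `-A -p-` on everything. The shell function below, added here as an example and not part of the original wiki, parses the grepable `.gnmap` file that `-oA` writes and builds that follow-up command from the ports found open. The sample gnmap text and the host 10.11.1.5 are constructed for the example.

```bash
#!/bin/sh
# Added example, not from the original wiki. Parses the grepable output that
# `nmap -oA nmap-tcp-fast` writes to nmap-tcp-fast.gnmap and builds a
# follow-up scan that only touches the ports found open.

# Constructed sample of a .gnmap file (host 10.11.1.5 is made up).
SAMPLE_GNMAP=$(printf '%b' \
  '# Nmap 7.70 scan initiated Sun Dec 23 10:00:00 2018 as: nmap -oA nmap-tcp-fast 10.11.1.5\n' \
  'Host: 10.11.1.5 ()\tStatus: Up\n' \
  'Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)\n' \
  '# Nmap done at Sun Dec 23 10:00:05 2018 -- 1 IP address (1 host up) scanned in 5.01 seconds\n')

# gnmap_open_ports GNMAP_TEXT
# Prints the open TCP ports as an ascending, de-duplicated, comma-separated list.
# Each entry in the "Ports:" field is port/state/proto/owner/service/rpc/version.
gnmap_open_ports() {
    printf '%s\n' "$1" | awk '
        /^Host:.*Ports:/ {
            sub(/.*Ports: /, "")            # keep only the port list
            sub(/Ignored State.*/, "")      # drop the trailing summary
            n = split($0, entries, ",")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                gsub(/^ +/, "", f[1])       # entries after the first have a leading space
                if (f[2] == "open" && f[3] == "tcp") print f[1]
            }
        }' | sort -n -u | paste -sd, -
}

# followup_scan_cmd GNMAP_TEXT TARGET
# Prints the targeted service/script scan to run next; fails if nothing was open.
followup_scan_cmd() {
    ports=$(gnmap_open_ports "$1")
    if [ -z "$ports" ]; then
        echo "no open tcp ports in scan output" >&2
        return 1
    fi
    printf 'nmap -sV -sC -p %s -oA nmap-tcp-targeted %s\n' "$ports" "$2"
}

# Against a real scan: followup_scan_cmd "$(cat nmap-tcp-fast.gnmap)" IP_ADDRESS
followup_scan_cmd "$SAMPLE_GNMAP" 10.11.1.5
```

Only the `open` state is kept; `filtered` ports are deliberately excluded so the follow-up scan does not wait on them. The function refuses to emit a command with an empty `-p` list, which nmap would otherwise reject.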
## Reconnoitre

```bash
# Scan a host or list of hosts including service scans
reconnoitre -t IP_ADDRESS -o /path/to/output --services
# Discover live hosts and hostnames within a range
reconnoitre -t IP_ADDRESS -o /path/to/output --pingsweep --hostnames
# Discover live hosts within a range and then do a quick probe for services
reconnoitre -t IP_ADDRESS -o /path/to/output --pingsweep --services --quick
```
## FTP

FTP is the standard network protocol for transferring files between an FTP server and an FTP client. Other variations and relatives of the protocol include:
- FTPS - FTP with the control and data channels encrypted with TLS
- SFTP - SSH File Transfer Protocol, a separate protocol that runs over SSH (not FTP tunnelled through SSH)
- TFTP - Trivial File Transfer Protocol, a minimal UDP-based (port 69) file transfer protocol with no authentication
- Anonymous FTP - The ability to connect to an FTP server without valid credentials. Log in with the username 'anonymous' and an arbitrary password (by convention an email address).

Connect to an FTP server with the ftp command, specifying the IP address. Supply the username and password of a local user on the server, or connect anonymously:
```text
root@localhost> ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.1)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
## SSH

```bash
# Useful options
-v               Verbose output (shows which authentication methods the server offers)
-i IDENTITY.pem  Authenticate with the private key in this file (public key authentication)
```
## SMTP

Enumerate usernames (-M selects the method: VRFY, EXPN or RCPT; try another if the server rejects VRFY):

```bash
smtp-user-enum -M VRFY -U ~/Tools/SecLists/Usernames/top_shortlist.txt -t IP_ADDRESS -p 25 | tee smtp-user-enum.txt
```
## HTTP

Directory and file discovery with several tools and wordlists, followed by a nikto vulnerability scan:

```bash
dirb http://IP_ADDRESS:PORT/ -o dirb.txt
dirbuster -H -u http://IP_ADDRESS:PORT/ -l /root/Tools/SecLists/Discovery/Web_Content/raft-medium-directories.txt -t 20 -s / -v -r dirbuster.txt
gobuster -w /root/Tools/SecLists/Discovery/Web_Content/common.txt -u http://IP_ADDRESS:PORT/ -s '200,204,301,302,307,403,500' -e | tee gobuster.txt
gobuster -w /root/Tools/SecLists/Discovery/Web_Content/CGIs.txt -u http://IP_ADDRESS:PORT/ -s '200,204,301,302,307,403,500' -e | tee gobuster-cgi.txt
nikto -host http://IP_ADDRESS -port PORT | tee nikto.txt
```

Note: the gobuster lines use the gobuster 2.x syntax; gobuster 3.x expects the dir subcommand before these flags.
### WordPress

```bash
# General scan (vp = vulnerable plugins, vt = vulnerable themes, tt = timthumbs, cb = config backups, dbe = db exports, u = users)
wpscan --url http://IP_ADDRESS:PORT/WP_PATH/ --enumerate vp,vt,tt,cb,dbe,u | tee wpscan.txt
# Password bruteforce
wpscan -U users.txt -P ~/Tools/SecLists/Passwords/rockyou.txt --password-attack wp-login --url=http://IP_ADDRESS:PORT/
# Note: wp-login can be interchanged with xmlrpc or xmlrpc-multicall
```

Once you have wp-admin Administrator credentials, get a reverse shell by editing one of the theme's PHP templates (eg. 404.php) in the theme editor and then requesting a page that renders it.
### WebDAV

```bash
nmap --script="http-iis-webdav-vuln" -oA nmap-webdav -T4 -p PORT IP_ADDRESS
# Test which methods (PUT, MOVE, ...) and file types the server accepts
davtest -url http://IP_ADDRESS | tee davtest.txt
# cadaver is an interactive WebDAV client; it takes the URL as a positional argument (there is no -url flag)
cadaver http://IP_ADDRESS/
```
## RPC

```bash
rpcinfo -p IP_ADDRESS | tee rpcinfo.txt
```
## SMB

```bash
enum4linux -a IP_ADDRESS | tee enum4linux.txt
# unsafe=1 enables checks that can crash the target service; leave it off against production systems
nmap -sV -Pn -vv -p 139,445 --script='smb-vuln*' --script-args=unsafe=1 -oA 'nmap-smb' IP_ADDRESS
nmap -sV -Pn -vv -p 445 --script=smb-enum-users --script-args=unsafe=1 -oA 'nmap-smb-users' IP_ADDRESS
nmblookup -A IP_ADDRESS | tee nmblookup.txt
# List shares (press Enter at the password prompt to try a null session)
smbclient -L //IP_ADDRESS
# Connect to a share
smbclient //IP_ADDRESS/SHARE
```
## SNMP

```bash
# Uses the community string 'public' unless another is given with -c
snmp-check IP_ADDRESS
```