Enumeration

Nmap

  • Quick TCP Scan (default scripts and version detection on the top 1000 TCP ports)
    nmap -sC -sV -vv -oN quick 10.10.10.10
  • Quick UDP Scan (needs root for raw sockets; UDP scans are slow and report many ports as open|filtered)
    nmap -sU -sV -vv -oN quick_udp 10.10.10.10
  • Full TCP Scan (all 65535 TCP ports)
    nmap -sC -sV -p- -vv -oN full 10.10.10.10
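The quick and full scans above write nmap's normal-format output (-oN) to the files quick and full. The following Python script is an added example, not part of the original cheat sheet: it parses the PORT/STATE/SERVICE table from those files and lists which open ports the -p- full scan found that the top-1000 quick scan did not. The sample scan text is constructed here and does not describe a real host; the script name nmap_diff.py and the filename arguments are assumptions.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Rows of the PORT/STATE/SERVICE table in nmap's normal (-oN) output, e.g.
#   "22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3"
PORT_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)(?:\s+(?P<rest>.*))?$"
)
# With -vv nmap prints the REASON column before the version string; strip it.
REASON = re.compile(r"^(syn-ack|udp-response|no-response|conn-refused|reset)(\s+ttl\s+\d+)?\s*")

PortKey = Tuple[int, str]


def parse_open_ports(text: str, include_filtered: bool = False) -> Dict[PortKey, Dict[str, str]]:
    """Map (port, proto) -> {state, service, version} for ports nmap reports as open.

    UDP scans mostly yield 'open|filtered'; pass include_filtered=True to keep those too.
    """
    found: Dict[PortKey, Dict[str, str]] = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if not m:
            continue
        state = m.group("state")
        if state != "open" and not (include_filtered and state == "open|filtered"):
            continue
        version = REASON.sub("", m.group("rest") or "").strip()
        found[(int(m.group("port")), m.group("proto"))] = {
            "state": state,
            "service": m.group("service"),
            "version": version,
        }
    return found


def new_in_full(quick_text: str, full_text: str) -> List[PortKey]:
    """Ports open in the -p- full scan that the top-1000 quick scan did not cover."""
    return sorted(set(parse_open_ports(full_text)) - set(parse_open_ports(quick_text)))


# Constructed sample output (not a real host) in the -oN format the commands above produce.
QUICK_SAMPLE = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -vv -oN quick 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up, received echo-reply ttl 63 (0.045s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
"""

FULL_SAMPLE = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -p- -vv -oN full 10.10.10.10
Nmap scan report for 10.10.10.10
Not shown: 65531 closed ports
PORT      STATE    SERVICE    REASON         VERSION
22/tcp    open     ssh        syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http       syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
8080/tcp  open     http-proxy syn-ack ttl 63
9999/tcp  filtered abyss      no-response
"""


def main(argv: List[str]) -> int:
    # Usage: python nmap_diff.py quick full   (the -oN files written by the commands above)
    if len(argv) == 3:
        quick, full = Path(argv[1]).read_text(), Path(argv[2]).read_text()
    else:
        quick, full = QUICK_SAMPLE, FULL_SAMPLE
    for (port, proto), info in sorted(parse_open_ports(full).items()):
        print(f"{port}/{proto:<4} {info['service']:<12} {info['version']}")
    extra = new_in_full(quick, full)
    print("Open ports missed by the quick scan:", ", ".join(f"{p}/{pr}" for p, pr in extra) or "none")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the built-in sample, or pass the two -oN files. Filtered ports are ignored by default because they carry no service information; a port that only the full scan reports is a reminder that a top-1000 scan alone can miss services on non-standard ports.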

Banner Grabbing

  • Netcat Banner Grab
    nc -v 10.10.10.10 <port>
  • Telnet Banner Grab
    telnet 10.10.10.10 <port>

SMB

  • Nmap Vulnerability Scan (the script pattern is quoted so the shell does not expand the glob)
    nmap -p 139,445 -vv --script="smb-vuln*" 10.10.10.10
  • Nmap User and Share Scan
    nmap -p 139,445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
  • Enum4linux
    enum4linux -a 10.10.10.10
  • smbmap
    smbmap -H 10.10.10.10
  • Null Connection Test (empty username; press Enter at the password prompt)
    rpcclient -U "" 10.10.10.10
  • Connecting to a share
    smbclient //10.10.10.10/<share>
  • Getting the version of Samba (save as smbver.sh; the capture interface is hard-coded to tap0, so change it to match your VPN or lab interface):
    #!/bin/sh
    # Originally from: https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html#enum4linux
    # Author: rewardone
    # Description:
    #   Requires root or enough permissions to use tcpdump.
    #   Listens for the first 7 packets of a null login and grabs the SMB version.
    # Notes:
    #   Will sometimes not capture or will print multiple lines.
    #   May need to run a second time for success.
    if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit 1; else rhost="$1"; fi
    if [ -n "$2" ]; then rport="$2"; else rport=139; fi
    tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
    echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
    sleep 0.5 && echo ""

SNMP

  • snmp-check
    snmp-check 10.10.10.10

Web Scanning

  • Quick directory busting scan with gobuster (gobuster 2.x syntax; in 3.x the mode comes first: gobuster dir -u ... -w ...)
    gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.10:<port> -s 200,204,301,302,307,403,500 -e -k -t 50 -np -o gobuster_quick_scan.txt
  • Targeting specific extensions with gobuster (-x appends each extension to every wordlist entry; the output file is named differently so it does not overwrite the quick scan)
    gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.10:<port> -s 200,204,301,302,307,403,500 -e -k -t 50 -np -o gobuster_ext_scan.txt -x .txt,.php
  • Nikto
    nikto -h http://10.10.10.10:<port>
  • WordPress Scan (--url replaces the old -u flag)
    wpscan --url http://10.10.10.10:<port>

Oracle Databases

  • Oscanner (default Oracle listener port 1521)
    oscanner -s 10.10.10.10 -p 1521