# Basic information
Kali> whois domain.com
# See DNS records of type
Kali> dig {a|txt|ns|mx} domain.com
# Same as above but query @nameserver
Kali> dig {a|txt|ns|mx} domain.com @ns1.domain.com
# E-Mail
Kali> simplyemail.py -all -e TARGET-DOMAIN
# Banner Grabbing
Kali> nc -v $TARGET 80
Kali> telnet $TARGET 80
# amap takes the target before the port range
Kali> amap -bqv1 $TARGET 1-65535
# TTL Fingerprinting
| Operating System | TTL |
|---|---|
| Windows | 128 |
| Solaris | 255 |
| Cisco | 255 |
# The TTL you observe is the initial value minus the hops in the path, so match it to the nearest default (e.g. a reply with TTL 124 points at Windows/128; Linux and macOS start at 64)
# Finger
Kali> finger @$TARGET
Kali> finger USERNAME@$TARGET
# Probe for neighbors (especially useful for IPv6)
# IPV4/IPV6
Kali> netdiscover -i eth0
# IPV6
Kali> ping6 ff02::1%eth0
# Host discovery
Kali> nmap -sn 192.168.1.0/24
# -sP is the legacy spelling of -sn
Kali> nmap -sP 192.168.1.0/24
# -A (OS/version detection, scripts, traceroute) is noisy; the output directory must exist first
Kali> mkdir -p scans; while read -r ip; do nmap -A -T4 -oN "scans/nmap.$ip.txt" "$ip"; done < targets.txt
# udp-protocol-scanner
# Port Scan
udp-protocol-scanner.pl -f ips.txt
# Protocol specific scan
udp-protocol-scanner -p ntp -f ips.txt
# Netcat
# UDP: an ICMP port-unreachable reply means closed; no reply means open|filtered (nc cannot tell these apart without a protocol-specific probe)
Kali> nc -nv -u -z -w 1 $TARGET 160-162
# NMAP
Kali> sudo nmap -sU -A -T3 --top-ports 100 $TARGET
# Netcat
Kali> nc -nvv -w 1 -z $TARGET 1000-2000
# NMAP
Kali> nmap -p 1-65535 -sV -sS -T4 $TARGET
Kali> nmap -v -sS -A -T4 $TARGET
Kali> nmap -v -sV -O -sS -T4 $TARGET
# Web: directory brute force
Kali> dirb http://$TARGET /usr/share/wordlists/dirb/big.txt -o dirb.txt
Kali> gobuster -u http://$TARGET -w /usr/share/wordlists/dirb/big.txt -t 100
# A little for loop so you can go do other stuff
Kali> for wordlist in *; do gobuster -u http://$TARGET -w "$wordlist" -t 100; done
# cURL
# robots.txt can give a clue as to where to look next; some sites only serve it (or the real content) to a browser-like User-Agent, so you may have to set one (curl -A)
Kali> curl -s http://$TARGET/robots.txt
# Check all the methods
Kali> curl -v -X OPTIONS http://$TARGET/
# The Allow: header can be incomplete or wrong; confirm an interesting method (PUT, DELETE, TRACE) by actually sending it
# Nikto
Kali> nikto -h http://$TARGET
# BurpSuite
# I don't care who you are, or what you're doing
# But it's time to go MANUALLY poke the website with BurpSuite
# Play with all the things!
Get Params
Post Params
Cookies
Mess with the headers
Send random data to parameters, fuzz pages such as ?page=home
Change GET requests to POST requests
take note of 301/302 redirects; in fact take note of all status codes
I could go on and on, but man just go poke that fucker.
# TLS
Kali> ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $TARGET
# DNS: zone transfer (AXFR)
Kali> host -l megacorpone.com ns1.megacorpone.com
# dnsrecon selects the name server with -n, not with the dig-style @ syntax
Kali> dnsrecon -d domain.com -t axfr -n ns1.domain.com
Kali> dnsenum domain.com
Kali> nslookup -> set type=any -> ls -d domain.com   (the ls command only exists in the Windows nslookup)
# Subdomain brute force
Kali> while read -r sub; do host "$sub.domain.com" | grep "has address"; done < subdomains.txt
Kali> dnsrecon -d $TARGET -D wordlist.txt -t std --xml output.xml
# Links
https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
http://forensicswiki.org/wiki/Determining_OS_version_from_an_evidence_image
https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions
# TODO
# NMAP (MSSQL)
# ms-sql-info queries the SQL Browser service on UDP/1434
Kali> nmap -sU -p 1434 --script=ms-sql-info $TARGET
# TODO
# Links
https://n0where.net/understanding-the-ldap/
# RPC
Kali> rpcinfo -p $TARGET
# RDP
Kali> rdesktop -u admin -p password $TARGET
# rlogin (TCP/513; credentials and the whole session travel in cleartext)
Kali> rlogin $TARGET
# Sources
https://en.wikipedia.org/wiki/Rlogin
# NetBIOS: sometimes shows logged-in users/addresses
Kali> nbtscan $TARGET -R 54
# Links
https://highon.coffee/blog/nbtscan-cheat-sheet/
https://technet.microsoft.com/en-us/library/cc940106.aspx?f=255&MSPPError=-2147217396
# SMB: fingerprint version
Kali> smbclient -L //$TARGET
# TODO
Kali> nmblookup -A $TARGET
# null Session
Kali> rpcclient -U "" -N $TARGET
Kali> smbclient -L //$TARGET
# Minimal Scan
Kali> enum4linux $TARGET
# Scan Everything
Kali> enum4linux -a $TARGET
# discover windows/samba on subnet find macs and netbios name/domain
Kali> nbtscan 192.168.1.0/24
# Find open shares (credentials passed as script args end up in shell history and in ps output)
Kali> nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
# showmount locates mountd via rpcbind (111); it takes no port argument
Kali> showmount -e $TARGET
# Investigate share
Kali> nmblookup -A $TARGET
Kali> smbclient //MOUNT/share -I $TARGET -N
# Enumerate users
Kali> nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.0/24
Kali> python /usr/share/doc/python-impacket-doc/examples/samrdump.py $TARGET
# RID Cycling (500 = admin, 501 = Guest)
Kali> ridenum.py $TARGET 500 50000 /path/to/wordlist.txt
# NBTScan-Unixwiz
Kali> nbtscan-unixwiz -f $TARGET
# Mount Linux/Windows
Kali> mount $TARGET:/vol/share /mnt/nfs
Kali> mount -t cifs //<server ip>/<share> <local dir> -o username="guest",password=""
# /savecred persists the credential in the Credential Manager of the host you run this from; /p:no keeps the drive mapping itself non-persistent
C:\>net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
# Links
https://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions
http://www.madirish.net/59
# SMTP user enumeration
VRFY username (verifies if username exists – enumeration of accounts)
EXPN username (expands a mailing list/alias to its members – enumeration of accounts)
# SNMP Overview
Default Community Names:
public, private, cisco, manager
Enumerate MIB:
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
# Enumerate users from SNMP
Kali> snmpwalk -c public -v1 $TARGET 1 | grep 77.1.2.25 | cut -d" " -f4
# NOTE(review): samrdump.py speaks SMB/MSRPC, not SNMP; the "SNMP" argument here looks like a copy-paste error — check the argument syntax of your impacket version before relying on this line
Kali> python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP $TARGET
# Search SNMP with nmap
# SNMP is UDP/161; a TCP connect scan (-sT) will never find it
Kali> nmap -sU -p 161 192.168.1.0/24 -oG snmp_results.txt
# Examples
Kali> snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2
# -c takes a file of community strings, one per line (e.g. the Metasploit wordlist below)
Kali> onesixtyone -c community.txt $TARGET
Kali> snmpcheck -t $TARGET
Kali> snmpenum -t $TARGET
# Version3
Kali> nmap -sU -sV -p 161 --script=snmp-info 192.168.1.0/24
# Wordlists
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
# Links
https://www.pcwdld.com/what-is-snmp-and-tutorial
https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html