https://github.com/OWASP/Amass
$ amass enum -d <DOMAIN>
$ amass intel --asn <ASN>
$ amass intel --asn <ASN> -list
$ amass enum -active -d <DOMAIN> -p 80,443,8080
https://book.hacktricks.xyz/pentesting/pentesting-imap#banner-grabbing
$ nc -v <RHOST> 80
$ telnet <RHOST> 80
$ curl -vX <RHOST>
Port
Service
21/TCP
FTP
22/TCP
SSH
25/TCP
SMTP
53/TCP
DNS
53/UDP
DNS
80/TCP
HTTP
135/TCP
RPC
139/TCP
Netbios
443/TCP
HTTPS
445/TCP
SMB
1723/TCP
VPN
3389/TCP
RDP
5985/TCP
WinRM
Domain Controller specific Ports
Port
Service
88/TCP
Kerberos
389/TCP
LDAP
636/TCP
LDAPS
445/TCP
SMB
$ dig txt _dmarc.<DOMAIN> | grep dmarc
$ whois <DOMAIN>
$ dig @<RHOST> -x <DOMAIN>
$ dig {a|txt|ns|mx} <DOMAIN>
$ dig {a|txt|ns|mx} <DOMAIN> @ns1.<DOMAIN>
$ dig axfr @<RHOST> <DOMAIN> // zone transfer - needs 53/TCP
$ host -t {a|txt|ns|mx} <DOMAIN>
$ host -a <DOMAIN>
$ host -l <DOMAIN> ns1.<DOMAIN>
$ nslookup -> set type=any -> ls -d <DOMAIN>
$ for sub in $(cat subdomains.txt); do host $sub.<DOMAIN> | grep "has.address"; done
$ dnsenum <DOMAIN>
$ dnsenum --threads 64 --dnsserver <RHOST> -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt <DOMAIN>
$ sudo vi /etc/hosts
$ dnsrecon -r 127.0.0.0/24 -n <RHOST>
$ dnsrecon -r 127.0.1.0/24 -n <RHOST>
$ dnsrecon -d <DOMAIN> -t axfr @ns2.<DOMAIN>
https://github.com/trickster0/Enyx
$ python enyx.py 2c public <RHOST>
$ finger root@<RHOST>
$ finger "|/bin/id@<RHOST>"
msf6 > use auxiliary/scanner/finger/finger_users
https://github.com/pentestmonkey/finger-user-enum
$ ./finger-user-enum.pl -U users.txt -t <RHOST>
https://github.com/robertdavidgraham/masscan
$ sudo masscan -e tun0 -p0-65535 --max-rate 500 --interactive <RHOST>
https://github.com/pd4d10/memcached-cli
memcrashed / 11211 /UDP
$ npm install -g memcached-cli
$ memcached-cli <USERNAME>:<PASSWORD>@<RHOST>:11211
$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
STAT pid 21357
STAT uptime 41557034
STAT time 1519734962
$ sudo nmap <RHOST> -p 11211 -sU -sS --script memcached-info
$ stats items
$ stats cachedump 1 0
$ get link
$ get file
$ get user
$ get passwd
$ get account
$ get username
$ get password
$ sudo naabu -p - -l /PATH/TO/FILE/<FILE> -o /PATH/TO/FILE/<FILE>
$ sudo netdiscover -i <INTERFACE> -r <RHOST>
$ nbtscan <RHOST>
$ nmblookup -A <RHOST>
$ nmap -A -T4 -p- -sS -sV -oN initial --script discovery <RHOST>
$ nmap -A -T4 -sC -sV --script vuln <RHOST>
$ nmap -sV --script http-trace <RHOST>
$ nmap -sV --script ssl-cert -p 443 <RHOST>
$ nmap -sV --script ssl-enum-ciphers -p 443 <RHOST>
$ nmap -A -T4 -p- <RHOST>
$ nmap -A -T4 -sS -sU -v <RHOST>
$ nmap -sC -sV -oN initial --script discovery <RHOST>
$ nmap -sC -sV -oA nmap <RHOST>
$ nmap -sS -sV <RHOST>
$ nmap -p- <RHOST> // full port scan
$ nmap -sS <RHOST> // ping scan
$ nmap -sT <RHOST> // TCP scan
$ nmap -sU <RHOST> // UDP scan
$ nmap -PR -sN <RHOST> // ARP scan
$ nmap -PP -sn <RHOST> // ICMP timestamp discovery
$ nmap -PM -sn <RHOST> // ICMP address mask discovery
$ nmap -PE -sn <RHOST> // ICMP echo discovery
$ nmap -PU -sn <RHOST> // UDP ping discovery
$ nmap -PS<RPORT> <RHOST> // TCP SYN ping discovery
$ nmap -PA<RPORT> <RHOST> // TCP ACK ping discovery
$ sudo nmap - sS - f - p < RPORT > < RHOST > // fragment packets for stealth
$ sudo nmap - sS - ff - p < RPORT > < RHOST > // fragmets packets double times for stealth
$ nmap --script safe -p 445 <RHOST> // detailed scan on smb
-p1-65535 // ports
-p- // all ports
-sV // version detection
-sS // TCP SYN scan
-sT // TCP connect scan
-sU // UDP scan
-sX // Xmas scan (sets FIN, PSH, URG flags)
-sC // script scan
-T4 // timing options
-PN // no ping
-oA // write to file (basename)
-oN // write to file (normal)
-sn // host discovery only
-6 // IPv6
-n // no dns resolution
-O // OS detection
-A // aggressive scan
- D // Decoy scan
- f // fragment packets
- S // spoof src ip address
- g // spoof src port
-n // no DNS lookup
-R // Reverse DNS lookup
-- mtu // set MTU size
-- spoof - mac // spoof mac address
-- data - length < size > // append random data
-- scan - delay 5 s // delay
--max-retries 1 // set retry limit to speed the scan up
$ ls -lh /usr/share/nmap/scripts/*ssh*
$ locate -r '\.nse$' | xargs grep categories | grep categories | grep 'default\|version\|safe' | grep smb
$ xsltproc nmap.xml -o nmap.html
$ sudo nmap -sn <XXX.XXX.XXX>.1-253
$ sudo nmap -sS <XXX.XXX.XXX>.1-253
Enable Monitoring with iptables
$ sudo iptables -I INPUT 1 -s <RHOST> -j ACCEPT
$ sudo iptables -I OUTPUT 1 -d <RHOST> -j ACCEPT
$ sudo iptables -Z
Generate grepable Output for IP Addresses and Ports
$ sudo nmap <XXX.XXX.XXX>.1-253 -oG <FILE>
$ sudo nmap -p <RPORT> <XXX.XXX.XXX>.1-253 -oG <FILE>
$ grep Up <FILE> | cut -d " " -f 2
$ grep open <FILE> | cut -d " " -f2
$ sudo nmap -iL /PATH/TO/FILE/<FILE> -p- -oG /PATH/TO/FILE/<FILE> | awk -v OFS=':' '/open/ {for (i=4; i<=NF; i++) {split($i,a,"/"); if (a[2]=="open") print $2, a[1]}}' | sort | uniq > /PATH/TO/FILE/<FILE>
$ nmap --script targets-asn --script-args targets-asn.asn=<ASN>
$ nmap -sV --script=smb-enum-shares -p 445 <RHOST>
$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <RHOST>
$ for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x <RHOST>; done
$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <RHOST>
$ nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <RHOST>
$ nmap - p 80 < RHOST > -- script http - put -- script - args http - put .url = '<RHOST > ',http - put .file = '<FILE > '
https://github.com/trailofbits/onesixtyone
$ echo public > <FILE>
$ echo private >> <FILE>
$ echo manager >> <FILE>
$ for ip in $(seq 1 254); do echo <XXX.XXX.XXX>.$ip; done > <FILE>
$ onesixtyone -c <FILE> -i <FILE>
Brute-Force Community Strings
$ onesixtyone -i snmp-ips.txt -c community.txt
https://<RHOST>/sitemap.xml
$ for p in {1..65535}; do nc -vn <RHOST> $p -w 1 -z & done 2> <FILE>.txt
https://github.com/AlexRandomed/One-Liner-Bash-Scanner
$ export ip=<RHOST>; for port in $(seq 1 65535); do timeout 0.01 bash -c "</dev/tcp/$ip/$port && echo The port $port is open || echo The Port $port is closed > /dev/null" 2>/dev/null || echo Connection Timeout > /dev/null; done
telnet <RHOST> 25
Connected to <RHOST>.
Escape character is '^]'.
EHLO ALL
telnet <RHOST> 25
Connected to <RHOST>.
Escape character is '^]'.
220 Mail Service ready
HELO foobar.com
250 Hello.
MAIL FROM: <foobar@contoso.local>
250 OK
RCPT TO: <barfoo@contoso.local>
250 OK
RCPT TO: <admin@contoso.local>
250 OK
RCPT TO: <foobar@contoso.local>
250 OK
RCPT TO: <foobar@contoso.localb>
250 OK
$ smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t <RHOST>
$ smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t <RHOST>
$ smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t <RHOST>
$ python3
Python 3.9.7 (default, Sep 3 2021, 06:18:44)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import binascii
>>> s = '50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135 '
>>> binascii.unhexlify(s.replace(' ',''))
b 'P@ssw0rd @123 !!123 \x13 \x91 q \x81 \x92 "2Rbs\x03\x133CSs\x83\x94$4\x95\x05\x15Eu\x86\x16WGW\x98(8i\t\x19IY\x81\x03\x10a\x11\x11A\x15\x11\x91" \x121 & \x13 \x011 \x13 A5 '
$ snmp-check <RHOST>
$ snmp-check -t <RHOST> -c public
https://github.com/codergs/SNMP-MIBS-Downloader
$ sudo apt-get install snmp-mibs-downloader
Comment out the "mibs:" line
$ sudo vi /etc/snmp/snmp.conf
$ snmpwalk -c public -v1 <RHOST>
$ snmpwalk -c internal -v2c <RHOST>
$ snmpwalk -v2c -c public <RHOST> .1
$ snmpwalk -c public -v1 <RHOST> .1.3.6.1.2.1.1.5
$ snmpwalk -v2c -c public <RHOST> nsExtendObjects
$ snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.25
Windows Process Enumeration
$ snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.25.4.2.1.2
Windows Share Information
$ snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.27
$ snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.3.1.1
$ snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.25.6.3.1.2
$ snmpwalk -v2c -c public <RHOST> 1.3.6.1.2.1.4.34.1.3
$ snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.6.13.1.3
$ dig txt <DOMAIN> | grep spf
$ subfinder -dL /PATH/TO/FILE/<FILE>
$ subfinder -dL /PATH/TO/FILE/<FILE> -nW -ip -p /PATH/TO/FILE/<FILE>
Scan for Top Routinely Exploited Vulnerabilities according to CISA
$ subfinder -d <DOMAIN> -all -silent | httpx -silent | nuclei -rl 50 -c 15 -timeout 10 -tags cisa -vv
$ tcpdump -envi <INTERFACE> host <RHOST> -s0 -w /PATH/TO/FILE/<FILE>.pcap
Time To Live (TTL) and TCP Window Size Values
Operating System
Time to Live
TCP Window Size
Linux Kernel 2.4 and 2.6
64
5840
Google Linux
64
5720
FreeBSD
64
65535
OpenBSD
64
16384
Windows 95
32
8192
Windows 2000
128
16384
Windows XP
128
65535
Windows 98, Vista and 7 (Server 2008)
128
8192
iOS 12.4 (Cisco Routers)
255
8760
AIX 4.3
64
16384