All listed items are separate commands unless otherwise specified…
…if a command needs sudo, the tool will tell you
…otherwise, just use the pasted command
nmap -A -T4 -p- -sS -O -oN nmap_10.10.1.299.txt ip
nmap -A -T4 -p- -sS -OA -oN nmap_10.10.1.299.txt ip
nmap -sU --top-ports 100 -vv ip
nmap -sV -vv -p <ports> --script vuln ip
#!/bin/bash
# Minimal TCP connect check of every port on a single, hard-coded host using
# bash's /dev/tcp pseudo-device (needs bash built with net redirections, the
# default on most Linux distributions). Ports are probed one at a time with a
# 0.1 s timeout each, so a full run can take on the order of hours, and every
# probe is a complete TCP connection attempt to the target.
host=10.5.5.11
for port in {1..65535}; do
# timeout exits non-zero (124) when the connect hangs; bash -c exits non-zero
# when the redirect fails (connection refused). Either way the && short-circuits,
# so the message is printed only for ports that accepted the connection.
timeout .1 bash -c "echo >/dev/tcp/$host/$port" &&
echo "port $port is open"
done
echo "Done"
nc -vv -z 10.10.1.299 1-65535 2>&1 | grep "succeeded" > scan.out
nc -nv 10.10.1.299 25
VRFY root
telnet 10.10.1.299 25
VRFY root
nc -nvC 10.10.1.299 110
USER root
PASS alphabeta
nc -nvC 10.10.1.299 4555 #DIFFERENT WAY TO SEND THE COMMAND -nvC
nc -nv 10.10.1.299 4555 -C
for user in marcus john mailadmin jenny ryuu joe45; do ( echo USER ${user}; sleep 2s; echo PASS abcd; sleep 2s; echo LIST; sleep 2s; echo quit) | nc -nvC 10.10.1.299 110; done
nc -nvC 10.10.1.299 110
RETR 1
curl -i ip
curl -i http://ip
curl -i http://url.com
dirb http://10.10.1.299
dirb http://10.10.1.299 -P 10.10.1.299:8080 -o file.txt # USED TO SCAN OTHER PORTS
dirbuster
gobuster dir -u http://10.10.1.299:8080 -w /usr/share/wordlists/dirb/big.txt
rpcinfo -s 10.10.1.299
showmount -a ip
showmount -e ip
snmpwalk -c public -v1 -t 10 ip
…edit the /etc/hosts file and add the IP and hostnames
…this acts as a local stand-in for DNS (static name-to-IP mappings that are consulted before DNS lookups)
# within /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.1.299 url.com
10.10.1.299 sub.url.com
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
…useful once you move on to brute-forcing
# CREATE A WORDLIST
cewl -w searchWordlists.txt -d2 -m 3 search.htb
# EXAMPLE BRUTE-FORCE TECHNIQUE
crackmapexec smb search.htb search.htb -u searchWordlists.txt -p IsolationIsKey?
…sometimes sites won't allow public (unauthenticated) searches
…so identify as Googlebot instead
…use Burp Suite to change your User-Agent header
# NEWER AGENT HEADER TO USE
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
# OLD AGENT HEADER SOMETIMES WORKS
Googlebot/2.1 (+http://www.google.com/bot.html)
…simply log in as "anonymous" with no password
ftp ip
user: anonymous
pass: <just hit enter>