Generic Remote Enumeration

All listed items are separate commands unless otherwise specified…

NMAP - STANDARD FIRST APPROACH

…if sudo is required, nmap will let you know
…otherwise, just use the pasted command as-is

nmap -A -T4 -p- -sS -O -oN nmap_10.10.1.299.txt ip
nmap -A -T4 -p- -sS -OA -oN nmap_10.10.1.299.txt ip
nmap -sU --top-ports 100 -vv ip
nmap -sV -vv -p <ports> --script vuln ip

BASH - GENERIC NETWORK SCAN

#!/bin/bash
# TCP connect sweep using bash's built-in /dev/tcp; 0.1 s timeout per port
# stderr is discarded so "Connection refused" noise doesn't bury the hits
host=10.5.5.11
for port in {1..65535}; do
  timeout .1 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null &&
    echo "port $port is open"
done
echo "Done"

SCAN USING NETCAT

nc -vv -z 10.10.1.299 1-65535 2>&1 | grep "succeeded" > scan.out
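Both the bash loop and the nc -z scan above leave the same footprint on the receiving side: one source touching many distinct ports in a short time. The following is an added example, not part of the original notes, that flags that pattern from the defender's side in a constructed, simplified connection log (the line format, field order and thresholds are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_line(line):
    """Parse one constructed log line: '<iso timestamp> <src ip> <dst port> <outcome>'."""
    ts, src, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, int(dport), outcome

def detect_port_sweeps(lines, window_seconds=60, min_ports=50):
    """Return {src_ip: peak distinct-port count} for every source that touched
    at least min_ports distinct destination ports inside any window_seconds span.
    Refused connections count too: a probe of a closed port is still a probe."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dport, _outcome = parse_line(line)
        by_src[src].append((ts, dport))
    flagged = {}
    for src, events in by_src.items():
        events.sort()                      # sliding window needs time order
        start = 0
        in_window = defaultdict(int)       # dst port -> probes currently inside window
        for ts, dport in events:
            in_window[dport] += 1
            while ts - events[start][0] > window:   # evict probes that fell out
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged

# Constructed sample log (not real traffic). 10.5.5.50 behaves like the bash
# loop above: one probe per port, ports 1..300, 0.1 s apart, almost all refused.
# 10.5.5.80 is a normal client that keeps talking to just two services.
BASE = datetime(2024, 1, 1, 10, 0, 0)
SCAN_LINES = [
    f"{(BASE + timedelta(seconds=0.1 * p)).isoformat()} 10.5.5.50 {p} "
    f"{'OPEN' if p in (22, 80) else 'REFUSED'}"
    for p in range(1, 301)
]
CLIENT_LINES = [
    f"{(BASE + timedelta(seconds=5 * i)).isoformat()} 10.5.5.80 {443 if i % 2 else 80} OPEN"
    for i in range(40)
]
SAMPLE_LOG = SCAN_LINES + CLIENT_LINES

if __name__ == "__main__":
    for src, peak in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"port sweep from {src}: {peak} distinct ports within 60 s")
```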

SCAN PORTS INDIVIDUALLY

nc -nv 10.10.1.299 25
VRFY root
telnet 10.10.1.299 25
VRFY root
nc -nvC 10.10.1.299 110
USER root
PASS alphabeta
nc -nvC 10.10.1.299 4555  # -C SENDS CRLF LINE ENDINGS, WHICH MANY TEXT PROTOCOLS EXPECT
nc -nv 10.10.1.299 4555 -C  # SAME THING, -C GIVEN SEPARATELY

ONE-LINER SCAN

for user in marcus john mailadmin jenny ryuu joe45; do ( echo USER ${user}; sleep 2s; echo PASS abcd; sleep 2s; echo LIST; sleep 2s; echo quit) | nc -nvC 10.10.1.299 110; done

READ MAIL

nc -nvC 10.10.1.299 110
RETR 1

CURL

curl -i ip
curl -i http://ip
curl -i http://url.com

WEB DIRECTORY ENUMERATION

dirb http://10.10.1.299
dirb http://10.10.1.299:8080 -o file.txt  # USED TO SCAN OTHER PORTS (PUT THE PORT IN THE URL)
dirbuster
gobuster dir -u http://10.10.1.299:8080 -w /usr/share/wordlists/dirb/big.txt

REMOTE PROCEDURE CALL (RPC)

rpcinfo -s 10.10.1.299

NETWORK FILE SYSTEM (NFS)

showmount -a ip
showmount -e ip

SNMP

snmpwalk -c public -v1 -t 10 ip

ADD LINKS THAT ARE FOUND

…edit the /etc/hosts file and add the IP and the hostnames that are found
…this acts as a local DNS override, so those names resolve without a DNS server

# within /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
10.10.1.299	url.com
10.10.1.299	sub.url.com

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

CREATE WORDLIST FROM WEBSITE

…great to use when you move on to brute-forcing

# CREATE A WORDLIST
cewl -w searchWordlists.txt -d2 -m 3 search.htb

# EXAMPLE BRUTE-FORCE TECHNIQUE
crackmapexec smb search.htb search.htb -u searchWordlists.txt -p 'IsolationIsKey?'  # QUOTE THE PASSWORD SO THE SHELL DOESN'T EXPAND THE ?

GOOGLE BOT

…sometimes sites won’t allow public searches
…so present yourself as Googlebot
…use Burp Suite to change your User-Agent header

# NEWER AGENT HEADER TO USE
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

# OLD AGENT HEADER SOMETIMES WORKS
Googlebot/2.1 (+http://www.google.com/bot.html)

FTP

…simply use “anonymous” with no password

ftp ip
user: anonymous
pass: <just hit enter>