First Chapter

  1. Conduct search engine discovery and reconnaissance for information leakage.
    Tools: Burp Proxy, dirb, DirBuster, fuzzdb, Tilde Scanner, dirs3arch, sublist3r, Reconnoitre

  2. Use a search engine to look for network diagrams and configurations, credentials, and error message content.
    Tools: Google hacking, Shodan, Censys

  3. Identify the application architecture, including web language, WAF, reverse proxy, application server, backend database, HTTP methods, etc.
    Tools: Browser, curl, wget, WhatWeb, BlindElephant, Wappalyzer, CMSmap

  4. Find applications hosted on the web server (virtual hosts/subdomains), non-standard ports, and DNS zone transfers.
    Tools: Webhosting.info, dnsrecon, Nmap, fierce, Recon-ng, Intrigue

Network Scan

  # Host discovery (ping sweep) of a /24; -sP is the legacy alias for -sn
  nmap -sn 192.168.1.0/24
  nmap -sP 192.168.1.0/24

  # Full scan of every host listed in targets.txt, one normal-output file per host
  mkdir -p scans
  while read -r ip; do nmap -A -T4 -oN "scans/nmap.$ip.txt" "$ip"; done < targets.txt

  # SYN scan with version detection and default scripts, no DNS resolution
  nmap -sS -sV -sC -n [IP]

Enumerate SNMP (UDP 161) if it's open! This will show other open ports/running services and applications!

  snmp-check -t [IP] -c public

Enumerate SMB (TCP 139/TCP 445) if it's open! This will show open shares, anonymous logins, etc.

  enum4linux [IP]

Run nikto on interesting directories!

  nikto -h http(s)://[IP]:[PORT]/[DIRECTORY]
UDP Scan

UDP-Protocol-Scanner
  # Port scan of every host in ips.txt
  udp-protocol-scanner.pl -f ips.txt

  # Protocol-specific scan (here NTP)
  udp-protocol-scanner -p ntp -f ips.txt

NMAP
  nmap -sU -sV -n --top-ports 200 [IP]
  sudo nmap -sU -A -T3 --top-ports 100 10.10.10.24

Netcat
  # UDP: an ICMP port-unreachable error means the port is closed; no reply means open|filtered
  nc -nv -u -z -w 1 host 160-162

TCP Scan

Netcat
  nc -nvv -w 1 -z host 1000-2000

NMAP
  nmap -p 1-65535 -sV -sS -T4 $TARGET
  nmap -v -sS -A -T4 $TARGET
  nmap -v -sV -O -sS -T4 $TARGET

  # All-ports scan
  nmap -v -p- $TARGET

Masscan
  masscan 10.11.0.0/16 -p443
  masscan 10.11.0.0/16 -p80,443
  masscan 10.11.0.0/16 --top-ports 100
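As an added example (not part of the original cheat sheet), a small Python parser that reads the normal (-oN) output files produced by the nmap loop above and maps each host's open ports onto the follow-up checks this page lists (SNMP, SMB, anonymous FTP, web directories). The sample output is constructed, not a real scan, and the port-to-check table is an assumption of this example; the same inventory is what a defender uses to confirm the exposed services match what is meant to be exposed.

```python
import re
from collections import defaultdict

# Constructed sample of nmap normal (-oN) output for two hosts; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -sC -n -oN scans/nmap.10.10.10.24.txt 10.10.10.24
Nmap scan report for 10.10.10.24
Host is up (0.0010s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          vsftpd 3.0.3
22/tcp  open  ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http         Apache httpd 2.4.41 ((Ubuntu))
445/tcp open  microsoft-ds
161/udp open  snmp         SNMPv1 server (public)
Nmap scan report for 10.10.10.25
Host is up (0.0020s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
8080/tcp open   http-proxy
443/tcp  closed https
# Nmap done at Mon Jan  1 10:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_normal(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oN text."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current]  # make the host appear even if no port lines follow
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version.strip()))
    return dict(hosts)


# Follow-up checks taken from the checklist on this page, keyed by (port, proto).
# This mapping is an assumption of the example, not part of nmap or the page's tools.
FOLLOW_UPS = {
    (21, "tcp"): "ftp: test anonymous login",
    (139, "tcp"): "smb: enum4linux / smbclient -L",
    (445, "tcp"): "smb: enum4linux / smbclient -L",
    (161, "udp"): "snmp: snmp-check -c public",
    (80, "tcp"): "http: nikto / davtest / DirBuster",
    (443, "tcp"): "http: nikto / davtest / DirBuster",
}


def triage(hosts):
    """Map each host to the checklist follow-ups its open ports call for."""
    actions = {}
    for host, ports in hosts.items():
        todo = []
        for port, proto, state, service, _version in ports:
            if state != "open":          # closed/filtered ports need no follow-up
                continue
            key = (port, proto)
            if key in FOLLOW_UPS:
                todo.append(FOLLOW_UPS[key])
            elif service.startswith("http"):  # web service on a non-standard port
                todo.append("http (%d): nikto / davtest / DirBuster" % port)
        actions[host] = sorted(set(todo))
    return actions


if __name__ == "__main__":
    inventory = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for host, checks in triage(inventory).items():
        print(host)
        for check in checks:
            print("  -", check)
```

To use it on real files, replace SAMPLE_NMAP_OUTPUT with the concatenated contents of scans/nmap.*.txt; the "Nmap scan report for" line separates hosts, so concatenation is safe.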

Prefer DirBuster over dirb, and use the medium wordlist for better results!

  • /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Check for anonymous logins for FTP/SMB!

  • ftp [IP]
    • Username: anonymous Password: anonymous
  • smbclient -L //[IP] -N
    • Username: root Password: None

Check for WebDAV! The Nmap script scan should pick it up! If not…

  • davtest -url http(s)://[IP]

Don't overthink it! Try low-hanging fruit first!

  • Password the same as username?
  • Username/password combo of admin:admin
  • Google the documentation. Default credentials/login?
