
Enumeration

Enumeration GPLv3 license

Nmap

Reconnaissance
# $IP, $PORTS and $TMPFILE are cheat-sheet placeholders; quote them ("$IP") in a real script.
# Step 1: full TCP sweep. SYN scan of every port, skip host discovery (-Pn), no DNS (-n),
# greppable output into $TMPFILE — presumably so the open ports can be fed into $PORTS below.
# --min-rate 5000 is deliberately fast and therefore loud; expect it in IDS/flow logs.
nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn -oG $TMPFILE $IP
# Step 2: default scripts (-sC) plus version detection (-sV) only on the ports found above.
nmap -sC -sV -p$PORTS -oN nmap.txt -Pn $IP
# Quick UDP pass: top-100 ports (-F), lowest version-probe intensity; grep -w drops the
# ambiguous "open|filtered" rows so only definite answers land in udp-nmap.txt.
nmap -sU -T4 -F --version-intensity 0 --min-rate 5000 --open $IP |grep -wv filtered > udp-nmap.txt
# NSE "vuln" category against the known ports; these scripts have false positives, verify manually.
nmap -p$PORTS --script vuln -oN vulnmap.txt -Pn $IP
# OS fingerprinting (-O needs raw-socket privileges); --osscan-guess prints a best guess when nothing matches exactly.
nmap 192.168.164.131 -O --osscan-guess

FFuF

Directory
ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://localhost/FUZZ
Extension
ffuf -w /opt/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://localhost/indexFUZZ
ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.212.201/Changes/FUZZ -e '.php'
Word+Ext
ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://localhost/FUZZ.php
Recursion Extension
ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://localhost/FUZZ -recursion -recursion-depth 1 -e .php -v
Subdomain
ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.google.com/
Vhost (use filter -fs)
ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://domain.com/ -H 'Host: FUZZ.domain.com'
KeyParameter (use filter -fs)
ffuf -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://localhost/admin.php?FUZZ=key
ffuf -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://localhost/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
idValue (use filter -fs)
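# Build the 1..10000 id wordlist for the ffuf line below.
# A single `seq` redirected once replaces the per-line echo loop (one process
# instead of 10000 appends), and `>` rather than `>>` so re-running the line
# does not duplicate entries in ids.txt.
seq 1 10000 > ids.txt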
ffuf -w ids.txt:FUZZ -u http://localhost/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
Useful Command
ffuf -recursion -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','.xml','.py','.sh','.log','.json','.old' -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://localhost/FUZZ
Wordlists
/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt
/opt/SecLists/Discovery/Web-Content/common.txt
/opt/SecLists/Passwords/Common-Credentials/best1050.txt
/opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
/opt/SecLists/Discovery/Web-Content/raft-small-extensions.txt

Samba

Recon
# Run every smb-vuln-* NSE script against 139/445. Note `smb-vuln*` is an
# unquoted shell glob: if the current directory holds a file matching it, the
# shell expands it before nmap sees it — quote the pattern ('smb-vuln*') to be safe.
nmap -sV -p 139,445 --script smb-vuln* 10.11.1.111
# Share and user enumeration scripts on 445 only; -vv shows script progress.
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
Get Version
#tty1
# Terminal 1: sniff tun0 for a Samba version banner on port 139. The `.?`
# between letters allows one interleaved byte per character (presumably to
# match UTF-16 strings); needs raw-capture privileges.
ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]' port 139

#tty2
# Terminal 2: anonymous (-N) share listing to make the server announce itself.
# Unquoted `\\` collapses to a single `\` before the host; the bare host
# (`-L 10.11.1.115`) is the documented form.
smbclient -N -L \\10.11.1.115

#Script
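#!/usr/bin/env bash
# check samba version
#
# Usage: <script> TARGET
#   Env: IFACE  capture interface for ngrep (default: tun0)
#
# Starts ngrep in a detached screen session to watch port 139 for a Samba
# version banner, provokes traffic with an anonymous share listing against
# TARGET, then attaches to the screen session so the capture can be read.
# Ctrl-C while attached tears the session down (see close()).
# Requires: ngrep, smbclient, screen (ngrep needs raw-capture privileges).

# One check per tool so the message names the tool that is actually missing
# (the previous text said "mysql" for all three).
for tool in ngrep smbclient screen; do
    command -v "$tool" >/dev/null 2>&1 || {
        printf '[\e[1;31m!\e[0m] You need \e[1;32m%s\e[0m app, please install it.\n' "$tool" >&2
        exit 1
    }
done

# Exactly one positional argument; the old `-ne 1 || -gt 1` pair was redundant.
# `exit -1` is not portable (bash turned it into 255); use a plain error status.
if [ "$#" -ne 1 ]; then
    printf '%s\n' "[+] Use: $0 target" >&2
    exit 1
fi

TARGET=$1
IFACE=${IFACE:-tun0}

# Random 5-digit screen session name. Assigned *before* the trap is installed,
# so an early Ctrl-C cannot run `screen -XS "" quit`.
SESSION=$(tr -dc '0-9' < /dev/urandom | fold -w 5 | head -n 1)

# Kill the capture session and exit; installed as the INT handler below.
close(){
    screen -XS "${SESSION}" quit
    exit 1
}

trap 'close' INT

#RunAway
# Detached sniffer, run directly by screen (no `bash -c` string, so IFACE is
# passed as an argument rather than interpolated). Pattern: case-insensitive
# "samba" with optional interleaved bytes, followed by a digit, on port 139.
screen -S "${SESSION}" -dm ngrep -i -d "${IFACE}" 's.?a.?m.?b.?a.*[[:digit:]]' port 139
# Anonymous (-N) share listing; the bare host is the documented -L form. The
# original unquoted `\\${TARGET}` collapsed to a single backslash anyway.
smbclient -N -L "${TARGET}"
# Attach to read what ngrep captured.
screen -r "${SESSION}"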

WebInfo

Nikto
# https://github.com/sullo/nikto/wiki/Plugin-list
# Default full scan of $IP (placeholder; quote it in a script), report written to nikto.txt.
nikto -h $IP -o nikto.txt
# Run only the named plugin instead of the whole set.
nikto -h 10.10.10.1 -Plugin apacheuser
Headers
curl -s -I -X GET http://$IP >> $OUTPUT
WhatWeb
whatweb http://$IP >> $OUTPUT
Certificates
echo | openssl s_client -showcerts -connect $IP:443 2>/dev/null | openssl x509 -inform pem -noout -text > certificate-info.txt
Nmap
nmap -sV --script=http-enum $TARGET
Mandatory
view source
robots.txt && sitemap.xml
nikto
ffuf with the common, raft-files and directory-list wordlists, paths both with and without a trailing /
sqli
burp
search for subdomains

WPScan

# Raise both timeouts for slow or rate-limited hosts (combine with any line below).
wpscan --connect-timeout 20 --request-timeout 20
# --stealthy is an alias for a random user agent plus passive detection modes;
# a bare --enumerate still runs the full default enumeration.
wpscan --stealthy --url http://10.10.10.120/wp/wordpress/ --enumerate
# Password attack for one user (-U) against a small rockyou slice (-P); every
# attempt hits wp-login, so it is visible in the auth logs and prone to lockouts.
wpscan --url http://192.168.229.52/ -U michael  -P /opt/SecLists/Passwords/Leaked-Databases/rockyou-20.txt --password-attack wp-login # Bruteforce 
# Enumerate only vulnerable plugins (vp), vulnerable themes (vt) and users (u).
wpscan --url http://cmnatics.playground/ --enumerate vp,vt,u # vulnerables
# Enumerate all plugins (ap), all themes (at), config backups (cb), DB exports (dbe) and users (u).
wpscan --url sandbox.local --enumerate ap,at,cb,dbe,u # all