Initial Enumeration
Scanning
discover hosts
netdiscover -r 10.0.0.0/24scan subnet for hosts
nmap -v -sn 10.0.0.0/24Syn-scan
nmap -sS INSERTIPADDRESSScan all ports, might take a while.
nmap INSERTIPADDRESS -p-Service-version, default scripts, OS:
nmap INSERTIPADDRESS -sV -sC -O -p 111,222,333Scan for UDP
nmap INSERTIPADDRESS -sUScan through proxychains
proxychains nmap -v -sT 10.3.3.34 -PnUnicornscan
unicornscan -mU -v -I INSERTIPADDRESSConnect to udp if one is open
nc -u INSERTIPADDRESS 48772Monster scan
nmap INSERTIPADDRESS -p- -A -T4 -sCWireshark
Check for traffic coming from or to hostPort 21 - FTP
• FTP-Name:
• FTP-version:
• Anonymous login:
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESSPort 22 - SSH
• Name:
• Version:
• Takes-password:
• If you have usernames test login with username:usernamePort 25 - SMTP
• Name:
• Version:
• VRFY:
nc -nvv INSERTIPADDRESS 25
HELO foo
telnet INSERTIPADDRESS 25
VRFY root
EXPN all
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESSPort 53- DNS
gobuster -m dns -w subdomains.txt -u google.comPort 110 - Pop3
• Name:
• Version:
telnet INSERTIPADDRESS 110
USER pelle@INSERTIPADDRESS
PASS admin
or:
USER pelle
PASS admin
# List all emails
list
# Retrieve email number 5, for example
retr 5Port 111 - Rpcbind
rpcinfo -p INSERTIPADDRESSPort 123-NTP
ntp-info and ntp-monlist
Check ntpd version for exploitsPort 139/445 - SMB
• Name:
• Version:
• Domain/workgroup name:
• Domain-sid:
• Allows unauthenticated login:
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445
enum4linux -a INSERTIPADDRESS
rpcclient -U "" INSERTIPADDRESS
-c options
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
nmblookup -A INSERTIPADDRESSLog in with shell (psexec for linux):
winexe -U username //INSERTIPADDRESS "cmd.exe" --systemPort 161/162 UDP - SNMP
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
snmp-check -t INSERTIPADDRESS -c public
# Common community strings
public
private
communityPort 1433 - MSSQL
SQL shell from Kali
sqsh -S IPADDRESS -U sa
>SELECT * from Table;
>GOUseful MSSQL Commands
Version
SELECT @@versionComments
SELECT 1 — comment
SELECT /*comment*/1Current User
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPIDList Users
SELECT name FROM master..syslogins;List Databases
SELECT name FROM master.dbo.sysdatabases;List Tables
SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE';List Tables for specific database
SELECT TABLE_NAME FROM <DATABASE_NAME>.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE';Port 1521 - Oracle
• Name:
• Version:
• Password protected:
tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESSPort 2049 - NFS
showmount -e INSERTIPADDRESS
If you find anything you can mount it like this:
mount INSERTIPADDRESS:/ /tmp/NFS
mount -t INSERTIPADDRESS:/ /tmp/NFS3306 - MySQL
• Name:
• Version:
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse INSERTIPADDRESS -p 3306Remote MySQL shell
mysql --host=INSERTIPADDRESS -u root -pUseful MySQL commands
Version
SELECT @@versionComments
SELECT 1; #comment
SELECT /*comment*/1;Current User
SELECT user();
SELECT system_user();List Users
SELECT user FROM mysql.user; List Password Hashes, must be privileged
SELECT host, user, password FROM mysql.user; List Databases
show databases;
SELECT schema_name FROM information_schema.schemata; — for MySQL >= v5.0List Columns
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';List Tables
show tables;
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';List Stored Procedures
SHOW PROCEDURE STATUS;
SELECT name from mysql.proc; Check for FILE privilege which allows users to access or create files on the system
SELECT user,file_priv FROM mysql.user WHERE FILE_PRIV='Y';Port 3389 - Remote desktop
Test logging in to see what OS is running
rdesktop -u guest -p guest INSERTIPADDRESS -g 94%
# Brute force
ncrack -u administrator -P /usr/share/wordlists/rockyou.txt -p 3389 IPADDRESSLast updated