forked from sd-geek/OSCP
-
Notifications
You must be signed in to change notification settings - Fork 14
/
01 - Discovery
153 lines (113 loc) · 4.91 KB
/
01 - Discovery
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
################## Discovery##################
-------------- Google --------------
Google search to find website sub domains
site:microsoft.com site:[www.microsoft.com](http://www.microsoft.com)
Google filetype, and intitle
intitle:”netbotz appliance” “OK” -filetype:pdf
Google inurl
inurl:”level/15/sexec/-/show”
Google Hacking Database:
https://www.exploit-db.com/google-hacking-database/
-------------- Email Harvesting --------------
Simply Email
# git clone https://github.com/killswitch-GUI/SimplyEmail.git ./SimplyEmail.py -all -e TARGET-DOMAIN
-------------- Whois Enumeration --------------
whois domain-name-here.com whois $ip
-------------- Arp Scan --------------
arp-scan --interface=eth1 192.168.187.1/24
DNS_LOOKUP_AD.sh
++++++++++ need ++++++++++
-------------- NMAP --------------
Zone Transfer
# dnsrecon -t axfr -d <DOMAIN>
Initial ping scan
# nmap -sn <IP ADDRESS RANGE> -oA initialpingscan
Fast Full Scan
# nmap -sS --min-rate 5000 --max-retries 1 -p- <IP ADDRESS>
Scripts and Verbose
# nmap -sC -sV -p <PORTS> <IP ADDRESS>
--------------NMAP Scripts --------------
Standard scans
TCP SCAN
# nmap -sC -sV -oA -ip-
# nmap -Pn -p- -vv -ip-
UDP SCAN
# Nmap -Pn -p- -sU -vv -ip-
Vuln Script
https://nmap.org/nsedoc/ -- scripts
# Nmap -Pn -sV -O -pT:{TCP ports found in step 1},U:{UDP ports found in step 1} -script *vuln* <ip address>
Grab banners manually for more clarity: nc -nv <ip-address> <port>
Vulners Script
# nmap -sV --script=vulners <IP Address>
Check for vulnerablities
# nmap -sS -sV -A -O --script="*-vuln-*" --script-args=unsafe=1 <Target IP>
-------------- Unicorn Scan --------------
Unicorn TCP
# unicornscan -r200 192.168.28.67:1-65000 -v -mT
# unicornscan -i tap0 -I -mT $IP:a
# db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -p
Unicorn UDP
# unicornscan -r200 192.168.28.67:1-65000 -v -mU
# unicornscan -i tap0 -I -mU $IP:a
# db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -sU -p
-------------- Ping Sweep --------------
# ping -c 1 10.0.0.69 >> /dev/null && echo Online
# for ip in $(seq 1 5); do ping -c 10.0.0.$ip > dev/null && echo "Online 10.0.0.$ip"; done
# for ip in $(seq 1 5); do ping -c 1 192.168.187.$ip > /dev/null && echo "Online 192.168.187.$ip"; done
-------------- Port Knocking --------------
Check existing port to find any other ports needed.
# nc -vn <IP> <port>
Hping3 to unlock.
# hping3 -S <IP ADDRESS> -p <PORT 1> -c 1; hping3 -S <IP ADDRESS> -p L<IP ADDRESS <PORT 2> -c 1; hping3 -S <IP ADDRESS> -p <PORT 2> -c 1
-------------- Enum4Linux --------------
# enum4Linux -a <IP ADDRESS>
-------------- Find Hidden Directories --------------
# Find .
-------------- Directory and File Permissions --------------
# ls -lah /home
-------------- Banner Grabbing --------------
# NC <IPADDRESS> <PORT>
# nc -v <IPADDRESS> <PORT>
# telnet <IPADDRESS> <PORT>
-------------- Recon-ng --------------
# git clone https://[email protected]/LaNMaSteR53/recon-ng.git
# cd /opt/recon-ng
# ./recon-ng show modules help
-------------- DB_MAP --------------
# db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A –p
# db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -sU -p
-------------- DNS --------------
Massscan
# ++++++++++ need ++++++++++
Sublist3r
# python3 sublist3r.py -v -d target.com
Host Lookup
# host -t ns megacorpone.com
Reverse Lookup Brute Force - find domains in the same range
# for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
Perform MX Record Lookup
# dig mx domain-name-here.com @nameserver
Perform Zone Transfer with DIG
# dig axfr domain-name-here.com @nameserver
DNS Zone Transfers
Windows DNS zone transfer
# nslookup -> set type=any -> ls -d blah.com Linux DNS zone transfer
# dig axfr blah.com @ns1.blah.com
Dnsrecon DNS Brute Force
# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
Dnsrecon DNS List of megacorp
# dnsrecon -d megacorpone.com -t axfr
DNSEnum
# dnsenum zonetransfer.me
-------------- Subdomain Check --------------
Network
Vanquish - Auto recon + exploit suggester
Are there any NETBIOS, SMB, RPC ports discovered?
RPC
# rpcclient <ip address> -U “” -N
# rpcinfo: What services are running? Rpcinfo -p <target ip>
Wireshark
Use Wireshark / tcpdump to capture traffic on the target host:
# tcpdump -i tap0 host <target-ip> tcp port 80 and not arp and not icmp -vv
Fuzzing
# sfuzz -S 192.168.1.1 -p 10443 -T -f /usr/share/sfuzz/sfuzz-sample/basic.http