Methodology
NMAP:-
Nmap default scan: nmap -sC -sV -Pn -oA initial IP
Nmap fullscan: nmap -p- -Pn -sT -oN full.txt IP
Nmap fullserv scan (service detection on the ports found by the full scan): nmap -Pn -sV -p PORTS IP
Nmap scripts: nmap --script vuln -p PORTS IP
Nmap UDP scan: nmap -sU -Pn IP
Nmap UDP fullscan: nmap -sU -p- -Pn IP
Nmap Aggressive scan: nmap -A -Pn IP
Re-run the full port scan after 1-2 hours to check whether all ports were discovered.
Nmap Scripts: /usr/share/nmap/scripts/
nmap IP --script=... --script-args uri=/cgi-bin/admin.cgi --script-args uri=/cgi-bin/test.cgi
nikto -o nikto.txt -host IP
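Re-running the full scan only helps if the two port lists are actually compared. The following is an added Python example (not part of the original cheat sheet) that parses the .gnmap file written by -oA, diffs the open ports of the initial scan against the later full scan, and pulls out the version strings worth noting for the HTTP/SMB/FTP sections below. The scan output embedded in it is constructed sample data, and the host 10.0.0.5 is a placeholder.

```python
"""Parse nmap greppable (.gnmap) output and diff an initial scan against a
later full-port re-run, so missed ports and detected versions stand out.
Added example; the scan text below is constructed sample data, not real output."""
import re
from typing import Dict, NamedTuple, Set

# Constructed sample of what `nmap -sC -sV -Pn -oA initial 10.0.0.5` writes to initial.gnmap
INITIAL_GNMAP = """# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sC -sV -Pn -oA initial 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 00:00:12 2024 -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# Constructed sample of the later full-port scan (`nmap -p- -Pn -sT -oA full 10.0.0.5`)
FULL_GNMAP = """# Nmap 7.94 scan initiated Mon Jan  1 02:00:00 2024 as: nmap -p- -Pn -sT -oA full 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 31337/open/tcp//Elite///\tIgnored State: closed (65531)
"""

# Each entry in a .gnmap "Ports:" field has seven '/'-separated fields:
# port/state/protocol/owner/service/rpc info/version/
# (nmap writes '/' inside version strings as '|', so '/' is a safe delimiter).
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"^Host:\s+(\S+)")


class PortInfo(NamedTuple):
    state: str
    proto: str
    service: str
    version: str


Scan = Dict[str, Dict[int, PortInfo]]  # host -> port -> details


def parse_gnmap(text: str) -> Scan:
    """Return {host: {port: PortInfo}} from greppable nmap output."""
    scan: Scan = {}
    for line in text.splitlines():
        host_match = HOST_RE.match(line)
        if not host_match or "\tPorts: " not in line:
            continue  # skip comment lines and Status-only lines
        host = host_match.group(1)
        # Keep only the Ports field; "Ignored State" follows after a tab
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        entries = scan.setdefault(host, {})
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entries[int(port)] = PortInfo(state, proto, service, version)
    return scan


def open_ports(scan: Scan, host: str) -> Set[int]:
    """Only ports nmap reported as open (filtered/closed are excluded)."""
    return {p for p, info in scan.get(host, {}).items() if info.state == "open"}


def diff_open_ports(before: Scan, after: Scan, host: str) -> Dict[str, Set[int]]:
    """Ports the later scan found that the earlier one missed, and vice versa."""
    b, a = open_ports(before, host), open_ports(after, host)
    return {"new": a - b, "missing": b - a}


def versions(scan: Scan, host: str) -> Dict[int, str]:
    """Port -> version string for every port where -sV identified one."""
    return {p: i.version for p, i in scan.get(host, {}).items() if i.version}


def port_arg(ports: Set[int]) -> str:
    """Comma-separated, sorted port list in the form nmap -p accepts."""
    return ",".join(str(p) for p in sorted(ports))


if __name__ == "__main__":
    host = "10.0.0.5"
    first, full = parse_gnmap(INITIAL_GNMAP), parse_gnmap(FULL_GNMAP)
    delta = diff_open_ports(first, full, host)
    print("open in initial scan:", port_arg(open_ports(first, host)))
    print("open in full scan:   ", port_arg(open_ports(full, host)))
    print("new:", sorted(delta["new"]), "missing:", sorted(delta["missing"]))
    print("versions to note:", versions(first, host))
```

Feed it the real initial.gnmap and full.gnmap files instead of the embedded strings; the "new" set is what still needs a -sV pass, and port_arg() builds the -p argument for it.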
FINGERPRINTING:-
Connect to the open ports with netcat and grab the banner for version and OS info.
Confirm the OS/version against the vendor's official website.
HTTP/HTTPS:-
Grab the header: curl -i IP
Check robots.txt
Run gobuster, dirbuster and nikto. (Also run gobuster on already-found URLs, including ones that return 403.)
Check the source code of each page
If you find Wordpress, Drupal, Joomla, October, Tomcat, phpMyAdmin website, then go here
Check the webapp/CMS source code online (e.g. on GitHub). Look for config files, README files, etc. that may reveal sensitive information.
If you find SQLi then go here
If you find LFI/RFI then go here
If you find File Uploads then go here
Collect usernames and keywords from webpages and source code and note them.
If nothing works, brute-force the already-found directories again. Check for application-specific wordlists to save time.
Find exploits related to a keyword/application: "keyword exploit", "keyword exploitdb", "keyword exploit github", "keyword exploit github python", "keyword hackthebox", "keyword vulnhub", "keyword tryhackme".
Note down the web server and web application versions. This helps to understand the machine and to find exploits for them.
If the web app is misconfigured, you may be able to guess post-authentication URLs and bypass authentication completely.
If you don't get a shell, try URL-encoding or Base64-encoding the payload.
If you find a Login/Signup page then do the following:-
Check for weak credentials.
admin:admin, admin:password, administrator:administrator, administrator:password, root:root, root:password
Check for default credentials.
Check for valid usernames via differing error messages on incorrect login/forgot password.
Guess credentials using the software name/keywords. Use cewl to build a wordlist from the site.
Try bypassing using SQLi
Bruteforce password using Hydra
SMB:-
Run smbmap, smbclient, enum4linux.
Note down the version and check if there are exploits associated with it.
If a share hosts the web pages, try to get code execution/a reverse shell by uploading a file to it.
SMTP:- (Used to send emails)
Check for valid users using the VRFY command.
Check for version and find an exploit for it.
Check for shellshock.
Bruteforce: smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.72
POP3:- (Used to receive emails)
Log in with USER user and PASS pass.
Use LIST to list the emails
Use RETR 1 to read the email
FTP:-
Try anonymous login
Check version and exploits
Try bruteforce: hydra -L USERLIST -P PASSLIST IP ftp
SSH:-
Connect with SSH to grab the banner.
Check whether it prompts for a password. If not, authentication is key-based.
Scripts: ls -la /usr/share/nmap/scripts/*ssh*
Bruteforce with the usernames/credentials gathered so far.
RPC:-
rpcinfo -s IP
NNTP (119):- (Used to read and post articles on an NNTP server)
nc -nvC IP 119
HELP
LIST (If it shows 0 0 then there are no articles present.)
NFS:-
showmount -a IP
showmount -d IP
showmount -e IP
SEARCHSPLOIT:-
#Basic
searchsploit <name>
#Remove dos exploits
searchsploit <name> | grep -v '/dos/'
#Search in title and remove dos exploits
searchsploit -t <name> | grep -v '/dos/'
#Remove a specific string from the result path (e.g. remove .php)
searchsploit --colour -t php 5.x | grep -v '/dos/' | grep -vi '\.php '