Methodology
NMAP:-
Nmap default scan: nmap -sC -sV -Pn -oA initial IP
Nmap fullscan: nmap -p- -Pn -sT -oN full.txt IP
Nmap fullserv scan: nmap -Pn -sV -p PORTS IP (PORTS: comma-separated list of the ports found by the full scan)
Nmap scripts: nmap --script vuln -p PORTS IP
Nmap UDP scan: nmap -sU -Pn IP
Nmap UDP fullscan: nmap -sU -p- -Pn IP
Nmap Aggressive scan: nmap -A -Pn IP
Re-run the nmap full port scan after 1-2 hrs to check that all the ports were discovered.
Nmap Scripts: /usr/share/nmap/scripts/
nmap IP --script=... --script-args uri=/cgi-bin/admin.cgi --script-args uri=/cgi-bin/test.cgi
nikto -o nikto.txt -host IP
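Comparing the first full scan with the re-run by eye is error prone. The script below is an added example, not part of the original notes: it parses the grepable output that -oA writes to the .gnmap file and reports which ports appeared or disappeared between two runs. The two scan results embedded in it are constructed sample output, not captures from a real host.

```python
"""Diff two nmap grepable (.gnmap) results, e.g. a full scan and its re-run.

Added example; the sample scans below are constructed, not real captures.
A port whose state or version changed shows up once as removed and once
as added, so version drift between runs is visible too.
"""
import re
from dataclasses import dataclass

# Constructed sample: first full TCP scan of a lab host.
SCAN_1 = """\
# Nmap 7.94 scan initiated as: nmap -p- -Pn -sT -oA full 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/\tIgnored State: closed (65533)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Constructed sample: the same scan re-run later; one more port answers now.
SCAN_2 = """\
# Nmap 7.94 scan initiated as: nmap -p- -Pn -sT -oA full2 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# gnmap port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/(.*?)/(.*?)/(.*?)/(.*?)/$")


@dataclass(frozen=True, order=True)
class Port:
    host: str
    proto: str
    number: int
    state: str
    service: str
    version: str


def parse_gnmap(text: str) -> set[Port]:
    """Return every port entry found in the 'Host:' lines of a .gnmap file."""
    ports: set[Port] = set()
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")          # tab-separated: Host, Ports, Ignored State, ...
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                m = PORT_RE.match(entry.strip())
                if not m:                  # skip anything that is not a port entry
                    continue
                num, state, proto, _owner, service, _rpc, version = m.groups()
                ports.add(Port(host, proto, int(num), state, service, version))
    return ports


def diff_scans(old: str, new: str) -> dict[str, list[Port]]:
    """Ports present only in the new scan ('added') or only in the old one ('removed')."""
    before, after = parse_gnmap(old), parse_gnmap(new)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def report(diff: dict[str, list[Port]]) -> list[str]:
    """Render the diff as one line per changed port, '+' for added, '-' for removed."""
    lines = []
    for sign, key in (("+", "added"), ("-", "removed")):
        for p in diff[key]:
            lines.append(f"{sign} {p.host} {p.proto}/{p.number} {p.state} {p.service} {p.version}".rstrip())
    return lines or ["no differences between the two scans"]


if __name__ == "__main__":
    for line in report(diff_scans(SCAN_1, SCAN_2)):
        print(line)
```

In practice point parse_gnmap at the contents of initial.gnmap and full.gnmap (or the re-run's file) instead of the embedded samples; anything listed with a '+' is a port the first pass missed and still needs a service scan.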
FINGERPRINTING:
Connect to the ports with netcat and grab the banner for version and OS info.
Confirm the OS from the official website.
HTTP/HTTPS:-
Grab the header: curl -i IP
Check robots.txt
Run gobuster, dirbuster and nikto. (Also run gobuster on already found URLs, and on ones that return 403.)
Check the source code of each page
Check the web app/CMS source code online, e.g. on GitHub. Look for config files, README files etc. that can give sensitive information.
Collect usernames and keywords from webpages and source code and note them.
If nothing else succeeds, bruteforce the already found directories again. Check for application-specific wordlists to save time.
Find exploits related to a keyword/application: "keyword exploit", "keyword exploitdb", "keyword exploit github", "keyword exploit github python", "keyword hackthebox", "keyword vulnhub", "keyword tryhackme".
Note down the web server and web application versions. They help to understand the machine and to find exploits for the same.
If the webapp is misconfigured, you can guess the post-authentication URL and bypass the authentication completely.
If you don't get a shell, try URL encoding or Base64 encoding.
If you find a Login/Signup page then do the following:-
Check for weak credentials.
Check for default credentials.
Check for valid usernames by comparing the error messages of incorrect login/forgot password attempts.
Guess the credentials by using the name of software/keywords. Use cewl.
SMB:-
Run smbmap, smbclient, enum4linux.
Note down the version and check if there are exploits associated with it.
SMTP:- (Used to send emails)
Check for valid user using the VRFY command
Check for version and find an exploit for it.
Check for shellshock.
Bruteforce: smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.72
POP3:- (Used to receive emails)
Login using USER user, PASS pass
Use LIST to list the emails
Use RETR 1 to read the email
FTP:-
Try anonymous login
Check version and exploits
Try bruteforce: hydra -L USERLIST -P PASSLIST IP ftp
SSH:-
Connect with SSH to grab the banner.
Check whether it prompts for a password. If not, authentication is key-based.
Scripts: ls -la /usr/share/nmap/scripts/*ssh*
Bruteforce with the intel found.
RPC:-
rpcinfo -s IP
NNTP (119):- (Used to read and write articles to NNTP server)
nc -nvC IP 119
HELP
LIST (If it shows 0 0 then there are no articles present.)
NFS:-
showmount -a IP
showmount -d IP
showmount -e IP
SEARCHSPLOIT: