Reconnaissance and Initial Access
Passive Enum
whois
whois $domain -h $ip
Google Dorking
site, intext, inurl, intitle, filetype
Shodan
API Reference (python module sucks last I used it, use requests)
http.favicon.hash - murmur3 (mmh3) hash of the base64 encoding of the favicon (very fun!). Here are some pre-hashed ones for your enjoyment.
import mmh3
import base64

# Shodan hashes the base64 *text* of the icon wrapped at 76 chars with
# newlines, which is what encodebytes() gives you; plain b64encode() has
# no newlines and produces a different hash
with open('favicon.ico', 'rb') as f:
    h = mmh3.hash(base64.encodebytes(f.read()))
print(h)  # then search shodan for http.favicon.hash:<h>
Greynoise
Not really Enum, to be moved
Misc Passive and Semi-passive tools
securityheaders.com and ssltest
crt.sh - certificate search
Active Enum
ARP scanning
sudo arp-scan --interface=XXX 192.168.0.0/24 to scan that /24 on interface XXX (usually eth0); you can also just use --localnet instead to generate the address range from your interface configuration.
sudo netdiscover -r 192.168.0.0/24 to scan that /24; it has a fancier interface than arp-scan
SSH
Just try to ssh into it; if it's real old or something you can manually specify kex, cipher and host key with -oKexAlgorithms=+{kex}, -c {cipher}, and -oHostKeyAlgorithms=+{host_key} respectively. You might get a banner or something, not usually very useful for now.
DNS
host is used to go from domain name to ip, specify type with -t (default is A)
dnsrecon is a python script, -d for domain and -t for recon type from the following
DNS brute force dnsrecon -d $domain -D $list -t brt
dnsenum is better though, just pass it the domain like dnsenum $domain
In Windows we can use nslookup to do the same as host, use -type={TXT,MX,etc} for other types and specify the DNS server after the domain to use a specific one! e.g. nslookup -type=MX $domain $dns_server
Port Scanning
nc is awesome, as we all know, and you can actually do a port scan with it
nc -nvv -w 1 -z $ip $port_lower-$port_upper
-w is timeout, -z specifies zero i/o, -nvv is numeric IPs and extra verbosity respectively. -u can also be used for UDP, -i is delay interval
Important UDP scanning detail: an ICMP port unreachable message is the only thing that tells you a UDP port is closed, so if a firewall filters ICMP, closed ports will be reported as open (nmap calls this open|filtered for that reason).
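To make the ICMP caveat concrete, here is an added example (not from the original notes) of a single UDP probe and the nmap-style verdict it can honestly support. The host and port are assumptions; the only thing that ever yields "closed" is the kernel surfacing an ICMP port-unreachable as ECONNREFUSED, and silence must be reported as open|filtered, never open.

```python
import errno
import socket

# Added example, not from the original notes. One UDP probe plus the
# classification logic behind nmap's UDP states. Host/port are assumed.

OPEN = "open"                        # the service actually answered
CLOSED = "closed"                    # ICMP type 3 code 3 (port unreachable)
FILTERED = "filtered"                # other ICMP unreachable codes
OPEN_OR_FILTERED = "open|filtered"   # no answer at all: open-and-silent or ICMP dropped

def classify(reply, error):
    """Turn one probe outcome (bytes or None, OSError or None) into a port state."""
    if reply is not None:
        return OPEN
    if isinstance(error, (socket.timeout, TimeoutError)):
        # Silence: either the service ignored our junk payload, or a
        # firewall ate the ICMP error. We cannot tell, so say so.
        return OPEN_OR_FILTERED
    if isinstance(error, OSError):
        if error.errno == errno.ECONNREFUSED:
            return CLOSED
        if error.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return FILTERED
    raise ValueError(f"unexpected probe outcome: {error!r}")

def udp_probe(host, port, payload=b"\x00", timeout=2.0):
    """Send one datagram to host:port and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket is what makes the kernel hand us the ICMP
        # error as ECONNREFUSED on the next recv/send.
        s.connect((host, port))
        s.send(payload)
        try:
            return classify(s.recv(4096), None)
        except OSError as e:
            return classify(None, e)

if __name__ == "__main__":
    # discard port on loopback: usually "closed", since the ICMP error is never filtered locally
    print(udp_probe("127.0.0.1", 9))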
For Windows, we can use Test-NetConnection for port scanning, cop this ps oneliner
nmap
nmap gets its own section because it's so important.
-sS "stealth" SYN scan, not even remotely stealthy anymore but used to be because connections wouldn't be logged if they weren't fully established or something.
-sT 3-way handshake connect scan, useful with "some proxies", also the default when you're not running as root
-sU UDP scan, uses more than the ICMP method to detect ports on a per-port basis (ie SNMP enum for 161). Can be used with other scanning methods
-sC Default scripts
-sn network sweep, ICMP echo, SYN to 443, TCP ACK to 80, ICMP timestamp request
Outputs are -oN/-oX/-oS/-oG: output scan in normal, XML, s|<rIpt kIddi3, and grepable format, respectively, to the given filename; -oA writes all of them at once.
-A: Enable OS detection, version detection, script scanning, and traceroute
--osscan-guess can be used to force nmap to give you OS guesses even if it's not sure
--top-ports=X for X most common TCP ports, which can be found in /usr/share/nmap/nmap-services
-p is used to specify ports, -p- is shorthand for -p 1-65535 and you can also specify ports like -p 22,23,80
--open only open ports
NSE scripts are in /usr/share/nmap/scripts and are run with --script (see help with --script-help)
To add a new script, drop it into the aforementioned dir and run sudo nmap --script-updatedb
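The grepable (-oG) output above is the one you feed into other tooling, so here is an added example (not from the original notes) that parses it into something you can filter, e.g. to pull the hosts with 445 open out of the smb.txt produced in the SMB section below. The sample scan text is constructed, not a real scan.

```python
import re
from collections import defaultdict

# Added example, not from the original notes. Parses nmap -oG output.
# Constructed sample (not a real scan); fields in -oG are tab separated.
SAMPLE_OG = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sS -sV -oG smb.txt 192.168.50.1-254",
    "Host: 192.168.50.10 ()\tStatus: Up",
    "Host: 192.168.50.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)",
    "Host: 192.168.50.11 ()\tStatus: Up",
    "Host: 192.168.50.11 ()\tPorts: 80/open/tcp//http//nginx 1.18.0/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)",
    "# Nmap done -- 254 IP addresses (2 hosts up) scanned",
])

# One entry of the Ports field: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"^(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")

def parse_grepable(text):
    """Return {ip: [port dicts]}; hosts that only have a Status line get []."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # each tab-separated chunk is "Key: value"
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split()[0]          # "192.168.50.10 ()" -> ip only
        hosts.setdefault(ip, [])
        for entry in fields.get("Ports", "").split(", "):
            m = PORT_RE.match(entry.strip())
            if not m:
                continue
            port, state, proto, _owner, service, _rpc, version = m.groups()
            hosts[ip].append({"port": int(port), "state": state, "proto": proto,
                              "service": service, "version": version})
    return dict(hosts)

def hosts_with_open(text, port, proto="tcp"):
    """IPs that expose `port` open, e.g. the list to hand to enum4linux."""
    return sorted(ip for ip, ports in parse_grepable(text).items()
                  if any(p["port"] == port and p["proto"] == proto and p["state"] == "open"
                         for p in ports))

if __name__ == "__main__":
    for ip, ports in parse_grepable(SAMPLE_OG).items():
        print(ip, [(p["port"], p["state"], p["service"]) for p in ports])
    print("SMB candidates:", hosts_with_open(SAMPLE_OG, 445))
```

Note that a host shows up twice in -oG (a Status line and a Ports line), which is why the parser keys on the IP rather than on line order.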
NetBIOS and SMB (139 and 445)
nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254 initial enum
enum4linux -a $ip enumerate SMB, can enum less than -a like just userlist (-U)
sudo nbtscan -r 192.168.50.0/24 for netbios scanning, -r for 137 as origin, a trailing / may be required after the CIDR block (?)
nmap has a bunch of SMB scripts ls -1 /usr/share/nmap/scripts/smb*
net view \\HOST /all to view all SMB shares at \\HOST that are listable
smbclient -L \\\\$ip to connect and list shares; put the share name on the end (smbclient \\\\$ip\\$share) to connect to it
SMTP (25)
nc -nv $ip 25 to connect
on Windows use Test-NetConnection -Port 25 $IP as you expect to check that you can connect
also on Windows, use dism /online /Enable-Feature:TelnetClient to get a telnet client on the box, which you can then use to interact with SMTP and anything else you want to telnet into
VRFY $email to check if an email is registered with the server (probably obvious, don't include domain name)
EXPN can be used to check mailing list membership
SNMP (161)
onesixtyone -c $communities -i $ips where $communities and $ips are files listing communities and IPs
snmpwalk -c $community -v{1,2c,3} -t 10 $ip to query for interesting MIBs, -c is the community, -v is SNMP version, -t is timeout. Put a MIB after that to query it.
typical usage: snmpwalk -c public -v1 -Oa $ip. Warning: this will vomit out a ton of data; again, put a MIB after it to get less data lol
Windows MIBs
1.3.6.1.2.1.25.1.6.0 - System Processes
1.3.6.1.2.1.25.4.2.1.2 - Running Programs
1.3.6.1.2.1.25.4.2.1.4 - Processes Path
1.3.6.1.2.1.25.2.3.1.4 - Storage Units
1.3.6.1.2.1.25.6.3.1.2 - Software Name
1.3.6.1.4.1.77.1.2.25 - User Accounts
1.3.6.1.2.1.6.13.1.3 - TCP Local Ports
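Walking the MIBs above still leaves you with one line per instance, so here is an added example (not from the original notes) that parses snmpwalk output for the process name, process path and user account OIDs and joins the two process tables on their instance index (the trailing number, which is the pid). The walk text is constructed, not from a real host.

```python
import re

# Added example, not from the original notes. Parses snmpwalk output for the
# HOST-RESOURCES / LanManager OIDs listed above.
MIBS = {
    "1.3.6.1.2.1.25.4.2.1.2": "Running Programs",
    "1.3.6.1.2.1.25.4.2.1.4": "Processes Path",
    "1.3.6.1.4.1.77.1.2.25": "User Accounts",
}

# Constructed snmpwalk lines (not a real host). net-snmp prints the root as
# "iso." when no MIB files are loaded, or ".1." with -On; both are handled.
SAMPLE_WALK = r"""
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.812 = STRING: "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.1340 = STRING: "sshd.exe"
iso.3.6.1.2.1.25.4.2.1.4.4 = STRING: ""
iso.3.6.1.2.1.25.4.2.1.4.812 = STRING: "C:\Windows\System32\"
iso.3.6.1.2.1.25.4.2.1.4.1340 = STRING: "C:\Program Files\OpenSSH\"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
"""

# "<root>.<rest of oid> = <TYPE>: <value>"
LINE_RE = re.compile(r'^(?:iso|\.1)\.([\d.]+)\s*=\s*(?:([A-Za-z-]+):\s*)?(.*)$')

def parse_snmpwalk(text):
    """Return {mib name: {instance index: value}} for the OIDs in MIBS."""
    tables = {name: {} for name in MIBS.values()}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = "1." + m.group(1)                 # both spellings start at iso(1)
        value = m.group(3).strip().strip('"')   # drop the STRING quotes
        for prefix, name in MIBS.items():
            if oid.startswith(prefix + "."):
                tables[name][oid[len(prefix) + 1:]] = value
                break
    return tables

def processes(tables):
    """(pid, name, path) triples: the two process tables joined on their index."""
    names, paths = tables["Running Programs"], tables["Processes Path"]
    return sorted((int(idx), name, paths.get(idx, "")) for idx, name in names.items())

def users(tables):
    """Account names from the LanManager user table (index is the encoded name)."""
    return sorted(tables["User Accounts"].values())

if __name__ == "__main__":
    t = parse_snmpwalk(SAMPLE_WALK)
    for pid, name, path in processes(t):
        print(f"{pid:>6}  {path}{name}")
    print("users:", users(t))
```

Pipe a real walk in with snmpwalk -c public -v1 -On $ip 1.3.6.1.2.1.25.4.2.1 | python3 this.py after swapping SAMPLE_WALK for sys.stdin.read(); the join by index is what turns two flat tables into "which binary, from which directory".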