🔭 Reconnaissance and Initial Access

Passive Enum

whois

whois $domain -h $ip

Google Dorking

site, intext, inurl, intitle, filetype

google hacking database

Shodan

Filter Reference

API Reference (python module sucks last I used it, use requests)

http.favicon.hash - mm3 hash of the base64 encoding of the favicon (very fun!). Here are some pre-hashed ones for your enjoyment.

import mmh3    # pip install mmh3 (the package is mmh3, not mm3h)
import codecs

with open('favicon.ico', 'rb') as f:
    # Shodan hashes the base64 text *with* the 76-column line breaks that the
    # 'base64' codec inserts; base64.b64encode() (no newlines) gives a different hash.
    h = mmh3.hash(codecs.encode(f.read(), 'base64'))
# h is a signed 32-bit int, usable directly as http.favicon.hash:<h>

Greynoise

Not really Enum, to be moved

Search Cheatsheet

Misc Passive and Semi-passive tools

securityheaders.com and ssltest

urlscan.io

crt.sh - certificate search

Active Enum

ARP scanning

sudo arp-scan --interface=XXX 192.168.0.0/24 to scan that /24 on interface XXX (usually eth0); you can also just use --localnet instead to generate the address range from your interface configuration.

sudo netdiscover -r 192.168.0.0/24 to scan that /24; it has a fancier interface than arp-scan.

SSH

Just try to ssh into it; if it's real old or something you can manually specify kex, cipher and host key with -oKexAlgorithms=+{kex}, -c {cipher} and -oHostKeyAlgorithms=+{host_key} respectively. You might get a banner or something, not usually very useful for now.

DNS

host is used to go from domain name to ip, specify type with -t (default is A)

dnsrecon is a python script, -d for domain and -t for recon type from the following

std:      SOA, NS, A, AAAA, MX and SRV.
rvl:      Reverse lookup of a given CIDR or IP range.
brt:      Brute force domains and hosts using a given dictionary.
srv:      SRV records.
axfr:     Test all NS servers for a zone transfer.
bing:     Perform Bing search for subdomains and hosts.
yand:     Perform Yandex search for subdomains and hosts.
crt:      Perform crt.sh search for subdomains and hosts.
snoop:    Perform cache snooping against all NS servers for a given domain, testing
          all with file containing the domains, file given with -D option.
tld:      Remove the TLD of given domain and test against all TLDs registered in IANA.
zonewalk: Perform a DNSSEC zone walk using NSEC records.

DNS brute force dnsrecon -d $domain -D $list -t brt

dnsenum is better though, just pass it the domain like dnsenum $domain

In πŸ…±οΈindows we can use nslookup to do the same as host, use -type={TXT,MX,etc} for other types and specify the dns server after the domain to use a specific one! IE nslookup -type=MX $domain $dns_server

Port Scanning

nc is awesome, as we all know, and you can actually do a port scan with it

nc -nvv -w 1 -z $ip $port_lower-$port_upper

-w is timeout, -z specifies zero I/O, -n and -vv are numeric IPs and extra verbosity respectively. -u can also be used for UDP, -i is the delay interval.

Important UDP scanning detail: ICMP control messages (port unreachable) are what tell you a port is closed, so if a firewall filters them, closed ports will be reported as open.

For πŸ…±οΈindows, we can use Test-NetConnection for port scanning, cop this ps oneliner

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null

nmap

nmap gets its own section because it's so important.

-sS "stealth" SYN scan, not even remotely stealthy anymore but used to be because connections wouldn't be logged if they weren't fully established or something.

-sT 3-way handshake connect scan, useful with "some proxies", also the default

-sU UDP scan, uses more than the ICMP method to detect ports on a per-port basis (ie SNMP enum for 161). Can be used with other scanning methods

-sC Default scripts

-sn network sweep, ICMP echo, SYN to 443, TCP ACK to 80, ICMP timestamp request

Outputs are -oN/-oX/-oS/-oG: output scan in normal, XML, s|<rIpt kIddi3, and grepable format, respectively, to the given filename, and -oA for all of them.

-A: Enable OS detection, version detection, script scanning, and traceroute

--osscan-guess can be used to force nmap to give you OS guesses even if it's not sure

--top-ports=X for X most common TCP ports, which can be found in /usr/share/nmap/nmap-services

-p is used to specify ports, -p- is shorthand for -p 1-25565 and you can also specify ports like -p 22,23,80

--open only open ports

NSE scripts are in /usr/share/nmap/scripts and are run with --script (see help with --script-help)

To add a new script, drop it into the aforementioned dir and run sudo nmap --script-updatedb

NetBIOS and SMB (139 and 445)

nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254 initial enum
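As an added example (not from the original notes), a small Python parser for the -oG grepable output that command writes to smb.txt, so the "which hosts actually have 445 open" question can be answered without eyeballing the file. The sample scan output is constructed here; IPs and the hostname are made up.

```python
import re

# Constructed sample of nmap -oG output (not a real scan). Fields within a
# "Host:" line are tab-separated; the Ports field holds comma-separated
# port/state/protocol/owner/service/rpc info/version/ entries.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254
Host: 192.168.50.21 ()\tStatus: Up
Host: 192.168.50.21 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.50.22 (fileserver.lab)\tStatus: Up
Host: 192.168.50.22 (fileserver.lab)\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (0)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 254 IP addresses (2 hosts up) scanned in 5.12 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and blanks
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue  # "Status:" / "Ignored State:" fields carry no port data
            for spec in field[len("Ports:"):].strip().split(", "):
                parts = spec.split("/")
                entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp"):
    """IPs where port/proto is reported 'open' (what nmap --open would have kept)."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p == port and st == "open" and pr == proto
                         for p, st, pr, _ in h["ports"]))


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    print("SMB hosts:", hosts_with_open_port(scan, 445))
```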

enum4linux -a $ip enumerate SMB, can enum less than -a like just userlist (-U)

sudo nbtscan -r 192.168.50.0/24 for netbios scanning, -r for 137 as origin, a trailing / may be required after the CIDR block (?)

nmap has a bunch of SMB scripts ls -1 /usr/share/nmap/scripts/smb*

net view \\HOST /all to view all SMB shares at \\HOST that are listable

smbclient -L \\\\{IP} to connect and list shares, add on the share name to connect to it

SMTP (25)

nc -nv $ip 25 to connect

on πŸ…±οΈindows use Test-NetConnection -Port 25 $IP as you expect to check that you can connect

also on πŸ…±οΈindows, use dism /online /Enable-Feature:TelnetClient to get a telnet client on the box, which you can then use to interact with SMTP and anything else you want to telnet into

VRFY $email to check if an email is registered with the server (probably obvious, don't include domain name)

EXPN can be used to check mailing list membership

SNMP (161)

onesixtyone -c $community -i $ips where $community and $ips are files listing communities and IPs

snmpwalk -c $community -v{1,2c,3} -t 10 $ip to query for interesting MIBs, -c is the community, -v is SNMP version, -t is timeout. Put a MIB after that to query it.

typical usage: snmpwalk -c public -v1 -Oa $ip warning this will vomit out a ton of data, again put a MIB after to get less data lol

Windows MIBs

MIB                       Description
1.3.6.1.2.1.25.1.6.0      System Processes
1.3.6.1.2.1.25.4.2.1.2    Running Programs
1.3.6.1.2.1.25.4.2.1.4    Processes Path
1.3.6.1.2.1.25.2.3.1.4    Storage Units
1.3.6.1.2.1.25.6.3.1.2    Software Name
1.3.6.1.4.1.77.1.2.25     User Accounts
1.3.6.1.2.1.6.13.1.3      TCP Local Ports 🔥