Enumeration

nmap Network discovery

```
nmap -sn -PE -sP -PA80,22 SUBNET
```

Bash Network discovery

```bash
#!/bin/bash
# Ping sweep of 192.168.1.0/24: one echo request per host, all sent in parallel.
# Only the replies ("64 bytes from 192.168.1.x: ...") survive the grep, and the
# two cuts leave just the responding address.
for lastOctet in {1..254}; do
    ping -c 1 192.168.1.$lastOctet | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done
wait   # let the background pings finish before the script exits
```

UDP Scan

  • -sU : scan UDP
  • -sV : fingerprint

Quick UDP Scan (top 200)

```
nmap --top-ports 200 -sU -sV -oA /tmp/output IP
```
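Added example (not from the original page): a parser for the `.xml` file that `-oA /tmp/output` writes, run over a constructed nmap XML fragment (host, ports, products and versions are made up; the `<?xml ?>` and DOCTYPE lines nmap emits are omitted). It separates confirmed `open` UDP ports from the `open|filtered` ones nmap reports whenever a UDP probe simply got no reply, which a firewall dropping packets produces just as well as an open service.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap's XML output for a "-sU -sV" scan (values made up).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap --top-ports 200 -sU -sV -oA /tmp/output 10.0.0.5" version="7.94">
<host>
<status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="udp" portid="53">
<state state="open" reason="udp-response" reason_ttl="64"/>
<service name="domain" product="ISC BIND" version="9.16.1" method="probed" conf="10"/>
</port>
<port protocol="udp" portid="161">
<state state="open|filtered" reason="no-response" reason_ttl="0"/>
<service name="snmp" method="table" conf="3"/>
</port>
<port protocol="udp" portid="123">
<state state="closed" reason="port-unreach" reason_ttl="64"/>
<service name="ntp" method="table" conf="3"/>
</port>
</ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: host, proto, port, state, service, version.

    UDP needs care: "open|filtered" means no reply at all, so the port may be
    open or silently dropped; only "open" (an actual UDP response) is confirmed.
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # product/version are only present when -sV actually fingerprinted the service
            version = ""
            if svc is not None:
                version = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            results.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "confirmed": state == "open",
                "service": name,
                "version": version,
            })
    return results


def confirmed_open(results):
    """Only the ports that actually answered a probe."""
    return [r for r in results if r["confirmed"]]


if __name__ == "__main__":
    # Real use: parse_nmap_xml(open("/tmp/output.xml").read())
    for r in parse_nmap_xml(SAMPLE_NMAP_XML):
        flag = "OPEN " if r["confirmed"] else "?    "
        print(f"{flag}{r['host']}:{r['port']}/{r['proto']} {r['state']} {r['service']} {r['version']}")
```

Feed the `.xml` file rather than the `.nmap` text file into the parser: the XML carries the `reason` attribute as well, which tells you whether an `open|filtered` verdict came from `no-response` and is therefore worth a follow-up with a service-specific probe.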

DNS Scan

Looking for reverse PTR on subnet

```
dnsrecon -n DNSServer -r SUBNET
```

HTTP

Test the connection with the DNS name, not only with the IP address.

check robots.txt

```
curl http://10.11.1.8/robots.txt >robots.txt
```
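Added example (not from the original page): a small robots.txt parser to run over the file the curl above saves, here fed a constructed robots.txt (paths and the sitemap URL are made up). It groups `Allow`/`Disallow` rules per user agent and pulls out the paths the site asks every crawler to stay away from, which is exactly the list worth reviewing on your own site so that a "hidden" admin or backup directory is not advertised in a public file.

```python
# Constructed sample robots.txt (paths are made up for this example).
SAMPLE_ROBOTS = """# robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/
Allow: /public/

User-agent: Googlebot
Disallow: /tmp/

Sitemap: http://example.com/sitemap.xml
"""


def parse_robots(text):
    """Parse robots.txt into ({user_agent: {"allow": [...], "disallow": [...]}}, [sitemaps]).

    A group is one or more consecutive User-agent lines followed by its rules;
    the next User-agent line after a rule starts a new group. Comments begin
    with '#'. An empty 'Disallow:' means "nothing is disallowed" and is skipped.
    """
    groups = {}
    sitemaps = []
    current_agents = []
    expecting_agents = True   # True while consecutive User-agent lines open a group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field = field.strip().lower()
        value = value.strip()
        if field == "sitemap":
            sitemaps.append(value)
        elif field == "user-agent":
            if not expecting_agents:
                current_agents = []
                expecting_agents = True
            current_agents.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow"):
            expecting_agents = False
            if value:
                for agent in current_agents:
                    groups[agent][field].append(value)
    return groups, sitemaps


def hidden_paths(text):
    """Paths the site asks every crawler not to index: review these for sensitive content."""
    groups, _ = parse_robots(text)
    return groups.get("*", {}).get("disallow", [])


if __name__ == "__main__":
    # Real use: hidden_paths(open("robots.txt").read())
    for path in hidden_paths(SAMPLE_ROBOTS):
        print("disallowed for all agents:", path)
```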

Directory scan:

```
dirb http://$target
```

```
gobuster -u http://$target -w /usr/share/wordlist/dirbuster/directory-list -o output.log -t 50
```

Check backup file

e.g. index.bak, index.html~, copy of index.html

```
nmap --script=http-backup-finder $target
```
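Added example (not from the original page): the server-side counterpart of the check above. Instead of probing a host for backup copies, it walks a document root on the server and lists files whose names look like editor or manual backups, so they can be removed or blocked before a scanner finds them. The three patterns from the page (`.bak`, `~`, `copy of`) are extended with a few further suffixes and prefixes that are this example's own assumptions; the sample webroot is built in a temporary directory with constructed file names.

```python
import os
import shutil
import tempfile

# From the page: index.bak, index.html~, "copy of index.html".
# The remaining suffixes/prefixes are assumptions generalising those three.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")
BACKUP_PREFIXES = ("copy of ", "copy_of_", "#")


def is_backup_name(name):
    """True if a file name matches one of the backup-style patterns (case-insensitive)."""
    lower = name.lower()
    return lower.endswith(BACKUP_SUFFIXES) or lower.startswith(BACKUP_PREFIXES)


def find_backup_files(webroot):
    """Walk a document root and return backup-looking files, relative to it, sorted."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        for f in files:
            if is_backup_name(f):
                found.append(os.path.relpath(os.path.join(dirpath, f), webroot))
    return sorted(found)


def build_sample_webroot():
    """Create a throwaway directory with constructed files (for the demo and the test)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in ["index.html", "index.bak", "index.html~", "copy of index.html",
                "css/style.css", "inc/config.php", "inc/config.php.old"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    # Real use: find_backup_files("/var/www/html")
    root = build_sample_webroot()
    try:
        for rel in find_backup_files(root):
            print("backup-style file served from webroot:", rel)
    finally:
        shutil.rmtree(root)
```

Run it on the actual document root (or add it to a deployment check): anything it lists is either to be deleted or to be matched by a web-server rule that refuses to serve it.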

WordPress enumeration

```
wpscan --url http://example.com/ --enumerate u
```

SMTP

```
nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
```

SSH

User enumeration (CVE-2018-15473)
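Added example (not from the original page and not the attached ssh-enum.py): an inventory-side triage that parses SSH identification banners and flags the upstream versions NVD lists as affected by CVE-2018-15473 ("OpenSSH through 7.7", so 7.8 and later are treated as fixed here). The banners below are constructed. Distributions backport fixes without changing the advertised version, so a banner match is a prompt to check the package changelog, not proof that the host is exposed.

```python
import re

# NVD describes CVE-2018-15473 as affecting "OpenSSH through 7.7";
# versions below this tuple are treated as within the affected range.
FIXED_IN = (7, 8)

# "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2" -> proto 2.0, major 7, minor 9
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")


def parse_openssh_banner(banner):
    """Return (major, minor) from an SSH identification string, or None if it is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return int(m.group("major")), int(m.group("minor"))


def banner_in_affected_range(banner):
    """True if the advertised upstream version is in NVD's affected range, None if not OpenSSH.

    Caveat: a backported fix leaves the banner unchanged, so treat True as
    "verify the package version", not as a confirmed vulnerability.
    """
    ver = parse_openssh_banner(banner)
    if ver is None:
        return None
    return ver < FIXED_IN


# Constructed banners for the demo (hosts and versions are made up).
SAMPLE_BANNERS = {
    "10.0.0.10": "SSH-2.0-OpenSSH_7.4",
    "10.0.0.11": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2",
    "10.0.0.12": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    "10.0.0.13": "SSH-2.0-dropbear_2019.78",
}


def triage(banners):
    """Map host -> True (in affected range) / False (newer) / None (not OpenSSH)."""
    return {host: banner_in_affected_range(b) for host, b in banners.items()}


if __name__ == "__main__":
    # Real use: read banners collected by "nmap -sV -p 22" or from your asset inventory.
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(host, {True: "check package for CVE-2018-15473 fix", False: "newer than 7.7", None: "not OpenSSH"}[verdict])
```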


Attachment: [ssh-enum.py](/enumeration/_index.files/ssh-enum.py) (6 KB)

# FTP

```
nmap -sV -Pn -vv -p21 --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 192.168.2.120
```

SNMP


# SMB

```
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.2.120
```


# DNS

## Enumeration

```
sublist3r -d domainname
```

Resolve an IP using DIG


## Find Mail servers for a domain

```
dig @8.8.8.8 google.com -t mx
```

Zone Transfer

In nslookup's interactive mode (the `ls` subcommand exists in the Windows nslookup, not in the BIND one):

```
nslookup
> ls -d domain.com.local
```



# MySQL

```
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306
```