Enumeration

nmap Network discovery

nmap -sn -PE -PA80,22 SUBNET

  • -sn : host discovery only, no port scan (-sP is the deprecated alias of -sn)
  • -PE : ICMP echo probe
  • -PA80,22 : TCP ACK probes to ports 80 and 22 (catches hosts that drop ICMP)

Bash Network discovery

#!/bin/bash
# Ping sweep of 192.168.1.0/24: one echo request per host, launched in parallel,
# printing only the addresses that replied.
for lastOctet in {1..254}; do
    ping -c 1 192.168.1.$lastOctet | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done
wait   # block until every background ping has finished

UDP Scan

  • -sU : scan UDP
  • -sV : fingerprint

Quick UDP Scan (top 200)

nmap --top-ports 200 -sU -sV -oA /tmp/output IP
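The -oA switch above writes three files, including grepable output (/tmp/output.gnmap). The following added parser (not part of the original cheat sheet) turns that .gnmap format into structured records and separates confirmed-open UDP ports from the ambiguous open|filtered ones; the embedded scan output is a constructed sample of what such a run produces.

```python
"""Parse nmap grepable output (.gnmap, produced by -oA/-oG) into structured port records."""
import re
from dataclasses import dataclass

# Constructed sample of the .gnmap file an "nmap --top-ports 200 -sU -sV -oA /tmp/output" run would write
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap --top-ports 200 -sU -sV -oA /tmp/output 10.11.1.8
Host: 10.11.1.8 ()\tStatus: Up
Host: 10.11.1.8 ()\tPorts: 53/open/udp//domain//dnsmasq 2.80/, 123/open|filtered/udp//ntp///, 161/open/udp//snmp//SNMPv1 server; net-snmp SNMPv3 server (public)/\tIgnored State: closed (197)
# Nmap done at Mon Jan  1 10:00:30 2024 -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

@dataclass(frozen=True)
class PortEntry:
    host: str
    port: int
    state: str      # open, closed, filtered, open|filtered ...
    proto: str      # tcp / udp
    service: str    # nmap's service name guess (may be empty)
    version: str    # -sV banner/version string (may be empty)

# Port entries are comma-separated, but a version string may itself contain a comma,
# so split only where the next entry (digits followed by '/') begins.
_PORT_SPLIT = re.compile(r",\s+(?=\d+/)")

def parse_gnmap(text: str) -> list[PortEntry]:
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]              # "Host: 10.11.1.8 ()" -> "10.11.1.8"
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:                  # "Status: Up" lines carry no port data
            continue
        for item in _PORT_SPLIT.split(ports_field[len("Ports: "):]):
            # Layout: port/state/proto/owner/service/rpcinfo/version/
            parts = item.split("/")
            if len(parts) < 7:
                continue                         # malformed entry: skip rather than crash
            version = "/".join(parts[6:]).rstrip("/")   # version may legitimately contain '/'
            entries.append(PortEntry(host, int(parts[0]), parts[1], parts[2], parts[4], version))
    return entries

def open_ports(entries: list[PortEntry], include_ambiguous: bool = False) -> dict[str, list[PortEntry]]:
    """Group confirmed-open ports per host; UDP 'open|filtered' is only included on request."""
    wanted = {"open"} | ({"open|filtered"} if include_ambiguous else set())
    result: dict[str, list[PortEntry]] = {}
    for e in entries:
        if e.state in wanted:
            result.setdefault(e.host, []).append(e)
    return result

if __name__ == "__main__":
    for host, ports in open_ports(parse_gnmap(SAMPLE_GNMAP)).items():
        for p in ports:
            print(f"{host} {p.port}/{p.proto} {p.service} {p.version}")
```

Replace SAMPLE_GNMAP with the contents of /tmp/output.gnmap to process a real scan.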

DNS Scan

Reverse (PTR) lookups across a subnet

dnsrecon -n DNSServer -r SUBNET

HTTP

Test the connection using the host's DNS name as well as its IP address (name-based virtual hosts may serve different content)

Check robots.txt

curl http://10.11.1.8/robots.txt >robots.txt

Directory scan:

dirb http://$target

gobuster dir -u http://$target -w /usr/share/wordlist/dirbuster/directory-list -o output.log -t 50

(gobuster 3.x syntax; older versions take the same options without the dir subcommand)

Check for backup files

e.g. index.bak, index.html~, copy of index.html

nmap --script=http-backup-finder $target

WordPress enumeration

wpscan --url http://example.com/ --enumerate u

SMTP

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1

SSH

User enumeration (CVE-2018-15473)

python ssh-enum.py --port 22 --threads 5 --outputFile ssh_users.txt --outputFormat list --userList list.txt 10.11.1.24

FTP

nmap -sV -Pn -vv -p21 --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 192.168.2.120

SNMP

snmp-check 192.168.2.1 -t 1 -v2c -c public

SMB

nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.2.120

enum4linux -a 192.168.2.120

DNS

Resolve a name using dig

dig @8.8.8.8 google.com

Find the mail servers for a domain

dig @8.8.8.8 google.com -t mx

Zone transfer

dig @192.168.100.2 domain.com.local -t axfr

nslookup (interactive mode), then: ls -d domain.com.local