Enumeration

nmap Network discovery

nmap -sn -PE -sP -PA80,22 SUBNET

Bash Network discovery

#!/bin/bash
# Ping sweep of 192.168.1.0/24: one echo request per host, sent in parallel,
# printing only the addresses that answered.
for lastOctet in {1..254}; do
    ping -c 1 192.168.1.$lastOctet | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done
wait   # let the background pings finish before the script exits

UDP Scan

  • -sU: UDP scan
  • -sV: service fingerprinting (version detection)

Quick UDP Scan (top 200)

nmap --top-ports 200 -sU -sV -oA /tmp/output IP
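
The -oA option writes the results in three formats; the greppable one (/tmp/output.gnmap) is the easiest to post-process. The following is an added example, not part of the original cheat sheet: a small Python parser that pulls the open ports per host out of a .gnmap file, with the option of keeping the ambiguous open|filtered answers that UDP scans produce. The sample .gnmap content is constructed, not a real scan.

```python
"""Parse nmap greppable output (.gnmap, as written by -oA) into open ports per host."""
import re
from collections import defaultdict

# Constructed sample of a .gnmap file (not a real scan result).  Fields on a
# "Host:" line are tab-separated; each port entry is
# port/state/protocol/owner/service/rpc_info/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap --top-ports 200 -sU -sV -oA /tmp/output 10.11.1.8
Host: 10.11.1.8 ()\tStatus: Up
Host: 10.11.1.8 ()\tPorts: 53/open/udp//domain//ISC BIND 9.4.2/, 123/open|filtered/udp//ntp///, 161/open/udp//snmp//SNMPv1 server (public)/, 500/closed/udp//isakmp///\tIgnored State: closed (196)
# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

PORT_RE = re.compile(r"^(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/$")


def parse_gnmap(text, states=("open",)):
    """Return {host: [(port, proto, service, version), ...]} for ports whose
    state is in `states`.  Pass states=("open", "open|filtered") to also keep
    UDP ports that never answered: without a banner nmap cannot tell a silent
    service from a filtered port, so they deserve a second look."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]          # "Host: 10.11.1.8 ()" -> "10.11.1.8"
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                m = PORT_RE.match(entry.strip())
                if not m:
                    continue                 # not a port entry; skip silently
                port, state, proto, service, version = m.groups()
                if state in states:
                    results[host].append((int(port), proto, service, version))
    return dict(results)


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP, states=("open", "open|filtered")).items():
        for port, proto, service, version in ports:
            print(f"{host} {port}/{proto} {service} {version}".rstrip())
```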

DNS Scan

Look for reverse (PTR) records on a subnet

dnsrecon -n DNSServer -r SUBNET

HTTP

Test the connection using the host's DNS name

Check robots.txt

curl http://10.11.1.8/robots.txt >robots.txt

Directory scan:

dirb http://$target

gobuster -u http://$target -w /usr/share/wordlist/dirbuster/directory-list -o output.log -t 50

Check backup file

e.g. index.bak, index.html~, "copy of index.html"

nmap --script=http-backup-finder $target

WordPress enumeration

wpscan --url http://example.com/ --enumerate u

SMTP

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1

SSH

User enumeration (CVE-2018-15473)

python ssh-enum.py --port 22 --threads 5 --outputFile ssh_users.txt --outputFormat list --userList list.txt 10.11.1.24

Attachment: ssh-enum.py (/enumeration/_index.files/ssh-enum.py, 6 ko)

FTP

nmap -sV -Pn -vv -p21 --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 192.168.2.120

SNMP

snmp-check 192.168.2.1 -t 1 -v2c -c public

SMB

nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.2.120

enum4linux -a 192.168.2.120

DNS

Enumeration

sublist3r -d domainname

Resolve a hostname to an IP using dig

dig @8.8.8.8 google.com

Find Mail servers for a domain

dig @8.8.8.8 google.com -t mx

Zone Transfer

dig @192.168.100.2 domain.com.local -t axfr

nslookup (interactive mode): ls -d domain.com.local

dnsrecon -a -d zonetransfer.me

MySQL

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306