Enumeration

Scans

Initial scan

Kali

nmap -A $VICTIM

Longer scan

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

Even longer scan

Kali

nmap -sC -sV -p- $VICTIM

Scan for vulnerabilities

Change ports to the ports found from previous scans

Kali

nmap -p1,2,3,4 --script=vuln $VICTIM

Ports

TCP/21 - FTP

Common Credentials

Usernames

Passwords

Access FTP

Kali

List files

Kali(ftp)

List files (using Curl)

Kali

Download files

Switch to binary mode and passive mode (an important setting if you're uploading or downloading binary files such as pictures or executables).

Kali(ftp)

Kali(ftp)

Download all files

Kali(ftp)

Download all files to the current directory (using Wget)

Kali

Upload files

If there is also a website being hosted and you can see the try adding a webshell and going to it from the browser.

Kali(ftp)

TCP/22 - SSH

SSH into host

Kali

Check this page for cracking examples

SSH

TCP/25 - SMTP

Kali

Kali

Kali

Kali

Check for vulnerabilities

Kali

Check this page for cracking examples

SMTP

UDP/53 - DNS

Find subdomains

Example

DNS, SMB, and SNMP

UDP/53 - DNS

Kali

TCP/80:443 - HTTP(s)

Web Enumeration

Useful info on how to run a lot of the tools in this section.

Web Enumeration

Info gathering

Check if any pages are listed

Check certificate for hostname. Then add to hosts file.

Examples

Spring

Create wordlist

Create a wordlist from the words found on the target website.

Examples

Password Attacks

Kali

Find Directories

Kali

Kali

Find Pages

Kali

Kali

Kali

Kali

Find pages with certain extensions

Examples

Find pages with certain extensions

Kali

web-extensions.txt

Kali

Find pages and exclude certain extensions

Example

Find pages and exclude certain extensions

Kali

Using filters

Example

Using filters

By adding -fc 403 (filter code) we'll hide from the output all 403 HTTP status codes.

Kali

Use -mc 200 (match code) instead of having a long list of filtered codes.

Kali

We can use a regexp to match all files beginning with a dot.

Kali

Fuzzing parameters

Example

Fuzzing parameters

ffuf allows you to put the keyword anywhere, so we can use it to fuzz for parameters.

Kali

Find Vulnerabilities

Nikto Tuning (-T) Options

Scan for misconfigurations

Scan for SQL injection vulnerabilities.

Authenticated nikto scan

Examples

ToolsRus

Kali

Check for Shellshock

Check for Heartbleed

Fuzzing Subdomains

Example

Fuzzing Domains

Kali

Example

Fuzz Subdomain

Kali

Example

Finding vhosts and subdomains

Kali

Proxifying ffuf traffic

Example

Proxifying ffuf traffic

Kali

It's also possible to send only matches to your proxy for replaying:

Kali

SQLMap

Get information

Can be used to retrieve usernames, passwords, or other information stored in the tables.

Example

SQLExpose

Kali

Get Databases

Examples

OlympusGallery

First capture the request of the page with Burp.

Kali

Get tables

Kali

Get fields for specified table

Kali

Get values of specific fields

Kali

Rescan SQLMap

SQLMap will keep returning the same results if you rerun the same command, even if the target has changed. Remove the cache to resolve this.

Kali

Cookies

Example

Cookies

Get the flag with developer console by checking the cookie.

HTTP Headers

Example

HTTP Headers

Run Web server

Kali

Wordpress

Scan wordpress site

Examples

Retro

Kali

Enumerate wordpress site

Examples

Retro

Wordpress: CVE-2021-29447

Kali

Bruteforce admin page

Kali

.git folder found

Examples

GitDumper

Kali

Jenkins

Reverse Shell

Examples

Jenkins Web

UDP/88 - Kerberos

Username Enumeration

Finds valid users

Examples

Attacktive Directory

Get Ticket

Examples

Attacktive Directory

The hash type is Kerberos 5 etype 23 AS-REP.

TCP/110 - POP3

Logging in with credentials

Examples

TCP/110 - POP3

Check this page for cracking examples

POP3

TCP/135 - RPC

Kali

Login with credentials

Examples

Gatekeeper

Kali

TCP/139 - NetBIOS

Examples

SMB port 139

Enumerate SMB

Kali

Examples

Gatekeeper

VulnNet: Internal

Kali

Examples

Attacktive Directory

Kali

UDP/161 - SNMP

Collect Information

Examples

DNS, SMB, and SNMP

Kali

TCP/389 - LDAP

Enumerating Active Directory

Examples

Enumerating Active Directory

Breaching Active Directory

Examples

Breaching Active Directory

Exploiting Active Directory

Examples

Exploiting Active Directory

Persisting Active Directory

Examples

Persisting Active Directory

TCP/445 - SMB

Scanning

Examples

Basic Pentesting

Kali

Common Credentials

Usernames

List Shares

Option #1

Examples

Gatekeeper

Attacktive Directory

Basic Pentesting

Kali

Option #2

Examples

DNS, SMB, and SNMP

Victim

Download files

Option #1

Kali

Option #2

Kali

Option #3

Kali

Upload files

Option #1

Kali

Detect Vulnerabilities

TCP/667 - IRC

TCP/873 - RSYNC

Check Modules

List files

Example

TCP/873 - RSYNC

Transfer files

Example

TCP/873 - RSYNC

TCP/2049 - NFS

Mount drive

Examples

VulnNet: Internal

Upload id_rsa key to log in

Create mount

Interesting loot to look for

Privilege Escalation

Example of how you can get a root shell. All commands except the last one are run on our Kali machine, where we fully control the permissions. Then we just run the exploit as the normal user we already have access to.

TCP/3306 - SQL

Examples

TCP/3306 - MySQL

Kali(mysql)

TCP/3389 - RDP

Scan

Kali

Login to host

Kali

Kali

Examples

Retro

Blaster

Kali

Kali

TCP/5000 - Docker Registry

Add repositories

Example

The Great Escape

Umbrella

Kali

daemon.json

Kali

Wait 30 seconds

Kali

List repositories

Example

The Docker Rodeo

TCP/5000 - Docker Registry

Umbrella

Kali

Get tags of a repository

Example

The Docker Rodeo

TCP/5000 - Docker Registry

Umbrella

Kali

Get manifests

Example

The Docker Rodeo

TCP/5000 - Docker Registry

Umbrella

Inside the manifest we can find potential credentials.

Kali

Download the Docker image to find info

Example

Download the Docker image we are going to decompile using

Kali

Enter image

Example

The Great Escape

Kali

Uploading Malicious Docker Images

Example

Vulnerability #3: Uploading Malicious Docker Images

Kali

Docker file example

RCE via Exposed Docker Daemon

Example

Vulnerability #4: RCE via Exposed Docker Daemon

Escape via Exposed Docker Daemon

Example

Vulnerability #5: Escape via Exposed Docker Daemon

Shared Namespaces

Example

Vulnerability #6: Shared Namespaces

Misconfigured Privileges

Example

Vulnerability #7: Misconfigured Privileges (Deploy #2)

Privilege Escalation with 2 shells and host mount

Example

Privilege Escalation with 2 shells and host mount

If you have root access inside a container that has a folder from the host mounted, and you have escaped to the host as an unprivileged user with read access to that mounted folder, you can create a SUID bash binary in the mounted folder from inside the container and execute it from the host to escalate privileges.

Victim(root)

Victim(claire-r)

TCP/5327 - Postgres

TCP/5985 - WinRM or wsman

See TCP/5986 - WinRM for WinRM information

TCP/5986 - WinRM

Dump Hashes

Dump the hashes of other users if the user you have access to has the privileges to do so. If so, we can potentially use these hashes with evil-winrm to log in as those other users.

Examples

Attacktive Directory

Kali

Login with found username and password

Examples

Tampering With Unprivileged Accounts

Login with found username and hash

Examples

Attacktive Directory

Windows Local Persistence

TCP/6379 - Redis

Example

TCP/6379 - Redis

Get Users hash

Example

TCP/6379 - Redis

Kali(redis-cli)

Kali

(You can write anything in place of share, the share does not need to exist)

Kali(redis-cli)

TCP/7070 - AnyConnect

Example

Annie

Exploit: https://www.exploit-db.com/raw/49613

For the code above, we just had to change the shellcode and ip variables.

Kali

Kali

TCP/11211 - Memcache

Dump cache

Example

TCP/11211 - Memcache

Victim

TCP/27017 - MongoDB

Example

Road

Find Info in DB

Victim

Victim(mongo)

Knock

Example

The Great Escape

Usually used in CTFs. Knock on certain ports in a specific sequence to open up additional ports.

Kali
