Port and service scanning
Rustscan
rustscan -a ip-address --ulimit 5000 -- -sC -sV -oN nmap/initial | tee ./nmap/rust_initial.txt
rustscan -a ip-address --ulimit 5000 -- -A -oN nmap/initial | tee ./nmap/rust_-A.txt
Nmap
nmap -A -T4 ip-address
nmap -Pn -p- ip-address -oN ./nmap/portsonly
then extract the open ports as a comma-separated list:
grep open ./nmap/portsonly | awk -F/ '{print $1}' ORS=','
nmap -sC -sV -p ports ip-address -oN ./nmap/ports
Web Enumeration
dirsearch
python3 /git/dirsearch/dirsearch.py -u ip-address -e html,php
Gobuster
gobuster dir -u http://ip-address -w wordlist -x extensions -o output.txt
wfuzz (subdomain fuzzing)
wfuzz -c -f sub-fighter -w wordlist -u "http://hostname" -H "Host: FUZZ.hostname" --hc 404 --hw 968
(--hc and --hw hide responses with the given HTTP status code or word count; leave them out for the first scan)
Image Enumeration
Stegcracker
stegcracker image wordlist
Listener
netcat listener
nc -lnvp port
Pwncat
pwncat --config /git/pwncat/data/pwncatrc -l -p 9901
Privilege escalation
Password Hunting
Looking for the word "password" in files on the system:
grep -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
grep -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null
grep -rnw '/' -ie "PASS" --color=always 2> /dev/null
locate password | more
locate pass | more
locate pwd | more
SSH Keys
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
User enumeration
Hostname
whoami
id
Sudo Run Check
sudo -l
User-list
cat /etc/passwd
cut -d: -f1 /etc/passwd
Group list
cat /etc/group
Switch user without password
sudo su -
History check
history