Port and service scanning

Rustscan 🔗 Link
rustscan ip-address --ulimit 5000 -- -sC -sV -oN nmap/initial | tee r./nmap/rust_initial.txt

rustscan ip-address --ulimit 5000 -- -A nmap/initial | tee ./nmap/rust_-A.txt

Nmap
nmap -A -T4 ip-address

nmap -Pn -p- ip-address -oN .nmap/portsonly
—> cat ./nmap/ports|grep open | awk -F/ '{print $1}' ORS=','

nmap -sC -sV -oN .nmap/ports

Web Enumeration

dirserach🔗 Link
python3 /git/dirsearch/dirsearch.py -u ip-address -e html,php

Gobuster gobuster dir -u http://ip-address -w wordlists -x extentions -o output.txt

wfuzz (Subdomain fuzzering) wfuzz -c -f sub-fighter -w wordlist -u "http://hostname" -H "Host: FUZZ.hostname" --hc 404 --hw 968
(–hc, –hw = exclude commands; for the first scan not needed)

Image Enumeration

Stegcracker🔗 Link
stegcracker image wordlist

Listener

netcat listener nc -lnvp port

Pwncat🔗 Link

pwncat --config /git/pwncat/data/pwncatrc -l -p 9901

Privilege escalation

Password Hunting
Looking for Word Password in Files on system:

grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null

grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null

grep --color=auto -rnw '/' -ie "PASS" --color=always 2> /dev/null

locate password | more

locate pass | more

locate pwd | more

SSH Keys

find / -name authorized_keys 2> /dev/null

find / -name id_rsa 2> /dev/null

User enumeration

Hostname
whoami ; id

Sudo Run Check
sudo -l

User-list
cat /etc/passwd ; cat /etc/passwd | cur -d : -f 1

Group list
cat /etc/group

Switch user without password
sudo su -

History check
history