Penetration Testing

This page is under construction

This page will be moved to https://app.gitbook.com/@j-s-tymchuk/s/penetration-testing-playbook/

Quick Links

Enumeration
Reverse Shells
Buffer Overflow
Passwords
Privilege Escalation
Metasploit

Enumeration

Port Scanning with NMAP

nmap -sC -sV -O -oN nmap.txt [target]
    Default scripts, version detection, OS fingerprinting, with output file
nmap -p- -oN allports.txt [target]
    All TCP ports
nmap -p- -sU [target]
    All UDP ports
nmap smb sweep
nmap
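Added example (not part of this playbook): a small Python parser for the normal-format (-oN) files the scans above write, such as nmap.txt and allports.txt, so the open ports from several scans can be merged into one list. The sample scan text is constructed to mirror what nmap prints; host, port and version values in it are made up.

```python
import re

# Constructed sample of nmap "normal" (-oN) output, shaped like the file
# written by "nmap -sC -sV -O -oN nmap.txt [target]". Values are made up.
SAMPLE_NMAP_TXT = """\
# Nmap 7.80 scan initiated Mon Jan  6 10:00:00 2020 as: nmap -sC -sV -O -oN nmap.txt 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 3.0.3
80/tcp   open     http        Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
161/udp  open     snmp        SNMPv1 server (public)
8080/tcp filtered http-proxy
# Nmap done at Mon Jan  6 10:00:30 2020 -- 1 IP address (1 host up) scanned in 30.00 seconds
"""

# "Nmap scan report for <host>" starts each host block in -oN output.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Port rows look like "80/tcp   open  http    Apache httpd 2.4.29"; the
# VERSION column is only present when -sV identified something.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

def parse_nmap_normal(text):
    """Return {host: [{port, proto, state, service, version}, ...]} from -oN text."""
    results = {}
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results.setdefault(host, [])
            continue
        m = PORT_RE.match(line)
        if m and host is not None:  # skip script output lines such as "|_http-title"
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["version"] = (entry["version"] or "").strip()
            results[host].append(entry)
    return results

def open_ports(results, host, proto=None):
    """Sorted open port numbers for host, optionally limited to 'tcp' or 'udp'."""
    return sorted(e["port"] for e in results.get(host, [])
                  if e["state"] == "open" and (proto is None or e["proto"] == proto))
```

Run parse_nmap_normal over each -oN file and merge the dictionaries to get one port list per host across the default, all-TCP and UDP scans.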

Port 80/443 – HTTP/S & Web Ports

nmap -p 80,443 --script=http-vuln* -oN httpvuln.txt [target]
nmap -p 80,443 --script=http* -oN httpall.txt [target]
nikto -h [target]
gobuster -u http://[target] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster -u https://[target] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
gobuster -u http://[target] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.jsp,.xml,.html
nc [target] 80

Port 139,445 – SMB

Tool Descriptions

  • nmblookup – NetBIOS over TCP/IP client used to look up NetBIOS names.
  • smbclient – an ftp-like client to access SMB shares
  • rpcclient – tool to execute client-side MS-RPC functions
  • enum4linux – enumerates various SMB functions
  • smbmap – shows the shares on the host; if you obtain a username/password, rerun the command with the credential arguments
nmblookup -A [target]
rpcclient -U "" [target]
enum4linux -a [target]
smbclient -L //[target]
smbclient //MOUNT/share -I [target] -N
smbmap -H [target]
smbmap -H [target] -d [domain] -u [user] -p [password]
nmap -p U:139,T:445 --script=smb-vuln* -oN smbvuln.txt [target]
nmap -p U:139,T:445 --script=smb* -oN smbnmap.txt [target]
nmap -p 445 --script=smb-enum-shares --script-args smbuser=username,smbpass=password [target]
nmap -p U:137,T:139 --script=smb-enum-users -oN smbusers.txt [target]

Auxiliary Modules for Metasploit

  • auxiliary/scanner/smb/pipe_auditor
  • auxiliary/scanner/smb/pipe_dcerpc_auditor
  • auxiliary/scanner/smb/smb2
  • auxiliary/scanner/smb/smb_enumshares
  • auxiliary/scanner/smb/smb_enumusers
  • auxiliary/scanner/smb/smb_login
  • auxiliary/scanner/smb/smb_version

Manually Finding Samba Version using NGREP

ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'
smbclient -L [target]
or
enum4linux -a [target]

Port 21 – FTP

nmap -p 21 --script=ftp* -oN ftpnmap.txt [target]
ftp [target]
wget -m --no-passive-ftp ftp://anonymous:anonymous@[target]

Auxiliary Modules for Metasploit

  • auxiliary/scanner/ftp/anonymous
  • auxiliary/scanner/ftp/ftp_login
  • auxiliary/scanner/ftp/ftp_version

Port 161 – SNMP

snmpcheck -t [target] -c public
snmpwalk -c public -v1 [target] 1
snmpenum -t [target]
onesixtyone -c names -i hosts
nmap -sV -p 161 --script=snmp-info [target subnet]/24
ls /usr/share/metasploit-framework/data/wordlists/snmp*

Port 25 – SMTP

nc [target] 25
telnet [target] 25

Port 3306 – SQL