#1: DNS Enumeration

nmap -T4 -sS -p 53 $IP/24

Enumerate ALL DNS records! Maybe hidden hosts in network recon

dig -t all target1 target2 target3 @$DNSSERVER

DNS recon (brute force subdomains):

dnsrecon -d $IP -t brt -D /usr/share/wordlists/dnsmap.txt
dnsenum $DOMAIN
fierce -dns $DOMAIN -wordlist dictionary.txt

Wordlists: https://github.com/rbsec/dnscan

DNS zone transfer

host -la $DOMAIN. $DNSSERVER
perl fierce.pl -dns $DOMAIN. -search $HOST
dig axfr $TARGET @$DNSSERVER
dnsrecon -d $DOMAIN -t axfr

#2: NetBIOS Enumeration

nbtscan -r $IP/24

enum4linux -a $IP

nmblookup -A $IP

#3: SMB / SAMBA Enumeration

nmap --script smb-os-discovery --open -p 139 $IP
nmap --script smb-os-discovery -p 139 --open $IP/24 -oX smb.xml
smbmap.py -H $IP
smbmap.py -H $IP -u Guest -R
smbmap.py -H $IP --upload $FILE $SHARE

Recursive download:

smbget -a smb://$IP/$FILE -R

Enumerate Users:

python /usr/share/doc/python-impacket-doc/examples/samrdump.py $IP

Enumerate shares:

crackmapexec --shares $IP/24

To list shares:

smbclient -L $IP

or,

smbmap -H $IP

To connect to a share (shell style):

smbclient //$IP/wwwroot

#4: RPC over DC Enumeration

Also known as Null Sessions.

rpcclient -U "" -c enumdomusers $IP
rpcclient -U "" $IP -N -c "lsaquery"
rpcclient -U "" $IP -N -c "lookupnames Guest"
rpcclient -U "" $IP -N -c "lookupnames Administrator"

Afterwards check https://github.com/trustedsec/ridenum.git

#5: RPC Enumeration

Look for port 111 rpcbind

rpcinfo $IP

rpcinfo -p $IP

#6: Operating System (OS) Enumeration

xprobe2 $IP

nmap -O $IP

#7: Windows Server Domain Controllers (DC) Enumeration

nmap -sS -T4 -p 3268 --open $IP/24

How to recognize a DC in a windows environment

DC Method 1: Netbios

If port 137 (TCP-UDP) open, a DC uses as a netbios suffixes:

• For unique names: <1B> Domain Master Browser (PDC)

• For group names: <1C> Domain Controllers for a domain

DC Method 2: Global Catalog Service

• Use nmap

• As a Active Directory Server open ports 3268 and 3269 (SSL) for the Global Catalog Service (LDAP protocol).

• Attention: LDAP protocol uses 389 and 636 (SSL).

DC Method #3

From the Windows machine:

echo %logonserver%

nltest /dclist:$DOMAIN

DC Method #4

msf> use post/windows/gather/enum_domain
msf> set SESSION 1
msf> run

#8: HTTP Enumeration

The following tools are useful to enumerate paths and files inside webservers, they operate in a similar way as a web crawler or web spider.

nmap --open -sV -p 80,8080,443,8000 -O $IP/24

Virtual domains

nmap --open --script=hostmap -p 80 $IP

TRACE method:

nmap --open --script=http-trace -p 80 $IP

Enumerate userdir:

nmap --open --script=http-userdir-enum $IP

Nikto scanner:

nikto -host http://$IP

Dirb scanner:

dirb http://$IP

For Wordpress (wpscan):

docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --stealthy --url https://$DOMAIN/
docker run -it --rm wpscanteam/wpscan --url https://$DOMAIN/ --enumerate u

For Joomla:

joomscan http://$IP

Gobuster (https://github.com/OJ/gobuster):

gobuster -u https://$DOMAIN -w /usr/share/dirb/wordlists/common.txt

gobuster -u https://$DOMAIN -c 'session=123456' -t 50 -w /usr/share/dirb/wordlists/common.txt -x .php,.html

Use -k flag to not verify digital certificates in a https session.

#9: WebDAV Enumeration

davtest -cleanup -url http://$IP

cadaver http://$IP
    dav:/> put webshell.txt
    dav:/> copy webshell.txt ws.asp

#10: SNMP Enumeration

nmap -p 161 --script snmp-enum $IP

snmp-check $IP

Very useful:

snmp-check -v2c -c public $IP

python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP $IP

onesixtone -w 0 $IP

For scanning:

onesixtyone -c $COMMUNITY -i $IP_LIST_FILE

For enumeration low level (MIB):

snmpwalk -c public -v1 $IP

SNMP on different port:

snmpwalk -v 2c -c public $IP:666

snmp-check -p 6492 $IP

#11: LDAP Enumeration

ldapwhoami

ldapsearch -H ldap://$IP/

ldapsearch -x -h $IP -s base

#12: SSH Enumeration

TOOLS/enumSSH

nmap --script ssh-hostkey -p 22 --open -sS $IP/24

ssh-keyscan $IP

./TOOLS/ssh-vulnkey $IP TOOLS/ssh-blacklist/blacklist.all

#13: FTP Enumeration

nmap --script=ftp* $IP

#14: SMTP Enumeration

nmap --open --script smtp-enum-users -sS -p 25 -sV $IP/24

#15: TFTP Enumeration

nmap --open -sU -p 69 $IP/24

#16: NFS Enumeration

showmount -e $IP

showmount -a $IP

mount.nfs $IP:$DIR $LOCALDIR

#17: NTP Enumeration

Show clients that have queried this server:

ntpdc -n -c monlist $IP
nmap -sU -p 123 --script=ntp-info $IP

#18: SSL/TLS Enumeration

sslscan $IP

nmap -sV --script ssl-enum-ciphers -p 443 $IP

#19: Redis-server Enumeration

(printf "info\r\n"; sleep 1) | netcat $IP 6379

#20: SSDP server Enumeration

tcpdump -n -A host $IP & perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/$IP/1900

#21: Avahi-daemon / mDNS Enumeration

dig +short -p 5353 -t ptr _services._dns-sd._udp.local @$IP

#22: Mongo Enumeration

mongo --host $IP

#23: RDP Enumeration

Use rdp-sec-check tool: https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl

#24: Memcached Enumeration

echo "stats" | netcat $IP 11211
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u $IP 11211

#25: Elasticsearch Enumeration

echo -ne "GET / HTTP/1.0\r\n\r\n" | netcat $IP 9200

Share