Recon

#common vulnerable ports to scan 

UDP Ports: 53,69,111,161,500,623,2049

TCP Ports: 21,22,23,25,53,80,81,88,110,111,123,137-139,161,389,443,445,500,512,513,548,623-624,1099,1241,1433-1434,1521,2049,2483-2484,3268,3269,3306,3389,4333,4786,4848,5432,5800,5900,5901,6000,6001,7001,8000,8080,8181,8443,10000,16992-16993,27017,32764

#masscan against targets

masscan -p <ports> --open --banners -oG output.txt -iL targets.txt

#Nmap on:

  1. TCP + UDP

  2. Common ports first --> then ALL ports

  3. Enumerate versions

  4. Enumerate OSs

  5. Vuln scan

  6. NSE scans

  7. Run nmapAutomator in the background with "all" flag

#Enumerate HTTP-HTTPS with nmap and Aquatone

cat scans/nmap-tcp.xml | aquatone -nmap -ports xlarge -out aquatone

#wafw00f | check if WebApp is behind a firewall

wafw00f countrygarden.com.cn

#host,whois,dig,nslookup....

#Sn1p3r

#run on background and check output after you are done with manual  enum

sniper -t example.com -m stealth -o -re

#Nuclei 

#Run nuclei against webapp, run vanilla then try custom modules

sudo nuclei -u https://example.com

sudo nuclei -u https://example.com -t vulnerabilities/wordpress

#OWASP ZAP

#Good all round scan against webapp, takes a while to complete 
 so start and let run on background

#TCPDump save packet capture

tcpdump -i <interface> -s0 -w pcapfile.pcap

#Ctrl-C to stop after about 5 minutes. Replay capture and look for interesting protocols:

tcpdump -r pcapfile.pcap not <host IP address> and not arp

#DNS enum

#NMAP
sudo nmap --script dns-nsid 10.10.10.10

#DIG
dig ANY @<DNS_IP> <DOMAIN>     #Any information

#nslookup

nslookup
> SERVER <IP_DNS> #Select dns server
> 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe...
> <IP_MACHINE> #Reverse lookup of a machine, maybe...

#Metasploit
auxiliary/gather/enum_dns #Perform enumeration actions

#DNSRecon Subdomains reverse brute Force
dnsrecon -r 127.0.0.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
dnsrecon -r 127.0.1.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>   #DNS reverse of all of the addresses

#subdomains bruteforce
dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>
dnscan -d <domain> -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan

#Active Directory Servers DNS enum
dig -t _gc._tcp.target.domain.com
dig -t _ldap._tcp.target.domain.com
dig -t _kerberos._tcp.target.domain.com
dig -t _kpasswd._tcp.target.domain.com
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"

#Fierce
fierce -d target.com

#Amass
amass -ip -active -d target.com

#Responder LLMNR / NBTNS

./Responder.py -I <interface> -A
sudo responder 192.168.12.139 -I eth0 -wd

#Enumerate AD naming context

ldapsearch -x -s base namingcontexts -H ldap://<host>

#Locate AD domain controllers

First you'll need the domain name. You should be able to find that 
in the tcpdump output. Next, run:

nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g' > domaincontrollers.out

#Null session enum

ldapsearch -h <DC IP> -x -b "DC=example,DC=local"

#############################################################################
If you get usernames, run Impacket GetNPUsers.py on them and crack any hashes 
that you get. This script will attempt to list and get TGTs for those users that 
have the property 'Do not require Kerberos preauthentication' set 
UF_DONT_REQUIRE_PREAUTH). 
For those users with such configuration, a John The Ripper output will 
be generated so you can send it for cracking.

#ASREPRoasting

GetNPUsers.py [Domain Name]/ -dc-ip [DC IP address] -request

#Kerberoasting

GetUserSPNs.py -request -save -dc-ip <IP> domain/user

PreviousRules of engagementNextSocial Engineering

Last updated