Host Discovery & Reconnaissance
Host Discovery
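# Initial host discovery: ping sweep of the /24 (no port scan) with
# greppable output so the live hosts can be parsed below.
# Hosts that drop the ping probes will not appear; fall back to -Pn
# scanning of the range if the list looks too short.
nmap -sn <IP>/24 -oG hosts.gnmap
# Export live hosts into a hostlist. gnmap host lines look like
# "Host: 10.0.0.1 ()  Status: Up", so anchor on the Status field rather
# than a bare "Up" (which could match a hostname) and take column 2.
awk '/Status: Up/ {print $2}' hosts.gnmap > hosts.txt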
Reconnaissance
Port Scanning
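# Full TCP port scan of every live host. SYN scan (-sS) needs root; -Pn
# skips host discovery, -n skips DNS. --min-rate 5000 is fast but noisy
# and can drop results on fragile links - lower it if ports go missing.
sudo nmap -sS -p- --open -Pn -n --min-rate 5000 -iL hosts.txt -oN ports.txt
# Parse the open ports into nmap's -p<ports> format (e.g. 22,80,443).
# -oN port lines start with a digit ("22/tcp open ssh"); headers do not.
# tr needs a non-empty source set - a space, since xargs joins with spaces.
# This is the union over all hosts, so the follow-up scan probes every
# host on every port seen anywhere.
grep '^[0-9]' ports.txt | cut -d '/' -f1 | sort -nu | xargs | tr ' ' ','
# Service/version detection plus default NSE scripts on the open ports only
nmap -sCV --open -Pn -p<ports> -iL hosts.txt -oN scan.txt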
FTP Enumeration
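# Nmap FTP enumeration. Quote the glob so the shell cannot expand it
# against files in the current directory. Note that ftp* also selects
# ftp-brute, which is noisy and can lock accounts; use
# --script="ftp-anon,ftp-syst" when only passive checks are wanted.
nmap -p21 --script="ftp*" <IP>
# FTP anonymous login: at the Name prompt enter "anonymous"; the password
# can be left blank (some servers expect an e-mail address instead).
ftp <IP>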
SSH Enumeration
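# Nmap SSH enumeration: accepted auth methods (tells you whether password
# auth is enabled), host key, and the offered key-exchange/cipher/MAC
# algorithms. The script list is passed with a single --script= option.
nmap -p22 --script="ssh-auth-methods,ssh-hostkey,ssh2-enum-algos" <IP>
# SSH login
ssh <USER>@<IP>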
HTTP Enumeration
# Nmap web enumeration: http-enum against the common HTTP ports
nmap -p80,8080,8000 --script=http-enum <IP>
# Fingerprint the web stack (server, frameworks, CMS) with WhatWeb
whatweb <IP:PORT>
# Directory brute-force with Gobuster using the SecLists raft medium wordlist
gobuster dir -u http://<IP>:<PORT>/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-words.txt
SMB Enumeration
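# List the shares offered to a null (anonymous) session
smbclient -L //<IP>/ -N
# Full enumeration (users, groups, shares, password policy) with enum4linux
enum4linux <IP>
# SMB login brute-force with CrackMapExec. Read the lockout policy first
# (enum4linux prints it): a wordlist run against domain accounts will lock
# them out. --continue-on-success keeps testing after the first valid pair.
crackmapexec smb <IP> -u <users.txt> -p <pass.txt> --continue-on-success
# Same, and list the shares each valid login can reach
crackmapexec smb <IP> -u <users.txt> -p <pass.txt> --shares
# Check whether the host is vulnerable to MS17-010 (EternalBlue); the
# script talks SMB, so target 445 (plus 139 for legacy NetBIOS hosts)
nmap -p139,445 --script=smb-vuln-ms17-010 <IP>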
MySQL Enumeration
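# Enumerate MySQL with nmap using the mysql-* scripts (mysql-info,
# mysql-enum, mysql-empty-password, ...). ms-sql-* targets Microsoft SQL
# Server, not MySQL. Quote the glob so the shell leaves it alone; mysql*
# also includes mysql-brute, so narrow the list if brute-forcing is unwanted.
nmap -p3306 --script="mysql*" <IP>
# Log in with the mysql client. -p with no value prompts for the password,
# keeping it out of shell history and `ps`.
mysql -u <user> -p -h <IP>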
RDP Enumeration
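# Log in with xfreerdp (/u: user, /p: password, /v: target host).
# The password passed via /p: lands in shell history and is visible in
# `ps`; omit /p: to be prompted for it interactively instead.
xfreerdp /u:<username> /p:<password> /v:<IP>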
WinRM Enumeration
# Open a remote PowerShell session over WinRM (5985/5986) with Evil-WinRM
# (-H <NTLM hash> can replace -p for pass-the-hash)
evil-winrm -i <IP> -u <username> -p <password>
NFS Enumeration
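# List the NFS exports and the clients allowed to mount them
showmount -e <IP>
# Mount an export on a scratch directory (mkdir -p tolerates a re-run).
# If the export is configured with no_root_squash, local root can read and
# write any file on it as root; unmount when done: sudo umount /tmp/nfs
mkdir -p /tmp/nfs
sudo mount -t nfs <IP>:/<share> /tmp/nfs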