From 8c1ce1f35f08ff58e988e7941016a8d53c63e920 Mon Sep 17 00:00:00 2001 From: Phil Date: Fri, 24 Dec 2021 13:39:21 +0000 Subject: [PATCH] Added netdiscover --- README.md | 72 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 39 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index f051bf0..5c78b5c 100644 --- a/README.md +++ b/README.md @@ -5,11 +5,6 @@ ### enumeration -* Passive Recon - * Shodan - * Wayback Machine - * The Harvester - * Active Recon * Nmap * Masscan @@ -17,6 +12,11 @@ * RPCClient * Enum4all +* Passive Recon + * Shodan + * Wayback Machine + * The Harvester + * List all the subdirectories and files * Gobuster * Backup File Artifacts Checker @@ -30,46 +30,49 @@ -* Basic Scan -``` -sudo nmap -sSV -p- IP -oA nmap/initial -T4 -sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv -``` - * -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports - * -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000) - * -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE" - * -iL INPUTFILE tells Nmap to use the provided file as inputs +##### Nmap - -* CTF Scan ``` nmap -sV -sC -oA nmap/basic IP -``` - * -sV : Probe open ports to determine service/version info - * -sC : to enable the script - * -oA : to save the results -After this quick command you can add "-p-" to run a full scan while you work with the previous result -``` -nmap -sV -sC -oA -p- nmap/initial IP +nmap [Scan Type] [Options] {target specification} ``` -* Aggressive Nmap -``` -nmap -A -T4 scanme.nmap.org -``` - * -A: Enable OS detection, version detection, script scanning, and traceroute - * -T4: Defines the timing for the task (options are 0-5 and higher is faster) +* HOST DISCOVERY: + - -sL: List Scan - simply list targets to scan + - -sn/-sP: Ping Scan - disable port scan + - -Pn: Treat all hosts as online -- skip host discovery +* SCAN TECHNIQUES: + - -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans + - -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans -* Masscan +* PORT SPECIFICATION: + - -p : Only scan specified ports + - Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 + +* SERVICE/VERSION DETECTION: +-sV: Probe open ports to determine service/version info + +* OUTPUT: +-oN/-oX/-oS/-oG : Output scan in normal, XML,Output in the three major formats at once +-v: Increase verbosity level (use -vv or more for greater effect) + +* MISC: -6: Enable IPv6 scanning -A: Enable OS detection, version detection, script scanning, and traceroute + +##### Masscan ```bash masscan IP -p 1-65535 --rate 100 -oX masscan.xml ``` +##### Netdiscover -* Using DirBuster or GoBuster +```` +netdiscover -i +``` + +##### DirBuster / GoBuster ```bash ./gobuster -u http://buffered.io/ -w /secondary/wordlists/more-lists/dirb/ -t 10 @@ -328,6 +331,7 @@ This is the most popular method for spawnings a tty shell. The target server sho | * From within vi: | :!bash , :set shell=/bin/bash:shell | | * From within nmap: | !sh | + - To make the Shell Usable: ``` Ctrl+Z stty raw -echo @@ -335,7 +339,7 @@ fg export TERM=xterm ``` -## Stage 3 +## Stage 3 - Post Exploitation ### Lets Have a Look Around @@ -348,12 +352,14 @@ export TERM=xterm |Windows x86 | https://github.com/carlospolop/PEASS-ng/raw/master/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe | * GTFObins + > https://gtfobins.github.io/ + * Linux Tools | | Command| |---|--------| -| SUID | find / -type f -user root -perm -4000 2>/dev/null| +| SUID | find / -type f -user root -perm -4000 2>/dev/null |