Penetration Testing Notes

Second brain for hackers

always set IP in your env

export IP=<target ip>

Initial Enumeration

Nmap

If you looking for nmap script in Kali Linux:

/usr/share/nmap/script

Fast Scan

nmap -p- --min-rate 10000 $IP

Full TCP Scan

save the output to all_tcp_port

nmap -sC -sV -p- -Pn -oA all_tcp_port_$IP $IP --open -v

UDP Scan

nmap -sU -sV --version-intensity 0 -n -T4 -oA udp_port $IP

So many port available? scan with this

nmap -p- --script "vuln and safe" -Pn -n $IP

OS Enumeration

nmap -v --script=smb-os-discovery -p T:139,445 $IP

Nmap Over Proxy

// check the port

proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP -v

// more scan
proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP -v -sC -sV -p<port>

Well Known Ports

http://www.onepage.co.kr/wordpress/index.php/2015/12/22/well-known-ports/

DNS Enumeration

Find IP Address

host $URLh
host -t mx $URL
host -t txt $URL

Brute Force

# sub domain
for sub in $(cat list.txt); do host $sub.example.com; done

# reverse lookup IP address
for ip in $(seq 50 100); do host 10.10.10.$ip; done |grep -v "not found"

DNS Zone Transfer

# check the dns server first
host -t ns example.com | cut -d " " -f 4

# then check the sub domain from that dns server address
#host -l <domain name> <dns server address>  
host -l example.com ns1.example.com

Bash script for DNS zone transfer, save to dns-axfr.sh, then run with this command ./dns-axfr.sh example.com

#!/bin/bash

domain=$1
if [ -z "$domain" ]
then
echo "Usage : $0 <domain>"

exit 0
fi

for server in `host -t ns $domain |cut -d " " -f 4`
do

host -l $domain $server |grep "has address"
done

Another simple way using DNSRecon

# query the DNS Zone Transfer
dnsrecon -d <domain> -t axfr

# brute force sub domain with dnsrecon
dnsrecon -d <domain> -D ./list.txt -t brt

Passive Enumeration

Whois

https://whois.domaintools.com/

other whois --> whois.arin.net

whois <domain>
whois <ip>

Google Dorking

site:example.com filetype:php -filetype:html intitle: "index of" "parent directory"

more information about google dorking:

OffSec’s Exploit Database Archivewww.exploit-db.com

Netcraft

https://searchdns.netcraft.comsearchdns.netcraft.com

Recon-ng

GitHub - lanmaster53/recon-ng: Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.GitHub

recon/domains-hosts/google_site_web and recon/hosts-hosts/resolve

Open-Source Code

search on github filename:users filename:config

automated tools --> gitrob, gitleaks, or recon-ng (with modules) this automated tools are based on regex, entropy for search userful information.

gitleaks ./gitleaks-linux-amd64 -v -r=https://github.com/

Shodan

What Is Shodan? How to Use It & Stay Protected in 2026SafetyDetectives

search

hostname: port:"22"

Security Headers Scanner

https://securityheaders.com/ (scan with this)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Pastebin

https://pastebin.com/

Email harvesting

GitHub - laramies/theHarvester: E-mails, subdomains and names Harvester - OSINTGitHub

theharvester -d -b google

-b : data source

Password Dumps

Have I Been Pwned: Who's Been PwnedHave I Been Pwned

Social Searcher - Free Social Media Search Enginewww.social-searcher.com

Keywords Search

twitter: https://digi.ninja/projects/twofi.php

linkedin: linkedin2username

GitHub - initstring/linkedin2username: OSINT Tool: Generate username lists for companies on LinkedInGitHub

Still stuck? go here if you get stuck in your mind

Stack Overflow

search a question related with company. You can search for a user who work at the target company an look at their questions about code or software error.

OSINT Framework

go here if you get stuck in your mind

OSINT Frameworkosintframework.com

ASN Lookup

Hurricane Electric BGP Toolkitbgp.he.net

Firewall Detection

fire up wireshark
try to nc the existing port and the closed port in the target machine. If it comes differently, maybe there is a firewall.

secretdump.py

if you found a file ntds.dit (backup of the AD)

--> ntds.dit is a AD database, encrypt with SECURITY as key, and key encrypted by SYSTEM

secretdump.py -pwd-last-set -user-status -history -ntds ntds.dit -security SECURITY -system SYSTEM local

This page will be updated soon 😄

if you found file sam.bakand system.bak run the secretdump.py and get the SAM hashes

secretsdump.py  -sam sam.bak -system system.bak LOCAL

Next00 - Kali Linux Preparation

Last updated 1 year ago

hashtagInitial Enumeration

hashtagNmap

hashtagWell Known Ports

hashtagDNS Enumeration

hashtagPassive Enumeration

hashtagWhois

hashtagGoogle Dorking

hashtagNetcraft

hashtagRecon-ng

hashtagOpen-Source Code

hashtagShodan

hashtagSecurity Headers Scanner

hashtagPastebin

hashtagEmail harvesting

hashtagPassword Dumps

hashtagSocial Media

hashtagKeywords Search

hashtagStack Overflow

hashtagOSINT Framework

hashtagASN Lookup

hashtagFirewall Detection

hashtagsecretdump.py