Penetration Testing Notes
Second brain for hackers
Always set the target IP in your environment first:
export IP=<target ip>
Initial Enumeration
Nmap
If you are looking for the Nmap scripts on Kali Linux, they live in:
/usr/share/nmap/scripts
Fast Scan
nmap -p- --min-rate 10000 $IP
Full TCP Scan
Save the output (all three nmap formats via -oA) under the prefix all_tcp_port_$IP:
nmap -sC -sV -p- -Pn -oA all_tcp_port_$IP $IP --open -v
UDP Scan
nmap -sU -sV --version-intensity 0 -n -T4 -oA udp_port $IP
Many open ports? Scan them with the safe vulnerability scripts:
nmap -p- --script "vuln and safe" -Pn -n $IP
OS Enumeration
nmap -v --script=smb-os-discovery -p T:139,445 $IP
Nmap Over Proxy
# first check which ports are open
proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP -v
# then run a deeper scan against those ports
proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP -v -sC -sV -p<port>
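As an added example (not part of the original notes), a small shell helper that parses the .gnmap file written by the -oA full TCP scan above and prints the open TCP ports as a comma-separated list, ready to paste into the -p<port> follow-up scan. The scan output it runs on is constructed for the example, not a real result.

```bash
#!/bin/bash
# Added example: extract open TCP ports from nmap grepable output (the .gnmap
# file produced by -oA), e.g. to feed the -p<port> follow-up scan.

# Constructed sample .gnmap content (not a real scan). A tab separates the
# "Host:" field from the "Status:"/"Ports:" fields, exactly as nmap writes it.
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.5 ()\tStatus: Up\nHost: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//\tIgnored State: closed (65531)\n')

# open_ports_from_gnmap TEXT: print the open TCP ports found in .gnmap text
# as a comma-separated list, e.g. "22,80,445" (empty if none are open).
open_ports_from_gnmap() {
    printf '%s\n' "$1" | awk '
        /^Host:.*Ports:/ {
            sub(/.*Ports: /, "")                 # keep only the port list
            sub(/[ \t]*Ignored State.*/, "")     # drop the trailing state summary
            n = split($0, entries, ",")
            for (i = 1; i <= n; i++) {
                # each entry is port/state/proto/owner/service/rpcinfo/version/
                split(entries[i], f, "/")
                gsub(/^[ \t]+/, "", f[1])
                if (f[2] == "open" && f[3] == "tcp")
                    ports = (ports == "" ? f[1] : ports "," f[1])
            }
        }
        END { print ports }'
}

# With a real scan: open_ports_from_gnmap "$(cat all_tcp_port_$IP.gnmap)"
open_ports_from_gnmap "$SAMPLE_GNMAP"   # prints 22,80,445
```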
Well Known Ports
http://www.onepage.co.kr/wordpress/index.php/2015/12/22/well-known-ports/
DNS Enumeration
Find IP Address
host $URL
host -t mx $URL
host -t txt $URL
Brute Force
# sub domain
for sub in $(cat list.txt); do host $sub.example.com; done
# reverse lookup IP address
for ip in $(seq 50 100); do host 10.10.10.$ip; done |grep -v "not found"
DNS Zone Transfer
# check the dns server first
host -t ns example.com | cut -d " " -f 4
# then check the sub domain from that dns server address
#host -l <domain name> <dns server address>
host -l example.com ns1.example.com
Bash script for DNS zone transfer: save it as dns-axfr.sh, then run it with ./dns-axfr.sh example.com
#!/bin/bash
# dns-axfr.sh: attempt a zone transfer against every name server of a domain
domain=$1
if [ -z "$domain" ]
then
    echo "Usage : $0 <domain>"
    exit 1
fi
# look up the domain's NS records and keep only the server names
for server in $(host -t ns "$domain" | cut -d " " -f 4)
do
    # request the full zone from each server and keep only the A records
    host -l "$domain" "$server" | grep "has address"
done
Another simple way is DNSRecon:
# query the DNS Zone Transfer
dnsrecon -d <domain> -t axfr
# brute force sub domain with dnsrecon
dnsrecon -d <domain> -D ./list.txt -t brt
Passive Enumeration
Whois
https://whois.domaintools.com/
Another whois server: whois.arin.net
whois <domain>
whois <ip>
Google Dorking
site:example.com filetype:php -filetype:html intitle:"index of" "parent directory"
More information about Google dorking:
Netcraft
Recon-ng
Useful modules: recon/domains-hosts/google_site_web and recon/hosts-hosts/resolve
Open-Source Code
Search on GitHub with filename:users filename:config
Automated tools: gitrob, gitleaks, or recon-ng (with its modules). These tools rely on regexes and entropy checks to find useful information.
gitleaks: ./gitleaks-linux-amd64 -v -r=https://github.com/
Shodan
search
hostname: port:"22"
Security Headers Scanner
https://securityheaders.com/ (scan with this)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Pastebin
https://pastebin.com/
Email harvesting
theharvester -d -b google
-b : data source
Password Dumps
Social Media
Keywords Search
twitter: https://digi.ninja/projects/twofi.php
linkedin: linkedin2username
Still stuck? Try the sources below when you run out of ideas.
Stack Overflow
Search for questions related to the company. You can look for users who work at the target company and read their questions about code or software errors.
OSINT Framework
Go here when you run out of ideas.
ASN Lookup
Firewall Detection
Fire up Wireshark.
Try nc against an open port and a closed port on the target machine. If the responses differ, there is probably a firewall in between.
secretsdump.py
If you find an ntds.dit file (a backup of the AD database):
--> ntds.dit is the AD database; it is encrypted with SECURITY as the key, and that key is itself encrypted by SYSTEM
secretsdump.py -pwd-last-set -user-status -history -ntds ntds.dit -security SECURITY -system SYSTEM LOCAL
This page will be updated soon 😄
If you find the files sam.bak and system.bak, run secretsdump.py to get the SAM hashes:
secretsdump.py -sam sam.bak -system system.bak LOCAL