Penetration Testing Notes

Second brain for hackers

always set IP in your env

export IP=<target ip>

Initial Enumeration

Nmap

If you looking for nmap script in Kali Linux:

/usr/share/nmap/script

Fast Scan

nmap -p- --min-rate 10000 $IP

Full TCP Scan

save the output to all_tcp_port

nmap -sC -sV -p- -Pn -oA all_tcp_port_$IP $IP --open -v

UDP Scan

nmap -sU -sV --version-intensity 0 -n -T4 -oA udp_port $IP

So many port available? scan with this

nmap -p- --script "vuln and safe" -Pn -n $IP

OS Enumeration

nmap -v --script=smb-os-discovery -p T:139,445 $IP

Nmap Over Proxy

// check the port

proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP -v

// more scan
proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP -v -sC -sV -p<port>

Well Known Ports

http://www.onepage.co.kr/wordpress/index.php/2015/12/22/well-known-ports/

DNS Enumeration

Find IP Address

host $URLh
host -t mx $URL
host -t txt $URL

Brute Force

# sub domain
for sub in $(cat list.txt); do host $sub.example.com; done

# reverse lookup IP address
for ip in $(seq 50 100); do host 10.10.10.$ip; done |grep -v "not found"

DNS Zone Transfer

# check the dns server first
host -t ns example.com | cut -d " " -f 4

# then check the sub domain from that dns server address
#host -l <domain name> <dns server address>  
host -l example.com ns1.example.com

Bash script for DNS zone transfer, save to dns-axfr.sh, then run with this command ./dns-axfr.sh example.com

#!/bin/bash

domain=$1
if [ -z "$domain" ]
then
echo "Usage : $0 <domain>"

exit 0
fi

for server in `host -t ns $domain |cut -d " " -f 4`
do

host -l $domain $server |grep "has address"
done

Another simple way using DNSRecon

# query the DNS Zone Transfer
dnsrecon -d <domain> -t axfr

# brute force sub domain with dnsrecon
dnsrecon -d <domain> -D ./list.txt -t brt

Passive Enumeration

Whois

https://whois.domaintools.com/

other whois --> whois.arin.net

whois <domain>
whois <ip>

Google Dorking

site:example.com filetype:php -filetype:html intitle: "index of" "parent directory"

more information about google dorking:

Netcraft

Recon-ng

recon/domains-hosts/google_site_web and recon/hosts-hosts/resolve

Open-Source Code

search on github filename:users filename:config

automated tools --> gitrob, gitleaks, or recon-ng (with modules) this automated tools are based on regex, entropy for search userful information.

gitleaks ./gitleaks-linux-amd64 -v -r=https://github.com/

Shodan

search

hostname: port:"22"

Security Headers Scanner

https://securityheaders.com/ (scan with this)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Pastebin

https://pastebin.com/

Email harvesting

theharvester -d -b google

-b : data source

Password Dumps

Social Media

Keywords Search

twitter: https://digi.ninja/projects/twofi.php

linkedin: linkedin2username

Still stuck? go here if you get stuck in your mind

Stack Overflow

search a question related with company. You can search for a user who work at the target company an look at their questions about code or software error.

OSINT Framework

go here if you get stuck in your mind

ASN Lookup

Firewall Detection

  1. fire up wireshark

  2. try to nc the existing port and the closed port in the target machine. If it comes differently, maybe there is a firewall.

secretdump.py

if you found a file ntds.dit (backup of the AD)

--> ntds.dit is a AD database, encrypt with SECURITY as key, and key encrypted by SYSTEM

secretdump.py -pwd-last-set -user-status -history -ntds ntds.dit -security SECURITY -system SYSTEM local

if you found file sam.bakand system.bak run the secretdump.py and get the SAM hashes

secretsdump.py  -sam sam.bak -system system.bak LOCAL
Next00 - Kali Linux Preparation

Last updated