Penetration Testing Notes

Second brain for hackers

Always set the target IP in your environment first:

export IP=<target ip>

Initial Enumeration

Nmap

If you are looking for the nmap scripts on Kali Linux:

/usr/share/nmap/scripts

Fast Scan

nmap -p- --min-rate 10000 $IP

Full TCP Scan

Save the output to all_tcp_port_$IP:

nmap -sC -sV -p- -Pn -oN all_tcp_port_$IP $IP --open -v

UDP Scan

nmap -sU -sV --version-intensity 0 -n -T4 -oN udp_port $IP

Many ports open? Scan them with this:

nmap -p- --script "vuln and safe" -Pn -n $IP

OS Enumeration

nmap -v --script=smb-os-discovery -p T:139,445 $IP

Nmap Over Proxy

# check the ports first
proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP -v

# then scan the found ports in more detail
proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP -v -sC -sV -p<port>

Well Known Ports

http://www.onepage.co.kr/wordpress/index.php/2015/12/22/well-known-ports/

DNS Enumeration

Find IP Address

host $URL
host -t mx $URL
host -t txt $URL

Brute Force

# sub domain
for sub in $(cat list.txt); do host $sub.example.com; done

# reverse lookup IP address
for ip in $(seq 50 100); do host 10.10.10.$ip; done |grep -v "not found"

DNS Zone Transfer

# check the dns server first
host -t ns example.com | cut -d " " -f 4

# then check the sub domain from that dns server address
#host -l <domain name> <dns server address>  
host -l example.com ns1.example.com

Bash script for DNS zone transfer. Save it as dns-axfr.sh, then run it with ./dns-axfr.sh example.com

#!/bin/bash
# Try a zone transfer (AXFR) against every name server of a domain.

domain=$1
if [ -z "$domain" ]; then
    echo "Usage: $0 <domain>"
    exit 1
fi

# Enumerate the name servers, then ask each one for the whole zone.
for server in $(host -t ns "$domain" | cut -d " " -f 4); do
    host -l "$domain" "$server" | grep "has address"
done

Another simple way, using DNSRecon:

DNSRecon
# query the DNS Zone Transfer
dnsrecon -d <domain> -t axfr

# brute force sub domain with dnsrecon
dnsrecon -d <domain> -D ./list.txt -t brt

Passive Enumeration

Whois

https://whois.domaintools.com/

Other whois server --> whois.arin.net

whois <domain>
whois <ip>

Google Dorking

site:example.com filetype:php -filetype:html intitle:"index of" "parent directory"

more information about google dorking:

Netcraft

Recon-ng

recon/domains-hosts/google_site_web and recon/hosts-hosts/resolve

Open-Source Code

Search on GitHub: filename:users filename:config

Automated tools --> gitrob, gitleaks, or recon-ng (with modules). These tools rely on regexes and entropy to search for useful information.

# gitleaks
./gitleaks-linux-amd64 -v -r=https://github.com/

Shodan

Search:

hostname:<hostname> port:"22"

Security Headers Scanner

https://securityheaders.com/ (scan with this)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
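An offline version of the check those scanners do, as an added example (not part of these notes): it audits a dict of response headers for the usual hardening headers, flags weak values such as a non-DENY/SAMEORIGIN X-Frame-Options, and reports version-leaking headers. The sample response is constructed, not captured from any real host.

```python
"""Offline audit of HTTP response security headers (added example)."""

# Headers a hardened response should carry, with a validator for each value.
REQUIRED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
}

# Headers that leak implementation detail and should be removed or blanked.
LEAKY = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers):
    """Return {'missing': [...], 'weak': [...], 'leaky': [...]} for a dict of
    response headers; names are compared case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED if h not in lower]
    weak = [h for h, ok in REQUIRED.items() if h in lower and not ok(lower[h])]
    leaky = [h for h in LEAKY if lower.get(h, "").strip()]
    return {"missing": missing, "weak": weak, "leaky": leaky}


def grade(result):
    """Pass only when nothing is missing, weak or leaky."""
    return "pass" if not any(result.values()) else "fail"


# Constructed sample: a typical unhardened response (not a real host).
SAMPLE = {
    "Server": "Apache/2.4.41",
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://example.com",  # deprecated value
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    result = audit_headers(SAMPLE)
    print(grade(result), result)
```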

Pastebin

https://pastebin.com/

Email harvesting

theharvester -d <domain> -b google

-b : data source

Password Dumps

Social Media

twitter: https://digi.ninja/projects/twofi.php

linkedin: linkedin2username

Still stuck? Try these sources:

Stack Overflow

Search for questions related to the company. You can look for users who work at the target company and read their questions about code or software errors.

OSINT Framework

Go here when you run out of ideas.

ASN Lookup

Firewall Detection

  1. Start Wireshark.

  2. Use nc to connect to an open port and a closed port on the target. If the two responses differ, a firewall may be in the way.

secretsdump.py

If you find an ntds.dit file (backup of the AD):

--> ntds.dit is the AD database; it is encrypted with a key from the SECURITY hive, and that key is encrypted by SYSTEM.

secretsdump.py -pwd-last-set -user-status -history -ntds ntds.dit -security SECURITY -system SYSTEM local

This page will be updated soon 😄

If you find sam.bak and system.bak files, run secretsdump.py to get the SAM hashes:

secretsdump.py -sam sam.bak -system system.bak LOCAL
