# Penetration Testing Notes

Always set `IP` in your env first; the commands below use it:

```bash
export IP=<target ip>
```

## Initial Enumeration

### Nmap

If you are looking for the nmap scripts in Kali Linux, they live in:

`/usr/share/nmap/scripts`

**Fast Scan**

```bash
nmap -p- --min-rate 10000 $IP
```

**Full TCP Scan**

Save the output in all formats (`-oA`) as `all_tcp_port_$IP`:

```bash
nmap -sC -sV -p- -Pn -oA all_tcp_port_$IP $IP --open -v
```

**UDP Scan**

```bash
nmap -sU -sV --version-intensity 0 -n -T4 -oA udp_port $IP
```

Many ports open? Run the safe vuln scripts against all of them:

```bash
nmap -p- --script "vuln and safe" -Pn -n $IP
```

**OS Enumeration**

```bash
nmap -v --script=smb-os-discovery -p T:139,445 $IP
```

**Nmap Over Proxy**

```bash
# find the open ports first (only full TCP connect scans, -sT, work through proxychains)
proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP -v

# then enumerate the open ports with scripts and version detection
# (written to a second file so the first result is not overwritten)
proxychains -q nmap -sT -Pn -n $IP -oN nmapTCP_detail -v -sC -sV -p<port>
```

## Well Known Ports

<http://www.onepage.co.kr/wordpress/index.php/2015/12/22/well-known-ports/>

### DNS Enumeration

**Find IP Address**

```bash
host $URL
host -t mx $URL
host -t txt $URL
```

**Brute Force**

```bash
# sub domain
for sub in $(cat list.txt); do host $sub.example.com; done

# reverse lookup IP address
for ip in $(seq 50 100); do host 10.10.10.$ip; done |grep -v "not found"
```

**DNS Zone Transfer**

```bash
# check the dns server first
host -t ns example.com | cut -d " " -f 4

# then check the sub domain from that dns server address
#host -l <domain name> <dns server address>  
host -l example.com ns1.example.com
```

Bash script for DNS zone transfer, save to `dns-axfr.sh`, then run with this command `./dns-axfr.sh example.com`

```bash
#!/bin/bash

domain=$1
if [ -z "$domain" ]; then
    echo "Usage: $0 <domain>"
    exit 1
fi

# ask every authoritative name server of the domain for a zone transfer
for server in $(host -t ns "$domain" | cut -d " " -f 4); do
    host -l "$domain" "$server" | grep "has address"
done
```

Another simple way is **DNSRecon**:

{% embed url="<https://github.com/darkoperator/dnsrecon>" %}
DNSRecon
{% endembed %}

```bash
# query the DNS Zone Transfer
dnsrecon -d <domain> -t axfr

# brute force sub domain with dnsrecon
dnsrecon -d <domain> -D ./list.txt -t brt
```

## Passive Enumeration

### Whois

<https://whois.domaintools.com/>

other whois server --> whois.arin.net

```bash
whois <domain>
whois <ip>
```

### Google Dorking

```
site:example.com filetype:php -filetype:html intitle:"index of" "parent directory"
```

more information about google dorking:

{% embed url="<https://www.exploit-db.com/google-hacking-database>" %}

### Netcraft

{% embed url="<https://searchdns.netcraft.com>" %}

### Recon-ng

{% embed url="<https://github.com/lanmaster53/recon-ng>" %}

Useful modules: `recon/domains-hosts/google_site_web` and `recon/hosts-hosts/resolve`

### Open-Source Code

search on github `filename:users filename:config`

Automated tools --> gitrob, gitleaks, or recon-ng (with modules). These tools find useful information with regexes and entropy checks.

```bash
# old gitleaks (pre-v8) syntax: -r takes the repository URL to scan
./gitleaks-linux-amd64 -v -r=https://github.com/<user>/<repo>
```

### Shodan

{% embed url="<https://www.safetydetectives.com/blog/what-is-shodan-and-how-to-use-it-most-effectively/>" %}

**search**

```
hostname:"<domain>" port:"22"
```

### Security Headers Scanner

<https://securityheaders.com/> (scan with this)

<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options>

### Pastebin

<https://pastebin.com/>

### Email harvesting

{% embed url="<https://github.com/laramies/theHarvester>" %}

```bash
theharvester -d <domain> -b google
```

**-b** : data source

### Password Dumps

{% embed url="<https://haveibeenpwned.com/PwnedWebsites>" %}

### Social Media

{% embed url="<https://www.social-searcher.com/>" %}

### Keywords Search

**twitter**: <https://digi.ninja/projects/twofi.php>

**linkedin:** linkedin2username

{% embed url="<https://github.com/initstring/linkedin2username>" %}

**Still stuck?**\
The sources below help when you have run out of ideas.

### Stack Overflow

Search for questions related to the company. You can look for users who work at the target company and read their questions about code or software errors.

### OSINT Framework

Go here when you have run out of ideas.

{% embed url="<https://osintframework.com/>" %}

### ASN Lookup

{% embed url="<https://bgp.he.net/>" %}

## Firewall Detection

1. Fire up Wireshark.
2. Try `nc` against an open port and a closed port on the target machine. If the two behave differently, there is probably a firewall in between.

## secretsdump.py

If you find an `ntds.dit` file (a backup of the AD database):

--> ntds.dit is the AD database; it is encrypted, so secretsdump needs the SECURITY and SYSTEM hives (the key material) to decrypt it.

```bash
secretsdump.py -pwd-last-set -user-status -history -ntds ntds.dit -security SECURITY -system SYSTEM LOCAL
```

> This page will be updated soon :smile:

If you find `sam.bak` and `system.bak`, run secretsdump.py to get the SAM hashes:

```bash
secretsdump.py -sam sam.bak -system system.bak LOCAL
```

