Discovery¶
DNS¶
-
dnsenum
# dnsenum # [--noreverse] # [--recursion] # <domain> dnsenum google.com -
gobuster
# gobuster vhost # [-H, --headers="<key>:<value>" ...] # [--exclude-length={ <length> | <length>-<length> },...] # [--append-domain] # --domain=<domain> # -w, --wordlist=<wordlist> # -u, --url=<url> gobuster vhost --exclude-length=100,200-300 --append-domain --domain=${domain:?} --wordlist=/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --url=http://${domain:?} -
knockpy.py
DNS Lookup¶
-
dig
# dig # [@<server>] # { <name> | -x <addr> } ... # [ A | MX | NS | TXT | CNAME | <type> ] # [{ +trace | +https | +nssearch | +<option> } ...] dig @8.8.8.8 www.google.com A dig www.google.com A +trace dig google.com +nssearch dig -x 8.8.8.8 -
nslookup
# nslookup # [{ # -type={ A | <type> } # -<option>[=<value>] # } ...] # { <name> | <addr> } # [<server>] nslookup -type=A www.google.com 8.8.8.8 nslookup 8.8.8.8 -
drill
# drill # [-T] (enable trace) # { # <name> # -x <addr> # (rDNS) # } # [@<server>] (specify DNS server) # [ A | <type> ] drill www.google.com @8.8.8.8 A drill -T www.google.com # trace drill -x 8.8.8.8
Port¶
/dev/tcp/<HOST>/<PORT>- nc / ncat / socat
-
Nmap
# nmap # [-v] (verbose) # [-n] (disable DNS resolution) # [-T{0..5}] (5 is fastest) # [-A] (same as -O -sV -sC --traceroute) # [-O] (enable OS detection) # [-Pn] (skip host discovery) # [-sn] (disable port scan) # [-sV] (show service version info) # [-sS] (TCP SYN, default) # [-sU] (UDP scan) # [-sC] (same as --script=default) # [--script={ "http-*" | default | vuln | * | <pattern> },...] # [--script-trace] # (show all data sent and received) # [--script-help <pattern>] # (/usr/share/nmap/scripts) # [ # -p- (all ports) # -p{[ T: | U: ]{ <port> | <port>-<port> },...},... # --top-ports <n> # ] # { <hostname> | <ip> | <range> | <subnet> } # Scan with default setting. nmap -A ${host:?} # Scan HTTP service. nmap --script="http-*" -p80 ${host:?} # Scan all TCP ports. nmap -v -n -T5 -sS -p- ${host:?} # Scan ports with version info. nmap -v -n -sV -p22,80,443 ${host:?}
Service¶
HTTP¶
$ certutil.exe -urlcache -f <url> <filename>- HTTPie
-
dirsearch
# dirsearch # [-m, --http-method=<method>] # [-H, --header="<name>: <value>" ...] # [--cookie="<name>=<value>;..."] # [-e, --extensions={<extension>|php|asp},...] # (only replaces %EXT% by default) # [-f, --force-extensions] # [--prefixes=<prefix>,...] # [--suffixes=<suffix>,...] # [-r, --recursive] # [--crawl] # [-i, --include-status={<code>|<code>-<code>},...] # [-x, --exclude-status={<code>|<code>-<code>},...] # [--exclude-text=<text> ...] # [--exclude-regex=<regex> ...] # [--exclude-redirect=<redirect url> ...] # -u, --url=<url> dirsearch -r -u ${url:?} -
gobuster
# gobuster dir gobuster dir --url ${url:?} --wordlist ${wordlist:-/usr/share/wordlists/dirb/common.txt} -t ${threads:-100} -
dirb
# dirb # [-H <header_string>] # [-c <cookie_string] # [-X {<extension>|.html}] # [-N <status_code>] # (ignore responses with this code) # <url> # [<wordlist>,...] dirb ${url:?} ${wordlist} -
dirbuster
# dirbuster -
feroxbuster
-
wfuzz
wfuzz -c -z file,${wordlist:-/usr/share/wordlists/dirb/common.txt} -hc ${hidecode:-404} ${url:?}/FUZZ #Hide all results with same line count to the result queried by parameter <baseArg1> and <baseArg2>. wfuzz -c -z file,${wordlist:?} -hl ${hideline:-BBB} ${url:?}/?FUZZ{<baseArg1>}=,FUZ2Z{<baseArg2>}= -
ffuf
Git¶
- git-dumper
LDAP¶
-
ldapsearch
ldapsearch -x -H ldap://${host:?} -b "" -s base "(objectClass=*)" -
ldapdomaindump
Kerberos¶
SMB¶
-
smbclient
# smbclient # [--user=<user>] # [--password=<password>] # { # -L \\<host> # (list all) # \\<host>\<path> # } smbclient -L '\\'${host:?} -
enum4linux
-
smbmap
# smbmap # [-u <username>] # [-p <password>] # { -H <host> | --host-file <file> } smbmap -u ${user:?} -p ${pass:?} -H ${host:?}
SNMP¶
-
snmpwalk
snmpwalk -v2c -c public <site>
WinRM¶
- evil-winrm
- impacket
Telnet¶
- telnet