¶ Enumeration
¶ nmap
Recommend starting point:
nmap -sC -sV -p- $TARGET
Explanation of options:
sCuse default scriptssVProbe open ports to determine what service and version is running-p-Scans the whole range of ports. Alteranitvely can be used to specify a particular range by using-p-100,600-which would scan ports 100 through 600 (inclusive).$TARGETcould either be a single IP or IP range. This can be done in CIDR format
¶ Recon
¶ Gobuster
Gobuster can be used to brute force directory structure as well as vhosts.
¶ dir
gobuster dir -u <URL>[:PORT] -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
Explanation of options:
dirtells gobuster that we are looking for subdirectories-u <URL>[:PORT]what URL to scan and optionally what port to use. Note: when specifying a port, URL will need to be in the form of "http://<IP or DNS name>:<PORT>".-wspecifies a word list. Example above is the location in Kali, unsure of locations in other distributions.
¶ vhost
gobuster vhost -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u <URL>[:PORT]
Explanation of options:
vhosttells gobuster that we are looking for vhosts (www., mail., ftp. and so on)-wspecifies a word list. Example above is the location in Kali, unsure of locations in other distributions.-u <URL>[:PORT]what URL to scan and optionally what port to use. Note: when specifying a port, URL will need to be in the form of "http://<IP or DNS name>:<PORT>".
¶ Reverse Shell
¶ NetCat
Start netcat listener using:
nc -nvlp 4444
Explanation of options:
-nspecifies numeric only, no DNS-vmakes the output verbose (add anothervto make it very verbose)-lturns on listen mode for incoming connections-pspecifies the port to listen on; "4444" in the example above
Output example:
-Shows incoming connection from 10.129.231.252
¶ Upgrade Shell
When obtaining a reverse shell, you might wish to upgrade it in order to make it more usable. There are a few methods to do this.
python3 -c 'import pty;pty.spawn("/bin/bash/");'. This should work if python3 is installed and/bin/bashis availablepython -c 'import pty;pty.spawn("/bin/bash/");'. This will run with python2script /dev/null -c bash
Example:
¶ Burpsuite
¶ Configure Firefox to work with Burpsuite
Go to Settings -> Network Settings and set as per the following screenshot:
