Enumeration

Nmap
Web
SMB
NFS
Linux
Windows
Exploit

Nmap

# Basic nmap usage
$ nmap [ip]
$ nmap -sC -sV -oN [file] [ip]

# -T4 = faster execution
$ nmap -A -p- -T4 -oN [file] [ip]

GoBuster

# Basic gobuster usage (-u takes a URL, not a bare IP)
# Wordlist path: /usr/share/wordlists/dirbuster/...
$ gobuster dir -u http://[ip] -w [wordlist]

SMB (Server Message Block)

# SMB shares enum
# nmap (enum)
$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [ip]

# enum4linux (path: /usr/share/enum4linux/enum4linux.pl)
$ enum4linux.pl -a [ip] | tee log.txt

# smbclient (connect)
$ smbclient //[ip]/[share name]

# smbget (download files recursively)
$ smbget -R smb://[ip]/[share name]

NFS (Network File System)

# NFS enum
# nmap
$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount [ip]

# showmount
$ showmount -e [ip]

# mount NFS volume
$ mount [ip]:/volume /mnt/[......]

Linux Basic Enum (Files)

# Files :)
# info like user names and the shell
$ cat /etc/passwd

# info like bash config & history
$ cat ~/.bashrc
$ cat ~/.bash_profile
$ cat ~/.bash_history

# ssh keys
$ cat ~/.ssh/[......]

# hostname <=> IP
$ cat /etc/hosts

Linux Basic Enum (Commands)

# Commands :)
# environment variables
$ env

# commands current user can execute with sudo
$ sudo -l

Linux Find SUID files

# Use the command 'find' 
$ find / -perm -4000 -type f 2>/dev/null
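The raw `find` output is long on any real box, so an added example (not from the original cheat sheet) wraps the search in a function and diffs it against a baseline of expected SUID binaries; only the unexpected ones are printed. It assumes `find`, `sort`, `comm` and `mktemp`, and a baseline file with one absolute path per line; the demo builds a constructed directory tree rather than touching system files.

```shell
#!/bin/sh
# Added example, not part of the original page.

# List all SUID regular files below directory $1, sorted, errors suppressed.
suid_list() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# Print SUID files below $1 that are NOT listed in baseline file $2.
# comm -23 keeps lines only present in the first (sorted) input.
suid_unexpected() {
    suid_base_tmp=$(mktemp)
    sort "$2" > "$suid_base_tmp"
    suid_list "$1" | comm -23 - "$suid_base_tmp"
    rm -f "$suid_base_tmp"
}

# Demo on a constructed tree (hypothetical files, no real binaries).
suid_demo() {
    demo_root=$(mktemp -d)
    demo_base=$(mktemp)
    mkdir -p "$demo_root/usr/bin" "$demo_root/tmp"
    : > "$demo_root/usr/bin/passwd"; chmod 4755 "$demo_root/usr/bin/passwd"  # expected SUID
    : > "$demo_root/tmp/backup";     chmod 4755 "$demo_root/tmp/backup"      # unexpected SUID
    : > "$demo_root/usr/bin/ls";     chmod 0755 "$demo_root/usr/bin/ls"      # not SUID
    printf '%s\n' "$demo_root/usr/bin/passwd" > "$demo_base"
    suid_unexpected "$demo_root" "$demo_base"   # prints only .../tmp/backup
    rm -rf "$demo_root" "$demo_base"
}

suid_demo
```

On a live system, generate the baseline once from a known-good build and re-run `suid_unexpected / baseline.txt` to spot binaries that gained the bit since.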

linPEAS.sh

# Basic linPEAS.sh usage 
# tee command: read stdin and write to stdout & file
$ ./linpeas.sh | tee log.txt

Windows - Useful Commands

# commands

# find files recursively 
$ dir /s /p [filename or pattern]
$ where /R C:\ [pattern]

# display alternate data stream (ADS)
$ dir /R

winPEAS.exe

# winPEAS.exe 
$ .\winPEAS.exe

Exploit Search

# SearchSploit 
# update exploitdb packages
$ searchsploit -u

# for searchsploit usage & options
$ searchsploit -h

# windows-exploit-suggester.py (Windows Exploit Suggester)
# update database (downloads the MS security bulletin spreadsheet)
$ ./windows-exploit-suggester.py --update

# suggest possible exploits
$ ./windows-exploit-suggester.py --database [yyyy-mm-dd-mssb.xlsx] --systeminfo [systeminfo.txt]