Enumeration
Nmap
# Basic nmap usage
$ nmap [ip]
$ nmap -sC -sV -oN [file] [ip]
# -T4 = faster execution
$ nmap -A -p- -T4 -oN [file] [ip]
GoBuster
# Basic gobuster usage
# Path: /usr/share/wordlists/dirbuster/...
$ gobuster dir -u http://[ip] -w [wordlist]
SMB (Server Message Block)
# SMB shares enum
# nmap (enum)
$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [ip]
# enum4linux (path: /usr/share/enum4linux/enum4linux.pl)
$ enum4linux.pl -a [ip] | tee log.txt
# smbclient (connect)
$ smbclient //[ip]/[share name]
# smbget (download files recursively)
$ smbget -R smb://[ip]/[share name]
NFS (Network File System)
# NFS enum
# nmap
$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount [ip]
# showmount
$ showmount -e [ip]
# mount NFS volume
$ mount [ip]:/volume /mnt/[......]
Linux Basic Enum (Files)
# Files :)
# info like user names, UIDs and login shells
$ cat /etc/passwd
# info like bash config & history
$ cat ~/.bashrc
$ cat ~/.bash_profile
$ cat ~/.bash_history
# ssh keys
$ cat ~/.ssh/[......]
# static hostname to IP mappings
$ cat /etc/hosts
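Added example, not from the original cheat sheet: reading /etc/passwd by hand is fine for one box, but the same fields can be checked with two short awk filters so that unexpected login-capable accounts and extra UID-0 accounts stand out. The function names, the default path and the sample passwd lines in the usage note are our own assumptions.

```shell
#!/bin/sh
# Audit a passwd-format file: list accounts with an interactive shell and any
# UID-0 account other than root. Function names are our own, not a standard tool.

# Print "user:uid:shell" for every account whose shell is not a no-login shell.
# Field 7 is the login shell; nologin and false are the usual non-interactive ones.
list_login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Print UID-0 accounts that are not "root"; on a healthy host this prints nothing.
list_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Stand-alone usage: sh passwd_audit.sh [passwd-file]   (defaults to /etc/passwd)
PASSWD_FILE="${1:-/etc/passwd}"
if [ -r "$PASSWD_FILE" ]; then
    echo "[*] accounts with an interactive shell in $PASSWD_FILE:"
    list_login_accounts "$PASSWD_FILE"
    echo "[*] UID-0 accounts other than root in $PASSWD_FILE:"
    list_extra_uid0 "$PASSWD_FILE"
fi
```

Run against a copy of /etc/passwd pulled from a host and compare the output with the expected account list; any unfamiliar shell-capable user or a second UID-0 entry is worth a closer look.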
Linux Basic Enum (Commands)
# Commands :)
# environment variables
$ env
# commands current user can execute with sudo
$ sudo -l
Linux Find SUID files
# Use the command 'find'
$ find / -perm -4000 -type f 2>/dev/null
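Added example, not from the original cheat sheet: the find command above lists setuid files, and the defender-side version of the same check is to compare that list against a baseline taken when the host was known-good, so a setuid or setgid binary that appeared later is flagged. The function names and the baseline format (one absolute path per line) are our own assumptions.

```shell
#!/bin/sh
# List setuid/setgid files under a directory tree and diff them against a saved
# baseline. Function names and the one-path-per-line baseline format are our own.

# Print sorted paths of regular files with the setuid (4000) or setgid (2000) bit.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print paths that carry a set-id bit now but are absent from the baseline file $2.
# awk loads the baseline into a set, then prints stdin lines not in that set;
# matching on FILENAME (not NR==FNR) keeps this correct when the baseline is empty.
new_setid_files() {
    find_setid_files "$1" | awk -v base="$2" \
        'FILENAME == base { seen[$0] = 1; next } !($0 in seen)' "$2" -
}

# Stand-alone usage:
#   sh setid_audit.sh /                 -> list (save this as the baseline)
#   sh setid_audit.sh / baseline.txt    -> show only entries not in the baseline
if [ "$#" -ge 2 ]; then
    new_setid_files "$1" "$2"
elif [ "$#" -eq 1 ]; then
    find_setid_files "$1"
fi
```

Save the first run's output as the baseline right after build, then schedule the diff; an empty result is the expected state, and anything printed is either a package update or something to investigate.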
linPEAS.sh ⚙
# Basic linPEAS.sh usage
# tee command: read stdin and write to stdout & file
$ ./linpeas.sh | tee log.txt
Windows - Useful Commands
# commands
# find files recursively
$ dir /s /p [filename or pattern]
$ where /R C:\ [pattern]
# display alternate data stream (ADS)
$ dir /R
winPEAS.exe ⚙
# winPEAS.exe
$ .\winPEAS.exe
Exploit Search
# SearchSploit
# update exploitdb packages
$ searchsploit -u
# for searchsploit usage & options
$ searchsploit -h
# wes.py
# update database
$ ./windows-exploit-suggester.py --update
# suggest possible exploits
$ ./windows-exploit-suggester.py --database [yyyy-mm-dd-mssb.xlsx] --systeminfo [systeminfo.txt]