my recon cheat-sheet
It is always under development... because I will add something to it daily as I learn.
=================AutoRecon :
>>> python3 autorecon.py -ct 4 -cs 10 $IP
>>> python3 autorecon.py $IP
=================Nmap Automator :
>>> ./nmapAutomator.sh $IP All
=================onetwopunch :
>>> ./onetwopunch.sh -t targets.txt -p all -n "-sV -O --version-intensity=9"
=================reconnoitre :
>>> reconnoitre -t $IP -o /root/machine/ --services
>>> reconnoitre -t $IP --services --quick -o /root/machine/
>>> reconnoitre -t $IP -o /root/machine/
=================nikto :
>>> nikto -host $IP
>>> nikto -h $IP
=================For port knocking :
>>> for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x $IP; done
=================<<SNMP>>=============================
=====SNMP-Check :
>>> snmp-check $IP
>>> snmpcheck -t $IP -c public
=====onesixtyone :
>>> onesixtyone -c names -i hosts
=====SNMPWALK :
>>> snmpwalk -c public -v1 $IP
=====SNMPENUM :
>>> perl snmpenum.pl $IP public windows.txt
=====NMAP SCRIPTS :
>>> nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt $IP
>>> nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP
>>> nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IP
==============================================================================
===============================Web Fuzzing=====================
=================[Gobuster]==============
======export URL :
>>> export URL="https://example.com/"
======Bust Directories :
>>> gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30
======Bust Files :
>>> gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30
======Bust DNS :
>>> gobuster dns -d someDomain.com -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30
=================[WFUZZ]=================
======export URL :
>>> export URL="https://example.com/FUZZ" ['/' at the end for directories ]
======Bust Directories :
>>> wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 "$URL"
======Bust Files :
>>> wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 "$URL"
======AUTHENTICATED FUZZING ( e.g. ):
>>> wfuzz -c -b "<SESSIONVARIABLE>=<SESSIONVALUE>" -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 "$URL"
======FUZZ DATA AND CHECK FOR PARAMETERS :
>>> export URL="https://example.com/?parameter=FUZZ"
--> and/or some combination of...
>>> export URL="https://example.com/?FUZZ=data"
>>> wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt "$URL"
======Can I FUZZ Post Data??? :
--> Yup.
--> Example of Command Injection POST Checks:
>>> wfuzz -c -z file,/usr/share/wordlists/Fuzzing/command-injection.txt -d "postParameter=FUZZ" "$URL"
=================================================================
====================For The Web By The Web :
>>> cewl http://example.com/
>>> cewl -d 2 -m 5 -w thatsCewl.txt https://exampledomain.com/
>>> cewl http://example.com --depth=4 --write=output.txt
===================WafW00F :
>>> wafw00f -i websites.txt
>>> wafw00f -a $URL
============================Curl Time===============================
=====Check HTTP options:
>>> curl -v -k -X OPTIONS $URL
=====If put enabled, upload:
>>> curl -v -X PUT -d '' http://$IP/test/shell.php
================================================================
===================Arjun :
Link : https://github.com/s0md3v/Arjun
>>> python3 arjun.py -u https://url.com --get
>>> python3 arjun.py -u https://url.com --post
===================ReconDog :
Link : https://github.com/s0md3v/ReconDog
>>> python ./dog.py