Network Services
Enumeration
Service version detection and default nmap scripts
Services
FTP
Anonymous Login
Brute Force
SSH
Any version of OpenSSH prior to 7.7 is vulnerable to user enumeration (CVE-2018-15473) if not patched. To exploit this vulnerability, we can use the following script:
Brute Force
HTTP/HTTPS
Enumerate basic files and directories with nmap scripts
Web Technologies
I also recommend using the Wappalyzer browser extension
File and Directory Enumeration
Gobuster
Useful parameters:
-t, --threads Concurrent threads
--exclude-length Exclude content length
-s, --status-codes White list status codes
-b, --status-codes-blacklist Black list status codes
-r, --follow-redirect Follow redirects
--proxy Use Proxy <type:host:port>
-k, --no-tls-validation Skip TLS verification
--timeout HTTP Timeout
Wfuzz
Useful parameters:
-t <threads> Concurrent threads
-L, --follow Follow redirects
-p Use Proxy <host:port:type>
--hc/hl/hw/hh Hide code/lines/words/chars
--sc/sl/sw/sh Show code/lines/words/chars
Subdomain Enumeration
Gobuster
Wfuzz
Exploitation
Once the web is enumerated, you may want to exploit some web vulnerabilities:
Web Vulnerabilities
SMB
System enumeration with enum4linux
Shares Enumeration
On Windows systems you may need to escape backslashes: \\\\<target>\\<share>
RPC
Automated Enumeration
Manual Enumeration