Recent Posts
Bloodhound Cheatsheet – Custom Queries, Neo4j, etc.
This document contains both custom queries that you can import/run directly in Bloodhound, as well as custom queries that you can run from within the Neo4j GUI directly. Importing Custom Queries to Bloodhound: CompassSecurity / BloodHoundQueries. There is an awesome project over at https://github.com/CompassSecurity/BloodHoundQueries. You can quickly install the custom queries by running the…
Wireshark Filters Cheatsheet
There are literally hundreds of these types of posts on the internet, with one of my favorites being https://wiki.wireshark.org/CaptureFilters. However, I wanted to create this ‘short’ list that contains my favorite go-to’s after performing Man in the Middle attacks. This post will be updated as time goes on. Understanding the Packet Capture: Before diving too…
Enumerating SNMP for Pentesting (UDP Ports 161, 162)
This post contains various commands and methods for performing enumeration of the SNMP service. This article will be expanded upon as time goes on. Using NMAP. Bruteforcing community strings: sudo nmap -sU -p 161 --script snmp-brute <ipAddr>. Bruteforcing community strings with a custom wordlist: sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ipAddr>. Enumerate users on the remote machine: sudo…
Active & Passive Recon Cheatsheet
This post contains various commands and methods for performing passive recon of a target. This article will be expanded upon as time goes on. Performing Whois lookups: We can utilize public WHOIS databases to perform lookups on domains (https://lookup.icann.org/). It may also be worthwhile utilizing other services, such as Namecheap. Once you know who the…
Network Enumeration and Host Discovery Cheatsheet
This post contains various commands and methods for performing enumeration of a network. This article will be expanded upon as time goes on. Quick Host Discovery using the ARP Protocol. Using NETDISCOVER to perform an ARP scan: sudo netdiscover -i <interface> -r <targetSubnet>. Using ARP-SCAN to perform an ARP scan: sudo arp-scan -I <interface> <targetSubnet>. Identifying your Immediate…
Enumerating NFS Shares (Port 2049)
NFS shares are not only common to come across during the OSCP and in capture the flag events like Hack The Box, but they’re also common to see during internal pentest engagements. This post intends to serve as a guide for enumerating an NFS share and the different opportunities for abusing their functionality. Note: In Linux…
Enumerating WinRM (Port 5985)
This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 5985 on a machine. This list is far from exhaustive and will be updated as time progresses. Getting a Shell w/ EvilWinRM: You can download this tool from Github at the following location: https://github.com/Hackplayers/evil-winrm. With that tool…
Enumerating DNS (Port 53)
This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 53 on a machine. This list is far from exhaustive and will be updated as time progresses. Enumerating the Hostname of the Server: Run the following commands to see if you can make the server leak its own…
Enumerating LDAP Port (389)
This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 389 on a machine. This list is far from exhaustive and will be updated as time progresses. Let’s start by performing a search with simple authentication: ldapsearch -h <targetIP> -x. If you get results back, let’s…
Enumerating IPSEC IKE/ISAKMP Ports (500, 4500, etc.)
If you find UDP ports 500 or 4500, the box is likely running some sort of IPSEC VPN tunnel. This post intends to serve as a guide for enumerating these ports and a list of tools that can help you. Table of Contents: Helpful Commands; Installing IPSEC VPN Client on Linux; Installing IPSEC VPN Client on Windows; Troubleshooting…
Enumerating FTP for Pentesting (Port 21)
Basic Enumeration: Attempt to connect anonymously by issuing the below command and specifying the following credentials: anonymous:anonymous. ftp <ipAddress>. You can perform banner grabbing with the following Metasploit module: use auxiliary/scanner/ftp/ftp_version. You can perform brute force with the following Metasploit module: use auxiliary/scanner/ftp/ftp_login. Transferring Files: If you have valid credentials, you can use the following…
Enumerating HTTP Ports (80, 443, 8080, etc.)
When enumerating, we want to be able to identify the software/versions that are fulfilling the following roles. This document intends to serve as a guide for hunting for the answers. Web Application – WordPress, CMS, Drupal, etc.; Web Technologies – Node.js, PHP, Java, etc.; Web Server – Apache, IIS, Nginx, etc.; Database – MySQL, MariaDB, PostgreSQL, etc.; OS -…
Enumerating SMB, RPC, and NetBIOS for Pentesting (Ports 445, 135-139)
This post contains various commands and methods for performing enumeration of the SMB, RPC, and NetBIOS services. This article will be expanded upon as time goes on. Using NMAP. Scan for popular RCE exploits: sudo nmap -p 139,445 --script smb-vuln* <ip-addr> -oA nmap/smb-vuln. Identify the SMB/OS version: nmap -v -p 139,445 --script=smb-os-discovery.nse <ip-addr>. Enumerate users once…