Table of contents [Show]
SMB Enumeration
SMB NMAP Scripts:
SMB Protocols
nmap -p 445 --script smb-protocols 10.10.10.10
//Enumerates the supported SMB protocols on the target.
SMB OS Discovery
nmap -p 445 --script smb-os-discovery 10.10.10.10
//Discovers the operating system on the SMB server.
SMB Security Mode
nmap -p 445 --script smb-security-mode 10.10.10.10
//Identifies the security mode employed by the SMB server.
SMB Enumerate Sessions
nmap -p 445 --script smb-enum-sessions 10.10.10.10
//Lists active SMB sessions on the server.
SMB Enumerate Sessions with Credentials
nmap -p 445 --script smb-enum-sessions --script-args smbusername=adminstartor,smbpassword=smbserver_771 10.10.10.10
//Enumerates sessions with specified credentials.
SMB Enumerate Shares
nmap -p 445 --script smb-enum-shares 10.10.10.10
//Lists available SMB shares on the server.
SMB Enumerate Shares with Credentials
nmap -p 445 --script smb-enum-shares --script-args smbusername=adminstartor,smbpassword=smbserver_771 10.10.10.10
//Enumerates shares with specified credentials.
SMB Enumerate Users with Credentials
nmap -p 445 --script smb-enum-users --script-args smbusername=adminstartor,smbpassword=smbserver_771 10.10.10.10 //Enumerates users with specified credentials.
SMB Server Statistics with Credentials
nmap -p 445 --script smb-server-stats --script-args smbusername=adminstartor,smbpassword=smbserver_771 10.10.10.10
//Retrieves statistics from the SMB server with specified credentials.
SMB Enumerate Domains with Credentials
nmap -p 445 --script smb-enum-domains --script-args smbusername=adminstartor,smbpassword=smbserver_771 10.10.10.10
//Enumerates domains with specified credentials.
SMB Samba:
msfconsole
[MODULE]> use auxiliary/scanner/smb/smb_version
//Uses Metasploit to gather the SMB version information.
msfconsole
[MODULE]> auxiliary/scanner/smb/smb2
//Uses Metasploit to check for SMB2 support.
Nmblookup - SMB Version
nmblookup -A 10.10.10.10
//Uses Nmblookup to obtain the SMB version information.
Smbclient - SMB Information
smbclient -L 10.10.10.10 -N
//Lists available SMB shares on the server using Smbclient.
Rpcclient - Connect to SMB Server
rpcclient -U "" -N 10.10.10.10
[rpcclient$]> srvinfo
[rpcclient$]> enumdomusers
[rpcclient$]> lookupnames admin
//Connects to the SMB server using Rpcclient and performs various actions.
Enum4Linux - SMB OS Info
enum4linux -o 10.10.10.10
//Gathers operating system information from the SMB server using Enum4Linux.
Enum4Linux - SMB Users
enum4linux -U 10.10.10.10
//Enumerates users on the SMB server using Enum4Linux.
FTP Enumeration
FTP Service Scan
nmap -p 21 -sV
//Performs a quick scan to check if the FTP port (21) is open on the target.
FTP Dictionary Attack
Hydra FTP Brute Force
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/wordlists/rockyou.txt 10.10.10.10 ftp
//Conducts a dictionary attack on the FTP server using Hydra.
Nmap FTP Brute Force
nmap 10.10.10.10 --script=ftp-brute --script-args userdb=/root/users -p 21
//Performs FTP brute force using Nmap.
FTP Anonymous Login
nmap -p 21 -sV --script-ftp-anon
//Checks if anonymous login is allowed on the FTP server.ftp 10.10.10.10
[ftp]> user: anonymous
[ftp]> pass:
Successful login with anonymous credentials.
SSH Enumeration
Quick Service & OS Scan
nmap 10.10.10.10 -p 22 -sV -O
//Performs a quick scan to check the SSH service and identify the operating system.
SSH NMAP Scripts
SSH Algorithms Enumeration
nmap 10.10.10.10 -p 22 --script ssh2-enum-algos
//Enumerates all SSH algorithms supported by the server.
SSH Host Key Retrieval
nmap 10.10.10.10 -p 22 --script ssh-hostkey --script-args ssh_hostkey=full
//Retrieves the SSH host key.
SSH Authentication Methods
nmap 10.10.10.10 -p 22 --script ssh-auth-methods --script-args="ssh.user=Jack"
//Identifies supported SSH authentication methods.
SSH Dictionary Attack
Hydra SSH Brute Force
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 ssh
//Conducts a dictionary attack on the SSH server using Hydra.
Nmap SSH Brute Force:
echo "administrator" > user
nmap 10.10.10.10 -p 22 --script ssh-brute --scrip-args userdb=/root/user
//Performs SSH brute force using Nmap.
msfconsole
[MODULE]> auxiliary/scanner/ssh/ssh-login
HTTP Enumeration
HTTP Service Scan
Quick Service & OS Scan
nmap 10.10.10.10 -p 80 -sV -O
//Performs a quick scan to check the HTTP service and identify the operating system.
Web App Scanning Tools
WhatWeb
whatweb 10.10.10.10
//Utilizes WhatWeb to identify vulnerabilities in the web application.
HTTP
http 10.10.10.10
//Performs an HTTP request to gather information about the web server.
Dirb
dirb http://10.10.10.10
//Uses Dirb to discover common directories and files on the web server.
HTTP IIS NMAP Scripts
HTTP Enumeration
nmap 10.10.10.10 -p 80 -sV --script http-enum
//Executes Nmap scripts to enumerate information about the HTTP service.
HTTP Headers Enumeration
nmap 10.10.10.10 -p 80 -sV --script http-headers
//Retrieves detailed HTTP headers from the web server.
HTTP Methods Enumeration
nmap 10.10.10.10 -p 80 -sV --script http-methods --script-args http-method.url-path=/webdav/
//Identifies supported HTTP methods, with an additional check for the '/webdav/' path.
HTTP Apache Recon
Brute Force Directories
[MODULE]> auxiliary/scanner/http/brute_dirs
//Uses Metasploit to brute force directories on the Apache web server.
HTTP Version Detection
[MODULE]> auxiliary/scanner/http/http_v
//Identifies the version of the HTTP service using Metasploit.
Robots.txt Enumeration
[MODULE]> auxiliary/scanner/http/robots_txt
//Scans for the existence of robots.txt using Metasploit.
SQL Enumeration
Quick Service & OS Scan
nmap 10.10.10.10 -p 3306 -sV -O
//Conducts a quick scan to check the SQL service and identify the operating system.
MySQL Nmap Scripts
nmap 10.10.10.10 -p 3306 --script=mysql-empty-password
//Checks if the MySQL server allows login with an empty password.
MySQL Information Gathering
nmap 10.10.10.10 -p 3306 --script=mysql_info
//Retrieves detailed information about the MySQL service.
MySQL User Enumeration
nmap 10.10.10.10 -p p 3306 --script=mysql-users --script-args="mysqluser='root', mysqlpass=''"
//Enumerates MySQL users on the server.
MySQL Database Enumeration
nmap 10.10.10.10 -p p 3306 --script=mysql-databases --script-args="mysqluser='root', mysqlpass=''"
//Lists the databases present on the MySQL server.
MySQL Audit
nmap 10.10.10.10 -p p 3306 --script=mysql-audit --script-args="mysql-audit.username='root', mysql-audit.password='', mysql-audit.filename='/usr/share/nmap/uselib/data/mysql-cis.audit'
//Performs an audit on MySQL for security compliance.
MySQL Query Execution
nmap 10.10.10.10 -p p 3306 --script=mysql-query --script-args="mysqluser='root', mysqlpass='', query='select count(*) from books.authors;'"
//Executes a specific query on the MySQL server.MySQL Login:
mysql -h 10.10.10.10 -u root
//Logs into the MySQL server using the 'root' user.
MySQL Dictionary Attack
[MODULE]> auxiliary/scanner/mysql/mysql_login
//Performs a dictionary attack on the MySQL server using Metasploit.
Hydra
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 10.10.10.10 MySQL
MSSQL Nmap Scripts
MSSQL Information Gathering
nmap 10.10.10.10 -p 1433 --script ms-sql-info
//Gathers information about the MSSQL service.
MSSQL NTLM Information
nmap 10.10.10.10 -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433
//Retrieves NTLM information from the MSSQL server.
MSSQL Brute Force
nmap 10.10.10.10 -p 1433 --script ms-sql-brute --script-args userdb=/usr/share/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt
//Performs a brute force attack on the MSSQL server.
MSSQL Empty Password Check
nmap 10.10.10.10 -p 1433 --script ms-sql-empty-password
//Checks if the MSSQL server allows login with an empty password.
MSSQL Query Execution
nmap 10.10.10.10-p 1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=password,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt
//Executes a specific query on the MSSQL server and saves the output to a file.
MSSQL Dump Hashes
nmap 10.10.10.10-p 1433 --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=password
//Dumps password hashes from the MSSQL server.
MSSQL XP Command Shell
nmap 10.10.10.10-p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=password
//Executes an XP command shell on the MSSQL server.
MSSQL XP Command Shell with Specific Command
nmap 10.10.10.10 -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=password,ms-sql-xp-cmdshell.cmd='type C:\flag.txt'
//Executes a specific command using XP command shell on the MSSQL server.
MSSQL Login
[MODULE]> auxiliary/scanner/mssql/mssql_login
//Attempts to login to the MSSQL server using Metasploit.
MSSQL Enumeration
[MODULE]> auxiliary/admin/mssql/mssql_enum
//Enumerates information about the MSSQL server using Metasploit.
MSSQL Enumeration of SQL Logins
[MODULE]> auxiliary/admin/mssql/mssql_enum_sql_logins
//Enumerates SQL logins on the MSSQL server using Metasploit.
MSSQL Command Execution
[MODULE]> auxiliary/admin/mssql/mssql_exec
//Executes commands on the MSSQL server using Metasploit.
MSSQL Enumeration of Domain Accounts
[MODULE]> auxiliary/admin/mssql/mssql_enum_domain_accounts
//Enumerates domain accounts on the MSSQL server using Metasploit.
Conclusion
In conclusion, mastering the art of information gathering is fundamental in the realm of ethical hacking and penetration testing. This compilation of notes, crafted by Amr Elsagaei, serves as a valuable reference throughout the eLearnSecurity Junior Penetration Tester (eJPT) journey.
These insights into network mapping, service enumeration, and vulnerability assessment techniques equip aspiring security professionals with the skills needed to identify and address potential threats. It's important to approach ethical hacking with responsibility and ethical standards, ensuring the integrity of security testing.
As you progress through your eJPT certification, continually expanding your knowledge and staying abreast of emerging tools and methodologies will contribute to a successful and rewarding journey in the field of cybersecurity
Check out: System-Host Based Attacks | eJPT
Leave a comment
Your email address will not be published. Required fields are marked *
