My extended cheatsheet is CHEATSHEET.md.
Here is my general workflow:
- Scan host with nmap.
- Poke at each service you find for 20 mins tops.
- Use service-specific enumeration techniques from the CHEETSHEET.
- Gain initial access with whatever exploit you can find.
- Get a stable interactive shell.
- Perform OS-specific enumeration once on box with user-level access, looking for privesc vectors.
- Take notes of possible privesc vectors. Only try each one for 20 mins max before going round-robin to next.
- Perform OS- or service-specific privesc to get root!
- If box is part of network (e.g. Active Directory), gather useful data (creds) to help pivot.
These are some commands I use all the time:
# Prefer rustscan for speed, but sometimes too fast and ports not detected sudo rustscan --ulimit 5000 -a $VICTIM_IP -- -v -n -Pn --script "default,safe,vuln" -sV -oA tcp-all # nmap scripts are located at: /usr/share/nmap/scripts # Use ls, grep, etc. to find useful stuff. # Also check the script-help nmap --script-help="nfs-*"- Check service versions with
searchsploit - Read ALL output!
- Don't forget UDP!
- (advanced) Don't forget IPv6
# check what technologies a website is using whatweb -v -a3 http://10.10.10.123 | tee whatweb.log # scan for web directories ulimit -n 8192 # prevent file access error during scanning gobuster dir -ezqrkw /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -x "html,htm,txt,sh,php,cgi" -o gobust.log -u http://10.10.10.123 - Check out
robots.txtandsitemap.xml(should be in nmap output) - Examine SSL certs for emails & domains
- Look for software versions (help/about pages?), check in
searchsploit - View source, look for link directories and juicy comments
- Try default creds for login portals
- Try SQLi in all form fields and URL query params
- Try LFI/RFI in URL query params
- Try command injection in form fields
- Try NoSQL injection in form fields
Attacking common web frameworks:
# Wordpress sites: wpscan --update --url http://$VICTIM_IP/ | tee wpscan.log # see cheatsheet for agressive scan# general enumeration scan. Also try with usernames: guest, administrator # add: -u guest enum4linux -aMld 10.10.10.123 | tee enum4linux.log # list available shares smbmap -H $VICTIM_IP # try with '-u guest' if getting "[!] Authentication error" # recursively list directory contents smbmap -R -H $VICTIM_IP # tar entire smb share locally smbclient //10.10.10.123/SHARENAME -N -Tc smbfiles.tar # interactive SMB session without creds smbclient -N //$VICTIM_IP/SHARENAME # or with creds smbclient '\\TARGET_IP\dirname' -W DOMAIN -U username > help # view available commands # ls, cd, get, put # recursively get all files: > recurse on > prompt off > mget *# basic SA env uname -a cat /etc/*release ip a netstat -untap ps -ef wwf sudo -l cat /etc/passwd cat /etc/crontab # find world-writable files find / -mount -type f -perm -o+w 2>/dev/null- Look for plaintext credentials in config files, web source, shell history
- Download and run
linpeas.shon the host