🔢Enumeration Cheatsheet

General Enumeration:

```
nmap -vv -Pn -A -sC -sS -T 4 -p- 10.0.0.1
```
- Verbose, syn, all ports, all scripts, no ping
```
nmap -v -sS -A -T4 x.x.x.x
```
- Verbose, SYN Stealth, Version info, and scripts against services.
```
nmap –script smb-check-vulns.nse –script-args=unsafe=1 -p445 [host]
```
- Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover
```
netdiscover -r 192.168.1.0/24
```

FTP Enumeration (21):

nmap –script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1

SSH (22):

```
ssh INSERTIPADDRESS 22
```

SMTP Enumeration (25):

nmap –script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1

```
nc -nvv INSERTIPADDRESS 25
```
```
telnet INSERTIPADDRESS 25
```

Finger Enumeration (79):

Download script and run it with a wordlist: http://pentestmonkey.net/tools/user-enumeration/finger-user-enum

Web Enumeration (80/443):

dirbuster (GUI)
```
dirb http://10.0.0.1/
```
```
nikto –h 10.0.0.1
```

Pop3 (110):

```
telnet INSERTIPADDRESS 110
```
```
USER [username]
```
```
PASS [password]
```
- To login
```
LIST
```
- To list messages
```
RETR [message number]
```
- Retrieve message
```
QUIT
```
- quits

RPCBind (111):

```
rpcinfo –p x.x.x.x
```

SMB\RPC Enumeration (139/445):

```
enum4linux –a 10.0.0.1
```
nbtscan x.x.x.x
- Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
```
py 192.168.XXX.XXX 500 50000 dict.txt
```

python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX

nmap IPADDR --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse

```
smbclient -L //INSERTIPADDRESS/
```
- List open shares

smbclient //INSERTIPADDRESS/ipc$ -U john

SNMP Enumeration (161):

```
snmpwalk -c public -v1 10.0.0.0
```
```
snmpcheck -t 192.168.1.X -c public
```
```
onesixtyone -c names -i hosts
```

nmap -sT -p 161 192.168.X.X -oG snmp_results.txt

```
snmpenum -t 192.168.1.X
```

Oracle (1521):

```
tnscmd10g version -h INSERTIPADDRESS
```
```
tnscmd10g status -h INSERTIPADDRESS
```

Mysql Enumeration (3306):

nmap -sV -Pn -vv  10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122

DNS Zone Transfers:

nslookup -> set type=any -> ls -d blah.com

```
dig axfr blah.com @ns1.blah.com
```
- This one works the best in my experience

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

Mounting File Share

```
showmount -e IPADDR
```
```
mount 192.168.1.1:/vol/share /mnt/nfs  -nolock
```
- mounts the share to /mnt/nfs without locking it
```
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
```
- Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)

net use Z: \\win-server\share password  /user:domain\janedoe /savecred /p:no

Mount a Windows share on Windows from the command line

```
apt-get install smb4k –y
```
- Install smb4k on Kali, useful Linux GUI for browsing SMB shares

Fingerprinting: Basic versioning / finger printing via displayed banner

```
nc -v 192.168.1.1 25
```
```
telnet 192.168.1.1 25
```

Exploit Research

```
searchsploit windows 2003 | grep -i local
```
- Search exploit-db for exploit, in this example windows 2003 + local esc

Compiling Exploits

```
gcc -o exploit exploit.c
```
- Compile C code, add –m32 after ‘gcc’ for compiling 32 bit code on 64 bit Linux

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

Compile windows .exe on Linux

Packet Inspection:

```
tcpdump tcp port 80 -w output.pcap -i eth0
```
- tcpdump for port 80 on interface eth0, outputs to output.pcap

PreviousRecon Cheatsheet NextShells and Reverse Shells Cheat Sheet

Last updated 1 year ago

Was this helpful?