- Can you ping the target?
- Is your VPN still connected?
- Start the scans: what is open?
- Use `autorecon 10.10.10.10 -v`
- Once completed, rescan all ports with service detection: `nmap -sS -sV -sC 10.10.10.10 | tee nmap_output.txt`
- Consider running some targeted scripts against the services found, e.g. `nmap --script "http*" 10.10.10.10 -p 8080 -vv | tee nmap_http_scripts.txt`
- Identify the ports and services running.
- Go to: `/web/web-servers.md`
- Find out the CMS type and version --> check `exploitdb`
- Look for usernames
- Run `nikto`, `gobuster` --> try to map out the website. Is there a `robots.txt` file?
- Default credentials:
  - `admin:admin`
  - `administrator:administrator`
  - `admin:administrator`
  - `admin:password`
  - `administrator:password`
  - `admin:admin123`
  - `admin:root123`
  - `admin:password1`
  - `admin:administrator1`
  - `admin:changeme1`
  - `admin:password123`
  - `admin:qwerty123`
  - `admin:administrator123`
  - `admin:changeme123`
- The best one for Linux and Windows: `/shells/web-shells/php-reverse-shell/src/php_reverse_shell.php`
- Try the `anonymous` login method
- If you can get a username from another port, try `hydra`
- Make sure to connect to it as the `root` user from your local box
- Remember the difference between Active and Passive mode
- Be on the lookout for LFI on a web server --> private keys
- Think about Hydra if you can find a username
- `/recon-enumeration/recon-enumeration.md`
- Check for shares that are accessible: `/recon-enumeration/recon-enumeration.md` --> SMB Enumeration section
- Use `smbmap`, `nmap --script`, `enum4linux`, `smbclient`, `rpcclient`
- Check all `enum4linux` output, especially toward the bottom, for potential usernames
- Can be brute forced with `medusa`, and `nmap --script "smb-brute"`
- `/recon-enumeration/recon-enumeration.md` --> Redis section
- `/recon-enumeration/recon-enumeration.md` --> Rsync section
- `/windows-priv-esc/win-priv-esc.md`
- Set up a secondary shell with `msfvenom` and `multi/handler`
- Check for hidden files as well
- Can you enable RDP and use `xfreerdp` to mount your Kali share to the target?
- `/lin-priv-esc/lin-priv-esc.md`
- Set up a secondary shell with `msfvenom` and `multi/handler`
- Always stabilize your shells!
- Get `lse.sh` and `linpeas.sh` on the box and in `/dev/shm`: `/lin-priv-esc/priv-esc-scripts/`