enumeration and methodology

I'll start by sharing the method I use when I start a new box; feel free to add your own method.
nmap IP
nmap -sS -v -A IP
uniscan -u IP -qweds
nikto -host IP
dirb IP

I prefer dirbuster (yes, I know, GUI) but I feel it works better for me than dirb does.

YES, dirbuster is faster.

nmap -sC -sV -oA filename IP
nmap -sU -p1-1000 IP >> filename
dirbuster
nikto -h IP

nmap -sC -sS -sV -F IP <-- for a quick start to my penetration test
nmap -sV -p- IP

It's fun to find new command examples, but I don't see normal OS tools very often. There are some real gems out there if you go looking. These are my favorite methods for saving command results; they've saved me a lot of time and hassle.

tee reads from stdin and writes to stdout and a file, so all the output of your command shows up in your terminal as normal, but it’s also logged to a file. Just add “| tee filename” to your command to save the output to a file so you can reference it later.
e.g. nmap -sS -A --top-ports 1000 target.ip | tee nmap.txt
I never run an nmap without it. :wink:

script is also a lifesaver. It works like its own shell, but writes all output to a script file. This is great for logging a reverse shell locally. It doesn't just save text output, formatting is also preserved. To make it easier I have this in my .bashrc:

logme () {
    # name the log after the epoch time and this shell's PID
    export SCRIPTFILE="$(date +%s)-${$}"
    # ~ does not expand inside double quotes, so build the path from $HOME
    mkdir -p "$HOME/scripts"
    echo "Starting tty logging to ~/scripts/${SCRIPTFILE}..."
    script -c /bin/bash -q "$HOME/scripts/${SCRIPTFILE}"
}
scriptfile () { echo "${SCRIPTFILE}"; }

When I’m about to do something that I want to keep all the details of, I just type logme in my terminal and I’m good to go. Everything that happens in the terminal is saved to the script file. I can run scriptfile to see what file I’m using in the current terminal in case I have multiple scripts running at once. When you’re done, you can just cat your script file to replay all the output from your terminal whenever you need it.

Happy hacking…
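Building on the tee idea above, here is an added example (my own, not code from the post) that wraps any command so its stdout and stderr are shown live and also appended to a timestamped log that records the exact command line. LOGDIR, log_name, run_logged and LAST_LOG are assumed names.

```shell
#!/bin/sh
# Added example (not from the post): a tee-based wrapper so every scan is logged
# without remembering "| tee". LOGDIR, log_name, run_logged and LAST_LOG are assumed names.
LOGDIR="${LOGDIR:-$HOME/scans}"

log_name() {
  # "<epoch>-<pid>-<command>.log"; anything outside [A-Za-z0-9._-] in the command
  # name becomes "_", so "nmap -sS" yields "...-nmap_-sS.log" and never a path.
  printf '%s-%s-%s.log' "$(date +%s)" "$$" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')"
}

run_logged() {
  # Run the command, stream its output to the terminal as usual, and append both
  # stdout and stderr to a fresh log that starts with the exact command line.
  mkdir -p "$LOGDIR" || return 1
  LAST_LOG="$LOGDIR/$(log_name "$1")"
  printf '# %s\n# started %s\n' "$*" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$LAST_LOG"
  "$@" 2>&1 | tee -a "$LAST_LOG"
  # note: the pipeline's status is tee's, not the command's (use "set -o pipefail" in bash)
}

# Usage: run_logged nmap -sS -A --top-ports 1000 target.ip
```

Run it with `LOGDIR=/some/dir run_logged <command>` to keep logs per engagement; `cat "$LAST_LOG"` replays the last capture.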

Thanks for the tips everyone. I do have a question though when it comes to all the different enumeration tools: what do you see as the benefit of running (for example) nikto and uniscan and dirb all against the same host?

I get that the idea is to get as much info as possible, but what are the key differences between them that make them each valuable in their own right?

@rgon91 the three tools you mention are used for different purposes… Each one is better depending on what you are looking for… With the default configuration, for example, with nikto you find server vulns, misconfigurations and some interesting dirs, but with dirb or dirbuster you will find many more dirs and files.

Just to add in here for web host scanning, you should also check for Virtual Hosts. This is typically done by using Burp Repeater and manipulating the header of the request (see Ippsec's video on Bank for an example). Although this is effective in a CTF scenario, it doesn't cross over into the field very well, where Virtual Hosts will rarely match the machine name that the header is being served from. This is why I built VHostScan (GitHub: codingo/VHostScan), a virtual host scanner that performs reverse lookups, can be used with pivot tools, detects catch-all scenarios, and works around wildcards, aliases and dynamic default pages.

You can quickly test for virtual hosts against a HackTheBox machine using:

python VHostScan.py -t <ip> -w ./wordlists/hackthebox.txt -oN /tmp/vhostcheck.txt

Alternatively, if you were using this against a bug bounty host or a machine in the field you could do:

python VHostScan.py -t <ip> --ssl -oN /tmp/vhostcheck.txt

This will enforce the default wordlist. DNS lookups are automatically appended to the wordlist being used with your scan as well.

If you're generating wordlists on the fly you can also do:

cat newwordlist.txt | python VHostScan.py -t <ip> -

@cdf123 said:
script is also a lifesaver. It works like its own shell, but writes all output to a script file. This is great for logging a reverse shell locally. It doesn't just save text output, formatting is also preserved. To make it easier I have this in my .bashrc:

logme () {
    # name the log after the epoch time and this shell's PID
    export SCRIPTFILE="$(date +%s)-${$}"
    # ~ does not expand inside double quotes, so build the path from $HOME
    mkdir -p "$HOME/scripts"
    echo "Starting tty logging to ~/scripts/${SCRIPTFILE}..."
    script -c /bin/bash -q "$HOME/scripts/${SCRIPTFILE}"
}
scriptfile () { echo "${SCRIPTFILE}"; }

Is that code written as straight bash script or a C based language? I’ve gotten scrambled from my classes and feel pretty stupid. lol

Those are bash functions, I'm just using a stricter syntax for them. Bash treats "$var" and "${var}" the same; the difference is that "${var}text" works, whereas "$vartext" is a different variable.

Thank you! I’m still new to bash scripting and only would consider myself slightly proficient with python so far. Most of my coding experience is self taught and necessity based.

nmap -sT -p0- --min-rate 1000 --max-retries 2 -Pn -iL iplist -oA TCPFullPort
nmap -sU -F --min-rate 1000 -n -Pn --max-retries 2 -iL iplist -oA UDPFast
Nessus Professional - Advanced Scan with a Full Port Scan, SSL/TLS Checking on all ports, ping remote host disabled.

There's a number of timing options I also tweak. Usually I aim to at least get a UDP Fast conducted; depending on the network, a --top-ports=1000 for TCP scans is usually enough to get started while awaiting the completion of a full port scan. It's the same for conducting a service scan: service scans, DNS resolution, etc. all add time to scanning.

Improvise, Adapt, Overcome when it comes to scanning, and pretty much all aspects of pentesting.

Web App Stuff:
I use Burp Pro, and the majority of the time I use the content discovery tool within. It can be slow, but I find it the best at discovering content and directories. I also use a mixture of dirb and uniscan.

I use Nikto every so often, however it produces a lot of false positives. When conducting a web app test, I use tools that cater to the technologies used, e.g. testssl, wpscan.

I have a number of Burp Pro plugins, that also aid with testing.

I can also highly recommend that one downloads SecLists from GitHub; the vectors available are extremely useful, such as polyglots.

Oh, props to cdf123 for mentioning | tee, although I don’t tee my nmap output :wink: but everything else is gold.

For anyone who can't afford the pro version of Nessus, I've been using OpenVAS (see the Kali Linux blog post "OpenVAS 8.0 Vulnerability Scanning"):
apt-get install openvas
openvas-setup
This will take AGES to install, but it’s really good!

I also found a good resource of lots of privilege escalation scripts here for Windows, Linux and MAC

Just a few I have come up with over the years. If it's a range you want to scan:

nmap -sn -n -oG - x.x.x.0/24 | awk '/Up/{print $2}' > list.txt && nmap -v -A -Pn -n -iL list.txt > list_scan.txt

If it's just an IP you want to scan:

nmap -v -A -Pn -n x.x.x.x > file

I always tend to output to a file.

I have seen a lot of you are using nmap, but why does no one use the -oA parameter to output the result?
Is there something different with your method?

Because, with the -oA parameter, you can have different formats of output files. In my case I use .nmap and .xml (the latter converted to HTML). Maybe I'm "wrong" by doing it this way, or maybe there is something I don't understand.

I often use the vulners script with nmap.

nmap ip
nmap -p- ip
nmap -sC -sV -A -p (ports) ip
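The range-scan pipeline earlier in the thread and the two-phase method just above (full port sweep, then -sC -sV on the discovered ports) both lean on nmap's grepable output. Here is an added example (mine, not from any post) that parses a constructed -oG sample and emits the second-phase commands per host, keeping only ports whose state is exactly "open"; sample_gnmap, open_ports_gnmap and targeted_scan_cmds are assumed names.

```shell
#!/bin/sh
# Added example (not from the thread): turn the grepable output of a full-port
# sweep into the targeted "nmap -sC -sV -p (ports) ip" follow-ups.
# sample_gnmap, open_ports_gnmap and targeted_scan_cmds are assumed names.

sample_gnmap() {
  # Constructed stand-in for "nmap -p- -oG - <range>" output; fields are tab-separated.
  printf '%s\n' '# Nmap scan initiated (constructed sample) as: nmap -p- -oG - 10.10.10.0/24'
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
  printf 'Host: 10.10.10.6 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.6 ()\tPorts: 445/open/tcp//microsoft-ds///, 137/open|filtered/udp//netbios-ns///\tIgnored State: closed (65534)\n'
  printf '%s\n' '# Nmap done (constructed sample)'
}

open_ports_gnmap() {
  # stdin: -oG output. stdout: "<host> <-p spec>" with only ports whose state is exactly "open".
  awk -F'\t' '
    /^Host:/ && /\tPorts:/ {
      split($1, h, " "); host = h[2]
      portfield = ""
      for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) portfield = substr($i, 8)
      n = split(portfield, entry, ", ")
      spec = ""
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")            # port/state/proto/owner/service/rpc/version
        if (f[2] != "open") continue       # drops closed, filtered and open|filtered
        proto = (f[3] == "udp") ? "U:" : "T:"
        spec = spec (spec == "" ? "" : ",") proto f[1]
      }
      if (spec != "") print host, spec
    }'
}

targeted_scan_cmds() {
  # stdin: -oG output. stdout: one second-phase nmap command per host, saved with -oA.
  open_ports_gnmap | while read -r host spec; do
    printf 'nmap -sC -sV -p %s -oA scan_%s %s\n' "$spec" "$host" "$host"
  done
}

sample_gnmap | targeted_scan_cmds
```

On a real sweep, feed the .gnmap file from -oA to targeted_scan_cmds and pipe the result into sh once you have reviewed it.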

@1nitiative said:
I have seen a lot of you are using nmap, but why does no one use the -oA parameter to output the result?
Is there something different with your method?

Because, with the -oA parameter, you can have different formats of output files. In my case I use .nmap and .xml (the latter converted to HTML). Maybe I'm "wrong" by doing it this way, or maybe there is something I don't understand.

@ippsec is using the same parameter, but I think just -N or | tee as @cdf123 wrote is enough for a single machine discovery. As I said, if you are pentesting a real network with tons of machines, XML output from nmap will be valuable.