Enumeration

Amass

amass enum -d [domain] > amass.txt

Assetfinder

assetfinder [domain] | grep [domain] > subdomains.txt

DNS

dnsenum --dnsserver [target ip] --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt [TLD domain]
dnsrecon -r [range] -n [dns host ip] -d [domain]
  • range should be the network, so something like 127.0.0.0/24 when on the same network

  • -d is not really useful here but it is a required flag - can fill it with garbage


HTTProbe

cat hosts.txt | httprobe

This will check ports 80 and 443. If we want to narrow this down to only SSL, we can add the following parameters to httprobe:

cat hosts.txt | httprobe -s -p https:443

Nmap

  • network scan

  • using list of hosts

    • -iL [host list]

  • -sT is the most stealthy scan, as it uses the entire TCP handshake to check ports

  • -sA to bypass many IPS and IDS

  • -Pn disable ping

  • -sU UDP scan

  • -p- scan all ports (not just top 1000)

  • -n disable DNS resolution

  • --disable-arp-ping disable ARP ping, good for investigating further

  • --packet-trace get more info on send and recv

  • --reason get more info on the port state

  • -D decoy - nmap sends extra probes with random decoy IPs as the source address in the IP header, so the real scanner is mixed in with the decoys

  • --source-port specify a source port, often 53 so the traffic looks like DNS to port-based filters

    • can also specify this in netcat when connecting to a port
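From the other side of the wire, the two evasion flags above (--source-port 53 and -D decoys) leave patterns a defender can look for. The following is an added example, not part of the original notes: a small detector run over a constructed firewall log (the log format, the IP addresses and the thresholds are all assumptions made up for this example, not any vendor's format). It flags TCP SYNs arriving from source port 53 to non-DNS services, and bursts of SYNs from many distinct sources to one destination within a short window, which is what a decoy scan looks like from the target.

```python
"""Detect two nmap evasion patterns in firewall logs (added example).

  1. --source-port 53: a TCP SYN whose *source* port is 53 but whose destination
     is an ordinary service port. Real DNS replies are not bare SYNs.
  2. -D decoys: many distinct source IPs sending SYNs to the same destination in
     a short window; the real scanner is one of them, so alert on the burst.

Log format is constructed for this example (not a real vendor format):
  <epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>
"""
from collections import defaultdict

# Constructed sample log: a source-port-53 probe of 22 and 445, a legitimate
# UDP DNS reply, normal web traffic, a six-source decoy burst against 443,
# and one straggler outside the window.
SAMPLE_LOG = """\
1700000000 TCP 203.0.113.10:53 -> 192.0.2.5:22 S
1700000000 TCP 203.0.113.10:53 -> 192.0.2.5:445 S
1700000001 UDP 198.51.100.7:53 -> 192.0.2.5:51234 -
1700000002 TCP 192.0.2.8:44123 -> 192.0.2.5:80 S
1700000003 TCP 203.0.113.21:40001 -> 192.0.2.5:443 S
1700000003 TCP 203.0.113.22:40002 -> 192.0.2.5:443 S
1700000003 TCP 203.0.113.23:40003 -> 192.0.2.5:443 S
1700000004 TCP 203.0.113.24:40004 -> 192.0.2.5:443 S
1700000004 TCP 203.0.113.25:40005 -> 192.0.2.5:443 S
1700000004 TCP 203.0.113.26:40006 -> 192.0.2.5:443 S
1700000050 TCP 203.0.113.27:40007 -> 192.0.2.5:443 S
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, proto, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "flags": flags}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_source_port_53(events):
    """Return (src_ip, dst_ip, dst_port) for bare TCP SYNs sourced from port 53
    towards a port other than 53. A port-based allow rule for DNS lets these
    through; a stateful rule would not, because no request preceded them."""
    hits = []
    for e in events:
        if (e["proto"] == "TCP" and e["src_port"] == 53
                and e["dst_port"] != 53 and e["flags"] == "S"):
            hits.append((e["src_ip"], e["dst_ip"], e["dst_port"]))
    return hits


def find_syn_bursts(events, window=5, min_sources=5):
    """Return (dst_ip, dst_port, distinct_sources) for destinations that saw
    SYNs from at least `min_sources` distinct IPs inside any `window`-second span.
    Thresholds are constructed defaults; tune them to the environment."""
    by_dst = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["flags"] == "S":
            by_dst[(e["dst_ip"], e["dst_port"])].append((e["ts"], e["src_ip"]))

    alerts = []
    for (dst_ip, dst_port), syns in by_dst.items():
        syns.sort()
        # Slide a window starting at each SYN; one alert per destination is enough.
        for i, (t0, _) in enumerate(syns):
            sources = {ip for t, ip in syns[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                alerts.append((dst_ip, dst_port, len(sources)))
                break
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in find_source_port_53(events):
        print("source-port-53 SYN:", hit)
    for alert in find_syn_bursts(events):
        print("SYN burst (possible decoy scan):", alert)
```

The burst detector cannot tell the real scanner from the decoys; that is the point of -D, so the alert names the destination and the count of sources rather than guessing a culprit. The source-port check shows why a stateful firewall beats a port-based allow rule: it only admits port-53 traffic that answers a request.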


NFS

  • list mounts:

    • showmount -e [ip]

  • mount share:

    • mount -t nfs -o nolock [ip]:[share] /mnt


SMB

SMB shares can be enumerated in many ways

  • can add directory recursion with -r --depth [num]

  • can pass the hash with -p (password or hash)


SMTP


SNMP


SSL Certs

  • crt.sh to get cert information (goes down often)

  • Pipe the output through grep, cut and awk to extract the unique domain names

  • Example: find all dev subdomains on facebook.com:
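The same extraction, done as an added example rather than the notes' own pipeline, and from the owner's side: an inventory of hostnames that appear in certificate-transparency records for a domain, which is how a defender spots certificates issued for hosts nobody remembers. The record shape (a list of objects with a newline-separated name_value field) is assumed to match crt.sh's JSON output; the records below are constructed for the example, not a real query. It also shows the pitfall of a plain grep [domain] match, which the Assetfinder section above relies on: devnotexample.com contains the string but is not under the domain.

```python
"""Subdomain inventory from certificate-transparency records (added example).

Assumes crt.sh-style JSON: a list of objects whose 'name_value' holds one or
more hostnames separated by newlines. Sample data is constructed."""
import json
import re

# Constructed records: mixed case, a wildcard, multi-name entries and a
# look-alike domain that a naive substring grep would wrongly keep.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "dev.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "api-dev.example.com\napi.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "DEV.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "devnotexample.com"},
])


def extract_names(raw_json, domain):
    """Return the sorted unique hostnames that are `domain` or lie under it.

    Equivalent to the grep/cut/awk pipeline: split multi-name entries, drop
    wildcard prefixes, lowercase, de-duplicate, and match on the label
    boundary ('.' + domain) rather than on a bare substring."""
    domain = domain.lower()
    names = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().lstrip("*.")   # '*.dev.example.com' -> 'dev.example.com'
            if name and (name == domain or name.endswith("." + domain)):
                names.add(name)
    return sorted(names)


def filter_subdomains(names, pattern):
    """Keep names that have at least one DNS label matching the regex,
    e.g. pattern 'dev' keeps dev.example.com and api-dev.example.com."""
    rx = re.compile(pattern)
    return [n for n in names if any(rx.search(label) for label in n.split("."))]


def new_since(previous, current):
    """Hostnames in the current inventory that an earlier run did not have:
    candidates for a certificate issued outside the normal process, or a
    forgotten host that still has a live certificate."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    names = extract_names(SAMPLE_CRTSH_JSON, "example.com")
    print("all names:", names)
    print("dev names:", filter_subdomains(names, "dev"))
    print("new since last inventory:", new_since(["example.com", "api.example.com"], names))
```

Run the script against a saved JSON response instead of the constructed sample, and diff each run against the previous inventory with new_since; names that appear without a change ticket are the ones worth investigating.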
