https://book.hacktricks.xyz/pentesting/pentesting-ftp
- Fingerprint:
nc -nv <ip> 21- Anonymous Access:
ftp <ip>ftp> anonymousftp> pass- Browser Access:
ftp://anonymous:anonymous@10.10.10.98- Commands:
- Binary Mode:
binary- Upload File:
put <file>- Upload Multiple Files:
mput <file1> <file2>- Download File:
get <file>- Download Multiple Files:
mget <file1> <file2>mget *- Nmap Scripts:
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -p 21 <ip>- Config Files:
- ftpusers
- ftp.conf
- proftpd.conf
https://book.hacktricks.xyz/pentesting/pentesting-ssh
- Fingerprint:
nc -nv <ip> 22- Public SSH key scan:
ssh-keyscan -t rsa <IP> -p 22- Known bad keys: rapid7/ssh-badkeys
- Config Files:
- ssh_config
- sshd_config
- authorized_keys
- ssh_known_hosts
- .shosts
https://book.hacktricks.xyz/pentesting/pentesting-telnet
- Fingerprint:
telnet <ip>
https://book.hacktricks.xyz/pentesting/pentesting-smtp
- Fingerprint:
nc -nv <ip> 25- Commands:
- Username Exists:
VRFY <username>- Username Valid:
EXPN <username>- Nmap Scripts:
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 <ip>- User Bruteforce:
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t <ip>- Config Files:
- sendmail.cf
- submit.cf
https://book.hacktricks.xyz/pentesting/pentesting-dns
- Fingerprint:
nc -nv <ip> 53- Get Records (ns, mx, txt, cname):
host -t <record> <ip>nslookup <ip>dig axfr <domain> @<ip>
- Add domains found to host file (/etc/host)
- Config Files:
- host
- resolv.conf
https://book.hacktricks.xyz/pentesting/69-udp-tftp
- Fingerprint:
nc -nv <ip> 69- Commands:
- Binary Mode:
binary- Upload File:
put <file>- Upload Multiple Files:
put <file1> <file2>- Download File:
get <file>- Download Multiple Files:
get <file1> <file2>get *- Nmap Scripts:
nmap --script=tftp-enum.nse -p 69 <ip>- Run Command:
winexe -U <username> //<ip> "cmd.exe /c <command>" --system
https://book.hacktricks.xyz/pentesting/pentesting-finger
- Fingerprint:
nc -nv <ip> 79
Nmap Scripts:
nmap --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>'" -p 88 <ip>
https://book.hacktricks.xyz/pentesting/pentesting-web
- Fingerprint:
nc -nv <ip> 80/443- Directories:
nikto -host http(s)://<ip>:<port> (-ssl)dirsearch -w /path/to/wordlist -t 30 --full-url -e <extensions> -u http(s)://<ip>:<port>ffuf -w /path/to/wordlist -e <extensions> -u <target>/FUZZ- Subdomains/Vhosts:
- Subdomains:
curl -s -H "Host: nonexistent.<target>" http://<target> | wc -c&ffuf -w /path/to/subdomain/wordlist -u https://<target> -H "Host: FUZZ" -fs <previous output>- Vhosts:
curl -s -H "Host: nonexistent.<target>" http://<target> | wc -c&ffuf -w /path/to/vhost/wordlist -u https://<target> -H "Host: FUZZ.<target>" -fs <previous output>- SSL:
- Cert Info (get usernames/vhosts):
sslscan <ip>- Heartbleed:
nmap --script=ssl-heartbleed -p 443 <ip>- Check Input Validation (injection vectors):
- SQL:
' or 1=1 #- XSS:
<script>alert(‘XSS’)</script>- Path Traversal:
http://<url>/../..- Format String:
%n%x%s- Command Execution:
pwdmay need to escape first (‘ & ! ¦ < >)- Errors:
NULL- Check Page Source: hidden values, dev comments, data leakage, passwords, etc.
- Config Files: depends on server type, use info from fingerprint to research
- Log Files: depends on server type, use info from fingerprint to research
https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88 > https://book.hacktricks.xyz/windows/active-directory-methodology/kerberos-authentication
https://book.hacktricks.xyz/pentesting/pentesting-pop
- Fingerprint:
nc -nv <ip> 110- Commands:
- Login:
USER <username>PASS <password>- List Emails:
list- View Email:
retr <id>
https://book.hacktricks.xyz/pentesting/pentesting-rpcbind
- Get Info:
rpcinfo -p <ip>rpcclient -U "" <ip>
srvinfoenumdomusersenumdomgroupsgetdompwinfoquerydominfonetshareenumnetshareenumall
https://book.hacktricks.xyz/pentesting/135-pentesting-msrpc
- Nmap Scripts:
nmap --script=msrpc-enum -p 135 <ip>
https://book.hacktricks.xyz/pentesting/137-138-139-pentesting-netbios
https://book.hacktricks.xyz/pentesting/pentesting-smb
- Fingerprint:
nc -nv <ip> 139/445- List Shares:
smbclient -L \\\\<ip>- Get Shares:
smbclient \\\\<ip>\\\\<share>rpcclient -U " " 10.11.1.111- Null Sessions:
smbclient //<ip>/IPC$ -Nrpcclient -U "" -N <ip>(see rpcbind above for available commands)- Nmap Scripts:
nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 <ip>- SID Lookup: Impacket -
lookupsid.py <username>:<password>@<ip>- WinRM:
evil-winrm -i <ip> -u <username> -p <password>
https://book.hacktricks.xyz/pentesting/pentesting-snmp
- Get Info:
snmp-check <ip> -c <public|private|community>- Nmap Scripts:
nmap --script=snmp-netstat,snmp-processes -p 161,162 <ip>
https://book.hacktricks.xyz/pentesting/pentesting-264-check-point-firewall-1
https://book.hacktricks.xyz/pentesting/pentesting-ldap
ldapsearch -h <ip> -p 389 -x -b "dc=<domain>,dc=<tld>"ldapsearch -x -h <ip> -D '<DOMAIN>\<username>' -w '<password-hash>'ldapdomaindump <ip> -u '<DOMAIN>\<username>' -p '<password-hash>'
https://book.hacktricks.xyz/pentesting/ipsec-ike-vpn-pentesting
https://book.hacktricks.xyz/pentesting/515-pentesting-line-printer-daemon-lpd
https://book.hacktricks.xyz/pentesting/554-8554-pentesting-rtsp
https://book.hacktricks.xyz/pentesting/1026-pentesting-rusersd
https://book.hacktricks.xyz/pentesting/1099-pentesting-java-rmi
https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
- Nmap Scripts:
nmap --script=ms-sql-info.nse -p 1433 <ip>- Admin Login:
sqsh -S <ip> -U sa
https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener
https://book.hacktricks.xyz/pentesting/nfs-service-pentesting
- List Mounts:
showmount -e <ip>- Mount Filesystem:
mount <ip>:/ /<localdir>
https://book.hacktricks.xyz/pentesting/3260-pentesting-iscsi
https://book.hacktricks.xyz/pentesting/3299-pentesting-saprouter
https://book.hacktricks.xyz/pentesting/pentesting-mysql
- Nmap Scripts:
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p 3306 <ip>- Admin Login:
mysql --host=<ip> -u root -p
https://book.hacktricks.xyz/pentesting/pentesting-rdp
- Nmap scripts:
nmap --script=rdp-vuln-ms12-020.nse -p 3389 <ip>- Connect:
rdesktop -u <username> -p <password> <ip>
https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd
https://book.hacktricks.xyz/pentesting/5353-udp-multicast-dns-mdns
https://book.hacktricks.xyz/pentesting/pentesting-postgresql
https://book.hacktricks.xyz/pentesting/5671-5672-pentesting-amqp
https://book.hacktricks.xyz/pentesting/pentesting-vnc
- Nmap Scripts:
nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 <ip>
https://book.hacktricks.xyz/pentesting/5984-pentesting-couchdb
https://book.hacktricks.xyz/pentesting/5985-5986-pentesting-winrm
- Connect:
- Password:
evil-winrm -i <ip> -u <username> -p <password>- Hash:
evil-winrm -i <ip> -u <username> -H <hash>
https://book.hacktricks.xyz/pentesting/6379-pentesting-redis
https://book.hacktricks.xyz/pentesting/8009-pentesting-apache-jserv-protocol-ajp
https://book.hacktricks.xyz/pentesting/9200-pentesting-elasticsearch
https://book.hacktricks.xyz/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop