Share

Initial foothold

Every time you start on a new machine there are some steps you need to perform to get an initial foothold. So let’s write them down so you (and me) can always have a cheat sheet close by 🙂

To make this example I have used the lab provided by INE in their Penetration Testing Student path (btw, a great learning source!).

Network discovery

First, we need to find all live hosts on the network and save it to a file with -oN switch.

 nmap -sn 192.168.60.0/24 -oN discover.nmap

Now we can sort the addresses and save them to a file for further investigation. We are excluding my own address which ends with 11 and removing all other unnecessary information, so we are left with only IPs.

 cat discover.nmap | grep for | grep -v "\.11" | cut -d " " -f 5 > ips.txt

TCP Portscan

 nmap -Pn -iL ips.txt
  • -Pn to assume the host is alive
  • -iL to use a list of IPs as input (ips.txt)

UDP scan

 nmap -sU -sV -iL ips.txt
  • -sU for UDP scan
  • -sV for version identification
  • -iL to use a list of IPs as input (ips.txt)

OS and service scan

nmap -A -p22,80 IP
  • -A for detailed information and running some scripts
  • -p for running on a specific port

Vulnerability scan

nmap --script vuln -p22,80 IP
  • –script vuln for running a vulnerability scan
  • -p for running on a specific port

All-in-one

nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open
  • -sV for version identification
  • -n for disabling reverse DNS lookup
  • -v for Verbose
  • -Pn to assume the host is alive
  • -p- to scan all the ports
  • -T4 to speed things up
  • -iL to use a list of IPs as input (ips.txt)
  • –open to see just open ports and not closed/filtered ones
  • -A for detailed information and running some scripts

Nikto scan

Nikto is a vulnerability scanner that scans webservers. Run it to see if there are some obvious vulnerabilities.

 nikto -h http://IP

Directory scan

Gobuster is traditional directory brute-force scanners like DirBuster and DIRB. The advantage over those two is the speed, however, it lacks recursive directory searching (for directories more than one level deep)

 gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://IP/ -x php,txt,html,sh,cgi -q

If you can’t find much try also different wordlist:

/usr/share/dirb/wordlists/common.txt

/usr/share/wordlists/rockyou.txt

What’s next

Now that we got our initial foothold, we can analyze all the information we found, and check any Web Servers, FTP, SSH connections. How to do it will probably be a topic in the near (or far xD ) future.