Every time you start on a new machine there are some steps you need to perform to get an initial foothold. So let’s write them down so you (and me) can always have a cheat sheet close by 🙂
To make this example I have used the lab provided by INE in their Penetration Testing Student path (btw, a great learning source!).
Network discovery
First, we need to find all live hosts on the network and save it to a file with -oN switch.
nmap -sn 192.168.60.0/24 -oN discover.nmap
-
- Network discovery
Now we can sort the addresses and save them to a file for further investigation. We are excluding my own address which ends with 11 and removing all other unnecessary information, so we are left with only IPs.
cat discover.nmap | grep for | grep -v "\.11" | cut -d " " -f 5 > ips.txt
-
- Sorted addresses
TCP Portscan
nmap -Pn -iL ips.txt
- -Pn to assume the host is alive
- -iL to use a list of IPs as input (ips.txt)
-
- TCP Portscan
UDP scan
nmap -sU -sV -iL ips.txt
- -sU for UDP scan
- -sV for version identification
- -iL to use a list of IPs as input (ips.txt)
OS and service scan
nmap -A -p22,80 IP
- -A for detailed information and running some scripts
- -p for running on a specific port
Vulnerability scan
nmap --script vuln -p22,80 IP
- –script vuln for running a vulnerability scan
- -p for running on a specific port
All-in-one
nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open
- -sV for version identification
- -n for disabling reverse DNS lookup
- -v for Verbose
- -Pn to assume the host is alive
- -p- to scan all the ports
- -T4 to speed things up
- -iL to use a list of IPs as input (ips.txt)
- –open to see just open ports and not closed/filtered ones
- -A for detailed information and running some scripts
Nikto scan
Nikto is a vulnerability scanner that scans webservers. Run it to see if there are some obvious vulnerabilities.
nikto -h http://IP
Directory scan
Gobuster is traditional directory brute-force scanners like DirBuster and DIRB. The advantage over those two is the speed, however, it lacks recursive directory searching (for directories more than one level deep)
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://IP/ -x php,txt,html,sh,cgi -q
If you can’t find much try also different wordlist:
/usr/share/dirb/wordlists/common.txt
/usr/share/wordlists/rockyou.txt
What’s next
Now that we got our initial foothold, we can analyze all the information we found, and check any Web Servers, FTP, SSH connections. How to do it will probably be a topic in the near (or far xD ) future.
