Red Team Notes

10 Nmap

Initial Scan

nmap -sC -sV -oA </path/to/file_to_output_to> <target>

    -sC  run the default NSE script set (the same as --script=default)
    -sV  probe open ports to identify the service and version behind them
    -oA  write all three output formats (.nmap, .xml, .gnmap) using the given path as the prefix

Long/Background Scan

nmap -p- -T5 -oA </path/to/file_to_output_to> <target>

    -p-  all 65535 TCP ports
    -T5  "insane" timing template: fastest, but it gives up on slow probes and will miss ports on a lossy or rate-limited link (not recommended; -T4 is the usual upper bound on an engagement)
    -oA  write all output formats

UDP scan

Quick UDP:

nmap -sU -v -oA </path/to/file_to_output_to> <target>

Longer UDP

nmap -v -sC -sV -sU -Pn --disable-arp-ping -oA </path/to/file_to_output_to> <target>

    -Pn skips host discovery so hosts that drop ICMP are still scanned; --disable-arp-ping forces the IP-level probes even on the local subnet. A full -sU sweep is slow because most targets rate-limit their ICMP port-unreachable replies, so start with --top-ports 20 or 100 and only widen it on hosts that matter.

Get the ports in the right format for a targeted nmap scan

a=$(grep -oP '\d{1,5}/open' kioptrix2.short.gnmap | sort -u | sed -e 's/\/open//g' | tr '\n' ','); a=${a%,}

    -o  print only the matching part of each line, not the whole line
    -P  interpret the pattern as a Perl-compatible regex
    '\d{1,5}/open'  one to five digits followed by /open, i.e. every open port recorded in the .gnmap file
    sort -u de-duplicates (sort -un if you want numeric order), tr joins the lines with commas, and ${a%,} strips the trailing comma so $a is a valid -p argument

Scanning ipv6

nmap -6 -sC -sV -oA scans/mischief-ipv6 dead:beef::250:56ff:feb2:0190

    -6  IPv6 mode; everything else (scripts, version detection, output) works as for IPv4

Perform a targeted port scan

nmap -p $a -sV --script "default,vuln" -oA </path/to/file_to_output_to> <target>

    $a is the comma-separated port list built above. -sC is just shorthand for --script=default, so do not rely on it to add the default scripts when you also pass --script: name both categories explicitly. The vuln category contains intrusive scripts; run it only where that is within scope.

Webserver enumeration

nmap -p 80,443,8000,8080,8443 --script=http-enum <target>

    http-enum requests a built-in list of paths used by common web applications and servers and reports the ones that exist; it is a quick first pass, not a replacement for a proper directory brute force.

Nmap Ping Sweep

nmap -sn 10.11.0.0/16 -oG ping_sweep.txt
grep Up ping_sweep.txt | cut -f2 -d " "

OR

nmap -sn 10.11.1.1-254 -oG ping_sweep.txt
grep Up ping_sweep.txt | cut -f2 -d " "

Keep in mind that systems that have ICMP disabled will not respond to ping sweeps even though they are in fact online.
    This method is good and efficient but not definitive. As root, -sn sends an ICMP echo, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request (and uses ARP on the local subnet), so it finds more than a plain ping does; a host that drops all of those still needs a -Pn scan to be seen.

Find Low-Hanging Fruit

nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top_port_sweep.txt
grep open top_port_sweep.txt | cut -f2 -d " "

    -A turns on OS detection, version detection, default scripts and traceroute in one flag. It is noisy; where stealth matters, sweep with -sV alone first.

Machines that prove to be rich in services, or otherwise interesting, are then port scanned individually with a more exhaustive port list.

OS Fingerprinting

nmap -O 10.0.0.19

    Attempts to guess the underlying operating system from the TCP/IP stack behaviour seen in the packets received from the target. It needs raw sockets (root) and works best when the target has at least one open and one closed TCP port; otherwise expect low-confidence or no guesses.

Open ports are often a quicker tell than the fingerprint:
    kerberos (TCP 88) + LDAP (TCP 389) = Active Directory Domain Controller
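
The greppable-output one-liners above (the grep -oP ... | tr port-list builder, the grep Up | cut ping-sweep filter, the grep open | cut top-ports filter, and the Kerberos + LDAP domain-controller rule) as one set of shell functions. This is an added example written for this page, not code from the original notes: the .gnmap content is constructed, the host addresses, ports and function names are hypothetical, and the only thing assumed is nmap's standard -oG line format.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: helpers for nmap's greppable
# output (-oG, or the .gnmap file that -oA writes). They do what the
# `grep Up | cut`, `grep open | cut` and `grep -oP ... | tr '\n' ','`
# one-liners above do, but sort ports numerically, de-duplicate, and never
# leave a trailing comma in the list handed to `nmap -p`.
set -eu

# Constructed sample .gnmap (hypothetical hosts, ports and banners) so the
# functions run offline. Real input: nmap -oG sweep.gnmap <range>.
SAMPLE_GNMAP="$(mktemp)"
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -oG sample.gnmap 10.11.1.0/24
Host: 10.11.1.71 ()  Status: Up
Host: 10.11.1.71 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//Apache httpd/, 111/filtered/tcp//rpcbind///, 8080/open/tcp//http-proxy///  Ignored State: closed (65531)
Host: 10.11.1.72 ()  Status: Up
Host: 10.11.1.72 ()  Ports: 445/open/tcp//microsoft-ds///, 139/open/tcp//netbios-ssn///, 80/open/tcp//http///  Ignored State: closed (65532)
Host: 10.11.1.73 ()  Status: Up
Host: 10.11.1.73 ()  Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///  Ignored State: closed (65531)
Host: 10.11.1.74 ()  Status: Down
# Nmap done -- 256 IP addresses (3 hosts up) scanned
EOF

# Hosts nmap reported as Up (the ping-sweep step), one per line.
gnmap_up_hosts() {
  awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1"
}

# Open ports for one host as "22,80,8080": numerically sorted, de-duplicated,
# no trailing comma. Only confirmed "open" counts; UDP's "open|filtered" is
# deliberately skipped. Prints nothing (and succeeds) if the host has none.
gnmap_open_ports_for_host() {
  local file="$1" host="$2"
  awk -v h="$host" '$1 == "Host:" && $2 == h' "$file" \
    | grep -oE '[0-9]{1,5}/open/' | cut -d/ -f1 | sort -nu | paste -s -d, - || true
}

# Union of open ports across every host, for one broad follow-up scan.
gnmap_open_ports() {
  grep -oE '[0-9]{1,5}/open/' "$1" | cut -d/ -f1 | sort -nu | paste -s -d, - || true
}

# Up hosts that have every listed port open. `88 389` is the "Kerberos + LDAP
# = domain controller" rule of thumb from the notes above.
gnmap_hosts_with_ports() {
  local file="$1"; shift
  local host ports p ok
  for host in $(gnmap_up_hosts "$file"); do
    ports=",$(gnmap_open_ports_for_host "$file" "$host"),"
    ok=1
    for p in "$@"; do
      case "$ports" in *",$p,"*) ;; *) ok=0 ;; esac
    done
    [ "$ok" = 1 ] && echo "$host"
  done
  return 0
}

# Targeted follow-up for one host: just its open ports, version detection,
# default plus vuln scripts. Printed rather than executed so it can be
# reviewed (vuln scripts are intrusive) before being pasted into a shell.
gnmap_targeted_scan_cmd() {
  local file="$1" host="$2" out="$3" ports
  ports="$(gnmap_open_ports_for_host "$file" "$host")"
  [ -n "$ports" ] || { echo "no open ports recorded for $host" >&2; return 1; }
  printf 'nmap -p %s -sV --script "default,vuln" -oA %s %s\n' "$ports" "$out" "$host"
}

# Demo on the constructed file: likely DCs, and a scan command for each.
for dc in $(gnmap_hosts_with_ports "$SAMPLE_GNMAP" 88 389); do
  gnmap_targeted_scan_cmd "$SAMPLE_GNMAP" "$dc" "scans/$dc"
done
```

Point SAMPLE_GNMAP at a real sweep file to use it on an engagement; the port regex only accepts the confirmed open state, so UDP open|filtered results never leak into the targeted port list.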

Identifying NMAP Scripts

locate -r '\.nse$' | xargs grep categories | grep -E 'default|version' | grep smb

    grep needs -E (or egrep) for the alternation; in a basic regex the | is a literal character and the pattern matches nothing.

Identify all nmap default scripts (-sC)

grep -r categories /usr/share/nmap/scripts/*.nse | grep default | awk -F: '{print $1}' | awk -F/ '{print $NF}'

    This only sees scripts whose categories table fits on one line. The authoritative list is nmap --script-help default, which accepts any category name (vuln, safe, intrusive, ...) in place of a script name.
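
Added example for the two script-finding commands above, not code from the original notes: a category finder that reads each script's Lua categories table properly, including tables that span several lines, which the one-line grep silently misses. The sample .nse files, their names and their categories are constructed for the demo; the only assumption about real scripts is the `categories = { "a", "b" }` table that every NSE script declares.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: find NSE scripts by category by
# reading each script's `categories = { ... }` Lua table. The one-line
# `grep categories ... | grep default` above silently misses scripts whose
# table spans several lines, which the multi-line sample below demonstrates.
set -eu

# Constructed sample .nse files (hypothetical names and categories) in a temp
# dir so this runs offline; use NSE_DIR=/usr/share/nmap/scripts for real use.
NSE_DIR="$(mktemp -d)"
trap 'rm -rf "$NSE_DIR"' EXIT
cat > "$NSE_DIR/smb-one-liner.nse" <<'EOF'
description = [[Constructed sample: single-line categories table.]]
categories = {"default", "discovery", "safe"}
EOF
cat > "$NSE_DIR/smb-multi-line.nse" <<'EOF'
description = [[Constructed sample: multi-line categories table.]]
categories = {
  "discovery",
  "intrusive",
  "version",
}
EOF
cat > "$NSE_DIR/http-vuln-sample.nse" <<'EOF'
description = [[Constructed sample: vuln script.]]
categories = {"vuln", "intrusive"}
EOF

# Print "<script> <cat1,cat2,...>" for every .nse file under $1. awk collects
# lines from `categories` up to the closing brace, then pulls out the quoted names.
nse_categories() {
  local f
  for f in "$1"/*.nse; do
    awk -v name="$(basename "$f" .nse)" '
      /^[[:space:]]*categories[[:space:]]*=/ { grab = 1; buf = "" }
      grab { buf = buf $0 }
      grab && /}/ {
        n = 0; out = ""
        while (match(buf, /"[^"]+"/)) {
          out = out (n++ ? "," : "") substr(buf, RSTART + 1, RLENGTH - 2)
          buf = substr(buf, RSTART + RLENGTH)
        }
        print name, out
        exit
      }' "$f"
  done
}

# Scripts in category $2 under $1 (e.g. default, vuln, version), sorted.
nse_in_category() {
  nse_categories "$1" | awk -v want="$2" '{
    split($2, cats, ",")
    for (i in cats) if (cats[i] == want) { print $1; break }
  }' | sort
}

# The naive approach from the notes, for comparison: it only matches when the
# category name sits on the same line as the word `categories`.
nse_grep_one_line() {
  local f
  for f in "$1"/*.nse; do
    grep -q "categories.*\"$2\"" "$f" && basename "$f" .nse
  done | sort
}

# Demo: the multi-line script is in `version`, but the one-line grep misses it.
printf 'table parser:   %s\n' "$(nse_in_category "$NSE_DIR" version | paste -s -d, -)"
printf 'one-line grep:  %s\n' "$(nse_grep_one_line "$NSE_DIR" version | paste -s -d, -)"
```

On a real install the same functions run against /usr/share/nmap/scripts; cross-check the result for any category against nmap --script-help <category>, which is what nmap itself consults.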

Check for Shellshock vulnerability

nmap -p 80 --script=http-shellshock --script-args uri=/cgi-bin/test.cgi 10.11.1.71

    http-shellshock tests the one path given in its uri argument. Passing --script-args twice on one command line does not get you two tests, so loop over the CGI URIs you found during web discovery instead:

    for u in /cgi-bin/test.cgi /cgi-bin/admin.cgi; do nmap -p 80 --script=http-shellshock --script-args "uri=$u" 10.11.1.71; done

e.g. finding the CGI URIs first with gobuster:
    gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://10.11.1.71:80/ -s '200,204,301,307,403,500' -e | tee 'alpha/10.11.1.71/scans/10.11.1.71_80_gobuster_cgi'

View the arguments a script accepts: nmap --script-help <script>

e.g. nmap --script-help "irc-unrealircd-backdoor"

Enumerate NetBios Users

nmap -p 139,445 --script=smb-enum-users <target>

    The script needs an SMB session. Null sessions still work on some older Windows hosts; otherwise supply credentials with --script-args smbusername=<user>,smbpassword=<pass> (smbdomain and smbhash are also accepted).

Stealth (SYN) scans (-sS, nmap's default scan type when run as root)
    Sends the initial SYN packet and waits for the SYN/ACK from the server.
    Does not answer the SYN/ACK with an ACK, so the three-way handshake is never completed and the application listening on the port never sees a connection.
    Called "stealth" because this used to evade primitive firewalls and application logs; any modern firewall, IDS or flow sensor will record a SYN scan, so you will be detected and the name is misleading.

UDP scans are often unreliable: nmap reports a port as open|filtered when it gets no reply, because a firewall or router may have dropped the probe or the ICMP port-unreachable response.
    But it is a mistake to neglect them; TCP is only half of the equation (DNS, SNMP, TFTP, IKE and NTP all live on UDP).
