Title: Active Information Gathering required in Penetration Testing_2
Author: ajayverma
File Enumeration

Find setuid/setgid files (executed with the file owner's privileges, typically root). The SUID and SGID tests are grouped so the -exec action applies to both branches, and -maxdepth precedes the tests as find expects:

/usr/bin/find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
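The same setuid/setgid search turned into a defender-side audit, as an added example that is not part of the original cheat sheet: it lists the privileged binaries under a tree and reports any that are missing from a known-good baseline, so a binary dropped under /tmp or an unexpected permission change stands out. The directory layout, file names and baseline path used in the demonstration are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original cheat sheet: a defender-side audit of
# setuid/setgid files. It lists every setuid or setgid regular file under a
# directory tree and reports any that is missing from a known-good baseline,
# so an unexpected privileged binary (e.g. one dropped under /tmp) stands out.

# Print setuid/setgid regular files under $1, one path per line, sorted.
# -xdev keeps find on one filesystem (no /proc, /sys or network mounts).
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare the current list for tree $1 with the baseline file $2 (one absolute
# path per line). Prints unexpected entries and returns 1 if any exist,
# 0 if the tree matches the baseline. grep -F -x matches whole paths literally.
audit_suid_sgid() {
    unexpected="$(list_suid_sgid "$1" | grep -v -x -F -f "$2")"
    if [ -n "$unexpected" ]; then
        printf 'UNEXPECTED setuid/setgid file(s) under %s:\n%s\n' "$1" "$unexpected"
        return 1
    fi
    printf 'No setuid/setgid files outside the baseline under %s\n' "$1"
    return 0
}

# Stand-alone demonstration on a constructed directory tree (nothing outside
# the temporary directory is touched): one baselined setuid file plus one that
# is not in the baseline, which the audit must report.
demo_suid_audit() {
    work="$(mktemp -d)"
    mkdir -p "$work/bin" "$work/tmp"
    : > "$work/bin/expected_tool";  chmod 4755 "$work/bin/expected_tool"
    : > "$work/tmp/dropped_binary"; chmod 4755 "$work/tmp/dropped_binary"
    : > "$work/tmp/plain_file";     chmod 0644 "$work/tmp/plain_file"
    printf '%s\n' "$work/bin/expected_tool" > "$work/baseline.txt"
    audit_suid_sgid "$work" "$work/baseline.txt"
    rm -rf "$work"
}

demo_suid_audit
```

On a real host the baseline is captured once on a known-good build (for example `list_suid_sgid / > /var/lib/suid-baseline.txt`, an assumed path) and `audit_suid_sgid / /var/lib/suid-baseline.txt` is run from cron or a configuration-management check; a non-zero exit is the alert.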

Get handy Linux file system enumeration script (run from /var/tmp)
wget https://highon.coffee/downloads/linux-local-enum.sh
chmod +x ./linux-local-enum.sh
./linux-local-enum.sh

Find executable files updated in August
find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug

Find a specific file on Linux by name (here: names beginning with "suid")
find /. -name suid\*

Find all the strings in a file
strings <filename>

Determine the type of a file
file <filename>
HTTP Enumeration

Search for folders with gobuster:
gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip

OWASP DirBuster - HTTP folder enumeration - can take a dictionary file

Dirb - Directory brute force finding using a dictionary file
dirb http://$ip/ wordlist.dict
dirb http://vm/

Dirb against a proxy

dirb http://$ip/ -p $ip:3129

Nikto
nikto -h $ip

HTTP Enumeration with NMAP
nmap --script=http-enum -p80 -n $ip/24

Nmap - check which HTTP methods the server allows for a given path
nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Get the OPTIONS available from the web server
curl -vX OPTIONS vm/test

Uniscan directory finder:
uniscan -qweds -u http://vm/

Wfuzz - The web brute forcer

wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test

wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ

Recurse 3 levels deep, showing only 200 responses

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
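The directory brute-forcing done by gobuster, dirb, wfuzz and nikto above leaves a recognisable trail in the web server's access log: one client, many 404 responses in a short span. The following detection script is an added example, not part of the original cheat sheet; it counts 404s per client in an Apache/nginx combined-format log and lists the paths a flagged client probed. The log lines, addresses, user-agent string and the default threshold of 20 are all constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original cheat sheet: detecting directory
# brute-forcing (the traffic the gobuster/dirb/wfuzz/nikto commands above
# generate) in an Apache or nginx combined-format access log. The approach is
# a per-client count of 404 responses; a browsing user produces a handful, a
# wordlist scan produces hundreds. The log lines below are constructed.

ACCESS_LOG="$(mktemp)"
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [16/May/2019:16:20:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [16/May/2019:16:20:04 +0000] "GET /about HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [16/May/2019:16:20:09 +0000] "GET /abuot HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [16/May/2019:16:21:00 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "wordlist-scanner/1.0"
198.51.100.9 - - [16/May/2019:16:21:00 +0000] "GET /admin HTTP/1.1" 404 196 "-" "wordlist-scanner/1.0"
198.51.100.9 - - [16/May/2019:16:21:00 +0000] "GET /backup HTTP/1.1" 404 196 "-" "wordlist-scanner/1.0"
198.51.100.9 - - [16/May/2019:16:21:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "wordlist-scanner/1.0"
198.51.100.9 - - [16/May/2019:16:21:01 +0000] "GET /config HTTP/1.1" 404 196 "-" "wordlist-scanner/1.0"
198.51.100.9 - - [16/May/2019:16:21:01 +0000] "GET /db HTTP/1.1" 404 196 "-" "wordlist-scanner/1.0"
198.51.100.9 - - [16/May/2019:16:21:02 +0000] "GET /old HTTP/1.1" 404 196 "-" "wordlist-scanner/1.0"
EOF

# Print "client count" for each client with at least $2 (default 20, an
# assumed starting point) 404 responses in log $1, busiest first. In combined
# log format awk's $1 is the client address, $7 the path and $9 the status.
flag_bruteforce() {
    awk -v t="${2:-20}" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# Print the request paths that returned 404 for client $2 in log $1, so a
# responder can see which wordlist entries were tried and in what order.
missing_paths_for() {
    awk -v c="$2" '$1 == c && $9 == 404 { print $7 }' "$1"
}

# Stand-alone run: a low threshold suits the small sample.
flag_bruteforce "$ACCESS_LOG" 5
missing_paths_for "$ACCESS_LOG" 198.51.100.9
```

On a real log the threshold depends on the site (broken links also produce 404s), and a production version would bucket the counts per minute rather than over the whole file; the per-client count is the signal, the bucketing only sharpens it.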

Open a service protected by knockd by sending the port-knock sequence
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x server_ip_address; done

WordPress Scan - Wordpress security scanner
wpscan --url $ip/blog --proxy $ip:3129

RSH Enumeration - unencrypted remote shell (r-services); Metasploit auxiliary module:
auxiliary/scanner/rservices/rsh_login

Finger Enumeration

finger @$ip

finger batman@$ip

TLS & SSL Testing (testssl.sh; aha converts the coloured terminal output to HTML)
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html

Proxy Enumeration (useful for open proxies)
nikto -useproxy http://$ip:3128 -h $ip

Steganography

apt-get install steghide

steghide extract -sf picture.jpg

steghide info picture.jpg

apt-get install stegosuite

The OpenVAS Vulnerability Scanner

apt-get update
apt-get install openvas
openvas-setup

netstat -tulpn

Login at:
https://$ip:9392

Submitted On: 2019-05-16 16:22:30