🔎Reconnaissance

Collection of recon tips/tools from the ePTS course + other resources


Last updated 3 years ago


Network Mapping:

Ping Sweep (don't show errors)

fping -a -g <net_id>/<mask> 2>/dev/null

Nmap sweep

Use a wildcard (*) or CIDR notation to sweep through a network, with -sn for a ping scan (host discovery only, no port scan):

nmap -sn 192.168.0.* -oN discovery.nmap
nmap -sn 10.142.11.0/24

use -iL to read the list of IPs from a file:

nmap -sn -iL ip_list.txt
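As an added example (not from the original page), a small POSIX shell script that turns the -oN discovery.nmap output of the sweep above into the ip_list.txt that the later -iL scans consume, keeping only hosts nmap reported as up. The sample nmap output is constructed, and the function names live_hosts and write_ip_list are my own.

```sh
#!/bin/sh
# Constructed sample of "nmap -sn ... -oN" normal output (one host reported down).
SAMPLE_NMAP_OUTPUT='# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn 192.168.0.* -oN discovery.nmap
Nmap scan report for 192.168.0.1
Host is up (0.0010s latency).
Nmap scan report for router.lan (192.168.0.2)
Host is up (0.0020s latency).
Nmap scan report for 192.168.0.3 [host down]
Nmap scan report for 192.168.0.7
Host is up (0.015s latency).
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds'

# live_hosts FILE: print one IPv4 address per line for every host nmap saw as up.
# A "Nmap scan report for" line names the host; it only counts if the very next
# line says "Host is up" (a "[host down]" report is followed by no such line).
live_hosts() {
  awk '
    /^Nmap scan report for / {
      # field 5 is the IP, or a hostname followed by the IP in parentheses
      ip = $5
      if ($6 ~ /^\(/) { ip = substr($6, 2, length($6) - 2) }
      pending = ip
      next
    }
    /^Host is up/ && pending != "" { print pending }
    { pending = "" }   # any other line closes the current report block
  ' "$1"
}

# write_ip_list NMAP_OUT LIST_FILE: build the -iL input file; prints the host count.
write_ip_list() {
  live_hosts "$1" | sort -u > "$2"
  wc -l < "$2" | tr -d ' '
}

# Demo: write the constructed sample to a temp file and derive the target list.
tmp=$(mktemp)
list="${TMPDIR:-/tmp}/ip_list.txt"
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" > "$tmp"
echo "live hosts written to $list: $(write_ip_list "$tmp" "$list")"   # prints 3
rm -f "$tmp"
```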

You can also use other types of host discovery (not just the ping scan):

p0f

Nmap OS Fingerprinting

use -Pn to skip the ping scan (already done in the Network Mapping step)

sudo nmap -Pn -sV -O -A -T4 -p- --open -iL <targets_file>

--osscan-limit: useful when you want to quickly fingerprint thousands of hosts (it skips OS detection on hosts unlikely to give a usable result).

-sV: identify the version of the daemon/service running on each open port.

-A: enables OS detection and version detection, and runs the default built-in scripts for further enumeration.

-sS: TCP SYN port scan.

-sU: UDP port scan.

-p-400: scan the first 400 ports (1-400).

-n/-R: never resolve DNS / always resolve DNS [default: sometimes].

Nmap Vul Assessment:

sudo nmap --script vuln --script-args=unsafe=1 -iL <file>

📂Find Files:

After exploiting a Windows machine you can find what you want with:

dir /s /b <file>

Find User:

Assuming you compromised a server (gained a shell), this is how to find the name of the user managing it:

ps aux | grep apache
cat /etc/passwd
find / -iname <flag> 2>/dev/null

In Linux, SUID (set owner userId upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).

Enumerate all binaries that have the SUID permission set:

find / -perm -u=s -type f 2>/dev/null

-perm -u=s : the trick is in this find flag (it matches files whose owner-execute bit is the set-user-ID bit).

find all writable files (in the current directory; -maxdepth goes before the other tests or find warns about it):

find . -maxdepth 1 -type f -writable

Example of where finding SUID binaries is useful (see the Vulnversity write-ups linked below):

Finding URLs:

Simple way to extract all JS URLs from the in-scope hosts, to be checked for potentially secret / sensitive information (subjs reads the URLs from stdin; the result is de-duplicated and saved to js_urls):

subjs < scope.txt 2>/dev/null | sort -u | tee js_urls

OS Fingerprinting:

p0f: passively analyze captured traffic, for cases where Nmap probes are blocked or you can't actively fingerprint.

Full story here (Vulnversity privilege-escalation write-ups):

https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation
https://0n3z3r0n3.medium.com/tryhackme-vulnversity-1b1c7d96bca4

See also: 11 Ways to Find User Account Info and Login Details in Linux (Tecmint: Linux Howtos, Tutorials & Guides)

How aggressively you scan depends on the engagement: choose a lighter or a more aggressive profile accordingly.