🔎Reconnaissance
Col. of recon tips/tools from ePTS course + other recourses
🗺️ Network Mapping:
Ping Sweep (don't show error) check out Bash tut.
Nmap sweep
Use wildcard (*) to sweep through a network + -sn for ping scan:
use -iL to get a list of IP's from a file:
you can also use other types of host scanning (not just ping scan):
🖥️ OS Fingerprinting:
p0f
passively analyze capture traffic (where Nmap props are blocked or you can't actively fingerprint)Nmap. documentation
Nmap OS Fingerprinting
use -Pn to skip ping scan (done on the Net Mapping Step)
--osscan-limit great when you fastly want to fingerprint thousands of hosts
-sV: identify the Deamon running version.
-A: Enables OS, Version detection, executes in-build scripts for further snum.
-sS: TCP SYN port scan.
-sU: UDP port scan.
-p-400: scan for the first 400 ports (1-400).
-n/-R: no DNS resolve / Always DNS resolve [defualt: sometimes].
Nmap Vul Assessment:
Nmap Vul Assessment:📂Find Files:
📂Find Files:After exploiting a Windows machine you can find what you want with:
Find User:
assuming you comprised a server (gained a shell) how to find the name of the user managing it:
In Linux, SUID (set owner userId upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).
Enumerates all the binaries that have SUID permission:
-perm -u=s : rhe trick is in this flag by find.
find all writable files:
example of finding SUID be usful:
https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation
full story here: https://0n3z3r0n3.medium.com/tryhackme-vulnversity-1b1c7d96bca4
Finding URLs:
Simple way to extract all JS URLs for potentially secret / sensitive information:
Last updated
