- Network Scanning
  - AutoRecon
  - nmap scripts VULN
  - gobuster - recursive if possible
  - Did you check ALL ports?
- Service Scanning
  - WebApp (where applicable)
    - Nikto
    - dirb
      - Did we dirb recursively?
    - dirbuster
      - Did we dirbust recursively?
    - wpscan
    - dotdotpwn - directory traversal
    - view source
    - davtest / cadaver
    - droopescan
    - joomscan
    - LFI/RFI test - fimap
      - Did you include the null byte %00?
    - smtp-user-enum
    - sqlmap
    - wfuzz
    - Hydra, at least 12 minutes
  - Linux/Windows
    - snmpwalk -c public -v1 ipaddress 1
    - smbclient -L //ipaddress
    - showmount -e ipaddress port
    - rpcinfo
    - Enum4Linux
  - Anything else
    - nmap scripts (locate *nse* | grep servicename)
    - nmap scripts vuln
    - hydra
    - MSF Aux modules
    - Download the software
- Exploitation
  - Gather version numbers
  - Check EVERY port
  - How to enumerate common ports
  - Searchsploit
  - Default creds
    - Check creds against ssh
    - Check creds against applications?
    - Did we try all the credentials?
  - Creds previously gathered
    - Check creds against ssh
    - Check creds against applications?
    - Did we try all the credentials?
  - Enumerate SMTP/IMAP for usernames (Enum4Linux, smtp-user-enum)
    - Can we brute force?
  - Directory traversal for credentials or useful information?
  - Search GitHub for exploits (<vulnerability> "github")
  - Have a CVE? Google "CVE xxxx-xxx POC"
  - FTP
    - Can we put?
      - Binary mode for binaries
    - Can we get?
    - Local traversal?
    - Upload to webroot?
    - Sensitive information? Credentials or hidden services?
    - Check for hidden files ("ls -la")
  - LFI/RFI
    - Can we see /etc/passwd?
    - Hydra and brute force ssh
    - Check obvious passwords for applications
    - Check config files in webroot or apache config, maybe even sql
    - Can we wget our webserver?
  - SMB
    - Sensitive information? Credentials or hidden services?
  - NFS
    - mount -t nfs 192.168.1.72:/home/vulnix /tmp/nfs -nolock
    - Encryption
      - The file command in the terminal reveals useful information about files.
    - Have credentials? Can mount NFS?
      - Grab SSH keys
      - Bruteforce SSH
    - Tried credentials on all applications?
  - Things to check
    - PHP? PHP file upload and upload nc to the machine
      - Can upload nc?
      - PHP file uploader
      - Web shell for command execution
      - Upload for reverse shells
      - Don't forget binaries can be executed too.
    - Search up kernel
    - Null byte %00
    - Remember that reverse shells aren't all there is. There are bind shells and secure shells.
    - Staged vs unstaged payloads
- Post Exploitation
  - Search for files that might contain credentials or useful information
    - strings command to search binaries
  - Check version numbers of installed applications.
  - Check MySQL for credentials.
  - Check webroot for credentials
  - Linux
    - linux-local-enum.sh
    - linuxprivchecker.py
    - linux-exploit-suggester.sh
    - unix-privesc-check.py
    - linux-smart-enumeration.sh
  - Windows
    - wpc.exe
    - windows-exploit-suggester.py
    - windows_privesc_check.py
    - windows-privesc-check2.exe
    - Sherlock.ps1
    - Hotpotato.exe
- Priv Escalation
  - Access internal services (portfwd)
  - Windows
    - Were we not lazy and tried everything?
      - Are you sure?
  - Linux
    - Were we not lazy and tried everything?
      - Are you sure?
  - Check over nmap for services that could lead to priv esc
  - LD_PRELOAD
- Final
  - Screenshot of ipconfig / whoami
  - Copy proof.txt
  - Dump hashes
  - Dump SSH keys
  - Delete files