Untitled
a guest
Jan 20th, 2020
Network Scanning

AutoRecon
nmap scripts vuln
gobuster - recursive if possible
Did you check ALL ports?

Service Scanning

WebApp (where applicable)
Nikto
dirb
Did we dirb recursively?
dirbuster
Did we dirb recursively?
wpscan
dotdotpwn - directory traversal
view source
davtest / cadaver
droopescan
joomscan
LFI/RFI test - fimap
Did you include the null byte %00?
smtp-user-enum
sqlmap
wfuzz
Hydra - at least 12 minutes

Linux/Windows
snmpwalk -c public -v1 ipaddress 1
smbclient -L //ipaddress
showmount -e ipaddress
rpcinfo
enum4linux

Anything Else
nmap scripts (locate *nse* | grep servicename)
nmap scripts vuln
hydra
MSF aux modules
Download the software
Exploitation
Gather version numbers
Check EVERY port
How to enumerate common ports
Searchsploit
Default creds
Check creds against ssh
Check creds against applications?
Did we try all the credentials?
Creds previously gathered
Check creds against ssh
Check creds against applications?
Did we try all the credentials?
Enumerate SMTP/IMAP for usernames (enum4linux, smtp-user-enum)
Can we brute force?
Directory traversal for credentials or useful information?
Search github for exploits (<vulnerability> "github")
Have a CVE? Google "CVE-xxxx-xxxx POC"

FTP
Can we put?
Binary mode for binaries
Can we get?
Local traversal?
Upload to webroot?
Sensitive information? Credentials or hidden services?
Check for hidden files ("ls -la")

LFI/RFI
Can we see /etc/passwd?
Hydra and brute force ssh
Check obvious passwords for applications
Check config files in webroot or apache config, maybe even sql
Can we wget our webserver?

SMB
Sensitive information? Credentials or hidden services?

NFS
mount -t nfs 192.168.1.72:/home/vulnix /tmp/nfs -o nolock

Encryption
The file command in the terminal reveals useful information about files.

Have credentials? Can mount NFS?
Grab SSH keys
Brute force SSH
Tried credentials on all applications?
Things to check
PHP? PHP file upload and upload nc to the machine
Can upload nc?
PHP file uploader
Web shell for command execution
Upload for reverse shells
Don't forget binaries can be executed too.
Search up kernel
Null byte %00

Remember that reverse shells aren't all there is. There are bind shells and secure shells.
Staged vs. unstaged payloads
Post Exploitation

Search for files that might contain credentials or useful information
strings command to search binaries
Check version numbers of installed applications.
Check MySQL for credentials.
Check webroot for credentials

Linux
linux-local-enum.sh
linuxprivchecker.py
linux-exploit-suggester.sh
unix-privesc-check.py
linux-smart-enumeration.sh

Windows
wpc.exe
windows-exploit-suggester.py
windows_privesc_check.py
windows-privesc-check2.exe
Sherlock.ps1
Hotpotato.exe

Priv Escalation
Access internal services (portfwd)
Windows
Were we not lazy and tried everything?
Are you sure?
Linux
Were we not lazy and tried everything?
Are you sure?
Check over nmap for services that could lead to priv esc
LD_PRELOAD

Final
Screenshot of ipconfig / whoami
Copy proof.txt
Dump hashes
Dump SSH keys
Delete files