# Enumeration ## Wordlists * [Seclists](https://github.com/danielmiessler/SecLists) * Subdomain enumeration: /Discovery/DNS (subdomain\*) * Pages, Extensions, Directory, Parameters: /Discovery/Web-Content (directory-list\*.txt, web-extensions.txt, burp-parameter-names.txt) * LFI wordlist: /Fuzzing/LFI * [Crunch](https://secf00tprint.github.io/blog/passwords/crunch/advanced/en) Word list generator ## Port mapping ### Nmap

Flag	Description
`-sC`	Run scripts
`-sV`	Version scan
`-p <ports>`	Specify ports. Can be a list, can contain ranges
`-p-`	Scan all 65535 ports
`--script=<script name>` `-sC`	Run a specific script from `usr/share/nmap/scripts`
`-A`	Enable OS detection, version detection, script scanning, and traceroute (Loud)
`--open`	Show only open ports
`-oA <name_of_files>`	Save in all output formats with prefix of `name_of_files`
`-sn`	Disables port scanning
`-iL <file>`	Scans a list of hosts from a file
`--reason`	Displays the reason for specific result.
`--packet-trace`	Shows all packets sent and received
`-F`	Fast Scan. Top 100 ports
`--top-ports=10`	Scans the specified top ports that have been defined as most frequent.
`-n`	Disable DNS resolution
`--disable-arp-ping`	Disables ARP ping.
`--stats-every=5s`	Shows status every 5 seconds
`-v` or `-vv`	Verbositiy level, increasing
`-A`	Performs service detection, OS detection, traceroute and uses defaults scripts to scan the target.
`--min-rate <number>`	Speed optimization parameter
`-T <0-5>`	Aggressiveness
`--source-port 53`	Performs the scans from specified source port.
`--script-updatedb`	Update scripts DB

Some useful nmap scripts (`/usr/share/nmap/scripts/`): * [smb-os-discovery.nse](https://nmap.org/nsedoc/scripts/smb-os-discovery.html) (usually on `-p 445`) * http-enum (example on port `-p 80`) Some nmap usages examples: * `-p 21 --packet-trace -Pn -n --disable-arp-ping` to scan port 21 and get a detailed information for the packet as the answer #### Scan types

Flag	Description
`-PE`	Performs the ping scan by using 'ICMP Echo requests' against the target. Usually in combination with `--disable-arp-ping` to disable ARP Scanning
`-sS`	(Default as Root) SYN Scan
`-sT`	(Default as non-Root) TCP Scan
`-sU`	Performs a UDP scan.
`-sV`	Performs a service scan.
`-sA`	TCP ACK scan (hard to filter)
`-Pn`	Disable the ICMP echo requests (avoid checking if host is alive)

#### Types of ports states

State	Description
`open`	This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.
`closed`	When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an `RST` flag. This scanning method can also be used to determine if our target is alive or not.
`filtered`	Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.
`unfiltered`	This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
`open\|filtered`	If we do not get a response for a specific port, `Nmap` will set it to that state. This indicates that a firewall or packet filter may protect the port.
`closed\|filtered`	This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.

XML (`-oX`) output to HTML tool: xsltproc ## Fuzzing ### Ffuf Typical Usage ```bash ffuf -w ./SecLists/example.txt:FUZZ -u http://domain.com/FUZZ ``` Recursive search ```bash -recursion -recursion-depth 1 ``` File extension ```bash -e .php ``` Setting and/or fuzz headers (example: VHosts) ```bash -H "Host: FUZZ.domain.com" ``` Filter or Match ```bash -f* -m* ``` Example: Filter (remove) by response size anything of size 600 ``` -fs 600 ``` HTTP Verb ```bash -X POST ``` Data ```bash -d "" ``` Ignore comments ```bash -ic ``` Colorize output ```bash -c ``` Output to file ```bash -o ``` ### PHP Config file defualt positions `X.Y` is the php version Nginx: `/etc/php/X.Y/fpm/php.ini` Apache: `/etc/php/X.Y/apache2/php.ini` ## SNMP Simple Networking Management Protocol Can provide information such as process parameters, routing information, versions and services bound to interfaces `snmpwalk` is used to interact with it * Example: `snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0` [onesixtyone](https://github.com/trailofbits/onesixtyone) can bruteforce the community string names * Example with included bruteforce file: `onesixtyone -c dict.txt 10.129.42.254` ## Gobuster DNS, vhost, and directory brute-forcing ### Directory mode `gobuster dir` option

Flag	Description
-u <URL>	Defines the target URL
-w <path_to_wordlist>	Defines the wordlist

### DNS mode

Flag	Description
-d <domain>	Defines the target domain
-w <path_to_wordlist>	Defines the wordlist (example: `SecLists/Discovery/DNS/namelist.txt`)

## FTP If it has SSL we can use openssl to connect: ```shell-session openssl s_client -connect 10.129.14.136:21 -starttls ftp ``` ## Custom Wordlist Generation (CeWL) {% embed url="" %} ## Others * Webserver banner: Find in header, can use `curl -IL` * [EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness) * Whatweb: handy tool and contains much functionality to automate web application enumeration