1.4-Linux-Scanning.md
# Pre-Intrusion phase (Linux)

## Scanning

### Nmap (Network scanning)

```bash
# quick scan (OS/version detection, default scripts, traceroute)
nmap -A -T4 <target>
# quick full scan (SYN scan, version detection, default scripts)
nmap -sS -sV -sC -T4 <target>
# scan a Windows machine (skip host discovery)
nmap -sS -sV -Pn <target>
# host discovery only (no port scan, no DNS resolution)
nmap -sn -n <subnet>
# find bundled nmap scripts by name
ls /usr/share/nmap/scripts | grep <script>
```

- -A: Enable OS detection, version detection, script scanning, and traceroute
- -sS: TCP SYN (stealth) scan
- -sV: Probe open ports to determine service/version info
- -O: Enable OS detection
- -p <port ranges>: Only scan the specified ports (-p- for all 65535)
- -sC: Scan with the default script set (same as --script=default)
- -Pn: Treat all hosts as online (skip host discovery)
- --script=vuln: Run the scripts in the "vuln" category against the target
- --script=http-enum: Enumerate common directories and applications on a web server
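The flags above produce scan output that still has to be turned into something actionable. The following script is an added example and not part of the original cheatsheet: it parses nmap's grepable output (`nmap ... -oG file`, whose `Ports:` entries are `port/state/proto/owner/service/rpcinfo/version/`) into one line per open service, and then compares that inventory against an allowlist of expected `host port/proto` pairs, which is how a defender would flag a service that appeared on their own subnet since the last scheduled scan. The sample output and the allowlist are constructed inline; the hosts and services in them are made up.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. The sample below is
# constructed to match nmap's -oG line layout; it is not a real scan.

sample_grepable() {
  printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 10.0.0.0/29\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (997)\n'
  printf 'Host: 10.0.0.6 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)\n'
  printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned\n'
}

# open_services: read -oG text on stdin and print "host port/proto service (version)"
# for every port whose state is "open". -oG fields are tab separated; each
# entry in the "Ports:" field is port/state/proto/owner/service/rpcinfo/version/.
open_services() {
  awk -F '\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host)
      sub(/ .*$/, "", host)            # drop the "(hostname)" part
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] != "open") continue   # skip closed/filtered entries
          if (f[7] != "")
            printf "%s %s/%s %s (%s)\n", host, f[1], f[3], f[5], f[7]
          else
            printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
        }
      }
    }'
}

# unexpected_services: read -oG text on stdin and print only the open
# services whose "host port/proto" pair is not in the allowlist file given
# as $1 (one pair per line). A non-empty result is the alert condition.
unexpected_services() {
  allow="$1"
  open_services | while read -r host portproto rest; do
    grep -qx "$host $portproto" "$allow" || printf '%s %s%s\n' "$host" "$portproto" "${rest:+ $rest}"
  done
}

# Stand-alone run: full inventory, then what a two-entry allowlist would flag.
sample_grepable | open_services
allowlist=$(mktemp)
printf '10.0.0.5 22/tcp\n10.0.0.5 80/tcp\n' > "$allowlist"   # constructed allowlist
echo "--- open services not in allowlist:"
sample_grepable | unexpected_services "$allowlist"
rm -f "$allowlist"
```

Replace `sample_grepable` with `cat scan.gnmap` (or pipe `nmap -oG -` directly) to use it on real output; the allowlist file is the place to keep the services each host is supposed to expose.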

### Masscan (Fast network scanning)

```bash
masscan -p80,8000-8100 --rate 20000 10.0.0.0/8
```

### RustScan (Modern port scanner)

```bash
rustscan -a <ip>
```

### GoBuster (Directory scanning)

```bash
gobuster dir -u <url> -w /usr/share/wordlists/dirb/common.txt -t 30
gobuster dns -d <domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 30
gobuster fuzz -u "<url>/?p=FUZZ" -w /usr/share/wordlists/wfuzz/general/common.txt -t 30
```

- dir: Brute-force directories and files
- dns: Brute-force subdomains
- fuzz: Fuzz mode; the FUZZ keyword in the URL is replaced by each wordlist entry (e.g. for parameters)
- -u: Target URL
- -d: Target domain
- -w: Wordlist to use

### Dirb (Directory scanning)

```bash
dirb <url>
```

### Gospider (Web crawling)

```bash
gospider -o output -c 10 -d 1 -t 30 -s "<url>"
```

### FFuf (Fast directory scanning & custom payloads)

```bash
ffuf -u http://target/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200 -fc 204,301,302,307,401,403,405,500
ffuf -u "http://target/login.php?FUZZ=1" -c -w /usr/share/wordlists/dirb/common.txt -fw 39
ffuf -u http://target/login.php -c -w /usr/share/wordlists/dirb/common.txt -X POST -d 'user=admin&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
```

- -u: Target URL
- -w: Wordlist file path
- -mc: Match HTTP status codes, or "all" for everything
- -fc: Filter out responses with these HTTP status codes
- -fl: Filter out responses with this number of lines
- -fs: Filter out responses of this size (bytes)
- -fw: Filter out responses with this number of words
- -c: Colorize output
- -X: HTTP method to use
- -d: POST data
- -H: Header as "Name: Value" (name and value separated by a colon)

### WFuzz (Web application fuzzer)

```bash
wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt http://example.com/FUZZ/note.txt
wfuzz -c -z file,wordlist.txt -d "username=FUZZ&password=FUZZ" -u http://example.com/login.php
# -d takes the POST body as its argument; for a GET parameter put FUZZ in the URL instead
wfuzz -c -z file,big.txt "http://example.com/login.php?id=FUZZ"
```

- -c: Show the output in color
- -z file,<wordlist>: Specifies what will replace FUZZ in the request
- --hc/hl/hw/hh: Hide responses with the specified status code/lines/words/chars
- -d postdata: Send the request as a POST with this body (e.g. "id=FUZZ&catalogue=1")

### Arjun (HTTP parameter discovery)

```bash
arjun -u https://api.example.com/endpoint
```

### Nikto (Web server scanner)

```bash
nikto -host <target>
```