Week 6: Enumeration

Enumeration for the win - The intent of this lesson is to provide an overview of basic enumeration tactics and then dive deep into specific tools used for common ports found in penetration testing. For example, if we find port 80 open on a scan (HTTP), we will likely want to know what service is running and enumerate that service for potential exploits at a high level. At a deep level, we will want to explore the app with tools such as Nikto, Dirbuster/Dirb, and Burp Suite to really enumerate the app where tools like Nmap and Nessus fail to go deep enough.

Notes

If you see a test page, it indicates poor hygiene.

Unless it's a web app assessment, you don't need to discuss headers, e.g. (from nikto):

+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

Want to do a bruteforce attack on SSH at some point to make sure their SIM catches it

Penetration Tester - make a lot of noise
Red Team - try not to trigger anything
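The nikto findings above are just checks for absent response headers, and the "test page" note is a check on the body. The following is an added example (not part of the course notes and not nikto's code) that performs both checks on a raw HTTP response so you can see exactly what such a finding is based on; the header list, the test-page marker strings and the two sample responses are constructed for illustration.

```python
"""Added example: flag the security headers nikto reports as missing, plus a
default/test-page check. Not from the course notes; the marker strings and the
sample responses below are constructed for illustration."""
from typing import Dict, List, Tuple

# Headers nikto complains about (wording condensed from the notes above).
SECURITY_HEADERS: Dict[str, str] = {
    "x-frame-options": "anti-clickjacking header is not present",
    "x-content-type-options": "header is not set; the user agent may sniff content away from the declared MIME type",
    "x-xss-protection": "header is not defined; it can hint the user agent to block some reflected XSS",
}

# Phrases commonly seen on default web server pages (assumption: a small
# illustrative list, not an exhaustive signature set).
TEST_PAGE_MARKERS = ("it works!", "test page", "default page")


def split_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status line, lowercase-keyed headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def missing_security_headers(raw: str) -> List[str]:
    """Return nikto-style findings for each expected header absent from the response."""
    _, headers, _ = split_response(raw)
    return [f"{name}: {why}" for name, why in SECURITY_HEADERS.items() if name not in headers]


def looks_like_test_page(raw: str) -> bool:
    """True when the body reads like an unconfigured server's placeholder page."""
    _, _, body = split_response(raw)
    lowered = body.lower()
    return any(marker in lowered for marker in TEST_PAGE_MARKERS)


# Constructed sample: a placeholder page with only X-Frame-Options set.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.20 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body><h1>It works!</h1></body></html>"
)

# Constructed sample: the same page after the remaining headers are added.
HARDENED_RESPONSE = WEAK_RESPONSE.replace(
    "X-Frame-Options: DENY\r\n",
    "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n",
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}] test page: {looks_like_test_page(resp)}")
        for finding in missing_security_headers(resp):
            print(f"[{label}] + {finding}")
```

Running it prints two findings for the weak response and none for the hardened one; the Server header is also kept in the parsed dict, which is where the version string for the searchsploit step further down comes from.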

HTB: OneTwoSeven - Retired

$ nmap -T4 -p- <ip>
$ nmap -sU -T4 <ip>

open ports: 22, 80, 60080

$ nmap -A -T4 -p22,80,60080 <ip>

# cannot access the filtered port at 10.10.10.133:60080 directly, so add a hostname entry to the local hosts file (/etc/hosts)

$ gedit /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
10.10.10.133    onetwoseven.htb

........

smbclient

smbclient -L \\\\10.10.10.4
smbclient \\\\10.10.10.4\\IPC$

searchsploit

searchsploit apache 1.3
searchsploit apache 1.3.20   # more specific, but would hide 1.3.X vulns
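The caveat on the second command is that searchsploit matches on title text, so a query for "1.3.20" misses entries filed as "1.3.x" or "< 1.3.27" even though they cover that version. The following is an added example (not from the notes and not searchsploit's own logic) showing the difference between a title substring search and a version-aware match; the entry list is constructed for illustration and does not reflect real Exploit-DB titles.

```python
"""Added example: version-aware matching of exploit entries, illustrating why
searching 'apache 1.3.20' hides entries filed as 1.3.x or '< 1.3.27'. Not from
the notes or from searchsploit; the entry list is constructed (not real
Exploit-DB titles)."""
import re
from typing import List, Tuple

# (title, version pattern) pairs. Constructed for illustration only.
CONSTRUCTED_ENTRIES: List[Tuple[str, str]] = [
    ("Apache 1.3.20 - constructed entry A", "1.3.20"),
    ("Apache 1.3.x - constructed entry B", "1.3.x"),
    ("Apache < 1.3.27 - constructed entry C", "< 1.3.27"),
    ("Apache 2.0.x - constructed entry D", "2.0.x"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.20' -> (1, 3, 20); non-numeric parts such as a trailing 'x' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_matches(detected: str, pattern: str) -> bool:
    """Does the detected version fall under an entry's version pattern?

    Supported pattern forms: exact ('1.3.20'), wildcard ('1.3.x'),
    and upper bounds ('< 1.3.27', '<= 1.3.27').
    """
    pattern = pattern.strip()
    det = parse_version(detected)
    bound = re.match(r"^(<=|<)\s*([\d.]+)$", pattern)
    if bound:
        limit = parse_version(bound.group(2))
        return det < limit if bound.group(1) == "<" else det <= limit
    if pattern.lower().endswith(".x"):
        prefix = parse_version(pattern[:-2])
        return det[: len(prefix)] == prefix
    return det == parse_version(pattern)


def title_search(term: str, entries=CONSTRUCTED_ENTRIES) -> List[str]:
    """Plain substring search on titles: what an over-specific query gives you."""
    return [title for title, _ in entries if term.lower() in title.lower()]


def applicable_entries(detected: str, entries=CONSTRUCTED_ENTRIES) -> List[str]:
    """Entries whose version pattern covers the detected version."""
    return [title for title, pat in entries if version_matches(detected, pat)]


if __name__ == "__main__":
    detected = "1.3.20"
    print("title search  :", title_search(detected))
    print("version-aware :", applicable_entries(detected))
```

The title search returns only entry A, while the version-aware match also returns B and C; in practice that is why the notes recommend the broader `searchsploit apache 1.3` query and then reading the version ranges in the titles yourself.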
