mkdir machine && cd machine
Compile a list of accessible hosts and add it to a hosts.txt file.
Run one or more scans on the host:
- Nmap
- quick scan
sudo nmap -T 5 -sS -p- host - Aggressive scan on ports found through quick scan
sudo nmap -A -p <ports> hostsudo nmap -sV -O -A -Pn -p- -iL hosts.txt
- Autorecon
sudo su/home/kali/.local/bin/autorecon -t hosts.txt
- Incursore
mkdir incursore && cd incursoresudo ~/tools/incursore/incursore.sh -t all -H $IP
Hosts with specific port open:
nmap --open -p 111 10.11.1.0/24 -oG - | grep "/open" | awk '{ print $2 }'
Review the completed scans and mark down any notable information in your spreadsheet:
- Operating Systems
- Hostnames
- Open Ports
- Service Versions
- Anonymous or Guest access
- Random port with no info? try
nc IP PORTorecho "version" | nc IP PORT
| IP | Hostname | OS |
|---|---|---|
| 192.168.201.145 | FILES01 | Windows Server 2012 |
| Port | Service | Notes |
|---|---|---|
| 21 | vsftpd 2.0.8 or later | Anonymous Allowed |
| 22 | OpenSSH for_Windows_8.1 (protocol 2.0) | Accepts Passwords |
| 80 | Apache httpd 2.4.51 ((Win64) PHP/7.4.26) | Attendance and Payroll System |
Quick links to information by service:
| Service | Service | Service |
|---|---|---|
| [[21 - FTP]] | [[22 - SSH]] | [[23 - TELNET]] |
| [[25 - SMTP]] | [[53 - DNS]] | [[80 - WEB]] |
| [[88 - KERBEROS]] | [[111 - NFS]] | [[135 - RPC]] |
| [[445 - SMB]] | [[161 - SNMP]] | [[389 - LDAP]] |
| [[3389 - RDP]] | [[5985 - WINRM]] | [[SQL DBs]] |