Perform a full port scan using Nmap:
nmap $IP -p- -sC -sV
Perform a no-ping scan (useful if ICMP is blocked):
nmap $IP -p- -sC -sV -Pn
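From the defender's side, the full-range scan above leaves a distinctive trace: one source touching a large number of distinct destination ports on one host within seconds, whether or not -Pn was used. The following is an added example, not part of the original cheat sheet, that flags that pattern in connection logs. The log line format and the sample lines are constructed for the example and are not any product's real format.

```python
"""Flag port-sweep behaviour in firewall/connection logs (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def detect_port_sweeps(lines, threshold=25, window=timedelta(seconds=60)):
    """Return {(src, dst): peak_distinct_ports} for pairs whose distinct-port
    count inside any sliding window of `window` seconds reaches `threshold`.
    Both ACCEPT and DROP entries count: a scanner probes closed ports too."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["port"]))

    hits = {}
    for pair, evs in events.items():
        evs.sort()                       # order by timestamp
        recent = deque()                 # events inside the current window
        ports_in_window = Counter()      # distinct ports -> occurrences
        peak = 0
        for ts, port in evs:
            recent.append((ts, port))
            ports_in_window[port] += 1
            # Expire events that fell out of the window.
            while recent and ts - recent[0][0] > window:
                _, old_port = recent.popleft()
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
            peak = max(peak, len(ports_in_window))
        if peak >= threshold:
            hits[pair] = peak
    return hits


def build_sample_log():
    """Constructed sample: a normal client on 80/443 and one host sweeping
    ports 1-60 against 10.0.0.20 in six seconds."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(10):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 -> 10.0.0.20:{80 if i % 2 else 443} ACCEPT")
    for port in range(1, 61):
        ts = (base + timedelta(milliseconds=100 * port)).isoformat()
        action = "ACCEPT" if port in (22, 80) else "DROP"
        lines.append(f"{ts} 10.0.0.5 -> 10.0.0.20:{port} {action}")
    return lines


if __name__ == "__main__":
    for (src, dst), ports in detect_port_sweeps(build_sample_log()).items():
        print(f"possible port sweep: {src} -> {dst}, {ports} distinct ports in window")
```

The threshold and window are deliberately loose defaults; tune them against the normal port spread of your own hosts, and treat the DROP entries as the stronger signal, since legitimate clients rarely touch closed ports.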
Enumerate services and versions on open ports.
Check for default credentials on common services (FTP, SSH, SMB, etc.).
Perform directory and file enumeration on web servers (if any):
Use tools like:
Dirbuster
Dirb: dirb http://$IP /path/to/wordlist
wfuzz: wfuzz -c -z file,/path/to/wordlist -u http://$IP/FUZZ
wfuzz can also take the wordlist from standard input, where -w - instructs Wfuzz to read from stdin instead of a local file: curl https://example.com/wordlist.txt | wfuzz -c -w - http://target/FUZZ
Gobuster: gobuster dir -u http://$IP -w /path/to/wordlist
ffuf: ffuf -w /path/to/wordlist -u http://$IP/FUZZ
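Every one of the wordlist tools above produces the same server-side footprint: a burst of requests from one client where almost every response is a 404, with a handful of 200s marking the paths the wordlist actually found. The following is an added example, not part of the original cheat sheet, that scores web-server access logs on that ratio and reports the paths a flagged client discovered, which is what an incident responder needs to triage first. The lines are constructed in combined log format; the User-Agent values are made up, and the check deliberately ignores them because they are trivial to change.

```python
"""Flag directory brute-forcing in web access logs (added example)."""
import re
from collections import defaultdict

# Combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}


def detect_web_fuzzing(lines, min_requests=20, min_404_ratio=0.8):
    """Return {ip: summary} for clients with at least `min_requests` requests
    of which at least `min_404_ratio` were 404s. The summary lists the paths
    that did NOT 404, i.e. what the wordlist found."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "found": set()})
    for line in lines:
        ev = parse_access_line(line)
        if not ev:
            continue
        s = stats[ev["ip"]]
        s["requests"] += 1
        s["paths"].add(ev["path"])
        if ev["status"] == 404:
            s["not_found"] += 1
        else:
            s["found"].add(ev["path"])

    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= min_404_ratio:
            flagged[ip] = {
                "requests": s["requests"],
                "not_found": s["not_found"],
                "distinct_paths": len(s["paths"]),
                "ratio": round(ratio, 2),
                "discovered": sorted(s["found"]),
            }
    return flagged


def build_sample_access_log():
    """Constructed sample: a normal visitor plus one client making 40 guesses,
    38 of which 404 and two of which exist."""
    stamp = "01/May/2024:10:00:{:02d} +0000"
    lines = []
    for i, path in enumerate(["/", "/about", "/static/app.js", "/login", "/"]):
        lines.append(f'10.0.0.7 - - [{stamp.format(i)}] "GET {path} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    for i in range(40):
        status = 200 if i in (3, 17) else 404
        lines.append(f'10.0.0.5 - - [{stamp.format(i % 60)}] "GET /guess{i} HTTP/1.1" {status} 153 "-" "ExampleFuzzer/1.0"')
    return lines


if __name__ == "__main__":
    for ip, summary in detect_web_fuzzing(build_sample_access_log()).items():
        print(f"{ip}: {summary['not_found']}/{summary['requests']} 404s, found {summary['discovered']}")
```

Run it over a real access log by feeding `open(path)` to detect_web_fuzzing instead of the constructed lines; the 404 ratio holds up across tools because it measures what the wordlist does, not how the client identifies itself.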
Use vulnerability scanners like Nikto, OpenVAS, or Nessus to identify potential vulnerabilities
Manually check for known exploits of identified services
Attempt to exploit known vulnerabilities:
Use Metasploit Framework or manual exploitation methods
Look for misconfigurations or weak points (like weak passwords)
Check for privilege escalation opportunities
Linux
https://gtfobins.github.io/
https://github.com/Frissi0n/GTFONow
LinPEAS
Windows
WinPEAS
Document any loot (passwords, keys, confidential data)
CrackMapExec
Impacket
When successful, enumerate the system for the flag