# Recon and Enumeration

Miscellaneous recon and enumeration notes.

## nmap

```bash
nmap -sC -sV -oA outfile IP
```

## DNS

```bash
nslookup
> server IP
```

```bash
dig axfr @IP alt-hostname
```

## WordPress

```bash
wpscan --url http://TARGET --enumerate u --log
```
## vhost discovery

Using the scanner from github.com/jobertabma/virtual-host-discovery.

Create a wordlist from the SecLists fierce hostlist, so that every entry ends in `.%s`:

```bash
sed 's/$/.%s/g' /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt > ~/opt/virtual-host-discovery/fierce-hostlist.txt
```

Get the Content-Length of the page served when no virtual host matches, to use as a filter (`tr` strips the CR that terminates every HTTP header line, which would otherwise end up in the variable):

```bash
content_length=$(curl -sI http://cache.htb | grep -i 'Content-Length' | cut -d ' ' -f 2 | tr -d '\r')
```

Run the scan (the wordlist path matches the file written above):

```bash
ruby ~/opt/virtual-host-discovery/scan.rb --ip=10.10.10.188 --port=80 --host=htb --ignore-content-length=$content_length --wordlist=$HOME/opt/virtual-host-discovery/fierce-hostlist.txt
```
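The defender's view of the same procedure, as an added example that is not part of these notes: a pass over web-server access logs in Apache's `vhost_combined` layout (an assumption; the sample lines are constructed) that flags a client walking a hostlist against a server whose default site answers every miss with the same-sized page, which is exactly the behaviour the Content-Length filter above relies on.

```python
import re
from collections import defaultdict

# Apache "vhost_combined" style: "%v:%p %h %l %u %t \"%r\" %>s %O" (rest ignored).
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: 10.10.14.5 walks a hostlist; every miss is answered by the
# default site (same status, same byte count). 10.10.14.9 is an ordinary visitor.
SAMPLE_LOG = """\
cache.htb:80 10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 8193
www.htb:80 10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 8193
mail.htb:80 10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 8193
ftp.htb:80 10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 8193
dev.htb:80 10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 8193
admin.htb:80 10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 8193
portal.htb:80 10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 5120
cache.htb:80 10.10.14.9 - - [01/Jan/2024:10:00:05 +0000] "GET /about HTTP/1.1" 200 4410
cache.htb:80 10.10.14.9 - - [01/Jan/2024:10:00:06 +0000] "GET /news HTTP/1.1" 200 6002
"""

def find_vhost_scanners(log_text, min_hosts=5, same_size_ratio=0.7):
    """Flag client IPs whose requests spread over many distinct Host values
    and mostly receive an identically sized response: the default site
    answering a hostlist walk. Returns {ip: {...}} for flagged clients."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            per_ip[m['ip']].append((m['vhost'], m['size']))

    findings = {}
    for ip, reqs in per_ip.items():
        hosts = {vhost for vhost, _ in reqs}
        if len(hosts) < min_hosts:
            continue
        sizes = [size for _, size in reqs]
        baseline = max(set(sizes), key=sizes.count)  # most common size = default site
        if sizes.count(baseline) / len(sizes) < same_size_ratio:
            continue
        # Hosts whose size differs from the baseline are the real vhosts the walk exposed.
        findings[ip] = {
            'distinct_hosts': len(hosts),
            'baseline_size': baseline,
            'hits': sorted(vhost for vhost, size in reqs if size != baseline),
        }
    return findings
```

The `hits` list is the same information the scanner's operator gets, so it doubles as a review list of virtual hosts that are reachable but perhaps not meant to be.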
## Look for git repos

```bash
find -type d -name ".git" 2>/dev/null
```