๐Ÿ‘ฉโ€๐Ÿ’ผShenzi

nmap 192.168.142.55

nmap -p 21,80,135,139,443,445,3306 -sC -sV -A 192.168.142.55

PORT   STATE SERVICE VERSION
21/tcp       ftp     FileZilla ftpd 0.9.41 beta
80/tcp       http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)

Will try SMB enumeration first, as SMB is enabled.

smb-os-discovery NSE Script

nmap --script smb-os-discovery 192.168.142.55

smb-enum-shares NSE Script

nmap --script smb-enum-shares -p139,445 192.168.142.55

nmap --script "smb-vuln*" 192.168.142.55

SMB Enumeration: Enum4Linux

enum4linux 192.168.142.55

SMB Enumeration: Hostname

nmblookup

nmblookup -A 192.168.142.55

nbtscan

nbtscan 192.168.142.55

nbstat NSE Script

nmap --script nbstat.nse 192.168.142.55

nbtstat

nbtstat -A 192.168.142.55

Ping

ping -a 192.168.142.55

smb-os-discovery NSE Script

nmap --script smb-os-discovery 192.168.142.55

SMB Enumeration: Share and Null Session

SMBMap

smbmap -H 192.168.142.55

smbmap -H 192.168.142.55 -u raj -p 123

smbclient

smbclient -L 192.168.142.55

smbclient //192.168.142.55/Shenzi

get file.txt

smbclient -L 192.168.142.55 -U raj%123

smbclient //192.168.142.55/Shenzi -U raj%123

get passwords.txt

Net view

net view \\192.168.142.55 /All

Web Enumeration

Now we will browse the IP.

We will try gobuster/ffuf/wfuzz/dirb/dirsearch/nikto.

Kali Linux default wordlists:

  • /usr/share/wordlists/dirbuster/directory-list-2.3-*.txt

  • /usr/share/wordlists/dirbuster/directory-list-1.0.txt

  • /usr/share/wordlists/dirb/big.txt

  • /usr/share/wordlists/dirb/common.txt

  • /usr/share/wordlists/dirb/small.txt

  • /usr/share/wordlists/dirb/extensions_common.txt - Useful for when fuzzing for files!

wfuzz

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://192.168.210.55/FUZZ

Gobuster and Modes

โ€œdirโ€ Mode:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.210.55/

โ€œdnsโ€ mode:

gobuster dns -d http://192.168.210.55/ -w /usr/share/spiderfoot/spiderfoot/dicts/subdomains.txt

"vhost" mode:

gobuster vhost -u http://192.168.210.55/ -w /usr/share/set/src/fasttrack/wordlist.txt

ffuf

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.210.55/FUZZ -fl 480

dirsearch

dirsearch -u http://192.168.210.55/ -e php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

dirb

dirb http://192.168.210.55/

nikto

nikto -h http://192.168.210.55/

feroxbuster

feroxbuster -u http://192.168.210.55/ --no-recursion -vv

whatweb

whatweb -a 3 http://192.168.210.55/

wafw00f

wafw00f -a http://192.168.210.55/

find / -type f -name "common.txt" 2>/dev/null

gobuster dir -u http://94.237.59.63:55455/ -w /usr/share/dirb/wordlists/common.txt

gobuster dir -u http://IP_ADDRESS -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 100 -x txt,php,js --no-error -z > gobuster-dir.txt

gobuster dir -u http://IP_ADDRESS -w /usr/share/wordlists/seclists/Discovery/Web-Content/IIS.fuzz.txt -t 100 -x txt,php,js --no-error -z

Fuzzing

Searching for helpful PHP files

gobuster fuzz -u http://IP_ADDRESS/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/PHP.fuzz.txt

There are hundreds of wordlists in SecLists alone to choose from. It's worth taking the time to browse the repo just to know what is available there for when you might need it.

An alternative to GoBuster would be wfuzz, which is a dedicated fuzzer. I used this in the Robust room walkthrough. I won't cover it in detail as it offers similar functionality to what we explored above.

wfuzz --sc 200 -u http://192.168.163.200/FUZZ.php -w /usr/share/wordlists/wfuzz/general/big.txt

Note: we have tried many possible paths and nothing was identified. Now we will think about which directory WordPress could be installed in. Because the disk name and the share path name are both "shenzi", we will try the shenzi path for the WordPress installation.
