Its still a work-in-progress
| README.md | ||
CTF_CheatSheet
Stage 1 - Lay of the Land
enumeration
-
Passive Recon
- Shodan
- Wayback Machine
- The Harvester
-
Active Recon
- Nmap
- Masscan
- Network discovery
- RPCClient
- Enum4all
-
List all the subdirectories and files
- Gobuster
- Backup File Artifacts Checker
-
Web Vulnerabilities
- Repository Github
- Burp
- Web Checklist
- Nikto
- Payment functionality
-
Basic Scan
sudo nmap -sSV -p- IP -oA nmap/initial -T4
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports • the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000) • -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE" • -iL INPUTFILE tells Nmap to use the provided file as inputs
- CTF Scan
nmap -sV -sC -oA nmap/initial IP
• -sV : Probe open ports to determine service/version info
• -sC : to enable the script
• -oA : to save the results
After this quick command you can add "-p-" to run a full scan while you work with the previous result
nmap -sV -sC -oA -p- nmap/initial IP
- Aggressive Nmap
nmap -A -T4 scanme.nmap.org
• -A: Enable OS detection, version detection, script scanning, and traceroute
• -T4: Defines the timing for the task (options are 0-5 and higher is faster)
- Masscan
masscan IP -p 1-65535 --rate 100 -oX masscan.xml
- Using DirBuster or GoBuster
./gobuster -u http://buffered.io/ -w /secondary/wordlists/more-lists/dirb/ -t 10
-u url
-w wordlist
-t threads
More subdomain :
./gobuster -m dns -w subdomains.txt -u google.com -i
gobuster -w wordlist -u URL -r -e /secondary/wordlists/more-lists/dirb/