Initial Reconnaissance

• Perform a full port scan using Nmap:

  • nmap $IP -p- -sC -sV

• Perform a no-ping scan (useful if ICMP is blocked):

  • nmap $IP -p- -sC -sV -Pn

Enumeration

• Enumerate services and versions on open ports.

• Check for default credentials on common services (FTP, SSH, SMB, etc.).

• Perform directory and file enumeration on web servers (if any):

  • Use tools like:

  • Dirbuster

  • Dirb dirb http://$IP /path/to/wordlist

  • wfuzz - wfuzz -c -z file,/pasth/to/wordlist -u http://$IP/FUZZ

  • Gobuster - gobuster dir -u http://$IP -w /path/to/wordlist

  • ffuf - ffuf -w /path/to/wordlist -u http://$IP/FUZZ

Vulnerability Scanning

• Use vulnerability scanners like Nikto, OpenVAS, or Nessus to identify potential vulnerabilities

• Manually check for known exploits of identified services

Exploitation

• Attempt to exploit known vulnerabilities:

  • Use Metasploit Framework or manual exploitation methods

• Look for misconfigurations or weak points (like weak passwords)

Post-Exploitation

• Check for privilege escalation opportunities

  • Linux

    • https://gtfobins.github.io/

    • https://github.com/Frissi0n/GTFONow

    • LinPEAS

  • Windows

    • WinPEAS

• Document any loot (passwords, keys, confidential data)

• When successful, enumerate the system for the flag