Pentesting Quick Reference OSCP and Beyond
  • Basic Tools & Techniques
  • Linux Basics
  • Windows Basics
  • Shells
  • Uploading Shells/ Transferring Files
  • FootPrinting
  • Host Discovery
  • Scanning
  • Vulnerability assessment
  • Metasploit and Meterpreter
    • Payloads
  • Brute Forcing/ Password Cracking
    • Attacking LSASS Passwords
    • Credentials Hunting Windows
    • Credential Hunting in Linux
    • Passwd, Shadow & Opasswd
    • Pass the Hash (PtH)
    • Protected Files
    • Protected Archives
    • Password Policies
    • Password Managers
    • Breached Credentials
  • Linux Remote Management Protocols
  • Windows Remote Management Protocols
  • Port 20/21 - FTP Pentesting
  • Port 23 Telnet
  • Port 25 - SMTP
  • IMAP/ POP3
  • Port 53 DNS
  • Port 445 - SMB
  • Port 111 -RPC Bind
  • Port 135 - RPC
  • Port 137 NetBios
  • Port 161 SNMP
  • Port 1433 - MSSQL
  • Port 1521 Oracle TNS
  • Port 1833 - MQTT
  • Port 2049 - NFS
  • Port 3306 MySQL
  • Port 3389 - RDP
  • Port 5985 - Winrm
  • Port 632 (UDP) IPMI
  • Redis (6379)
  • Port 10000 Webmin
  • Privilege Escalation
    • Windows Priv esc
    • Linux Priv esc
  • Active Directory
    • AD Basics
      • AD Management Basics
    • Initial Enumeration of AD
      • Enumerating AD Users
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Password Spraying - Making a Target User List
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
      • Enumerating Security Controls
    • LLMNR Poisoning
    • SMB/ NTLM Relay Attacks
    • Pass the Ticket
      • Pass the Ticket (PtT) from Windows
      • Pass the Ticket (PtT) from Linux
    • AD Shell
    • AD Enumeration
      • Credentialed Enumeration - from Linux
      • Credentialed Enumeration - from Windows
      • Living off the Land
    • AS-REP roasting
    • Kerberosting
      • Kerberos "Double Hop" Problem
    • Access Control List (ACL) Abuse Primer
      • ACL Enumeration
      • ACL Abuse Tactics
      • DCSync
        • DCSync Example Forest HTB
    • BloodHound
    • Bloodhound CE
    • Privilege Escaltion
    • Bleeding Edge Vulnerabilities
    • Miscellaneous Misconfigurations
    • Attacking Active Directory & NTDS.dit 1
    • Domain Trusts
      • Attacking Domain Trusts - Child -> Parent Trusts - from Windows
      • Attacking Domain Trusts - Child -> Parent Trusts - from Linux
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    • Hardening Active Directory
    • Additional AD Auditing Techniques
    • HTB AD Enumeration & Attacks - Skills Assessment Part I
  • Web Pentesting
    • Subdomains, directories and Vhost listing
    • Command Injection
    • XSS
    • SQL Injection
    • Authentication Bypass
  • Cryptography
  • More Resources
  • Forensics
  • IoT Security
  • API Security
  • Binary Exploitation
    • Assembly Cheatsheat for Hackers
    • Malware Analysis
      • Basic Static Malware Analysis
  • Boxes/ Machines
    • Try Hack Me
      • Vulnversity
      • Basic Pentesting
      • Kenobi
      • Steel Mountain
    • Vulnhub
      • Tiki
    • HTB
      • Beep
      • Active
      • Forest
      • Devel
    • Metasploitable 2
    • PWN.COLLEGE Talking Web
    • PWN COLLGE Web Hacking
  • Private Challenges
    • Pwn
    • Forensics
  • Misc tools
    • NetExec
  • SOC Analyst Resources
  • OSCP Tips and Misc
  • Mobile Hacking
  • Buffer Overflow
  • Wordpress
  • Web3 and Blockchain Security
  • WIFI Hacking
    • WPS Hacking
    • Misc Tools
Powered by GitBook
On this page

Last updated 2 years ago

1. Vulnerability assessment using openVAS

2. Vulnerability assessment using Nessus

Windows version. Scanning with a policy

3. Vulnerability assessment using GFI LanGuard

Windows tool

4. Nikto scanner

Nikto help

start the scan

-h specifies the targer

-Tuning scan perimenters, x specifies run all scans against the target

Finding cgi directories

saving the scan

-o filename where result will be saved

-F file type

Scanning on other ports

Nikto Plugins

Some interesting plugins include:

We can specify the plugin we wish to use by using the-Plugin argument and the name of the plugin we wish to use...For example, to use the "apacheuser" plugin, our Nikto scan would look like so:

Tuning Your Scan for Vulnerability Searching

Nikto has several categories of vulnerabilities that we can specify our scan to enumerate and test for. The following list is not extensive and only include the ones that you may commonly use. We can use the -Tuningflag and provide a value in our Nikto scan:

Saving Your Findings

Rather than working with the output on the terminal, we can instead, just dump it directly into a file for further analysis - making our lives much easier!

Nikto is capable of putting to a few file formats including:

  • Text File

  • HTML report

We can use the -o argument (short for -Output) and provide both a filename and compatible extension. We can specify the format (-f) specifically, but Nikto is smart enough to use the extension we provide in the-o argument to adjust the output accordingly.

For example, let's scan a web server and output this to "report.html": nikto -h http://ip_address -o report.html

Verbosing our Scan

We can increase the verbosity of our Nikto scan by providing the following arguments with the-Display flag. Unless specified, the output given by Nikto is not the entire output, as it can sometimes be irrelevant (but that isn't always the case!)

Plugins further extend the capabilities of Nikto. Using information gathered from our basic scans, we can pick and choose plugins that are appropriate to our target. You can use the --list-plugins flag with Nikto to list the plugins or .

Plugin Name
Description
Category Name
Description
Tuning Option
Argument
Description
Reasons for Use
nikto -H
nikto -h islamabadtrafficpolice.gov.pk -Tuning x
nikto -h certifiedhacker.com -Cgidirs all
nikto -h certifiedhacker.com -o result -F txt
nikto -h 10.10.10.1 -p 80,8000,8080

apacheusers

Attempt to enumerate Apache HTTP Authentication Users

cgi

Look for CGI scripts that we may be able to exploit

robots

Analyse the robots.txt file which dictates what files/folders we are able to navigate to

dir_traversal

Attempt to use a directory traversal attack (i.e. LFI) to look for system files such as /etc/passwd on Linux (http://ip_address/application.php?view=../../../../../../../etc/passwd)

nikto -h 10.10.10.1 -Plugin apacheuser

File Upload

Search for anything on the web server that may permit us to upload a file. This could be used to upload a reverse shell for an application to execute.

0

Misconfigurations / Default Files

Search for common files that are sensitive (and shouldn't be accessible such as configuration files) on the web server.

2

Information Disclosure

Gather information about the web server or application (i.e. verison numbers, HTTP headers, or any information that may be useful to leverage in our attack later)

3

Injection

Search for possible locations in which we can perform some kind of injection attack such as XSS or HTML

4

Command Execution

Search for anything that permits us to execute OS commands (such as to spawn a shell)

8

SQL Injection

Look for applications that have URL parameters that are vulnerable to SQL Injection

9

1

Show any redirects that are given by the web server.

Web servers may want to relocate us to a specific file or directory, so we will need to adjust our scan accordingly for this.

2

Show any cookies received

Applications often use cookies as a means of storing data. For example, web servers use sessions, where e-commerce sites may store products in your basket as these cookies. Credentials can also be stored in cookies.

E

Output any errors

This will be useful for debugging if your scan is not returning the results that you expect!

Vulnerability assessment

PreviousScanningNextMetasploit and Meterpreter
  • 1. Vulnerability assessment using openVAS
  • 2. Vulnerability assessment using Nessus
  • 3. Vulnerability assessment using GFI LanGuard
  • 4. Nikto scanner
  • Nikto Plugins
  • Tuning Your Scan for Vulnerability Searching
  • Saving Your Findings
  • Verbosing our Scan
view the whole list in an easier to read format online
https://localhost:8834localhost
LogoGFI LanGuard