Methodology

From enum to root.

Recon

NMAP

# nmap tcp: all 65535 ports with version detection and default scripts
# (-sV -sC on -p- is slow; a bare -p- sweep followed by -sV -sC on the open ports only is faster)
sudo nmap -sV -sC -T4 -p- 10.13.37.11

# nmap udp: a full-range UDP scan takes hours, scope it (e.g. --top-ports 100) when time is short
sudo nmap -sU "$IP"
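
The two-stage scan mentioned above, as an added example that is not part of the original page: a shell helper that parses nmap's greppable output (-oG) from the full -p- sweep and builds the port list for a focused -sV -sC second pass. The scan text embedded in the script is constructed sample data, not a real scan; the function names and the stage-1 file name are this example's own.

```shell
# Added example: parse nmap -oG output from a -p- sweep into a port list
# for a focused -sV -sC scan. SAMPLE_GNMAP is CONSTRUCTED sample data.
# Real -oG output separates fields with tabs; the parsing below does not
# depend on that, so spaces are used here.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- -oG stage1.gnmap 10.13.37.11
Host: 10.13.37.11 ()    Status: Up
Host: 10.13.37.11 ()    Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 139/filtered/tcp//netbios-ssn///, 443/open/tcp//https//nginx 1.18.0/, 8080/open/tcp//http-proxy///    Ignored State: closed (65530)
# Nmap done at Mon Jan  1 00:00:10 2024 -- 1 IP address (1 host up) scanned in 10.00 seconds'

# Write the sample scan to a temp file and print its path, so the helpers
# below take a file argument exactly as they would with real -oG output.
write_sample_gnmap() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_GNMAP" > "$f"
  printf '%s\n' "$f"
}

# Open TCP ports as a comma-separated list suitable for "nmap -p".
# Only the "open" state is taken; filtered/closed entries are dropped.
open_tcp_ports() {
  grep -oE '[0-9]+/open/tcp' "$1" | cut -d/ -f1 | sort -n -u | paste -sd, -
}

# One line per open TCP port: "port service version".
# -oG port entries are port/state/proto/owner/service/rpcinfo/version/,
# so after splitting on "/" the service is field 5 and the version field 7
# (empty when the sweep ran without -sV, as stage 1 usually does).
open_tcp_services() {
  grep -oE '[0-9]+/open/tcp//[^/]*//[^/]*' "$1" \
    | awk -F/ '{ print $1, $5, $7 }'
}

# Stage-2 command string (printed, not executed) that only touches the
# ports found open in stage 1. Fails if the sweep found nothing.
focused_scan_cmd() {
  ports=$(open_tcp_ports "$1")
  [ -n "$ports" ] || { echo "no open TCP ports in $1" >&2; return 1; }
  printf 'sudo nmap -sV -sC -p %s %s\n' "$ports" "$2"
}

# Demonstration on the constructed sample.
f=$(write_sample_gnmap)
echo "open ports: $(open_tcp_ports "$f")"
open_tcp_services "$f"
focused_scan_cmd "$f" 10.13.37.11
rm -f "$f"
```

Against real output, run the sweep as `sudo nmap -p- -oG stage1.gnmap 10.13.37.11` and pass `stage1.gnmap` to the helpers; the filtered 139/tcp in the sample shows why only the `open` state is selected.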

Whois, DNS, dig

# dig dns ($DOMAIN is the zone name learned during recon, e.g. from a vhost or a certificate)
dig -x 10.129.45.223 @10.129.45.223    # reverse lookup: PTR record for the target IP
dig axfr $DOMAIN @10.129.45.223        # zone transfer: the query type is AXFR and takes the zone name, not an IP
dig any $DOMAIN @10.129.45.223         # ANY query for the zone (many resolvers now answer ANY with a minimal reply)

Subdomain/vhost enumerations

# find vhosts: filter out the catch-all response (e.g. -fs <size> or -ac), otherwise every word in the list "hits"
ffuf -w /home/kali/Downloads/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://infiltrator.htb -H "Host: FUZZ.infiltrator.htb"

Web technology fingerprinting

  1. Use whatweb and Wappalyzer to identify the server, frameworks and versions behind each vhost.

# whatweb
whatweb --aggressive https://www.example.com
