Kali Quick Notes
SSH Service
Enable SSH at system start up
sudo systemctl enable ssh
Start SSH Service
sudo systemctl start ssh
Host Command
Automate DNS Zone Transfer Script
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script (the target domain)
# Check if argument was given, if not, print usage
if [ -z "$1" ]; then
    echo "[*] Simple Zone transfer script"
    echo "[*] Usage : $0 <domain>"
    exit 0
fi
# If argument was given, identify the DNS servers for the domain.
# `host -t ns` prints "domain name server ns.example."; field 4 is the server.
for server in $(host -t ns "$1" | cut -d " " -f4); do
    # For each of these servers, attempt a zone transfer (AXFR) and keep only the A records
    host -l "$1" "$server" | grep "has address"
done
Host Command - Query Name Server
Display NS for domain
host -t ns zonetransfer.me
Attempt zone transfer from DNS server
host -l zonetransfer.me nsztm2.digi.ninja
Brute force subdomains with a wordlist (one forward lookup per name)
for ip in $(cat list.txt); do host $ip.zonetransfer.me; done
for ip in $(cat /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt); do host $ip.zonetransfer.me; done
How to install and use seclists with host command
sudo apt-get install seclists
ls -lh /usr/share/seclists/
DNS Tools
DNS Recon
Options to make note of
-d DOMAIN, --domain DOMAIN
-n NS_SERVER, --name_server NS_SERVER
-D DICTIONARY, --dictionary DICTIONARY
-t brt, brute force domain name attack (needs a wordlist given with -D)
Example command - brute force subdomains from a wordlist
dnsrecon -d zonetransfer.me -D /usr/share/dnsrecon/namelist.txt -t brt
Enumerate domain name (default std scan: SOA, NS, A, AAAA, MX and SRV records, with a zone transfer attempt against each NS first)
dnsrecon -d zonetransfer.me
DNS Enum
dnsenum zonetransfer.me
Port Scanning
Netcat
Install Netcat
sudo apt install netcat-traditional
Netcat - TCP Scan
To scan an ip address for specific ports
nc -nvv -w 1 -z (ip address) (port number-port number)
Netcat - UDP Scan
nc -nv -u -z -w 1 (ip address) (udp port number-udp port number)
Nmap
Default Scan - Top 1000 ports - SYN Scan
Default scan - scans the top 1000 most popular TCP ports
Performs a SYN scan (-sS) by default when run as root; as an unprivileged user nmap falls back to a TCP connect scan (-sT)
sudo nmap (ip address)
Run a Connect Scan
nmap -sT (ip address)
Nmap Ping Scan
Host discovery only, no port scan (-sn; older versions called this -sP)
nmap -sn (ip address)
Scan Specific Ports
nmap -p 1-65535 localhost
nmap -p 80,443 8.8.8.8
UDP Scanning
To run a UDP Scan
sudo nmap -sU (ip address)
Network Sweeping
Host discovery (-sn) across a large number of hosts, no port scan. Run as root nmap sends:
ICMP echo request to all hosts
TCP SYN packet to port 443
TCP ACK packet to port 80
ICMP timestamp request
(as an unprivileged user it sends TCP connect probes to ports 80 and 443 instead)
sudo nmap -sn 192.168.1.1-254
Output to greppable file
Specify output file in greppable file format (-oG)
nmap -v -sn (ip address) -oG ping-sweep.txt
Search file for hosts that are Up and print their addresses (field 2 of each "Host:" line)
grep Up ping-sweep.txt | cut -d" " -f2
TCP Connect scan on top 20 ports (-A adds OS detection, version detection, default scripts and traceroute; OS detection needs root)
sudo nmap -sT -A --top-ports=20 (ip address range) -oG top-port-sweep.txt
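The greppable files written by the sweeps above can be parsed more reliably than with a grep and cut one-liner, which also matches a hostname or comment that happens to contain "Up" or "open". The following is an added example and not part of the original notes: two constructed -oG samples (a ping sweep and a top-port sweep, not real scan results) and awk-based shell functions that return the hosts that are Up and the open ports. The function names up_hosts, open_ports and up_hosts_csv are assumptions of this example.

```bash
#!/bin/bash
# Parse nmap greppable (-oG) output into host and open-port lists.
# Added example, not from the original notes. The two samples below are
# constructed to match the -oG line format (tab-separated "Host:" records);
# they are not real scan results.

PING_SWEEP=$(printf '# Nmap 7.94 scan initiated as: nmap -v -sn -oG ping-sweep.txt 192.168.1.1-254\nHost: 192.168.1.1 ()\tStatus: Up\nHost: 192.168.1.5 (printer.lan)\tStatus: Up\nHost: 192.168.1.9 ()\tStatus: Down\n# Nmap done -- 254 IP addresses (2 hosts up) scanned\n')

TOP_PORT_SWEEP=$(printf '# Nmap 7.94 scan initiated as: nmap -sT --top-ports=20 -oG top-port-sweep.txt 192.168.1.1-254\nHost: 192.168.1.1 ()\tStatus: Up\nHost: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (17)\nHost: 192.168.1.5 (printer.lan)\tStatus: Up\nHost: 192.168.1.5 (printer.lan)\tPorts: 80/open/tcp//http///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (17)\n# Nmap done\n')

# Print the address of every host whose Status field is "Up", one per line.
# Reads -oG text on stdin. Keys on the tab-separated Status field, so a
# hostname, comment or port list containing the word "Up" cannot match.
up_hosts() {
    awk -F'\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Print "ip port/proto service" for every open port in a -oG port scan.
# Each Ports entry looks like 22/open/tcp//ssh///; the slash-separated
# fields are port/state/protocol/owner/service/rpcinfo/version.
open_ports() {
    awk -F'\t' '/^Host:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Ports: /) {
                sub(/^Ports: /, "", $i)
                n = split($i, entries, ", ")
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")
                    if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                }
            }
        }
    }'
}

# Join the live hosts from a ping sweep into one comma-separated target
# string, ready to paste onto the command line of a follow-up port scan.
up_hosts_csv() {
    up_hosts | paste -sd, -
}

# Stand-alone demo on the constructed samples
printf '%s\n' "$PING_SWEEP" | up_hosts
printf '%s\n' "$TOP_PORT_SWEEP" | open_ports
```

Feed a real file with `up_hosts < ping-sweep.txt` or `open_ports < top-port-sweep.txt`; both functions ignore the "# Nmap ..." comment lines and any "Host:" record without the field they look for, so the same parser works on -oG output from any of the nmap commands in these notes.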
OS Fingerprinting
sudo nmap -O (ip address)
Banner Grabbing
nmap -sV -sT (ip address)
NSE Scripts
NSE SMB Detection Scan
nmap (ip address) --script=smb-os-discovery
Netbios and SMB
Scan for NetBios & SMB
nmap -v -p 139,445 -oG smb.txt (ip address range)
Scan using the nbtscan tool (-r sends the queries from local port 137, which some older Windows hosts require before they answer; -t takes a timeout in milliseconds, not a target)
sudo nbtscan -r (ip address range)
Vulnerability Scanning
Install OpenVAS / Greenbone Vulnerability Management (on current Kali the package is gvm; openvas is the transitional package name)
sudo apt-get update && sudo apt-get dist-upgrade
sudo apt-get install openvas
Initial setup - at the end gvm-setup prints the generated admin password, save it
sudo gvm-setup
Start the services and open the web interface (gvm-start prints the URL it opens)
sudo gvm-start
http://localhost:9392