Recon and Enumeration

Useful tools to know: - Recon/People Searching

• Google (specifically Google Dorking)
• Wikipedia
• PeopleFinder.com
• who.is
• sublist3r
• hunter.io
• builtwith.com
• wappalyzer

Enum tools:

• dirb (used to find commonly-named directories on a website)
• dirbuster (has a GUI)
• enum4linux (SMB/SAMBA vulnerabilities)
• metasploit (Mainly for exploitation but also recon and scanning)
• Burp Suite (Intercept network traffic and find directories)

Priv esc tools/techniques:

Many ways of priv esc, below an example of methods/tools

• Cracking password hashes found on the target
• Finding a vulnerable service or version of a service which will allow you to escalate privilege THROUGH the service
• Password spraying of previously discovered credentials (password re-use)
• Using default credentials
• Finding secret keys or SSH keys stored on a device which will allow pivoting to another machine
• Running scripts or commands to enumerate system settings like 'ifconfig' to find network settings, or the command 'find / -perm
• Find set capabiltities - getcap -r / 2>/dev/null
• -4000 -type f 2>/dev/null' to see if the user has access to any commands they can run as root