Capture The Flag Initial Recon Checklist
This section contains a checklist for initial recon of the target
```bash
# Check for a web application firewall with wafw00f
wafw00f target.local

# FTP: connect, then try an anonymous login
ftp target.tld
# at the prompt, log in as user "anonymous" (any password)
```
```bash
# SMB enumeration (keep a copy of the output in report.txt)
enum4linux target.local | tee report.txt

# SMB: list shares
smbclient -L //target.local

# SMB: connect to a share as a given user
# (forward slashes avoid shell backslash escaping; the user option is -U, uppercase)
smbclient //target.local/sharename -U username
```
```bash
# Start a nikto scan
nikto -h target.local -c

# Directory enumeration with gobuster
# ($direnumCombined, $dnsenumCombined, $feroxStatusCodes and $passrockyou are
#  shell variables holding wordlist paths / status codes, set elsewhere)
gobuster dir --no-error -t 50 -u target.tld -w $direnumCombined

# Directory enumeration with feroxbuster
feroxbuster -s $feroxStatusCodes -t 50 --timeout 15 -u target.tld -w $direnumCombined -e

# Directory enumeration with dirsearch (recursive)
dirsearch -r -u target.tld -t 50 -w $direnumCombined

# DNS subdomain enumeration (-i also shows resolved IPs)
gobuster dns --no-error -t 50 -i -d target.tld -w $dnsenumCombined

# Virtual host enumeration
gobuster vhost --no-error -t 50 -u target.tld -w $dnsenumCombined --append-domain

# Use hydra to brute force SSH with the usernames found so far
hydra -L username.txt -P $passrockyou -t 16 -f ssh://target.local
```
```bash
# For WordPress use wpscan (wpscan 3.x takes the target via --url, not -u)
wpscan --url target.local

# For Drupal or Joomla use droopescan; -e p enumerates plugins
droopescan scan drupal -u target.local -e p
droopescan scan joomla -u target.local -e p
```
```bash
# Use Vulnx to get more information on an exploitable CMS
# Parameters:
#   -d     : get subdomain information
#   -D     : use dorks available on the internet
#   --dns  : DNS information gathering
#   -w     : web information gathering
#   -t     : threads
vulnx -u target.tld -d -D -w --dns -t 50 --output /output
```