Scanning
Machine enumeration
fping/ping # check for the presence of a machine on the network
fping -g [local network] # give all the local network addresses that are reachable
for i in {1..254}; do ping -c 1 -w 1 X.X.X.$i | grep from; done # bash ping sweep of a /24: one echo request per host, 1 s timeout, only replies are printed
nmap: open source port scanner (graphical → zenmap)
nmap -sV -p- [ip] # scan a machine
nmap [network]/[mask] # scan a network (e.g. 192.168.1.0/24)
-p 80,443,8080 # check specific ports
-F # fast scanning (fewer ports scanned)
--exclude [ip] # exclude an IP from the scan
-sP # host discovery only (deprecated alias of -sn): tells whether hosts are up or down; the MAC address is shown for hosts on the local segment
-sV # service version detection
-O # operating system detection
-v # verbose or -vv
-A # aggressive scan (OS, script, traceroute) open ports, services, version --> when you don't care how 'loud' you are
-Pn # skip host discovery: treat every target as up and port-scan it anyway (for hosts that drop ping)
--script vuln # run all scripts in the "vuln" category
# all categories: https://nmap.org/book/nse-usage.html
# Timing template, -T0 to -T5 (increases the speed your scan runs at) - /!\ higher speeds are noisier and can miss results or trigger errors!
-T5
#### Ping sweep ####
-sn [networkIp]/[mask] # ping sweep: host discovery without a port scan, to obtain a map of which hosts are up.
#### SAVE THE OUTPUT ####
-oA [basename] # write all three major formats at once (.nmap, .gnmap, .xml)
-oN [file] # normal format
-oG [file] # grepable format (one line per host, easy to grep/awk)
-oX [file] # output in XML format
xsltproc filename.xml -o filename.html # You can open an easy-to-read summary in the browser.
# Gets help on all http scripts
--script-help "http-*"
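Grepable output is only useful if you actually grep it. The following is an added example (not from the original cheat sheet): a small POSIX sh function that reads a -oG file and prints one line per open port. The scan file it runs on is a constructed sample in the -oG format, not a real scan; the host names and services in it are made up.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# make_sample writes a constructed nmap -oG file (fields are tab-separated,
# as nmap writes them). The hosts and services are made up for the demo.
make_sample() {
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf 'Host: 10.0.0.9 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds//, 3389/filtered/tcp//ms-wbt-server///\n'
  printf '# Nmap done (constructed sample)\n'
}

# open_ports FILE -> prints "host port/proto service" for every open port.
# -oG port entries look like: port/state/proto/owner/service/rpc/version/
open_ports() {
  grep '^Host:.*Ports:' "$1" | while IFS= read -r line; do
    host=$(printf '%s\n' "$line" | awk '{print $2}')
    # keep only the port list: drop the "Host: ..." prefix and the
    # optional "Ignored State: ..." trailer
    ports=$(printf '%s\n' "$line" | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//')
    printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' |
    while IFS=/ read -r port state proto owner service rest; do
      if [ "$state" = "open" ]; then
        printf '%s %s/%s %s\n' "$host" "$port" "$proto" "$service"
      fi
    done
  done
  return 0
}

# Usage: make_sample > scan.gnmap; open_ports scan.gnmap
# With a real scan: nmap -sV -oG scan.gnmap [ip]; open_ports scan.gnmap
```

Closed and filtered ports are dropped on purpose; if you also want them, change the `[ "$state" = "open" ]` test. The same one-liner logic works on a `-oA` run, since the `.gnmap` file is exactly this format.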
rustscan -a [ip] -- [nmap_arguments]
nessus # reports potential weaknesses on the tested machines (to be downloaded from tenable)
/etc/init.d/nessusd start # start nessus
http://localhost:8834 # Nessus web interface; register on tenable.com for an activation code
Website Scanner
nikto -h [url]
wapiti
gobuster vhost -w [subdomains_list] -u [url] # look for virtual hosts (subdomains) by fuzzing the Host header
feroxbuster -w [wordlist_path] -x php,html,txt -u [url] # look for hidden files or directories
dirbuster
wfuzz -z file,[wordlist_path] -d "[param]=FUZZ&[param]=FUZZ" --hc 302 [url] # fuzz POST parameters; --hc 302 hides responses with that status code
URL/.git/ # check whether the .git directory is exposed (e.g. request [url]/.git/HEAD)
wget --mirror -I .git [url]/.git/ # download the exposed repository (needs directory listing enabled; otherwise use a dumper, see below)
git checkout -- . # restore the working tree from the dumped index (files that are missing after the dump)
git log
git checkout [COMMIT-ID] # go back to a previous commit
git log --all --full-history
git show [COMMIT-ID]
git log --stat
Some automated scripts to investigate deeper:
+ export.sh: script to get the whole history of a given file.
+ git-dumper: tool to dump a git repository from a website.
+ git-tools: a repository with 3 tools for pwn'ing websites with .git repositories available.
+ githacker: a Git source leak exploit tool that restores the entire Git repository, including data from the stash, for white-box auditing and analysis of the developers' mind.
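The checkout, log and show commands above are the manual procedure; the caveat worth knowing is that `git checkout -- .` only brings back files that are missing from the working tree but still in the index. A credential that was removed in a later commit is not in the index any more and has to be checked out from the commit just before the deletion. The following is an added example (not from the original cheat sheet and not one of the tools listed above) that automates that step. It builds a throwaway repository with a constructed secret so it runs offline; the file names, commit messages and the `hunter2` value are made up.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# Identity is passed with -c so the demo works on a box without ~/.gitconfig.
GIT="git -c user.name=demo -c user.email=demo@example.com"

# build_repo DIR: construct a repo that commits a config file containing a
# credential, then deletes it in a second commit (the typical leak pattern).
build_repo() {
  mkdir -p "$1" && git -C "$1" init -q
  printf 'db_pass=hunter2\n' > "$1/config.php"        # constructed sample secret
  printf '<?php echo "hello";\n' > "$1/index.php"
  $GIT -C "$1" add . && $GIT -C "$1" commit -q -m 'initial import'
  $GIT -C "$1" rm -q config.php && $GIT -C "$1" commit -q -m 'remove credentials'
}

# deleted_files DIR: every path that was deleted at some point in history
# (--diff-filter=D keeps only deletions; --all covers every branch).
deleted_files() {
  git -C "$1" log --all --diff-filter=D --name-only --pretty=format: | sed '/^$/d' | sort -u
}

# recover_file DIR PATH: find the commit that deleted PATH and check the file
# out from its parent (COMMIT^), which is the last version that still had it.
recover_file() {
  del=$(git -C "$1" log --all --diff-filter=D --format=%H -1 -- "$2")
  [ -n "$del" ] || return 1
  git -C "$1" checkout -q "${del}^" -- "$2"
}

# Usage on a dumped repo: deleted_files ./dump; recover_file ./dump config.php
```

On a real dump, run `deleted_files` first and go through the list for anything that looks like configuration, keys or backups, then `recover_file` each candidate; `git log --stat` on the deleting commit tells you what else changed at the same time.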