eg: Test-NetConnection -ComputerName target_ip -Port 80 -InformationLevel "Detailed"
https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=win10-ps
1..10 | % {"192.168.0.$"} | ForEach-Object { Test-Connection -Count 1 -ComputerName $ 2>$null}
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
https://rules.sonarsource.com/php/RSPEC-5335
nmap -sSV --script ftp-anon.nse -p21 IP -T4 --reason
- Disable FTP and use SSH
- Disable FTP Anonymous Login
https://antnix07.blogspot.com/2018/01/disable-anonymous-user-in-ftp-server-on.html
nmap -sU -p 53 --script dns-cache-snoop <ip_address>
- Leave recursion enabled if the DNS Server resides on a corporate network that cannot be reached by untrusted clients
- Do not allow public access to DNS Servers performing recursion
- Disable recursion
https://support.microsoft.com/en-us/help/2678371/microsoft-dns-server-vulnerability-to-dns-server-cache-snooping-attack
msf > use auxiliary/scanner/dns/dns_amp
- Restrict access to your DNS server from public network or reconfigure it to reject such queries
nmap -Pn -sU -p 53 --script=dns-recursion <ip_address>
- Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it)
- If bind 8 is in use, use the instruction 'allow-recursion' in the 'options' section of the named.conf
- If bind 9 is in use, define a grouping of internal addresses using the 'acl' command
Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'
If another name server is in use, consult its documentation.
dig axfr @<ip_address> <domain.name>
N/A
#openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
import http.server, ssl
server_address = ('192.168.0.5', 443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket,
server_side=True,
certfile='server.pem',
ssl_version=ssl.PROTOCOL_TLSv1)
httpd.serve_forever()
nmap -sV -T5 -Pn -p 80 --script http-headers IPs
https://github.com/koenbuyens/securityheaders
https://csp.withgoogle.com/docs/index.html
https://www.attosol.com/http-security-headers-with-nginx/
https://www.saotn.org/remove-iis-server-version-http-response-header/
https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
What benefit using etag?
The ETag HTTP response header is an identifier for a specific version of a resource. It lets caches be more efficient and save bandwidth, as a web server does not need to resend a full response if the content has not changed. Additionally, etags help prevent simultaneous updates of a resource from overwriting each other
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag
Sometimes ETag header providing sensitive information that could aid an attacker, such as the inode number
https://www.tenable.com/plugins/nessus/88098
https://www.securityfocus.com/bid/6939/discuss
https://tecadmin.net/what-is-inode-number-in-linux/
IIS : https://www.saotn.org/remove-etags-http-header-iis/
nmap -sV -T5 -Pn -p 80 --script http-headers IPs -v
https://hostadvice.com/how-to/how-to-disable-the-vulnerability-of-options-method-in-iis-and-apache/
nmap -sV -p161 --script snmp-info IP --reason -T4
nmap -sU -p161 --script snmp-info IP --reason -T4
snmpwalk -c public/private/any -v1/2c IP
N/A
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt
Change the default community string “public” to something complex
snmpbulkget -v2c -Cn0 -Cr2500 -Os -c public 1.3.6.1.2.1
Restrict and monitor access to this service, and consider changing the default 'public' community string
- Check for cipher strength
nmap -sSCV -Pn --script ssl-enum-ciphers -p443 IP
sslscan IP
https://github.com/rbsec/sslscan
https://github.com/nabla-c0d3/sslyze
https://testssl.sh/
Windows: https://www.nartac.com/Products/IISCrypto/
https://www.phr33fall.co.uk/ssl-tls-issues-server-2012/ (Manual Solution)
nmap -sV -T5 -Pn -p 445 --script smb-protocols IPs
nmap -sV -T5 -Pn -p 445 --script smb-security-mode IPs
https://support.microsoft.com/en-my/help/161372/how-to-enable-smb-signing-in-windows-nt
nmap -p445 --script smb-vuln-ms17-010
Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.
smbclient -L <ip_address>
Disable the SMB service if not required.
Network Level Authentication (NLA) Disabled
Terminal Services Encryption Level is Medium or Low, or
Terminal Services Encryption Level is not FIPS-140 Compliant
https://github.com/portcullislabs/rdp-sec-check
videos:https://www.youtube.com/watch?v=nyBOJwvUaKQ
Link:https://www.phr33fall.co.uk/windows-rdp-hardening/
https://www.mssqltips.com/sqlservertip/2495/identify-sql-server-tcp-ip-port-being-used/
https://www.sqlshack.com/overview-of-sql-server-ports/
