[*] ssh on tcp/22 [-] Bruteforce logins: hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://bagel.htb medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h bagel.htb [*] http-alt on tcp/8000 [-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists: feroxbuster -u http://bagel.htb:8000 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_feroxbuster_dirbuster.txt [-] Credential bruteforcing commands (don't run these without modifying them): hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 8000 -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_auth_hydra.txt" http-get://bagel.htb/path/to/auth/area medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 8000 -O "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_auth_medusa.txt" -M http -h bagel.htb -m DIR:/path/to/auth/area hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 8000 -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_form_hydra.txt" http-post-form://bagel.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message" medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 8000 -O "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_form_medusa.txt" -M web-form -h bagel.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message" [-] (nikto) old but generally reliable web server enumeration tool: nikto -ask=no -h http://bagel.htb:8000 2>&1 | tee "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nikto.txt" [-] (wpscan) WordPress Security Scanner (useful if WordPress is found): wpscan --url http://bagel.htb:8000/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_wpscan.txt"