
System Hacking 💻

We start by gathering information about the target system, such as its operating system, services running, and open ports. Use this to identify potential vulnerabilities that can be exploited.

Identify target

Nmap

Focus on the most used service ports. Scan a few specific ports quickly with a 'stealthy' SYN (half-open) scan
nmap -sS -p 21,22,80,443 <IP>
Scan only the 100 most used ports (fast scan)
nmap --top-ports 100 -T4 <HOST_IP>
Aggressive scan of all ports (-A: OS detection, version detection, script scanning, and traceroute) plus the 'vuln' scripts, saved to a file
nmap -sS -A -p- -T4 --script=vuln -oN full-scan <IP>
Treat the host as online (-Pn), scan all ports, run default scripts, detect service versions, use the aggressive -T4 timing template, and save output to a file
nmap -vv -Pn -p- -sC -sV -T4 -oN complete-scan <HOST_IP>
No scan is truly undetectable, but these options reduce the chance of triggering IDS/IPS alerts
nmap -sS -T0 --randomize-hosts --data-length 50 <TARGET_IP>
# A stealthy scan: paranoid timing (-T0, the slowest template, least likely to be detected), randomized host order, and 50 bytes of random data appended to each packet to evade detection

Scan for vulnerabilities using NSE scripts:

Default script scan (-sC), service/version detection (-sV), output saved to a file
nmap -sC -sV -oN initial <HOST_IP>
Use the 'vuln' category scripts against known services
nmap -p 80,443,21,22,445 --script vuln <HOST_IP>
List web directories and files
nmap -p 80,443 --script http-enum <HOST_IP>
Enumerate the SSL/TLS ciphers offered by HTTPS services
nmap -p 443 --script ssl-enum-ciphers <HOST_IP>

Netdiscover

Active ARP reconnaissance tool to discover live hosts on the local network (the range must be a full CIDR, e.g. 10.0.0.0/24)
netdiscover -i eth0 -r 10.0.0.0/24

Hydra

Brute force SSH login
hydra -l <username> -P <full path to pass> <HOST_IP> -t 4 ssh
Brute force HTTP login
hydra -l <username> -P rockyou.txt <HOST_IP> http-post-form "<path>:username=^USER^&password=^PASS^:<invalid response>"

Web reconnaissance

If Ports 80 (HTTP) or 443 (HTTPS) are open, it usually suggests the presence of a web service. Let's try to find flags, discover directories and identify version-specific vulnerabilities.

Check robots.txt for paths the site asks crawlers not to index (often hints at hidden files)
curl http://<HOST_IP>/robots.txt
Identify the Web Server and Version
curl -I <HOST_IP>

Look at the Server: header to identify the web server.

If port 80 is closed but expected to be open, this might indicate:

Example output
nmap -p 80 <HOST_IP>

PORT STATE SERVICE
80/tcp closed http
Rescan after a delay. Port availability sometimes changes over time (sleep must finish before nmap runs, so use && rather than &)
sleep 10 && nmap -p 80 <HOST_IP>
Use a TCP connect scan to get around SYN scan restrictions. SYN scans (-sS) may be blocked or filtered by a firewall, while -sT (full TCP handshake) can get through in some setups
nmap -sT -p 80 <HOST_IP>
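As an added example (not part of this page), a small Python parser for nmap's normal output (-oN, the format saved by the commands above) plus a triage helper that tells closed (host answered with RST) from filtered (no reply, possibly a firewall) for the ports you expected to be open. The scan text is constructed, not a real scan.

```python
import re
from collections import namedtuple

# Constructed sample of nmap "normal" output (-oN); not real scan data.
SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE         SERVICE      VERSION
22/tcp   open          ssh          OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp   filtered      http
443/tcp  open          ssl/http     Apache httpd 2.4.52
445/tcp  closed        microsoft-ds
8080/tcp open|filtered http-proxy
"""

PortResult = namedtuple("PortResult", "port proto state service version")

# One "<port>/<proto> <state> <service> [<version>]" line of -oN output.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+?))?\s*$"
)


def parse_nmap_normal(text):
    """Return a PortResult for every port line found in -oN output."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            results.append(PortResult(int(m["port"]), m["proto"], m["state"],
                                      m["service"], m["version"] or ""))
    return results


def triage_expected_ports(results, expected):
    """Map each expected TCP port to what the scan saw.

    'closed'   -> RST received: nothing is listening on that port.
    'filtered' -> no answer: a firewall or IDS may be dropping the probe,
                  so a later rescan or a -sT connect scan is worth a try.
    'missing'  -> port not in the output at all (outside the scanned range).
    """
    by_port = {r.port: r for r in results if r.proto == "tcp"}
    return {p: (by_port[p].state if p in by_port else "missing") for p in expected}
```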

Each CMS (WordPress, Joomla, Drupal) has known vulnerabilities and common misconfigurations.

Frameworks (developer toolkits for building apps, such as Django, Rails, Laravel) have distinct attack surfaces, e.g. Django apps often expose the /admin/ panel and Laravel apps might expose .env config files.

Let's use whatweb or wappalyzer to analyze HTTP responses, headers, cookies, and HTML code to guess:

  • If the target is running WordPress (CMS) → Try wpscan
  • If the target is running Django (framework) → Look for Django debug mode, admin panel
  • If the target is running React.js (frontend) → Might indicate a modern SPA with a backend API to target

WhatWeb

Identifies websites and recognises web technologies, including CMS and frameworks (aggression level 2, verbose log written to a file)
whatweb -v -a 2 --log-verbose=whatweb.txt <HOST_IP>
Run the http-vuln* NSE scripts with version detection against all ports (the glob is quoted so the shell does not expand it)
nmap -sV -p- --script='http-vuln*' -oN nmap_http <HOST_IP>

Gobuster

To find directories/files (gobuster expects a full URL)
gobuster dir -u http://<HOST_IP> -w /usr/share/wordlists/dirb/common.txt

WPscan

If WhatWeb reports WordPress
wpscan --url <HOST_IP> --enumerate p,t,u --disable-tls-checks --format json --output wpscan.json

Nikto

Web scanner to find various vulnerabilities in web servers
nikto -h <HOST_IP> -p 80,443 -output nikto_scan.txt