21 - FTP
22 - SSH
TOOLS/enumSSH
nmap --script ssh-hostkey -p 22 --open -sS $IP/24
ssh-keyscan $IP
./TOOLS/ssh-vulnkey $IP TOOLS/ssh-blacklist/blacklist.all#
# Information Gathering
#
nmap -sV -sT --script ftp-* -p21 $target
# Banner
nc -vn $target 21
openssl s_client -connect $target:21 -starttls ftp
# Anonymous Login ?
ftp $target 21
# login : anonymous
# password : anonymous
# Packet Sniffing with Wireshark ?
# identify ftp traffic
wireshark
#
# BRUTEFORCE
#
wget https://raw.githubusercontent.com/rix4uni/FTPBruteForce/main/ftp-username-password.txt
# it's username:password so :
awk -F ':' '{print $1}' ftp-username-password.txt > usernames.txt
awk -F ':' '{print $2}' ftp-username-password.txt > passwords.txt
hydra -L usernames.txt -P passwords.txt ftp://$target25 - SMTP
Detect version
# metasploit
use auxiliary/scanner/smtp/smtp_versionOpen Relays
Tests if an SMTP server will accept (via a code 250) an e-mail by using a variation of testing methods
# metasploit
use auxiliary/scanner/smtp/smtp_relayUser Enumeration Utility
Allows the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual address of users aliases and lists of e-mail (mailing lists)). Through the implementation of these SMTP commands can reveal a list of valid users. User files contains only Unix usernames so it skips the Microsoft based Email SMTP Server. This can be changed using UNIXONLY option and custom user list can also be provided.
use auxiliary/scanner/smtp/smtp_enum53 - DNS
nmap -T4 -sS -p 53 $IP/24
# Enumerate ALL DNS records! Maybe hidden hosts in network recon
dig -t all target1 target2 target3 @$DNSSERVER
# DNS recon (brute force subdomains):
dnsrecon -d $IP -t brt -D /usr/share/wordlists/dnsmap.txt
dnsenum $DOMAIN
fierce -dns $DOMAIN -wordlist dictionary.txt
# DNS subdomains enum with ffuf
./ffuf -u http://$ip -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.test.lo"- https://github.com/rbsec/dnscan - Wordlists
Amplification
A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publically accessible open DNS servers to overwhelm a victim system with DNS response traffic.
auxiliary/scanner/dns/dns_amp
services -p 53 -u -R69 - TFTP
nmap --open -sU -p 69 $IP/2480,8080,443,8000 - HTTP
nmap --open -sV -p 80,8080,443,8000 $IP/24
# Virtual domains
nmap --open --script=hostmap -p 80 $IP
# TRACE method:
nmap --open --script=http-trace -p 80 $IP
# Enumerate userdir:
nmap --open --script=http-userdir-enum $IP
# Nikto scanner:
nikto -host http://$IP
# Dirb scanner:
dirb http://$IP
# For WordPress (wpscan):
docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --stealthy --url https://$DOMAIN/
docker run -it --rm wpscanteam/wpscan --url https://$DOMAIN/ --enumerate u
# For Joomla:
joomscan http://$IP
# Gobuster (https://github.com/OJ/gobuster):
gobuster -u https://$DOMAIN -w /usr/share/dirb/wordlists/common.txt
gobuster -u https://$DOMAIN -c 'session=123456' -t 50 -w /usr/share/dirb/wordlists/common.txt -x .php,.html SSL/TLS
sslscan $IP
./testssl.sh $IP
nmap -sV --script ssl-enum-ciphers -p 443 $IPWebDAV
davtest -cleanup -url http://$IP
cadaver http://$IP
dav:/> put webshell.txt
dav:/> copy webshell.txt ws.asp88 - Kerberos
Users enumeration
The script should work against Active Directory. It needs a valid Kerberos REALM in order to operate.
# metasploit
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='XX-XXXT'" 10.74.251.24111 - RPC
# Look for port 111 rpcbind
rpcinfo $IP
rpcinfo -p $IPRPC over DC
rpcclient -U "" -c enumdomusers $IP
rpcclient -U "" $IP -N -c "lsaquery"
rpcclient -U "" $IP -N -c "lookupnames Guest"
rpcclient -U "" $IP -N -c "lookupnames Administrator"123 - NTP
# Show clients that have queried this server:
ntpdc -n -c monlist $IP
nmap -sU -p 123 --script=ntp-info $IP135,137,138,139 - NetBIOS
nbtscan -r $IP/24
enum4linux -a $IP
nmblookup -A $IP139,445 - SMB / SAMBA
nmap --script smb-os-discovery --open -p 139 $IP
nmap --script smb-os-discovery -p 139 --open $IP/24 -oX smb.xml
smbmap.py -H $IP
smbmap.py -H $IP -u Guest -R
smbmap.py -H $IP --upload $FILE $SHARE
# Recursive download:
smbget -a smb://$IP/$FILE -R
# Enumerate Users:
python /usr/share/doc/python-impacket-doc/examples/samrdump.py $IP
# Enumerate shares:
crackmapexec --shares $IP/24
# To list shares:
smbclient -L $IP
# or,
smbmap -H $IP
# To connect to a share (shell style):
smbclient //$IP/wwwroot161 - SNMP
nmap -p 161 --script snmp-enum $IP
snmp-check $IP
# Very useful:
snmp-check -v2c -c public $IP
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP $IP
onesixtone -w 0 $IP
# For scanning:
onesixtyone -c $COMMUNITY -i $IP_LIST_FILE
# For enumeration low level (MIB):
snmpwalk -c public -v1 $IP
# SNMP on different port:
snmpwalk -v 2c -c public $IP:666
snmp-check -p 6492 $IP389 - LDAP
LDAP-rootdse
ldap-rootdse.nse : Retrieves the LDAP root DSA-specific Entry (DSE)
nmap -p 389 --script ldap-rootdse $ipLDAPsearch
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
ldap.qfilter=users,ldap.attrib=sAMAccountName' $ip
ldapsearch -H ldap://$IP/
ldapsearch -x -h $IP -s baseldapwhoami1433 - MSSQL
Metasploit modules
auxiliary/admin/mssql/mssql_enum normal Microsoft SQL Server Configuration Enumerator
auxiliary/admin/mssql/mssql_enum_domain_accounts normal Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli normal Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
auxiliary/admin/mssql/mssql_enum_sql_logins normal Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
auxiliary/admin/mssql/mssql_escalate_dbowner normal Microsoft SQL Server Escalate Db_Owner
auxiliary/admin/mssql/mssql_escalate_dbowner_sqli normal Microsoft SQL Server SQLi Escalate Db_Owner
auxiliary/admin/mssql/mssql_escalate_execute_as normal Microsoft SQL Server Escalate EXECUTE AS
auxiliary/admin/mssql/mssql_escalate_execute_as_sqli normal Microsoft SQL Server SQLi Escalate Execute AS
auxiliary/admin/mssql/mssql_exec normal Microsoft SQL Server xp_cmdshell Command Execution
auxiliary/admin/mssql/mssql_findandsampledata normal Microsoft SQL Server Find and Sample Data
auxiliary/admin/mssql/mssql_idf normal Microsoft SQL Server Interesting Data Finder
auxiliary/admin/mssql/mssql_ntlm_stealer normal Microsoft SQL Server NTLM Stealer
auxiliary/admin/mssql/mssql_ntlm_stealer_sqli normal Microsoft SQL Server SQLi NTLM Stealer
auxiliary/admin/mssql/mssql_sql normal Microsoft SQL Server Generic Query
auxiliary/admin/mssql/mssql_sql_file normal Microsoft SQL Server Generic Query from File
auxiliary/analyze/jtr_mssql_fast normal John the Ripper MS SQL Password Cracker (Fast Mode)
auxiliary/gather/lansweeper_collector normal Lansweeper Credential Collector
auxiliary/scanner/mssql/mssql_hashdump normal MSSQL Password Hashdump
auxiliary/scanner/mssql/mssql_login normal MSSQL Login Utility
auxiliary/scanner/mssql/mssql_ping normal MSSQL Ping Utility
auxiliary/scanner/mssql/mssql_schemadumpInfo gathering
MSSQL Ping Utility
Queries the MSSQL instance for information. This will also provide if any ms-sql is running on different ports.
use auxiliary/scanner/mssql/mssql_ping
services -p 1433 -R1521 - ORACLE
We need 4 things to connect to an Oracle DB.
- IP.
- Port.
- Service Identifier (SID).
- Username/ Password.
Detect version
# metasploit
use auxiliary/scanner/oracle/tnslsnr_version
services -p 1521 -u -RGet SID
Oracle Service Identifier: By querying the TNS Listener directly, brute force for default SID’s or query other components that may contain it.
# Oracle TNS Listener SID Enumeration: This module simply queries the TNS listner for the Oracle SID. With Oracle 9.2.0.8 and above the listener will be protected and the SID will have to be bruteforced or guessed.
use auxiliary/scanner/oracle/sid_enum
# Oracle TNS Listener SID Bruteforce: This module queries the TNS listner for a valid Oracle database instance name (also known as a SID). Any response other than a “reject” will be considered a success. If a specific SID is provided, that SID will be attempted. Otherwise, SIDs read from the named file will be attempted in sequence instead.
use auxiliary/scanner/oracle/sid_bruteBruteforce
use auxiliary/scanner/oracle/oracle_login1900 - SSDP
tcpdump -n -A host $IP & perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/$IP/19002049 - NFS
showmount -e $IP
showmount -a $IP
mount.nfs $IP:$DIR $LOCALDIR3268 - DC Enumeration
nmap -sS -T4 -p 3268 --open $IP/24How to recognize a DC in a Windows environment
- DC Method 1: Netbios If port 137 (TCP-UDP) open, a DC uses as a netbios suffixes:
- For unique names: <1B> Domain Master Browser (PDC)
- For group names: <1C> Domain Controllers for a domain
- DC Method 2: Global Catalog Service
- Use nmap
- As a Active Directory Server open ports 3268 and 3269 (SSL) for the Global Catalog Service (LDAP protocol).
- Attention: LDAP protocol uses 389 and 636 (SSL).
- DC Method #3 From the Windows machine:
echo %logonserver%
nltest /dclist:$DOMAIN- DC Method #4
msf> use post/windows/gather/enum_domain
msf> set SESSION 1
msf> run5353 - avahi-daemon / mDNS
dig +short -p 5353 -t ptr _services._dns-sd._udp.local @$IP5432 - POSTGRESQL
Detect version
# metasploit
use auxiliary/scanner/postgres/postgres_versionLogin utility
# metasploit
use auxiliary/scanner/postgres/postgres_loginFlag injection
# metasploit
# Identify PostgreSQL 9.0, 9.1, and 9.2 servers that are vulnerable to command-line flag injection through CVE-2013-1899. This can lead to denial of service, privilege escalation, or even arbitrary code execution
use auxiliary/scanner/postgres/postgres_dbname_flag_injection6379 - Redis-server
(printf "info\r\n"; sleep 1) | netcat $IP 63799200 - elasticsearch
echo -ne "GET / HTTP/1.0\r\n\r\n" | netcat $IP 920011211 - memcached
echo "stats" | netcat $IP 11211
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u $IP 1121127017,27018,27019,27020 - MongoDB
mongo --host $IP