FTP (20, 21)
- standard: control channel on port 21, data channel on port 20
- FTP is insecure: credentials and data travel in cleartext
- anonymous login may be enabled, allowing read or read/write access without credentials
- TFTP is a simplified variant that runs over UDP with no authentication
- depending on the server configuration, user/group ownership of files and folders may be revealed in listings unless the server is configured to mask it
- if recursive listing is enabled, all subfolders and files can be listed at once with ls -R
# scan common ports
eric@hackbook:~$ nmap -p21 -sCV -oA ftp <host>
# download all files recursively (VERY NOISY)
eric@hackbook:~$ wget -m --no-passive ftp://anonymous:[email protected]
# anonymous login via ftp
eric@hackbook:~$ ftp anonymous@host
# connect to ftp via netcat
eric@hackbook:~$ nc <target> <port>
# view files
ftp> dir
# read a file on server without downloading
ftp> more file.txt
Secure Shell SSH (22)
- 2 versions: SSHv1 is vulnerable to MITM attacks; SSHv2 has better encryption, speed, stability & security
- 6 different auth methods: password, public-key, host-based, keyboard-interactive, challenge-response, GSSAPI
- common misconfigurations: password auth allowed, empty passwords, root login, outdated encryption, TCP forwarding, tunnelling and a verbose banner
# enum with ssh-audit
# git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py <target>
# check auth methods
ssh -v <user>@<target>
# change auth method (useful for bruteforce)
ssh -v <user>@<target> -o PreferredAuthentications=password
# ssh with id_rsa file
# id_rsa needs to be at 600 perms, chmod 600 id_rsa
ssh -i <path_to_id_rsa> <user>@<target>
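As an added example (not from the original notes), a small Python audit that parses an sshd_config and flags the weak settings listed above; the defaults assumed for absent keywords and the sample config are assumptions, not taken from a real host:

```python
# Added example, not from the original notes: flag the weak sshd settings listed above
import re
# keyword -> (value assumed when the keyword is absent, values treated as weak)
# assumption: upstream OpenSSH defaults; distribution packages may ship others
CHECKS = {
    "permitrootlogin":        ("prohibit-password", {"yes"}),
    "passwordauthentication": ("yes", {"yes"}),
    "permitemptypasswords":   ("no", {"yes"}),
    "allowtcpforwarding":     ("yes", {"yes"}),
    "permittunnel":           ("no", {"yes", "point-to-point", "ethernet"}),
}

def parse_sshd_config(text):
    """Global settings only: sshd keeps the FIRST occurrence of a keyword, and
    everything after a Match line is conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd(text):
    """Return [(keyword, effective_value, from_default)] for each weak setting."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (default, weak) in CHECKS.items():
        value = cfg.get(key, default).lower()
        if value in weak:
            findings.append((key, value, key not in cfg))
    return findings

# constructed sample: three weak settings, forwarding off, PermitTunnel left at default
SAMPLE = """\
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
AllowTcpForwarding no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, value, from_default in audit_sshd(SAMPLE):
        print(key, value, "(default, not set in file)" if from_default else "")
```

Note that a keyword left out of the file can still be weak through its default (PasswordAuthentication and AllowTcpForwarding), which ssh -v against the host would show as accepted methods.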
DNS (53)
- DNS is typically unencrypted and sent over port 53. DNS over TLS or DNS over HTTPS can be used to encrypt this traffic
- if the allow-transfer option is active or set to any, the entire zone file can be queried from the DNS server using dig axfr. Internal hostnames could be discovered this way
- DNS can be used to brute-force available subdomains using a wordlist
# DNS records
# DNS servers may ignore ANY queries and need a specific record type: A/AAAA/MX/NS/TXT/CNAME/SOA
dig any domain.com
# use @ to specify the IP of the local dns server
dig any domain.com @10.1.1.10
# reverse lookup
dig -x <ip>
# search for config files on linux DNS servers
ls -la /etc/bind
# nameserver query
dig ns domain.com @10.1.1.10
# version query
dig CH TXT version.bind @10.1.1.10
# zone transfer
dig axfr domain.com @10.1.1.10
# if other zones appear, they can be queried further for more info:
dig axfr internal.domain.com @10.1.1.10
# another dns recon tool similar to dnsenum
fierce --domain <domain>
# another dns enumeration tool
dnsrecon -d <domain>
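As an added example (not from the original notes), a Python check that reads a BIND named.conf and lists the zones whose allow-transfer would answer dig axfr from any client. The sample config is constructed, and treating a missing allow-transfer as "any" is an assumption about older BIND defaults:

```python
# Added example, not from the original notes: find BIND zones whose allow-transfer answers any host
import re
# top-level blocks are assumed to close with "};" at the start of a line
BLOCK_RE = re.compile(r'^(options|zone\s+"([^"]+)")[^{]*\{(.*?)^\};', re.S | re.M)
ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")

def _acl(body):
    m = ACL_RE.search(body)  # None when the block has no allow-transfer statement
    if m is None:
        return None
    return [e.strip().strip('"').lower() for e in m.group(1).split(";") if e.strip()]

def zone_transfer_acls(text, default="any"):
    """zone -> effective allow-transfer list. A zone without its own statement
    inherits options{}; with neither, `default` applies (assumption: older BIND
    releases allow any host, which is the open case the notes describe)."""
    text = re.sub(r"(//|#).*", "", text)  # drop comments
    global_acl, zones = None, {}
    for m in BLOCK_RE.finditer(text):
        if m.group(1) == "options":
            global_acl = _acl(m.group(3))
        else:
            zones[m.group(2)] = _acl(m.group(3))
    fallback = global_acl if global_acl is not None else [default]
    return {z: (acl if acl is not None else fallback) for z, acl in zones.items()}

def open_zones(text):
    """Zones any client may pull with dig axfr (ACL contains 'any')."""
    return [z for z, acl in zone_transfer_acls(text).items() if "any" in acl]

# constructed named.conf: one open zone, one restricted, one inheriting the global setting
SAMPLE = """\
options {
    allow-transfer { none; };
};
zone "domain.com" IN {
    type master;
    allow-transfer { any; };        // open to every client
};
zone "internal.domain.com" IN {
    type master;
    allow-transfer { 10.1.1.11; };  // secondary only
};
zone "legacy.domain.com" IN {       // inherits none from options
    type master;
};
"""

if __name__ == "__main__":
    print("open to any host:", open_zones(SAMPLE))
```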
SMB (137,138,139,445)
- dangerous options can exist such as guest login, logon scripts, browsable shares
# lists the available shares on a host and skips cred request
smbclient -N -L \\\\<host>
# connects to a specific share on a host with creds
smbclient -U <username> \\\\<host>\\<sharename>
# connects with guest logon (no pwd)
smbclient -U '' -N \\\\<host>\\<sharename>
# rpc client provides a bunch of additional commands for enumeration (see below)
rpcclient -U <username> <host>
# rpcclient commands to use once logged in
# more: https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html
srvinfo # server information
enumdomains # enumerate domains
querydominfo # provides domain, server, user info of deployed domains
netshareenumall # enumerate all available shares
enumdomusers # enumerate all domain users
# impacket samr dump
samrdump.py <host>
# smbmap enumeration
smbmap -H <host>
# crackmapexec smb enumeration
crackmapexec smb <host> --shares -u <username> -p <password>
# enum4linux-ng automated enumeration
# https://github.com/cddmp/enum4linux-ng
# returns os info, shares, domains, users, groups all in one shot
enum4linux-ng.py <host> -A
NFS (111, 2049)
- dangerous misconfigurations include granting r/w permissions, accepting requests from ports above 1024, and keeping the root UID/GID set on files
# show available nfs shares
showmount -e <host>
# mount share to our machine
mkdir targetnfs
sudo mount -t nfs <host>:/ ./targetnfs/ -o nolock
# unmount share
sudo umount ./targetnfs
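As an added example (not from the original notes), a Python audit of an /etc/exports file for the three dangerous settings the note above lists: world-writable exports, root UID/GID kept (no_root_squash) and client ports above 1024 (insecure). The exports file is constructed:

```python
# Added example, not from the original notes: flag the dangerous /etc/exports options noted above
import re
# a client spec is "host(opt,opt)", "host", or "(opt)" with no host, which exports to all hosts
CLIENT_RE = re.compile(r"([^\s(]*)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Return [(path, [(client, {options}), ...]), ...]; "*" stands for every host."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            host, opts = CLIENT_RE.match(spec).groups()
            options = set(filter(None, (opts or "").split(",")))
            clients.append((host or "*", options))
        exports.append((path, clients))
    return exports

def audit_exports(text):
    """Return [(path, client, issue)]. The defaults ro, root_squash and secure are
    only overridden by the explicit options checked here."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "*" and "rw" in opts:
                findings.append((path, host, "writable by every host"))
            if "no_root_squash" in opts:
                findings.append((path, host, "remote root keeps uid/gid 0 on files"))
            if "insecure" in opts:
                findings.append((path, host, "accepts requests from ports above 1024"))
    return findings

# constructed exports file: a read-only public share, a world-writable backup, a mixed /home
SAMPLE = """\
/srv/public   *(ro,sync)
/srv/backup   *(rw,sync,no_root_squash)
/home         10.10.0.0/24(rw,sync) admin.lab.local(rw,no_root_squash,insecure)
"""

if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE):
        print(f"{path} {host}: {issue}")
```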
SMTP (25,465,587)
- used for sending emails
- SMTP is inherently insecure
- SMTP may be unencrypted over port 25. SSL/TLS is typically used to combat this, and moves the service to port 465
- Open mail servers do not authenticate users, so the sender address can be spoofed. Technologies such as DKIM, SPF and DMARC help validate the sender / sending IP so that legitimate email can be distinguished
- the service can be interacted with via telnet or netcat
# nmap commands check (smtp-commands is a default script)
nmap <host> -sCV -p25 -oA <output>
# nmap open relay check
nmap <host> --script smtp-open-relay -p25 -v -oA <output>
# use telnet or netcat to connect to SMTP to run further commands
# confirm connection
EHLO <server>
# enumerate users (a 252 reply is returned even for non-existent users, so it does not confirm existence)
VRFY <username>
# send mail
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
<body>
.
QUIT
# enumerate users via script
# -m (max processes) may need to be increased for slower systems
smtp-user-enum -M VRFY -U userlist.txt -t <ip>
IMAP/POP3 (143,993/110,995)
- IMAP is a full email/folder management protocol; POP3 is meant for basic retrieval and deletion
- also inherently insecure: by default it sends in cleartext. Encryption can be added on, and then uses port 993 or 995
- can be misconfigured to have debug logging for authentication or to allow anonymous login
# scan common ports
nmap -p110,143,993,995 -sCV -oA imap_pop3 <host>
# detailed script scans (can take ~10m, has brute force checks)
nmap -p110,143,993,995 --script imap*,pop3* -oA imap_pop <host>
# POP3 connect TLS/SSL encrypted
openssl s_client -connect <host>:pop3s
# POP3 commands
USER <username> # login user
PASS <password> # login password
STAT # requests number of saved emails
LIST # requests number & size of emails
RETR <id> # get email by ID
CAPA # display server capabilities
QUIT
# IMAP connect TLS/SSL encrypted
openssl s_client -connect <host>:imaps
# IMAP commands (may require a tag prefix, e.g. "a LOGIN ...")
LOGIN <user> <pass> # login
LIST "" * # list all directories
SELECT <mailbox> # Selects a mailbox, if emails exist, ID will print after
FETCH <id> all # Fetches email header, subject, flags
FETCH <id> rfc822 # fetches email as would be seen in an email client
LOGOUT
SNMP (udp161,162)
- v1 has no auth and is cleartext. v2 uses a community string for auth and is cleartext. v3 offers encryption and credentialed auth
- OIDs can be enumerated with snmpwalk or searched online here: Object Identifiers Registry
- misconfigurations include no authentication required, or no restriction on where SNMP requests can come from
- printers are a good example of devices that use SNMP and by default tend to be cleartext. IT administrators should ensure printers can only talk SNMP to designated print servers and, if possible, use SNMPv3 with credentials instead of community strings
# brute force snmp community strings for snmp v1/2
# seclists/Discovery/SNMP/snmp-onesixtyone.txt is a good list
onesixtyone -c <wordlist> <host>
# connect to specific known snmp with community string and dump all OIDs
snmpwalk -v 2c -c <community_string> <host>
# alternative to snmpwalk for bruteforcing OIDs
# the OID can be given as a wildcard prefix, e.g. .1.3.6.*
braa <community_string>@<host>:<oid_prefix_*>
MySQL (3306)
- open-source database solution supported by Oracle
- MariaDB is a fork of MySQL, also supported by Oracle
- common misconfigurations include the configuration file containing the user, password & admin listening IP in cleartext
- additionally, verbose debug options being active can reveal further sensitive information that can be used to probe the database
# scan standard port
nmap <target> -sCV -oA mysql -p3306 --script mysql*
# connect (no space after -p for password)
mysql -u <username> -p<password> -h <target>
# mysql commands
> show databases; # list out databases
> select version(); # print current mysql version
> use <database>; # switch to a different database
> show tables; # show tables in selected database
> show columns from <table>; # show columns in table
> select * from <table>; # query table for information
Microsoft SQL (1433)
- closed-source Microsoft provided database system
- Originally Windows only, but now supports linux / mac OS
- Typically accessed via GUI SSMS tool
- can be accessed via other methods, such as impacket's mssqlclient
- authentication can be configured to use Windows authentication, in which case Windows / AD handles authentication
- misconfigurations can include no encryption, self-signed certs, named pipes, weak or default sa credentials
# precursor nmap script scan
nmap <target> -sCV -oA mssql_init -p1433
# nmap script scan, requires information about port, username, password, instance
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248 -oA mssql_enum
# metasploit scanner
msfconsole
> use auxiliary/scanner/mssql/mssql_ping
> set RHOSTS <target>
> run
# connect with impacket
mssqlclient.py <windowsuser>:<pass>@<target> -windows-auth # windows auth
mssqlclient.py <windowsuser>@<target> -windows-auth -hashes <hash> # pass the hash
mssqlclient.py <user>:<pass>@<target> # db local cred auth
# impacket commands
> enum_db # enumerate databases
> enum_links # enumerate linked servers
> enum_logins # enumerate server logins
> enum_users # enumerate users
> select * from information_schema.tables; # list tables
> SELECT table_catalog, table_schema, table_name, column_name FROM INFORMATION_SCHEMA.COLUMNS; # get columns in table, can be filtered with where
> use <database>; # set db as active
> select <columns> from <table>; # get info from table in selected db
# reveal installed instances from registry
(get-itemproperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server').InstalledInstances
# check if service is running
Get-Service -Name <instance_name>
Oracle TNS (1521)
- networking suite that facilitates communications between multiple Oracle databases and applications
- supports encryption, host whitelisting, and authentication
- Oracle 9 has the default password CHANGE_ON_INSTALL, Oracle 10 has no default password, and the Oracle dbsnmp account uses the password dbsnmp
- $ORACLE_HOME/network/admin/tnsnames.ora shows service/db names, location and connection name
- odat is a useful tool for enumerating and exploiting vulns
# verify open default port
nmap -p1521 -sV 10.129.204.235 --open
# nmap brute force SID for connection
nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
# Oracle Database Attacking Tool (ODAT) full enum
# attempts to guess SIDs, service names, creds, ports, files
# sudo apt install odat
# this method requires sudo to run odat to avoid perm errors
sudo odat all -s 10.129.204.235
sudo odat all -s 10.129.204.235 -d <SID> # if SID is known, can be provided
# connect
# if a shared library error appears see:
# https://stackoverflow.com/questions/27717312/sqlplus-error-while-loading-shared-libraries-libsqlplus-so-cannot-open-shared
# sqlplus needs to be installed from Oracle
sqlplus <user>/<pass>@10.129.204.235/<SID> # normal privs
sqlplus <user>/<pass>@10.129.204.235/<SID> as sysdba # attempt dba privs
# db commands
> select table_name from all_tables; # print tables
> select * from user_role_privs; # view user roles and privileges
> select name, password from sys.user$; # extract password hashes (needs dba privs)
# ODAT File Upload
# <dir>: windows C:\\inetpub\\wwwroot, linux /var/www/html
# certain file uploads (like executables) could trigger AV, IDS or IPS
sudo odat utlfile -s 10.129.204.235 -d <SID> -U <user> -P <pass> --sysdba --putFile <dir> testing.txt ./testing.txt
# confirm file upload
curl -X GET http://10.129.204.235/testing.txt
IPMI (udp/623)
- autonomous subsystem that allows admins to manage and monitor systems, even if they are off or unresponsive
- systems that use the IPMI protocol are called Baseboard Management Controllers (BMCs)
- these BMCs may have default passwords
  - Dell iDRAC - root:calvin
  - HP iLO - Administrator (password is a random 8 char ALPHAnumeric string)
  - Supermicro IPMI - ADMIN:ADMIN
- IPMI 2.0 has a flaw in the RAKP protocol: it sends a salted SHA1/MD5 hash of a valid user's password to the client before authentication takes place
- this hash can be taken and cracked with hashcat mode 7300
- HP iLO can be brute-forced because its default password follows a known pattern
# enumerate port with nmap
nmap -sU --script ipmi-version -p623 <target>
# enumerate with metasploit
msfconsole
> use auxiliary/scanner/ipmi/ipmi_version
> set rhosts <target>
> run
# retrieve BMC Hash (wordlists can be changed with other options here)
msfconsole
> use auxiliary/scanner/ipmi/ipmi_dumphashes
> set rhosts <target>
> run
# crack BMC Hash for HP iLO
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
RSync (873)
- fast & efficient tool for copying files
# nmap scan verifying default port
nmap -sV -p 873 <target>
# connecting
nc -nv <target> <port>
# commands if connection success
> list # lists available shares
# enumerate share
rsync -av --list-only rsync://<target>/<share>
R-Commands (512,513,514)
- suite of tools for managing linux boxes that allows remote copy, execution, login, shell and who
- /etc/hosts.equiv lists trusted hosts that are granted access with no further auth
- .rhosts is a per-user configuration that also allows blind trust
- this suite is superseded by ssh, however legacy systems may still have it in use
# nmap simple check
nmap -sV -p 512,513,514 <target>
RDP (3389)
- Microsoft's Remote Desktop Protocol
- pre-installed on all windows machines, and is enabled by default
# nmap rdp scripts
# the cookies have mstshash=nmap baked in, which can trigger alerts
nmap -sV -sC -p3389 --script rdp* <target>
# enumerate security settings / encryption methods
# https://github.com/CiscoCXSecurity/rdp-sec-check
./rdp-sec-check.pl <target>
# connect via linux
xfreerdp /u:<user> /p:<password> /v:<target>
WinRM (5985/5986)
- must be explicitly enabled and configured on Win10+
- 5985 HTTP / 5986 HTTPS
- allows for remote management of windows machines, typically servers
# basic nmap
nmap -sVC <target> -p5985,5986 --disable-arp-ping -n
# connect
evil-winrm -i <target> -u <user> -p <pass>
WMI (135)
- Windows Management Instrumentation, allows read and write access to almost all windows settings
# impacket's wmiexec.py
wmiexec.py <user>:<pass>@<target> "hostname"