Detect SNMP-devices: nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt onesixtyone Brute force of community strings against IPs. The following example tries to log in into SMTP devises via a given IP and given community names. echo public > community echo private >> community echo manager >> community for ip in $(seq 1 254);do echo 10.11.1.$ip;done…
Enumeration Mandatory
Note: 139 = NetBIOS is a session layer protocol and service and different from 445 SMB. Enumeration Mandatory If you have no credentials yet: If you have already user credentials: On Windows Optional
Enumeration Mandatory Get a list of registered programs via rpcbind/v2 (previous portmapper!):rpcinfo -p $target Get a list of registered programs via rpcbind/3:rpcinfo -s $target If successful: Connect with the RPC console:rpcclient -U "" $target Enumerate with the queries on the RPC protocol post. Optional Try to brute-force accounts (no lock here!) Try other enumeration tools from the…
Enumeration Mandatory Show users and processes from known ports:ident-user-enum $target 139 445 … <- add all known ports here
Enumeration Mandatory Check if the target exposes open shares:showmount -e $target If there are some, try to mount them. If you can mount them, check if you can write files and set the s flag. (If in export no_root_squash is defined.) If yes, create a new file with a suid bit. Optional Try to use another NFS…
Enumeration Tools kerbrutepython3 /opt/kerbrute/kerbrute.py -domain thinc.local -users /usr/share/seclists/Usernames/Names/names.txt -dc-ip $target Alternative https://github.com/ropnop/kerbrute msf> use auxiliary/gather/kerberos_enumusers Perform ASREPRoast
Manual enumeration Subdomain enumeration Put usual domain names (Seclists!) and iterate them with the bash $ for ip in $(cat list.txt); do host $ip.domain.com; done IP enumeration Enumerate an IP range to find domains $ for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found" Zone transfer Perform a DNS zone…
Enumeration Mandatory Grab the banner. Tools Patator (brute force)
Notes If the server needs old crypto, use -oKexAlgorithms=+diffie-hellman-group1-sha1 OpenSSH 7.7. allows to enumerate existing users. It could be possible on Windows 10 ssh-agent to extract the keys. Keys Get fingerprints nmap -p22 --script ssh-hostkey $target Get hostkeys nmap -p22 --script ssh-hostkey --script-args ssh_hostkey=full $target Extract fingerprints from existing key file: ssh-keygen -E md5 -lf /tmp/found_keyssh-keygen -E sha1…
Enumeration Mandatory Try to access ssh ‑v $target Optional Reuse existing credentials Brute-force with existing usernames (Password-spraying) Try ssh-audit $target Try known usernaes with username as password or other found strings. Privilege Escalation Find .ssh directory on the file system and check all files within. Check sshd_config file. Check SSH version for exploits.
Enumeration Check the certificate Perform SSL-Scan Go to Checklist 80 HTTP Optional if vulnerable against heartbleed, use msf> use openssl_heartbleed. Don’t forget to use set ACTION KEYS or similar (see info)
Enumeration Mandatory Check anonymous login Try to create AND upload a file: mkdir test put /tmp/test test Check login with at least the following credentials: admin / admin admin / password Optional Download everything with wget and look for .dot files! Check login with newly found users Brute-force login Make sure to check admin / admin and other usual combinations…
Each installation has the following directory structure: /document root /_vti_bin shtml.exe /_vti_adm admin.exe /_vti_aut author.exe The shtml.exe is for executing web browser guest’s code for a web page. author.exe and admin.exe not. Tools Sparty: Frontpage Security Audit tool.
Enumeration Mandatory Open the site in a Browser. Maybe a CUPS interface is available. Performnmap -p 631 $target --script cups-info Try the PRET Printer Exploitation Toolkit is useful for printer hacking. See also HTB Laser (ippsec)python pret.py $target pcl
Checkout a repo: svn checkout svn://... Show log svn log Show infos svn info Show all branches svn ls svn://$victim --verbose The first number from the previous command shows the revision. To see the content of a repo for another revision, add the r flag: svn ls svn://$victim --verbose -r 1 svn ls svn://$victim --verbose -r 2…
This site contains links to tools / techniques which can run in the background during an engagement. Linux Windows
responder: Listen with responder on a network and wait for AD systems to ask for a DC. This can reveal a NTLM hash. (Source) Start responder on the own system: sudo responder -I tun0 --wpad Connect from the target system to this system via smb. In the Windows explorer, or in the command line via dir…
Main concepts: Tenant The “space” which an organization “rents”. Has a name. Users Groups Applications Identity model Cloud only Accounts are only in foreign systems (“cloud”) Synchronized Accounts are created and managed on-premise and synchronized to foreign systems (“cloud”) Federated Accounts are created, managed and authentificated on-premise; foreign systems (“cloud”) are also checking againts a on-premise system.…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';