Enumerating & Footprinting Services (LordOsiris)

FTP (21) - Enumeration & Footprinting the Service
    ftp <FQDN/IP>                                   Interact with the FTP service on the target.
    nc -nv <FQDN/IP> 21                             Interact with the FTP service on the target.
    telnet <FQDN/IP> 21                             Interact with the FTP service on the target.
    openssl s_client -connect <FQDN/IP>:21 -starttls ftp
                                                    Interact with the FTP service on the target using an encrypted connection.
    wget -m --no-passive ftp://<USER>:<Pass>@<target>
                                                    Download all available files on the target FTP server.
  Nmap scripts
    nmap --script ftp-* -p 21 <ip>
    ftp-anon, ftp-bounce, ftp-brute, ftp-libopie, ftp-proftpd-backdoor, ftp-syst,
    ftp-vsftpd-backdoor, ftp-vuln-cve2010-4221

SMB (137 / 138 / 139 / 445) - Enumeration & Footprinting the Service
  Metasploit - Search exploit
    msf> search type:exploit platform:windows target:2008 smb
    msf> searchsploit microsoft smb
  Nmap
    nmap --script "safe or smb-enum-*" -p 445 <IP>
  Obtain Information
    enum4linux -a [-u "<username>" -p "<passwd>"] <IP>         Dump interesting information
    enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
    rpcclient -U "" -N <IP>                                     Connect to the rpc
    rpcclient -U "username%passwd" <IP>
    rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
    /usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
    /usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
                                                                Dump user information
    /usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
    /usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
    /usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
                                                                Map possible RPC endpoints
  Enumerate Users, Groups & Logged On Users (this info should already be gathered from enum4linux and enum4linux-ng)
    crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
    crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
    crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]
    ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "
  Brute Forcing User RIDs
    rpcclient -U "" -N 10.10.10.10
  Impacket - Enumerate local users
    lookupsid.py -no-pass hostname.local
    samrdump.py 10.129.14.128
  Metasploit - Enumerate local users
    use auxiliary/scanner/smb/smb_lookupsid
  enum4linux - General enumeration - anonymous session
    enum4linux -a <target>
  enum4linux - General enumeration - authenticated session
    enum4linux -a <target> -u <user> -p <pass>
  enum4linux - Users enumeration
    enum4linux -u <user> -p <pass> -U <target>
  enum4linux - Group and members enumeration
    enum4linux -u <user> -p <pass> -G <target>
  enum4linux - Password policy
    enum4linux -u <user> -p <pass> -P <target>
  smbclient
    smbclient -L                                                List shares on a machine using NULL session
    smbclient -L <target-IP> -U username%password               List shares on a machine using a valid username + password
    smbclient //<target>/<share$> -U username%password          Connect to a valid share with username + password
    smbclient //<target>/<share$> -c 'ls' password -U username  List files on a specific share
    smbclient //<target>/<share$> -c 'cd folder; ls' password -U username
                                                                List files on a specific share folder inside the share
    smbclient //<target>/<share$> -c 'cd folder;get desired_file_name' password -U username
                                                                Download a file from a specific share folder
    smbclient //<target>/<share$> -c 'put /var/www/my_local_file.txt .\target_folder\target_file.txt' password -U username
                                                                Copy a file to a specific share folder
    smbclient //<target>/<share$> -c 'mkdir .\target_folder\new_folder' password -U username
                                                                Create a folder in a specific share folder
    smbclient //<target>/<share$> -c 'rename current_file.txt new_file.txt' password -U username
                                                                Rename a file in a specific share folder
    smbclient //<IP>/<share>                                    Download files
      > mask ""
      > recurse
      > prompt
      > mget *

NFS (2049 / 111) - Enumeration & Footprinting the Service
    sudo nmap -p 111,2049 -sV -sC <TargetIP>                    NMAP
    showmount -e <TargetIP>                                     Show available NFS Shares
    mount -t nfs <TargetIP>:/ ./<Internalfolder mount point>/ -o nolock
                                                                Mounting NFS Share
  Useful nmap scripts
    nfs-ls                                                      List NFS exports and check permissions
    nfs-showmount                                               Like showmount -e
    nfs-statfs                                                  Disk statistics and info from NFS share
  Useful metasploit modules
    scanner/nfs/nfsmount                                        Scan NFS mounts and list permissions

SSH (22) - Enumeration & Footprinting the Service
  Nmap scripts
    nmap -p22 <ip> -sC                                          Send default nmap scripts for SSH
    nmap -p22 <ip> -sV                                          Retrieve version
    nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full
                                                                Retrieve weak keys
    nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root"
                                                                Check authentication methods
    nmap -p22 <ip> --script ssh2-enum-algos                     Retrieve supported algorithms
  Username Enumeration - Metasploit
    msf> use scanner/ssh/ssh_enumusers
  Enumeration using Banner Grabbing
    nc -vn <IP> 22
  SSH client
    ssh <user>@<FQDN/IP>                                        Log in to the SSH server using the SSH client.
    ssh -i private.key <user>@<FQDN/IP>                         Log in to the SSH server using a private key.
    ssh <user>@<FQDN/IP> -o PreferredAuthentications=password   Enforce password-based authentication.
  Known badkeys
    https://github.com/rapid7/ssh-badkeys/tree/master/authorized
  Automated ssh-audit
    ssh-audit.py [-1246pbcnjvlt] <host>

SMTP (25 / 587) - Enumeration & Footprinting the Service
  Nmap
    sudo nmap 10.129.14.128 -sC -sV -p25
    nmap -p25 --script smtp-commands 10.10.10.10                smtp-commands
    nmap -p25 --script smtp-open-relay 10.10.10.10 -v
  Banner Grabbing
    nc -vn <IP> 25
  Username guessing using smtp-user-enum
    smtp-user-enum -M VRFY -U footprinting-wordlist.txt -p 25 -w 15 -t 10.129.114.201
  SMTP Commands to use
    Command      Description
    AUTH PLAIN   AUTH is a service extension used to authenticate the client.
    HELO         The client logs in with its computer name and thus starts the session.
    MAIL FROM    The client names the email sender.
    RCPT TO      The client names the email recipient.
    DATA         The client initiates the transmission of the email.
    RSET         The client aborts the initiated transmission but keeps the connection between client and server.
    VRFY         The client checks if a mailbox is available for message transfer.
    EXPN         The client also checks if a mailbox is available for messaging with this command.
    NOOP         The client requests a response from the server to prevent disconnection due to timeout.
    QUIT         The client terminates the session.

IMAP / POP3 (110 / 143 / 993 / 995) - Enumeration & Footprinting the Service
  Enumerating IMAP/POP3 using Nmap
    sudo nmap -sC -sV -v -p 110,143,993,995 <Target IP>
  Connecting to IMAP using openssl
    openssl s_client -connect <Target IP>:imaps
  Connecting to POP3 using openssl
    openssl s_client -connect <Target IP>:pop3s
  Banner grabbing
    nc -nv <IP> 143
    openssl s_client -connect <IP>:993 -quiet
  If credentials are obtained we can get information using cURL
    1. Listing mailboxes (LIST "" "*")
       curl -k 'imaps://1.2.3.4/' --user user:pass
    2. Listing messages in a mailbox (SELECT INBOX and then SEARCH ALL)
       curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass
    3. Searching for drafts with password in mail body (SELECT Drafts and then FETCH 1 BODY[])
       curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass

SNMP (161 / 162 / 10161 / 10162 / udp) - Enumeration & Footprinting the Service
  Connecting using SNMPwalk
    snmpwalk -v2c -c public 10.129.14.128
  OneSixtyOne for bruteforcing SNMP community strings
    onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt <Target IP>
  braa to brute-force the individual OIDs and enumerate the information
    braa <community string>@<IP>:.1.3.6.*

MySQL (3306)
  Local
    mysql -u root                                               Connect to root without password
    mysql -u root -p                                            A password will be asked
  Remote
    mysql -h <Hostname> -u root
    mysql -h <Hostname> -u root@localhost

MSSQL (1433)
  MSSQL Ping in Metasploit
    scanner/mssql/mssql_ping
  Connecting with Mssqlclient.py
    python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth

IPMI (623 / UDP) - Enumeration & Footprinting the Service
  Enumerating using Nmap
    sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
  Enumerating using Metasploit
    msf6 > use auxiliary/scanner/ipmi/ipmi_version
  Metasploit - Dumping Hashes
    msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes

R-Services (512 / 513 / 514)
  Logging in Using Rlogin
    rlogin 10.0.17.2 -l lordosiris
  Listing Authenticated Users Using Rwho
    rwho
  Listing Authenticated Users Using Rusers
    rusers -al 10.0.17.5

Rsync (873/tcp)
  Scanning for Rsync using Nmap
    sudo nmap -sV -p 873 127.0.0.1
  Probing for Accessible Shares
    nc -nv 127.0.0.1 873
  Enumerating an Open Share
    rsync -av --list-only rsync://127.0.0.1/dev

RDP (3389)
  Nmap Scan
    nmap -sV -sC 10.129.201.248 -p3389 --script rdp*
  RDP Security Check
    A Perl script named rdp-sec-check.pl has also been developed by Cisco CX Security Labs that can identify the security settings of RDP servers, without authentication, based on the handshakes.
    ./rdp-sec-check.pl 10.129.201.248
  Using xfreerdp to initiate an RDP session
    xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248

WinRM (5985 / 5986)
  Nmap WinRM footprinting
    nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
  Using Evil-winrm
    We can use the tool called evil-winrm, another penetration testing tool designed to interact with WinRM.
    evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!

WMI (135)
  Using WMIexec.py
    The program wmiexec.py from the Impacket toolkit can be used for footprinting WMI.
    /usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"