Common Service Attacks - Revision history

Booda: /* Email - SMTP */

2023-10-10T18:17:39Z

Email - SMTP

← Older revision		Revision as of 18:17, 10 October 2023
Line 179:		Line 179:
	* PHP database management tool: https://www.adminer.org		* PHP database management tool: https://www.adminer.org

	=== ~~Email -~~ SMTP ===		=== SMTP ===

	=== DNS ===		=== DNS ===

Booda: /* SSH */

2023-10-07T16:48:27Z

SSH

← Older revision		Revision as of 16:48, 7 October 2023
Line 44:		Line 44:

	* SSH Hacking Cheat Sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh		* SSH Hacking Cheat Sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh
			* SSH Forward Agent exploitation: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation

	==== Brute-Force ====		==== Brute-Force ====

Booda: /* RDP */

2023-10-07T16:38:16Z

RDP

← Older revision		Revision as of 16:38, 7 October 2023
Line 94:		Line 94:
	'''Note:''' Be careful to not lockout accounts!		'''Note:''' Be careful to not lockout accounts!

	* <code>python [https://github.com/galkan/crowbar crowbar.py] -b rdp -s ~~192~~.~~168~~.~~220~~.~~142~~/32 -U [https://github.com/danielmiessler/SecLists/tree/master/Usernames users.txt] -c 'Password@123'</code>		* <code>python [https://github.com/galkan/crowbar crowbar.py] -b rdp -s 10.10.10.11/32 -U [https://github.com/danielmiessler/SecLists/tree/master/Usernames users.txt] -c 'Password@123'</code>

	=== VPN ===		=== VPN ===

Booda: /* Password Spray */

2023-09-23T15:08:53Z

Password Spray

← Older revision		Revision as of 15:08, 23 September 2023
Line 94:		Line 94:
	'''Note:''' Be careful to not lockout accounts!		'''Note:''' Be careful to not lockout accounts!

	* <code>python [https://github.com/galkan/crowbar crowbar.py] -b rdp -s 192.168.220.142/32 -U [https://github.com/danielmiessler/SecLists/tree/master/Usernames users.txt] -c '~~password~~@123'</code>		* <code>python [https://github.com/galkan/crowbar crowbar.py] -b rdp -s 192.168.220.142/32 -U [https://github.com/danielmiessler/SecLists/tree/master/Usernames users.txt] -c 'Password@123'</code>

	=== VPN ===		=== VPN ===

Booda: /* Enumeration */

2023-09-23T15:08:31Z

Enumeration

← Older revision		Revision as of 15:08, 23 September 2023
Line 85:		Line 85:

	==== Enumeration ====		==== Enumeration ====
	We can use the [https://nmap.org/nsedoc/scripts/rdp-enum-encryption.html nmap] [https://nmap.org/nsedoc/scripts/rdp-ntlm-info.html scripting engine (NSE)] set of [https://nmap.org/nsedoc/scripts/rdp-vuln-ms12-020.html RDP scripts] to start enumerating RDP:		We can use the [https://nmap.org/nsedoc/scripts/rdp-enum-encryption.html nmap] [https://nmap.org/nsedoc/scripts/rdp-ntlm-info.html scripting engine (NSE)] set of [https://nmap.org/nsedoc/scripts/rdp-vuln-ms12-020.html RDP scripts] to start enumerating RDP to discover more information about our target.

	* <code>nmap -sV -p 3389 --script rdp-* 10.10.10.11 -oA results</code>		* <code>nmap -sV -p 3389 --script rdp-* 10.10.10.11 -oA results</code>

Booda: /* RDP */

2023-09-23T15:06:23Z

RDP

← Older revision		Revision as of 15:06, 23 September 2023
Line 79:		Line 79:

	=== RDP ===		=== RDP ===
			Remote Desktop Protocol (RDP) allows you to control a system remotely as if you were sat at the keyboard physically (with some delay). RDP runs on port 3389 by default, doesn't use multi-factor authentication by default and due to organizations having poor password policies RDP has been a great way to gain initial access into company networks. The added benefit is using a legitimate account already registered on the network and by using windows built in RDP client detection for an intrusion is not as obvious or easy to detect.

			* Basic authentication: <code>xfreerdp /u:Administrator /p:Password@123 /v:10.10.10.11:3389</code>
			* RDP Hacking Cheat Sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-rdp

			==== Enumeration ====
			We can use the [https://nmap.org/nsedoc/scripts/rdp-enum-encryption.html nmap] [https://nmap.org/nsedoc/scripts/rdp-ntlm-info.html scripting engine (NSE)] set of [https://nmap.org/nsedoc/scripts/rdp-vuln-ms12-020.html RDP scripts] to start enumerating RDP:

			* <code>nmap -sV -p 3389 --script rdp-* 10.10.10.11 -oA results</code>

			==== Password Spray ====
			Assuming your target uses weak and guessable credentials and hasn't implemented multi-factor authentication we can start a brute-force attack against RDP in the hopes of finding an easy way in through poorly implemented authentication.

			'''Note:''' Be careful to not lockout accounts!

			* <code>python [https://github.com/galkan/crowbar crowbar.py] -b rdp -s 192.168.220.142/32 -U [https://github.com/danielmiessler/SecLists/tree/master/Usernames users.txt] -c 'password@123'</code>

	=== VPN ===		=== VPN ===

Booda: /* Injection */

2023-09-22T15:57:10Z

Injection

← Older revision		Revision as of 15:57, 22 September 2023
Line 148:		Line 148:

	==== Injection ====		==== Injection ====
	[https://github.com/jhaddix/tbhm/blob/master/06_SQLi.md SQL Injection (SQLi)] is a type of attack whereby the targets application has a vulnerable parameter that we can inject SQL code into and start accessing, editing and deleting data from and bypass logins. To quickly test a login page for SQLi bypass you can either [https://enlacehacktivista.org/index.php?title=Exploitation#Payloads try different payloads] or capture the login request with [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon#Intercepting_proxies an intercept proxy] and run <code>[https://github.com/sqlmapproject/sqlmap sqlmap] -r login_test.txt ~~--random-agent~~ --dbs</code>.		[https://github.com/jhaddix/tbhm/blob/master/06_SQLi.md SQL Injection (SQLi)] is a type of attack whereby the targets application has a vulnerable parameter that we can inject SQL code into and start accessing, editing and deleting data from and bypass logins. To quickly test a login page for SQLi bypass you can either [https://enlacehacktivista.org/index.php?title=Exploitation#Payloads try different payloads] or capture the login request with [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon#Intercepting_proxies an intercept proxy] and run <code>[https://github.com/sqlmapproject/sqlmap sqlmap] -r login_test.txt --dbs</code>.

	We can use various tools and techniques to discover SQLi such as crawling an application for endpoints and parameters using web crawlers, and then passing that output to [https://github.com/sqlmapproject/sqlmap sqlmap] to start testing parameters for SQLi vulnerabilities (very loud).		We can use various tools and techniques to discover SQLi such as crawling an application for endpoints and parameters using web crawlers, and then passing that output to [https://github.com/sqlmapproject/sqlmap sqlmap] to start testing parameters for SQLi vulnerabilities (very loud).

Booda: /* Injection */

2023-09-22T15:56:08Z

Injection

← Older revision		Revision as of 15:56, 22 September 2023
Line 148:		Line 148:

	==== Injection ====		==== Injection ====
	[https://github.com/jhaddix/tbhm/blob/master/06_SQLi.md SQL Injection (SQLi)] is a type of attack whereby the targets application has a vulnerable parameter that we can inject SQL code into and start accessing, editing and deleting data from and bypass logins.		[https://github.com/jhaddix/tbhm/blob/master/06_SQLi.md SQL Injection (SQLi)] is a type of attack whereby the targets application has a vulnerable parameter that we can inject SQL code into and start accessing, editing and deleting data from and bypass logins. To quickly test a login page for SQLi bypass you can either [https://enlacehacktivista.org/index.php?title=Exploitation#Payloads try different payloads] or capture the login request with [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon#Intercepting_proxies an intercept proxy] and run <code>[https://github.com/sqlmapproject/sqlmap sqlmap] -r login_test.txt --random-agent --dbs</code>.

	We can use various tools and techniques to discover SQLi such as crawling an application for endpoints and parameters using web crawlers, and then passing that output to [https://github.com/sqlmapproject/sqlmap sqlmap] to start testing parameters for SQLi vulnerabilities (very loud).		We can use various tools and techniques to discover SQLi such as crawling an application for endpoints and parameters using web crawlers, and then passing that output to [https://github.com/sqlmapproject/sqlmap sqlmap] to start testing parameters for SQLi vulnerabilities (very loud).

Booda: /* Injection */

2023-09-22T15:51:28Z

Injection

← Older revision		Revision as of 15:51, 22 September 2023
Line 153:		Line 153:

	* <code>[https://github.com/nmap/nmap nmap] -sV -p 80,443 --script [https://nmap.org/nsedoc/scripts/http-sql-injection.html http-sql-injection] 10.10.10.11</code>		* <code>[https://github.com/nmap/nmap nmap] -sV -p 80,443 --script [https://nmap.org/nsedoc/scripts/http-sql-injection.html http-sql-injection] 10.10.10.11</code>
	* <code>[https://github.com/projectdiscovery/katana katana] -u https://enlacehacktivista.org -o target_params.txt</code>		* Crawl your target: <code>[https://github.com/projectdiscovery/katana katana] -u https://enlacehacktivista.org -o target_params.txt</code>
	** <code>[https://github.com/sqlmapproject/sqlmap sqlmap] -m target_params.txt --batch --answer="redirect=N"</code>		** Test for SQLi (bulk): <code>[https://github.com/sqlmapproject/sqlmap sqlmap] -m target_params.txt --batch --answer="redirect=N"</code>

	==== Exfiltration ====		==== Exfiltration ====

Booda: /* SQL */

2023-09-22T15:46:06Z

SQL

← Older revision		Revision as of 15:46, 22 September 2023
Line 130:		Line 130:
	* Basic authentication: <code>mysql -u root -pPassword@123 -h 10.10.10.11</code>		* Basic authentication: <code>mysql -u root -pPassword@123 -h 10.10.10.11</code>
	** https://github.com/fortra/impacket/blob/master/examples/mssqlclient.py		** https://github.com/fortra/impacket/blob/master/examples/mssqlclient.py
	* Hacking SQL Cheat Sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-~~mssql-microsoft-sql-server~~		* Hacking SQL Cheat Sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-mysql
	** https://book.hacktricks.xyz/network-services-pentesting/pentesting-~~mysql~~		** https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
	* Hacking SQL: https://github.com/NetSPI/PowerUpSQL/wiki		* Hacking SQL: https://github.com/NetSPI/PowerUpSQL/wiki
	==== Enumeration ====		==== Enumeration ====