
Services

FTP (Port 21)

nmap -p 21 --script=ftp-anon 10.10.174.58

RPC / NFS (Port 111, 2049, 20048)

Interesting files on the NFS server: /etc/nfs.conf, /etc/fstab and /etc/exports

$ rpcinfo -p | grep nfs

100003    3   tcp   2049  nfs
100003    4   tcp   2049  nfs
100227    3   tcp   2049  nfs_acl

Nmap NSE :

$ sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.220.222
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 13:48 CET
Nmap scan report for 10.10.220.222
Host is up (0.035s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /var *
| nfs-statfs:
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /var        9204224.0  1836532.0  6877096.0  22%   16.0T        32000

Nmap done: 1 IP address (1 host up) scanned in 2.38 seconds

List the NFS exports (showmount -e) and mount one of them:

$ showmount -e 10.10.200.32
Export list for 10.10.200.32:
/home/ubuntu/sharedfolder *
/tmp                      *
/home/backup              *
$ sudo mkdir /mnt/nfs1
$ sudo mount -t nfs -o rw 10.10.200.32:/home/ubuntu/sharedfolder /mnt/nfs1
$ cd /mnt/nfs1
...

Mount an NFS export:

$ sudo mkdir /mnt/ntfs1
$ sudo mount -t nfs 10.10.220.222:/var /mnt/ntfs1
$ cd /mnt/ntfs1
$ ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  snap  spool  tmp  www
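The exports that showmount -e lists above come from /etc/exports on the server. The following audit script is an added example (not part of the original notes): it parses the exports format (path, then one or more client(options) entries) and flags exports that any host can mount or that keep remote root as uid 0 via no_root_squash. The sample exports text is constructed for the demonstration; the function names parse_exports and audit_exports are this example's own.

```python
"""Audit an NFS /etc/exports file for overly permissive entries.

Added example, not from the original notes. Flags exports that are
mountable by any host ("*" or an empty client field) and exports that
use no_root_squash, so remote root keeps uid 0 on the shared tree.
"""
import re

# Constructed sample: the first three lines mirror the world-readable
# exports seen in the showmount output above.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/ubuntu/sharedfolder *(rw,sync,no_root_squash)
/tmp                      *(rw,sync)
/home/backup              *(rw,no_subtree_check)
/srv/data                 10.10.0.0/16(ro,sync) admin.lab(rw,sync)
"""

# One client entry: "client" optionally followed by "(opt1,opt2)".
ENTRY_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")

WORLD_CLIENTS = {"*"}  # wildcard client = any host on the network


def parse_exports(text):
    """Return a list of (path, [(client, [options]), ...]) tuples."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        clients = []
        for client, opts in ENTRY_RE.findall(rest):
            options = [o.strip() for o in opts.split(",") if o.strip()]
            clients.append((client, options))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return findings as (path, client, issue) tuples."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            # A path with no client list is exported to everyone.
            findings.append((path, "", "world_mountable:rw"))
            continue
        for client, options in clients:
            opts = set(options)
            if client in WORLD_CLIENTS:
                access = "rw" if "rw" in opts else "ro"
                findings.append((path, client, f"world_mountable:{access}"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<28} {client or '(any)':<14} {issue}")
```

Run it against a copy of the server's /etc/exports; any world_mountable:rw finding means the export can be written to by whoever can reach port 2049, and no_root_squash on top of that lets a remote root create setuid binaries in the share. Restricting each export to a host list or subnet, keeping the default root_squash, and limiting rw to the hosts that need it removes the findings.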

RDP (port 3389)

$ rdesktop -u <username> -p <password> <ip>

Remmina provides a GUI client.

Samba

Port 139 and 445

$ sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.220.222
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 13:35 CET
Nmap scan report for 10.10.220.222
Host is up (0.042s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.220.222\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.220.222\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.220.222\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds

3 shares :

  1. \\10.10.220.222\IPC$
  2. \\10.10.220.222\anonymous
  3. \\10.10.220.222\print$
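Reading the share list above by eye works for three shares but not for a subnet scan. The script below is an added example (not part of the original notes): it parses the smb-enum-shares block of nmap's normal output and reports every share that grants anonymous access, ranking a disk share with anonymous write access above an IPC$ null session. The sample input is the nmap output shown above, embedded verbatim; the function names parse_smb_enum_shares and audit_shares are this example's own.

```python
"""Flag SMB shares with anonymous access in nmap smb-enum-shares output.

Added example, not from the original notes. Parses the "|"-prefixed NSE
block of nmap's normal output into one dict per share, then reports the
shares whose "Anonymous access" is anything other than <none>.
"""
import re

# Sample input: the nmap smb-enum-shares output from the notes above.
SAMPLE_NMAP_OUTPUT = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.220.222\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.220.222\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.220.222\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds
"""

# A share header line looks like "\\host\name:" once the "|" prefix is gone.
SHARE_RE = re.compile(r"^(\\\\[^:]+):$")


def parse_smb_enum_shares(text):
    """Return {share_name: {field: value}} for every share in the NSE block."""
    shares = {}
    current = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # only NSE script lines carry the "|" prefix
        s = line.lstrip("|_ ").strip()
        if not s:
            continue
        m = SHARE_RE.match(s)
        if m:
            current = m.group(1)
            shares[current] = {}
            continue
        if current is None:
            continue  # e.g. "account_used: guest" before the first share
        key, _, value = s.partition(":")
        shares[current][key.strip()] = value.strip()
    return shares


def audit_shares(text):
    """Return (share, type, anonymous_access, severity) for exposed shares."""
    findings = []
    for name, fields in parse_smb_enum_shares(text).items():
        anon = fields.get("Anonymous access", "<none>")
        if anon == "<none>":
            continue
        kind = fields.get("Type", "")
        # Anonymous write on a disk share is the serious case; anonymous
        # access to IPC$ (a null session) mainly enables enumeration.
        severity = "high" if kind == "STYPE_DISKTREE" and "WRITE" in anon else "medium"
        findings.append((name, kind, anon, severity))
    return findings


if __name__ == "__main__":
    for name, kind, anon, severity in audit_shares(SAMPLE_NMAP_OUTPUT):
        print(f"[{severity}] {name} ({kind}) anonymous={anon}")
```

Feed it the saved output of nmap -oN over a range and the high findings are the shares to fix first: on the Samba side that means dropping guest ok = yes / map to guest for disk shares and restricting write list to the accounts that need it, after which the nmap script reports Anonymous access: <none> for them.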

SMB client for Linux (smbclient):

List shares :

$ crackmapexec smb 10.10.86.204 --shares

or

$ smbclient -L 10.10.86.204
Password for [MYGROUP\xanhacks]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        nt4wrksv        Disk
SMB1 disabled -- no workgroup available
$ smbclient -U 'guest' '\\10.10.86.204\nt4wrksv'
Password for [MYGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 25 23:46:04 2020
  ..                                  D        0  Sat Jul 25 23:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020

                7735807 blocks of size 4096. 4932712 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> mput shell.aspx
Put file shell.aspx? y
putting file shell.aspx as \shell.aspx (40.5 kb/s) (average 40.5 kb/s)

Recursively download all the files of the share using smbget -R :

$ smbget -R smb://10.10.220.222/anonymous
Password for [xanhacks] connecting to //anonymous/10.10.220.222: <press enter>
Using workgroup WORKGROUP, user xanhacks
smb://10.10.220.222/anonymous/log.txt
Downloaded 11.95kB in 1 seconds