Services

Network Services

DNS

Info - The different DNS records

• NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain
• A: (aka host records) contain the IPv4 address of a hostname (eg www.example.com)
• AAAA: (aka quad A host records) contain the IPv6 address of a hostname (eg www.example.com)
• MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain
• PTR: Pointer Records are used in reverse lookup zones and can find the records associated with an IP address
• CNAME: Canonical Name Records are used to create aliases for other host records
• TXT: Text records can contain any arbitrary data

Find DNS records associated with a domain

Find the IP address (A record) of a domain:

www.megacorpone.com has address 149.56.244.87

---

Find other records (eg mx records) of a domain:

kali@kali:~$ host -t mx megacorpone.com
kali@kali:~$ host -t txt megacorpone.com

See if a particular server exists

kali@kali:~$ host idontexist.megacorpone.com

Specify which DNS server to query

Query the 192.168.50.151 DNS server for any TXT record related to the info.megacorptwo.com host:

C:\Users\student>nslookup -type=TXT info.megacorptwo.com 192.168.50.151

Find hostnames by brute forcing DNS lookups

Create a list of possible hostnames:

kali@kali:~$ cat list.txt www  

ftp
mail owa proxy router

___

DNS lookup each hostname in the list:
```bash
kali@kali:~$ for ip in $(cat list.txt); do host $ip.megacorpone.com; done
www.megacorpone.com has address 149.56.244.87  
Host ftp.megacorpone.com not found: 3(NXDOMAIN)  
mail.megacorpone.com has address 51.222.169.212
Host owa.megacorpone.com not found: 3(NXDOMAIN)
Host proxy.megacorpone.com not found: 3(NXDOMAIN)
router.megacorpone.com has address 51.222.169.214

---

More comprehensive wordlists are available in the seclists directory.

Automate DNS Enumeration with DNSRecon and DNSenum

DNSRecon:

• -d option to specify a domain name
• -t option to specify the type of enumeration to perform (eg. standard)

kali@kali:~$ dnsrecon -d megacorpone.com -t std

• -D to specify a file name (list.txt) containing potential subdomain strings
• -t to specify the type of enumeration to perform (eg brute force)

kali@kali:~$ dnsrecon -d megacorpone.com -D ~/list.txt -t brt

---

DNSEnum:

kali@kali:~$ dnsenum megacorpone.com

Transfer a domain

dig @192.168.222.122 axfr hutch.offsec

FTP

Connect to FTP server

ftp $ip

Download all files

• -m to mirror the directory and follow links recursively
• —no-passive disables passive mode

wget -m ftp://anonymous:[email protected]
wget -m --no-passive ftp://anonymous:[email protected]

LDAP

Get domain name

ldapsearch -H ldap://192.168.122.175:389/ -x -s base namingcontexts

List all available objects

Ldapsearch

# Null
ldapsearch -x -H ldap://192.168.122.175 -D '' -w '' -b "DC=megabank,DC=local"
 
# Credentialed
ldapsearch -x -H ldap://192.168.122.175 -D 'CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec' -w 'password' -b "DC=megabank,DC=local"

LAPS

ms-Mcs-AdmPwd attribute

# List all objects, then search for ms-Mcs-AdmPwd

Test credentials

CME

# /etc/hosts
192.168.237.40    dc.hokkaido-aerospace.com
 
# command
crackmapexec ldap dc.hokkaido-aerospace.com -u discovery -p 'Start123!'

From Windows - List all objects

Create the script:

enumeration.ps1

$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName 
$LDAP = "LDAP://$PDC/$DN"
 
$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)
 
$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.FindAll()

Run it:

PS C:\Users\stephanie> .\enumeration.ps1

From Linux - automated searches

LDAPsearch

ldapsearch -x -H ldap://AD_SERVER -b "dc=DOMAIN,dc=COM" -D "USERNAME@DOMAIN" -w "password"

Windapsearch

python windapsearch.py
 
# Domain admins
python3 windapsearch.py --dc-ip 172.16.5.5 -u [email protected] -p Klmcargo2 --da
 
# Privileged users
python3 windapsearch.py --dc-ip 172.16.5.5 -u [email protected] -p Klmcargo2 -PU

MSSQL

Connect to a MSSQL server

Using impacket:

• -windows-auth forces NTLM authentication (as opposed to Kerberos)

kali@kali:~$ impacket-mssqlclient Administrator:[email protected] -windows-auth

Show MSSQL version

SQL>SELECT @@version;

Enumerate the database

List all available databases:

SQL>SELECT name FROM sys.databases;
SQL> USE database-name;

The master, tempdb, model and msdb databases are default ones.

List the tables within a database:

SQL>SELECT * FROM offsec.information_schema.tables;

List the records within a table:

SQL>select * from offsec.dbo.users;

Check user permissions

Is current user a sys admin?

select IS_SRVROLEMEMBER('sysadmin');    // 1 if true

What is the current user

select system_user;

Impersonate another users

# See which users can be impersonated
select distinct b.name from sys.server_permissions a inner join sys.server_principals b on a.grantor_principal_id = b.principal_id were a.permission_name = 'IMPERSONATE'
 
# Impersonate a user
EXECUTE AS LOGIN = 'user';
SELECT SYSTEM_USER;

MySQL

Connect to a MySQL server

Using mysql command:

kali@kali:~$ mysql -u root -p'root' -h 192.168.50.16 -P 3306

Enumerate MySQL properties

Version:

MySQL [(none)]> select version();
MySQL [(none)]> select @@version;

Current database user:

MySQL [(none)]> select system_user();

Enumerate the database

Show available databases:

MySQL [(none)]> show databases;

Select a database:

MySQL [(none)]> use DATABASE;

Show tables:

MySQL [(none)]> show tables;

Base64 decode a column (e.g. password column)

SELECT username, CONVERT(FROM_BASE64(FROM_BASE64(password)), CHAR) FROM users;

Create a file with custom content

INTO OUTFILE

SELECT "file content" INTO OUTFILE "C:/path/to/file.php";

RPC

Connect

RPCClient

rpcclient -U "" -N 10.10.10.169
rpcclient -U 'admin%password' 192.169.209.40

Commands

HackTricks article for more

enumerdomusers  # list users
queryuser 0x457  # user information
querydispinfo  # display user text info field
querygroupmem <0xrid> # get group members

Extract usernames to a file

Enumdomusers

rpcclient -U 'discovery%Start123!' -c 'enumdomusers' 192.168.209.40 | awk -F'[][]' '{print $2}'

Force reset a user's password

setinfo

setuserinfo2 MOLLY.SMITH 23 'Password123!'

SMB

Nmap SMB enumeration

Script location:

kali@kali:~$ ls -1 /usr/share/nmap/scripts/smb*

Using a script in a scan:

kali@kali:~$ nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152

---

Discovering hosts running an SMB server:

kali@kali:~$ nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254

nbtscan to find NetBIOS names

This can reveal NetBIOS names:

kali@kali:~$ sudo nbtscan -r 192.168.50.0/24

List available shares

Net

C:\Users\student>net view \\dc01 /all

smbclient

smbclient -N -L //192.168.63.205
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //192.168.50.205
smbclient -p 18000 -NL //192.168.63.205  # unusual port

CME

bubbleman@htb$ sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares
 
# Spider crawl a particular share
bubbleman@htb$ sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'

smbmap

bubbleman@htb$ smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5

Connect to a share

smbclient

smbclient -N //192.168.24.168/share/  # Anonymous
smbclient -U 'username' //192.168.24.168/share/   # Authenticated

Recursively list files

smbclient

smbclient -N //10.10.10.100/sharename -c 'recurse;ls'

smbmap

bubbleman@htb$ smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' [--dir-only]

Recursively download files

smbclient

smbclient -N //10.10.10.100/Replication
mask ""
recurse ON
Prompt OFF
mget *

Snaffler

Execute

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data

SMTP

Info - The Simple Mail Transport Protocol (SMTP) is a mail server for delivering emails

Enumerate valid users

The following example shows how the server will confirm or deny whether a particular user exists:

kali@kali:~$ nc -nv 192.168.50.8 25
(UNKNOWN) [192.168.50.8] 25 (smtp) open
220 mail ESMTP Postfix (Ubuntu)  
VRFY root  
252 2.0.0 root  
VRFY idontexist

550 5.1.1 <idontexist>: Recipient address rejected: User unknown in local recipient table

___
A Python script which opens a TCP socket, connects to the SMTP server, and issues a VRFY command for a given username.
>[!code]- smtp.py
>```python
>#!/usr/bin/python
>
>import socket import sys
>
>if len(sys.argv) != 3:  
>print("Usage: vrfy.py \<username> <target_ip>") sys.exit(0)
>
># Create a Socket  
>s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>
># Connect to the Server  
>ip = sys.argv[2]  
>connect = s.connect((ip,25))
>
># Receive the banner banner = s.recv(1024)
>
>print(banner)
>
># VRFY a user  
>user = (sys.argv[1]).encode() s.send(b'VRFY ' + user + b'\r\n') result = s.recv(1024)
>
>print(result)
>
># Close the socket s.close()
>```

We can run the script by providing the username to be test as the first argument and the target IP as the second argument:
```bash
kali@kali:~/Desktop$ python3 smtp.py root 192.168.50.8

See whether a SMTP server is running using a Windows machine

Test whether an SMTP server is running:

PS C:\Users\student> Test-NetConnection -Port 25 192.168.50.8

---

Interact with the SMTP server:

(Requires admin privileges) - we can interact with the SMTP server from the Windows machine we can use the Microsoft version of the Telnet client:

PS C:\Windows\system32> dism /online /Enable-Feature /FeatureName:TelnetClient

(Doesn’t require admin privileges) - run the telnet binary (might need to transfer it first):

c:\windows\system32\telnet.exe
C:\Windows\system32>telnet 192.168.50.8 25

SNMP

Commonly used SNMP tree branches

Enumerate the SNMP port

With Nmap:

kali@kali:~$ sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt

Brute force the community string (password)

First we must build a text file containing the community strings to brute force (community) and another one containing the IP addresses to scan:

kali@kali:~$ echo public > community
kali@kali:~$ echo private >> community
kali@kali:~$ echo manager >> community
 
kali@kali:~$ for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
 
kali@kali:~$ onesixtyone -c community -i ips

Enumerate the SNMP tree

Using snmpwalk, enumerate the entire MIB tree:

• -c to specify the community string
• -v to specify the SNMP version number
• -t 10 to increase the timeout period to 10 seconds

kali@kali:~$ snmpwalk -c public -v1 -t 10 192.168.50.151

Eg., enumerate all currently running process:

kali@kali:~$ snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2

---

Using snmp-check, enumerate the tree and obtain key information:

kali@kali:~$ snmp-check 192.168.221.42

HTTP

WordPress

Enumerate plugins

# All plugins (ap)
wpscan scan --url http://10.10.110.100:65000/wordpress/ -e ap
 
# Vulnerable plugins (vp)
wpscan scan --url http://10.10.110.100:65000/wordpress/ -e vp

Enumerate users

wpscan --url http://10.10.110.100:65000/wordpress/ -e u 

Enumerate themes

# All themes
wpscan scan --url http://10.10.110.100:65000/wordpress/ -e at
 
# Vulnerable themes
wpscan scan --url http://10.10.110.100:65000/wordpress/ -e vt

Brute force http-post login

Hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"

Create a wordlist from website

CeWL

• Defaults to a depth of 2
• -d 5 changes depth to 5

cewl http://10.10.110.100:65000/wordpress/

WebDav

Connect (might need credentials)

cadaver http://192.168.122.120

 Upload a file

put /location/to/local/file.txt