Our goal is not just to get into the systems but to find all the ways to get there.
Enumeration Methodology
The enumeration process is divided into three levels:
| Infrastructure-based enumeration | Host-based enumeration | OS-based enumeration |
|---|---|---|
Host Based Enumeration
FTP
| Port | Role |
|---|---|
| TCP/21 | control channel: the client connects to port 21, sends commands and receives numeric status codes |
| TCP/20 | data channel in active mode: the server connects back from port 20 to a port the client announced. In passive mode (PASV) the server instead opens a random high port and the client connects to it (wget's --no-passive option in the download command below forces active mode) |
- FTP is a clear-text protocol: credentials, commands and file contents can all be sniffed on the wire
- anonymous FTP lets anyone log in as the user anonymous (the password is conventionally an e-mail address and is not checked); whether that login can only download or can also upload depends on the server configuration (for vsFTPd: anonymous_enable, anon_upload_enable, anon_mkdir_write_enable)
TFTP
- Trivial File Transfer Protocol (TFTP) is simpler than FTP and provides no user authentication at all
- TFTP uses UDP (port 69), so scan for it with -sU
- file access is solely reliant on the read/write permissions of the files in the OS
Default Configuration
The default configuration of vsFTPd is /etc/vsftpd.conf (look for anonymous_enable, anon_upload_enable, chroot_local_user and the logging options)
In addition, /etc/ftpusers serves as a blacklist: any user listed there cannot log in to the FTP service, so it usually contains root and other system accounts
Downloading all files
wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136
Interacting with an FTP server that runs TLS/SSL encryption
openssl s_client -connect 10.129.14.136:21 -starttls ftp
SMB
Connecting to a share (anonymously)
- listing shares
smbclient -N -L //10.129.14.128
- connecting to a share
smbclient //10.129.14.128/notes
Footprinting the service
- Nmap
sudo nmap 10.129.14.128 -sV -sC -p139,445
- RPCclient
rpcclient -U "" 10.129.14.128
- RPCclient user enumeration: inside the null session, enumdomusers lists users with their RIDs and queryuser <RID> shows the details of one user
- Brute Forcing User RIDs (RID 500 is the built-in Administrator, 501 the Guest account, normal users start at 1000; printf converts the decimal RID to the hex value rpcclient expects)
for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
- Impacket - samrdump.py
samrdump.py 10.129.14.128
- Enum4Linux-ng - Enumeration
enum4linux-ng.py 10.129.14.128 -A
NFS
NFS uses rpcbind/portmapper on port 111 (TCP and UDP) and nfsd on port 2049 (TCP and UDP)
the exported directories and their options are configured in /etc/exports
Footprinting the service
- Nmap
sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049
The rpcinfo NSE script retrieves a list of all currently running RPC services, their names and descriptions, and the ports they use.
- Show Available NFS Shares
showmount -e 10.129.14.128
- Mounting NFS Share
mkdir target-NFS
sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
Files on the mount keep the UID/GID of the exporting host. If a file is only readable by, say, UID 1000 and the export does not squash IDs, creating a local user with that UID lets us read it; with no_root_squash in /etc/exports our local root maps to root on the share.
DNS
Reference: DNS Explained in detail
An entry in a DNS nameserver, also known as a DNS record, contains specific information about a domain and its associated services. Each entry in a DNS nameserver is formatted in a way that helps DNS resolvers understand how to handle requests for that domain. Here’s a breakdown of what an entry typically looks like:
<NAME> <TTL> <CLASS> <TYPE> <DATA>
examples:
example.com.      3600 IN A     192.0.2.1
example.com.      3600 IN AAAA  2001:db8::1
www.example.com.  3600 IN CNAME example.com.
example.com.      3600 IN MX    10 mail.example.com.
example.com.      3600 IN NS    ns1.example.com.
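A small parser for the record format above, written as an added example for these notes (it is not part of the original page or of any tool mentioned here). The sample zone is constructed from the example records plus an SOA and a comment line; in practice the input would be the output of dig (for instance an AXFR). It follows CNAME chains the way a resolver does and collects every hostname the zone mentions, which is the list to feed into further enumeration.

```python
"""Parse DNS records in <NAME> <TTL> <CLASS> <TYPE> <DATA> form and follow CNAMEs."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    name: str
    ttl: int
    rclass: str
    rtype: str
    data: str


# One record per line; DATA is everything after TYPE (MX/SOA carry several tokens).
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<class>IN|CH|HS)\s+(?P<type>[A-Z0-9]+)\s+(?P<data>.+)$"
)

# Constructed sample zone in dig-style output (not captured from a real server).
SAMPLE_ZONE = """\
; constructed sample zone
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
example.com.        3600 IN A     192.0.2.1
example.com.        3600 IN AAAA  2001:db8::1
www.example.com.    3600 IN CNAME example.com.
mail.example.com.   3600 IN A     192.0.2.25
example.com.        3600 IN MX    10 mail.example.com.
example.com.        3600 IN NS    ns1.example.com.
ns1.example.com.    3600 IN A     192.0.2.53
"""


def parse_records(text: str) -> List[Record]:
    """Turn dig/zone-file style lines into Record tuples, skipping comments and blanks."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in zone files
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {raw!r}")
        records.append(Record(m["name"].lower(), int(m["ttl"]), m["class"], m["type"], m["data"].strip()))
    return records


def by_type(records: List[Record]) -> Dict[str, List[Record]]:
    """Group records by type (A, AAAA, CNAME, MX, NS, SOA, ...)."""
    idx = defaultdict(list)
    for r in records:
        idx[r.rtype].append(r)
    return dict(idx)


def resolve_addresses(records: List[Record], name: str, max_hops: int = 8) -> List[str]:
    """Return A/AAAA data for `name`, following CNAME chains like a resolver would."""
    name = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        addrs = [r.data for r in records if r.name == name and r.rtype in ("A", "AAAA")]
        if addrs:
            return addrs
        cnames = [r.data for r in records if r.name == name and r.rtype == "CNAME"]
        if not cnames:
            return []
        name = cnames[0].lower()
    raise ValueError("CNAME loop or chain too long")


def hostnames(records: List[Record]) -> List[str]:
    """Every owner name plus every host referenced by NS/MX/CNAME data: the
    candidate list for further footprinting."""
    names = set()
    for r in records:
        names.add(r.name)
        if r.rtype in ("NS", "CNAME"):
            names.add(r.data.lower())
        elif r.rtype == "MX":
            names.add(r.data.split()[1].lower())
    return sorted(names)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_ZONE)
    print(resolve_addresses(recs, "www.example.com"))
    print(hostnames(recs))
```

The hostname list is what the subdomain brute-forcing loop further down extends: names that appear only as MX or NS targets are easy to miss when reading raw dig output by eye.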
Footprinting the service
- DIG - NS Query: ask the DNS server which name servers it knows for the zone (these are the hosts to try zone transfers against)
dig ns inlanefreight.htb @10.129.14.128
- DIG - ANY Query
We can use the option ANY to view all available records. This will cause the server to show us all available entries that it is willing to disclose. It is important to note that not all entries from the zones will be shown: many modern servers answer ANY with a minimal response (RFC 8482) or a single HINFO record, so an empty ANY answer does not mean the zone is empty.
dig any inlanefreight.htb @10.129.14.128
- DIG - AXFR Zone Transfer
Zone transfer refers to the transfer of a whole zone to another (secondary) server, which happens over TCP port 53. The procedure is abbreviated AXFR (Asynchronous Full Transfer Zone). If the primary does not restrict which hosts may request a transfer, we receive every record in the zone, including internal hostnames that were never meant to be public.
dig axfr inlanefreight.htb @10.129.14.128
- DIG - AXFR Zone Transfer - Internal
dig axfr internal.inlanefreight.htb @10.129.14.128
- Subdomain Brute Forcing
for sub in $(cat /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
or using a tool like DNSEnum
dnsenum --dnsserver 10.129.11.220 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
(You might also use /usr/share/wordlists/seclists/Discovery/DNS/fierce-hostlist.txt)
SMTP
SMTP runs on TCP port 25 (message submission typically on 587 with STARTTLS, implicit TLS on 465)
SMTP commands
- connecting to the smtp server
telnet 10.129.14.128 25
❗: Sometimes we may have to work through a web proxy. We can also make this web proxy connect to the SMTP server. The command that we would send would then look something like this: CONNECT 10.129.14.128:25 HTTP/1.0
Footprinting
- Nmap - Open Relay
sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
- Enumerating users: the VRFY, EXPN and RCPT TO commands reveal whether a mailbox exists by answering 250 for known and 550 for unknown users (some servers answer 252 to VRFY, in which case fall back to RCPT TO). There is a metasploit module for this:
search scanner/smtp/smtp_enum
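The VRFY exchange the metasploit module automates, shown end to end as an added example (not code from the original notes or from metasploit). Because it has to run offline, it talks to a tiny SMTP stub started on loopback; the stub's user list, its banner and the candidate usernames are all constructed for the demo, and the client logic is what you would point at a real port 25.

```python
"""SMTP user enumeration via VRFY, demonstrated against a local stub server."""
import socket
import threading

# Constructed: accounts the stub "knows". A real MTA answers from its own user DB.
STUB_USERS = {"root", "postmaster", "alice"}


def stub_smtp_server(sock: socket.socket) -> None:
    """Minimal SMTP responder: greets, answers VRFY with 250/550, QUIT with 221."""
    conn, _ = sock.accept()
    with conn:
        conn.sendall(b"220 mail.example.test ESMTP stub\r\n")
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                cmd, _, arg = line.decode(errors="replace").partition(" ")
                cmd, arg = cmd.upper(), arg.strip()
                if cmd == "HELO":
                    conn.sendall(b"250 mail.example.test\r\n")
                elif cmd == "VRFY":
                    if arg in STUB_USERS:
                        conn.sendall(f"250 2.1.5 {arg} <{arg}@example.test>\r\n".encode())
                    else:
                        conn.sendall(b"550 5.1.1 User unknown\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def read_reply(f) -> str:
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    while True:
        line = f.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("server closed connection")
        if len(line) < 4 or line[3] != "-":  # "250-..." means more lines follow
            return line[:3]


def vrfy_enum(host: str, port: int, candidates) -> dict:
    """Return {name: True/False/None} by sending VRFY for each candidate.

    25x = mailbox confirmed, 55x = unknown. 252 ("cannot VRFY but will accept")
    or anything else is recorded as None: the signal to fall back to RCPT TO.
    """
    results = {}
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        read_reply(f)  # 220 banner
        s.sendall(b"HELO scanner.local\r\n")
        read_reply(f)
        for name in candidates:
            s.sendall(f"VRFY {name}\r\n".encode())
            code = read_reply(f)
            if code.startswith("25") and code != "252":
                results[name] = True
            elif code.startswith("55"):
                results[name] = False
            else:
                results[name] = None
        s.sendall(b"QUIT\r\n")
    return results


def run_demo() -> dict:
    """Start the stub on an ephemeral loopback port and enumerate against it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=stub_smtp_server, args=(srv,), daemon=True)
    t.start()
    try:
        # Constructed candidate list; a real run would use a seclists usernames file.
        return vrfy_enum("127.0.0.1", port, ["root", "bob", "alice", "www-data"])
    finally:
        t.join(timeout=5)
        srv.close()


if __name__ == "__main__":
    for user, found in run_demo().items():
        print(f"{user:10s} {'exists' if found else 'unknown'}")
```

Against a real target, swap the host and port in vrfy_enum and keep an eye on the None results: a server that answers 252 to everything has VRFY effectively disabled, and RCPT TO after a MAIL FROM is the next thing to try.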
IMAP / POP3
IMAP (TCP 143, IMAPS on TCP 993) POP3 (TCP 110, POP3S on TCP 995)
IMAP Commands
(Chatgpt is really helpful for writing imap commands)
Footprinting the service
- Nmap
sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC
- curl
curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd
- OpenSSL - TLS Encrypted Interaction POP3
openssl s_client -connect 10.129.14.128:pop3s
- OpenSSL - TLS Encrypted Interaction IMAP
openssl s_client -connect 10.129.14.128:imaps
SNMP
SNMP (UDP 161 for queries; agents send traps to UDP 162 on the manager)
SNMP Versions
| Version | Description |
|---|---|
| SNMPv1 | - no authentication beyond the community string, which travels in clear text - does not support encryption |
| SNMPv2c | - does not use passwords, it uses community strings as the only authentication method, again in clear text - does not support encryption |
| SNMPv3 | - authentication using username and password (HMAC) - supports encryption of the payload - more complex to configure than the previous versions, which is why v1/v2c are still common |
Footprinting
Tools:
- snmpwalk -> query the OIDs with their information (once we know the SNMP version and a valid community string)
snmpwalk -v2c -c public 10.129.14.128
- onesixtyone -> brute-force the community strings from a wordlist
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.129.14.128
Any community string onesixtyone reports (public and private are the usual defaults; a custom one such as backup is a strong sign of a misconfiguration) is then used with snmpwalk.
- braa: once we know a community string, we can use it with braa to brute-force the individual OIDs and enumerate the information behind them much faster than snmpwalk.
mysql
Footprinting
- scanning
sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*
- interacting with the database
The most important databases for the MySQL server are the system schema (sys) and information schema (information_schema).
The system schema contains tables, information, and metadata necessary for management.
use sys;
show tables;
select host, unique_users from host_summary;
MSSQL
mssql (TCP 1433)
Footprinting
- Nmap
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
- MSSQL Ping in Metasploit
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS 10.129.201.248
run
- Connecting with Mssqlclient.py
python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth
- Connecting with sqsh
sqsh -S 10.129.20.13 -U username -P Password123
- Connecting from windows host
C:\> sqlcmd -S 10.129.20.13 -U username -P Password123
MSSQL uses T-SQL, so the syntax differs from MySQL. Here is how to list all available databases; anything beyond the defaults master, tempdb, model and msdb is a user database worth looking at.
select name from sys.databases
Oracle TNS
The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks
By default, the listener listens for incoming connections on the TCP/1521 port
Footprinting
- Nmap
sudo nmap -p1521 -sV 10.129.204.235 --open
A System Identifier (SID) is a unique name that identifies a particular database instance
- Nmap - SID Bruteforcing
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
- ODAT
odat all -s 10.129.204.235
- SQLplus - Log In
sqlplus scott/tiger@10.129.204.235/XE
- Oracle RDBMS - Interaction
select table_name from all_tables;
select * from user_role_privs;
- Oracle RDBMS - Database Enumeration This is possible if the user has sysdba privilege
sqlplus scott/tiger@10.129.204.235/XE as sysdba
select * from user_role_privs;
- Oracle RDBMS - Extract Password Hashes
select name, password from sys.user$;
- Oracle RDBMS - File Upload (WEB) On Windows:
echo "Oracle File Upload Test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
On Linux:
echo "Oracle File Upload Test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile /var/www/html testing.txt ./testing.txt
Finally, we can test whether the upload worked by requesting http://<IP>/testing.txt with curl or a browser.
curl -X GET http://10.129.204.235/testing.txt
if this worked then we can upload a web shell to the target
IPMI
Intelligent Platform Management Interface IPMI (UDP 623) IPMI provides sysadmins with the ability to manage and monitor systems even if they are powered off or in an unresponsive state. It operates using a direct network connection to the system’s hardware and does not require access to the operating system via a login shell
Baseboard Management Controller (BMC)
- A micro-controller and essential component of an IPMI implementation.
- The most common BMCs we often see during internal penetration tests are HP iLO, Dell DRAC, and Supermicro IPMI.
- If we can access a BMC during an assessment, we would gain full access to the host motherboard and be able to monitor, reboot, power off, or even reinstall the host operating system.
- Gaining access to a BMC is nearly equivalent to physical access to a system.
- Many BMCs expose a web-based management console.
Footprinting
- Nmap
sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
- Metasploit Version Scan
use auxiliary/scanner/ipmi/ipmi_version
set rhosts 10.129.42.195
run
- Default passwords
When dealing with BMCs, vendor default credentials (for example HP iLO uses the user Administrator with a random 8-character password printed on the server tag, Dell iDRAC ships with root:calvin and Supermicro with ADMIN:ADMIN) may gain us access to the web console or even command line access via SSH or Telnet.
- Dangerous settings If default credentials do not work to access a BMC, we can turn to a flaw in the RAKP protocol in IPMI 2.0. During the authentication handshake the BMC sends RAKP message 2, which contains an HMAC (SHA1 or MD5) keyed with the user's password over values the client already knows, before the client has proven anything itself. This can be leveraged to obtain a crackable password hash for ANY valid user account on the BMC. It is a protocol design flaw rather than an implementation bug, so the only real mitigations are strong passwords and keeping IPMI off untrusted networks.
These password hashes can then be cracked offline using a dictionary attack using Hashcat mode 7300. In the event of an HP iLO using a factory default password, we can use this Hashcat mask attack command hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u which tries all combinations of upper case letters and numbers for an eight-character password.
- Metasploit Dumping Hashes
use auxiliary/scanner/ipmi/ipmi_dumphashes
set OUTPUT_JOHN_FILE hashes.john
set rhosts 10.129.42.195
run
- cracking hashes: once we have the hashes written by metasploit we can crack them with john (--fork runs several processes in parallel; --session lets us resume later with --restore=ipmi)
john \
--fork=15 \
--wordlist=/usr/share/wordlists/rockyou.txt \
--format=rakp \
--session=ipmi \
hashes.john
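The reason the dumped hashes crack offline, reconstructed in code as an added example for these notes (not code from metasploit, hashcat or john). RAKP message 2 carries HMAC(K_uid, SID_m || SID_c || R_m || R_c || GUID_c || Role_m || len(user) || user), where K_uid is the user's password and every other field is either chosen by the client or sent in clear by the BMC. The client therefore holds a password-keyed HMAC over data it knows completely, which is exactly the salt:hash pair that hashcat mode 7300 takes. All session values, the BMC password and the wordlist below are constructed for the demo.

```python
"""IPMI 2.0 RAKP message 2: why the BMC hands out an offline-crackable hash."""
import hashlib
import hmac
import struct
from typing import Optional

# Constructed values standing in for one captured RAKP exchange.
SID_M = struct.pack("<I", 0xA4A3A2A0)   # remote-console session id (chosen by the attacker)
SID_C = struct.pack("<I", 0x02000000)   # managed-system session id (sent by the BMC)
R_M = bytes(range(16))                   # 16-byte console random (chosen by the attacker)
R_C = bytes.fromhex("8f2d9c1e4b7a603d5e1c2b9a0f8e7d6c")    # BMC random, sent in clear
GUID_C = bytes.fromhex("00112233445566778899aabbccddeeff")  # BMC GUID, sent in clear
ROLE_M = b"\x04"                         # requested privilege level: ADMINISTRATOR
USERNAME = b"ADMIN"


def rakp2_salt(sid_m, sid_c, r_m, r_c, guid_c, role_m, username) -> bytes:
    """The exact byte string the BMC authenticates (hashcat calls this the salt)."""
    return sid_m + sid_c + r_m + r_c + guid_c + role_m + bytes([len(username)]) + username


def rakp2_auth_code(password: bytes, salt: bytes, algo: str = "sha1") -> bytes:
    """What the BMC computes with the stored password (HMAC-SHA1 for cipher suite 3)."""
    return hmac.new(password, salt, getattr(hashlib, algo)).digest()


def bmc_side(password: bytes) -> tuple:
    """Simulate the BMC: it returns the auth code to the client *before* the client
    has proven knowledge of the password (that only happens in RAKP message 3)."""
    salt = rakp2_salt(SID_M, SID_C, R_M, R_C, GUID_C, ROLE_M, USERNAME)
    return salt, rakp2_auth_code(password, salt)


def to_hashcat_7300(salt: bytes, auth_code: bytes) -> str:
    """hashcat -m 7300 input line: hex(salt):hex(hmac)."""
    return f"{salt.hex()}:{auth_code.hex()}"


def crack_rakp(salt: bytes, auth_code: bytes, wordlist) -> Optional[str]:
    """Offline dictionary attack: one HMAC per candidate, no further BMC contact."""
    for word in wordlist:
        if hmac.compare_digest(rakp2_auth_code(word.encode(), salt), auth_code):
            return word
    return None


if __name__ == "__main__":
    # The BMC's real password is unknown to the attacker; constructed for the demo.
    salt, code = bmc_side(b"Sup3rm1cro!")
    print("hashcat line:", to_hashcat_7300(salt, code))
    # Constructed wordlist; a real run feeds rockyou.txt to hashcat or john instead.
    print("cracked:", crack_rakp(salt, code, ["password", "admin", "calvin", "Sup3rm1cro!"]))
```

Since every HMAC input except the password is under the attacker's control or sent in clear, nothing in the protocol limits the guessing rate; the eight-character upper-case-plus-digit mask from the iLO note above is only about 2.8 trillion candidates, which is hours on a GPU.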
SSH
ssh (TCP 22)
Footprinting
ssh-audit.py 10.129.14.132
If password authentication is enabled (ssh -v prints the accepted methods in the "Authentications that can continue" line), a known username can be brute-forced for possible passwords; a key-only server is not exposed to this.
Rsync
Rsync is a fast and efficient tool for locally and remotely copying files. (By default, it uses port TCP 873)
Rsync can be abused, most notably by listing the contents of a shared folder on a target server and retrieving files. This can sometimes be done without authentication. Other times we will need credentials. If you find credentials during a pentest and run into Rsync on an internal (or external) host, it is always worth checking for password re-use as you may be able to pull down some sensitive files that could be used to gain remote access to the target.
Probing for Accessible Shares
nc -nv 127.0.0.1 873
then, at the protocol prompt, send
#list
to list the shares (modules)
Enumerating an Open Share
rsync -av --list-only rsync://127.0.0.1/dev
If Rsync is configured to use SSH to transfer files, we could modify our commands to include the -e ssh flag, or -e "ssh -p2222" if a non-standard port is in use for SSH
R-Services
- R-Services are a suite of services hosted to enable remote access or issue commands between Unix hosts over TCP/IP.
- r-services were the de facto standard for remote access between Unix operating systems until they were replaced by the Secure Shell (SSH) protocols and commands due to inherent security flaws built into them.
- Much like telnet, r-services transmit information from client to server (and vice versa) over the network in an unencrypted format, making it possible for attackers to intercept network traffic (passwords, login information, etc.) by performing man-in-the-middle (MITM) attacks.
- R-services span across the ports 512 (rexec), 513 (rlogin) and 514 (rsh) and are only accessible through a suite of programs known as r-commands (rcp, rsh, rexec, rlogin, rwho, rusers). Trust is based on the client's hostname and username as listed in /etc/hosts.equiv or a user's ~/.rhosts, which is why rlogin with a matching username may drop us into a shell without any password.
- Scanning for R-Services
sudo nmap -sV -p 512,513,514 10.0.17.2
- Logging in Using Rlogin
rlogin 10.0.17.2 -l htb-student
- Listing Authenticated Users Using Rwho
rwho
- Listing Authenticated Users Using Rusers This will give us more information
rusers -al 10.0.17.5
RDP
The Remote Desktop Protocol (RDP) is a protocol developed by Microsoft, typically using TCP port 3389 as the transport. Newer versions additionally use UDP port 3389 for a faster UDP transport once the TCP session is up, so scan both.
Footprinting
- Nmap
nmap -sV -sC 10.129.201.248 -p3389 --script rdp*
- Initiate an RDP Session
xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248
WinRM
The Windows Remote Management (WinRM) is a simple Windows integrated remote management protocol based on the command line.
WinRM uses the Simple Object Access Protocol (SOAP) to establish connections to remote hosts and their applications.
WinRM relies on TCP ports 5985 and 5986 for communication, with the last port 5986 using HTTPS
Footprinting
- Nmap
nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
- Interacting with WinRM
evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
WMI
- Windows Management Instrumentation (WMI) allows read and write access to almost all settings on Windows systems. Understandably, this makes it the most critical interface in the Windows environment.
- WMI is typically accessed via PowerShell, VBScript, or the Windows Management Instrumentation Console (WMIC). WMI is not a single program but consists of several programs and various databases, also known as repositories.
Footprinting the Service
The initialization of the WMI communication always takes place on TCP port 135 (the RPC endpoint mapper), and after the successful establishment of the connection the communication is moved to a random high port chosen by DCOM, so a firewall that only opens 135 will not let remote WMI work. The program wmiexec.py from the Impacket toolkit can be used for this:
wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"
Introduction to Nmap
There are many scanning types that can be done with nmap
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
The TCP SYN scan (-sS) is the default when nmap runs as root (otherwise it falls back to the connect scan, -sT). Our machine sends a TCP SYN segment to each port and interprets the response:
| Response | Explanation |
|---|---|
| SYN-ACK | If our target sends an SYN-ACK flagged packet back to the scanned port, Nmap detects that the port is open |
| RST | If the packet receives an RST flag, it is an indicator that the port is closed |
| nothing | If Nmap receives no reply (or an ICMP unreachable error), it will display the port as filtered |
Host Discovery
Scan network range
Discovering online systems (ping sweep)
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
Scan a list of IPs
In case we have a list of IP addresses in a file we can scan those by giving the file to nmap
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
Host and Port Scanning
scanning the top 100 ports
sudo nmap 10.129.2.28 --top-ports=100
or
sudo nmap -F 10.129.2.28
scanning all ports
sudo nmap 10.129.2.28 -p-
scanning a port range
sudo nmap 10.129.2.28 -p22-445
UDP scan
sudo nmap -F -sU 10.129.2.28
Service enumeration
Banner grabbing
nc -nv 10.129.2.28 25
Firewall and IDS/IPS Evasion
When a port is shown as filtered, it can have several reasons. In most cases, firewalls have certain rules set to handle specific connections.
Determine Firewalls and Their Rules: ACK scan
Firewalls and IDS/IPS systems typically block incoming SYN packets, making the usual SYN (-sS) and connect (-sT) scans ineffective. An ACK scan (-sA) sends packets with only the ACK flag set; a stateless firewall cannot tell whether they belong to a connection started from inside or outside, so it lets them through. A port that answers with RST is reported as unfiltered (reachable, whether open or closed), while no answer means the firewall dropped the packet (filtered). The ACK scan therefore maps firewall rules, not open ports.
(You should also enable the --packet-trace option and read the flags column of each SENT/RCVD line; the abbreviations are:)
| Flag | Meaning |
|---|---|
| R | RESET |
| SA | SYN-ACK |
| S | SYN |
| A | ACK |
Scan by using different source ip
sudo nmap 10.129.2.28 -n -Pn -p445 -S 10.129.2.200 -e tun0
(-S spoofs the source address and -e selects the interface; replies go to the spoofed address, so this only tells us something if we can see that traffic, e.g. the address is ours on the same segment or we are sniffing it)
DNS Proxying
SYN-Scan from DNS port
If a port comes up as filtered, you can try to scan it using 53 (DNS) as a source port number
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
If it’s now shown as open then you can connect (once again using 53 as a source port number)
nc -nv --source-port 53 10.129.2.28 50000