Footprinting

Infrastructure Based Enumeration

  • domain information
    • dns records dig any inlanefreight.com (many servers now answer ANY with a minimal reply, so also query A, MX, NS and TXT individually)
  • cloud resources
    • resolve a subdomain list and keep only in-scope hosts for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done
  • staff
    • linkedin and github

Host Based Enumeration

  • ftp
    • mirror everything an anonymous ftp login can read wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136
    • update the nse script db sudo nmap --script-updatedb , then list the ftp scripts find / -type f -name ftp* 2>/dev/null | grep scripts
    • connect normally ftp <ip> <port>
  • smb
    • list shares over a null session smbclient -N -L //10.129.14.128
    • rpcclient null session to get info rpcclient -U "" 10.129.14.128
    • rpcclient commands querydominfo, enumdomusers, netshareenumall
    • bruteforce user rids (rid cycling; queryuser wants the rid in hex) for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
    • impacket samrdump.py 10.129.14.128
    • smbmap smbmap -H 10.129.14.128
    • crackmapexec crackmapexec smb 10.129.14.128 --shares -u '' -p ''
    • enum4linux ./enum4linux-ng.py 10.129.14.128 -A
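The rid-cycling loop above works but prints the whole queryuser blob per hit. The helpers below are an added example (not the module's code) that do the decimal-to-hex conversion and reduce each hit to one line. The host 10.129.14.128 is the page's lab address; the rpcclient output in sample_queryuser is constructed so the parser can be checked offline, and rpcclient from Samba is assumed to be installed for rid_cycle.

```sh
#!/usr/bin/env sh
# Added example for RID cycling with rpcclient (not from the original page).

# rpcclient's queryuser takes the RID in hex: 500 -> 0x1f4, 1100 -> 0x44c
rid_to_hex() {
    printf '0x%x' "$1"
}

# Reduce verbose queryuser output to one "name:rid:group_rid" line.
# Unknown RIDs make rpcclient print NT_STATUS_NO_SUCH_USER and no
# "User Name" line, so END prints nothing and the hit is dropped.
parse_queryuser() {
    awk -F: '
        /User Name/ { gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); name=$2 }
        /user_rid/  { gsub(/[[:space:]]/, "", $2); rid=$2 }
        /group_rid/ { gsub(/[[:space:]]/, "", $2); grid=$2 }
        END { if (name != "") printf "%s:%s:%s\n", name, rid, grid }
    '
}

# Cycle RIDs lo..hi over a null session. Usage: rid_cycle 10.129.14.128 500 1100
rid_cycle() {
    host=$1; lo=$2; hi=$3
    i=$lo
    while [ "$i" -le "$hi" ]; do
        rpcclient -N -U "" "$host" -c "queryuser $(rid_to_hex "$i")" 2>/dev/null | parse_queryuser
        i=$((i + 1))
    done
}

# Constructed sample of what rpcclient prints for an existing RID
# (same layout as the real tool; values are made up).
sample_queryuser() {
cat <<'EOF'
        User Name   :   mrb3n
        Full Name   :
        Home Drive  :   \\devsmb\mrb3n
        Dir Drive   :
        Profile Path:   \\devsmb\mrb3n\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Do, 01 Jan 1970 01:00:00 CET
        user_rid :      0x3e8
        group_rid:      0x201
        acb_info :      0x00000010
EOF
}

# demo on the constructed sample: prints "mrb3n:0x3e8:0x201"
sample_queryuser | parse_queryuser
```

Well-known RIDs start at 500 (Administrator) and 501 (Guest); domain users and groups are allocated from 1000 upward, so extend the upper bound on a domain controller.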
  • nfs
    • /etc/exports lists every exported directory, the hosts allowed to mount it and the per-export options
    • add an export echo '/mnt/nfs 10.129.14.0/24(sync,no_subtree_check)' >> /etc/exports, then systemctl restart nfs-kernel-server and confirm with exportfs
    • ports are 111 (rpcbind/portmapper) and 2049 (nfs), tcp and udp
    • nmap --script nfs*
    • show available shares showmount -e 10.129.14.128
    • mounting a share sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
    • root_squash (default) maps a remote root to nobody; an export with no_root_squash keeps uid 0, so root on the client can write a setuid-root binary into the share and run it on the server for privilege escalation
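Reading /etc/exports by eye misses the two things that matter: no_root_squash and a wildcard host. The function below is an added example (not from the module) that flags both, and also catches the classic typo where a space before the parenthesis ("host (rw)") exports the options to the world. The exports file in sample_exports is constructed.

```sh
#!/usr/bin/env sh
# Added example: audit an /etc/exports file (not from the original page).

# Print one line per exported path/host pair: "path host options flags"
# flags: NO_ROOT_SQUASH (remote root keeps uid 0), WORLD (any host), or ok.
# A weak line and its fix:
#   /mnt/backup *(rw,sync,no_root_squash)          <- anyone, as root
#   /mnt/backup 10.129.14.0/24(rw,sync,root_squash) <- one subnet, squashed
audit_exports() {
    # strip comments and blank lines, then inspect each "host(opts)" token
    sed 's/#.*//; /^[[:space:]]*$/d' | awk '
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            n = split($i, parts, /[()]/)      # host(opts) -> parts[1], parts[2]
            host = parts[1]
            opts = (n > 1) ? parts[2] : ""
            if (host == "") host = "*"        # "(rw)" alone applies to every host
            flags = ""
            if (opts ~ /(^|,)no_root_squash(,|$)/) flags = flags "NO_ROOT_SQUASH,"
            if (host == "*")                       flags = flags "WORLD,"
            sub(/,$/, "", flags)
            if (flags == "") flags = "ok"
            printf "%s %s %s %s\n", path, host, (opts == "" ? "-" : opts), flags
        }
    }'
}

# Constructed sample: one sane export, one world-readable no_root_squash
# export, and the "host (opts)" mistake that silently exports to everyone.
sample_exports() {
cat <<'EOF'
# /etc/exports: the access control list for directories that may be exported
/srv/nfs      10.129.14.0/24(rw,sync,no_subtree_check)
/mnt/backup   *(rw,sync,no_root_squash)
/home/dev     10.129.14.5 (rw,no_subtree_check)
EOF
}

# demo: audit_exports < /etc/exports on a real host; here the sample
sample_exports | audit_exports
```

From the attacker side the same information comes from showmount -e, which only shows path and host list; the options (and so no_root_squash) are only visible once the share is mounted and tested by creating a file as root.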
  • dns
    • SOA records dig soa www.inlanefreight.com
    • local dns config cat /etc/bind/named.conf.local
    • a bind9 server might be affected by known issues such as the cache poisoning exploit at https://www.exploit-db.com/exploits/6122 (check the version first)
    • check NS query dig ns inlanefreight.htb @10.129.14.128
    • version query dig CH TXT version.bind @10.129.120.85
    • any query dig any inlanefreight.htb @10.129.63.9
    • zone transfer, only works if allow-transfer includes our address, dig axfr inlanefreight.htb @10.129.14.128
    • subdomain bruteforce for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done, dnsenum dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
    • check the records of any subdomains found too (they may be separate zones with their own NS), e.g.
    • bruteforce dnsenum --dnsserver 10.129.63.9 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt dev.inlanefreight.htb
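The dig loop above relies on grep -v ';\|SOA' to drop the comment lines and the SOA that dig returns in the AUTHORITY section for NXDOMAIN. The script below is an added example (not the module's code) that does the same job with an explicit parser and adds the wildcard check a practitioner wants before a 110k-word brute force. The zone, nameserver and the dig transcripts in sample_dig and sample_dig_nxdomain are constructed; dig from bind-utils is assumed for the live functions.

```sh
#!/usr/bin/env sh
# Added example: dig-based subdomain brute force (not from the original page).

# Keep only A/AAAA/CNAME records from dig output as "name TYPE value".
# Comment lines start with ';'. For NXDOMAIN dig prints the zone's SOA in
# the AUTHORITY section; it names the zone, not the probed label, and is
# excluded here by accepting only the record types a subdomain hit can have.
parse_dig_answer() {
    awk '
        /^;/ || /^[[:space:]]*$/ { next }
        $3 == "IN" && ($4 == "A" || $4 == "AAAA" || $4 == "CNAME") {
            sub(/\.$/, "", $1); sub(/\.$/, "", $5)
            printf "%s %s %s\n", $1, $4, $5
        }
    '
}

# A wildcard record makes every label resolve; probe a label that cannot
# exist and refuse to brute force if it answers (needs network access).
wildcard_check() {
    zone=$1; ns=$2
    probe="nonexistent-$$-$(date +%s).$zone"
    if dig +noall +answer "$probe" @"$ns" | parse_dig_answer | grep -q .; then
        echo "wildcard: $probe resolved, brute force results would be noise" >&2
        return 1
    fi
}

# Usage: brute_subdomains inlanefreight.htb 10.129.14.128 /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt
brute_subdomains() {
    zone=$1; ns=$2; wordlist=$3
    wildcard_check "$zone" "$ns" || return 1
    while IFS= read -r sub; do
        [ -n "$sub" ] || continue
        dig +noall +answer "$sub.$zone" @"$ns" | parse_dig_answer
    done < "$wordlist" | tee -a subdomains.txt
}

# Constructed dig output for a hit (A record plus a CNAME) with the usual
# QUESTION and AUTHORITY sections that must not leak into the results.
sample_dig() {
cat <<'EOF'
; <<>> DiG 9.18.1 <<>> ns.inlanefreight.htb @10.129.14.128
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234

;; QUESTION SECTION:
;ns.inlanefreight.htb.   IN  A

;; ANSWER SECTION:
ns.inlanefreight.htb.   604800  IN  A      10.129.34.136
www.inlanefreight.htb.  604800  IN  CNAME  app.inlanefreight.htb.

;; AUTHORITY SECTION:
inlanefreight.htb.      604800  IN  NS     ns.inlanefreight.htb.
EOF
}

# Constructed NXDOMAIN output: only the zone SOA, which must yield nothing.
sample_dig_nxdomain() {
cat <<'EOF'
;; QUESTION SECTION:
;nope.inlanefreight.htb.   IN  A

;; AUTHORITY SECTION:
inlanefreight.htb.  604800  IN  SOA  inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
EOF
}

# demo on the constructed transcripts
sample_dig | parse_dig_answer
```

Running the dig loop one query at a time is slow; dnsenum (above) parallelises the same idea, but the wildcard check is still worth doing by hand because a wildcard turns the whole output into false positives.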
  • smtp
    • ports 25 (smtp), 587 (submission) and 465 (smtps)
    • sending email process: client (MUA) -> submission agent (MSA) -> one or more transfer agents (MTA) -> delivery agent (MDA) -> mailbox; an MTA that relays for anyone is an open relay, which is the misconfiguration to test for
    • smtp config cat /etc/postfix/main.cf | grep -v "#" | sed -r "/^\s*$/d"
    • using telnet to interact with mailserver telnet 10.129.14.128 25
    • using nmap sudo nmap 10.129.14.128 -sC -sV -p25
    • open relay script sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
    • username bruteforce https://github.com/Pusher91/SMTP-VRFY-Bruteforce
    • msf module auxiliary/scanner/smtp/smtp_enum (VRFY/EXPN/RCPT TO based user enumeration)
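VRFY enumeration only tells you something when the server answers differently for existing and non-existing users; a default Postfix replies 252 to every VRFY, so a brute force that "finds" every name in the wordlist has found nothing. The script below is an added example (not the module's code) that classifies each reply and refuses to report results when all replies are the same. The host is the page's lab address, nc(1) is assumed to be installed, and the replies in the test data are constructed.

```sh
#!/usr/bin/env sh
# Added example: SMTP VRFY user enumeration with a signal check
# (not from the original page).

# Map one SMTP reply line to a verdict.
#   250/251 = user known, 550/551/553 = unknown,
#   252     = "cannot verify but will accept" (no information),
#   others  = error (e.g. 502 when VRFY is disabled, or no reply at all)
vrfy_verdict() {
    case "$1" in
        250*|251*)      echo valid ;;
        252*)           echo unknown ;;
        550*|551*|553*) echo invalid ;;
        *)              echo error ;;
    esac
}

# Send one VRFY and return the server's reply line. The session is
# 220 banner, EHLO (multi-line "250-" then final "250 "), VRFY, QUIT, so
# the VRFY reply is the third line that starts with a three-digit code and
# a space. Needs network access.
smtp_vrfy() {
    host=$1; user=$2
    printf 'EHLO probe.local\r\nVRFY %s\r\nQUIT\r\n' "$user" \
        | nc -w 5 "$host" 25 2>/dev/null \
        | awk '/^[0-9][0-9][0-9] / { n++; if (n == 3) { sub(/\r$/, ""); print } }'
}

# Read "user verdict" lines and print the valid users, unless every
# verdict is identical, in which case the server gave no signal.
summarize_verdicts() {
    awk '
        NR == 1 { first = $2 }
        { if ($2 != first) differ = 1; if ($2 == "valid") valid[n++] = $1 }
        END {
            if (NR == 0)  { print "NO SIGNAL: no replies"; exit }
            if (!differ)  { print "NO SIGNAL: every reply was " first; exit }
            for (i = 0; i < n; i++) print valid[i]
        }'
}

# Usage: vrfy_enum 10.129.14.128 /usr/share/wordlists/metasploit/unix_users.txt
vrfy_enum() {
    host=$1; wordlist=$2
    while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s %s\n' "$u" "$(vrfy_verdict "$(smtp_vrfy "$host" "$u")")"
    done < "$wordlist" | summarize_verdicts
}

# demo on constructed verdicts: a server that distinguishes users
printf 'root valid\nbob invalid\nwww-data valid\n' | summarize_verdicts
# and one that answers 252 to everything (prints a NO SIGNAL line)
printf 'root unknown\nbob unknown\n' | summarize_verdicts
```

When VRFY gives no signal, RCPT TO after MAIL FROM often still does (550 "User unknown" versus 250), which is what smtp_enum falls back to.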
  • imap / pop3
    • ports pop3 is 110, 995 and imap is 143, 993
    • nmap scan is sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC
    • login curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd
    • pop3 login openssl s_client -connect 10.129.14.128:pop3s
    • imap login openssl s_client -connect 10.129.14.128:imaps
    • getting imap contents (every command carries a tag that the server echoes back on its final OK/NO line): a1 LOGIN username password, a2 SELECT INBOX, a3 SEARCH ALL, a4 FETCH 1 (BODY[TEXT]), a5 FETCH 1 (BODY[HEADER.FIELDS (FROM TO SUBJECT DATE)] BODY[TEXT]), a6 FETCH 1 BODY[]
    • the IMAP command flow is fiddly, worked thread: https://forum.hackthebox.com/t/footprinting-imap-pop3/250254/94?page=2
    • another resource https://www.atmail.com/blog/imap-commands/
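Typing IMAP by hand into openssl s_client is where most of the pain comes from: tags get mixed up and the FETCH output is hard to read. The script below is an added example (not the module's code) that generates a correctly tagged command sequence to pipe into s_client and pulls the status line and headers back out of the transcript. The server address and credentials are assumed; the transcript in sample_imap_response is constructed in Dovecot's format.

```sh
#!/usr/bin/env sh
# Added example: scripted IMAP session (not from the original page).

# Emit a tagged IMAP command script. Tags must be unique per command; the
# server answers "a3 OK ..." when command a3 is done, which is how you
# match replies to commands in a non-interactive session.
imap_script() {
    user=$1; pass=$2
    printf 'a1 LOGIN %s %s\r\n' "$user" "$pass"
    printf 'a2 LIST "" *\r\n'
    printf 'a3 SELECT INBOX\r\n'
    printf 'a4 SEARCH ALL\r\n'
    printf 'a5 FETCH 1 (BODY[HEADER.FIELDS (FROM TO SUBJECT DATE)])\r\n'
    printf 'a6 FETCH 1 BODY[]\r\n'
    printf 'a7 LOGOUT\r\n'
}

# Status line for one tag from a saved transcript: imap_status a1 < session.txt
imap_status() {
    grep "^$1 " | tr -d '\r'
}

# Mailbox names from the LIST reply (last field of each "* LIST" line).
imap_mailboxes() {
    awk '/^\* LIST/ { sub(/\r$/, ""); print $NF }'
}

# "Header: value" lines from a FETCH ... HEADER.FIELDS reply. The literal
# starts on the "* 1 FETCH (" line and ends at the closing ")".
imap_headers() {
    awk '
        /^\* [0-9]+ FETCH/     { inhdr = 1; next }
        inhdr && /^\)/         { inhdr = 0 }
        inhdr && /^[A-Za-z-]+:/ { sub(/\r$/, ""); print }
    '
}

# Constructed server transcript (Dovecot-style replies, made-up content).
sample_imap_response() {
cat <<'EOF'
* OK [CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN] Dovecot ready.
a1 OK [CAPABILITY IMAP4rev1 LITERAL+] Logged in
* LIST (\HasNoChildren) "." Important
* LIST (\HasNoChildren) "." INBOX
a2 OK List completed (0.001 + 0.000 secs).
* 1 EXISTS
a3 OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
* SEARCH 1
a4 OK Search completed (0.001 + 0.000 secs).
* 1 FETCH (BODY[HEADER.FIELDS (FROM TO SUBJECT DATE)] {118}
From: admin@inlanefreight.htb
To: robin@inlanefreight.htb
Subject: Password reset
Date: Mon, 1 Jan 2024 10:00:00 +0000

)
a5 OK Fetch completed (0.001 + 0.000 secs).
EOF
}

# demo on the constructed transcript
sample_imap_response | imap_mailboxes
sample_imap_response | imap_headers
```

Live usage: imap_script robin p4ssw0rd | openssl s_client -quiet -connect 10.129.14.128:993 2>/dev/null | tee session.txt; -quiet implies -ign_eof, so s_client keeps the connection open after the script ends and exits when the server closes it after LOGOUT (if LOGIN fails the server does not close, so wrap it in timeout). For POP3 on 995 the same trick works with USER/PASS/LIST/RETR n/QUIT, which need no tags.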
  • snmp
    • config file cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'
    • footprint with snmpwalk, onesixtyone and braa
    • snmpwalk get OID info snmpwalk -v2c -c public 10.129.14.128
    • onesixtyone bruteforce community strings onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt 10.129.14.128
    • after getting community string, use braa braa <community string>@<IP>:.1.3.6.*
    • wordlist generator crunch https://secf00tprint.github.io/blog/passwords/crunch/advanced/en
    • snmp is udp 161 (traps on 162), so scan with sudo nmap -sU -p161 10.129.14.128
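A full snmpwalk is thousands of lines; the part worth reading first is the process table, because command-line arguments (hrSWRunParameters) are where passwords leak. The function below is an added example (not the module's code) that joins process names and arguments by PID from saved snmpwalk output. The walk in sample_snmpwalk is constructed in net-snmp's numeric-OID output format (what you get without MIBs loaded); the OIDs for hrSWRunName and hrSWRunParameters are the standard HOST-RESOURCES-MIB ones.

```sh
#!/usr/bin/env sh
# Added example: extract running processes from snmpwalk output
# (not from the original page).

# hrSWRunName       = 1.3.6.1.2.1.25.4.2.1.2.<pid>
# hrSWRunParameters = 1.3.6.1.2.1.25.4.2.1.5.<pid>
# Prints "pid name args" sorted by pid. Usage:
#   snmpwalk -v2c -c public 10.129.14.128 > walk.txt; snmp_procs < walk.txt
snmp_procs() {
    awk -F' = ' '
        # strip the STRING: prefix and surrounding quotes from a value
        function val(s) { sub(/^STRING: /, "", s); sub(/^"/, "", s); sub(/"$/, "", s); return s }
        $1 ~ /^(iso|\.1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.2\.[0-9]+$/ { p = $1; sub(/.*\./, "", p); name[p] = val($2) }
        $1 ~ /^(iso|\.1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.5\.[0-9]+$/ { p = $1; sub(/.*\./, "", p); args[p] = val($2) }
        END {
            for (p in name) {
                line = p " " name[p]
                if (args[p] != "") line = line " " args[p]
                print line
            }
        }
    ' | sort -n
}

# Only the processes whose arguments look like they carry a secret.
snmp_creds() {
    snmp_procs | grep -iE 'pass|pwd|secret|token'
}

# Constructed snmpwalk output: a couple of system OIDs plus three processes,
# one of them started with its database password on the command line.
sample_snmpwalk() {
cat <<'EOF'
iso.3.6.1.2.1.1.1.0 = STRING: "Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP"
iso.3.6.1.2.1.1.5.0 = STRING: "htb"
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
iso.3.6.1.2.1.25.4.2.1.2.1285 = STRING: "mysqld"
iso.3.6.1.2.1.25.4.2.1.2.1310 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: "--system --deserialize 36"
iso.3.6.1.2.1.25.4.2.1.5.1285 = STRING: "--user=root --password=S3cr3t"
iso.3.6.1.2.1.25.4.2.1.5.1310 = ""
EOF
}

# demo on the constructed walk
sample_snmpwalk | snmp_procs
```

If the walk was taken with MIBs loaded the OIDs appear as HOST-RESOURCES-MIB::hrSWRunParameters.1285 instead; rerun snmpwalk with -On to get the numeric form this parser expects.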
  • mysql
    • config file cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'
    • nmap scan sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*
    • connect with password mysql -u robin -probin -h 10.129.197.210 (no space after -p, otherwise mysql prompts for the password and treats "robin" as the database name)
    • common commands show databases;, use <database>;, show tables;, show columns from <table>;, select * from <table>;, select * from <table> where <column> = "<string>";
  • mssql
    • ms sql server is managed with SSMS (sql server management studio) on windows; from linux use impacket's mssqlclient.py (locate mssqlclient.py)
    • the service account is usually NT SERVICE\MSSQLSERVER
    • nmap scan sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
    • msf module scanner/mssql/mssql_ping
    • connect with impacket python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth
  • oracle tns
    • config files tnsnames.ora and listener.ora are in $ORACLE_HOME/network/admin
    • oracle tools https://github.com/quentinhardy/odat
    • test odat odat.py -h
    • nmap scan sudo nmap -p1521 -sV 10.129.204.235 --open
    • SID bruteforce sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
    • enum all odat.py all -s 10.129.204.235
    • connect sqlplus sqlplus scott/tiger@10.129.204.235/XE
    • commands select table_name from all_tables;, sqlplus scott/tiger@10.129.204.235/XE as sysdba
    • extract password hash select name, password from sys.user$;
    • upload file ./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
  • ipmi
    • out-of-band host management interface implemented by the BMC (iLO, iDRAC, etc.), udp 623; the RAKP authentication handshake hands a salted hash of the user's password to anyone who asks, which is what ipmi_dumphashes collects
    • nmap scan sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
    • msf modules auxiliary/scanner/ipmi/ipmi_version and ipmi_dumphashes; the latter takes PASS_FILE and tries to crack the dumped hashes itself, so hashcat is optional
    • cracking a dumped RAKP hash offline hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u (8-character mask of digits and uppercase, the format of HP iLO factory passwords)
    • hashcat need the --username flag if hash has a username

Remote Management Protocols

  • linux remote management protocols
    • ssh, server config (auth methods, root login) cat /etc/ssh/sshd_config | grep -v "#" | sed -r '/^\s*$/d'
    • ssh-audit https://github.com/jtesta/ssh-audit
    • force password authentication (to see whether the server accepts it before any bruteforce) ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password
    • rsync (tcp 873), list a module without downloading rsync -av --list-only rsync://127.0.0.1/dev
    • all r-commands https://en.wikipedia.org/wiki/Berkeley_r-commands
    • trusted hosts/users cat /etc/hosts.equiv and cat .rhosts
    • scan r-services sudo nmap -sV -p 512,513,514 10.0.17.2
    • using rlogin rlogin 10.0.17.2 -l htb-student
    • rwho lists users logged in on hosts in the local network (from their broadcasts), rusers -al <host> asks a specific host who is logged in
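The cat | grep -v "#" | sed one-liner above shows sshd_config, but two details are easy to get wrong when reading it: sshd uses the first value it sees for a keyword (a later PasswordAuthentication no does not override an earlier yes), and everything after a Match line is conditional. The function below is an added example (not the module's code) that applies both rules and flags the settings that matter to an attacker. The config in sample_sshd is constructed.

```sh
#!/usr/bin/env sh
# Added example: audit an sshd_config file (not from the original page).

# Print one finding per weak setting. Keywords are case-insensitive, the
# first occurrence wins, and the audit stops at the first Match block.
# Defaults when a keyword is absent: PasswordAuthentication yes,
# PermitRootLogin prohibit-password (no finding).
#   weak:  PasswordAuthentication yes / PermitRootLogin yes
#   fixed: PasswordAuthentication no  / PermitRootLogin no
audit_sshd() {
    sed 's/#.*//; /^[[:space:]]*$/d' | awk '
        tolower($1) == "match" { exit }
        { key = tolower($1); if (!(key in seen)) seen[key] = tolower($2) }
        END {
            if (seen["passwordauthentication"] != "no")
                print "PasswordAuthentication not disabled (default yes): password bruteforce possible"
            if (seen["permitrootlogin"] == "yes")
                print "PermitRootLogin yes: root can log in directly"
            if (seen["permitemptypasswords"] == "yes")
                print "PermitEmptyPasswords yes"
            if (seen["pubkeyauthentication"] == "no")
                print "PubkeyAuthentication no: passwords are the only option"
        }'
}

# Constructed config: the second PasswordAuthentication line is ignored by
# sshd because the first value wins, and the Match block does not count.
sample_sshd() {
cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # has no effect, first value wins
#PermitEmptyPasswords no
X11Forwarding no
Match User backup
    PasswordAuthentication no
EOF
}

# demo: audit_sshd < /etc/ssh/sshd_config on a real host; here the sample
sample_sshd | audit_sshd
```

From the outside the same facts are visible with ssh -v ... -o PreferredAuthentications=password (does the server offer password auth at all) and ssh-audit (algorithms and banner), so the audit is mainly useful once you have read access to the host.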
  • windows remote management protocols
    • rdp, nmap scan nmap -sV -sC 10.129.201.248 -p3389 --script rdp*
    • rdp check setting, developed by cisco https://github.com/CiscoCXSecurity/rdp-sec-check
    • rdp connect with xfreerdp or rdesktop like xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248
    • winrm, nmap scan nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
    • winrm connect evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
    • wmi, connect with impacket /usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"
    • wmi runs over dcom/rpc: the endpoint mapper on tcp 135 hands out a dynamic high port for the actual session

Written By

GitHub Contributor Team