Bullet Proof Strategy
Last updated
Last updated
Linux
Windows
Kerberos open?
kerbrute user enum
Aseproast
SNMP
nmap
snmpwalk
Find service and version
Find known service bugs
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every error message
Every URL path
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Every version exploit db
Every version vulnerability
Check running services
Google!
SMTP
NMAP
Hacktricks
USERENUM
HYDRA SMTP ENUM
Find service and version
Find known service bugs
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every error message
Every URL path
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Every version exploit db
Every version vulnerability
DNS
autrecon manual
nslookup
dig axfr
IRC
hexchat
POP3
See if we can authenticate as a user
"LIST"
retr <numbers>
Find service and version
Find known service bugs
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every error message
Every URL path
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Every version exploit db
Every version vulnerability
Ident
Channel through different ports each time
ident-user-enum
Enumerate Services with Null Sessions
LDAP
Grep Description
Look for unusual fields
Grep pwd
Grep Pwd
grep password
grep Pass
grep pass
ldapsearch
FTP
if unstable reset box
Find service and version
Find known service bugs
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every error message
Every URL path
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Every version exploit db
Every version vulnerability
upload?
Identify where we are in the file system
Dont know?google!
Example /var/ftp/anon/<directory-name-ifapplies>
Download recursively all ftp directories using wget
Change binary mode to upload exe
Configuration files
ftpusers
ftp.conf
proftpd.conf
filezilla users.xml
RPC
enumdomusers
make a list of users
enumprinters
SMB
Download Files
Mount
Check for permissions smbcacls
Find service and version
Find known service bugs
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every error message
Every URL path
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Every version exploit db
Every version vulnerability
REDIS
Check HACKTRICKS
Find service and version
Find known service bugs
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every error message
Every URL path
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Every version exploit db
Every version vulnerability
DBS
Try PHP webshell if we have write access to the /var/www/html/ folder
Try grabbing SSH Keys or uploading them
Try uploading module.so if vulnerable version
Rsync
List shares
Download Share
Identify Where we are
If we do not know how to enumerate these services use hacktricks
Identifying default credentials and password reusage:
Look up Version plus default credentials
Try admin:admin
Try admin:password
Try root:admin
Try root:password
Try root:root
Try boxname:admin,password
Try version or app name : app name
Try admin : no pass
Try root : no pass
Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret)
Brute force
Use cewl to make a passlist if there is a webserver running
Use rockyou.txt if we know that there are users such as admin or root for those services
If we found credentials
Rerun the bruteforcing
If we are able to find credentials through our enumeration then we rerun our enumeration
This mean that we will run every null session command with the credentials that we found or we will attempt EVERY vector with the credentials
LDAP
RPC
SMB
Download Files
Mount
Check upload permissions using smbcalcls
scf
hta
odt
If SMBPass Change was given to you use smbpasswd
REDIS
Enumerate version
DBS
Try PHP webshell if we have write access to the /var/www/html/ folder
Try grabbing SSH Keys or uploading them
Try uploading module.so if vulnerable version
Kerberos based attacks
Kerberoasting
CME
WINRM
SMB
If SMBPass Change was given to you use smbpasswd
LDAP
ldapdomaindump
redo the same shit from initial time
Files of importance when looking out for this shares
Regardless NO MATTER WHAT YOU FIND YOU WILL LOOK IT UP ON GOOGLE!
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/code-review-tools
pdfs
exiftool
Credentials for mysql, postgress, mssql
Look for string "sa"
exe
buffer overflow
pngs
exiftool
conf
config
xml
Look for the file specifically on google.com and how to decrypt them
Groups.xml
gpp decrypt
VNC
vncpwd
db
sqlite
cert files for evil winrm
pfx files for evil winrm
zip
zip2john
7z
7z2john
pdfcrack
Doc
office2john
.net file
dnspy
autorecon
Rustscan
Check for potential auth owner
Take note of the app
node.js
werkzeug
IIS
nikto scan
HTTPS
Look at certificates, check brainfuck for this
sslscan
nmap heatbleed vuln
If there is proxy
use spose to enumerate behind the proxy
Navigate to site
Source Code inspection
Look for APIs
href
check comments
Hidden values
Weird Code
Passwords
Download Files
Exiftool
Enumerate version of CMS, about page, versions
Searchsploit
Find service and version
Find known service bugs
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every error message
Every URL path
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Every version exploit db
Every version vulnerability
If Versions were identified such as
Wordpress
wpscan
Check plugins for vulnerabiliies
wpscan brute
Droopal
Droopescan
Check changelog.txt for version
Find endpoint_path
Attack vectors
Drupal 7.x Module Services Rce
Drupalgeddon2
DRUPALGEDDON3
Jenkins
Default Creds
Create new User
Identify version and exploits for them
Groovy Script reverse shell
Create new job
If we can build
Else use curl or cronjob method to execute the commands
Try to get reverse shell
Otherwise hunt down for the master.key and other files needed for decryption
Tomcat
Nikto scan
Search vulnerabilities via version number
Look for /manager
Use default credential list
Upload war file to get reverse shell
WebDav
Default Creds
Spray
Other Creds
Use cadaver for upload
aspx
phpMyAdmin
Try Default Creds
root:
root:password
Once in we can upload a shell using a sql query
Enumerate for usernames, emails, user info
Make a userlist using username-anarchy and other tool
Use these against any service or authentication method.
Make a passlist out of cewl
username:username
username:password
Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret)
Enumerate for Upload
Enumerate what extentions we can use to upload
Pair this with FTP, REDIS, and other forms of upload capability.
AT THIS POINT THIS IS WHERE IT MATTERS TO TAKE INTO ACCOUNT WHAT THE VERSION AND TECHNOLOGY BEHIND THE APPLICATION IS, IF THERE IS NO IDENTIFABLE EXPLOIT THAT MEANS THAT THIS IS A WEBSITE MADE BY THE CREATORS OF THE BOX. WE HAVE TO TAKE INTO ACCOUNT NOW THAT WE COULD POSSIBLY HAVE SQLI, CODE INJECTION. OUR PAYLOADS HAVE TO MATCH THE TECHNOLOGY BEHIND THE WEBSITE.
Logical reasoning
Look at the application from a bad guy perspective, what does it do? what is the most valuable part? Some applications will value things more than others, for example a premium website might be more concerned about users being able to bypass the pay wall than they are of say cross-site scripting
Look at the application logic too, how is business conducted?
401 OR 403? Try bypassing that
Use hacktricks for this, I also have a script that does it for you.
nikto
google everything that this returns
there was a box about the api that was exploitable by looking it up on nikto scan (Restack API)
Enumerate directories
dirsearch
/boxname/
gobuster
if cgi-bin folder was found (shellshock)
/cgi-bin/ dirb scan
dirb scan normal
Rerun initial enum for this such as source code inspection
Enumerate hidden params
arjun
wfuzz
ffuff
Guess parameters. If there's a POST forgot_pass.php with an email param, try GET /forgot_pass.php?email=%0aid.
Enumerate parameters for RFI, and LFI
Remember relativity and using LFI to expose other services that we could authenticate as.
Check for RCE methods, like every single one of them.
Enumerate SSRF if there is some sort of browser.
Capture hashes via responder
Every parameter or input has to be checked for sql injection
Try enabling the shells depending on the database that is open
otherwise haha xd try to enumerate tables and the whole jargon
Play with post and get requests, this could lead to something displaying
Google everything
This can be done with curl and BurpSuite
Guess post parameters based on the output, check the werkzeug section of the blog
Play with weak cookies and parameters
Look for weak encryption maybe we could decrypt these into passwords and mess with them by changing them to admin.
Log in forms
default creds google
cewl to make passlist
cewl to make user list
version:version
combine them both
authetication bypass
boxname:boxname
admin:version
name:version
php type juggling
Credentials somewhere else in the box.
Bruteforce
THESE ARE THE THREE PRINCIPLES OF GETTING IN. THERE IS EITHER A VULNERABLE SERVICE, THIS MAYBE HAS TO BE CHAINED WITH ANOTHER VULNERABILITY. THEN THERE IS PASSWORD SPRAYING, THIS IS BASICALLY CONSITUTES TO DEFAULT CREDS, PASSWORD RESUSAGE, AND THE LAST IS BRUTEFORCING
Any known vulnerability?
Check https://nvd.nist.gov/
Check on google
We do not have version? But exploits avaliable
Prioritize RCE exploits
Try THEM ALL!!!
and redo the above
IF WE HAVE CODE EXECUTION
Attempt to get reverse shells
if a technique does not work, do every single fucking reverse shell
python, nc , in every motherfucking way https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
Troubleshoot the exploit maybe the command needs a certain syntax look at the methodology section of the blog in exploitation
Also play with this remember the mongodb exploit from the labs.
Also try bash -c instead of just the normal bash -i reverse shell.
ALWAYS USE AND CHANNEL THROUGH OPEN PORTS FOR THE REVERSE SHELL
if we do get code execution but no reverse shell because of whatever firewall, our best choice is to look if we can output files in a way where we can use them against other services, these could be used to gain access and uploading shit.
THINK ABOUT SITUATIONAL AWARENESS. Where can we upload? can we use these files to our advantage, remember the thing about redis.
Did we get credentials for any database that are valid ?
Check RCE methods
Enumerate the database
If base
d on our enumeration we found some sort of userlist
Make a list with these with different naming conventions
Validate these users with kerbrute.
If the users are valid
ASEPROAST
Make a passlist with how we usually do
use cewl if there is a webserver
user:user
user:password
user:''
user:boxname
Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret)
Validate these creds with CRackmapexec
ldap
smb
If we get pwned!
psexec
winrm
However Rerun all enumeration from before if we find these are valid
Kebroast
Same principle as other things discussed, we make a list out of everything we see and every username, name, version is valuable to us.
Enumerate current user and its permissions
Check the privileges
Impersoante
SeLoadDriver
SeRestore
Transfer winpeas
Transfer PowerUp
Seatbelt
Sherlock
Rubeus
SharpHound
General users enum
General groups enum
Check if current user has these tokens:
Windows version
Installed patches and updates
Architecture
Environment variables
Drives
ARE THE RUNNIGN SERVICES RUNNING AS OTHER USERS? CAN WE MODIFY THE WEBSTE MAYBE BY PASTING A PHP FILE THAT RUNS AS THE USER WHO HOSTS THE WEBSITE
TRANSFER PLINK
List all NICs, IP and DNS
List routing table
List ARP table
List current connections
List current connections correlated to running service (requires elevated privs)
List firewall state and config
List firewall's blocked ports
Disable firewall
List network shares
SNMP config
Go from medium mandatory level to high mandatory level
TRY KNOWN PASSWORDS!
Creds from config files (Try different words e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth):
Creds from local DBs
Creds from Windows Vault
Creds from Registry
Creds from Unattend or Sysprep Files
Creds from Log Files
Creds from IIS web config
Check other possible interesting files
Creds from WiFi
Creds from sticky notes app
Creds stored in services
Creds from Powershell History
Creds from alternate data stream
SAM & SYSTEM bak
Cloud credentials
Cached GPP password
Saved RDP connections
Remote desktop credential manager
SCClient \ SCCM
Check recycle bin
Services running on localhost
Kernel version
Software versions
Service versions
Services
Can we restart the machine?
Can we start and stop the service?
Check permissions
Unquoted Service Path
Change service binary path
DLL Hijacking / Overwrite service binary
Registry modify permissions
Installed applications
DLL Hijacking for installed applications
Write permissions
PATH DLL Hijacking
AlwaysInstallElevated set in Registry
Scheduled tasks
Executable file writeable
Dependency writeable
Sensitive files readable
SAM Hive
SYSTEM Hive
Windows Subsystem For Linux
Navigate to the fileystem and look for weird folders that contain weird scripts that run every so often, replace them if we can.
Principles to becoming root!
cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash
Adding a new user
Make the user run commands without needing password sudo -l
Upgrade shell using socat, else python
Are we in a dock container? If so this can be seen by doing an ls -la. See how to escape from the notes
Run linpeas.sh
Run SUDO Killer if we have full SSH creds
Run SUI3Emum
Go Thru the linpeas.sh output
PwnKit? This is an easy win.
enumerate users
Look for other users
Try to switch users and rerun enumeration
Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret)
Enumerate groups
Are these exploitable?
lxd
davfs
sudo
fail2ban
Any accessible sensitive file?
/etc/passwd
/etc/shadow
/etc/sudoers
Configuration files
/root/.ssh/id_rsa
entire root folder
Check env info
Look through SUID set
refer to gtfobins for this
Can we write them?
google everything
LOOK EVEN FOR CUSTOM ONES AND USE THEM!
Are these missing libraries?
Do we have write access to the LDLIBRARYPATH? IF yes
Generate our own .so file and paste it in the writable path
Enumerate internal running services
If there is a website play with curl
Are these running as other users that we can become?
If there is a database running we can enuemrate for credentials to test for UDF
mysql -uroot -pdasdasd
Remote port forward if we have SSH access.
Init, init.d systemd Services?
Can we overwrite them?
Can we start or stop the service
Can we reboot the machine?
Check for Cronjobs
Can we overwrite them
Are these missing a library when running?
Can we overwrite the library path
GOOGLE EVERYTHING HERE ,some custom scripts have vulnerable expressions.
Password Search
Try known passwords
Search creds from config files (Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret):
Search creds in common files:
Search creds from local DBs
Search creds from bash history:
Search creds from memory:
SSH keys:
Search rsync config file
Transfer Linux Exploit Suggester
Try the most probable exploits
Enumerate processes that run as root and look for weird things.
use PSPY
Enumerate the file system and see if there are weird files that we can overwrite
check /opt and /srv, expecting to find both empty
you could also try find / -name "*.py"
Check for weird folders and see if tehre are any bash scripts that we could also modify
python scripts
perl i dont know