Steinz Security

In lot of scenarios, we usually don't have access to GUI access to web applications but in most of the scenarios - you can find curl installed on the test machine - so, below is a simple cheat sheet to run basic checks #Get request using Curl curl -I http://10.10.10.10 # Send Post Request curl --data "param1=value1&param2=value2" http://10.10.10.10 #Check for Trace Method curl -k -v -X TRACE http://10.10.10.10 #PUT Request curl -X PUT -d "PUT request data" http://10.10.10.10 curl -kL https://10.10.10.10 -T file.txt #HEAD Request curl -I http://10.10.10.10 #Test DEBUG Method --> if Response "OK" --> DEBUG is enabled curl -X DEBUG https://10.10.10.10 -k -v -H "Command: stop-debug" #Ignore SSL warnings curl -k http://10.10.10.10 #Follow Redirection curl -L http://10.10.10.10 #Add headers in a JSON GET request curl -i -H "Accept: application/json" -H "Content-Type: application/json" http://10.10.10.10 #

Citrix Servers - Ports 1604 - Citrix MetaFrame ICA 1494/tcp open citrix-ica Citrix Metaframe XP ICA - Citrix VDI (Virtual Delivery Agent) 2598/tcp open citriximaclient #Below 4 are used in Load Balancers 3008/tcp open ssl/midnight-tech? 3009/tcp open ssl/mep Citrix NetScaler Metric Exchange Protocol 3010/tcp open gw?                     Citrix NetScaler Gateway 3011/tcp open mep Citrix NetScaler Metric Exchange Protocol nmap -sS -sU --script citrix-enum-apps,citrix-enum-servers -i ips.txt -Pn -oA citrix For Citrix ADC - Default Username/Password : nsroot/nsroot Finding Citrix ADC Version https://10.10.10.10/nitro/v1/config/nsversion or curl -X GET -H "Content-Type: application/json" -u nsroot:examplepassword http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/nsversion curl -X GET -H "Content-Type: application/json" -u <username>:<examplepassword> http://<Citrix-ADC-IP-address(NSIP)>/nit

 SMB Enum Scripts and Checklists Enumerating SMB Shares my $host = "10.10.10.10"; my $filename = "/usr/share/wordlists/SecLists/blob/master/Discovery/Web-Content/common.txt"; open(my $fh, '<', $filename) or die $!; while (my $word = <$fh>) { chomp($word); ## Try to login with a username and no password my $result = qx( smbclient //$host/$word -N 2>/dev/null ); ## ACCESS_DENIED means the share exists ## BAD_NETW_NAME means the share does not exist if ($result =~ /NT_STATUS_ACCESS_DENIED/g ) { print "[+] Share Found @ //$host/$word\n"; next; } }

  CPANEL Ports cPanel 2082 cPanel - SSL 2083 WHM 2086 WHM - SSL 2087 Webmail 2095 Webmail - SSL 2096 SFTP Shared/Reseller Servers 2222 Webdisk 2077 Webdisk - SSL 2078 SSH Shared/Reseller Servers 2222 Plesk Control Panel 8880 Plesk Control Panel - SSL 8443 Plesk Windows Webmail (SmarterMail) 9998** DotNet Panel 9001 NDMP Port 10000 - NDMP nmap -p 10000 --script ndmp-fs-info,vuln -sVC -d 10.10.10.10 Port 30000 - NDMPS nmap -p 30000--script ndmp-fs-info,vuln -sVC -d 10.10.10.10 NetApp NDFS Common Ports Parallel Virtual File System (PVFS) TCP port 3334 - Heap Over flow nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 Docker Port - 2375 2375: unencrypted docker socket, remote root passwordless access to the host 2376: tls encrypted socket, most likely this is your CI servers 4243 port as a modification of the https 443 port 2377: swarm mode socket, for swarm managers, not for docker clients 5000: docker registry service 4789 and 7946

 Penetration testing Routers & Switches Routersploit Nipper-ng  dig nslookup port 1999 snmpsniff (v1 is vulnerable) test for NTP  Routersploit git clone https://www.github.com/threat9/routersploit.git/ cd routersploit python3 -m pip install -r requirements.txt python3 rsf.py search exploit search scanner use scanners/autopwn set target 10.10.10.10 Attacking Switches using Yersinia on Spanning Tree Protocol (STP) good doc https://github.com/tomac/yersinia #launch GUI yersinia -G # yersinia protocol -h #Start SPN attack and capture the traffic - sensitive info will be exposed to the network VLAN Enumeration and Hopping and Trunking git clone https://github.com/nccgroup/vlan-hopping.git ./frogger.sh #VLAN hopping/ Truking can be done via yersina as well #Create a new fake Trunk and let the switch believe that you are a trunk and ge the info via VLAN hopping yersinia -G go to DTP --> enable trunking # Test for Finger Services finger -l 10.10.10.10 finger -l user@10.10.10.10 Tes