forked from Shiva108/CTF-notes
-
Notifications
You must be signed in to change notification settings - Fork 0
/
enum_oscp.html
190 lines (101 loc) · 4.92 KB
/
enum_oscp.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
<h1>Enumeration Roadmap (for OSCP Labs):</h1>
<h2>Step 1: Nmap basic scan</h2>
nmap -Pn -p- -vv <ip address>
nmap -Pn -p- -sU -vv <ip address>
Fast:
nmap -sSCV -Pn -A -v <ip> -oX name.xml
<h2> 2: Nmap version and vulnerability Scan:</h2>
Nmap -Pn -sV -O -pT:{TCP ports found in step 1},U:{UDP ports found in step 1} -script *vuln* <ip address>
Grab banners manually for more clarity:
nc -nv <ip-address> <port>
<h2>Step 3: Any web port(s) for further enumeration?</h2>
Nikto -port {web ports} -host <ip address> -o <output file.txt> -C all
Dirb http{s}://<ip address>:<port> /usr/share/wordlists/dirb/{common/small/vulns}.txt
Gobuster -u http://<ip-address> -w /usr/share/Seclists/Discovery/Web_Content/common.txt
/usr/share/secLists/Discovery folder has some great word lists
If only web port visible try a bigger list in dirb: /usr/share/wordlist/dirb/big.txt
Use Burpsuite as needed
Do you see any interesting directory containing sensitive data?
Do you see any LFI/RFI vulnerability posted by Nikto? Try fimap: fimap -u <ip-address>
<h2>Step 4: Are there any exploits available publicly from the services discovered from Step 2?</h2>
Searchsploit <service name>
http://www.securityfocus.com/vulnerabilities
Copy exploit to local dir:
searchsploit -m <ID>
<h2>Step 5: Manual Poking for Web Pages</h2>
Check the Page Source, Inspect elements, view cookies, tamper data, use curl/wget
Google alien terms!
Anything sensitive there?
Any version info?
Search repository online (like GitHub) if the application used is open source: this may assist in site enumeration and guessing versions etc.!
Check HTTP Options
Check for Input Validation in forms (like: 1′ or 1=1 limit 1;# AND 1′ or 1=1–)
NULL or null
Possible error messages returned.
‘ , ” , ; , <!
Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
– , = , + , ”
Used to craft SQL Injection queries.
‘ , &, ! , ¦ , < , >
Used to find command execution vulnerabilities.
../
Directory Traversal Vulnerabilities.
<h2>Step 6: Are there any NETBIOS, SMB, RPC ports discovered from Step 1?</h2>
enum4linux -a <ip address>
Rpcclient <ip address> -U “” -N
Rpcinfo: What services are running?
Rpcinfo -p <target ip>
Is portmapper running? Is rlogin running? Or NFS or Mountd?
http://etutorials.org/Networking/network+security+assessment/Chapter+12.+Assessing+Unix+RPC+Services/12.2+RPC+Service+Vulnerabilities/
Showmount -e <ip address>/<port>
Can you mount the smb share locally?
Mount -t cifs //<server ip>/<share> <local dir> -o username=”guest”,password=””
Rlogin <ip-address>
Smbclient -L \\<ip-address> -U “” -N
Nbtscan -r <ip address>
Net use \\<ip-address>\$Share “” /u:””
Net view \\<ip-address>
Check NMAP Scripts for SMB, DCERPC and NETBIOS
<h2>Step 7: Any SMTP ports available?</h2>
Enumerate Users:
Mail Server Testing
Enumerate users
VRFY username (verifies if username exists – enumeration of accounts)
EXPN username (verifies if username is valid – enumeration of accounts)
<H2>Step 8: How about SNMP ports?</H2>
Default Community Names: public, private, cisco, manager
Enumerate MIB:
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
Use tools:
Onesixtyone – c <community list file> -I <ip-address>
Snmpwalk -c <community string> -v<version> <ip address>
Eg: enumerating running processes:
root@kali:~# snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2
<H2>Step 9: FTP Ports Discovered</H2>
Is anonymous login allowed?
If yes, is directory listing possible? Can a file be ‘get’ or ‘send’?
Use browser:
ftp://<ip-address> , What do you find?
<H2>Step 10: Password Cracking / Brute Forcing</H2>
Try this as the last resort or in case the Passwd/Shadow/SAM files are in possession:
For linux, first combine passwd & shadow files:
unshadow [passwd-file] [shadow-file] > unshadowed.txt
Then, use John on the unshadowed file using a wordlist or rules mangling :
john –rules –wordlist=<wordlist file> unshadowed.txt
Identifying Hash: hash-identifier
For other services, use Medusa or Hydra. Eg:
Hydra -L <username file> -P <Password file> -v <ip-address> ssh
Medusa -h <ip-address> -U <username file> -P <password file> -M http -m DIR:/admin -T 30
Using hashcat for cracking hashes:
For WordPress MD5 with salt:
hashcat -m 400 -a 0 <hash file> <wordlist file>
Sample Password list: /usr/share/wordlist/rockyou.txt
<h2>Step 11: Packet Sniffing</h2>
Use Wireshark / tcpdump to capture traffic on the target host:
“tcpdump -i tap0 host <target-ip> tcp port 80 and not arp and not icmp -vv”