Network Discovery

Use nmap to identify live hosts on the 10.10.10.4/24 network

# nmap 10.10.10.4/24
# nmap 10.10.10.1-255
# nmap 10.10.10.4
# nmap -A  10.10.10.4          : Scan the top 1000 ports and get service versions
# nmap -sV -sC -p- 10.10.10.4  : Scan all 65535 TCP ports
# nmap -sU 10.10.10.4          : Scan UDP ports
    -sV : Attempts to determine the version of the service running on each port
    -sC : Scan with the default NSE scripts, considered useful for discovery and safe to run
    -A  : Enables OS detection, version detection, script scanning, and traceroute
    -p- : Scan all ports
    -sU : UDP ports (very slow)
    -oN nmap.log : write normal output to the file nmap.log

The three scans can be launched in parallel in three different xterms.
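The nmap.log written by -oN is worth parsing rather than reading by eye: it gives an inventory of what is actually exposed, which can be diffed against what is supposed to be open. The parser below is an added example, not part of the original cheat sheet; the log text it reads is a constructed sample with made-up hosts and versions, and the allow-list of (port, proto) pairs is an assumption.

```python
import re

# Constructed sample of "nmap -sV -oN nmap.log" normal output; hosts and versions are made up.
SAMPLE_LOG = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oN nmap.log 10.10.10.0/24
Nmap scan report for 10.10.10.4
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp   open  http    Apache httpd 2.4.29
3306/tcp open  mysql   MySQL 5.7.29-0ubuntu0.18.04.1
Nmap scan report for 10.10.10.11
Host is up (0.00051s latency).
PORT    STATE    SERVICE VERSION
21/tcp  open     ftp     vsftpd 3.0.3
139/tcp filtered netbios-ssn
445/tcp open     microsoft-ds
# Nmap done at Mon Jan  1 10:00:20 2024 -- 256 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_log(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oN output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version or ""))
    return hosts

def unexpected_open_ports(hosts, allowed):
    """Open ports outside the allow-list of (port, proto): the exposure to review or firewall."""
    return [(host, port, service)
            for host, ports in hosts.items()
            for port, proto, state, service, _ in ports
            if state == "open" and (port, proto) not in allowed]

if __name__ == "__main__":
    for finding in unexpected_open_ports(parse_nmap_log(SAMPLE_LOG), {(22, "tcp"), (80, "tcp")}):
        print("review:", finding)
```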

Although they can run on any port, services such as FTP, web or LDAP generally use the ports reserved for them. Port 80, for example, is used by web servers for HTTP; port 443 is the port for HTTPS.

TCP
    20: ftp data
    21: ftp control
    22: ssh
    23: telnet
    25: SMTP (mail)
    37: Time protocol
    53: DNS (BIND)
    69: TFTP (Trivial FTP)
    80: HTTP
    109: POP2
    110: POP3
    111: RPC (Remote Procedure Call / portmapper)
    137: Netbios Name Service
    138: Netbios Datagram Service
    139: Netbios Session Service
    143: IMAP (mail)
    161: SNMP
    220: IMAP3
    389: LDAP
    443: HTTPS
    445: MS Active Directory, SMB
    464: Kerberos (password change, kpasswd)
    1521: Oracle Database
    3000: Node.js (common default)
    3306: MySQL
UDP
    69: TFTP
    161: SNMP

http://www.0daysecurity.com/penetration-testing/enumeration.html 

FTP servers are used to transfer files.
Once logged in with a login/password, it is possible to move through the directory tree to upload/download files.
By default, the protocol is optimised for text files. Do not forget to activate binary mode if necessary.
On certain servers, a guest or anonymous account allows public documents to be downloaded freely.
The login is 'anonymous'; the password is conventionally the guest's email address.

$ ftp 10.0.0.11
Name (10.0.0.11:yolo): anonymous
Password: yolo@yolospacehacker.com
ftp> pwd 
ftp> cd docs
ftp> ls 
ftp> bin
ftp> get flag.txt
ftp> put backdoor.php
ftp> bye

Port 22 is the SSH port, which gives remote access to a terminal.
It is possible to connect with a login/password.

$ ssh yolo@10.0.0.11

It is also possible to log in with a private key file.

$ ssh -i id_rsa yolo@10.0.0.11

The private key file should only be read by its owner.

$ chmod 600 id_rsa

The robots.txt file, when it exists, is stored at the root of a website. It contains a list of the resources of the site that are not supposed to be indexed by search engine spiders.
By convention, robots read robots.txt before indexing a website.
Its content may therefore be of interest to us.

http://10.10.10.8/robots.txt
More info: https://en.wikipedia.org/wiki/Robots_exclusion_standard

Developers sometimes leave useful information or even passwords in code comments. These are often URLs, or form fields used for testing.

Comments in the HTML or JS source code of the page
/* Secret code */
<!-- Secret code -->
Hidden HTML elements
<p hidden>Secret code.</p>
<label style='display: none'>Secret code.</label>

Bruteforcing a website consists of testing for the presence of accessible pages, such as /register, /register.php, /admin, /upload, /users/login.txt, /admin/password.sav, ... For this there are lists of directories and filenames frequently found on web servers.

Once the web server language/framework is known (php, java, cgi / wordpress, joomla, ...), it is possible to use optimized lists and search only for the appropriate extensions: php, php4, php5, exe, jsp, ...
It is also possible to search for files with interesting extensions: cfg, txt, sav, jar, zip, sh, ...


Usual web brute force software:

  • dirb: Command line. To be used for a quick check, with its list 'common.txt'.
  • gobuster: Command line. To be used with the list 'directory-list-2.3-medium.txt' from dirbuster
  • dirbuster: GUI. Convenient to use, but not the best choice.

It is crucial to choose the right list of directories/filenames:

  • /usr/share/wordlists/dirb/common.txt: Small well-constructed list
  • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: Big list. Should cover all CTFs.
  • https://github.com/danielmiessler/SecLists : Once comfortable with the two previous lists, it is possible to find more optimized lists at this address.
  • On Kali and Parrot distributions, the /usr/share/wordlists directory contains links to many lists. Take the time to look at it in detail.


Dirb

Dirb is usually preinstalled on Kali or Parrot. If not:

sudo apt-get install -y dirb

Run a quick scan with dirb, with its default 'common.txt' list:

dirb http://10.10.10.11

Find files with .php file extension:

dirb http://10.10.10.11  -X .php


Gobuster
https://github.com/OJ/gobuster

Download and install in /opt

wget https://github.com/OJ/gobuster/releases/download/v3.0.1/gobuster-linux-amd64.7z
sudo apt install p7zip-full
7z x gobuster-linux-amd64.7z
sudo cp gobuster-linux-amd64/gobuster /opt/gobuster
chmod a+x /opt/gobuster

Bruteforce http://10.10.10.11, with the list 'directory-list-2.3-medium.txt', and file extensions html,php,txt:

/opt/gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.11  -l -x html,php,txt

For an HTTPS URL, add the command line option:

-k : skip TLS certificate verification

Wfuzz

Fuzz an id from 000 to 020

wfuzz -z range,000-020 http://satctrl.bahamas.ysh/?id=FUZZ

Fuzz a parameter name

wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?FUZZ=aaaaaaa"

Press Ctrl-C, then identify the usual number of characters in the responses, for example 400.
Rerun with the --hh option to hide responses of this size, so that responses which generate a different page stand out.

wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?FUZZ=aaaaaaa" --hh 400    

Fuzzing the value of a URL parameter

wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?command=FUZZ"

As before, press Ctrl-C, identify the usual number of characters in the responses (for example 400),
then rerun with --hh to hide responses of that size and spot the ones that generate a different page.

wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?command=FUZZ" --hh 400

Fuzzing an FQDN prefix (subdomain)

wfuzz -z file,./burp-parameter-names.txt "http://FUZZ.bahamas.ysh"
wfuzz -z file,./burp-parameter-names.txt "http://FUZZ.bahamas.ysh" --hh 400    

Useful lists
subdomains-top1million-5000.txt
burp-parameter-names.txt
From: https://github.com/danielmiessler/SecLists

Hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt  -f 10.10.10.157 http-get /monitoring
-l : login
-P : password file
-f : stop after the first valid login/password pair is found
10.10.10.157 : server address
http-get : HTTP request type (basic authentication)
/monitoring : URL path

Hydra with http-post-form

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.11 http-post-form '/admin/login.php:username=^USER^&password=^PASS^:F=Wrong password:H=Cookie\: PHPSESSIONID=ms0t93n23mc2bn2512ncv1ods4' -V
-V : verbose, show every attempt
F= : string present in the response when the login fails
H= : extra header to send, here the session cookie

Hydra with http-get-form

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.4 http-get-form '/login.php:username=^USER^&password=^PASS^:F=Login failed:H=Cookie\: PHPSESSIONID=ms0t93n23mc2bn2512ncv1ods4' -V

Beware: if the answer is a 302 Redirect, hydra will not follow it and will generate a false positive.
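Both the directory brute force above (dirb/gobuster) and a hydra run against a login form leave the same kind of trace in the web server's access log: one client producing a burst of 404s, or a burst of POSTs to the login page, within seconds. The detector below is an added example, not from the original cheat sheet; the log lines are constructed in Apache/nginx combined format using paths from this page, and the 60-second window and the threshold of 5 are assumptions to tune to a site's normal 404 and login-failure rates.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

def _line(ip, sec, method, path, status):
    return f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 123 "-" "curl/7.0"'

# Constructed sample: a dirb-style sweep of paths from this page, a hydra-style form attack, a normal visitor.
SAMPLE_LOG = (
    [_line("10.10.14.2", i, "GET", p, 404) for i, p in enumerate(
        ["/admin", "/upload", "/register.php", "/users/login.txt", "/admin/password.sav", "/backup"])]
    + [_line("10.10.14.3", i, "POST", "/admin/login.php", 200) for i in range(8)]
    + [_line("10.10.14.9", 1, "GET", "/index.php", 200), _line("10.10.14.9", 7, "GET", "/robots.txt", 200)]
)

def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            d["status"] = int(d["status"])
            events.append(d)
    return events

def bursts(events, predicate, window=timedelta(seconds=60), threshold=20):
    """{ip: peak count} for clients with at least `threshold` matching requests inside one `window`."""
    per_ip = defaultdict(list)
    for e in events:
        if predicate(e):
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def detect(lines, threshold=5):
    ev = parse(lines)
    is_login_post = lambda e: e["method"] == "POST" and e["path"].endswith("/login.php")
    return {"dir_bruteforce": bursts(ev, lambda e: e["status"] == 404, threshold=threshold),
            "login_bruteforce": bursts(ev, is_login_post, threshold=threshold)}
```

A successful login usually answers with a 302 rather than a 200, so a single 302 among many 200s on the login path is the one to look at first.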

Wordpress

URLs format:

Posts : /index.php?p=22
        /index.php/2017/04/12/hello-world/
        /index.php/jobs/apply/8/
Login : /wp-login/
        /wp-login.php
Uploaded files : /wp-content/uploads/%year%/%month%/%filename%

Config file and database credentials

/var/www/html/wordpress/wp-config.php
/var/www/html/wordpress/htdocs/wp-config.php

Wpscan

Wpscan knows the structure of a WordPress site and will brute force it to identify the pages, the posts, the users, the theme and the plugins.
WordPress flaws are mainly due to outdated plugins.

wpscan --url http://10.10.10.10/wordpress/ -e
--url : wordpress url
-e : enum pages, posts, users, theme, plugins, ...

Login bruteforce

wpscan --url http://10.10.10.10/wordpress/  -P rockyou.txt -U admin

The POP3 protocol is used to retrieve your mail from a remote server.
If you have the login/password, connect with netcat or telnet

$ nc 10.0.12.10 110

Once connected, authenticate with login/password

USER XXXXXX
PASS XXXXXX

Get the mails list

LIST

Read mail number 1

RETR 1

Quit the server.

QUIT

Use hydra to bruteforce POP3 authentication.

hydra -V -l username -P wordlist.txt 10.0.12.10 pop3

Once you have found database credentials in a config file, use the mysql client to connect and dump the database.

mysql --host=HOST -u USER -p
--host xx : Server IP or name
-u xx     : login
-p        : manually enter the password.

List databases.

show databases; 

Ignore the internal databases and choose the application database.
The database 'information_schema' contains internal information of MySQL or MariaDB. It can generally be ignored.
Select the application database, list the tables, then dump interesting tables such as 'users'.

use DATABASE;
show tables;     
SELECT * FROM TABLENAME;
quit;

To make certain services invisible to scans, servers can use a port knocking feature.
Sensitive ports are only opened once a particular sequence of packets has been received, ideally over UDP.
This feature can be implemented directly in the router, the firewall or the application.

Send a single empty UDP packet to port 1337

nc -u -z localhost 1337

Send a series of empty packets to UDP ports 1337 4444 6666

nc -u -z localhost 1337 4444 6666

Send a single packet containing the message KnockKnockKnock to UDP port 1337

printf KnockKnockKnock | nc -u -q1 localhost 1337

Send a series of packets containing the message KnockKnockKnock to UDP ports 1337 4444 6666

for i in 1337 4444 6666; do printf Knock | nc -u -q1 localhost $i; done
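The server side of the mechanism is a small state machine per source address: each knock on the right next port advances the sequence, a wrong port (such as a UDP scan sweeping through ports) resets it, and waiting too long between knocks resets it too. The tracker below is an added example, not from the original cheat sheet and not any real knock daemon; the sequence, window, optional payload and the events in the demo are all constructed assumptions.

```python
from collections import defaultdict

class KnockTracker:
    """Per-source knock state: the door opens only after the whole sequence
    arrives in order within `window` seconds (constructed example logic)."""

    def __init__(self, sequence, window=10.0, open_for=30.0, secret=None):
        self.sequence = list(sequence)   # e.g. the UDP ports [1337, 4444, 6666]
        self.window = window             # seconds allowed to complete the sequence
        self.open_for = open_for         # seconds the door stays open afterwards
        self.secret = secret             # optional payload every knock must carry
        self.progress = defaultdict(lambda: (0, 0.0))  # src -> (knocks matched, last ts)
        self.opened = {}                 # src -> expiry timestamp

    def knock(self, src, port, ts, payload=b""):
        """Record one packet on a knock port; return True when the door opens for src."""
        matched, last = self.progress[src]
        if matched and ts - last > self.window:
            matched = 0                  # too slow: the sequence starts over
        good = self.secret is None or payload == self.secret
        if good and port == self.sequence[matched]:
            matched += 1
        else:
            # A wrong port or payload (e.g. a UDP scan sweeping ports) resets progress;
            # a correct first knock still counts as a fresh start.
            matched = 1 if good and port == self.sequence[0] else 0
        self.progress[src] = (matched, ts)
        if matched == len(self.sequence):
            self.progress[src] = (0, ts)
            self.opened[src] = ts + self.open_for   # a real daemon would add a firewall rule here
            return True
        return False

    def is_open(self, src, ts):
        """True while the protected port should accept src; expired entries are simply stale."""
        return self.opened.get(src, 0.0) > ts

if __name__ == "__main__":
    door = KnockTracker([1337, 4444, 6666], window=5.0)
    # Constructed events: the correct sequence from 10.0.0.5, a port sweep from 10.0.0.9.
    for t, port in enumerate((1337, 4444, 6666)):
        print("10.0.0.5 knocks", port, "->", door.knock("10.0.0.5", port, float(t)))
    for t, port in enumerate((1337, 1338, 4444, 6666)):
        door.knock("10.0.0.9", port, float(t))
    print("open for 10.0.0.5:", door.is_open("10.0.0.5", 4.0), "| open for 10.0.0.9:", door.is_open("10.0.0.9", 4.0))
```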