Footprinting.md
---
abbr:
- "TFTP: Trivial File Transfer Protocol"
- "FTP: File Transfer Protocol"
- "VM: Virtual Machine"
- "SMB: Server Message Block"
- "ACL: Access Control List"
- "CIFS: Common Internet File System"
- "API: Application Programming Interface"
- "NBNS: NetBIOS Name Server"
- "WINS: Windows Internet Name Service"
- "SAM: Security Authentication Module"
- "NFS: Network File System"
- "DNS: Domain Name System"
- "TLD: Top Level Domain"
- "AXFR: Asynchronous Full Transfer Zone"
- "SMTP: Simple Mail Transfer Protocol"
- "MUA: Mail User Agent"
- "MTA: Mail Transfer Agent"
- "MSA: Mail Submission Agent"
- "MDA: Mail Delivery Agent"
- "IMAP: Internet Message Access Protocol"
- "POP3: Post Office Protocol 3"
- "SNMP: Simple Network Management Protocol"
- "IoT: Internet of Things"
- "MIB: Management Information Base"
- "OID: Object Identifier Registry"
- "ASN.1: Abstract Syntax Notation One"
- "RDBMS: Relational Database Management System"
- "TNS: Transparent Network Substrate"
- "IPMI: Intelligent Platform Management Interface"
- "PSU: Power Supply Unit"
- "RDP: Remote Desktop Protocol"
- "NAT: Network Address Translation"
- "NLA: Network Level Authentication"
- "WinRM: Windows Remote Management"
- "SOAP: Simple Object Access Protocol"
- "WinRS: Windows Remote Shell"
- "WMI: Windows Management Instrumentation"
- "WMIC: Windows Management Instrumentation Console"
---

## Enumeration Principles

Information can be gathered from the [[Domain Name|Domain]], [[IP|IP address]], accessible services and other sources

Understand how the company works, what services are being used, which third-party vendors it uses, its current security measures and more

A wrong approach would be to brute-force authentication services like [[SSH]], [[RDP]] and [[WinRM]]; this is very noisy and you could get blocked

```ad-tip
Our goal is to find all the ways to get into a system
```

Ask yourself these questions:
- What can we see?
- What reasons can we have for seeing it?
- What image does what we see create for us?
- What do we gain from it?
- How can we use it?
- What can we not see?
- What reasons can there be that we do not see?
- What image results for us from what we do not see?

## Enumeration Methodology

Having a standard methodology helps us keep our bearings and avoid missing anything

![[Pasted image 20251125231037.png]]

#### Layers

| **Layer** | **Description** | **Information Categories** |
| --- | --- | --- |
| `1. Internet Presence` | Identification of internet presence and externally accessible infrastructure. | Domains, Subdomains, vHosts, ASN, Netblocks, IP Addresses, Cloud Instances, Security Measures |
| `2. Gateway` | Identify the possible security measures to protect the company's external and internal infrastructure. | Firewalls, DMZ, IPS/IDS, EDR, Proxies, NAC, Network Segmentation, VPN, Cloudflare |
| `3. Accessible Services` | Identify accessible interfaces and services that are hosted externally or internally. | Service Type, Functionality, Configuration, Port, Version, Interface |
| `4. Processes` | Identify the internal processes, sources, and destinations associated with the services. | PID, Processed Data, Tasks, Source, Destination |
| `5. Privileges` | Identification of the internal permissions and privileges to the accessible services. | Groups, Users, Permissions, Restrictions, Environment |
| `6. OS Setup` | Identification of the internal components and systems setup. | OS Type, Patch Level, Network config, OS Environment, Configuration files, sensitive private files |

Description of all the layers of the image above:
- Layer No.1: Internet Presence
    - Find the targets that we can investigate
    - Look for additional hosts
    - Find domains, subdomains, netblocks
    - **The goal is to identify all possible target systems and interfaces that can be tested**
- Layer No.2: Gateway
    - Try to understand the interface of a reachable target
    - Understand how the target is protected and where it sits in the network
    - **The goal is to understand what we are dealing with and what to watch out for**
- Layer No.3: Accessible Services
    - Scan to find all services that it offers
    - Need to know what each service does and why the admin installed it
    - **This layer aims to understand the reason and functionality of the target system, gain knowledge of it and exploit it**
- Layer No.4: Processes
    - Know what process performs what task and what command or function calls it
    - **The goal is to understand these factors and identify dependencies between them**
- Layer No.5: Privileges
    - Each service and binary runs as a specific user in a group, with permissions and privileges defined by the admin
    - Provides limited functionality
    - Happens often in [[Active Directory]] infrastructure where users are responsible for multiple admin areas
    - **Crucial to identify these and understand what is and is not possible with these privileges**
- Layer No.6: OS Setup
    - Collect info about the [[Operating System]] and its setup
    - Gives a good overview of internal security
    - **The goal is to see how admins manage the systems and what sensitive internal info can be obtained from them**

#### Footprinting Principles

| No | Principle |
| --- | --- |
| 1. | Consider all points of view |
| 2. | Distinguish between what we see and what we do not see |
| 3. | There are always ways to gain more info; understand the target |

This methodology is not a step-by-step guide but a guideline

## Domain Information

Navigate as a "customer" or "visitor" to their main website. Read through the texts keeping in mind what tech and structures are needed for these services

This part is the combination of the first and second principle discussed in [[Footprinting#Footprinting Principles| Footprinting Principles]]

Take a developer's view and look at the whole thing from their point of view, which allows us insights into the functionality

The first point of presence on the [[Internet]] may be the [[SSL|SSL Cert]] of the company's main website; most likely the certificate is used for several domains and most of them are likely still active

Another source to find subdomains is [crt.sh](https://crt.sh/)

[Shodan](https://www.shodan.io/) can be used to find devices and systems permanently connected to the [[Internet]]. Using [Shodan](https://www.shodan.io/) we can find devices and systems such as surveillance cameras, servers, traffic lights and various network components

## Cloud Resources

Most companies have a presence in the cloud now

The configuration made by the company's administrators could make the cloud resources vulnerable

Some cloud services that could be accessed if configured incorrectly are:
- S3 buckets ([[AWS]])
- blobs ([[Azure]])
- cloud storage ([[GCP]])

During an [[IP|IP lookup]] we might see that one IP belongs to [[AWS]], like `s3-website-us-west-2.amazonaws.com`

You can also find cloud storage using [[Google Dorks]] like **inurl:** or **intext:**
`intext:companyname inurl:amazonaws.com`

We can use [domain.glass](https://domain.glass) to tell us about the company's infrastructure, which might also show [[Cloudflare|Cloudflare's]] security assessment.
This can be noted for the [[Footprinting#Layers|second layer (gateway)]]

Another useful one is [GrayHatWarfare](https://buckets.grayhatwarfare.com), which can show [[AWS]], [[Azure]] or [[GCP]] cloud storage.

Also try the abbreviations of the company name

## Staff

Finding employees on social media can reveal a lot about the team's infrastructure

This can lead us to identifying their technology, programming language and software application choices

You can find the organisation's employees on sites like [[LinkedIn]] or [[Xing]]

Job postings could also tell us about the company's infrastructure

## FTP

[[FTP]] runs on the application layer of the [[TCP]]/[[IP]] protocol stack.

Client and server establish the control channel on [[TCP]] port 21
The data channel is on [[TCP]] port 20

There are *active* and *passive* [[FTP]]
- active
    - The client establishes the connection on [[TCP]] port 21 and informs the server which client-side port the server can use to transmit its response.
    - If a [[Firewall]] protects the client, the server will not be able to reply because outside-in connections are blocked
- passive
    - The server announces the port on which the client can establish the data channel
    - Since the client initiates the connection, the [[Firewall]] does not block the transfer

[[FTP]] knows different commands and status codes. A list of all possible status codes can be found [here](https://en.wikipedia.org/wiki/List_of_FTP_server_return_codes)

### [[TFTP]]

Does not provide user authentication and uses [[UDP]]

Operates exclusively in directories with files shared for all users. They can be written and read globally.
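A worked example of the active/passive data-channel negotiation from the FTP section above, added here and not part of the original note; the addresses are constructed, and the NAT fallback in `passive_endpoint` mirrors what common clients do (curl's `--ftp-skip-pasv-ip` behaviour):

```python
"""Added example (not from the original note): decoding the FTP data-channel
negotiation. Passive mode: the server's 227 reply carries h1,h2,h3,h4,p1,p2
and the client connects out. Active mode: the client sends the same tuple in
a PORT command and the server connects back from port 20. In both cases
port = p1 * 256 + p2. Sample addresses are constructed."""
import ipaddress
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (host, port)."""
    if not line.startswith("227"):
        raise ValueError(f"not a PASV reply: {line!r}")
    m = PASV_RE.search(line)
    if m is None:
        raise ValueError(f"no address tuple in PASV reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {line!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(host: str, port: int) -> str:
    """Encode the client's listening endpoint as an active-mode PORT command."""
    addr = ipaddress.ip_address(host)          # raises ValueError on junk input
    if addr.version != 4 or not 0 < port < 65536:
        raise ValueError(f"PORT needs an IPv4 address and a 1-65535 port, got {host}:{port}")
    return f"PORT {','.join(host.split('.'))},{port // 256},{port % 256}"


def passive_endpoint(reply: str, control_peer: str) -> tuple[str, int]:
    """Pick the address to connect to for the data channel.

    A server behind NAT often advertises its private (RFC 1918) address in the
    227 reply while the control connection came from a public one. Like common
    clients (curl's --ftp-skip-pasv-ip), fall back to the control peer's
    address in that case; the port is always taken from the reply."""
    host, port = parse_pasv_reply(reply)
    advertised, peer = ipaddress.ip_address(host), ipaddress.ip_address(control_peer)
    advertised_private = any(advertised in n for n in RFC1918)
    peer_private = any(peer in n for n in RFC1918)
    if advertised != peer and advertised_private and not peer_private:
        return control_peer, port
    return host, port


if __name__ == "__main__":
    print(parse_pasv_reply("227 Entering Passive Mode (10,129,14,136,195,80)."))  # ('10.129.14.136', 50000)
    print(build_port_command("10.10.14.5", 49152))                                 # PORT 10,10,14,5,192,0
    print(passive_endpoint("227 Entering Passive Mode (192,168,1,10,4,1).", "203.0.113.7"))  # ('203.0.113.7', 1025)
```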
Let us take a look at a few commands of `TFTP`:

| **Commands** | **Description** |
| --- | --- |
| `connect` | Sets the remote host, and optionally the port, for file transfers. |
| `get` | Transfers a file or set of files from the remote host to the local host. |
| `put` | Transfers a file or set of files from the local host onto the remote host. |
| `quit` | Exits tftp. |
| `status` | Shows the current status of tftp, including the current transfer mode (ascii or binary), connection status, time-out value, and so on. |
| `verbose` | Turns verbose mode, which displays additional information during file transfer, on or off. |

### Default Configuration

The most used [[FTP]] server on [[Linux]]-based distros is [[vsFTPd]]

The default config for [[vsFTPd]] can be found in `/etc/vsftpd.conf`

Try installing a [[vsFTPd]] server on a VM and look at its configuration

`/etc/ftpusers` is used to deny certain users access to the [[FTP]] service

There are many settings on an [[FTP]] server, such as allowing **anonymous** users

As soon as you connect to [[vsFTPd]], you get response code **220** and the banner of the [[FTP]] server

To log in as the **anonymous** user, type `anonymous` as the name upon connection to the server

[[fail2ban]] is now a standard implementation on any infra that logs IPs, so brute-forcing might not be a good idea

```bash
# To download all available files
wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136

# Connecting to the service
ftp 10.129.14.136
nc -nv 10.129.14.136 21 # netcat
telnet 10.129.14.136 21 # telnet
openssl s_client -connect 10.129.14.136:21 -starttls ftp # openssl (if the server runs [[TLS]]/[[SSL]] encryption)
```

#### vsFTPd Config File

| **Setting** | **Description** |
| --- | --- |
| `listen=NO` | Run from inetd or as a standalone daemon? |
| `listen_ipv6=YES` | Listen on IPv6? |
| `local_enable=YES` | Allow local users to login? |
| `dirmessage_enable=YES` | Display active directory messages when users go into certain directories? |
| `use_localtime=YES` | Use local time? |
| `xferlog_enable=YES` | Activate logging of uploads/downloads? |
| `connect_from_port_20=YES` | Connect from port 20? |
| `secure_chroot_dir=/var/run/vsftpd/empty` | Name of an empty directory |
| `pam_service_name=vsftpd` | This string is the name of the PAM service vsftpd will use. |
| `rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem` | The last three options specify the location of the RSA certificate to use for SSL encrypted connections. |
| `rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key` | |
| `ssl_enable=NO` | |
| `anonymous_enable=NO` | Enable Anonymous access? |
| `anon_upload_enable=YES` | Allow anonymous users to upload files? |
| `anon_mkdir_write_enable=YES` | Allow anonymous users to create new directories? |
| `no_anon_password=YES` | Do not ask anonymous users for a password? |
| `anon_root=/home/username/ftp` | Directory for anonymous users. |
| `write_enable=YES` | Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE? |
| `chown_uploads=YES` | Change ownership of anonymously uploaded files? |
| `chown_username=username` | User who is given ownership of anonymously uploaded files. |
| `chroot_local_user=YES` | Place local users into their home directory? |
| `chroot_list_enable=YES` | Use a list of local users that will be placed in their home directory? |
| `hide_ids=YES` | All user and group information in directory listings will be displayed as "ftp". |
| `ls_recurse_enable=YES` | Allows the use of recursive listings. |

### Footprinting the Service

[[Nmap#Nmap Scripting Engine|NSE]] has many different scripts for specific services

```bash
# updating [[Nmap#Nmap Scripting Engine|NSE]] scripts
sudo nmap --script-updatedb
```

`--script-trace` allows tracing the progress of [[Nmap#Nmap Scripting Engine|NSE]] scripts at the network level

#### Useful NSE Scripts

| Script | Function |
| --- | --- |
| ftp-anon | Checks whether the [[FTP]] server allows anonymous access |
| ftp-syst | Executes the **STAT** command |

## SMB

Regulates access to files, entire directories and other network resources such as printers, routers or interfaces released to the network.

[[SMB]] enables the client to communicate with other participants to access files or services

[[SMB]] typically uses [[TCP]]

[[SMB]] can provide arbitrary parts of its local file system as shares

Access rights are defined by ACLs, which have **execute**, **read** and **full access**

### Samba

An alternative implementation of [[SMB]] for [[UNIX]]-based [[Operating System|OS]]

[[Samba]] implements the [[CIFS]] network protocol, which is a dialect of [[SMB]], allowing it to also communicate with newer [[Windows]] systems

When using Samba to transmit commands to older NetBIOS, the connection is on [[TCP]] ports 137, 138, 139

[[CIFS]] operates on [[TCP]] port 445

| **SMB Version** | **Supported** | **Features** |
| --- | --- | --- |
| CIFS | Windows NT 4.0 | Communication via NetBIOS interface |
| SMB 1.0 | Windows 2000 | Direct connection via TCP |
| SMB 2.0 | Windows Vista, Windows Server 2008 | Performance upgrades, improved message signing, caching feature |
| SMB 2.1 | Windows 7, Windows Server 2008 R2 | Locking mechanisms |
| SMB 3.0 | Windows 8, Windows Server 2012 | Multichannel connections, end-to-end encryption, remote storage access |
| SMB 3.0.2 | Windows 8.1, Windows Server 2012 R2 | |
| SMB 3.1.1 | Windows 10, Windows Server 2016 | Integrity checking, AES-128 encryption |

With version 3, Samba can be a full member of an [[Active Directory]] domain.
With version 4, Samba provides an [[Active Directory]] domain controller.

[[Samba]] is suitable for [[Linux]] and [[Windows]]; each host participates in the same *workgroup*
- Workgroup
    - A name that identifies a collection of computers and their resources on an [[SMB]] network.
    - A network can contain multiple workgroups at any time

[[NetBIOS]] provides an API for networking computers: a blueprint for an application to connect and share data with other computers

When a machine is online, it needs a name and is given either its reserved hostname or a name via NBNS

NBNS later evolved into WINS

```bash
# Connecting to a share on the Samba server
smbclient //10.129.15.128/sharename

# Display all the server's shares
smbclient -L //10.129.15.128

# Display all the server's shares that allow anonymous access
smbclient -N -L //10.129.15.128

# Execute local system commands from inside smbclient
!commandname
!cat flag.txt # example

# Check who is connected, from which host, and to which share
smbstatus
```

With domain-level security the [[Samba]] server is a member of a [[Windows]] domain. Each [[Active Directory|domain]] has a [[Active Directory|domain controller]].
Usually this is a [[Windows|Windows NT server]] providing password authentication

Each domain controller keeps track of users and passwords in its own [[NTDS.dit]] & [[SAM]]

#### Samba Configuration Settings

| **Setting** | **Description** |
| --- | --- |
| `[sharename]` | The name of the network share. |
| `workgroup = WORKGROUP/DOMAIN` | Workgroup that will appear when clients query. |
| `path = /path/here/` | The directory to which the user is to be given access. |
| `server string = STRING` | The string that will show up when a connection is initiated. |
| `unix password sync = yes` | Synchronize the UNIX password with the SMB password? |
| `usershare allow guests = yes` | Allow non-authenticated users to access defined shares? |
| `map to guest = bad user` | What to do when a user login request doesn't match a valid UNIX user? |
| `browseable = yes` | Should this share be shown in the list of available shares? |
| `guest ok = yes` | Allow connecting to the service without using a password? |
| `read only = yes` | Allow users to read files only? |
| `create mask = 0700` | What permissions must be assigned to the newly created files? |
| `writable = yes` | Allow users to create and modify files? |
| `enable privileges = yes` | Honor privileges assigned to specific SIDs? |
| `directory mask = 0777` | What permissions must be assigned to the newly created directories? |
| `logon script = script.sh` | What script needs to be executed on the user's login? |
| `magic script = script.sh` | Which script should be executed when the script gets closed? |
| `magic output = script.out` | Where should the output of the magic script be stored? |

#### RPCclient

A tool to perform [[RPC|MS-RPC]] functions

The command below shows how to connect to a server using rpcclient; make the string empty for an anonymous user
`rpcclient -U "user" 10.128.23.234`

Allowing anonymous users might lead to the discovery of other users

Once you know the group's **RID**, we can use it to retrieve information about the entire group

You could brute-force user **RID**s or use [samrdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/samrdump.py)
`for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done`

##### RPCclient Functions

| **Query** | **Description** |
| --- | --- |
| `srvinfo` | Server information. |
| `enumdomains` | Enumerate all domains that are deployed in the network. |
| `querydominfo` | Provides domain, server, and user information of deployed domains. |
| `netshareenumall` | Enumerates all available shares. |
| `netsharegetinfo <share>` | Provides information about a specific share. |
| `enumdomusers` | Enumerates all domain users. |
| `queryuser <RID>` | Provides information about a specific user. |
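Going back to the vsFTPd and Samba configuration tables above, the auditor below (added here, not from the original note or either project) flags the settings that open each service to anonymous or guest users; the sample config files are constructed, and unset vsftpd keys are treated according to the upstream vsftpd.conf(5) defaults:

```python
"""Added example (not from the original note): an auditor for the two config
files covered above, /etc/vsftpd.conf and smb.conf. It flags the settings from
the tables that open a service to anonymous or guest users. Unset vsftpd keys
take the upstream vsftpd.conf(5) defaults (anonymous_enable defaults to YES,
which is why distro files set it explicitly); samples are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str     # "global" for vsftpd, the [section] name for smb.conf
    key: str
    value: str
    reason: str


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse 'key=value' (vsftpd) or 'key = value' (smb.conf) into {section: {key: value}}.
    Lines before any [section] go under 'global'; lines starting with '#' or ';' are
    comments in both formats. Keys and values are lower-cased so YES/yes compare equal."""
    sections: dict[str, dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue                          # tolerate junk rather than abort an audit
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][re.sub(r"\s+", " ", key.lower())] = value.lower()
    return sections


def audit_vsftpd(text: str) -> list[Finding]:
    cfg = parse_conf(text)["global"]
    out: list[Finding] = []
    if cfg.get("anonymous_enable", "yes") == "yes":       # upstream default is YES
        out.append(Finding("global", "anonymous_enable", "yes", "anonymous FTP login allowed"))
        for key, why in (("anon_upload_enable", "anonymous users may upload files"),
                         ("anon_mkdir_write_enable", "anonymous users may create directories"),
                         ("no_anon_password", "anonymous login skips the password prompt")):
            if cfg.get(key, "no") == "yes":
                out.append(Finding("global", key, "yes", why))
    if cfg.get("chroot_local_user", "no") != "yes":
        out.append(Finding("global", "chroot_local_user", cfg.get("chroot_local_user", "<unset>"),
                           "local users can leave their home directory"))
    return out


def audit_smb(text: str) -> list[Finding]:
    cfg = parse_conf(text)
    g = cfg.get("global", {})
    out: list[Finding] = []
    if g.get("map to guest", "never") == "bad user":
        out.append(Finding("global", "map to guest", "bad user", "unknown usernames silently become the guest account"))
    if g.get("usershare allow guests", "no") == "yes":
        out.append(Finding("global", "usershare allow guests", "yes", "guests may use user-defined shares"))
    for name, share in cfg.items():
        if name == "global":
            continue
        guest = share.get("guest ok", "no") == "yes"
        writable = (share.get("writable", share.get("writeable", "no")) == "yes"
                    or share.get("read only", "yes") == "no")
        if guest and writable:
            out.append(Finding(name, "guest ok + writable", "yes", "guest-writable share: anyone can drop files"))
        elif guest:
            out.append(Finding(name, "guest ok", "yes", "share readable without a password"))
    return out


# Constructed samples, not copied from any real host.
VSFTPD_SAMPLE = """\
# vsftpd.conf sample
listen=NO
listen_ipv6=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
chroot_local_user=YES
"""

SMB_SAMPLE = """\
[global]
   workgroup = WORKGROUP
   map to guest = bad user
   usershare allow guests = yes
[dev]
   path = /srv/dev
   guest ok = yes
   writable = yes
[private]
   path = /srv/private
   guest ok = no
   read only = yes
"""

if __name__ == "__main__":
    for f in audit_vsftpd(VSFTPD_SAMPLE) + audit_smb(SMB_SAMPLE):
        print(f"[{f.section}] {f.key} = {f.value}: {f.reason}")
```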
All the information above can also be obtained using [SMBMap](https://github.com/ShawnDEvans/smbmap), [enum4linux-ng](https://github.com/cddmp/enum4linux-ng) and [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)

## NFS

[[NFS]] has the same purpose as [[SMB]], but it is a completely different protocol

Used to access file systems over a network

Only used between [[Linux]] and [[UNIX]] systems

[[NFS]] clients cannot communicate directly with [[SMB]] servers

| **Version** | **Features** |
| --- | --- |
| `NFSv2` | It is older but is supported by many systems and was initially operated entirely over [[UDP]]. |
| `NFSv3` | It has more features, including variable file size and better error reporting, but is not fully compatible with NFSv2 clients. |
| `NFSv4` | It includes Kerberos, works through firewalls and on the Internet, no longer requires portmappers, supports ACL, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol. |

[[NFS]] version 4.1 provides support to leverage cluster server deployments, a session trunking mechanism ([[NFS]] multipathing), and uses only one [[UDP]] and [[TCP]] port, 2049, to run the service

The [[NFS]] protocol does not have authentication and authorization of its own; instead it relies on the [[RPC]] protocol's options

The most common authentication is [[UNIX]] **UID**/**GID** and **group membership**

The client and server do not necessarily have the same mapping of **UID**/**GID** to users and groups.
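The UID/GID mapping point above, as an added example (not from the original note): how the server's squashing options turn the client's claimed identity into the one it checks permissions with. Beyond the `root_squash`/`no_root_squash` options in the note, it also models `all_squash`, `anonuid` and `anongid`, which are standard exports(5) options; the export line is constructed.

```python
"""Added example (not from the original note): how an NFS server under the
UID/GID-based (AUTH_SYS) authentication described above decides which identity
a request runs as, and why the client-chosen UID matters. Besides root_squash
and no_root_squash, it models all_squash, anonuid and anongid, which are
standard exports(5) options; the sample export line is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int


NOBODY = Identity(65534, 65534)   # Linux's default anonymous uid/gid


def parse_export_options(opts: str) -> dict[str, str]:
    """'rw,sync,no_root_squash,anonuid=1000' -> {'rw': '', ..., 'anonuid': '1000'}"""
    result: dict[str, str] = {}
    for item in filter(None, (s.strip() for s in opts.split(","))):
        key, _, value = item.partition("=")
        result[key] = value
    return result


def parse_exports_line(line: str) -> tuple[str, list[tuple[str, dict[str, str]]]]:
    """'/srv/share 10.129.0.0/16(rw,sync) *(ro)' -> (path, [(client, options), ...]).
    A client without '(...)' gets the exports(5) defaults, i.e. ro and root_squash."""
    path, *clients = line.split()
    parsed = []
    for client in clients:
        host, _, rest = client.partition("(")
        parsed.append((host, parse_export_options(rest.rstrip(")"))))
    return path, parsed


def effective_identity(client: Identity, opts: dict[str, str]) -> Identity:
    """Apply squashing: all_squash maps everyone to the anonymous identity,
    no_root_squash keeps uid/gid 0, and the default root_squash maps only
    uid 0 and gid 0 (each independently) to anonuid/anongid."""
    anon = Identity(int(opts.get("anonuid", NOBODY.uid)), int(opts.get("anongid", NOBODY.gid)))
    if "all_squash" in opts:
        return anon
    if "no_root_squash" in opts:
        return client
    return Identity(anon.uid if client.uid == 0 else client.uid,
                    anon.gid if client.gid == 0 else client.gid)


def may_read(ident: Identity, owner_uid: int, owner_gid: int, mode: int) -> bool:
    """Minimal POSIX read check as the server applies it to the effective identity.
    With AUTH_SYS the client simply asserts its uid/gid, so on an untrusted
    network any caller can claim owner_uid and pass this check."""
    if ident.uid == 0:
        return True
    if ident.uid == owner_uid:
        return bool(mode & 0o400)
    if ident.gid == owner_gid:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


if __name__ == "__main__":
    path, clients = parse_exports_line("/srv/share 10.129.0.0/16(rw,sync,no_root_squash) *(ro)")
    for host, opts in clients:
        root_as = effective_identity(Identity(0, 0), opts)
        print(f"{path} {host}: client root acts as uid={root_as.uid} gid={root_as.gid}")
```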
[[NFS]] should only be used with this authentication method in trusted networks

### Default Configuration

[[NFS]] does not have as many options as [[FTP]] and [[SMB]]

`/etc/exports` contains a table of physical filesystems on the [[NFS]] server accessible by clients.

The **NFS Export Table** shows which options it accepts and thus indicates which options are available to us

| **Option** | **Description** |
| --- | --- |
| `rw` | Read and write permissions. |
| `ro` | Read only permissions. |
| `sync` | Synchronous data transfer. (A bit slower) |
| `async` | Asynchronous data transfer. (A bit faster) |
| `secure` | Ports above 1024 will not be used. |
| `insecure` | Ports above 1024 will be used. |
| `no_subtree_check` | This option disables the checking of subdirectory trees. |
| `root_squash` | Assigns all permissions to files of root UID/GID 0 to the UID/GID of anonymous, which prevents `root` from accessing files on an NFS mount. |
| `nohide` | If another file system was mounted below an exported directory, this directory is exported by its own exports entry. |
| `no_root_squash` | All files created by root are kept with the UID/GID 0. |

```ad-info
Ports above 1024 are not secure because only root can use the first 1024 ports
```

The [[Nmap#Nmap Scripting Engine|NSE]] script named **rpcinfo** retrieves all running [[RPC]] services, their name and description and the port they use

You can also run all scripts for [[NFS]] as below
`sudo nmap --script "nfs*" 10.122.234.23 -sV -p111,2049`

```bash
# showing all available [[NFS]] shares
showmount -e 10.129.23.43

# mounting an [[NFS]] share
sudo mount -t nfs 10.129.14.128:/ ./dir-in-local-system/ -o nolock
```

## DNS

Allows you to go to youtube.com instead of 172.217.14.238

There are several types of [[DNS]] server that are used worldwide
- [[DNS]] root server
    - Operates at the top of the [[DNS]] hierarchy, responding to queries by directing them to TLD servers based on domain extensions like .com or .org; there are 13 logical root server clusters worldwide.
- Authoritative name server
    - Holds the definitive [[DNS]] records (e.g., A, MX) for specific domains or zones, providing final answers to resolvers without caching external data; includes primary (read/write) and secondary (read-only backup) variants
- Non-authoritative name server
    - Refers to recursive resolvers or caching servers that provide answers from their cache or by querying others, but lack ultimate authority over any zone; they do not store final records
- Caching server
    - Stores recent [[DNS]] query results locally to speed up repeated lookups, reducing upstream traffic; acts as a recursive resolver but emphasizes temporary data retention over authority
- Forwarding server
    - Delegates all queries to designated upstream [[DNS]] servers (e.g., [[ISP]] or public resolvers) instead of resolving recursively itself, simplifying local management and improving privacy
- Resolver
    - Typically a recursive resolver on client devices or stubs that initiates queries, traversing root → TLD → authoritative servers until obtaining the IP address, then caches for efficiency

For security there are now solutions for [[DNS]] encryption such as *DNS over TLS* or *DNS over HTTPS*; there is also the network protocol **DNSCrypt**, which encrypts traffic between the computer and the name server

[[DNS]] stores additional information about services associated with a domain. Because of this we can know which specific server is the e-mail server

| **DNS Record** | **Description** |
| --- | --- |
| `A` | Returns an IPv4 address of the requested domain as a result. |
| `AAAA` | Returns an IPv6 address of the requested domain. |
| `MX` | Returns the responsible mail servers as a result. |
| `NS` | Returns the DNS servers (nameservers) of the domain. |
| `TXT` | This record can contain various information. The all-rounder can be used, e.g., to validate the Google Search Console or validate SSL certificates. In addition, SPF and DMARC entries are set to validate mail traffic and protect it from spam. |
| `CNAME` | This record serves as an alias for another domain name. If you want the domain www.hackthebox.eu to point to the same IP as hackthebox.eu, you would create an A record for hackthebox.eu and a CNAME record for www.hackthebox.eu. |
| `PTR` | The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names. |
| `SOA` | Provides information about the corresponding DNS zone and email address of the administrative contact. |

### Default Configuration

All [[DNS]] servers work with three different types of configuration files:
1. local [[DNS]] configuration files
2. zone files
3. reverse name resolution files

[[Bind9]] is typically used on [[Linux]]-based distributions. Its local configuration file is divided into two sections:
- general settings
- zone entries for individual domains

The local configuration files are usually:
- `named.conf.local`
- `named.conf.options`
- `named.conf.log`

Global options affect all zones. Zone options affect their assigned zones
If an option is both global and zone-specific, the zone option takes precedence

We can define different zones in `named.conf.local`. Each zone will have its own configuration file

The zone file is a file that describes a [[DNS]] zone in the **BIND** file format.

A zone file needs exactly one SOA record and at least one NS record

### Dangerous Settings

We can find vulnerabilities targeting [[Bind9]] at [CVEdetails](https://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64) or SecurityTrails

Some settings, such as the ones below, can lead to vulnerabilities

| **Option** | **Description** |
| --- | --- |
| `allow-query` | Defines which hosts are allowed to send requests to the DNS server. |
| `allow-recursion` | Defines which hosts are allowed to send recursive requests to the DNS server. |
| `allow-transfer` | Defines which hosts are allowed to receive zone transfers from the DNS server. |
| `zone-statistics` | Collects statistical data of zones. |
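A checker for the zone-file rule stated above (exactly one SOA record, at least one NS record), added here and not part of the original note; it also implements the RFC 1982 serial comparison a secondary uses to decide whether the primary's copy of the zone is newer. The sample zone is constructed and SOA timers are assumed to be plain integers.

```python
"""Added example (not from the original note): a checker for zone files in the
BIND format described above. It enforces the note's rule (exactly one SOA
record, at least one NS record), splits the SOA into its fields, and compares
serials the way a secondary does when it polls the primary's SOA (RFC 1982
arithmetic). Assumes plain-integer SOA timers; the sample zone is constructed."""
from dataclasses import dataclass

TYPES = {"SOA", "NS", "A", "AAAA", "MX", "TXT", "CNAME", "PTR"}


@dataclass
class SOA:
    mname: str      # primary name server
    rname: str      # admin mailbox, with '.' in place of '@'
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def _logical_lines(text: str):
    """Yield records with ';' comments removed and '( ... )' continuations joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def check_zone(text: str) -> tuple[SOA, int]:
    """Return (soa, ns_count) or raise ValueError when the SOA/NS rule is broken.
    Owner names equal to a record type (e.g. a host literally named 'a') are not handled."""
    soas, ns_count = [], 0
    for line in _logical_lines(text):
        if line.lstrip().startswith("$"):          # $ORIGIN / $TTL directives
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.upper() in TYPES), None)
        if idx is None:
            continue
        rtype, rdata = tokens[idx].upper(), tokens[idx + 1:]
        if rtype == "NS":
            ns_count += 1
        elif rtype == "SOA":
            if len(rdata) != 7:
                raise ValueError(f"malformed SOA rdata: {rdata}")
            soas.append(SOA(rdata[0], rdata[1], *(int(v) for v in rdata[2:])))
    if len(soas) != 1:
        raise ValueError(f"zone needs exactly one SOA record, found {len(soas)}")
    if ns_count == 0:
        raise ValueError("zone needs at least one NS record")
    return soas[0], ns_count


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982: True if a secondary holding `current` should transfer the zone after
    seeing `candidate` in the primary's SOA. Handles the 32-bit wraparound."""
    diff = (candidate - current) % 2**32
    return 0 < diff < 2**31


# Constructed sample zone (the domain name is the one used in the note's commands).
ZONE = """\
$ORIGIN inlanefreight.htb.
$TTL 86400
@       IN  SOA ns1.inlanefreight.htb. admin.inlanefreight.htb. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; minimum
        IN  NS  ns1.inlanefreight.htb.
        IN  NS  ns2.inlanefreight.htb.
ns1     IN  A   10.129.14.128
@       IN  MX  10 mail.inlanefreight.htb.
"""

if __name__ == "__main__":
    soa, n = check_zone(ZONE)
    print(soa.serial, n)                                   # 2024010101 2
    print(serial_is_newer(2024010102, soa.serial))         # True
```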
### Footprinting

We can use [[dig]] to gain information on the [[DNS]]

```bash
# ask 124.23.43.12 which name servers (NS records) serve domain.com
dig ns domain.com @124.23.43.12

# query 123.456.78.90 for the TXT record of version.bind in the CHAOS class
# (`version.bind` is a special name that many DNS servers answer with their version string)
dig CH TXT version.bind @123.456.78.90

# show all entries that 123.456.78.90 is willing to share with us about domain.com
dig any domain.com @123.456.78.90

# request a full AXFR zone transfer and show everything it returns
dig axfr domain.com @123.456.78.90
```

Zone transfer refers to the transfer of zones to another server in [[DNS]] and happens over [[TCP]] port 53
This process is typically called AXFR

The zone file is usually the same on a lot of name servers. Synchronisation between servers is realised by zone transfer using the **rndc-key** that can be found in the configuration file

```ad-note
Zone transfer involves the mere transfer of files or records and the detection of discrepancies in the data sets of the servers involved
```

The [[DNS]] server that is the direct source for synchronising a zone file is called the master, and the ones that obtain the zone data from the master are called slaves

The slave fetches the SOA record from the master at a certain refresh interval and compares its serial number. If the master's serial number is bigger, the slave's copy no longer matches

We can use [DNSenum](https://github.com/fwaeytens/dnsenum) to gain information on the [[DNS]]

```bash
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
```

## SMTP

Protocol for sending email in an [[IP]] network.

[[SMTP]] is usually combined with the [[IMAP]] or [[POP3]] protocols

[[SMTP]] servers accept connection requests on port 25 and [[TCP]] port 587

[[TCP]] port 587 is used to receive mail from authenticated users/servers using the **STARTTLS** command to switch from a plaintext to an encrypted connection

The client authenticates using username and password at the beginning of the connection; only then can it transmit email

The client gives the server the message's sender and recipient addresses, the email content and other data. Once it is transmitted, the connection is terminated

[[SMTP]] usually sends data unencrypted over port 25, and uses [[TCP]] port 465 for data with [[SSL]]/[[TLS]] encryption

A big function of the [[SMTP]] server is preventing spam by allowing only authorised users to send e-mails

### SMTP in Action

When a user sends an email, the email gets turned into a header and a body by the [[SMTP]] client, which is also known as the MUA. It is then uploaded to the [[SMTP]] server.

The software basis for sending and receiving emails is called the MTA. The MTA is responsible for receiving the email, checking its size and whether it is spam, then storing it

Sometimes the MUA will first send the email to an MSA, which checks it for validity and then forwards it to the MTA. The MSA is also called the **relay server**

Once the email has been received and filtered by the MTA, the MDA stores it in the recipient's mailbox

| Client (`MUA`) | `➞` | Submission Agent (`MSA`) | `➞` | Open Relay (`MTA`) | `➞` | Mail Delivery Agent (`MDA`) | `➞` | Mailbox (`POP3`/`IMAP`) |
| -------------- | --- | ------------------------ | --- | ------------------ | --- | --------------------------- | --- | ----------------------- |

[[SMTP]] has two disadvantages inherent to the network protocol
1. Sending email using [[SMTP]] does not return a delivery confirmation
2. Users are not authenticated when the connection is established, making the sender given in the email unreliable

Both of these weaknesses allow it to be exploited and will not be covered here

### Default Configuration

The [[SMTP]] server is only responsible for sending and forwarding emails, which makes it configurable in many ways

Sending and communication are done by special commands allowing the [[SMTP]] server to do what the user requires

| **Command**  | **Description**                                                                                  |
| ------------ | ------------------------------------------------------------------------------------------------ |
| `AUTH PLAIN` | AUTH is a service extension used to authenticate the client.                                     |
| `HELO`       | The client logs in with its computer name and thus starts the session.                           |
| `MAIL FROM`  | The client names the email sender.                                                               |
| `RCPT TO`    | The client names the email recipient.                                                            |
| `DATA`       | The client initiates the transmission of the email.                                              |
| `RSET`       | The client aborts the initiated transmission but keeps the connection between client and server. |
| `VRFY`       | The client checks if a mailbox is available for message transfer.                                |
| `EXPN`       | The client also checks if a mailbox is available for messaging with this command.                |
| `NOOP`       | The client requests a response from the server to prevent disconnection due to time-out.         |
| `QUIT`       | The client terminates the session.                                                               |

To interact with the [[SMTP]] server, we can use the `telnet` tool to initialize a TCP connection with the [[SMTP]] server. The actual initialization of the session is done with the commands mentioned above, `HELO` or `EHLO`.

The command `VRFY` can enumerate existing users on the system. However, an [[SMTP]] server may issue *code 252* and confirm the existence of a user that does not even exist on the system.
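As an added example (not from the original note), this Python parses a constructed SMTP transcript: it folds the multi-line `EHLO` reply into one capability list and interprets the `VRFY` reply codes described above, so a defender can see at a glance whether a server offers `STARTTLS` and whether `VRFY` gives away user names. The host and user names in the transcript are placeholders.

```python
import re

# Constructed transcript (not a real capture): "C:" lines are the client's
# commands, "S:" lines are the server's reply lines as sent on port 25/587.
SESSION = [
    "S: 220 mail.example.test ESMTP Postfix",
    "C: EHLO client.example.test",
    "S: 250-mail.example.test",
    "S: 250-PIPELINING",
    "S: 250-SIZE 10240000",
    "S: 250-VRFY",
    "S: 250-STARTTLS",
    "S: 250 8BITMIME",
    "C: VRFY bob",
    "S: 252 2.0.0 bob",
    "C: QUIT",
    "S: 221 2.0.0 Bye",
]

# Reply line grammar: three-digit code, then "-" on every line of a multi-line
# reply except the last, which uses a space (RFC 5321, section 4.2).
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_session(lines):
    """Pair each server reply with the client command that triggered it.

    Returns a list of (command, code, texts); command is None for the greeting.
    Continuation lines ("250-...") are folded into one reply.
    """
    exchanges, command, current = [], None, None
    for line in lines:
        who, _, payload = line.partition(": ")
        if who == "C":
            command = payload
            continue
        m = REPLY_RE.match(payload)
        if who != "S" or not m:
            raise ValueError(f"malformed transcript line: {line!r}")
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if current is None:
            current = [code, []]
        elif current[0] != code:
            raise ValueError("reply code changed inside a multi-line reply")
        current[1].append(text)
        if sep == " ":                       # final line of this reply
            exchanges.append((command, current[0], current[1]))
            command, current = None, None
    if current is not None:
        raise ValueError("transcript ended inside a multi-line reply")
    return exchanges


def ehlo_extensions(exchanges):
    """Extension keywords advertised in the EHLO reply (first line is the host name)."""
    for command, code, texts in exchanges:
        if command and command.upper().startswith("EHLO") and code == 250:
            return {t.split()[0].upper() for t in texts[1:]}
    return set()


def classify_vrfy(code):
    """What a VRFY reply code tells the client about the queried mailbox."""
    if code in (250, 251):
        return "confirmed: server leaks valid user names"
    if code in (550, 551, 553):
        return "rejected: server leaks which names are invalid"
    if code == 252:
        return "cannot verify: existence neither confirmed nor denied"
    if code in (500, 502):
        return "VRFY disabled"
    return f"unexpected reply code {code}"


def audit_session(lines):
    """Summarise STARTTLS support and VRFY behaviour from a captured session."""
    exchanges = parse_session(lines)
    ext = ehlo_extensions(exchanges)
    verdicts = [classify_vrfy(code) for cmd, code, _ in exchanges
                if cmd and cmd.upper().startswith("VRFY")]
    return {
        "starttls": "STARTTLS" in ext,
        "vrfy_advertised": "VRFY" in ext,
        "vrfy_verdicts": verdicts,
    }


if __name__ == "__main__":
    print(audit_session(SESSION))
```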
The mail header carries interesting information; it also provides info on the sender and recipient among other things

To not get filtered as spam, users can use a relay server that the recipient trusts.

Allowing an open relay [[SMTP]] server is common and allows any device on the internet to send emails through it
`mynetworks = 0.0.0.0/0`

To avoid this you can limit email sending to the local networks of the server or use an authenticated relay.

We can use `smtp-open-relay` with [[Nmap#Nmap Scripting Engine|NSE]] to check if the [[SMTP]] server has an open relay

## IMAP/POP3

[[IMAP]] allows online management of email directly on the server and supports folder structures

[[POP3]] provides listing, retrieving and deleting of email on the email server

| Feature                       | POP3                                                        | IMAP                                            |
| ----------------------------- | ----------------------------------------------------------- | ----------------------------------------------- |
| Storage Location              | Downloads to local device; server copies deleted by default | Keeps originals on server; syncs across devices |
| Multi-Device Access           | Single device only                                          | Multiple devices simultaneously                 |
| Email Organization            | No server-side folders or changes                           | Supports folders, search, and edits on server   |
| Offline Access                | Full emails available offline after download                | Partial caching; changes sync when online       |
| Speed                         | Faster due to full local download                           | Slower from server queries                      |
| Directionality                | Unidirectional (local changes not on server)                | Bidirectional (changes sync both ways)          |
| Unencrypted Port              | 110                                                         | 143                                             |
| Secure Port ([[SSL]]/[[TLS]]) | 995                                                         | 993                                             |

```bash
# Reading mail with user credentials using curl
curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd
# or, verbose
curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd -v

# Reading mail using OpenSSL
openssl s_client -connect 10.129.14.8:pop3s
# or
openssl s_client -connect 10.129.14.128:imaps
```

### Default Configuration

#### IMAP Commands

| **Command**                     | **Description**                                                                                              |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| `1 LOGIN username password`     | User's login.                                                                                                |
| `1 LIST "" *`                   | Lists all directories.                                                                                       |
| `1 CREATE "INBOX"`              | Creates a mailbox with a specified name.                                                                     |
| `1 DELETE "INBOX"`              | Deletes a mailbox.                                                                                           |
| `1 RENAME "ToRead" "Important"` | Renames a mailbox.                                                                                           |
| `1 LSUB "" *`                   | Returns a subset of names from the set of names that the user has declared as being `active` or `subscribed`. |
| `1 SELECT INBOX`                | Selects a mailbox so that messages in the mailbox can be accessed.                                           |
| `1 UNSELECT INBOX`              | Exits the selected mailbox.                                                                                  |
| `1 FETCH <ID> all`              | Retrieves data associated with a message in the mailbox.                                                     |
| `1 FETCH <ID> BODY[TEXT]`       | Retrieves the body of the email.                                                                             |
| `1 CLOSE`                       | Removes all messages with the `Deleted` flag set.                                                            |
| `1 LOGOUT`                      | Closes the connection with the IMAP server.                                                                  |

More commands [here](https://www.atmail.com/blog/imap-commands/)

#### POP3 Commands

| **Command**     | **Description**                                             |
| --------------- | ----------------------------------------------------------- |
| `USER username` | Identifies the user.                                        |
| `PASS password` | Authentication of the user using its password.              |
| `STAT`          | Requests the number of saved emails from the server.        |
| `LIST`          | Requests from the server the number and size of all emails. |
| `RETR id`       | Requests the server to deliver the requested email by ID.   |
| `DELE id`       | Requests the server to delete the requested email by ID.    |
| `CAPA`          | Requests the server to display the server capabilities.     |
| `RSET`          | Requests the server to reset the transmitted information.   |
| `QUIT`          | Closes the connection with the POP3 server.                 |

A misconfigured self-hosted email server could allow an attacker to read all emails sent and received. Some of the relevant settings are

| **Setting**               | **Description**                                                                           |
| ------------------------- | ----------------------------------------------------------------------------------------- |
| `auth_debug`              | Enables all authentication debug logging.                                                 |
| `auth_debug_passwords`    | This setting adjusts log verbosity; the submitted passwords and the scheme get logged.    |
| `auth_verbose`            | Logs unsuccessful authentication attempts and their reasons.                              |
| `auth_verbose_passwords`  | Passwords used for authentication are logged and can also be truncated.                   |
| `auth_anonymous_username` | This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. |

## SNMP

Used to monitor network devices, handle configuration tasks and change settings remotely

Protocol for monitoring and managing network devices

[[SNMP]]-enabled hardware includes routers, switches, servers, IoT devices and other devices that can be queried and controlled using this standard protocol

[[SNMP]] transmits control commands using agents over [[UDP]] port 161. These commands are used to set values and change options & settings

[[SNMP]] also enables **traps** over [[UDP]] port 162: packets sent from the [[SNMP]] server to the client without being explicitly requested. These **traps** are sent to the client once a specified event occurs on the server

A good overview of this can be found [here](https://www.youtube.com/watch?v=2IXP0TkwNJU)

```bash
# Query the OIDs with their information
snmpwalk -v2c -c public 10.129.14.128

# Brute-force the community string
onesixtyone -c /path/to/wordlist.txt 10.129.14.123

# Brute-force individual OIDs and enumerate the information behind them
braa <community string>@10.129.14.123:.1.3.6.*
```

### MIB

The MIB is used to ensure [[SNMP]] works across manufacturers with different client-server combinations

Independent format used for storing device information

A MIB is a text file in which all queryable [[SNMP]] objects are listed in a standardised tree hierarchy

Contains at least one OID (unique address & name, type of access rights, description of the object)

MIB files are written in ASN.1

The MIB explains where to find which information and what it looks like

### OID

Represents a node in a hierarchical namespace

The OID contains a sequence of numbers which identifies each node, allowing its position in the tree to be determined

### SNMPv1

Used for network management and monitoring

Supports retrieval of information from network devices, configuration of devices and **traps**

```ad-important
SNMPv1 does not have a built-in authentication mechanism
```

SNMPv1 also does not support encryption

Uses a **community string**, which works like a password and can be intercepted since there is no encryption

### SNMPv2c

Similar to SNMPv1 in terms of security

### SNMPv3

Provides authentication with username and password.
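Returning to the OID section above, here is an added example (not from the original note) in Python: it encodes a dotted OID such as `sysDescr.0` (`1.3.6.1.2.1.1.1.0`) into the ASN.1 BER bytes that actually travel inside an SNMP packet on UDP/161 and decodes them back, rejecting truncated or malformed input. This byte form is what a packet parser or IDS rule has to match; the OIDs used are standard MIB-2 nodes and constructed test values.

```python
def encode_length(n):
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    out = []
    while n:
        out.append(n & 0xFF)
        n >>= 8
    return bytes([0x80 | len(out)]) + bytes(reversed(out))


def encode_oid(dotted):
    """Encode a dotted OID such as '1.3.6.1.2.1.1.1.0' as a BER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    # ASN.1 rules: at least two arcs, first arc 0..2, second arc <= 39 unless first is 2.
    if (len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2
            or (arcs[0] < 2 and arcs[1] > 39)):
        raise ValueError(f"invalid OID: {dotted}")
    # The first two arcs are packed into one sub-identifier: 40 * X + Y.
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    content = bytearray()
    for sid in subids:
        # Base-128, big-endian; every byte except the last has the high bit set.
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        content.extend(reversed(chunk))
    return bytes([0x06]) + encode_length(len(content)) + bytes(content)


def decode_oid(data):
    """Decode a BER OBJECT IDENTIFIER TLV back to dotted form.

    Rejects anything that is not a complete, well-formed OID so that
    truncated or padded bytes from the wire are not silently accepted.
    """
    if len(data) < 2 or data[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER TLV")
    if data[1] & 0x80:                      # long-form length
        nlen = data[1] & 0x7F
        length = int.from_bytes(data[2:2 + nlen], "big")
        body = data[2 + nlen:]
    else:
        length, body = data[1], data[2:]
    if length == 0 or len(body) != length:
        raise ValueError("length does not match content")
    subids, value = [], 0
    for i, b in enumerate(body):
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this sub-identifier
            subids.append(value)
            value = 0
        elif i == len(body) - 1:
            raise ValueError("sub-identifier continues past end of content")
    first = subids[0]
    if first < 80:
        arcs = [first // 40, first % 40] + subids[1:]
    else:
        arcs = [2, first - 80] + subids[1:]
    return ".".join(str(a) for a in arcs)


if __name__ == "__main__":
    tlv = encode_oid("1.3.6.1.2.1.1.1.0")   # sysDescr.0, as walked by snmpwalk
    print(tlv.hex(), "->", decode_oid(tlv))
```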
Supports encryption of data

Needs more configuration compared to older versions

### Default Configuration

The default configuration is typically stored in `/etc/snmp/snmpd.conf`

Some dangerous settings that the administrator can make with SNMP are:

| **Settings**                                     | **Description**                                                                       |
| ------------------------------------------------ | ------------------------------------------------------------------------------------- |
| `rwuser noauth`                                  | Provides access to the full OID tree without authentication.                          |
| `rwcommunity <community string> <IPv4 address>`  | Provides access to the full OID tree regardless of where the requests were sent from. |
| `rwcommunity6 <community string> <IPv6 address>` | Same access as with `rwcommunity` with the difference of using IPv6.                  |

## MySQL

[[MySQL]] works based on the [client-server principle](https://www.geeksforgeeks.org/system-design/client-server-model/)

These databases are typically stored as a single file with the file extension `.sql`

The default port is [[TCP]] port 3306

[[MySQL]] runs by using [[SQL]] and is vulnerable to [[SQL Injection]]. The commands of [[SQL]] are covered [[SQL|here]]

[[MariaDB]] is a fork of [[MySQL]] made by the chief developer of [[MySQL]] when it was acquired by [[Oracle]]

```bash
# running all mysql related scripts from [[Nmap#Nmap Scripting Engine|NSE]]
sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

# logging in to mysql with username and password
mysql -u username -pSekurity -h 10.129.234.12
```

Some important databases for [[MySQL]] servers are the **system schema (sys)** and the **information schema (information_schema)**

Below are the standard commands we will use inside [[MySQL]]

| **Command**                                          | **Description**                                       |
| ---------------------------------------------------- | ----------------------------------------------------- |
| `show databases;`                                    | Show all databases.                                   |
| `use <database>;`                                    | Select one of the existing databases.                 |
| `show tables;`                                       | Show all available tables in the selected database.   |
| `show columns from <table>;`                         | Show all columns in the selected table.               |
| `select * from <table>;`                             | Show everything in the desired table.                 |
| `select * from <table> where <column> = "<string>";` | Search for the needed `string` in the desired table.  |

To learn more on this read [[SQL]]

### Dangerous Settings

Many things can be misconfigured with [[MySQL]]. We can look in more detail at the [MySQL reference](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html) to determine which options can be set in the server configuration. The main options that are security-relevant are:

| **Settings**       | **Description**                                                                                              |
| ------------------ | ------------------------------------------------------------------------------------------------------------ |
| `user`             | Sets which user the MySQL service will run as.                                                               |
| `password`         | Sets the password for the MySQL user.                                                                        |
| `admin_address`    | The IP address on which to listen for TCP/IP connections on the administrative network interface.            |
| `debug`            | This variable indicates the current debugging settings.                                                      |
| `sql_warnings`     | This variable controls whether single-row INSERT statements produce an information string if warnings occur. |
| `secure_file_priv` | This variable is used to limit the effect of data import and export operations.                              |

## MSSQL

[[Microsoft]]'s RDBMS, closed source and written to run on [[Windows]]

Used for applications that run on [[Microsoft]]'s [[.NET]] framework since it has strong native support for [[.NET]]

[[SQL Server Management Studio]] can be installed with [[MSSQL]] or installed separately

There are many other database clients that can access [[MSSQL]]

Most pentesters would use [[Impacket mssqlclient.py]] since it comes pre-installed on many distros

Below are the system databases of [[MSSQL]] that help us understand the structure of all databases

| Default System Database | Description                                                                                                                                                                                    |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `master`                | Tracks all system information for an SQL server instance                                                                                                                                       |
| `model`                 | Template database that acts as a structure for every new database created. Any setting changed in the model database will be reflected in any new database created after changes to the model database |
| `msdb`                  | The SQL Server Agent uses this database to schedule jobs & alerts                                                                                                                              |
| `tempdb`                | Stores temporary objects                                                                                                                                                                       |
| `resource`              | Read-only database containing system objects included with SQL server                                                                                                                          |

### Default Configuration

When an admin installs [[MSSQL]] to be network accessible, it will likely run as **NT SERVICE\MSSQLSERVER**

Connecting from the client side is possible through Windows Authentication; encryption is not enforced by default

**Windows Authentication** means the [[Operating System]] will process the login request and use the [[SAM]] database or the [[Active Directory|domain controller]]

```bash
# [[Nmap#Nmap Scripting Engine|NSE]] scan with scripts
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248

# [[MSSQL]] scan with [[Metasploit]]
msfconsole
use scanner/mssql/mssql_ping

# Connecting with mssqlclient.py
python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth
```

### Dangerous Settings

Not setting [[MSSQL]] clients to use encryption when connecting to the [[MSSQL]] server

Use of self-signed certificates when encryption is used; self-signed certificates can be spoofed

Use of [named pipes](https://docs.microsoft.com/en-us/sql/tools/configuration-manager/named-pipes-properties?view=sql-server-ver15)

Default **sa** credentials. Admins might forget to disable this account

## Oracle TNS

A communication protocol that facilitates communication between [[Oracle]] databases and applications over a network

Supports network protocols such as the [[IPX]]/[[SPX]] and [[TCP]]/[[IP]] protocol stacks

Over time, [[TNS]] gained support for [[IP#IPv6|IPv6]] and [[SSL]]/[[TLS]] encryption, which makes it more suitable for:
- Name resolution
- Connection management
- Load balancing
- Security

The listener listens for incoming connections on [[TCP]] port 1521, but this can be changed in the configuration files

[[TNS]] supports [[TCP]]/[[IP]], [[UDP]], [[IPX]]/[[SPX]] and [[AppleTalk]]

[[TNS]] can be remotely managed in **Oracle 8i/9i** but not in **Oracle 10g/11g**

```bash
# Scanning the [[TNS]] version if the port is open
sudo nmap -p1521 -sV 10.129.204.243 --open

# Brute forcing SID values using [[Nmap#Nmap Scripting Engine|NSE]]
sudo nmap -p1521 -sV 10.129.241.245 --open --script oracle-sid-brute

# Scanning the [[TNS]] using odat with all its modules
./odat.py all -s 10.123.34.212

# Using sqlplus to connect to [[Oracle Database]]
sqlplus username/password@123.123.43.23/XE
# If you get the error *sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory* execute the line below
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig

# Using sqlplus to connect to [[Oracle Database]] as db admin
sqlplus username/password@123.23.23.12/XE as sysdba

# Uploading a file using odat.py
# note the default web root paths are
# linux: /var/www/html
# windows: C:\inetpub\wwwroot
./odat.py utlfile -s 10.124.234.23 -d XE -U username -P password --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
# Testing if the uploaded file is present
curl -X GET http://10.123.34.23/testing.txt
```

Below is some of the basic usage once connected to [[Oracle Database]]

```sql
-- list all tables
select table_name from all_tables;

-- show all user privileges
select * from user_role_privs;

-- show users and their password hashes
select name, password from sys.user$;
```

### Default Configuration

The default configuration of the [[TNS]] listener includes a few basic features

[[TNS]] is often used with other [[Oracle]] services like [[DBSNMP]], [[Oracle Database]], [[Oracle Application Server]], [[Oracle Enterprise Manager]], [[Oracle Fusion Middleware]], web servers and many more

**Oracle 9** has a default password while **Oracle 10** has no default password

[[DBSNMP]] also uses a default password, which is `dbsnmp`

Client-side [[Oracle Net Services]] software uses `tnsnames.ora` to resolve service names to network addresses
The listener process uses the `listener.ora` file to determine the services it should listen for and the behaviour of the listener

Each database or service has a unique entry in the `tnsnames.ora` file, which contains the necessary information for clients to connect to the service

```bash
# Simple tnsnames.ora file
# Service named ORCL listening on TCP port 1521 on IP 10.129.11.102
# Clients should use the service name orcl when connecting
ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )
```

`listener.ora` is a *server-side configuration* that defines the listener process's properties and parameters; the listener receives incoming client requests and forwards them to the appropriate [[Oracle]] database instance

```bash
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PDB1)
      (ORACLE_HOME = C:\oracle\product\19.0.0\dbhome_1)
      (GLOBAL_DBNAME = PDB1)
      (SID_DIRECTORY_LIST =
        (SID_DIRECTORY =
          (DIRECTORY_TYPE = TNS_ADMIN)
          (DIRECTORY = C:\oracle\product\19.0.0\dbhome_1\network\admin)
        )
      )
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = C:\oracle
```

[[Oracle Database]]s are protected using the [[PL/SQL Exclusion List]]: a user-created file that needs to be placed in the `$ORACLE_HOME/sqldeveloper` directory. Once created, it can be loaded into the database instance and serves as a blacklist of what cannot be accessed through [[Oracle Application Server]]

In [[Oracle Database]] the **SID** is a unique name that identifies a particular database instance. An instance is a set of processes and memory structures that interact to manage the database data.

The **SID** is important because it specifies the exact database instance the client wants to connect to. If the wrong **SID** is specified, the connection will fail.

When a client connects to an [[Oracle Database]], it specifies the **SID** along with its connection string; if no **SID** is defined, the default defined in `tnsnames.ora` is used

| **Setting**          | **Description**                                                                                                          |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| `DESCRIPTION`        | A descriptor that provides a name for the database and its connection type.                                              |
| `ADDRESS`            | The network address of the database, which includes the hostname and port number.                                        |
| `PROTOCOL`           | The network protocol used for communication with the server.                                                             |
| `PORT`               | The port number used for communication with the server.                                                                  |
| `CONNECT_DATA`       | Specifies the attributes of the connection, such as the service name or SID, protocol, and database instance identifier. |
| `INSTANCE_NAME`      | The name of the database instance the client wants to connect to.                                                        |
| `SERVICE_NAME`       | The name of the service that the client wants to connect to.                                                             |
| `SERVER`             | The type of server used for the database connection, such as dedicated or shared.                                        |
| `USER`               | The username used to authenticate with the database server.                                                              |
| `PASSWORD`           | The password used to authenticate with the database server.                                                              |
| `SECURITY`           | The type of security for the connection.                                                                                 |
| `VALIDATE_CERT`      | Whether to validate the certificate using SSL/TLS.                                                                       |
| `SSL_VERSION`        | The version of SSL/TLS to use for the connection.                                                                        |
| `CONNECT_TIMEOUT`    | The time limit in seconds for the client to establish a connection to the database.                                      |
| `RECEIVE_TIMEOUT`    | The time limit in seconds for the client to receive a response from the database.                                        |
| `SEND_TIMEOUT`       | The time limit in seconds for the client to send a request to the database.                                              |
| `SQLNET.EXPIRE_TIME` | The time limit in seconds for the client to detect that a connection has failed.                                         |
| `TRACE_LEVEL`        | The level of tracing for the database connection.                                                                        |
| `TRACE_DIRECTORY`    | The directory where the trace files are stored.                                                                          |
| `TRACE_FILE_NAME`    | The name of the trace file.                                                                                              |
| `LOG_FILE`           | The file where the log information is stored.                                                                            |

## IPMI

[[IPMI]] is a set of standardised specifications for hardware-based host management systems used for system management and monitoring.
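Back in the Oracle TNS section, `tnsnames.ora` is the nested `(KEY = VALUE)` format clients use for name resolution. As an added example (not from the original note), this Python parser turns such a file into a dictionary and lists each alias's endpoints, so the entries that still resolve to plaintext `TCP` rather than `TCPS` stand out; the sample file is constructed and its hosts are placeholders.

```python
import re

# Constructed sample; hosts are placeholders. The second alias uses TCPS (TLS).
SAMPLE_TNSNAMES = """
# Service named ORCL listening on TCP port 1521
ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
    )
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl))
  )

HR_SECURE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db-hr.example.test)(PORT = 2484))
    (CONNECT_DATA = (SID = HRPDB))
  )
"""

# The file is just '(', ')', '=' and bare words; '#' starts a comment.
TOKEN_RE = re.compile(r"\(|\)|=|[^\s()=]+")


def tokenize(text):
    tokens = []
    for line in text.splitlines():
        tokens.extend(TOKEN_RE.findall(line.split("#", 1)[0]))
    return tokens


def parse_value(tokens, pos):
    """Parse the value after '=': a bare word or (KEY = VALUE) groups.

    Returns (value, next_pos). Repeated keys (several ADDRESS entries)
    are collected into a list instead of overwriting each other.
    """
    if pos >= len(tokens):
        raise ValueError("truncated entry")
    if tokens[pos] != "(":
        return tokens[pos], pos + 1
    result = {}
    while pos < len(tokens) and tokens[pos] == "(":
        if pos + 2 >= len(tokens) or tokens[pos + 2] != "=":
            raise ValueError("expected '(KEY = ...'")
        key = tokens[pos + 1].upper()
        value, pos = parse_value(tokens, pos + 3)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError(f"unbalanced parentheses in {key}")
        pos += 1
        if key in result:
            if not isinstance(result[key], list):
                result[key] = [result[key]]
            result[key].append(value)
        else:
            result[key] = value
    return result, pos


def parse_tnsnames(text):
    """Return {ALIAS: descriptor} for every top-level entry in the file."""
    tokens, pos, entries = tokenize(text), 0, {}
    while pos < len(tokens):
        alias = tokens[pos].upper()
        if pos + 1 >= len(tokens) or tokens[pos + 1] != "=":
            raise ValueError(f"expected '=' after alias {alias}")
        entries[alias], pos = parse_value(tokens, pos + 2)
    return entries


def endpoints(descriptor):
    """Every ADDRESS under DESCRIPTION (direct or in ADDRESS_LIST) as (protocol, host, port)."""
    desc = descriptor.get("DESCRIPTION", {})
    found = []
    for container in (desc, desc.get("ADDRESS_LIST", {})):
        addrs = container.get("ADDRESS", [])
        for a in addrs if isinstance(addrs, list) else [addrs]:
            # Oracle Net defaults: PROTOCOL=TCP, PORT=1521 when omitted.
            found.append((a.get("PROTOCOL", "TCP").upper(), a.get("HOST"), int(a.get("PORT", 1521))))
    return found


def plaintext_aliases(entries):
    """Aliases that still connect over plain TCP rather than TCPS (TLS)."""
    return sorted(alias for alias, d in entries.items()
                  if any(proto == "TCP" for proto, _, _ in endpoints(d)))


if __name__ == "__main__":
    parsed = parse_tnsnames(SAMPLE_TNSNAMES)
    for alias in parsed:
        print(alias, endpoints(parsed[alias]))
    print("plaintext:", plaintext_aliases(parsed))
```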
An autonomous subsystem that works independently of the host's [[BIOS]], [[CPU]], firmware and [[Operating System]]

Able to manage and monitor systems even when they are powered off or unresponsive.

Direct network connection to the system's hardware, hence bypassing the [[Operating System]] and [[BIOS]]

[[IPMI]] is typically used in three ways:
1. Before the [[Operating System]] has booted, to modify [[BIOS]] settings
2. When the host is powered on
3. To access the host after a system failure

Can be used to monitor temperature, voltage, fans and PSUs

Systems using [[IPMI]]v2 can be administered via [[Serial Over LAN]], giving the ability to view serial console output in band

To function, [[IPMI]] requires the following components:
- Baseboard Management Controller (BMC) - a micro-controller and essential component of an [[IPMI]] system
- Intelligent Chassis Management Bus (ICMB) - an interface that permits communication from one chassis to another
- Intelligent Platform Management Bus (IPMB) - extends the BMC
- IPMI Memory - stores things such as the system event log, repository store data, and more
- Communication Interfaces - local system interfaces, serial and [[Local Area Network|LAN]] interfaces, [[ICMB]] and PCI Management Bus

```bash
# Scanning with [[Nmap]] using a script
sudo nmap -sU --script ipmi-version -p 623 ilo.inlanefreight.htb

# Scanning with Metasploit
msfconsole
use auxiliary/scanner/ipmi/ipmi_version

# Getting hashes with Metasploit
msfconsole
use auxiliary/scanner/ipmi/ipmi_dumphashes
```

Common credentials for [[IPMI]]

| Product         | Username      | Password                                                                  |
| --------------- | ------------- | ------------------------------------------------------------------------- |
| Dell iDRAC      | root          | calvin                                                                    |
| HP iLO          | Administrator | randomized 8-character string consisting of numbers and uppercase letters |
| Supermicro IPMI | ADMIN         | ADMIN                                                                     |

The server sends a salted [[SHA1]] or [[MD5]] hash of the user's password to the client before authentication takes place. We can use [[Hashcat]] to crack these passwords offline using `-m 7300`

## General Linux Footprinting

### SSH

[[SSH]] can be authenticated using these authentication methods:
1. Password authentication
2. Public-key authentication
3. Host-based authentication
4. Keyboard authentication
5. Challenge-response authentication
6. GSSAPI authentication

Below are some dangerous settings in the [[SSH]] configuration that could lead to trouble

| **Setting**                  | **Description**                             |
| ---------------------------- | ------------------------------------------- |
| `PasswordAuthentication yes` | Allows password-based authentication.       |
| `PermitEmptyPasswords yes`   | Allows the use of empty passwords.          |
| `PermitRootLogin yes`        | Allows logging in as the root user.         |
| `Protocol 1`                 | Uses an outdated version of encryption.     |
| `X11Forwarding yes`          | Allows X11 forwarding for GUI applications. |
| `AllowTcpForwarding yes`     | Allows forwarding of TCP ports.             |
| `PermitTunnel`               | Allows tunneling.                           |
| `DebianBanner yes`           | Displays a specific banner when logging in. |

```bash
# Checks client-side and server-side configuration and shows general info about client and server
git clone https://github.com/jtesta/ssh-audit.git
./ssh-audit.py 112.23.23.123
```

### Rsync

Tool for copying files locally and remotely

Uses [[TCP]] port 873 and can be configured to use [[SSH]] for secure file transfer

[Guide](https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync) covering how to abuse [[Rsync]]

```bash
# Probing the service to see what we can gain access to
nc -nv 111.12.23.42 873

# Enumerate a share called dev based on the probing done above
rsync -av --list-only rsync://111.12.23.42/dev

# Sync all files to our host from the share called dev
rsync -av rsync://111.12.23.42/dev

# Sync all files to our host from the share called dev if configured to use SSH for file transfer
rsync -av rsync://111.12.23.42/dev -e ssh
```

### R-Services

[[R-Services]] is a suite of services hosted to enable remote access or issue commands between [[UNIX]] hosts over [[TCP]]/[[IP]]

Replaced by [[SSH]] due to the inherent security flaws built into them

Uses [[TCP]] ports 512, 513 and 514. Only accessible through programs called **r-commands**

The [R-commands](https://en.wikipedia.org/wiki/Berkeley_r-commands) suite consists of the following programs:

- rcp (`remote copy`)
- rexec (`remote execution`)
- rlogin (`remote login`)
- rsh (`remote shell`)
- rstat
- ruptime
- rwho (`remote who`)

| **Command** | **Service Daemon** | **Port** | **Transport Protocol** | **Description**                                                                                                                                                                                                                                                           |
| ----------- | ------------------ | -------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `rcp`       | `rshd`             | 514      | TCP                    | Copy a file or directory bidirectionally from the local system to the remote system (or vice versa) or from one remote system to another. It works like the `cp` command on Linux but provides `no warning to the user for overwriting existing files on a system`.       |
| `rsh`       | `rshd`             | 514      | TCP                    | Opens a shell on a remote machine without a login procedure. Relies upon the trusted entries in the `/etc/hosts.equiv` and `.rhosts` files for validation.                                                                                                                |
| `rexec`     | `rexecd`           | 512      | TCP                    | Enables a user to run shell commands on a remote machine. Requires authentication through the use of a `username` and `password` through an unencrypted network socket. Authentication is overridden by the trusted entries in the `/etc/hosts.equiv` and `.rhosts` files. |
| `rlogin`    | `rlogind`          | 513      | TCP                    | Enables a user to log in to a remote host over the network. It works similarly to `telnet` but can only connect to Unix-like hosts. Authentication is overridden by the trusted entries in the `/etc/hosts.equiv` and `.rhosts` files.                                    |

[[R-Services]] rely on trusted information sent from the remote client to the host machine they are trying to authenticate to

They utilise [[Pluggable Authentication Modules]] for user authentication, but this can be bypassed using the `/etc/hosts.equiv` and `.rhosts` files on the system.

The `hosts.equiv` and `.rhosts` files contain the *hostnames and [[IP]]s* of users that are trusted when connections are made

```ad-note
The `hosts.equiv` file is recognized as the global configuration regarding all users on a system, whereas `.rhosts` provides a per-user configuration.
```

```bash
# Logging in using rlogin
rlogin 10.0.17.2 -l johnwick

# Listing authenticated users
rwho
rusers -al 10.0.17.5
```

## General Windows Footprinting

Remote management is enabled by default starting with [[Windows]] Server 2016

### RDP

Developed for remote access to a computer running [[Windows]]

Allows display and control commands to be transmitted with encryption over [[IP]] networks using [[TCP]] port 3389 or connection-less [[UDP]] port 3389

The network firewall and server firewall must allow connections from the outside

If [[NAT]] is used, port forwarding must be set up on the NAT router to the server

[[RDP]] has had encryption via [[TLS]]/[[SSL]] since [[Windows]] Vista

Many [[Windows]] systems do not insist on this but accept encryption via **[[RDP]] security**

The client cannot distinguish a genuine certificate from a forged one

[[RDP]] is installed by default on [[Windows]] Server and can be activated using the **Server Manager**. It comes with a default setting to allow connections only from hosts with [[Network Level Authentication]]

```bash
# Scanning the RDP service with all RDP related scripts
nmap -sV -sC 10.128.24.11 -p3389 --script rdp*

# Scanning the RDP service with individual packet tracking and content inspection
# Might be identified by threat hunters and [[EDR]] because of RDP cookies (mstshash=nmap)
nmap -sV -sC 10.129.201.238 -p3389 --packet-trace --disable-arp-ping -n

# Identifying security settings of RDP servers based on the handshake
# rdp-sec-check.pl needs its Perl modules installed via cpan first
sudo cpan
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git
./rdp-sec-check.pl 10.129.201.248

# Authenticating and connecting to RDP servers
xfreerdp /u:username /p:"Password1!" /v:10.129.201.248
```

### WinRM

Integrated remote management protocol based on the command line.

[[WinRM]] uses [[SOAP]] to establish connections to remote hosts and their applications

[[WinRM]] contains WinRS, which lets us execute arbitrary commands on the remote system

```bash
# Scanning for the WinRM service
nmap -sC -sV 10.129.101.234 -p5985,5986 --disable-arp-ping -n

# Connecting to the WinRM service
evil-winrm -i 10.129.201.248 -u username -p Password!

# Connecting to the WinRM service, then running scripts and executables
evil-winrm -i 10.129.201.248 -u username -p Password! -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
```

### WMI

Allows read and write access to almost all settings on [[Windows]] systems

Typically accessed via [[PowerShell]], [[VBScript]] or WMIC

[[WMI]] is not a single program but consists of several programs and various databases

Uses [[TCP]] port 135 and after the connection is established, it moves to a random port

```bash
# Connecting to WMI services
./wmiexec.py username:"Password"@10.129.23.12 "hostname"
```