Common Service Attacks

From Enlace Hacktivista
Revision as of 18:17, 10 October 2023 by Booda (talk | contribs) (→‎Email - SMTP)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

NOTE: This page is under construction


Network services as listed below commonly run standard default ports. Whilst most of your targets (especially internally) may run on default standard ports that you would expect services to run on it's important to look for non-standard, high ports as some sysadmins run their infrastructure under "Security Through Obscurity". To do this we can use third-party services such as Shodan and Censys and port scanners such as nmap.


File Transfer Protocol (FTP) is commonly used to store and transfer files and runs on port 21 by default. FTP if configured properly cannot be accessed without being vulnerable or using weak credentials. However if the server has misconfigurations (anonymous authentication) and weak credentials are in place then potentially it can be accessed. After which we can login, see if we have write permissions, steal data or upload a web shell to perform further post exploitation and lateral movement.

Basic FTP authentication (CLI):

  • Basic FTP login: ftp 21
  • Feature rich (CLI) FTP client: ncftp -u admin -p Password123
  • A nice feature rich GUI FTP client:

Anonymous Login

A common security oversight and misconfiguration is an FTP server allowing anonymous login and it becomes even better if we have write permissions! To check for this misconfifration you can either manually try and login with anonymous:anonymous or use the nmap scripting engine to check automatically for you.

Check for FTP anonymous login:

  • ftp (anonymous:anonymous)
  • sudo nmap -sC -sV -p 21 -oA results


Brute-Force attacks stuff logins with thousands and hundreds of thousands (even millions) of login attempts using a password word list against a user or a list of users guessing the users password until it finds the right one. If we cant get access to the FTP using the anonymous login method and assuming the sysadmin uses weak and guessable credentials we may be able to brute-force the login and break our way in. Note that this is a very loud and proud method and is not recommended if you're trying to be stealthy.

Brute-force using medusa and rockyou:

FTP Bounce

An FTP Bounce attack is an old attack against FTP where we can effectively use the target (hacked) server as a proxy to access other internal systems on the network externally. We can use this method to port scan an internal network however this is by default not available on modern FTP servers but is still worth checking for just in case your target is vulnerable to this attack.

nmap -Pn -v -n -p 80 -b anonymous:anonymous@ <internal address>


Once you find your way into an FTP server which has data that you want to exfiltrate on mass you can use wget to mass exfiltrate all the data from the server to your server.

Exfiltrate all data from the target server:


Secure shell (SSH) used commonly to remotely login to Linux servers by default runs on port 22, often changed to port 2222 and has root user enabled with password authentication allowed. Most secure SSH servers will use key authentication with the root user disabled for remote authentication and will change the default port to a non-standard port to either try and hide the SSH or reduce the noise that bots make spraying the logins all day.


A common attack vector used against SSH is a password based attack where you pump the server logs full of passwords and usernames until a match is found and then we're able to login.

We can also use metasploit (auxiliary/scanner/ssh/ssh_login, scanner/ssh/ssh_enumusers, auxiliary/fuzzers/ssh/ssh_version_2) to perform a brute-force attack against SSH:

use auxiliary/scanner/ssh/ssh_login
set RPORT 22
set USERNAME root
set PASS_FILE /usr/share/wordlists/password/rockyou.txt

Cracking Keys

Perhaps you have found a local file inclusion (LFI) vulnerability on your targets server and you exploit this not only to retrieve the /etc/passwd file but also to retrieve the servers SSH private key (/home/user/.ssh/id_rsa). However the key is password protected and as such we'll need to crack it in order to be able to use it to remotely authenticate onto the target server.

  1. To begin cat the id_rsa file and copy into a local file in order to crack.
  2. Create hash: python /usr/share/john/ id_rsa > id_rsa_crackme.txt
  3. Crack the hash: john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_crackme.txt
  4. Now change the file permissions to chmod 600 id_rsa
  5. Now we use the cracked key to ssh into our target! ssh -i id_rsa user@

Assuming now that you have in fact cracked the ssh private key and are able to use it to authenticate onto the server just enter the key's password once prompted and you'll be able to login successfully.


To exfiltrate data via SSH unless otherwise through the means of a backdoor is by using secure copy (scp) where we can copy files off the server and onto ours to exfiltrate our targets data.

  • scp user@ ~/Downloads



Remote Desktop Protocol (RDP) allows you to control a system remotely as if you were sat at the keyboard physically (with some delay). RDP runs on port 3389 by default, doesn't use multi-factor authentication by default and due to organizations having poor password policies RDP has been a great way to gain initial access into company networks. The added benefit is using a legitimate account already registered on the network and by using windows built in RDP client detection for an intrusion is not as obvious or easy to detect.


We can use the nmap scripting engine (NSE) set of RDP scripts to start enumerating RDP to discover more information about our target.

  • nmap -sV -p 3389 --script rdp-* -oA results

Password Spray

Assuming your target uses weak and guessable credentials and hasn't implemented multi-factor authentication we can start a brute-force attack against RDP in the hopes of finding an easy way in through poorly implemented authentication.

Note: Be careful to not lockout accounts!


Virtual Private Networks in the corporate sense (VPNs) are used to connect remotely into the corporations internal network from anywhere outside the network. This allows employees, IT staff, help desk and third parties to connect and access internal resources. We can abuse this trust relationship by either hacking the VPN through common and known vulnerabilities or we can brute-force/password spray looking to find weak and guessable credentials where the accounts don't implement multi-factor authentication.


There are many critical vulnerabilities that affect many different VPNs which we can scan and exploit to gain initial access into your targets network. Here we list some (not all) critical VPN vulnerabilities that are worth scanning for and exploiting.

  1. CVE-2018-13379
  2. CVE-2019-11510
  3. CVE-2019-19781
  4. CVE-2019-11539
  5. CVE-2020-8260
  6. CVE-2021-20016
  7. CVE-2022-42475


For this we can two use metasploit modules for two very common corporate VPNs, one being Fortinet SSL VPN and the other being CISCO.

use auxiliary/scanner/http/cisco_ssl_vpn
set RPORT 443
set USER_FILE users.txt
set PASS_FILE pass.txt
set threads 10
use auxiliary/scanner/http/fortinet_ssl_vpn
set RPORT 10443
set USER_FILE users.txt
set PASS_FILE pass.txt
set threads 10


Databases are frequently used to store and handle data. There's a wide variety of databases out there like MySQL, PostgreSQL, MongoDB, Microsoft SQL Server, SQLite, Oracle, and Redis. These databases fall under different types: Relational, NoSQL, and In-Memory, among others.

Depending on the database type, they run on specific ports. For instance, MySQL on 3306, PostgreSQL on 5432, Microsoft SQL Server on 1433 and 1434, Oracle on 1521, and MongoDB on 27017, just to list a few.

While many older and misconfigured databases allowed for easy access, like using a root user with a blank password, newer versions have plugged these gaps. But it's always worth checking. You can use nmap's NSE scripts to find out more about a database's configuration and vulnerabilities. If you manage to get in, mysqldump can help you extract data. Also, always look out for SQL Injection (SQLi) vulnerabilities in applications connected to these databases."


We can use the nmap scripting engine (NSE) and it's various scripts to enumerate the targets database either externally or internally and start probing for misconfigurations, vulnerabilities and additional information.

Enumerate using the nmap scripting engine (NSE):

  • nmap -Pn -sV -sC -A -p 3306 -oA results
  • nmap -sV -p 3306 --script mysql-* -oA results
  • nmap -sV -p 3306 --script ms-sql-* -oA results


Databases typically run on localhost and are not externally accessible however some databases may be and if your target has made their database externally accessible then you can try a brute-force attack on the database to see if the password is weak enough to crack.


SQL Injection (SQLi) is a type of attack whereby the targets application has a vulnerable parameter that we can inject SQL code into and start accessing, editing and deleting data from and bypass logins. To quickly test a login page for SQLi bypass you can either try different payloads or capture the login request with an intercept proxy and run sqlmap -r login_test.txt --dbs.

We can use various tools and techniques to discover SQLi such as crawling an application for endpoints and parameters using web crawlers, and then passing that output to sqlmap to start testing parameters for SQLi vulnerabilities (very loud).


To exfiltrate the database we can dump the database(s) into a single file to later download off the targets server.