Here is a longer list of common communiyt strings: https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/wordlist-common-snmp-community-strings.txt
Here is a longer list of common community strings: https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/wordlist-common-snmp-community-strings.txt
### MIB - Management information base
@@ -476,6 +476,7 @@ snmp-check -t 192.168.1.101 -c public
### Scan for open ports - Nmap
Since SNMP is using UDP we have to use the `-sU` flag.
Common UNIX Printing System has become the standard for sharing printers on a linux-network.
You will often see port 631 open in your priv-esc enumeration when you run **netstat**. You can log in to it here: **http://localhost:631/admin**
You will often see port 631 open in your priv-esc enumeration when you run `netstat`. You can log in to it here: **http://localhost:631/admin**
You authenticate with the OS-users.
Find version. Test **cups-config --version**. If this does not work surf to **http://localhost:631/printers and see the CUPS version in the title bar of your browser**.
Find version. Test **cups-config --version**. If this does not work surf to **http://localhost:631/printers** and see the CUPS version in the title bar of your browser.
There are vulnerabilites for it so check your searchsploit.
There are vulnerabilities for it so check your searchsploit.
## Port 993 - Imap Encrypted
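Review bot: the bold command in the "Find version" line (`**cups-config --version**`) is still bold while the same commit converts `netstat` two lines earlier to a code span; for consistency make it `cups-config --version` in backticks as well. Two smaller grammar points in the same region: "Since SNMP is using UDP" reads better as "Since SNMP uses UDP", and "sharing printers on a linux-network" should be "sharing printers on a Linux network".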
@@ -597,12 +596,13 @@ The default port for the Imap-protocol.
## Port 995 - POP3 Encrypten
Port 995 is the default port for the *Post Office Protocol*.
Port 995 is the default port for the **Post Office Protocol**.
The protocol is used for clients to connect to the server and download their emails locally.
You usually see this port open on mx-servers. Servers that are meant to send and recieve email.
Related ports:
110 is the POP3 non-encrypted.
25, 465
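Review bot: the heading "## Port 995 - POP3 Encrypten" still carries a typo (Encrypted) even though this hunk only touches the line below it, and "recieve" in "send and recieve email" should be "receive". The "Related ports" list would also be clearer if the two bare numbers were labelled the way 110 is, e.g. "25 (SMTP), 465 (SMTP over TLS)", since the reader otherwise has to guess why mail-submission ports are listed under POP3.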
@@ -612,7 +612,7 @@ I have seen them open on windows machine. But nothing has been listening on it.
## Port 1030/1032/1033/1038
I think these are used by the RPC within Windows Domains. I have found no use for them so far. But they might indicate that the target is part of a Windows domain.
I think these are used by the RPC within Windows Domains. I have found no use for them so far. But they might indicate that the target is part of a Windows domain. Not sure though.
## Port 1433 - MsSQL
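Review bot: appending "Not sure though." to a sentence that already opens with "I think these are used by" only stacks two hedges; either drop the new sentence or replace both with what was actually observed (for example that the ports were open on domain-joined Windows hosts but nothing answered on them, as the hunk context line above already states). That gives the reader a concrete indicator instead of a doubly qualified guess.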
@@ -625,11 +625,10 @@ sqsh -S 192.168.1.101 -U sa
# Execute commands
```
To execute the date command to the following after logging in
```bash
# To execute the date command to the following after logging in
xp_cmdshell 'date'
go
```
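Review bot: the sentence moved into the fence as a comment still has the broken phrasing "To execute the date command to the following after logging in"; it should read "To execute the date command, do the following after logging in". The fence is tagged `bash`, but its content (`xp_cmdshell 'date'` followed by `go`) is T-SQL typed into the sqsh prompt, so tag it `sql` or leave it untagged to avoid misleading highlighting. Worth a sentence in the text too: `xp_cmdshell` is disabled by default on supported SQL Server versions, so the command will fail on a default install, and keeping it disabled is the corresponding hardening step.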
@@ -662,7 +661,7 @@ Bruteforce the ISD
auxiliary/scanner/oracle/sid_brute
```
Connect to the database with **sqlplus**
Connect to the database with `sqlplus`
References:
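Review bot: the context line "Bruteforce the ISD" has the acronym transposed; the Oracle identifier being brute-forced is the SID, as the module name `auxiliary/scanner/oracle/sid_brute` in the same hunk shows. Since this hunk already edits the line right below it, fixing "ISD" to "SID" here would be cheap.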
@@ -681,6 +680,7 @@ Network file system
This is a service used so that people can access certain parts of a remote filesystem. If this is badly configured it could mean that you grant excessive access to users.
If the service is on its default port you can run this command to see what the filesystem is sharing
```
showmount -e 192.168.1.109
```
@@ -688,11 +688,13 @@ showmount -e 192.168.1.109
Then you can mount the filesystem to your machine using the following command
```
mount 192.168.1.109:/ /tmp/NFS
mount -t 192.168.1.109:/ /tmp/NFS
```
Now we can go to /tmp/NFS and check out /etc/passwd, and add and remove files.
This can be used to escalate privileges if it is not correct configured. Check chapter on Linux Privilege Escalation.
## Port 2100 - Oracle XML DB
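Review bot: the new mount line `mount -t 192.168.1.109:/ /tmp/NFS` is wrong: `-t` takes a filesystem type as its argument, so `192.168.1.109:/` would be consumed as the type and `/tmp/NFS` would be treated as the device, and the command fails. Either keep the original `mount 192.168.1.109:/ /tmp/NFS` or write `mount -t nfs 192.168.1.109:/ /tmp/NFS`. The text should also mention that the mount point has to exist first (`mkdir -p /tmp/NFS`), and "if it is not correct configured" should read "if it is not correctly configured".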
@@ -776,19 +778,17 @@ In that file you find the
```php
<?php
classJConfig{
var$mailfrom='admin@catsanddogs.com';
var$fromname='Fuku';
var$mailfrom='admin@rainng.com';
var$fromname='testuser';
var$sendmail='/usr/sbin/sendmail';
var$password='mySecretPassowrd1234';
var$sitename='catsAndDogsInc';
var$password='myPassowrd1234';
var$sitename='test';
var$MetaDesc='Joomla! - the dynamic portal engine and content management system';
var$MetaKeys='joomla, Joomla';
var$offline_message='This site is down for maintenance. Please check back again soon.';
}
```
Sotherewehaveit.
## Port 3339 - Oracle web interface
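Review bot: the PHP snippet is missing whitespace throughout (`classJConfig{`, `var$mailfrom=...`), so it is not valid PHP as shown; it should read `class JConfig {` and `var $mailfrom = '...';` on each line, and the closing line "Sotherewehaveit." has the same problem ("So there we have it."). The change itself, swapping the sample values for `mailfrom`, `fromname`, `password` and `sitename`, is fine, but the new values should be recognisably placeholders (the domain and password in particular) so nobody mistakes them for real credentials; the point of the section is that `configuration.php` stores the database password in plaintext, which is why read access to it matters.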
@@ -861,13 +861,14 @@ vncviewer 192.168.1.109
If you are unable to input ctr-alt-del (kali might interpret it as input for kali).
Port-knocking the a obfuscation-as-security technique. It basically means that after knocking on ports in a specific sequence a certain port will open automatically.
Port-knocking the a obfuscation-as-security technique. It basically means that after knocking on ports in a specific sequence a certain port will open automatically. It seems to be more popular in Capture-the-flag contests than real life networks. But I have included it anyways, since CTF:s are great.
This is a way to hide certain ports, so you don't get unwanted intrusion-intents.
So for example, imagine you access your server through ssh. But you are tired of getting unwanted bruteforce attempts all day long. You can just have the SSH-port closed and when you knock on certain ports in a specific order the ssh-port opens up, maybe for a few minutes, or maybe indefinitely until you close it again.
So for example, imagine you access your server through `ssh`. But you are tired of getting unwanted bruteforce attempts all day long. You can just have the SSH-port closed and when you knock on certain ports in a specific order the ssh-port opens up, maybe for a few minutes, or maybe indefinitely until you close it again.
When you "knock" on a port you are really just sending TCP-packets with SYN-flag to that port. The closed port will then respond with a ACK/RST. Which basically means that the host has received the TCP-packet, and it ACKnolwdge it, but responds with a Reset (RST) flag. RST just means that the port is closed.
When you "knock" on a port you are really just sending TCP-packets with `SYN`-flag to that port. The closed port will then respond with a `ACK/RST`. Which basically means that the host has received the `TCP`-packet, and it ACKnolwdge it, but responds with a Reset (`RST`) flag. `RST` just means that the port is closed.
## Software to implement port-knocking
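Review bot: the new first line keeps the grammar error from the old one: "Port-knocking the a obfuscation-as-security technique" should be "Port knocking is an obscurity-as-security technique". Further down, "intrusion-intents" should be "intrusion attempts", "ACKnolwdge" should be "ACKnowledge", and "CTF:s" should be "CTFs". The TCP explanation is otherwise sound, though the flag pair is conventionally written `RST/ACK`, and it would help the reader to add that the knock daemon sees the knock by watching the firewall log or sniffing the interface, so the closed-port reply is irrelevant to whether the knock "counted".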
@@ -19,17 +19,18 @@ As mentioned before a knock is essentially just sending a packet to a specific p
I guess there are quite a few ways to do this. But here are three ways.
1. Knock
- apt-get install knockd
- Then you simply type: knock [ip] [port]. For example: knock 192.168.1.102 7000 8000 9000
-`apt-get install knockd`
- Then you simply type: `knock [ip] [port]`. For example: `knock 192.168.1.102 4000 5000 6000`
- After that you have to scan the network to see if any new port is open.
- If you know what port is open you can connect to the port using netcat. The following command would work nc 192.168.1.102 8888. This would then connect to the port.
- If you know what port is open you can connect to the port using netcat. The following command would work `nc 192.168.1.102 8888`. This would then connect to the port.
2. Nmap/bash
-```for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done```
-`for x in 4000 5000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done`
3. Netcat
```nc 192.168.1.102 7000
nc 192.168.1.102 8000
nc 192.168.1.102 9000
```
nc 192.168.1.102 4000
nc 192.168.1.102 5000
nc 192.168.1.102 6000
nc 192.168.1.102 8888
```
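Review bot: two markdown problems in the list. In item 1 the new line "-`apt-get install knockd`" has no space after the hyphen, so it will not render as a list item (write "- `apt-get install knockd`"). In item 3 the opening fence sits on the same line as the first command ("```nc 192.168.1.102 7000" in the old version, and the new version shows no opening fence on its own line at all), so the block will not render as code; put the three backticks on their own line before the first `nc` command. Also worth noting in the text: `nc 192.168.1.102 8888` in item 3 is the connection to the port opened by the knock, not part of the knock sequence, so a comment separating the three knock lines from the final connect line would stop readers from treating 8888 as a fourth knock. The port sequence change from 7000 8000 9000 to 4000 5000 6000 is applied consistently across all three items, which is good.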
@@ -39,6 +40,7 @@ One way hack a server with port-knocking implemented would be to sniff for packe
## Pitfalls
Using port-knocking as a way to secure your service might come with some risk. The biggest risk I suppose is that if the knock-daemon fails, for whatever reason. You will be shut out of you machine. There are of course ways to just restart the knock-daemon if it fails. But maybe that daemon fails as well.
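Review bot: "You will be shut out of you machine" should read "your machine", and the hunk context line "One way hack a server with port-knocking implemented would be to sniff for packe" is missing "to" ("One way to hack"). On the substance of the pitfall, the paragraph stops at "maybe that daemon fails as well"; it would be more useful to name the usual mitigation, which is to keep an out-of-band path (console access or a second, firewalled admin address) so a dead knock daemon does not mean a lost host, and to treat port knocking as a noise reducer on top of key-based authentication rather than as the access control itself.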