Active Information Gathering

Open ports on OSCP / HTB rarely occurs without purpose. Remember about them through whole exploitation. Some of them are useless at the first glance but with information found on other ports can become crucial to compromise the machine.

Manual benner checking

It is advised to check every port manually with nc.

nc <IP> <PORT>

Nmap

You should run nmap multiple times - sometimes it do not return all ports. Another way of making sure to get the correct output is setting the --max-delay flag.

Scan for open ports [TCP]

sudo nmap -sC -sV -p- <IP>

nmap -sV -p- -oA output -Pn -A -T4 <IP>

nmap -sV -p- -oA outputVuln -Pn --script vuln -T5 <IP>

Scan for open ports [UDP]

nmap -sU -A -p- -oA outputUDP <IP>

Run vuln scan

nmap <IP> -sV --script "vuln" -p<PORT>

Nmap script listing

ls -1 /usr/share/nmap/scripts

Import NSE script

Move script to nmap script folder:

sudo mv <PATH_TO_NSE_SCRIPT> /usr/share/nmap/scripts/<SCRIPT_NAME>.nse

Update the nmap script database:

sudo nmap --script-updatedb

Run script:

nmap <IP> -sV -p<PORT> --script "<SCRIPT_NAME>"

(PowerShell NMAP alternative)

Windows port scanning

This is only for 1024 ports. You can change the range (this script is definietly not as fast as map).

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<IP>", $_)) "TCP port $_ is open"} 2>$null

Windows subtnetwork scanning

for i in $(seq 1 254); do nc -zv -w 1 <3_OCTET_IP>.$i <PORT>; done

SMTP Enumeration (23, 465, 587)

Manual enumeration

nc -nv <IP> 25

VRFY root

Automatic enumeration

SNMP Enumeration (161, 162, 10161, 10162 / UDP)

Can be susceptible to IP spoofing and replay attacks.

SNMP protocols 1, 2, and 2c offer no traffic encryption, meaning that SNMP information and credentials can be easily intercepted over a local network (until SNMPv3).

It can be configured with default public and private community strings.

SNMP MIB Tree - SMTP database containing information related to the network management.

Values	Paremeters
1.3.6.1.2.1.25.1.6.0	System Processes
1.3.6.1.2.1.25.4.2.1.2	Running Programs
1.3.6.1.2.1.25.4.2.1.4	Processes Path
1.3.6.1.2.1.25.2.3.1.4	Storage Units
1.3.6.1.2.1.25.6.3.1.2	Software Name
1.3.6.1.4.1.77.1.2.25	User Accounts
1.3.6.1.2.1.6.13.1.3	TCP Local Ports

Scanning the network with onesixtyone (u can also just use nmap):

# add community strings
echo public > community
echo private >> community
echo manager >> community

# list of ip to scan
for ip in $(seq 1 254); do echo <3_OCTET_IP_RANGE>.$ip; done > ips 

# this command will return data
onesixtyone -c community -i ips

Querying for a MIB data:

# community string in most cases is "public"
# timeout by default can be 10 seconds
snmpwalk -c <COMMUNITY_STRING> -v<SMTP_VERSION_NUMBER> -t <timeout> <IP>

Querying for parameters

# you can grab the value from table above
snmpwalk -c <COMMUNITY_STRING> -v<SMTP_VERSION> <IP> <VALUE>

DNS Enumeration (53)

You can use these commands also without providing the DNS IP

Banner grabbing

dig version.bind CHAOS TXT @<IP_ADDRESS>

More information:

dig ANY @<DNS_IP> <DOMAIN>     #Any information
dig A @<DNS_IP> <DOMAIN>       #Regular DNS request
dig AAAA @<DNS_IP> <DOMAIN>    #IPv6 DNS request
dig TXT @<DNS_IP> <DOMAIN>     #Information
dig MX @<DNS_IP> <DOMAIN>      #Emails related
dig NS @<DNS_IP> <DOMAIN>      #DNS that resolves that name

Zone transfer

Transfer DNS to another sercer.

dig axfr @<DNS_IP> #Try zone transfer without domain
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain

Subdomain Enumeration

dnsenum <domain>

Whois Enumeration (43)

Basic information about a domain name.

whois <domain>

whois <domain> -h <whois_server>

FTP Enumeration (21)

It is advised to change from ASCII to binary mode to troubleshoot errors during file transfer

Check version using searchsploit for public exploits

Check for anonymous login

Check for hints within the directory

Check if there's anything that points towards uploads going to the web directory

Upload files

put <file>

Download files

get <file>

NBT Enumeration (137)

You can grab NetBIOS names - it can be useful in other areas of the hacking process.

sudo nbtscan -r <IP>

SMB Enumeration (139, 445)

Despite providing blank user and blank password when you dont have credentials, you can also provide non existing user without password - it changes auth method and can reveal shares.

ClockSKEW error? Synchronize time with DC using:

sudo ntpdate <DC_IP>

You can grab a lot of information from SMB.

Enumerate Users, Groups and Logged on Users

You can spray usernames as passwords when you provide users.txt file in -p parameter with --no-bruteforce and --continue-on-success.

crackmapexec smb <VICTIM_IP> --users [-u <username> -p <password>]
crackmapexec smb <VICTIM_IP> --groups [-u <username> -p <password>]
crackmapexec smb <VICTIM_IP> --groups --loggedon-users [-u <username> -p <password>]

crackmapexec smb <VICTIM_IP> -u '' -p '' --rid-brute # rid brute force -> you can insert here guest user with blank password or any other user if it does not work

ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h <VICTIM_IP> | grep -i samaccountname: | cut -f 2 -d " "

rpcclient -U "" -N <VICTIM_IP>
enumdomusers
enumdomgroups

Enumerate shares (alternative)

Sometimes crackmapexec does not return truthful output - it is advised to use other tools.

smbclient -L //<IP>

Connect to share

smbclient \\\\fileserver\\share

Download everything from share

mask""
recurse ON
prompt OFF
mget *

Mount share (listing bypass, can search for hidden files)

Umount old mount:

sudo umnount /mnt

Mount to kali's /mnt folder:

sudo mount -t cifs -o 'username=<USERNAME>,password=<PASSWORD>' //<IP>/<SHARE> /mnt

MSSQL

Crackmapexec user check:

crackmapexec mssql <IP> -u '<USER>' -p '<PASSWORD>' # check if user can log in (AD)
crackmapexec mssql <IP> -u '<USER>' -p '<PASSWORD>' -local-auth # check if user can log in (local)

Crackmapexec modules enumeration:

crackmapexec mssql <IP> -u '<USER>' -p '<PASSWORD>' -L # enumerate modules
crackmapexec mssql <IP> -u '<USER>' -p '<PASSWORD>' -M # use module

Log in through impacket:

impacket-mssqlclient sequel.htb/<USER>:'<PASSWORD>'@<IP>
impacket-mssqlclient sequel.htb/<USER>:'<PASSWORD>'@<IP> -windows-auth

NFS Enumeration (2049)

Show all mounts

showmount -e <IP>

Mount folder

mkdir <YOUR_FOLDER> # create folder

sudo mount -t nfs <IP>:<MOUNTABLE_FOLDER> <YOUR_FOLDER> # mount

LDAP (389, 636, 3268, 3269)

Ldapsearch:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
-H LDAP Server
-D My User
-w My password
-b Base site, all data from here will be given

Sample command

sudo ldapsearch -H ldap://<IP> -D -w -bx "DC=<domain>,DC=<domain>"

WEB (80, 443)

Information Gathering

Oracle TNS Listener (1521, 1522-1529)

Download the tool from here: https://github.com/quentinhardy/odat/releases/

Enumeration and exploitation

./odat-libc2.17-x86_64 -h # get info about the tool
./odat-libc2.17-x86_64 all -s 192.168.1.254 -p 1521 # find SID
./odat-libc2.17-x86_64 all -s 192.168.1.254 -p 1521 -d ORCL # find credentials
./odat-libc2.17-x86_64 all -s 192.168.1.254 -p 1521 -d ORCL -U scott -P tiger # scan with creds
./odat-libc2.17-x86_64 dbmsxslprocessor -s 10.129.95.188 -d XE -U scott -P tiger --putFile "C:\inetpub\wwwroot" "shell2.aspx" "shell2.aspx" --sysdba # upload file