- Introduction
- Infrastructure Based Enumeration
- Host Based Enumeration
- Remote Management Protocols
- Definition: Enumeration involves active and passive information gathering methods to collect data about targets like domains, IP addresses, and services.
- Distinct from OSINT: It's different from OSINT (Open-Source Intelligence), which relies solely on passive information gathering without actively probing the target.
- Understanding Infrastructure: Rather than forcefully breaching systems, focus on comprehending the infrastructure and the necessary technical aspects.
- Avoid Noisy Methods: Avoid noisy methods like brute-forcing, as they can trigger security measures and hinder further investigation.
- Treasure Hunter Analogy: Similar to a treasure hunter planning with maps and tools instead of randomly digging holes, understand the company's infrastructure before attempting to breach it.
- Seeing Beyond the Obvious: Consider all perspectives; there's more to uncover than what initially meets the eye.
- Distinguishing Seen and Unseen Aspects: Understand the difference between visible and hidden elements.
- Continuous Information Gathering: Always seek ways to understand the target better; there's more information available than what's initially apparent.
Constant Reminder: Write down these principles and questions for easy reference during investigations. These principles guide cybersecurity professionals to delve deeper, consider multiple angles, and continuously gather information to understand and potentially exploit a target's vulnerabilities.
The enumeration methodology in cybersecurity follows a structured approach with six layers, navigating through infrastructure, host, and operating system aspects. It provides flexibility to adapt to diverse target systems, ensuring a comprehensive assessment without overlooking crucial details.
Layer | Description | Information Categories |
---|---|---|
1. Internet Presence | Identification of internet presence and externally accessible infrastructure. | Domains, Subdomains, vHosts, ASN, Netblocks, IP Addresses, Cloud Instances, Security Measures |
2. Gateway | Identify the possible security measures to protect the company's external and internal infrastructure. | Firewalls, DMZ, IPS/IDS, EDR, Proxies, NAC, Network Segmentation, VPN, Cloudflare |
3. Accessible Services | Identify accessible interfaces and services that are hosted externally or internally. | Service Type, Functionality, Configuration, Port, Version, Interface |
4. Processes | Identify the internal processes, sources, and destinations associated with the services. | PID, Processed Data, Tasks, Source, Destination |
5. Privileges | Identification of the internal permissions and privileges to the accessible services. | Groups, Users, Permissions, Restrictions, Environment |
6. OS Setup | Identification of the internal components and systems setup. | OS Type, Patch Level, Network config, OS Environment, Configuration files, sensitive private files |
In assessments, we often encounter gaps, yet not all of them lead to entry. A time-limited penetration test cannot guarantee that every vulnerability is uncovered; some require far more study than a brief assessment allows, as the SolarWinds cyber attack exemplifies. A robust methodology must take such cases into account.
Consider an external 'black box' penetration test. Upon meeting contract requirements, the assessment commences as scheduled.
- Layer No.1: Internet Presence. This initial layer focuses on identifying targets for investigation, crucially so if the contract scope allows exploring additional hosts. Utilizing diverse techniques, we seek domains, subdomains, netblocks, and various elements indicating the company's online presence. Goal: identify all possible target systems and interfaces for testing.
- Layer No.2: Gateway. Here, we delve into understanding the reachable target's interface, its protective measures, and network placement. Due to its diversity and complexity, this layer requires detailed exploration in subsequent modules. Goal: grasp the nature of the target and recognize potential risks.
- Layer No.3: Accessible Services. This layer involves scrutinizing each service's purpose within accessible destinations. Understanding their functions is crucial for effective interaction or exploitation. Goal: comprehend service functionalities and communication methods for effective exploitation.
- Layer No.4: Processes. Every command or function initiates data processing, creating tasks with identifiable sources and targets. Goal: understand these processes and the dependencies between them.
- Layer No.5: Privileges. Services operate under specific user and group privileges set by administrators or systems, often overlooked but offering critical functionalities. Goal: identify and comprehend available privileges and their capabilities.
- Layer No.6: OS Setup. Gathering internal access-derived data about the operating system and setup reveals insights into internal security and administrative competencies. Goal: assess administrators' system management and extract sensitive internal information.

A methodology summarizes all systematic procedures in obtaining knowledge within the bounds of a given objective. It is important to note that a methodology is not a step-by-step guide but, as the definition implies, a summary of systematic procedures. In our case, the enumeration methodology is the systematic approach to explore a given target.
Domain information is vital for a test; beyond subdomains, it reveals a company's online presence. Passive gathering, where we behave like ordinary visitors, uncovers what technology the company needs. Analyzing its websites reveals services and gives insight into the company's structure. Understanding the technology we cannot see directly enriches the assessment. We pay attention to what we see and to what we do not see.
With this basic understanding acquired, we delve into the company's online presence.
Imagine a scenario: a medium-sized firm hires us for a black-box test with a limited target scope. Our task: gather all necessary information independently.
Exploration begins with the SSL certificate from the main website, which often covers multiple active domains and offers initial insight into the company's online footprint.
Another valuable resource is crt.sh, which leverages Certificate Transparency logs to let anyone verify issued digital certificates. This helps detect false or malicious certificates, and the stored entries are available for analysis. Certificate providers like Let's Encrypt share these with the web interface crt.sh, which stores the new entries in its database to be accessed later.
Analysis provided by crt.sh:

```bash
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq .
```

If needed, we can also filter the output down to the unique subdomains:

```bash
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
```
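As an added example (not from the page and not crt.sh's own code), the following Python script performs the same subdomain extraction on a constructed sample of crt.sh's JSON output; unlike the shell pipeline above it normalises case, keeps wildcard entries separate from concrete hosts, and counts certificates per issuer so an unexpected CA stands out. The sample records and the inlanefreight.com domain are assumptions.

```python
import json

# Constructed sample of what https://crt.sh/?q=<domain>&output=json returns,
# trimmed to the fields this script uses (not real certificate data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.inlanefreight.com",
     "name_value": "inlanefreight.com\nwww.inlanefreight.com",
     "not_before": "2021-05-01T00:00:00", "not_after": "2021-07-30T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.inlanefreight.com",
     "name_value": "*.inlanefreight.com\ninlanefreight.com",
     "not_before": "2021-06-01T00:00:00", "not_after": "2021-08-30T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "support.inlanefreight.com",
     "name_value": "support.inlanefreight.com\nSupport.Inlanefreight.com",
     "not_before": "2020-01-10T00:00:00", "not_after": "2021-01-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "inlanefreight.com",
     "name_value": "inlanefreight.com",
     "not_before": "2021-05-01T00:00:00", "not_after": "2021-07-30T00:00:00"},
])


def extract_subdomains(crtsh_json, domain):
    """Return the sorted unique hostnames under `domain` found in crt.sh output.

    `name_value` carries one or more SAN entries separated by literal newlines
    (the reason the shell pipeline needs the awk gsub step). Names are
    lowercased so differently-cased duplicates collapse into one entry.
    """
    domain = domain.lower()
    suffix = "." + domain
    names = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name == domain or name.endswith(suffix):
                names.add(name)
    return sorted(names)


def split_wildcards(names):
    """Separate wildcard entries (not directly testable hosts) from concrete hosts."""
    concrete = [n for n in names if not n.startswith("*.")]
    wildcards = [n for n in names if n.startswith("*.")]
    return concrete, wildcards


def issuers(crtsh_json):
    """Count certificates per issuer; a CA the organisation never uses is a red flag."""
    counts = {}
    for entry in json.loads(crtsh_json):
        issuer = entry.get("issuer_name", "")
        counts[issuer] = counts.get(issuer, 0) + 1
    return counts


if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_CRTSH_JSON, "inlanefreight.com")
    concrete, wildcards = split_wildcards(hosts)
    print("hosts:", concrete)
    print("wildcards:", wildcards)
    print("issuers:", issuers(SAMPLE_CRTSH_JSON))
```

For a live query, replace SAMPLE_CRTSH_JSON with the body returned by the curl command above.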
Next, we can identify the hosts directly accessible from the Internet and not hosted by third-party providers. This is because we are not allowed to test the hosts without the permission of third-party providers.

```bash
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done
```

Once we see which hosts can be investigated further, we can generate a list of IP addresses with a minor adjustment to the cut command and run them through Shodan.

```bash
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done
for i in $(cat ip-addresses.txt);do shodan host $i;done
```
Next, it is important to continue by analyzing the DNS records of the domain, for example:

```bash
dig any example.com
```
Cloud services such as AWS, GCP, Azure, and others are now essential components for many companies, so we have to understand them as well.
This often starts with S3 buckets (AWS), blobs (Azure), and cloud storage (GCP), which can be accessed without authentication if configured incorrectly. The same host lookup as before can show which subdomains resolve to a cloud provider's addresses:

```bash
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done
```
One of the easiest and most used methods is a Google search combined with Google Dorks. For example, we can use the Google Dorks inurl: with a domain (like amazonaws.com) and intext: with the company name to narrow our search to specific terms.
- AWS => inurl:amazonaws.com
- Azure => inurl:blob.core.windows.net
Third-party providers such as domain.glass can also tell us a lot about the company's infrastructure.
Analyzing social media profiles of employees can provide insights into a company's infrastructure and technology stack.
- Job postings can reveal the preferred programming languages, databases, web frameworks, and version control systems used by a company.
- Employee profiles can showcase their skills and projects, indicating their expertise and the technologies they are familiar with.
- GitHub repositories linked to employee profiles can provide direct access to code and potential vulnerabilities.
- LinkedIn offers advanced search options to filter employees based on their expertise and connections.
- Targeting technical employees in both development and security teams can provide a comprehensive understanding of the company's infrastructure and security posture.
FTP (File Transfer Protocol) is one of the oldest Internet protocols, operating within the application layer of the TCP/IP stack. It establishes control and data channels through TCP ports 21 and 20 respectively. FTP supports active/passive modes, various commands, and status codes for file management. It requires credentials for access, though some servers may offer restricted anonymous FTP. It is vulnerable to sniffing as it operates as a clear-text protocol.
TFTP (Trivial File Transfer Protocol) is simpler than FTP, uses UDP, and lacks user authentication and advanced features. Access is limited only by OS file permissions, making it suitable for local and protected networks only. It supports basic commands for file transfer but lacks directory listing functionality.
Let us take a look at a few commands of TFTP:
Command | Description |
---|---|
connect | Sets the remote host and, optionally, the port for file transfers. |
get | Transfers file(s) from the remote host to the local host. |
put | Transfers file(s) from the local host onto the remote host. |
quit | Exits TFTP. |
status | Shows the current status of TFTP, including transfer mode, connection status, timeout value, etc. |
verbose | Turns verbose mode (additional information during file transfer) on or off. |
One of the most used FTP servers on Linux-based distributions is vsFTPd. The default configuration of vsFTPd can be found in /etc/vsftpd.conf, and some settings are already predefined by default.

- Install vsFTPd

```bash
sudo apt install vsftpd
```

- vsFTPd Config File

```bash
cat /etc/vsftpd.conf | grep -v "#"
```

Setting | Description |
---|---|
`listen` | Run from inetd or as a standalone daemon? (`NO` by default) |
`listen_ipv6` | Listen on IPv6? (`YES` by default) |
`anonymous_enable` | Enable anonymous access? (`NO` by default) |
`local_enable` | Allow local users to login? (`YES` by default) |
`dirmessage_enable` | Display active directory messages when users go into certain directories? (`YES` by default) |
`use_localtime` | Use local time? (`YES` by default) |
`xferlog_enable` | Activate logging of uploads/downloads? (`YES` by default) |
`connect_from_port_20` | Connect from port 20? (`YES` by default) |
`secure_chroot_dir` | Name of an empty directory (`/var/run/vsftpd/empty` by default) |
`pam_service_name` | The name of the PAM service vsftpd will use. |
`rsa_cert_file` | Location of the RSA certificate to use for SSL encrypted connections. |
`rsa_private_key_file` | Location of the RSA private key to use for SSL encrypted connections. |
`ssl_enable` | Enable SSL? (`NO` by default) |

In addition, there is a file called /etc/ftpusers that we also need to pay attention to, as this file is used to deny certain users access to the FTP service.

```bash
cat /etc/ftpusers
guest
```
- Dangerous Settings

FTP servers offer numerous security-related configurations to test connections, routes, and authentication methods. Among these mechanisms is the anonymous user, commonly used within internal networks to facilitate file and data sharing without direct access to individual computers. For vsFTPd, configuration settings for anonymous login include:

Setting | Description |
---|---|
`anonymous_enable=YES` | Allowing anonymous login? |
`anon_upload_enable=YES` | Allowing anonymous to upload files? |
`anon_mkdir_write_enable=YES` | Allowing anonymous to create new directories? |
`no_anon_password=YES` | Do not ask anonymous for a password? |
`anon_root=/home/username/ftp` | Directory for anonymous. |
`write_enable=YES` | Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE? |

- Access via FTP Client: Using the standard FTP client (ftp) allows access to the FTP server with the configured anonymous user if the aforementioned settings have been applied.
- Usage in Internal Environments: The anonymous account is utilized in known internal environments or infrastructures where participants are recognized. This facilitates file exchange, either temporarily or as a consistent setting.
- vsFTPd Server Connection:
  - Response Code: Upon connection, the vsFTPd server responds with code 220, displaying the FTP server banner.
  - Banner Content: The banner typically contains the service description, version details, and the system type of the FTP server.
- Anonymous Access Configuration:
  - Common Configuration: Many FTP servers are configured to allow anonymous access, granting access to certain files without requiring legitimate credentials.
  - Access Benefits: Even if downloading files is restricted, listing the file contents can provide valuable insights, aiding in generating ideas or collecting information for alternative approaches.
- Anonymous Login

```
ftp 10.189.114.136
Connected to 10.129.14.136.
220 "Welcome to the vsFTP service."
Name (10.129.14.136:cry0l1t3): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002      8138592 Sep 14 16:54 Calender.pptx
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Clients
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Documents
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Employees
-rw-rw-r--    1 1002     1002           41 Sep 14 16:45 Important Notes.txt
226 Directory send OK.
```

- vsFTPd Status

```
ftp> status
Connected to 10.129.14.136.
No proxy connection.
Connecting using address family: any.
Mode: stream; Type: binary; Form: non-print; Structure: file
Verbose: on; Bell: off; Prompting: on; Globbing: on
Store unique: off; Receive unique: off
Case: off; CR stripping: on
Quote control characters: on
Ntrans: off
Nmap: off
Hash mark printing: off; Use of PORT cmds: on
Tick counter printing: off
```

- vsFTPd Detailed Output

```
ftp> debug
Debugging on (debug=1).
ftp> trace
Packet tracing on.
ftp> ls
---> PORT 10,10,14,4,188,195
200 PORT command successful. Consider using PASV.
---> LIST
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002      8138592 Sep 14 16:54 Calender.pptx
drwxrwxr-x    2 1002     1002         4096 Sep 14 17:03 Clients
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Documents
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Employees
-rw-rw-r--    1 1002     1002           41 Sep 14 16:45 Important Notes.txt
226 Directory send OK.
```
Setting | Description |
---|---|
`dirmessage_enable=YES` | Show a message when users enter a new directory? |
`chown_uploads=YES` | Change ownership of anonymously uploaded files? |
`chown_username=username` | User given ownership of anonymously uploaded files. |
`local_enable=YES` | Enable local users to log in? |
`chroot_local_user=YES` | Place local users into their home directory? |
`chroot_list_enable=YES` | Use a list of local users to be placed in their home directory? |

- Hiding IDs - YES

Setting | Description |
---|---|
`hide_ids=YES` | All user and group information in directory listings displayed as "ftp". |
`ls_recurse_enable=YES` | Allows the use of recursive listings. |

In the following example, we can see that if the hide_ids=YES setting is present, the UID and GID representation of the service will be overwritten, making it more difficult for us to identify with which rights these files are written and uploaded.

```
ftp> ls
---> TYPE A
200 Switching to ASCII mode.
ftp: setsockopt (ignored): Permission denied
---> PORT 10,10,14,4,223,101
200 PORT command successful. Consider using PASV.
---> LIST
150 Here comes the directory listing.
-rw-rw-r--    1 ftp      ftp       8138592 Sep 14 16:54 Calender.pptx
drwxrwxr-x    2 ftp      ftp          4096 Sep 14 17:03 Clients
drwxrwxr-x    2 ftp      ftp          4096 Sep 14 16:50 Documents
drwxrwxr-x    2 ftp      ftp          4096 Sep 14 16:50 Employees
-rw-rw-r--    1 ftp      ftp            41 Sep 14 16:45 Important Notes.txt
-rw-------    1 ftp      ftp             0 Sep 15 14:57 testupload.txt
226 Directory send OK.
```
This setting is a security feature to prevent local usernames from being revealed. With the usernames, we could attack the services like FTP and SSH and many others with a brute-force attack in theory.
- Recursive Listing

Another helpful setting we can use for our purposes is ls_recurse_enable=YES. This is often set on the vsFTPd server to have a better overview of the FTP directory structure, as it allows us to see all the visible content at once.

```
ftp> ls -R
---> PORT 10,10,14,4,222,149
200 PORT command successful. Consider using PASV.
---> LIST -R
150 Here comes the directory listing.
.:
-rw-rw-r--    1 ftp      ftp       8138592 Sep 14 16:54 Calender.pptx
drwxrwxr-x    2 ftp      ftp          4096 Sep 14 17:03 Clients
drwxrwxr-x    2 ftp      ftp          4096 Sep 14 16:50 Documents
drwxrwxr-x    2 ftp      ftp          4096 Sep 14 16:50 Employees
-rw-rw-r--    1 ftp      ftp            41 Sep 14 16:45 Important Notes.txt
-rw-------    1 ftp      ftp             0 Sep 15 14:57 testupload.txt

./Clients:
drwx------    2 ftp      ftp          4096 Sep 16 18:04 HackTheBox
drwxrwxrwx    2 ftp      ftp          4096 Sep 16 18:00 Inlanefreight

./Clients/HackTheBox:
-rw-r--r--    1 ftp      ftp         34872 Sep 16 18:04 appointments.xlsx
-rw-r--r--    1 ftp      ftp        498123 Sep 16 18:04 contract.docx
-rw-r--r--    1 ftp      ftp        478237 Sep 16 18:04 contract.pdf
-rw-r--r--    1 ftp      ftp           348 Sep 16 18:04 meetings.txt

./Clients/Inlanefreight:
-rw-r--r--    1 ftp      ftp         14211 Sep 16 18:00 appointments.xlsx
-rw-r--r--    1 ftp      ftp         37882 Sep 16 17:58 contract.docx
-rw-r--r--    1 ftp      ftp            89 Sep 16 17:58 meetings.txt
-rw-r--r--    1 ftp      ftp        483293 Sep 16 17:59 proposal.pptx

./Documents:
-rw-r--r--    1 ftp      ftp         23211 Sep 16 18:05 appointments-template.xlsx
-rw-r--r--    1 ftp      ftp         32521 Sep 16 18:05 contract-template.docx
-rw-r--r--    1 ftp      ftp        453312 Sep 16 18:05 contract-template.pdf

./Employees:
226 Directory send OK.
```
- Download a File

Downloading files from such an FTP server is one of its main features, as is uploading files created by us. This paves the way for techniques such as LFI or RCE.

```
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 ftp      ftp             0 Sep 16 17:24 Calendar.pptx
drwxrwxrwx    4 ftp      ftp          4096 Sep 16 17:57 Clients
drwxrwxrwx    2 ftp      ftp          4096 Sep 16 18:05 Documents
drwxrwxrwx    2 ftp      ftp          4096 Sep 16 17:24 Employees
-rwxrwxrwx    1 ftp      ftp            41 Sep 18 15:58 Important Notes.txt
226 Directory send OK.
ftp> get Important\ Notes.txt
local: Important Notes.txt remote: Important Notes.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Important Notes.txt (41 bytes).
226 Transfer complete.
41 bytes received in 0.00 secs (606.6525 kB/s)
ftp> exit
221 Goodbye.
```
- Download All Available Files

```
wget -m --no-passive ftp://anonymous:<password>@10.129.14.136
--2021-09-19 14:45:58--  ftp://anonymous:*password*@10.129.14.136/
           => ‘10.129.14.136/.listing’
Connecting to 10.129.14.136:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> PORT ... done.    ==> LIST ... done.
12.12.1.136/.listing    [ <=>    ]     466  --.-KB/s    in 0s
2021-09-19 14:45:58 (65,8 MB/s) - ‘10.129.14.136/.listing’ saved [466]
--2021-09-19 14:45:58--  ftp://anonymous:*password*@10.129.14.136/Calendar.pptx
           => ‘10.129.14.136/Calendar.pptx’
==> CWD not required.
==> SIZE Calendar.pptx ... done.
==> PORT ... done.    ==> RETR Calendar.pptx ... done.
...SNIP...
2021-09-19 14:45:58 (48,3 MB/s) - ‘10.129.14.136/Employees/.listing’ saved [119]
FINISHED --2021-09-19 14:45:58--
Total wall clock time: 0,03s
Downloaded: 15 files, 1,7K in 0,001s (3,02 MB/s)
```
- Upload a File

With the put command, we can upload files from the current folder to the FTP server.

```
ftp> put testupload.txt
local: testupload.txt remote: testupload.txt
---> PORT 10,10,14,4,184,33
200 PORT command successful. Consider using PASV.
---> STOR testupload.txt
150 Ok to send data.
226 Transfer complete.
ftp> ls
---> TYPE A
200 Switching to ASCII mode.
---> PORT 10,10,14,4,223,101
200 PORT command successful. Consider using PASV.
---> LIST
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002      8138592 Sep 14 16:54 Calender.pptx
drwxrwxr-x    2 1002     1002         4096 Sep 14 17:03 Clients
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Documents
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Employees
-rw-rw-r--    1 1002     1002           41 Sep 14 16:45 Important Notes.txt
-rw-------    1 1002     133             0 Sep 15 14:57 testupload.txt
226 Directory send OK.
```
- Nmap FTP Scripts

```bash
sudo nmap --script-updatedb
```

All the NSE scripts are located in /usr/share/nmap/scripts/, but on our systems we can also find them using a simple command:

```bash
find / -type f -name ftp* 2>/dev/null | grep scripts
```
- Nmap

As we already know, the FTP server usually runs on the standard TCP port 21, which we can scan using Nmap. We also use the version scan (-sV), aggressive scan (-A), and the default script scan (-sC) against our target 10.179.114.136.

```bash
sudo nmap -sV -p21 -sC -A 10.129.14.136
```

- Nmap Script Trace

```bash
sudo nmap -sV -p21 -sC -A 10.179.114.136 --script-trace
```
- Service Interaction

If necessary, we can, of course, use other applications such as netcat or telnet to interact with the FTP server.

```bash
nc -nv 10.129.14.136 21
telnet 10.129.14.136 21
```

It looks slightly different if the FTP server runs with TLS/SSL encryption, because then we need a client that can handle TLS/SSL. For this, we can use the openssl client to communicate with the FTP server. The good thing about using openssl is that we can also see the SSL certificate, which can be helpful.

```
openssl s_client -connect 10.129.14.136:21 -starttls ftp
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = California, L = Sacramento, O = Inlanefreight, OU = Dev, CN = master.inlanefreight.htb, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Sacramento, O = Inlanefreight, OU = Dev, CN = master.inlanefreight.htb, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Sacramento, O = Inlanefreight, OU = Dev, CN = master.inlanefreight.htb, emailAddress = [email protected]
   i:C = US, ST = California, L = Sacramento, O = Inlanefreight, OU = Dev, CN = master.inlanefreight.htb, emailAddress = [email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIENTCCAx2gAwIBAgIUD+SlFZAWzX5yLs2q3ZcfdsRQqMYwDQYJKoZIhvcNAQEL
...SNIP...
```

This is because the SSL certificate allows us to recognize the hostname, for example, and in most cases also an email address for the organization or company.
Server Message Block (SMB) is a client-server protocol governing access to files, directories, and network resources like printers. Initially part of OS/2's LAN Manager, it's chiefly used within the Windows OS, allowing newer systems to communicate with older ones. Samba, a free software project, extends SMB to Linux and Unix, enabling cross-platform communication.
SMB facilitates communication between clients and network participants to access shared files or services. Both parties must implement the protocol, exchange messages, and establish a TCP-based connection through a three-way handshake. An SMB server can offer parts of its file system as shares, with access rights defined by Access Control Lists (ACLs). These ACLs grant specific permissions to users or user groups, independent of local server rights.
Samba bridges Unix and Windows via the Common Internet File System (CIFS), an SMB "dialect." SMB versions differ in Windows support and features. Samba's v3 supports Active Directory, while v4 can serve as a domain controller. Hosts in a workgroup connect via NetBIOS/WINS for naming and data sharing.
CIFS is an extension of the SMB protocol. When we pass SMB commands over Samba to an older NetBIOS service, the connection to the Samba server usually uses TCP ports 137, 138, and 139, whereas CIFS uses TCP port 445 only. There are several versions of SMB, including outdated versions that are still used in specific infrastructures.
SMB Version | Supported | Features |
---|---|---|
CIFS | Windows NT 4.0 | Communicates through NetBIOS interface |
SMB 1.0 | Windows 2000 | Direct TCP connection |
SMB 2.0 | Windows Vista, Windows Server 2008 | Enhanced performance, improved message signing, caching feature |
SMB 2.1 | Windows 7, Windows Server 2008 R2 | Locking mechanisms |
SMB 3.0 | Windows 8, Windows Server 2012 | Multichannel connections, end-to-end encryption, remote storage access |
SMB 3.0.2 | Windows 8.1, Windows Server 2012 R2 | |
SMB 3.1.1 | Windows 10, Windows Server 2016 | Integrity checking, AES-128 encryption |
Presently, Samba's version 3 empowers full Active Directory membership, while version 4 operates as an Active Directory domain controller. In the network environment, hosts in a workgroup collaborate, facilitated by the NetBIOS/WINS for naming and data exchange purposes.
With version 4, Samba even provides an Active Directory domain controller. It contains several so-called daemons for this purpose, which are Unix background programs. The SMB server daemon (smbd) belonging to Samba provides the first two functionalities, while the NetBIOS message block daemon (nmbd) implements the last two functionalities. The SMB service controls these two background programs.
We know that Samba is suitable for both Linux and Windows systems. In a network, each host participates in the same workgroup. A workgroup is a group name that identifies an arbitrary collection of computers and their resources on an SMB network. There can be multiple workgroups on the network at any given time. IBM developed an application programming interface (API) for networking computers called the Network Basic Input/Output System (NetBIOS).
- Default Configuration

As we can imagine, Samba offers a wide range of settings that we can configure. Again, we define the settings via a text file where we can get an overview of some of the settings.

```
cat /etc/samba/smb.conf | grep -v "#\|\;"
[global]
   workgroup = DEV.INFREIGHT.LOCAL
   server string = DEVSMB
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
```

We see global settings and two shares that are intended for printers. The global settings are the configuration of the available SMB server that is used for all shares.

Setting | Description |
---|---|
[sharename] | The name of the network share. |
workgroup = WORKGROUP/DOMAIN | Workgroup that will appear when clients query. |
path = path/here | The directory to which the user is to be given access. |
server string = STRING | The string that will show up when a connection is initiated. |
unix password sync = yes | Synchronize the UNIX password with the SMB password? |
usershare allow guests = yes | Allow non-authenticated users to access the defined share? |
map to guest = bad user | What to do when a user login request doesn't match a valid UNIX user? |
browseable = yes | Should this share be shown in the list of available shares? |
guest ok = yes | Allow connecting to the service without using a password? |
read only = yes | Allow users to read files only? |
create mask = 0700 | What permissions need to be set for newly created files? |

- Dangerous Settings

The settings outlined in the configuration are sensitive. For instance, enabling 'browseable = yes' offers convenience to employees, allowing easy access and navigation through shared folders for organizational purposes. However, this convenience extends to potential attackers who, upon gaining access, can use this setting to explore sensitive contents, posing a security risk to the company's data. This dual nature of settings highlights the trade-off between user convenience and potential vulnerabilities.

Setting | Description |
---|---|
browseable = yes | Allow listing available shares in the current share? |
read only = no | Forbid the creation and modification of files? |
writable = yes | Allow users to create and modify files? |
guest ok = yes | Allow connecting to the service without using a password? |
enable privileges = yes | Honor privileges assigned to specific SID? |
create mask = 0777 | What permissions must be assigned to the newly created files? |
directory mask = 0777 | What permissions must be assigned to the newly created directories? |
logon script = script.sh | Script to be executed on the user's login? |
magic script = script.sh | Script to be executed when the session is closed? |
magic output = script.out | Location to store the output of the magic script? |

- Example Share

In creating a share like [notes] and others, applying the settings as listed can significantly impact the enumeration process. Settings commonly employed for testing purposes might persist within internal subnets or small team environments in larger departments, inadvertently granting broad access. Failure to reset these settings leads to unintended consequences, allowing easy browsing, inspection, and potential download of shared data, posing a significant security risk.

```
...SNIP...
[notes]
   comment = CheckIT
   path = /mnt/notes/
   browseable = yes
   read only = no
   writable = yes
   guest ok = yes
   enable privileges = yes
   create mask = 0777
   directory mask = 0777
```
It is highly recommended to look at the man pages for Samba, configure it ourselves, and experiment with the settings. We will then discover potential aspects that will be interesting for us as penetration testers. In addition, the more familiar we become with the Samba server and SMB, the easier it will be to find our way around the environment and use it for our purposes. Once we have adjusted /etc/samba/smb.conf to our needs, we have to restart the service on the server.

- Restart Samba

```bash
sudo systemctl restart smbd
```
- SMBclient - Connecting to the Share

```
smbclient -N -L //10.129.14.128

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        home            Disk      INFREIGHT Samba
        dev             Disk      DEVenv
        notes           Disk      CheckIT
        IPC$            IPC       IPC Service (DEVSM)
SMB1 disabled -- no workgroup available
```

The Samba server now hosts five distinct shares, including the default 'print$' and 'IPC$' shares established in the basic configuration. Focusing on the '[notes]' share, accessing and inspecting it through the client program allows for a closer examination. For those unfamiliar with the client program, the 'help' command after login reveals a comprehensive list of available commands, aiding navigation and execution within the share.

```
smbclient //10.129.14.128/notes
Enter WORKGROUP\<username>'s password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            deltree        dir
du             echo           exit           get            getfacl
geteas         hardlink       help           history        iosize
lcd            link           lock           lowercase      ls
l              mask           md             mget           mkdir
more           mput           newer          notify         open
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir
posix_unlink   posix_whoami   print          prompt         put
pwd            q              queue          quit           readlink
rd             recurse        reget          rename         reput
rm             rmdir          showacls       setea          setmode
scopy          stat           symlink        tar            tarmode
timeout        translate      unlock         volume         vuid
wdel           logon          listconnect    showconnect    tcon
tdis           tid            utimes         logoff         ..
!
smb: \> ls
  .                                   D        0  Wed Sep 22 18:17:51 2021
  ..                                  D        0  Wed Sep 22 12:03:59 2021
  prep-prod.txt                       N       71  Sun Sep 19 15:45:21 2021

                30313412 blocks of size 1024. 16480084 blocks available
```
- Download Files from SMB

Once we have discovered interesting files or folders, we can download them using the `get` command. Smbclient also allows us to execute local system commands by prefixing them with an exclamation mark (`!<cmd>`) without interrupting the connection.

```bash
smb: \> get prep-prod.txt

getting file \prep-prod.txt of size 71 as prep-prod.txt (8,7 KiloBytes/sec) (average 8,7 KiloBytes/sec)

smb: \> !ls

prep-prod.txt

smb: \> !cat prep-prod.txt

[] check your code with the templates
[] run code-assessment.py
[] …
```
- Samba Status

From an administrative perspective, `smbstatus` offers insights into active connections on the Samba server, displaying details such as connected clients, their originating hosts, and the accessed shares. This information becomes crucial when navigating subnets or isolated networks that others can reach as well.

In domain-level security, the Samba server operates as part of a Windows domain, which typically includes at least one domain controller responsible for password authentication. The domain controller handles authentication within the workgroup, managing user credentials in its Security Authentication Module (SAM). Upon user login and share access requests, these domain controllers authenticate the users, enhancing security within the network.

```bash
smbstatus

Samba version 4.11.6-Ubuntu
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
75691   sambauser    samba        10.10.14.4 (ipv4:10.10.14.4:45564)        SMB3_11           -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
notes        75691   10.10.14.4    Do Sep 23 00:12:06 2021 CEST     -            -

No locked files
```
- Nmap

```bash
sudo nmap 10.129.14.128 -sV -sC -p139,445

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 15:15 CEST
Nmap scan report for sharing.inlanefreight.htb (10.129.14.128)
Host is up (0.00024s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 00:00:00:00:00:00 (VMware)

Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-09-19T13:16:04
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.35 seconds
```
- RPCclient

We can see from the results that Nmap did not provide us with very much here. Therefore, we should resort to other tools that allow us to interact manually with SMB and send specific requests for the information. One handy tool for this is `rpcclient`, a tool to perform MS-RPC functions. The Remote Procedure Call (RPC) is a concept and, therefore, also a central tool to realize operational and work-sharing structures in networks and client-server architectures. A communication process via RPC includes passing parameters and returning a function value.

```bash
rpcclient -U "" 10.129.14.128

Enter WORKGROUP\'s password:
rpcclient $>
```

The `rpcclient` offers us many different requests with which we can execute specific functions on the SMB server to get information. A complete list of these functions can be found in the rpcclient man page.

Query | Description |
---|---|
srvinfo | Server information. |
enumdomains | Enumerate all domains deployed in the network. |
querydominfo | Provides domain, server, and user information of deployed domains. |
netshareenumall | Enumerates all available shares. |
netsharegetinfo <share> | Provides information about a specific share. |
enumdomusers | Enumerates all domain users. |
queryuser <RID> | Provides information about a specific user. |

- RPCclient - Enumeration

```bash
rpcclient $> srvinfo

        DEVSMB         Wk Sv PrQ Unx NT SNT DEVSM
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

rpcclient $> enumdomains

name:[DEVSMB] idx:[0x0]
name:[Builtin] idx:[0x1]

rpcclient $> querydominfo

Domain:         DEVOPS
Server:         DEVSMB
Comment:        DEVSM
Total Users:    2
Total Groups:   0
Total Aliases:  0
Sequence No:    1632361158
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1

rpcclient $> netshareenumall

netname: print$
        remark: Printer Drivers
        path:   C:\var\lib\samba\printers
        password:
netname: home
        remark: INFREIGHT Samba
        path:   C:\home\
        password:
netname: dev
        remark: DEVenv
        path:   C:\home\sambauser\dev\
        password:
netname: notes
        remark: CheckIT
        path:   C:\mnt\notes\
        password:
netname: IPC$
        remark: IPC Service (DEVSM)
        path:   C:\tmp
        password:

rpcclient $> netsharegetinfo notes

netname: notes
        remark: CheckIT
        path:   C:\mnt\notes\
        password:
        type:   0x0
        perms:  0
        max_uses:       -1
        num_uses:       1
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
        ACL     Num ACEs:       1       revision:       2
        ---
        ACE
                type: ACCESS ALLOWED (0) flags: 0x00
                Specific bits: 0x1ff
                Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
                SID: S-1-1-0
```
The examples above highlight the potential information leakage to anonymous users within a network. Granting anonymous users access to network services can inadvertently expose critical information or grant excessive permissions, posing a significant risk to the entire network's security. Anonymous access not only jeopardizes the network but also facilitates the discovery of other users, potentially leading to aggressive brute-force attacks. Human error, coupled with inadequate security awareness and lax password practices, often results in weak passwords that are easy to crack.
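As an added example (not part of the original notes), the following Python script parses the `netsharegetinfo` output above and flags ACEs that hand broad principals such as Everyone write-class rights, which is exactly the `S-1-1-0` full-control entry on the `notes` share; the sample text is the rpcclient output shown above, re-typed.

```python
"""Audit a share's security descriptor from rpcclient 'netsharegetinfo' output.

Added example (not part of the original notes): parses the text rpcclient
prints for one share, extracts the DACL entries and flags ACEs that grant
broad principals (Everyone, Anonymous) write-class rights. SAMPLE is the
'notes' share output shown above, re-typed.
"""
import re
from dataclasses import dataclass, field

# Well-known SIDs that require no real identity.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon"}

# Access-mask bits from the Windows security model (MS-DTYP ACCESS_MASK).
RISKY_BITS = {
    0x10000000: "GENERIC_ALL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00010000: "DELETE",
    0x00000002: "FILE_WRITE_DATA",
}


@dataclass
class Ace:
    allowed: bool
    mask: int
    sid: str


@dataclass
class ShareInfo:
    netname: str = ""
    path: str = ""
    aces: list = field(default_factory=list)


def parse_netsharegetinfo(text: str) -> ShareInfo:
    """Parse one 'netsharegetinfo <share>' block as printed by rpcclient."""
    share, current = ShareInfo(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("netname:"):
            share.netname = line.split(":", 1)[1].strip()
        elif line.startswith("path:"):
            share.path = line.split(":", 1)[1].strip()
        elif line.startswith("type: ACCESS"):
            # "type: ACCESS ALLOWED (0) flags: 0x00" opens a new ACE
            current = Ace(allowed="ALLOWED" in line, mask=0, sid="")
        elif line.startswith("Permissions:") and current is not None:
            m = re.match(r"Permissions:\s*(0x[0-9a-fA-F]+)", line)
            current.mask = int(m.group(1), 16)
        elif line.startswith("SID:") and current is not None:
            current.sid = line.split(":", 1)[1].strip()
            share.aces.append(current)
            current = None
    return share


def risky_aces(share: ShareInfo) -> list:
    """Return (principal, [right names]) for every ACE that grants a broad
    principal write-class rights; an empty list means nothing to flag."""
    findings = []
    for ace in share.aces:
        if not ace.allowed or ace.sid not in BROAD_SIDS:
            continue
        rights = [name for bit, name in RISKY_BITS.items() if ace.mask & bit]
        if rights:
            findings.append((BROAD_SIDS[ace.sid], rights))
    return findings


SAMPLE = """\
netname: notes
        remark: CheckIT
        path:   C:\\mnt\\notes\\
        password:
        type:   0x0
        perms:  0
        max_uses:       -1
        num_uses:       1
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
        ACL     Num ACEs:       1       revision:       2
        ---
        ACE
                type: ACCESS ALLOWED (0) flags: 0x00
                Specific bits: 0x1ff
                Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
                SID: S-1-1-0
"""

if __name__ == "__main__":
    info = parse_netsharegetinfo(SAMPLE)
    for principal, rights in risky_aces(info):
        print(f"[!] {info.netname} ({info.path}): {principal} has {', '.join(rights)}")
```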
- Rpcclient - User Enumeration

To illustrate user enumeration, the `rpcclient` tool can be employed, showing how attackers could use these requests to enumerate users within the network.

```bash
rpcclient $> enumdomusers

user:[mrb3n] rid:[0x3e8]
user:[cry0l1t3] rid:[0x3e9]

rpcclient $> queryuser 0x3e9

        User Name   :   cry0l1t3
        Full Name   :   cry0l1t3
        Home Drive  :   \\devsmb\cry0l1t3
        Dir Drive   :
        Profile Path:   \\devsmb\cry0l1t3\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Do, 01 Jan 1970 01:00:00 CET
        Logoff Time              :      Mi, 06 Feb 2036 16:06:39 CET
        Kickoff Time             :      Mi, 06 Feb 2036 16:06:39 CET
        Password last set Time   :      Mi, 22 Sep 2021 17:50:56 CEST
        Password can change Time :      Mi, 22 Sep 2021 17:50:56 CEST
        Password must change Time:      Do, 14 Sep 30828 04:48:05 CEST
        unknown_2[0..31]...
        user_rid :      0x3e9
        group_rid:      0x201
        acb_info :      0x00000014
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...

rpcclient $> queryuser 0x3e8

        User Name   :   mrb3n
        Full Name   :
        Home Drive  :   \\devsmb\mrb3n
        Dir Drive   :
        Profile Path:   \\devsmb\mrb3n\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Do, 01 Jan 1970 01:00:00 CET
        Logoff Time              :      Mi, 06 Feb 2036 16:06:39 CET
        Kickoff Time             :      Mi, 06 Feb 2036 16:06:39 CET
        Password last set Time   :      Mi, 22 Sep 2021 17:47:59 CEST
        Password can change Time :      Mi, 22 Sep 2021 17:47:59 CEST
        Password must change Time:      Do, 14 Sep 30828 04:48:05 CEST
        unknown_2[0..31]...
        user_rid :      0x3e8
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...
```
- Rpcclient - Group Information

We can then use the results to identify the group's RID, which we can in turn use to retrieve information about the entire group.

```bash
rpcclient $> querygroup 0x201

        Group Name:     None
        Description:    Ordinary Users
        Group Attribute:7
        Num Members:2
```
- Brute Forcing User RIDs

```bash
for i in $(seq 500 1100); do
    rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""
done

        User Name   :   sambauser
        user_rid :      0x1f5
        group_rid:      0x201

        User Name   :   mrb3n
        user_rid :      0x3e8
        group_rid:      0x201

        User Name   :   cry0l1t3
        user_rid :      0x3e9
        group_rid:      0x201
```
- Impacket - Samrdump.py

An alternative to this would be a Python script from Impacket called samrdump.py.

```bash
samrdump.py 10.129.14.128

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Retrieving endpoint list from 10.129.14.128
Found domain(s):
 . DEVSMB
 . Builtin
[*] Looking up users in domain DEVSMB
Found user: mrb3n, uid = 1000
Found user: cry0l1t3, uid = 1001
mrb3n (1000)/FullName:
mrb3n (1000)/UserComment:
mrb3n (1000)/PrimaryGroupId: 513
mrb3n (1000)/BadPasswordCount: 0
mrb3n (1000)/LogonCount: 0
mrb3n (1000)/PasswordLastSet: 2021-09-22 17:47:59
mrb3n (1000)/PasswordDoesNotExpire: False
mrb3n (1000)/AccountIsDisabled: False
mrb3n (1000)/ScriptPath:
cry0l1t3 (1001)/FullName: cry0l1t3
cry0l1t3 (1001)/UserComment:
cry0l1t3 (1001)/PrimaryGroupId: 513
cry0l1t3 (1001)/BadPasswordCount: 0
cry0l1t3 (1001)/LogonCount: 0
cry0l1t3 (1001)/PasswordLastSet: 2021-09-22 17:50:56
cry0l1t3 (1001)/PasswordDoesNotExpire: False
cry0l1t3 (1001)/AccountIsDisabled: False
cry0l1t3 (1001)/ScriptPath:
[*] Received 2 entries.
```
The information we have already obtained with `rpcclient` can also be obtained using other tools. For example, the SMBMap and CrackMapExec tools are also widely used and helpful for the enumeration of SMB services.

- SMBmap

```bash
smbmap -H 10.129.14.128

[+] Finding open SMB ports....
[+] User SMB session established on 10.129.14.128...
[+] IP: 10.129.14.128:445     Name: 10.129.14.128
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        home                                                    NO ACCESS       INFREIGHT Samba
        dev                                                     NO ACCESS       DEVenv
        notes                                                   NO ACCESS       CheckIT
        IPC$                                                    NO ACCESS       IPC Service (DEVSM)
```
- CrackMapExec

```bash
crackmapexec smb 10.129.14.128 --shares -u '' -p ''

SMB         10.129.14.128   445    DEVSMB           [*] Windows 6.1 Build 0 (name:DEVSMB) (domain:) (signing:False) (SMBv1:False)
SMB         10.129.14.128   445    DEVSMB           [+] \:
SMB         10.129.14.128   445    DEVSMB           [+] Enumerated shares
SMB         10.129.14.128   445    DEVSMB           Share           Permissions     Remark
SMB         10.129.14.128   445    DEVSMB           -----           -----------     ------
SMB         10.129.14.128   445    DEVSMB           print$                          Printer Drivers
SMB         10.129.14.128   445    DEVSMB           home                            INFREIGHT Samba
SMB         10.129.14.128   445    DEVSMB           dev                             DEVenv
SMB         10.129.14.128   445    DEVSMB           notes           READ,WRITE      CheckIT
SMB         10.129.14.128   445    DEVSMB           IPC$                            IPC Service (DEVSM)
```
- enum4linux

Another tool worth mentioning is enum4linux-ng, which is based on the older tool enum4linux. It automates many of the queries, but not all, and can return a large amount of information.

- Install

```bash
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt
```

- Enumeration

```bash
./enum4linux-ng.py 10.179.114.128 -A
```
Network File System (NFS) is a network file system developed by Sun Microsystems and has the same purpose as SMB: to access file systems over a network as if they were local. NFS is used between Linux and Unix systems, which means that NFS clients cannot communicate directly with SMB servers.
Version | Features |
---|---|
NFSv2 | Older version widely supported by many systems; originally operated solely over UDP. |
NFSv3 | Offers additional features like variable file size, improved error reporting, but lacks full compatibility with NFSv2 clients. |
NFSv4 | Introduces Kerberos authentication, functions efficiently across firewalls and the internet, eliminates portmappers, supports ACLs, applies state-based operations, enhances performance, and prioritizes high security. First version with a stateful protocol. |
A significant advantage of NFSv4 over its predecessors is that only one UDP or TCP port, 2049, is used to run the service, which simplifies the use of the protocol across firewalls.

NFS is based on the Open Network Computing Remote Procedure Call (ONC-RPC / SUN-RPC) protocol, exposed on TCP and UDP port 111, which uses External Data Representation (XDR) for the system-independent exchange of data. The NFS protocol itself has no mechanism for authentication or authorization. The most common form of authentication is via UNIX UID/GID and group memberships, which is why this syntax is most likely to be applied to the NFS protocol.
The configuration is kept in `/etc/exports`; the file looks like this:

```
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
```
Some of the possible options:
Option | Description |
---|---|
rw | Read and write permissions. |
ro | Read-only permissions. |
sync | Synchronous data transfer, albeit slightly slower. |
async | Asynchronous data transfer, offering slightly faster speeds. |
secure | Restricts the use of ports above 1024. |
insecure | Allows the use of ports above 1024. |
no_subtree_check | Disables the checking of subdirectory trees, potentially enhancing performance. |
root_squash | Maps all permissions from root UID/GID 0 to the UID/GID of anonymous, securing root access on NFS mounts. |
- ExportFS

```bash
echo '/mnt/nfs 10.129.14.0/24(sync,no_subtree_check)' >> /etc/exports
systemctl restart nfs-kernel-server
exportfs
```

With the setting shown above, we have shared the folder `/mnt/nfs` with the subnet `10.129.14.0/24`.

- Dangerous Settings

Here are some of them listed:

Option | Description |
---|---|
rw | Grants both read and write permissions. |
insecure | Permits the use of ports above 1024 for NFS operations. |
nohide | Ensures that if another filesystem is mounted below an exported directory, it gets its own exports entry. |
no_root_squash | Retains files created by root with the UID/GID 0, bypassing the usual mapping to the anonymous UID/GID. |

Take a closer look at the `insecure` option. It is dangerous because it lets clients use source ports above 1024. Only root can use the first 1024 ports, so with the default `secure` setting ordinary users cannot open their own sockets towards the NFS service and interact with it; `insecure` gives up exactly that protection.
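As an added example (not part of the original notes), this Python script parses `/etc/exports` and reports the dangerous options from the tables above per export and client, applying the exports(5) defaults to clients that list none; the sample file is constructed and mixes the lines shown above with deliberately weak ones.

```python
"""Audit /etc/exports for the dangerous options discussed above.

Added example (not part of the original notes). Parses exports(5) syntax,
applies the defaults (ro, sync, secure, root_squash, subtree_check) to
clients that list no options, and reports per export and client: insecure,
no_root_squash, nohide, rw, and exports open to everyone or to very wide
networks. SAMPLE is constructed: the lines shown above plus weak ones.
"""
import ipaddress
import re
from dataclasses import dataclass, field

DEFAULTS = {"ro", "sync", "secure", "root_squash", "subtree_check"}
# explicit option -> the default it replaces
OVERRIDES = {"rw": "ro", "async": "sync", "insecure": "secure",
             "no_root_squash": "root_squash", "no_subtree_check": "subtree_check"}
RISKY = {
    "insecure": "clients may use source ports above 1024 (any local user can act as NFS client)",
    "no_root_squash": "remote root keeps UID/GID 0 on the export",
    "nohide": "filesystems mounted below the export are exposed as well",
    "rw": "export is writable",
}
BROAD_PREFIX = 16  # a network at least this wide counts as "practically everyone"


@dataclass
class Export:
    path: str
    clients: list = field(default_factory=list)  # [(client, effective options)]


def effective_options(opts):
    """Start from the exports(5) defaults, then apply the explicit options."""
    eff = set(DEFAULTS)
    for o in opts:
        eff.discard(OVERRIDES.get(o, ""))
        eff.add(o)
    return eff


def parse_exports(text):
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        exp, rest = Export(parts[0]), parts[1] if len(parts) > 1 else ""
        # Tokens look like "client(opts)", "client" or "(opts)". The last form,
        # a space before the parenthesis, applies the options to everyone ("*"),
        # a classic exports(5) mistake.
        for tok in re.findall(r"\S+", rest):
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", tok)
            if not m:
                continue
            client = m.group(1) or "*"
            opts = {o.strip() for o in m.group(2).split(",")} if m.group(2) else set()
            exp.clients.append((client, effective_options(opts)))
        if not exp.clients:  # no client list at all: exported to everyone
            exp.clients.append(("*", effective_options(set())))
        exports.append(exp)
    return exports


def is_broad(client):
    if client == "*":
        return True
    try:
        return ipaddress.ip_network(client, strict=False).prefixlen <= BROAD_PREFIX
    except ValueError:
        return False  # hostname or netgroup: not judged here


def audit(text):
    """Return (path, client, finding) triples for every risky setting."""
    findings = []
    for exp in parse_exports(text):
        for client, opts in exp.clients:
            for opt, why in RISKY.items():
                if opt in opts:
                    findings.append((exp.path, client, f"{opt}: {why}"))
            if is_broad(client):
                findings.append((exp.path, client, "exported to a broad client range"))
    return findings


SAMPLE = """\
# constructed sample, not a real host's file
/srv/homes   hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/mnt/nfs     10.129.14.0/24(sync,no_subtree_check)
/srv/backup  10.0.0.0/8(rw,insecure,no_root_squash,nohide)
/srv/public  *(ro)
/srv/data    10.129.14.5 (rw)
"""

if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE):
        print(f"{path:12} {client:16} {finding}")
```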
- Nmap

```bash
sudo nmap 10.129.14.128 -p111,2049 -sV -sC
```

The `rpcinfo` NSE script retrieves a list of all currently running RPC services, their names and descriptions, and the ports they use. The `nfs*` scripts add the NFS-specific checks:

```bash
sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049
```

- Show Available NFS Shares

```bash
showmount -e 10.129.14.128
```

- Mounting NFS Share

```bash
mkdir target-NFS
sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
cd target-NFS
tree .
```

- List Contents with Usernames & Group Names

```bash
ls -l mnt/nfs/
```

- List Contents with UIDs & GIDs

```bash
ls -n mnt/nfs/
```

- Unmounting

```bash
cd ..
sudo umount ./target-NFS
```
DNS, an integral part of the Internet, facilitates access to web servers via domain names like bard.google.com or www.google.com, mapping them to the specific IP addresses provided by hosting providers. It operates as a system converting computer names into IP addresses without a central database, resembling a vast library housing various phone books. This information is spread across thousands of name servers globally. These distributed DNS servers translate domain names to IP addresses, directing users to the specific servers associated with a domain. Various types of DNS servers are employed worldwide to manage this functionality.
Server Type | Description |
---|---|
DNS Root Server | Responsible for top-level domains (TLDs), queried if a name server fails to respond. They act as a central interface between users and internet content, linking domains and IP addresses. ICANN coordinates the 13 root servers globally. |
Authoritative Nameserver | Holds authority for specific zones, responding only to queries within its responsibility. The information they provide is considered definitive. If such a server can't answer, the root name server steps in. |
Non-authoritative Nameserver | Not accountable for a particular DNS zone but gathers information about specific zones through recursive or iterative DNS queries. |
Caching DNS Server | Stores information from other name servers for a set duration, determined by the authoritative name server. These servers hold cached data. |
Forwarding Server | Solely responsible for forwarding DNS queries to other DNS servers, handling only query redirection. |
Resolver | Not authoritative but performs local name resolution on computers or routers. Resolvers aid in converting domain names to IP addresses without maintaining their own zone information. |
DNS is mainly unencrypted. Devices on the local WLAN and Internet providers can therefore intercept and spy on DNS queries. Since this poses a privacy risk, there are now some solutions for DNS encryption. By default, IT security professionals apply DNS over TLS (DoT) or DNS over HTTPS (DoH) here. In addition, the network protocol DNSCrypt also encrypts the traffic between the computer and the name server.
Different DNS records are used for the DNS queries, and each has its own task. Moreover, separate entries exist for different functions, since we can set up mail servers and other servers for a domain.
DNS Record | Description |
---|---|
A | Returns the IPv4 address of the requested domain. |
AAAA | Returns the IPv6 address of the requested domain. |
MX | Identifies responsible mail servers for the domain. |
NS | Specifies the domain's DNS servers (nameservers). |
TXT | Versatile record containing various information. It's used for purposes like Google Search Console validation, SSL certificate validation, SPF and DMARC entries for mail traffic validation, and protection from spam. |
CNAME | Serves as an alias, pointing one domain to the same location as another. For instance, if www.hackthebox.eu should direct to the same IP as hackthebox.eu, an A record is set for one and a CNAME record is created for the other. |
PTR | Performs reverse lookup, translating IP addresses into valid domain names. |
SOA | Provides information about the corresponding DNS zone and the administrative contact's email address. It signifies the start of a zone of authority and contains essential information about the zone's management. |
There are many different configuration types for DNS. All DNS servers work with three different types of hierarchical configuration files:

- local DNS configuration files
- zone files
- reverse name resolution files

The DNS server Bind9 is very often used on Linux-based distributions. Its local configuration file (named.conf) is roughly divided into two sections: firstly the options section for general settings and secondly the zone entries for the individual domains. The local configuration files are usually:

- named.conf.local
- named.conf.options
- named.conf.log

The configuration file `named.conf` is divided into several options that control the behavior of the name server. A distinction is made between global options and zone options.
- Local DNS Configuration

```bash
cat /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "domain.com" {
    type master;
    file "/etc/bind/db.domain.com";
    allow-update { key rndc-key; };
};
```
- Zone Files

Zone files define individual DNS zones and are usually dedicated to one domain, except on ISP and public DNS servers. They use the BIND file format, a standard in DNS server software. These text files include essential records like SOA and NS, ensuring completeness and accuracy. Any syntax error renders the entire file unusable, causing DNS queries for that zone to receive a SERVFAIL error. Essentially, zone files function as a structured phone book for DNS servers, detailing domain-to-IP address mappings following BIND format rules.

```bash
cat /etc/bind/db.domain.com

;
; BIND reverse data file for local loopback interface
;
$ORIGIN domain.com
$TTL 86400
@     IN     SOA    dns1.domain.com.     hostmaster.domain.com. (
                    2001062501  ; serial
                    21600       ; refresh after 6 hours
                    3600        ; retry after 1 hour
                    604800      ; expire after 1 week
                    86400 )     ; minimum TTL of 1 day

      IN     NS     ns1.domain.com.
      IN     NS     ns2.domain.com.
      IN     MX     10     mx.domain.com.
      IN     MX     20     mx2.domain.com.
      IN     A      10.129.14.5

server1  IN  A  10.129.14.5
server2  IN  A  10.129.14.7
ns1      IN  A  10.129.14.2
ns2      IN  A  10.129.14.3

ftp      IN  CNAME  server1
mx       IN  CNAME  server1
mx2      IN  CNAME  server2
www      IN  CNAME  server2
```
- Reverse Name Resolution Zone Files

Indeed, for the reverse direction, resolving an IP address back to a Fully Qualified Domain Name (FQDN), the DNS server requires a reverse lookup file. This file uses PTR (Pointer) records, whose owner name is the last octet of the IP address, to map each address to the computer name (FQDN) of the respective host. PTR records play a crucial role in the reverse translation of IP addresses into the corresponding names, as highlighted in the record table above.

```bash
cat /etc/bind/db.10.129.14

;
; BIND reverse data file for local loopback interface
;
$ORIGIN 14.129.10.in-addr.arpa
$TTL 86400
@     IN     SOA    dns1.domain.com.     hostmaster.domain.com. (
                    2001062501  ; serial
                    21600       ; refresh after 6 hours
                    3600        ; retry after 1 hour
                    604800      ; expire after 1 week
                    86400 )     ; minimum TTL of 1 day

      IN     NS     ns1.domain.com.
      IN     NS     ns2.domain.com.

5    IN     PTR    server1.domain.com.
7    IN     MX     mx.domain.com.
...SNIP...
```
DNS servers face various vulnerabilities that attackers exploit. Vulnerabilities targeting BIND9, for instance, are documented on CVEdetails. SecurityTrails also outlines popular attacks on DNS servers.

Certain configurations contribute to these vulnerabilities. DNS, being complex, is prone to errors, compelling administrators to implement temporary workarounds until an exact solution is found. Often, functionality takes precedence over security, prompting administrators to loosen restrictions so that parts of the infrastructure function as intended. This prioritization sometimes leads to misconfigurations and vulnerabilities within the system.
Option | Description |
---|---|
allow-query | Specifies hosts permitted to send requests to the DNS server. |
allow-recursion | Specifies hosts permitted to send recursive requests to the DNS server. |
allow-transfer | Specifies hosts permitted to receive zone transfers from the DNS server. |
zone-statistics | Gathers statistical data related to zones managed by the DNS server. |
Footprinting DNS servers involves querying them to gather information about other name servers known to them. This is typically done using the NS (Name Server) record and specifying the DNS server to be queried with the `@` character. By doing so, one can identify additional DNS servers and query their records. However, these other servers might have distinct configurations and may be responsible for different zones.

- Querying Name Servers (NS Records)

Retrieves the NS records for the domain "example.com", showing the authoritative name servers responsible for the domain.

```bash
nslookup -type=NS example.com
dig ns example.com @10.129.14.128
```
- DIG - Version Query

```bash
dig CH TXT version.bind @10.129.120.85
```
- Querying ANY

We can use the option `ANY` to view all available records.

```bash
dig any example.com @10.129.14.128
```

- Querying A Records

Fetches the IPv4 address (A record) associated with the domain "example.com".

```bash
nslookup example.com
```

- Querying MX Records

Retrieves the Mail Exchange (MX) records for the domain "example.com", specifying the mail servers responsible for email delivery.

```bash
nslookup -type=MX example.com
```

- Querying TXT Records

Fetches the text records associated with the domain "example.com", commonly used for purposes like SPF, DMARC, and domain verification.

```bash
nslookup -type=TXT example.com
```

- Reverse DNS Lookup (PTR Records)

Performs a reverse DNS lookup to find the domain name associated with the given IP address.

```bash
nslookup <IP address>
```
- Querying AXFR Zone Transfer

Zone transfer in DNS involves transferring zones from one server to another, commonly occurring over TCP port 53 through Asynchronous Full Transfer Zone (AXFR). Given the criticality of DNS for businesses, maintaining identical zone files across multiple name servers is crucial. Changes made in one server's zone must be synchronized across all servers to ensure data consistency, which is achieved through zone transfer.

The primary name server holds the original zone data, while secondary servers are installed for increased reliability, load distribution, or primary server protection. Top-Level Domains (TLDs) often mandate multiple servers for Second Level Domains' zone files. Entries in DNS are typically managed on the primary server, either through manual edits or automated dynamic updates from a database. Servers directly providing zone file synchronization are termed masters, while those obtaining data from masters are termed slaves. A primary server functions solely as a master, while a secondary server can serve as both a slave and a master.

Slaves periodically fetch the SOA (Start of Authority) record from the master, comparing serial numbers at refresh intervals (typically one hour). A higher serial number on the master's SOA indicates mismatched data sets between the servers.

```bash
dig axfr example.com @10.129.14.128
```
- AXFR Zone Transfer - Internal

If the administrator used a subnet for the `allow-transfer` option for testing purposes or as a workaround, or set it to `any`, everyone could query the entire zone file from the DNS server. In addition, other zones can be queried, which may even reveal internal IP addresses and hostnames.

```bash
dig axfr internal.example.com @10.129.14.128
```
- Subdomain Brute Forcing

The individual A records with their hostnames can also be found with the help of a brute-force attack.

```bash
for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt); do
    dig $sub.example.com @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt
done
```

Many different tools can be used for this, and most of them work in the same way. One of these tools is, for example, DNSenum.

```bash
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt example.com
```
SMTP, the Simple Mail Transfer Protocol, is pivotal for email transmission in IP networks. It operates between email clients and outgoing mail servers or between SMTP servers themselves. Often used alongside IMAP or POP3 for managing emails, SMTP follows a client-server structure, allowing server-to-server communication in which servers act as clients.

Typically, SMTP servers accept connections on port 25, but newer iterations also use TCP port 587 for secure mail receipt. Port 587 ensures secure communication by encrypting the connection with the STARTTLS command, safeguarding authentication data from being transmitted in plaintext. Authentication happens during connection initiation when clients confirm their identity via a username and password, enabling email transmission by sharing sender and recipient addresses, content, and parameters. Following transmission, the server forwards the email to another SMTP server.

While SMTP primarily operates unencrypted, SSL/TLS encryption secures the data from unauthorized access. Some servers opt for alternative ports like TCP 465 for encrypted SMTP connections.

An integral function of SMTP servers is spam prevention, often achieved through authentication mechanisms like ESMTP with SMTP-Auth, allowing only authorized users to send emails. The SMTP client (Mail User Agent - MUA) submits emails to the SMTP server (Mail Transfer Agent - MTA), where they are scrutinized for size and spam before storage. Occasionally, a Mail Submission Agent (MSA) or relay server precedes the MTA, checking email validity.

Upon reaching the destination SMTP server, the data packets are assembled into complete emails, forwarded to the Mail Delivery Agent (MDA), and delivered to the recipient's mailbox, which is accessed through the POP3 or IMAP protocols. The journey typically looks like this:

Client (MUA) ➞ Submission Agent (MSA) ➞ Open Relay (MTA) ➞ Mail Delivery Agent (MDA) ➞ Mailbox (POP3/IMAP)
SMTP, while vital for email transmission, presents inherent drawbacks in its network protocol.

- One primary limitation is the absence of a reliable delivery confirmation when sending emails through SMTP. Though the protocol allows for such notifications, it lacks standardized formatting. Typically, only an English-language error message, accompanied by the undelivered message's header, is returned, making the confirmation unusable.
- Moreover, SMTP doesn't authenticate users during connection establishment, leading to sender unreliability. This loophole is exploited through open SMTP relays, commonly abused for mass spam distribution. Perpetrators use arbitrary fake sender addresses to avoid tracing (mail spoofing). To counter such misuse, various security techniques have been adopted. Suspicious emails are either rejected or directed to quarantine (spam folder). Security protocols like DomainKeys (DKIM) and Sender Policy Framework (SPF) play key roles in addressing these issues. DKIM verifies email authenticity by adding digital signatures, while SPF defines email sender legitimacy by validating sender IP addresses against domain records.

These security measures aim to mitigate email abuse and improve SMTP's reliability and authenticity, enhancing the overall integrity and trustworthiness of email communication.
Each SMTP server can be configured in many ways, as can all other services. However, there are differences because the SMTP server is only responsible for sending and forwarding emails.

```bash
cat /etc/postfix/main.cf | grep -v "#" | sed -r "/^\s*$/d"

smtpd_banner = ESMTP Server
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtp_generic_maps = hash:/etc/postfix/generic
mydestination = $myhostname, localhost
masquerade_domains = $myhostname
mynetworks = 127.0.0.0/8 10.129.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
smtp_bind_address = 0.0.0.0
inet_protocols = ipv4
smtpd_helo_restrictions = reject_invalid_hostname
home_mailbox = /home/postfix
```
Command | Description |
---|---|
AUTH PLAIN | Service extension for client authentication. |
HELO | Client initiates session by logging in with its computer name. |
MAIL FROM | Client specifies the email sender. |
RCPT TO | Client specifies the email recipient. |
DATA | Client initiates email transmission. |
RSET | Client aborts initiated transmission while maintaining the connection. |
VRFY | Client checks for mailbox availability for message transfer. |
EXPN | Client checks for mailbox availability for messaging using this command. |
NOOP | Client requests a server response to prevent disconnection due to timeout. |
QUIT | Client terminates the session. |
To interact with the SMTP server, we can use the `telnet` tool to initialize a TCP connection with the SMTP server. The actual initialization of the session is done with the command mentioned above, `HELO` or `EHLO`.

```bash
telnet 10.129.14.128 25

Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server

HELO mail1.example.com

250 mail1.example.com

EHLO mail1

250-mail1.inlanefreight.htb
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
```
The command `VRFY` can be used to enumerate existing users on the system. However, this does not always work. Depending on how the SMTP server is configured, it may issue code 252 and thereby "confirm" the existence of a user that does not exist on the system. A list of all SMTP response codes can be found here.

```bash
telnet 10.129.14.128 25

Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server

VRFY root

252 2.0.0 root

VRFY cry0l1t3

252 2.0.0 cry0l1t3

VRFY testuser

252 2.0.0 testuser

VRFY aaaaaaaaaaaaaaaaaaaaaaaaaaaa

252 2.0.0 aaaaaaaaaaaaaaaaaaaaaaaaaaaa
```
```bash
telnet 10.129.14.128 25

Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server

EHLO example.com

250-mail1.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

MAIL FROM: <[email protected]>

250 2.1.0 Ok

RCPT TO: <[email protected]> NOTIFY=success,failure

250 2.1.5 Ok

DATA

354 End data with <CR><LF>.<CR><LF>

From: <[email protected]>
To: <[email protected]>
Subject: DB
Date: Tue, 28 Sept 2021 16:32:51 +0200
Hey man, I am trying to access our XY-DB but the creds don't work.
Did you make any changes there?
.

250 2.0.0 Ok: queued as 6E1CF1681AB

QUIT

221 2.0.0 Bye
Connection closed by foreign host.
```
Hosts and networks listed as trusted in Postfix's `mynetworks` may relay mail without authentication or the usual filtering, which is convenient for internal relay servers. A misconfiguration that allows a far too broad IP range, such as the one below, turns the server into an open relay and is a serious security risk:

```
mynetworks = 0.0.0.0/0
```
- Nmap: `sudo nmap 10.129.14.128 -sC -sV -p25`
- Nmap - Open Relay: `sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v`
Internet Message Access Protocol (`IMAP`) enables remote email management with folder structures, unlike Post Office Protocol (`POP3`), facilitating online access to emails directly on the server. It supports synchronization across multiple clients, offering advanced functionalities like hierarchical mailboxes and access to multiple mailboxes within a session. With IMAP, emails remain on the server until deletion, ensuring a uniform database across clients. POP3, on the other hand, does not have the same functionality as IMAP; it only provides listing, retrieving, and deleting emails as functions at the email server.

Clients access and create local copies of email structures, ensuring consistency across several devices. IMAP operates via port 143, using text-based ASCII commands for communication, and requires user authentication upon connection establishment. `SMTP` complements `IMAP` for email transmission and offers accessibility to sent emails across multiple devices by copying them into IMAP folders.

However, IMAP typically operates unencrypted, transmitting data in plaintext. To bolster security, email servers often require `encrypted` IMAP sessions using `SSL/TLS`, enhancing email traffic security and preventing unauthorized mailbox access. This encrypted connection usually utilizes standard port 143 or an alternative like `993`, depending on the implementation.
Exploring detailed configurations of the `IMAP` and `POP3` protocols is intricate due to their numerous options. I recommend creating a VM locally, installing the two packages dovecot-imapd and dovecot-pop3d using apt, and playing around with and experimenting on the configurations. In the documentation of Dovecot, we can find the individual core settings and service configuration options that can be utilized for our experiments.
Command | Description |
---|---|
1 LOGIN username password | User's login. |
1 LIST "" * | Lists all directories. |
1 CREATE "INBOX" | Creates a mailbox with a specified name. |
1 DELETE "INBOX" | Deletes a mailbox. |
1 RENAME "ToRead" "Important" | Renames a mailbox. |
1 LSUB "" * | Returns a subset of active or subscribed names. |
1 SELECT INBOX | Selects a mailbox for message access. |
1 UNSELECT INBOX | Exits the selected mailbox. |
1 FETCH <ID> all | Retrieves data associated with a message in the mailbox. |
1 CLOSE | Removes all messages with the Deleted flag set. |
1 LOGOUT | Closes the connection with the IMAP server. |
Command | Description |
---|---|
USER username | Identifies the user. |
PASS password | Authenticates the user using their password. |
STAT | Requests the number of saved emails from the server. |
LIST | Requests from the server the number and size of all emails. |
RETR id | Requests the server to deliver the requested email by ID. |
DELE id | Requests the server to delete the requested email by ID. |
CAPA | Requests the server to display its capabilities. |
RSET | Requests the server to reset the transmitted information. |
QUIT | Closes the connection with the POP3 server. |
Misconfigured settings within these email servers can expose critical information. Debugging executed commands or attempting to log in `anonymously`, akin to `FTP services`, might reveal vulnerabilities. While numerous companies opt for third-party email providers like Google or Microsoft, some manage their own mail servers for privacy and control reasons. However, this self-management presents risks. Administrators' configuration errors can inadvertently grant access to all sent and received emails, potentially containing sensitive or confidential information. Some of these critical configuration options include:
Setting | Description |
---|---|
auth_debug | Enables all authentication debug logging. |
auth_debug_passwords | Adjusts log verbosity, logging the submitted passwords and the authentication scheme. |
auth_verbose | Logs unsuccessful authentication attempts along with their reasons. |
auth_verbose_passwords | Logs passwords used for authentication, potentially truncating them for security purposes. |
auth_anonymous_username | Specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. |
- Nmap: `sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC`
- cURL: `curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd`
- OpenSSL - TLS Encrypted Interaction POP3: `openssl s_client -connect 10.129.14.128:pop3s`
- OpenSSL - TLS Encrypted Interaction IMAP: `openssl s_client -connect 10.129.14.128:imaps`
Simple Network Management Protocol (`SNMP`) was created to monitor network devices. In addition, the protocol can be used to handle configuration tasks and change settings remotely. Beyond the pure exchange of information, SNMP also transmits control commands to agents over `UDP port 161`. While in classical communication it is always the client who actively requests information from the server, SNMP also enables the use of so-called `traps` over UDP port 162: if a device is configured accordingly, an SNMP trap is sent to the client once a specific event occurs on the server side.
- MIB
  The Management Information Base (`MIB`) is a standardized format to store device information in SNMP, ensuring interoperability across devices and systems. It's a textual file outlining all SNMP queryable objects, organized in a tree hierarchy via unique Object Identifiers (`OIDs`). These files `describe` where to find specific `information`, along with details like data types and access rights, but don't contain the actual data.
- OID
  Object Identifiers (`OIDs`) are numerical sequences representing nodes in a hierarchical structure. Each `OID` uniquely identifies a node in the tree, indicating its position and specificity. They're composed of integers concatenated with dot notation, enabling reference and lookup in the Object Identifier Registry.
- SNMPv1
  SNMP versions vary in their functionalities and security. `SNMPv1` is still prevalent in smaller networks, supporting information retrieval, device configuration, and event notifications. However, its lack of authentication or encryption makes it susceptible to unauthorized access and data interception.
- SNMPv2
  `SNMPv2`, specifically v2c, retains `SNMPv1's security issues`. While it introduces additional functionalities, it suffers from transmitting the community string in plain text, lacking inherent encryption.
- SNMPv3
  `SNMPv3` significantly improves security by implementing features like `username/password` authentication and data encryption using `pre-shared keys`. However, its complexity in configuration surpasses its predecessors.
- Community Strings
  Community strings function as passwords controlling access to requested information. Despite the advancements in SNMPv3, many organizations remain on SNMPv2 due to the complexity of transitioning. This ongoing use of SNMPv2 without encryption poses security risks, allowing interception of community strings during transmission, leading to potential unauthorized access. This scenario concerns administrators, as attackers could exploit these vulnerabilities without encryption, accessing sensitive information with intercepted community strings.
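To see concretely what "transmitting the community string in plain text" means on the wire, the following added example (not code from the page or from net-snmp; standard library only) hand-encodes an SNMPv2c GetRequest for sysDescr.0 using the BER rules SNMP messages follow, and then recovers the community string from the raw datagram the way anyone capturing UDP/161 traffic could. The function names (`build_get_request`, `community_from_datagram`, `send_get`) are chosen here; the OID and the community `public` are the ones the snmpwalk command on this page uses.

```python
"""Hand-encode an SNMPv2c GetRequest and read the community string back out.

Added example, not code from the page or from net-snmp; standard library
only. The point is the one the section makes: in SNMPv1/v2c the community
string is a password that travels in clear text in every datagram.
"""
import socket
from typing import List, Tuple


def ber_length(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02); non-negative values only, minimal two's complement."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # high-order groups carry a continuation bit
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oids: List[str], request_id: int = 1) -> bytes:
    """SNMPv2c message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + b"\x05\x00") for o in oids)  # (OID, NULL)
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)   # version 1 == v2c


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def community_from_datagram(datagram: bytes) -> str:
    """What a passive observer of UDP/161 sees: the community string, in the clear."""
    tag, message, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = read_tlv(message)            # INTEGER version
    tag, community, _ = read_tlv(message, pos)      # OCTET STRING community
    if tag != 0x04:
        raise ValueError("community string not where expected")
    return community.decode()


def send_get(host: str, community: str, oid: str, timeout: float = 2.0) -> bytes:
    """Send one GetRequest to UDP/161 and return the raw response (not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, [oid]), (host, 161))
        return sock.recv(65535)


SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SAMPLE_REQUEST = build_get_request("public", [SYS_DESCR])

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    print("community visible on the wire:", community_from_datagram(SAMPLE_REQUEST))
```

The sample request is 40 bytes, and `b"public"` sits in it as six literal bytes right after the version field; no key, hash or session protects it, which is why a community string captured from one request is immediately usable and why SNMPv3 with authentication and privacy (the `rouser ... authpriv` line in the daemon config) is the fix. `send_get` lets you send the same datagram to a device you administer and look at the answer.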
The default configuration of the SNMP daemon defines the basic settings for the service, which include the IP addresses, ports, MIB, OIDs, authentication, and community strings.

- SNMP Daemon Config

```
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'

sysLocation    Sitting on the Dock of the Bay
sysContact     Me <[email protected]>
sysServices    72
master  agentx
agentaddress  127.0.0.1,[::1]
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1
rocommunity  public default -V systemonly
rocommunity6 public default -V systemonly
rouser authPrivUser authpriv -V systemonly
```
Some dangerous settings that the administrator can make with SNMP are:
Settings | Description |
---|---|
rwuser noauth | Provides access to the full OID tree without authentication. |
rwcommunity <community string> <IPv4> | Provides access to the full OID tree regardless of the request's origin (IPv4). |
rwcommunity6 <community string> <IPv6> | Provides access to the full OID tree regardless of the request's origin (IPv6). |
For footprinting SNMP, we can use tools like `snmpwalk`, `onesixtyone`, and `braa`.

```
snmpwalk -v2c -c public 10.129.14.128
```

```
sudo apt install onesixtyone
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt 10.129.14.128
```

Often, when certain community strings are bound to specific IP addresses, they are named with the hostname of the host, and sometimes even symbols are added to these names to make them more challenging to identify.

```
sudo apt install braa
braa <community string>@<IP>:.1.3.6.* # Syntax
braa [email protected]:.1.3.6.*
```
MySQL is an open-source relational database management system (`RDBMS`) that allows users to manage and store data. MySQL uses Structured Query Language (`SQL`) for querying, managing, and manipulating data within databases. MySQL works according to the `client-server` principle and consists of a MySQL server and one or more MySQL clients. The client-server architecture in MySQL (and in many other database systems) separates the responsibilities of managing the database (server) from interacting with it (client).
- MySQL Server
  It's the software that actually `stores` and `manages` the databases. The server is responsible for handling data storage, retrieval, access control, and various other database-related tasks.
- MySQL Clients
  The client is the interface that allows users or applications to interact with the MySQL server. It could be command-line tools like the `mysql` command, graphical user interfaces (GUIs) like `phpMyAdmin`, or various programming `language libraries` (like Python's mysql-connector, PHP's mysqli, etc.).
- MySQL Commands
  MySQL manages data using SQL commands; errors from SQL injections can expose unintended interactions. It manipulates data in tables, alters structures, and manages users.

`MariaDB`, a MySQL derivative, emerged after the main developer left MySQL AB post-Oracle acquisition, continuing open-source database development. The field of databases is so large that entire professions, such as database administrator (`DBA`), deal with almost nothing but databases.
```
sudo apt install mysql-server -y
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'

[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
[mysqld_safe]
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
skip-host-cache
skip-name-resolve
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
explicit_defaults_for_timestamp
symbolic-links=0
!includedir /etc/mysql/conf.d/
```
Many things can be misconfigured with MySQL:

Setting | Description |
---|---|
user | Sets which user the MySQL service will run as. |
password | Sets the password for the MySQL user. |
admin_address | The IP address on which to listen for TCP/IP connections on the administrative network interface. |
debug | This variable indicates the current debugging settings. |
sql_warnings | Controls whether single-row INSERT statements produce an information string if warnings occur. |
secure_file_priv | Used to limit the effect of data import and export operations. |

The settings `user`, `password`, and `admin_address` are security-relevant because the entries are made in plain text.
- Nmap: `sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*`
- Interaction with the MySQL Server
  - Login
    - with no pass: `mysql -u root -h 10.129.14.132`
    - with pass: `mysql -u root -pP4SSw0rd -h 10.129.14.128`
  - Commands
    - show databases: `show databases;`
    - show version: `select version();`
    - use specific database: `use mysql;`
    - show tables: `show tables;`
The most important databases for the MySQL server are the `system schema` (`sys`) and the `information schema` (`information_schema`). The system schema contains tables, information, and metadata necessary for management. Switch to it with `use sys;` and list its tables with `show tables;`:

```
use sys;
show tables;

+-----------------------------------------------+
| Tables_in_sys                                 |
+-----------------------------------------------+
| host_summary                                  |
| host_summary_by_file_io                       |
| host_summary_by_file_io_type                  |
| host_summary_by_stages                        |
| host_summary_by_statement_latency             |
| host_summary_by_statement_type                |
| innodb_buffer_stats_by_schema                 |
| innodb_buffer_stats_by_table                  |
| innodb_lock_waits                             |
| io_by_thread_by_latency                       |
...SNIP...
| x$waits_global_by_latency                     |
+-----------------------------------------------+

select host, unique_users from host_summary;

+-------------+--------------+
| host        | unique_users |
+-------------+--------------+
| 10.129.14.1 | 1            |
| localhost   | 2            |
+-------------+--------------+
```

The `information schema` is also a database that contains metadata. However, this metadata is mainly retrieved from the `system schema` database.
When we say "`MSSQL`", we refer to Microsoft SQL Server, a relational database management system developed by Microsoft. Like MySQL, it's used to store and retrieve data as requested by other software applications. However, MSSQL is a proprietary system, unlike MySQL, which is open-source. Microsoft SQL Server is known for its robustness, scalability, and integration with other Microsoft products. It supports various editions catering to different needs, ranging from small applications to large enterprise-level solutions. It utilizes Transact-SQL (`T-SQL`), a variant of SQL, for querying and managing data.
- MSSQL Clients
  SQL Server Management Studio (`SSMS`) comes as a feature that can be installed with the MSSQL install package or can be downloaded & installed separately. Keep in mind that since SSMS is a client-side application, it can be installed and used on any system an admin or developer is planning to manage the database from. Many other clients can be used to access a database running on MSSQL.
- MSSQL Database

Default System Database | Description |
---|---|
master | Tracks all system information for an SQL server instance. |
model | Serves as a template database for new database creation. Settings changed here reflect in subsequently created databases. |
msdb | Utilized by SQL Server Agent for scheduling jobs and alerts. |
tempdb | Dedicated for storing temporary objects. |
resource | Read-only database housing system objects bundled with SQL Server. |
When an admin initially installs and configures MSSQL to be network accessible, the SQL service will likely run as `NT SERVICE\MSSQLSERVER`. Authentication being set to `Windows Authentication` means that the underlying Windows OS will process the login request and use either the local SAM database or the domain controller (hosting Active Directory) before allowing connectivity to the database management system.

In an IT administrator's shoes during an engagement, it's crucial to consider potential `misconfigurations` that might compromise systems. The IT landscape is fast-paced, often juggling multiple projects, leading to the potential for errors, where even a small misconfiguration can jeopardize a critical server or service. This risk extends to MSSQL configurations, where admins might inadvertently set up:

- Unencrypted MSSQL Client Connections: Failure to use encryption between clients and the MSSQL server, exposing data during transmission.
- Self-Signed Certificates for Encryption: Reliance on self-signed certificates, vulnerable to spoofing, despite using encryption, risking compromised security.
- Usage of Named Pipes: Vulnerability arising from the use of named pipes, potentially open to exploitation.
- Weak or Default 'sa' Credentials: Overlooking the disabling of default 'sa' (`system administrator`) credentials, leaving a significant security loophole if left unchanged or set with weak passwords.
- Nmap

```
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
```

- Metasploit
  We can also use Metasploit to run an auxiliary scanner called `mssql_ping`.

```
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 10.129.201.248
rhosts => 10.129.201.248
msf6 auxiliary(scanner/mssql/mssql_ping) > run

[*] 10.129.201.248: - SQL Server information for 10.129.201.248:
[+] 10.129.201.248: - ServerName = SQL-01
[+] 10.129.201.248: - InstanceName = MSSQLSERVER
[+] 10.129.201.248: - IsClustered = No
[+] 10.129.201.248: - Version = 15.0.2000.5
[+] 10.129.201.248: - tcp = 1433
[+] 10.129.201.248: - np = \\SQL-01\pipe\sql\query
[*] 10.129.201.248: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

- Mssqlclient.py
  If we can guess or gain access to credentials, this allows us to remotely connect to the MSSQL server and start interacting with databases using T-SQL (`Transact-SQL`).

```
python3 mssqlclient.py [email protected] -windows-auth
```
The Oracle Transparent Network Substrate (`TNS`) server is a communication protocol that facilitates communication between Oracle databases and applications over networks. TNS supports various networking protocols between Oracle databases and client applications, such as the `IPX/SPX` and `TCP/IP` protocol stacks. Over time, TNS has been updated to support newer technologies, including IPv6 and SSL/TLS encryption, which makes it more suitable for the following purposes:

- Name Resolution
- Connection management
- Load balancing
- Security

The configuration files for Oracle TNS are called `tnsnames.ora` and `listener.ora` and are typically located in the `ORACLE_HOME/network/admin` directory. These plain text files contain configuration information for Oracle database instances and other network services that use the TNS protocol. Each database or service has a unique entry in the tnsnames.ora file, containing the necessary information for clients to connect to the service.

Tnsnames.ora
```
ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )
```
Here we can see a service called `ORCL`, which is listening on port `TCP/1521` on the IP address `10.129.11.102`. Clients should use the service name orcl when connecting to the service.

Listener.ora
```
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PDB1)
      (ORACLE_HOME = C:\oracle\product\19.0.0\dbhome_1)
      (GLOBAL_DBNAME = PDB1)
      (SID_DIRECTORY_LIST =
        (SID_DIRECTORY =
          (DIRECTORY_TYPE = TNS_ADMIN)
          (DIRECTORY = C:\oracle\product\19.0.0\dbhome_1\network\admin)
        )
      )
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = C:\oracle
```
In short, the client-side Oracle Net Services software uses the tnsnames.ora file to resolve service names to network addresses, while the listener process uses the listener.ora file to determine the services it should listen to and the behavior of the listener.
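The two files above share one syntax: nested `(KEY = value)` groups. The following added example (not code from the page or from Oracle) is a small recursive-descent parser for that syntax. It turns an entry into nested dicts and pulls out the TCP endpoints an alias resolves to, which is the lookup the client-side Oracle Net software performs on tnsnames.ora and the listener performs on listener.ora. The function names (`parse_tns`, `endpoints`) and the rule that a repeated key becomes a list are choices made here; the sample entries are the ORCL and LISTENER definitions shown above, copied so the script runs offline.

```python
"""Parse Oracle Net (TNS) configuration entries such as tnsnames.ora and listener.ora.

Added example, not code from the page or from Oracle. The format is a tree of
"(KEY = value)" groups; this parser turns it into nested dicts (repeated keys
become lists) and extracts the TCP endpoints an alias resolves to.
"""
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed copies of the two entries shown on the page.
TNSNAMES_SAMPLE = r"""
ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )
"""
LISTENER_SAMPLE = r"""
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PDB1)
      (ORACLE_HOME = C:\oracle\product\19.0.0\dbhome_1)
      (GLOBAL_DBNAME = PDB1)
      (SID_DIRECTORY_LIST =
        (SID_DIRECTORY = (DIRECTORY_TYPE = TNS_ADMIN)(DIRECTORY = C:\oracle\product\19.0.0\dbhome_1\network\admin))
      )
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
ADR_BASE_LISTENER = C:\oracle
"""

# Tokens: the three punctuation characters and bare words (paths, hosts, numbers).
_TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")


def _add(node: Dict[str, Any], key: str, value: Any) -> None:
    """Store value under key; a repeated key (e.g. two ADDRESS groups) becomes a list."""
    if key in node:
        if not isinstance(node[key], list):
            node[key] = [node[key]]
        node[key].append(value)
    else:
        node[key] = value


class _Parser:
    def __init__(self, text: str) -> None:
        lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
        self.toks: List[str] = _TOKEN.findall("\n".join(lines))
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self, expected: Optional[str] = None) -> str:
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def top_level(self) -> Dict[str, Any]:
        """file = sequence of `NAME = value` entries"""
        result: Dict[str, Any] = {}
        while self._peek() is not None:
            name = self._take()
            self._take("=")
            _add(result, name, self.value())
        return result

    def value(self) -> Any:
        """value = scalar | one or more `(KEY = value)` groups"""
        if self._peek() != "(":
            return self._take()
        node: Dict[str, Any] = {}
        while self._peek() == "(":
            self._take("(")
            key = self._take()
            self._take("=")
            _add(node, key, self.value())
            self._take(")")
        return node


def parse_tns(text: str) -> Dict[str, Any]:
    return _Parser(text).top_level()


def _walk(node: Any, key: str) -> Iterator[Any]:
    """Yield every value stored under `key` anywhere in the tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield from (v if isinstance(v, list) else [v])
            yield from _walk(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item, key)


def endpoints(tns: Dict[str, Any]) -> List[Tuple[str, str, str, Optional[str]]]:
    """(alias, host, port, service name or SID) for every TCP ADDRESS in the file."""
    found = []
    for alias, entry in tns.items():
        service = next(_walk(entry, "SERVICE_NAME"), None) or next(_walk(entry, "SID"), None)
        for addr in _walk(entry, "ADDRESS"):
            if isinstance(addr, dict) and addr.get("PROTOCOL", "").upper() == "TCP":
                found.append((alias, addr.get("HOST", ""), addr.get("PORT", ""), service))
    return found


if __name__ == "__main__":
    for ep in endpoints(parse_tns(TNSNAMES_SAMPLE)) + endpoints(parse_tns(LISTENER_SAMPLE)):
        print(ep)
```

Run on the samples it yields `('ORCL', '10.129.11.102', '1521', 'orcl')` from tnsnames.ora and `('LISTENER', 'orcl.inlanefreight.htb', '1521', None)` from listener.ora; the IPC address is kept in the tree but is not a network endpoint, so `endpoints` skips it. An unbalanced entry raises `ValueError` rather than silently returning a partial tree, which matters when the file being audited was hand-edited.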
Oracle databases can be protected by using a so-called PL/SQL Exclusion List (`PlsqlExclusionList`). It is a user-created text file that needs to be placed in the `$ORACLE_HOME/sqldeveloper` directory, and it contains the names of PL/SQL packages or types that should be excluded from execution.
Setting | Description |
---|---|
DESCRIPTION | Provides a descriptor for the database and its connection type. |
ADDRESS | Network address of the database, including the hostname and port number. |
PROTOCOL | Network protocol used for communication with the server. |
PORT | Port number used for communication with the server. |
CONNECT_DATA | Specifies connection attributes: service name or SID, protocol, and database instance identifier. |
INSTANCE_NAME | Name of the database instance the client aims to connect to. |
SERVICE_NAME | Name of the service the client intends to connect to. |
SERVER | Type of server used for the database connection (e.g., dedicated or shared). |
USER | Username for authenticating with the database server. |
PASSWORD | Password for authenticating with the database server. |
SECURITY | Type of security for the connection. |
VALIDATE_CERT | Whether to validate the certificate using SSL/TLS. |
SSL_VERSION | Version of SSL/TLS to use for the connection. |
CONNECT_TIMEOUT | Time limit in seconds for the client to establish a connection to the database. |
RECEIVE_TIMEOUT | Time limit in seconds for the client to receive a response from the database. |
SEND_TIMEOUT | Time limit in seconds for the client to send a request to the database. |
SQLNET.EXPIRE_TIME | Time limit in seconds for the client to detect a failed connection. |
TRACE_LEVEL | Level of tracing for the database connection. |
TRACE_DIRECTORY | Directory where the trace files are stored. |
TRACE_FILE_NAME | Name of the trace file. |
LOG_FILE | File where log information is stored. |
Before we can enumerate the TNS listener and interact with it, we need to download a few packages and tools for our Pwnbox instance in case it does not have these already.

```
#!/bin/bash

sudo apt-get install libaio1 python3-dev alien python3-pip -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor pycryptodome passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete
```
- ODAT
  Oracle Database Attacking Tool (`ODAT`) is an open-source penetration testing tool written in Python and designed to enumerate and exploit vulnerabilities in Oracle databases.

```
./odat.py -h
```

- Nmap: `sudo nmap -p1521 -sV 10.129.204.235 --open`
- Nmap - SID Bruteforcing
  The `SIDs` are an essential part of the connection process, as they identify the specific instance of the database the client wants to connect to. If the client specifies an incorrect SID, the connection attempt will fail. There are various ways to enumerate, or better said, guess `SIDs`. Therefore we can use tools like `nmap`, `hydra`, `odat`, and others. Let us use `nmap` first.

```
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
```

- ODAT: `./odat.py all -s 10.129.204.235`
- SQLplus - Log In: `sqlplus scott/[email protected]/XE`
  If you come across the following error: `sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory`, please execute the below, taken from here.

```
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
```

- Oracle RDBMS - Interaction

```
SQL> select table_name from all_tables;
SQL> select * from user_role_privs;
```

- Oracle RDBMS - Database Enumeration
  Here, the user scott has no administrative privileges. However, we can try using this account to log in as the System Database Admin (sysdba), giving us higher privileges. This is possible when the user scott has the appropriate privileges, typically granted by the database administrator or used by the administrator him/herself.

```
sqlplus scott/[email protected]/XE as sysdba
```

- Oracle RDBMS - Extract Password Hashes

```
SQL> select name, password from sys.user$;
```

- Oracle RDBMS - File Upload

```
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
```

and

```
curl -X GET http://10.129.204.235/testing.txt
```
Intelligent Platform Management Interface (`IPMI`) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring. IPMI provides `sysadmins` with the ability to `manage` and `monitor` systems even if they are powered off or in an unresponsive state. It operates using a direct network connection to the system's hardware and does not require access to the operating system via a login shell. IPMI can also be used for:

- Modifying BIOS settings before the OS has boo
- Management when the host is fully powered down
- Access to a host after a system failure

When not being used for these tasks, IPMI can monitor a range of different things such as system temperature, voltage, fan status, and power supplies. It can also be used for querying inventory information, reviewing hardware logs, and alerting using SNMP. The host system can be powered off, but the IPMI module requires a power source and a LAN connection to work correctly. This addressing mechanism is an absolute prerequisite for successfully transmitting data and network monitoring using SNMP. To function, IPMI requires the following components:

- Baseboard Management Controller (BMC) - A micro-controller and essential component of an IPMI
- Intelligent Chassis Management Bus (ICMB) - An interface that permits communication from one chassis to another
- Intelligent Platform Management Bus (IPMB) - extends the BMC
- IPMI Memory - stores things such as the system event log, repository store data, and more
- Communications Interfaces - local system interfaces, serial and LAN interfaces, ICMB and PCI Management Bus

IPMI communicates over port `623 UDP`. Systems that use the IPMI protocol are called Baseboard Management Controllers (`BMCs`). BMCs are typically implemented as embedded ARM systems running Linux and connected directly to the host's motherboard. BMCs are built into many motherboards but can also be added to a system as a PCI card.
- Nmap: `sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local`
- Metasploit Version Scan

```
msf6 > use auxiliary/scanner/ipmi/ipmi_version
msf6 auxiliary(scanner/ipmi/ipmi_version) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options

Module options (auxiliary/scanner/ipmi/ipmi_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS     10.129.42.195    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      623              yes       The target port (UDP)
   THREADS    10               yes       The number of concurrent threads

msf6 auxiliary(scanner/ipmi/ipmi_version) > run

[*] Sending IPMI requests to 10.129.42.195->10.129.42.195 (1 hosts)
[+] 10.129.42.195:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

If default credentials do not work to access a BMC, we can turn to a flaw in the RAKP protocol in IPMI 2.0. During the authentication process, the server sends a salted SHA1 or MD5 hash of the user's password to the client before authentication takes place. The hashes dumped with the Metasploit module below can be cracked with:

```
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
```

- Metasploit Dumping Hashes

```
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                 Current Setting                                                    Required  Description
   ----                 ---------------                                                    --------  -----------
   CRACK_COMMON         true                                                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                     no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                        no        Save captured password hashes in john the ripper format
   PASS_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
   RHOSTS               10.129.42.195                                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                623                                                                yes       The target port
   THREADS              1                                                                  yes       The number of concurrent threads (max one per host)
   USER_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt      yes       File containing usernames, one per line

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9ea123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e
[+] 10.129.42.195:623 - IPMI - Hash for user 'ADMIN' matches password 'ADMIN'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Secure Shell (`SSH`) facilitates secure, encrypted connections between computers over potentially insecure networks, typically on TCP port 22. When managing a remote host, SSH allows interaction via command line or GUI. It enables sending `commands`, `file transfers`, and `port forwarding`, necessitating a secure SSH connection and authentication.

- Public Key Authentication
  - Server and Client Authentication
    Initially, the SSH server and client authenticate each other. The server sends a certificate to verify its identity, reducing the risk of third-party intervention during the initial connection.
  - Client Authentication
    Following server authentication, the client must prove access authorization. Typically, the server possesses an encrypted hash of the user's password. However, for enhanced security and convenience, public key and private key pairs are used instead.
  - Private Key
    Individual to the `user's computer` and secured with a passphrase stronger than typical passwords, the private key remains solely on the user's computer, ensuring its secrecy.
  - Public Key on Server
    The server generates a cryptographic challenge based on the client's public key and sends it. The client decrypts this challenge with its private key, providing the solution to the server, thereby confirming a legitimate connection.
- Default Configuration
  The `sshd_config` file, responsible for the OpenSSH server, has only a few of the settings configured by default.

```
cat /etc/ssh/sshd_config | grep -v "#" | sed -r '/^\s*$/d'
```
- Dangerous Settings

Setting | Description |
---|---|
PasswordAuthentication | Allows password-based authentication. |
PermitEmptyPasswords | Allows the use of empty passwords. |
PermitRootLogin | Allows logging in as the root user. |
Protocol | Uses an outdated version of encryption. |
X11Forwarding | Allows X11 forwarding for GUI applications. |
AllowTcpForwarding | Allows forwarding of TCP ports. |
PermitTunnel | Allows tunneling. |
DebianBanner | Displays a specific banner when logging in. |

Allowing password authentication allows us to brute-force a known username for possible passwords. Many different methods can be used to guess the passwords of users. For this purpose, specific patterns are usually used to mutate the most commonly used passwords and, frighteningly, correct them.
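To apply the table above to the output of the `cat ... | grep -v "#" | sed ...` one-liner, the following added example (not code from the page or from OpenSSH) parses the global sshd_config settings and reports which of the dangerous ones are in effect. Two sshd(8) rules are built in because reading the file by eye gets them wrong: for each keyword the first value wins, so a `PermitRootLogin no` appended at the end does not override an earlier `yes`, and everything after a `Match` line is conditional rather than global. The sample config, the `audit_sshd` name and the defaults table are constructed here (defaults taken from sshd_config(5)); `Include` files are not followed.

```python
"""Audit the effective global settings of an OpenSSH server configuration.

Added example, not code from the page or from OpenSSH. Input is text in the
shape produced by `cat /etc/ssh/sshd_config | grep -v "#" | sed -r '/^\s*$/d'`;
the sample below is constructed. Include files are not followed.
"""
import re
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample: note PermitRootLogin appears twice and a Match block ends the file.
SAMPLE_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding yes
AllowTcpForwarding yes
PermitTunnel yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication no
"""

# OpenSSH defaults for keywords that are not set explicitly (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "x11forwarding": "no",
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
}

# `Keyword value` or `Keyword=value`; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global keyword -> value (lower-cased keywords); the FIRST occurrence wins."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break                      # everything below applies conditionally
        settings.setdefault(keyword, value)
    return settings


def effective(settings: Dict[str, str], keyword: str) -> str:
    """Value in force for keyword: explicit setting, else the OpenSSH default."""
    return settings.get(keyword, DEFAULTS.get(keyword, "")).lower()


def audit_sshd(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, effective value, why it matters) for each risky setting."""
    settings = parse_sshd_config(text)
    findings: List[Tuple[str, str, str]] = []

    def flag(keyword: str, bad: Set[str], why: str) -> None:
        value = effective(settings, keyword)
        if value in bad:
            findings.append((keyword, value, why))

    flag("passwordauthentication", {"yes"}, "accounts are exposed to online password guessing")
    flag("permitemptypasswords", {"yes"}, "accounts with an empty password can log in")
    flag("permitrootlogin", {"yes"}, "root can authenticate directly, even with a password")
    flag("x11forwarding", {"yes"}, "the client's X11 display becomes reachable from the server")
    flag("allowtcpforwarding", {"yes", "all"}, "any shell user can tunnel TCP traffic through the host")
    flag("permittunnel", {"yes", "point-to-point", "ethernet"}, "tun(4) devices can be forwarded (layer-2/3 VPN)")
    protocol = effective(settings, "protocol")
    if "1" in protocol.split(","):
        findings.append(("protocol", protocol, "SSH protocol 1 is broken and unsupported"))
    return findings


if __name__ == "__main__":
    for keyword, value, why in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(f"{keyword} = {value}: {why}")
```

On the sample the audit reports `permitrootlogin = yes` even though a `no` follows later in the file, and it does not report `passwordauthentication` as disabled by the `Match` block, because that line only applies to user `backup`. Running `audit_sshd` on an otherwise empty config still flags `allowtcpforwarding`, because that is OpenSSH's default.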
- Footprinting the Service
  One of the tools we can use to fingerprint the SSH server is ssh-audit.

```
git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py 10.129.14.132
```

- Change Authentication Method
  For potential brute-force attacks, we can specify the authentication method with the SSH client option `PreferredAuthentications`.

```
ssh -v [email protected]
ssh -v [email protected] -o PreferredAuthentications=password
```
-
Rsync is a fast and efficient tool for copying files locally and between hosts. Besides the local and SSH-transport modes, it can run as a daemon (rsyncd) that exports named modules, commonly called shares.
By default, the daemon listens on TCP port 873; rsync can also be configured to transfer over SSH instead.
-
Scanning
sudo nmap -sV -p 873 127.0.0.1
-
Probing for Accessible Shares
nc -nv 127.0.0.1 873
The daemon greets us with its protocol banner (for example @RSYNCD: 31.0); echoing the same version line back and then sending #list makes it return the modules it exports.
-
Enumerating an Open Share
rsync -av --list-only rsync://127.0.0.1/<share>
If Rsync is configured to transfer files over SSH instead of the daemon, we add the -e ssh flag, or -e "ssh -p2222" if SSH listens on a non-standard port.
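The nc probe above only shows the greeting; the following Python script, added here and not part of the page or of rsync, completes the daemon exchange: it answers the version line, sends #list, and parses module lines until @RSYNCD: EXIT. It also asks for a single module by name to tell an open share (@RSYNCD: OK) from one that needs credentials (@RSYNCD: AUTHREQD) or is rejected by hosts allow/deny (@ERROR). The sample reply is constructed; host and port are whatever you pass in.

```python
"""Talk to an rsync daemon directly to list its modules ("shares").

Added example, not code from the page or from rsync. Parsing is kept
separate from the socket code so it can be exercised on a captured reply.
"""
import socket
from typing import List, Tuple

RSYNCD_PORT = 873
OUR_VERSION_LINE = b"@RSYNCD: 31.0\n"   # protocol 31 = what rsync 3.1.x/3.2.x clients speak


def parse_module_list(payload: bytes) -> Tuple[List[Tuple[str, str]], bool]:
    """Parse the daemon's reply to '#list'.

    Lines starting with '@RSYNCD:' are the greeting (newer daemons append a
    digest list) and the EXIT terminator; every other line is 'name<TAB>comment'.
    Returns (modules, saw_exit) so a truncated reply can be told from a complete
    one. Modules exported with 'list = no' never appear and must be guessed.
    """
    modules: List[Tuple[str, str]] = []
    saw_exit = False
    for raw in payload.decode("utf-8", "replace").splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("@RSYNCD: EXIT"):
            saw_exit = True
            break
        if line.startswith("@RSYNCD:"):
            continue
        name, _, comment = line.partition("\t")
        modules.append((name.strip(), comment.strip()))
    return modules, saw_exit


def classify_module_response(line: bytes) -> str:
    """Interpret the daemon's first line after we send a module name instead of '#list'."""
    text = line.decode("utf-8", "replace").strip()
    if text.startswith("@RSYNCD: OK"):
        return "open"            # anonymous access: rsync -av --list-only rsync://host/module works
    if text.startswith("@RSYNCD: AUTHREQD"):
        return "auth-required"   # a challenge follows; credentials are needed
    if text.startswith("@ERROR"):
        return "denied"          # unknown module, or hosts allow/deny rejected our address
    return "unknown"


def _recv_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> bytes:
    data = b""
    while marker not in data and len(data) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data


def list_modules(host: str, port: int = RSYNCD_PORT, timeout: float = 5.0) -> Tuple[List[Tuple[str, str]], bool]:
    """Connect, complete the version exchange, and request the module list."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = _recv_until(sock, b"\n")      # e.g. b"@RSYNCD: 31.0\n"
        sock.sendall(OUR_VERSION_LINE)
        sock.sendall(b"#list\n")
        reply = _recv_until(sock, b"@RSYNCD: EXIT")
    return parse_module_list(greeting + reply)


def probe_module(host: str, module: str, port: int = RSYNCD_PORT, timeout: float = 5.0) -> str:
    """Ask for one module by name and report whether it is open, protected or denied."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _recv_until(sock, b"\n")
        sock.sendall(OUR_VERSION_LINE)
        sock.sendall(module.encode() + b"\n")
        first_line = _recv_until(sock, b"\n")
    return classify_module_response(first_line)


# Constructed reply, not captured from a real host: two modules, one uncommented.
SAMPLE_LIST_REPLY = (
    b"@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n"
    b"dev            \tDevelopment share\n"
    b"backups        \t\n"
    b"@RSYNCD: EXIT\n"
)

if __name__ == "__main__":
    mods, complete = parse_module_list(SAMPLE_LIST_REPLY)
    for name, comment in mods:
        print(f"{name:15s} {comment}")
    print("complete reply:", complete)
```

Against a live target, `list_modules("10.129.14.132")` followed by `probe_module("10.129.14.132", name)` for each name reproduces what `rsync --list-only` tells you, but also separates "needs a password" from "blocked for my address", which the rsync client lumps together as an error.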
R-Services are a suite of services that enable remote access or command execution between Unix hosts over TCP/IP, listening by default on TCP ports 512 (rexec), 513 (rlogin) and 514 (rsh).
They have been superseded by SSH, much like telnet: r-services transmit everything between client and server (and vice versa) over the network unencrypted, so an attacker on the path can intercept passwords and login information with a man-in-the-middle (MITM) attack.
The R-commands suite consists of the following programs:
- rcp (remote copy)
- rexec (remote execution)
- rlogin (remote login)
- rsh (remote shell)
- rstat
- ruptime
- rwho (remote who)
The /etc/hosts.equiv file contains a list of trusted hosts, optionally with user names, whose users may log in via rlogin/rsh without a password; per-user ~/.rhosts files grant the same trust for a single account. A lone + entry trusts every host.
cat /etc/hosts.equiv
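Added example, not from the page: a small Python parser for hosts.equiv / .rhosts that rates each entry, since what matters in this file is the wildcard. A + in the host field trusts every machine on the network, + + lets any user in from anywhere, and even an ordinary host entry only trusts the client's IP/DNS name, which is spoofable. The sample file is constructed.

```python
"""Rate the entries of /etc/hosts.equiv or a ~/.rhosts file.

Added example, not code from the page. Each active line is
'hostname [username]'; '+' is a wildcard, '+@group'/'-@group' name NIS
netgroups, and a leading '-' denies. hosts.equiv never grants root access
(only ~root/.rhosts does), but everything else it grants is password-less.
"""
from typing import List, Tuple

SEVERITY_ORDER = ["INFO", "MEDIUM", "HIGH", "CRITICAL"]


def assess_entry(host: str, user: str) -> Tuple[str, str]:
    """Rate one 'host [user]' entry; returns (severity, explanation)."""
    if host.startswith("-"):
        return "INFO", "deny rule (only effective if no earlier line already matched)"
    if host == "+" and user == "+":
        return "CRITICAL", "any user on any host may log in without a password"
    if host == "+":
        return "HIGH", "every host on the network is trusted"
    if user == "+":
        return "HIGH", f"any remote user on {host} is trusted"
    if host.startswith("+@") or user.startswith("+@"):
        return "MEDIUM", "netgroup trust: enumerate the NIS group's members"
    if user:
        return "MEDIUM", f"{user}@{host} trusted (as any non-root local user via hosts.equiv, as the owner via .rhosts)"
    return "MEDIUM", f"{host} trusted on the strength of its IP/DNS name alone (spoofable)"


def parse_trust_file(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, user, severity, explanation) for every active entry; comment lines are skipped."""
    entries: List[Tuple[str, str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else "")
        severity, note = assess_entry(host, user)
        entries.append((host, user, severity, note))
    return entries


def worst_severity(entries: List[Tuple[str, str, str, str]]) -> str:
    """Highest severity present, or INFO for an empty file."""
    return max((e[2] for e in entries), key=SEVERITY_ORDER.index, default="INFO")


# Constructed sample, not from a real host.
SAMPLE_HOSTS_EQUIV = """\
# constructed sample
web01
workstn01 htb-student
+@admins
-oldhost
+ +
"""

if __name__ == "__main__":
    rows = parse_trust_file(SAMPLE_HOSTS_EQUIV)
    for host, user, severity, note in rows:
        print(f"{severity:8s} {host:12s} {user:12s} {note}")
    print("overall:", worst_severity(rows))
```

On a real host, run it over /etc/hosts.equiv and every ~/.rhosts you can read; a CRITICAL or HIGH result means the rlogin command shown below will work without a password from any (or any spoofed) host.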
-
Nmap
sudo nmap -sV -p 512,513,514 10.0.17.2
-
Logging in Using Rlogin
rlogin 10.0.17.2 -l htb-student
-
Listing Authenticated Users Using Rwho
rwho
root        web01:pts/0      Dec 2 21:34
htb-student workstn01:tty1   Dec 2 19:57  2:25
-
Listing Authenticated Users Using Rusers
rusers -al 10.0.17.5
The main components used for remote management of Windows hosts and Windows servers are the following:
- Remote Desktop Protocol (RDP)
- Windows Remote Management (WinRM)
- Windows Management Instrumentation (WMI)
RDP operates at the application layer of the TCP/IP reference model and uses TCP as its transport, typically on port 3389.
For an RDP session to be established, both the network firewall and the host firewall on the server must allow inbound connections from the outside, and if the server sits behind a NAT router, a port forward to the server must be configured.
RDP has supported Transport Layer Security (TLS/SSL) since Windows Vista, so the session data and in particular the logon can be encrypted in transit; the weaker legacy "RDP Security" encryption is only used when client and server fail to negotiate TLS.
The Remote Desktop service is installed by default on Windows servers and does not require additional external applications.
It can be activated using the Server Manager and is configured by default to accept connections only from clients that support Network Level Authentication (NLA), which authenticates the user via CredSSP before a desktop session is created.
-
Footprinting the Service
Scanning the RDP service can quickly give us a lot of information about the host. For example, we can determine whether NLA is enforced on the server, the product version, and the hostname.
-
Nmap
nmap -sV -sC 10.129.201.248 -p3389 --script rdp*
In addition, we can use --packet-trace to follow the individual packets and inspect their contents manually. This shows that the RDP cookie (mstshash=nmap) Nmap places in its X.224 connection request is a recognizable fingerprint: threat hunters and security products such as Endpoint Detection and Response (EDR) can alert on it and lock us out of hardened networks.
nmap -sV -sC 10.129.201.248 -p3389 --packet-trace --disable-arp-ping -n
-
RDP Security Check - Install
rdp-sec-check.pl is a Perl script by Cisco CX Security Labs that identifies the security settings of an RDP server (supported security protocols, encryption levels, NLA) from the connection handshake alone, without authenticating. Its Perl module dependencies are installed via cpan:
sudo cpan
-
RDP Security Check
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl 10.129.201.248
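Both Nmap's rdp scripts and rdp-sec-check derive their findings from the same first exchange: an X.224 Connection Request carrying an RDP_NEG_REQ, answered by a Connection Confirm carrying either RDP_NEG_RSP (the protocol the server selected) or RDP_NEG_FAILURE (why it refused). The Python below, an added example that is neither tool's code, builds that request by hand, parses the reply, and asks for each security protocol on its own connection: a HYBRID_REQUIRED_BY_SERVER failure when requesting Standard RDP Security means NLA is enforced. Because we write the cookie ourselves, it also avoids the mstshash=nmap fingerprint discussed above. The sample Connection Confirm packets are constructed, and the default cookie user name is an assumption.

```python
"""Probe RDP security negotiation with a hand-built X.224 Connection Request.

Added example, not code from the page, Nmap or rdp-sec-check. Only the
negotiation is exchanged; no TLS or CredSSP handshake follows, so no
credentials are needed and nothing is sent that looks like a logon attempt.
"""
import socket
import struct
from typing import Dict, Optional

# requestedProtocols / selectedProtocol values (MS-RDPBCGR RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_RDSTLS, PROTOCOL_HYBRID_EX = 0, 1, 2, 4, 8
PROTOCOL_NAMES = {0: "Standard RDP Security", 1: "TLS", 2: "CredSSP (NLA)", 4: "RDSTLS", 8: "CredSSP (NLA) + Early User Auth"}
# failureCode values of RDP_NEG_FAILURE
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_x224_cr(requested_protocols: int, cookie_user: Optional[str] = None) -> bytes:
    """TPKT header + X.224 Connection Request [+ mstshash cookie] + RDP_NEG_REQ."""
    payload = b""
    if cookie_user is not None:
        # Real mstsc sends the user name here; Nmap sends "nmap", which EDRs key on.
        payload += b"Cookie: mstshash=" + cookie_user.encode("ascii") + b"\r\n"
    # RDP_NEG_REQ: type=0x01, flags, length=8, requestedProtocols (all little-endian)
    payload += struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: length indicator counts every byte after itself
    x224 = struct.pack(">BBHHB", 6 + len(payload), 0xE0, 0x0000, 0x0000, 0x00) + payload
    # TPKT: version 3, reserved, total length including this 4-byte header (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_x224_cc(data: bytes) -> Dict[str, object]:
    """Decode the server's X.224 Connection Confirm.

    A CC without an RDP_NEG_RSP (length indicator 6) comes from an old server
    that only speaks Standard RDP Security.
    """
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] > len(data):
        raise ValueError("not a complete TPKT packet")
    length_indicator, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError(f"not an X.224 Connection Confirm (code {code:#04x})")
    if length_indicator == 6:
        return {"accepted": True, "protocol": PROTOCOL_RDP, "failure": None, "legacy": True}
    if len(data) < 19:
        raise ValueError("truncated negotiation structure")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("malformed negotiation structure")
    if neg_type == 0x02:   # RDP_NEG_RSP
        return {"accepted": True, "protocol": value, "failure": None, "legacy": False}
    if neg_type == 0x03:   # RDP_NEG_FAILURE
        return {"accepted": False, "protocol": None, "failure": FAILURE_CODES.get(value, f"code {value}"), "legacy": False}
    raise ValueError(f"unexpected negotiation type {neg_type:#04x}")


def probe_rdp(host: str, port: int = 3389, cookie_user: Optional[str] = "Administr",
              timeout: float = 5.0) -> Dict[str, Dict[str, object]]:
    """Ask for each protocol on its own connection and collect the server's verdicts.

    cookie_user defaults to an assumed mstsc-style value (mstsc sends the user
    name, truncated); pass None to omit the cookie entirely.
    """
    results: Dict[str, Dict[str, object]] = {}
    for proto in (PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_x224_cr(proto, cookie_user))
            results[PROTOCOL_NAMES[proto]] = parse_x224_cc(sock.recv(1024))
    return results


def nla_enforced(results: Dict[str, Dict[str, object]]) -> bool:
    """True when the server refuses anything but CredSSP for the plain RDP request."""
    return results.get("Standard RDP Security", {}).get("failure") == "HYBRID_REQUIRED_BY_SERVER"


def _cc(negotiation: bytes) -> bytes:
    """Assemble a Connection Confirm around an optional RDP_NEG_RSP/FAILURE (for samples)."""
    x224 = struct.pack(">BBHHB", 6 + len(negotiation), 0xD0, 0x0000, 0x1234, 0x00) + negotiation
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


# Constructed server replies, not captured from a real host.
SAMPLE_CC_NLA_SELECTED = _cc(struct.pack("<BBHI", 0x02, 0x1F, 8, PROTOCOL_HYBRID))
SAMPLE_CC_NLA_REQUIRED = _cc(struct.pack("<BBHI", 0x03, 0x00, 8, 5))
SAMPLE_CC_LEGACY = _cc(b"")
```

`probe_rdp("10.129.201.248")` returns one verdict per requested protocol; `nla_enforced()` on that result answers the question the Nmap scripts answer, and the per-protocol failures show what rdp-sec-check reports as the server's supported security layers.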
-
Initiate an RDP Session
Authentication and connection to such RDP servers can be made in several ways. For example, we can connect to RDP servers from Linux using xfreerdp, rdesktop, or Remmina and interact with the server's GUI accordingly.
xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248
Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol: a SOAP-based (Simple Object Access Protocol) remote management protocol carried over HTTP(S) and typically driven from the command line. WinRM establishes connections to remote hosts and their management resources, such as WMI, and is also the transport PowerShell Remoting runs on.
Another component that builds on WinRM for administration is Windows Remote Shell (WinRS), which lets us execute arbitrary commands on the remote system.
-
Footprinting the Service
As we already know, WinRM uses TCP ports 5985 (HTTP) and 5986 (HTTPS) by default, which we can scan using Nmap.
-
Nmap WinRM
nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
If we want to find out whether one or more remote servers can be reached via WinRM, we can do this from a Windows host with PowerShell: the Test-WSMan cmdlet takes the host name in question and returns the WS-Management identity of the service (vendor, protocol version and OS/stack version) without needing credentials.
-
Initiate a WinRM Session from Linux
In Linux-based environments, we can use evil-winrm, a penetration testing tool built to interact with WinRM that gives us an interactive PowerShell session over the protocol.
evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
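Test-WSMan is a Windows cmdlet, but the request it sends is plain WS-Management: a SOAP Identify message carrying the WSMANIDENTIFY: unauthenticated header, which WinRM answers without credentials. The Python below, an added example that is not the page's or Microsoft's code, sends that request to /wsman from Linux and parses the IdentifyResponse; the OS field (for example 10.0.17763) is the Windows build number, which maps to a release (17763 is Windows Server 2019 / Windows 10 1809). The sample response is constructed; host and ports are whatever you pass in.

```python
"""WS-Management Identify against WinRM, the request Test-WSMan sends.

Added example, not code from the page or from Microsoft. Parsing is kept
separate from the HTTP call so it can be tested on a constructed reply.
"""
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS_SOAP = "http://www.w3.org/2003/05/soap-envelope"
NS_WSMID = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"

IDENTIFY_REQUEST = (
    f'<s:Envelope xmlns:s="{NS_SOAP}" xmlns:wsmid="{NS_WSMID}">'
    "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
).encode()


def parse_identify_response(body: bytes) -> Dict[str, Optional[str]]:
    """Pull vendor, protocol version, product version and OS build out of an IdentifyResponse."""
    root = ET.fromstring(body)

    def text(tag: str) -> Optional[str]:
        el = root.find(f".//{{{NS_WSMID}}}{tag}")
        return el.text.strip() if el is not None and el.text else None

    info: Dict[str, Optional[str]] = {
        "protocol_version": text("ProtocolVersion"),
        "product_vendor": text("ProductVendor"),
        "product_version": text("ProductVersion"),
        "os_build": None,
    }
    # Windows reports e.g. "OS: 10.0.17763 SP: 0.0 Stack: 3.0"; keep the build part.
    match = re.search(r"OS:\s*([\d.]+)", info["product_version"] or "")
    if match:
        info["os_build"] = match.group(1)
    return info


def winrm_identify(host: str, port: int = 5985, use_tls: bool = False,
                   timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """POST the unauthenticated Identify request to /wsman and parse the reply."""
    scheme = "https" if use_tls else "http"
    request = urllib.request.Request(
        f"{scheme}://{host}:{port}/wsman",
        data=IDENTIFY_REQUEST,
        headers={
            "Content-Type": "application/soap+xml;charset=UTF-8",
            "WSMANIDENTIFY": "unauthenticated",   # what makes WinRM answer without credentials
            "User-Agent": "Microsoft WinRM Client",
        },
        method="POST",
    )
    context = None
    if use_tls:
        # WinRM HTTPS listeners are commonly self-signed; skip verification for fingerprinting only.
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, timeout=timeout, context=context) as response:
        return parse_identify_response(response.read())


# Constructed response in the shape WinRM returns, not captured from a real host.
SAMPLE_IDENTIFY_RESPONSE = f"""<s:Envelope xmlns:s="{NS_SOAP}" xmlns:wsmid="{NS_WSMID}">
<s:Header/><s:Body><wsmid:IdentifyResponse>
<wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>
<wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>
<wsmid:ProductVersion>OS: 10.0.17763 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>
</wsmid:IdentifyResponse></s:Body></s:Envelope>""".encode()

if __name__ == "__main__":
    for key, value in parse_identify_response(SAMPLE_IDENTIFY_RESPONSE).items():
        print(f"{key:17s} {value}")
```

`winrm_identify("10.129.201.248")` is the Linux equivalent of Test-WSMan; a 401 or connection error instead of an IdentifyResponse means the listener is absent, filtered, or configured to refuse unauthenticated Identify.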
-
Windows Management Instrumentation (WMI) is Microsoft's implementation and extension of the Common Information Model (CIM), the core of the standardized Web-Based Enterprise Management (WBEM) framework, for the Windows platform. WMI is typically accessed via PowerShell, VBScript, or the Windows Management Instrumentation Console (WMIC).
-
Footprinting the Service
WMI communication over DCOM is always initiated on TCP port 135 (the RPC endpoint mapper); after the connection is established, the communication moves to a dynamically allocated high port, which is why the firewall must also allow the dynamic RPC range.
The wmiexec.py script from the Impacket toolkit can be used to run commands through WMI with valid credentials:
/usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"