A cheat sheet and resource for ethically hacking common services across diverse systems. Use it as your trusted guide in cybersecurity pursuits.
SMB
SMBMap
SMBMap allows users to enumerate samba share drives across an entire domain.
smbmap -H 10.10.10.10
smbmap -H 10.10.10.10 -u victim -p password [with creds]
Smbclient
smbclient -L 10.10.10.10
smbclient //10.10.10.10/tmp
smbclient -U "" //10.10.10.10/anon
smbclient -U "Username" -L 10.10.10.10
smbclient -U "Username" //10.10.10.10/share-name
smbclient -L \\\\<target-ip>
smbclient \\\\<target-ip>\\<share-name>
smbclient -N //10.10.10.10/tmp --option='client min protocol=NT1' [legacy]
Nmap SMB Scripts
You can find a list of all nmap scripts dealing with smb with:
# list all smb scripts
ls -1 /usr/share/nmap/scripts/smb*
# Run with:
nmap -p 445 10.10.10.10 --script smb-os-discovery.nse [single]
nmap -p 139,445 10.10.10.10 --script smb-vuln-* [group]
Nbtscan
nbtscan is a CLI utility that scans for NetBIOS name servers. Use it to find possible connection points across a network.
# scan a subnet for valid NetBIOS names (sample output below)
nbtscan -r 192.168.50.0/24
Doing NBT name scan for addresses from 192.168.50.0/24
IP address       NetBIOS Name     Server    User             MAC address
--------------------------------------------------------------------
192.168.50.124   SAMBA            <server>  SAMBA            00:00:00:00:00:00
192.168.50.134   SAMBAWEB         <server>  SAMBAWEB         00:00:00:00:00:00
RPCclient
You can use rpcclient to issue MS-RPC queries against the target.
To try and establish a null session:
rpcclient -U "" -N 10.10.10.10
rpcclient -U "Username" 10.10.10.10
$>
$>enum<tabtab>
enumdomains enumdomusers enumdomgroups enumdata ...
<All enumeration commands shown>
Most useful rpcclient commands:
srvinfo
enumalsgroups domain
enumalsgroups builtin
enumdomusers
lookupnames "Username"
queryuser <RID>
Metasploit SMB Scripts
If you search msfconsole for smb, you can find it also has a decent amount of auxiliary modules for SMB enumeration.
Enum4Linux
This script enumerates a Windows or Samba host over SMB. It is noisy, so use it when being stealthy is not a concern.
enum4linux 10.10.10.10
Brute-Forcing
You can use Hydra's SMB module to brute force credentials as well. Select wordlists from SecLists and launch the module.
hydra -L users.txt -P passwords.txt 10.10.10.10 smb -V
Nmap’s smb-brute module works here as well. Nmap’s module uses the same wordlist as the Conficker worm.
Net View
# the /all switch also lists the administrative shares (names ending in a dollar sign).
net view \\dc01 /all
net view \\$IP /all
CrackMapExec (CME)
SMB enumeration
crackmapexec smb <target-ip>
Username and Password Validation
Single:
crackmapexec smb <target-ip> -u 'username' -p 'password'
Multi:
crackmapexec smb <target-ip> -u users.txt -p passwords.txt
List Shares
crackmapexec smb <target-ip> --shares
Spider Shares
# --spider takes the name of the share to crawl
crackmapexec smb <target-ip> -u 'username' -p 'password' --spider '<share-name>'
Enumerate Sessions and Users
crackmapexec smb <target-ip> --sessions
crackmapexec smb <target-ip> --users
Pass-the-Hash
crackmapexec smb <target-ip> -u 'username' -H 'hash_here'
SMTP
Netcat
VRFY / EXPN
# The VRFY command is used to verify the existence of a specific user or email address on the mail server.
nc -nv 192.168.50.8 25
(UNKNOWN) [192.168.50.8] 25 (smtp) open
220 mail ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root [ User Existed ]
VRFY idontexist
550 5.1.1 <idontexist>: Recipient address rejected: User unknown in local recipient table
# The EXPN command asks the server to expand a mailing list, which may reveal valid email addresses or usernames.
EXPN [email protected]
PowerShell
Test-NetConnection -Port 25 192.168.50.8
Banner Grabbing
nc <target-ip> 25
Brute Force
hydra -l [email protected] -P wordlist.txt <target-ip> smtp -V
Scripts
SMTP servers might leak valid usernames through error messages or response delays:
smtp-user-enum is a tool used to enumerate users on an SMTP server by exploiting the “VRFY”, “EXPN”, and “RCPT TO” SMTP commands.
smtp-user-enum -M VRFY -U usernames.txt -t 192.168.1.10
Test for Anon Access
nc <target-ip> 25
Once connected, the server will usually greet you with a banner indicating its SMTP software/version and a 220 status. Try:
HELO myname
VRFY [email protected]
Try to send an email:
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
Subject: Test email
This is a test email.
.
Email can sometimes be a good route to user names and passwords. For example, you can trigger a password reset mechanism on a web app and then complete the reset through SMTP.
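The VRFY/EXPN exchange above is easiest to reason about once the replies are parsed. This added example (not part of the original cheat sheet) groups raw SMTP server output into replies, including multi-line 250- continuations, and tells whether a server answers VRFY differently for a real account than for a bogus one, which is the property a hardened mail server should not have; the transcript is constructed, modelled on the nc session above.

```python
import re

# Constructed transcript modelled on the nc session above; not a real capture.
SAMPLE = """220 mail ESMTP Postfix (Ubuntu)
250-mail
250-PIPELINING
250 SIZE 10240000
252 2.0.0 root
550 5.1.1 <idontexist>: Recipient address rejected: User unknown in local recipient table
502 5.5.1 VRFY command is disabled
"""
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(text):
    """Group raw server output into replies. A reply is one or more lines with the
    same code; 'code-' marks a continuation line and 'code ' the last line
    (RFC 5321 section 4.2). Lines that are not replies (client commands, the
    nc connect banner) are skipped."""
    replies, lines = [], []
    for raw in text.splitlines():
        m = REPLY_RE.match(raw)
        if not m:
            continue
        code, sep, body = int(m.group(1)), m.group(2), m.group(3)
        lines.append(body)
        if sep == " ":
            replies.append((code, lines))
            lines = []
    return replies


def vrfy_state(reply):
    """Classify one reply to VRFY or EXPN: 'confirmed' (2xx, address verified or
    accepted), 'disabled' (502, command switched off) or 'rejected' (any other
    4xx/5xx, typically 550 unknown user)."""
    code = reply[0]
    if code == 502:
        return "disabled"
    if 200 <= code < 300:
        return "confirmed"
    return "rejected"


def acts_as_user_oracle(known_reply, bogus_reply):
    """True when a real account and a made-up one get different answers, which is
    what smtp-user-enum relies on. A hardened server answers both the same way,
    for example 502 for everything (Postfix: disable_vrfy_command = yes)."""
    return vrfy_state(known_reply) != vrfy_state(bogus_reply)
```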
SNMP
snmpwalk
# use snmpwalk with 'public' community string
snmpwalk -c public -v1 -t 10 $IP
# enumerate a specific MIB subtree
snmpwalk -c public -v1 $IP 1.3.6.1.4.1.77.1.2.25
onesixtyone
onesixtyone -c community -i ip_list.txt
FTP
Banner Grabbing
nc <target-ip> 21
Anonymous Logins
Try pressing Enter with no user name, or log in with the user name anonymous and just press Enter for the password.
ftp <target-ip>
<enter>
ftp <target-ip>
>anonymous
><enter>
Brute Force
You can use Medusa to brute force FTP.
Medusa
medusa -h <target-ip> -U userlist.txt -P password-file -M ftp
Misconfigurations
Sometimes FTP servers are misconfigured to allow operations like file writing or directory listing. Tools like ftp or FileZilla can be used to check this.
Vulnerability Scanning
You can use nmap's FTP scripts to scan for known vulnerabilities:
nmap -p 21 --script=ftp-* <target-ip>
File Upload
If you can upload files, it might be possible to upload a malicious file or script and trigger its execution elsewhere. For instance, if the FTP also serves as a web server’s root directory, uploading a PHP shell could be very beneficial.
Passive Mode
Some FTP servers might leak internal IP addresses when switching to passive mode, which could be useful in multi-layered environments (like pivoting inside networks).
FTP Clients
Try a basic FTP GUI client as well and see whether the login behaves differently.
SSH
Banner Grabbing
nc <target-ip> 22
Brute Force
hydra -l username -P password_list.txt ssh://<target-ip>
Version Specific Vulnerabilities
nmap -sC -sV -p 22 <target-ip>
User Enumeration
Use SSH-Enum. Be careful with account lockout.
SSH Key Pairs
In some CTFs or vulnerable machines, you might find SSH private keys hidden in files, backups, or other services. These can be used to authenticate without a password. If you come across a private key:
ssh -i path_to_private_key username@<target-ip>
Misconfigured SSHD_Config
On some occasions, if you gain lower-privileged access, you can check the SSH configuration file (`/etc/ssh/sshd_config`). This can give insights into things like allowed users, authentication methods, or other potentially insecure configurations.
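Reading sshd_config by eye is error-prone because keywords are case-insensitive, the first occurrence wins and anything under a Match block is conditional. This added example (not from the original page) parses a constructed sshd_config the way sshd interprets it and reports the settings a reviewer checks first (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, X11Forwarding) when they are weaker than the hardened value, using sshd's documented defaults for absent keywords.

```python
import re

# Constructed sample sshd_config; not taken from any real host.
SAMPLE_SSHD_CONFIG = """# sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowUsers deploy backup
Match User backup
    PasswordAuthentication no
"""

# Keywords a reviewer checks first: accepted (hardened) values and sshd's
# default when the keyword is absent (per sshd_config(5), OpenSSH 7.0+).
CHECKS = {
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "permitemptypasswords": ({"no"}, "no"),
    "x11forwarding": ({"no"}, "no"),
}


def parse_sshd_config(text):
    """Return (global_options, match_blocks). Keywords are case-insensitive and
    the first occurrence wins, as in sshd; everything after a Match line applies
    only when its criteria match, so it is kept as (criteria, {key: value})."""
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            current = (value, {})
            match_blocks.append(current)
        else:
            (current[1] if current else global_opts).setdefault(key, value)
    return global_opts, match_blocks


def find_weak_settings(text):
    """List (keyword, effective value, accepted values) for global settings that
    are weaker than the hardened value, treating absent keywords as defaults."""
    opts, _ = parse_sshd_config(text)
    weak = []
    for key, (accepted, default) in CHECKS.items():
        value = opts.get(key, default).lower()
        if value not in accepted:
            weak.append((key, value, sorted(accepted)))
    return weak
```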
SSH Tunneling
If you have valid credentials, SSH can be used to tunnel traffic or forward ports, which can be invaluable for accessing non-publicly exposed services or bypassing certain network restrictions. A reverse SSH tunnel is a method for setting up an SSH connection to an SSH server that is sitting behind a firewall. It allows you to establish a new connection from your localhost back to the remote computer. It acts as a way of reaching remote computers on the network without direct access.
Imagine the box you are on is hosting a web server on its local IP on port 10000. Enter:
└─$ ssh -L 10000:127.0.0.1:10000 [email protected]
Now, if we enter 127.0.0.1:1000
Weak or Known SSH Keys
Sometimes, systems might have weak SSH key pairs, or key pairs that are known and publicized (for example, default keys in some appliances or software). You can check services like GitHub or specialized databases for potentially leaked keys.
If you have obtained the id_rsa (a private SSH key) together with the associated authorized_keys and id_rsa.pub (the corresponding public key) from a target machine, you may be able to authenticate to that machine, or potentially to others if the key is reused elsewhere. Here's a step-by-step process:
Secure the private key
Copy the id_rsa to your machine and set its permissions to 600 so that it is kept private.
chmod 600 id_rsa
Verify the key
Before using the key, you can verify that the id_rsa and id_rsa.pub match:
ssh-keygen -y -f id_rsa > check_id_rsa.pub
diff check_id_rsa.pub id_rsa.pub
If there is no output from the diff command, the public key matches the private key.
Attempt to SSH
Now, try to SSH into the target machine using the private key. You need to know the target username and the target machine’s IP address or hostname:
ssh -i id_rsa [username]@[target_IP_or_hostname]
If you are prompted for a passphrase, you need to use ssh2john.
ssh2john
ssh2john id_rsa > id_rsa_for_john.txt
Use John to crack it
john --wordlist=/path/to/wordlist.txt id_rsa_for_john.txt
Additional considerations
If the private key is password-protected (passphrase set), you'll need to either know the passphrase or attempt to crack it using tools like john or ssh2john.
The authorized_keys file can give you hints about which user accounts on the system the private key is associated with. It might also contain other public keys that indicate additional users or devices have access.
The target might have additional security mechanisms in place, like IP whitelisting, 2FA, or intrusion detection systems that could detect or block your access attempt.
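The "verify the key" and authorized_keys steps above both come down to matching keys by fingerprint. This added example (not from the original page) computes the SHA256 fingerprint the way ssh-keygen -lf does, parses an authorized_keys file including the leading options field (from=, command=, no-pty and similar restrictions that limit what a key can do), and reports which entries admit a given public key; the key blobs are constructed, well-formed placeholders rather than real keys, and the file contents are invented for the example.

```python
import base64, hashlib, re, struct

def fake_ed25519_blob(filler):
    """Constructed key blob in OpenSSH wire format (string type, string key bytes);
    NOT a real key, just a well-formed 32-byte placeholder."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([filler]) * 32
    return base64.b64encode(raw).decode()

ID_PUB = f"ssh-ed25519 {fake_ed25519_blob(1)} user@workstation"   # stands in for id_rsa.pub
AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
from="10.0.0.0/8",no-pty ssh-ed25519 {fake_ed25519_blob(1)} deploy@buildhost
command="/usr/bin/rrsync /backup" ssh-ed25519 {fake_ed25519_blob(2)} backup@nas
"""
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
# options field: bare tokens or "quoted values" (quotes may contain spaces), then whitespace
OPTIONS_RE = re.compile(r'^((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+(.*)$')

def fingerprint(b64_blob):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: digest of the decoded blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_options(line):
    """Split off the optional leading options field; returns ("", line) when absent."""
    if line.startswith(KEY_TYPES):
        return "", line
    m = OPTIONS_RE.match(line)
    return (m.group(1), m.group(2)) if m else ("", line)

def parse_authorized_keys(text):
    """One dict per key line: options, key type, fingerprint and comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) >= 2:
            entries.append({"options": options, "type": parts[0],
                            "fingerprint": fingerprint(parts[1]),
                            "comment": parts[2] if len(parts) == 3 else ""})
    return entries

def entries_for_key(pubkey_line, authorized_text):
    """authorized_keys entries that admit this public key, matched by fingerprint so
    comments and formatting differences do not matter."""
    fp = fingerprint(pubkey_line.split()[1])
    return [e for e in parse_authorized_keys(authorized_text) if e["fingerprint"] == fp]
```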
DNS
Basic Query
# dig
ToxSec@Hack:~$ dig +short @10.10.10.10 A www.toxsec.com
# whois
ToxSec@Hack:~$ whois toxsec.com
# host
host www.toxsec.com
host -t mx www.toxsec.com
# nslookup
nslookup mail.toxsec.com
Zone Transfer
# dig
dig axfr @<TARGET-DNS-SERVER> <DOMAIN-NAME>
dig axfr @n1.toxsec.com toxsec.com
dig axfr @10.10.10.10 20.20.20.20
# nslookup
nslookup
set type=AXFR
server <nameserver>
<domain>
# for example:
server ns1.toxsec.com
toxsec.com
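A successful zone transfer hands back the whole zone, and the damage is mostly in what that zone reveals about internal hosts. This added example (not from the original page) parses constructed dig axfr output into records, recognises dig's "Transfer failed." refusal (the hardened case, where allow-transfer is restricted to secondaries), and lists the names that resolve into private address space; the zone data is invented for the example.

```python
import ipaddress

# Constructed `dig axfr` output for a fictional zone; not a real transfer.
SAMPLE_AXFR = """; <<>> DiG 9.18.1 <<>> axfr @ns1.toxsec.com toxsec.com
;; global options: +cmd
toxsec.com.\t\t3600\tIN\tSOA\tns1.toxsec.com. admin.toxsec.com. 2024010101 3600 900 604800 86400
toxsec.com.\t\t3600\tIN\tNS\tns1.toxsec.com.
www.toxsec.com.\t\t3600\tIN\tA\t203.0.113.10
intranet.toxsec.com.\t3600\tIN\tA\t10.0.5.20
vpn.toxsec.com.\t\t3600\tIN\tA\t192.168.50.1
mail.toxsec.com.\t3600\tIN\tA\t203.0.113.25
toxsec.com.\t\t3600\tIN\tMX\t10 mail.toxsec.com.
toxsec.com.\t\t3600\tIN\tTXT\t"v=spf1 mx -all"
toxsec.com.\t\t3600\tIN\tSOA\tns1.toxsec.com. admin.toxsec.com. 2024010101 3600 900 604800 86400
;; Query time: 3 msec
"""
REFUSED_AXFR = "; Transfer failed.\n"

# RFC 1918, loopback and IPv6 ULA: addresses a public zone should not expose.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]


def parse_axfr(text):
    """Turn dig's AXFR output into (name, ttl, class, type, rdata) tuples, skipping
    dig's ';' comment lines. Returns None when the server refused the transfer,
    which dig reports as '; Transfer failed.'"""
    if "Transfer failed" in text:
        return None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) == 5:
            name, ttl, rclass, rtype, rdata = fields
            records.append((name.rstrip("."), int(ttl), rclass, rtype, rdata))
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)   # False across IP versions


def internal_hosts(records):
    """A/AAAA records pointing into private address space: names the transfer
    leaks about the inside of the network."""
    return [(name, rdata) for name, _, _, rtype, rdata in records
            if rtype in ("A", "AAAA") and is_internal(rdata)]
```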
Enumerate Subdomains
# host to check if a subdomain exists:
host fake.toxsec.com
Host fake.toxsec.com not found: 3(NXDOMAIN)
# used with a wordlist of hostnames:
for ip in $(cat list.txt); do host $ip.megacorpone.com; done
# Fierce
fierce -dns <DOMAIN-NAME>
# Sublist3r
sublist3r -d <DOMAIN-NAME>
# amass
amass enum -d <domain name>
DNS Brute Forcing
# Gobuster
gobuster dns -u <DOMAIN-NAME> -w <WORDLIST>
# Nmap
nmap 10.10.10.10 --script dns-brute
nmap 10.10.10.10 --script dns-brute --script-args dns-brute.domain=toxsec.com
nmap 10.10.10.10 --script dns-brute --script-args dns-brute.hostlist=/home/dns/wordlist.txt
DNS Records
# MX
dig mx <DOMAIN-NAME>
dig +short @10.10.10.10 MX toxsec.com [Note: No www]
# NS
dig ns <DOMAIN-NAME>
# TXT
dig txt <DOMAIN-NAME>
# CNAME
dig cname <SUBDOMAIN>.<DOMAIN-NAME>
# SRV
dig srv <DOMAIN-NAME>
DNSRecon
# Standard Scan
dnsrecon -d toxsec.com -t std
# Domain Scan
dnsrecon -d example.com
# Zone Transfer
dnsrecon -d example.com -t axfr
# Enumeration
dnsrecon -d example.com -t google
# Subdomains Brute Force
dnsrecon -d example.com -t brt -D /path/to/wordlist.txt
# Reverse DNS Lookup
dnsrecon -r 192.168.1.1-192.168.1.254
# SRV Record Enumeration
dnsrecon -d example.com -t srv
DNSEnum
# Deep information gathering, including a DNS zone transfer attempt
dnsenum toxsec.com
HTTP
Brute-Force Login Page
# Brute-force a PHP login page (hydra http-post-form syntax: path:POST-body:failure-string).
└─$ hydra -l <username> -P <password-list> <target> http-post-form "/login.php:<request>:<error-message>"
# Example for password guessing:
└─$ hydra -l R1ckRul3s -P rmwordlist 10.10.47.81 http-post-form "/login.php:username=R1ckRul3s&password=^PASS^&sub=Login:Invalid username or password."
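The hydra run above shows why status codes are a poor signal on the defending side: a failed login to this form returns 200 with "Invalid username or password." in the body, not a 401. This added example (not from the original page) applies the complementary detection, a per-source sliding-window count of POSTs to the login path over constructed Apache combined-format access log lines, flagging sources that exceed a rate threshold.

```python
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LINE = '{ip} - - [{ts} +0000] "POST {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def make_sample_log():
    """Constructed Apache combined-format lines (not a real log): one source
    hitting /login.php every two seconds, plus a user who succeeds on retry."""
    base = datetime(2024, 3, 12, 10, 15, 0)
    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S")
    lines = [LINE.format(ip="198.51.100.7", ts=stamp(2 * i), path="/login.php", status=200)
             for i in range(15)]
    lines.append(LINE.format(ip="203.0.113.9", ts=stamp(5), path="/login.php", status=200))
    lines.append(LINE.format(ip="203.0.113.9", ts=stamp(19), path="/login.php", status=302))
    return lines


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_login_bursts(lines, path="/login.php", threshold=10, window=timedelta(seconds=60)):
    """Map source IP -> peak number of POSTs to `path` seen inside any `window`,
    for sources reaching `threshold` (lines are expected in time order per source,
    as access logs are). Every POST counts, success or failure, because failures
    here return 200. A slow trickle under the rate is not flagged, so tune
    threshold and window to the application."""
    recent, flagged = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "POST" or rec[3].split("?", 1)[0] != path:
            continue
        ip, ts = rec[0], rec[1]
        q = recent.setdefault(ip, [])
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```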
Nmap HTTP Scripts
# Enumerate all http nmap scripts
ls -1 /usr/share/nmap/scripts/http*
# Use all http nmap scripts
nmap $IP --script=http-*