search

Attacking Common Services

Vulnerabilities are commonly discovered by people who use and understand technology, a protocol, or a service. As we evolve in this field, we will find different services to interact with, and we will need to evolve and learn new technology constantly.

To be successful at attacking a service, we need to know its purpose, how to interact with it, what tools we can use, and what we can do with it. This section will focus on common services and how we can interact with them.

hashtag
SMB

hashtag
GUI

Win + R
\\192.168.220.129\Finance\

hashtag
CMD

dir \\192.168.220.129\Finance\

hashtag
Mounting using CMD

net use n: \\192.168.220.129\Finance

net use n: \\192.168.220.129\Finance /user:plaintext Password123

With the shared folder mapped as the n drive, we can execute Windows commands as if this shared folder is on our local computer. Let's find how many files the shared folder and its subdirectories contain.

dir n: /a-d /s /b | find /c ":\"

dir command explanation:

Syntax

Description

dir

Application

n:

Directory or drive to search

/a-d

/a is the attribute and -d means not directories

/s

Displays files in a specified directory and all subdirectories

/b

Uses bare format (no heading information or summary)

hashtag
dir for searching

With dir we can search for specific names in files such as:

  • cred

  • password

  • users

  • secrets

  • key

  • Common File Extensions for source code such as: .cs, .c, .go, .java, .php, .asp, .aspx, .html.

hashtag
findstr for searching contents (grep equivalent)

hashtag
Powershell

hashtag
Monting to drive letter

To provide a username and password with Powershell, we need to create a PSCredential objectarrow-up-right. It offers a centralized way to manage usernames, passwords, and credentials.

hashtag
Counting files in all drive

hashtag
Finding files by name

We can use the property -Include to find specific items from the directory specified by the Path parameter.

hashtag
Select-String to find file contents (grep equivalent)

hashtag
Linux

hashtag
Mount

As an alternative, we can use a credential file (sudo apt install cifs-utils).

Credentials file:

hashtag
Find file by name

hashtag
Find file by content

hashtag
Other services

hashtag
Email

Suggested client: evolution

hashtag
Databases

  • Command Line Utilities (mysql or sqsh)

  • Programming Languages

  • A GUI application to interact with databases such as HeidiSQL, MySQL Workbench, or SQL Server Management Studio.

hashtag
Command Line Utilities

  • MSSQL:

    • Linux: sqsh -S 10.129.20.13 -U username -P Password123

    • Windows: sqlcmd -S 10.129.20.13 -U username -P Password123

  • MySQL

    • Linux: mysql -u username -pPassword123 -h 10.129.20.13

    • Windows: mysql.exe -u username -pPassword123 -h 10.129.20.13

hashtag
Multi-DB GUI

dbeaverarrow-up-right is a multi-platform database tool for Linux, macOS, and Windows that supports connecting to multiple database engines such as MSSQL, MySQL, PostgreSQL, among others,

To install dbeaverarrow-up-right using a Debian package we can download the release .deb package from https://github.com/dbeaver/dbeaver/releasesarrow-up-right and execute the following command:

hashtag
General Tools

SMB

FTP

Email

Databases

smbclientarrow-up-right

ftparrow-up-right

Thunderbirdarrow-up-right

mssql-cliarrow-up-right

CrackMapExecarrow-up-right

lftparrow-up-right

Clawsarrow-up-right

mycliarrow-up-right

SMBMaparrow-up-right

ncftparrow-up-right

Gearyarrow-up-right

mssqlclient.pyarrow-up-right

Impacketarrow-up-right

filezillaarrow-up-right

MailSpringarrow-up-right

dbeaverarrow-up-right

psexec.pyarrow-up-right

crossftparrow-up-right

muttarrow-up-right

MySQL Workbencharrow-up-right

smbexec.pyarrow-up-right

mailutilsarrow-up-right

SQL Server Management Studio or SSMSarrow-up-right

sendEmailarrow-up-right

swaksarrow-up-right

sendmailarrow-up-right

PreviousCracking FilesNextFTP

Last updated