# Attacking Common Services

Vulnerabilities are commonly discovered by people who use and understand technology, a protocol, or a service. As we evolve in this field, we will find different services to interact with, and we will need to evolve and learn new technology constantly.

To be successful at attacking a service, we need to know its purpose, how to interact with it, what tools we can use, and what we can do with it. This section will focus on common services and how we can interact with them.

## SMB

### GUI

```
Win + R
\\192.168.220.129\Finance\
```

### CMD

```batch
dir \\192.168.220.129\Finance\
```

#### Mounting using CMD

```batch
net use n: \\192.168.220.129\Finance

net use n: \\192.168.220.129\Finance /user:plaintext Password123
```

With the shared folder mapped as the `n` drive, we can execute Windows commands as if this shared folder is on our local computer. Let's find how many files the shared folder and its subdirectories contain.

```batch
dir n: /a-d /s /b | find /c ":\"
```

`dir` command explanation:

| **Syntax** | **Description**                                                |
| ---------- | -------------------------------------------------------------- |
| `dir`      | Application                                                    |
| `n:`       | Directory or drive to search                                   |
| `/a-d`     | `/a` is the attribute and `-d` means not directories           |
| `/s`       | Displays files in a specified directory and all subdirectories |
| `/b`       | Uses bare format (no heading information or summary)           |

#### dir for searching

With `dir` we can search for file names containing specific words, such as:

* cred
* password
* users
* secrets
* key
* common source-code file extensions such as `.cs`, `.c`, `.go`, `.java`, `.php`, `.asp`, `.aspx`, `.html`

```batch
dir n:\*cred* /s /b

dir n:\*secret* /s /b
```

#### findstr for searching contents (grep equivalent)

```batch
findstr /s /i cred n:\*.*
```

### PowerShell

```powershell
Get-ChildItem \\192.168.220.129\Finance\
```

#### Mounting to a drive letter

```powershell
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"
```

To provide a username and password with PowerShell, we need to create a [PSCredential object](https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential). It offers a centralized way to manage usernames, passwords, and credentials.

```powershell
$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
```

#### Counting files on the whole drive

```powershell
N:
(Get-ChildItem -File -Recurse | Measure-Object).Count
```

#### Finding files by name

We can use the `-Include` parameter to find specific items under the directory specified by the `-Path` parameter.

```powershell
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
```

#### Select-String to find file contents (grep equivalent)

```powershell
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
```

### Linux

#### Mount

```bash
sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
```

As an alternative, we can use a credential file. Both forms need the `mount.cifs` helper from `cifs-utils` (`sudo apt install cifs-utils`).

```bash
mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile
```

Credentials file:

```txt
username=plaintext
password=Password123
domain=.
```

#### Find file by name

```bash
# Quote the pattern so the shell does not expand the glob before find sees it
find /mnt/Finance/ -name '*cred*'
```

#### Find file by content

```bash
grep -rn /mnt/Finance/ -ie cred
```
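The name and content searches above are the same procedure on three platforms. As an added example (not part of the original notes), here is one portable version of the `dir`/`findstr`, `Get-ChildItem`/`Select-String` and `find`/`grep` one-liners; `build_sample_share()` creates a constructed tree to try it on, and you would point the functions at your own mount point (`N:\` or `/mnt/Finance`) instead.

```python
# Added example, not from the original notes: a portable version of the
# dir/findstr, Get-ChildItem/Select-String and find/grep one-liners above.
# build_sample_share() is a constructed tree; use your own mount point instead.
import os
import re
import tempfile
from pathlib import Path

NAME_KEYWORDS = ("cred", "password", "users", "secrets", "key")
SOURCE_EXTENSIONS = (".cs", ".c", ".go", ".java", ".php", ".asp", ".aspx", ".html")

def iter_files(root):
    """Yield every regular file below root, recursing like dir /s or find."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield Path(dirpath) / name

def count_files(root):
    """Same count as: dir n: /a-d /s /b | find /c ":\\" """
    return sum(1 for _ in iter_files(root))

def find_by_name(root, keywords=NAME_KEYWORDS, extensions=SOURCE_EXTENSIONS):
    """Files whose name contains a keyword (case-insensitive) or is source code."""
    return sorted(p for p in iter_files(root)
                  if any(k in p.name.lower() for k in keywords)
                  or p.name.lower().endswith(extensions))

def find_by_content(root, pattern="cred"):
    """Like findstr /s /i or grep -rni: (path, line_no, line) per match; non-UTF-8 files skipped."""
    regex = re.compile(pattern, re.IGNORECASE)
    hits = []
    for path in iter_files(root):
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable, as grep -I would skip it
        hits.extend((path, n, line) for n, line in enumerate(text.splitlines(), 1)
                    if regex.search(line))
    return hits

def build_sample_share():
    """Constructed sample share (no real data) so the functions can run offline."""
    root = Path(tempfile.mkdtemp())
    files = {
        "Reports/Q1.txt": b"Revenue 100\n",
        "IT/creds.txt": b"service account cred: svc_backup\n",
        "IT/backup.bin": b"\xff\xfe\x00CRED",  # not UTF-8: must be skipped
        "Web/index.html": b"<!-- Credentials live in config.php -->\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```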

## Other services

### Email

Suggested client: Evolution

### Databases

* Command Line Utilities (`mysql` or `sqsh`)
* Programming Languages
* A GUI application to interact with databases such as HeidiSQL, MySQL Workbench, or SQL Server Management Studio.

#### Command Line Utilities

* MSSQL:
  * Linux: `sqsh -S 10.129.20.13 -U username -P Password123`
  * Windows: `sqlcmd -S 10.129.20.13 -U username -P Password123`
* MySQL
  * Linux: `mysql -u username -pPassword123 -h 10.129.20.13`
  * Windows: `mysql.exe -u username -pPassword123 -h 10.129.20.13`

#### Multi-DB GUI

[dbeaver](https://github.com/dbeaver/dbeaver) is a multi-platform database tool for Linux, macOS, and Windows that supports connecting to multiple database engines such as MSSQL, MySQL, and PostgreSQL, among others.

To install [dbeaver](https://github.com/dbeaver/dbeaver) using a Debian package we can download the release .deb package from <https://github.com/dbeaver/dbeaver/releases> and execute the following command:

```bash
sudo dpkg -i dbeaver-<version>.deb
```

## General Tools

| **SMB** | **FTP** | **Email** | **Databases** |
| --- | --- | --- | --- |
| [smbclient](https://www.samba.org/samba/docs/current/man-html/smbclient.1.html) | [ftp](https://linux.die.net/man/1/ftp) | [Thunderbird](https://www.thunderbird.net/en-US/) | [mssql-cli](https://github.com/dbcli/mssql-cli) |
| [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) | [lftp](https://lftp.yar.ru/) | [Claws](https://www.claws-mail.org/) | [mycli](https://github.com/dbcli/mycli) |
| [SMBMap](https://github.com/ShawnDEvans/smbmap) | [ncftp](https://www.ncftp.com/) | [Geary](https://wiki.gnome.org/Apps/Geary) | [mssqlclient.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py) |
| [Impacket](https://github.com/SecureAuthCorp/impacket) | [filezilla](https://filezilla-project.org/) | [MailSpring](https://getmailspring.com) | [dbeaver](https://github.com/dbeaver/dbeaver) |
| [psexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py) | [crossftp](http://www.crossftp.com/) | [mutt](http://www.mutt.org/) | [MySQL Workbench](https://dev.mysql.com/downloads/workbench/) |
| [smbexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py) | | [mailutils](https://mailutils.org/) | [SQL Server Management Studio (SSMS)](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms) |
| | | [sendEmail](https://github.com/mogaal/sendemail) | |
| | | [swaks](http://www.jetmore.org/john/code/swaks/) | |
| | | [sendmail](https://en.wikipedia.org/wiki/Sendmail) | |
