Attacking Common Services
Vulnerabilities are commonly discovered by people who use and understand technology, a protocol, or a service. As we evolve in this field, we will find different services to interact with, and we will need to evolve and learn new technology constantly.
To be successful at attacking a service, we need to know its purpose, how to interact with it, what tools we can use, and what we can do with it. This section will focus on common services and how we can interact with them.
SMB
GUI: press Win + R and enter the UNC path of the share:
\\192.168.220.129\Finance\
CMD: list the share directly by its UNC path:
dir \\192.168.220.129\Finance\
Mounting using CMD (the second form supplies a username and password):
net use n: \\192.168.220.129\Finance
net use n: \\192.168.220.129\Finance /user:plaintext Password123
With the shared folder mapped as the n: drive, we can execute Windows commands as if this shared folder were on our local computer. Let's find how many files the shared folder and its subdirectories contain.
dir n: /a-d /s /b | find /c ":\"
dir command explanation:
Syntax   Description
dir      Application
n:       Directory or drive to search
/a-d     /a is the attribute and -d means not directories
/s       Displays files in a specified directory and all subdirectories
/b       Uses bare format (no heading information or summary)
dir for searching
With dir we can search for specific names in files such as:
cred
password
users
secrets
key
Common File Extensions for source code such as: .cs, .c, .go, .java, .php, .asp, .aspx, .html.
dir n:\*cred* /s /b
dir n:\*secret* /s /b
findstr for searching contents (grep equivalent)
findstr /s /i cred n:\*.*
PowerShell
Get-ChildItem \\192.168.220.129\Finance\
Mounting to a drive letter
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"
To provide a username and password with PowerShell, we need to create a PSCredential object. It offers a centralized way to manage usernames, passwords, and credentials.
$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
Counting files in the whole drive (first switch to it with N:)
N:
(Get-ChildItem -File -Recurse | Measure-Object).Count
Finding files by name
We can use the -Include parameter to find specific items in the directory specified by the -Path parameter.
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Select-String to find file contents (grep equivalent)
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
Linux
Mount
sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
As an alternative, we can use a credentials file (requires cifs-utils: sudo apt install cifs-utils).
mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile
Credentials file:
username=plaintext
password=Password123
domain=.
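The credentials file keeps the password off the mount command line, where it would otherwise be visible in the process list and the shell history, but mount.cifs will also happily read a world-readable file. The following is an added example, not part of the original notes, that writes the three keys mount.cifs expects with owner-only permissions and checks the file before it is handed to mount. The file path and the values passed in are constructed for illustration; the mount call itself is left commented because it needs root and a reachable share.

```shell
#!/bin/sh
# Added example (not from the original notes): create and verify a CIFS
# credentials file for mount -o credentials=FILE.

# write_cifs_credentials FILE USERNAME PASSWORD [DOMAIN]
# umask 077 makes the file 0600 from the moment it is created, so there is no
# window in which another local user could read the password.
write_cifs_credentials() {
    file=$1; user=$2; pass=$3; domain=${4:-.}
    rm -f "$file"                      # a pre-existing file would keep its old mode
    old_umask=$(umask)
    umask 077
    printf 'username=%s\npassword=%s\ndomain=%s\n' "$user" "$pass" "$domain" > "$file"
    umask "$old_umask"
}

# check_cifs_credentials FILE
# Returns 0 if the file is a regular file with mode exactly 0600 and contains
# the username, password and domain keys; 1 (with a reason on stderr) otherwise.
check_cifs_credentials() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # find -perm 600 (no leading dash) matches the exact mode, so it prints
    # the path only when the file is owner read/write and nothing else
    [ -n "$(find "$file" -perm 600 -print)" ] || { echo "bad mode on $file (want 0600)" >&2; return 1; }
    for key in username password domain; do
        grep -q "^$key=" "$file" || { echo "missing key $key in $file" >&2; return 1; }
    done
    return 0
}

# Usage (hypothetical path; the share address is the one used in the notes):
#   write_cifs_credentials "$HOME/.smbcred" plaintext Password123 .
#   check_cifs_credentials "$HOME/.smbcred" && \
#     sudo mount -t cifs //192.168.220.129/Finance /mnt/Finance -o "credentials=$HOME/.smbcred"
```

Running the check before every mount catches the common mistake of copying a credentials file around with chmod 644, which is the difference between a password held only by the account doing the mount and one readable by every local user.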
Find file by name
find /mnt/Finance/ -name "*cred*"
Find file by content
grep -rn /mnt/Finance/ -ie cred
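The name, extension and content searches from the CMD, PowerShell and Linux sections are the same three operations against a mounted share root. The following is an added example, not part of the original notes, that wraps them in shell functions and runs them over a small directory tree constructed here to stand in for the mounted share; the search terms and extensions are the ones listed above. Patterns are quoted so the shell does not expand them against the current directory before find sees them.

```shell
#!/bin/sh
# Added example (not from the original notes): search a mounted share by file
# name, by source-code extension and by file content, with a constructed tree.

# Name fragments and source-code extensions the notes list as worth searching for.
SENSITIVE_NAMES="cred password users secrets key"
SOURCE_EXTS="cs c go java php asp aspx html"

# count_files ROOT  -- equivalent of: dir n: /a-d /s /b | find /c ":\"
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# find_by_name ROOT  -- one find per fragment, equivalent of: dir n:\*cred* /s /b
# -iname makes the match case-insensitive, as dir on Windows would be.
find_by_name() {
    root=$1
    for n in $SENSITIVE_NAMES; do
        find "$root" -type f -iname "*${n}*"
    done | sort -u
}

# find_source_files ROOT  -- files by extension (.cs, .c, .go, .java, ...)
find_source_files() {
    root=$1
    for e in $SOURCE_EXTS; do
        find "$root" -type f -iname "*.${e}"
    done | sort -u
}

# grep_contents ROOT WORD  -- equivalent of: findstr /s /i WORD n:\*.*
# -I skips binary files so a large share does not flood the output with matches in blobs.
grep_contents() {
    grep -rniI -e "$2" "$1"
}

# build_sample_share DIR  -- constructed sample tree standing in for a mounted share
build_sample_share() {
    mkdir -p "$1/Finance/2023" "$1/Finance/app"
    printf 'q1 figures\n' > "$1/Finance/2023/report.txt"
    printf 'db_user=svc\ndb_pass=Winter2023\n' > "$1/Finance/app/creds.ini"
    printf 'package main\n' > "$1/Finance/app/main.go"
    printf 'private_key_path=/srv/keys/id_rsa\n' > "$1/Finance/app/Keys.cfg"
    printf 'nothing here\n' > "$1/Finance/README"
}

# Usage (hypothetical path):
#   build_sample_share /tmp/share
#   count_files /tmp/share         -> 5
#   find_by_name /tmp/share        -> creds.ini and Keys.cfg
#   find_source_files /tmp/share   -> main.go
#   grep_contents /tmp/share pass  -> the db_pass line in creds.ini
```

On a real share the same functions take /mnt/Finance as ROOT; the name search is cheap, while the content grep reads every file, so run it last and only for a few well-chosen words.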
Other services
Email
Suggested client: evolution
Databases
Ways to interact with databases:
Command line utilities (mysql or sqsh)
Programming languages
A GUI application to interact with databases such as HeidiSQL, MySQL Workbench, or SQL Server Management Studio.
Command Line Utilities
MSSQL:
Linux:
sqsh -S 10.129.20.13 -U username -P Password123
Windows:
sqlcmd -S 10.129.20.13 -U username -P Password123
MySQL
Linux:
mysql -u username -pPassword123 -h 10.129.20.13
Windows:
mysql.exe -u username -pPassword123 -h 10.129.20.13
Multi-DB GUI
dbeaver is a multi-platform database tool for Linux, macOS, and Windows that supports connecting to multiple database engines such as MSSQL, MySQL, and PostgreSQL, among others.
To install dbeaver using a Debian package, download the release .deb package from https://github.com/dbeaver/dbeaver/releases and execute the following command:
sudo dpkg -i dbeaver-<version>.deb
General Tools