127 lines
4.6 KiB
Plaintext
127 lines
4.6 KiB
Plaintext
[*] domain on tcp/53
|
|
|
|
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
|
|
|
|
dnsrecon -n sequel.htb -d sequel.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/htb/escape/results/sequel.htb/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
|
|
|
|
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
|
|
|
|
dnsrecon -n sequel.htb -d <DOMAIN-NAME> 2>&1 | tee /home/simon/htb/escape/results/sequel.htb/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
|
|
|
|
[*] msrpc on tcp/135
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 135 -U "" sequel.htb
|
|
|
|
[*] netbios-ssn on tcp/139
|
|
|
|
[-] Bruteforce SMB
|
|
|
|
crackmapexec smb sequel.htb --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
|
|
|
|
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
|
|
|
|
nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/sequel.htb/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/sequel.htb/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" sequel.htb
|
|
|
|
[*] ldap on tcp/389
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://sequel.htb:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/sequel.htb/scans/tcp389/tcp_389_ldap_all-entries.txt"
|
|
|
|
[*] microsoft-ds on tcp/445
|
|
|
|
[-] Bruteforce SMB
|
|
|
|
crackmapexec smb sequel.htb --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
|
|
|
|
[-] Lookup SIDs
|
|
|
|
impacket-lookupsid '[username]:[password]@sequel.htb'
|
|
|
|
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
|
|
|
|
nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/sequel.htb/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/sequel.htb/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" sequel.htb
|
|
|
|
[*] ldap on tcp/636
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://sequel.htb:636 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/sequel.htb/scans/tcp636/tcp_636_ldap_all-entries.txt"
|
|
|
|
[*] ms-sql-s on tcp/1433
|
|
|
|
[-] (sqsh) interactive database shell:
|
|
|
|
sqsh -U <username> -P <password> -S sequel.htb:1433
|
|
|
|
[*] ldap on tcp/3268
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://sequel.htb:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/sequel.htb/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
|
|
|
|
[*] ldap on tcp/3269
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://sequel.htb:3269 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/sequel.htb/scans/tcp3269/tcp_3269_ldap_all-entries.txt"
|
|
|
|
[*] wsman on tcp/5985
|
|
|
|
[-] Bruteforce logins:
|
|
|
|
crackmapexec winrm sequel.htb -d 'sequel.htb' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
|
|
|
|
[-] Check login (requires credentials):
|
|
|
|
crackmapexec winrm sequel.htb -d 'sequel.htb' -u '<username>' -p '<password>'
|
|
|
|
[-] Evil WinRM (gem install evil-winrm):
|
|
|
|
evil-winrm -u '<user>' -p '<password>' -i sequel.htb
|
|
|
|
evil-winrm -u '<user>' -H '<hash>' -i sequel.htb
|
|
|
|
[*] msrpc on tcp/49667
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49667 -U "" sequel.htb
|
|
|
|
[*] msrpc on tcp/49674
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49674 -U "" sequel.htb
|
|
|
|
[*] msrpc on tcp/49696
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49696 -U "" sequel.htb
|
|
|
|
[*] msrpc on tcp/49703
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49703 -U "" sequel.htb
|
|
|
|
[*] msrpc on tcp/53254
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 53254 -U "" sequel.htb
|
|
|
|
[*] domain on udp/53
|
|
|
|
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
|
|
|
|
dnsrecon -n sequel.htb -d sequel.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/htb/escape/results/sequel.htb/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt
|
|
|
|
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
|
|
|
|
dnsrecon -n sequel.htb -d <DOMAIN-NAME> 2>&1 | tee /home/simon/htb/escape/results/sequel.htb/scans/udp53/udp_53_dnsrecon_default_manual.txt
|
|
|