83 lines
2.7 KiB
Plaintext
83 lines
2.7 KiB
Plaintext
[*] msrpc on tcp/135
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 135 -U "" flight.htb
|
|
|
|
[*] netbios-ssn on tcp/139
|
|
|
|
[-] Bruteforce SMB
|
|
|
|
crackmapexec smb flight.htb --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
|
|
|
|
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
|
|
|
|
nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/kali/htb/flight/results/flight.htb/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/kali/htb/flight/results/flight.htb/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" flight.htb
|
|
|
|
[*] ldap on tcp/389
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://flight.htb:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/kali/htb/flight/results/flight.htb/scans/tcp389/tcp_389_ldap_all-entries.txt"
|
|
|
|
[*] microsoft-ds on tcp/445
|
|
|
|
[-] Bruteforce SMB
|
|
|
|
crackmapexec smb flight.htb --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
|
|
|
|
[-] Lookup SIDs
|
|
|
|
impacket-lookupsid '[username]:[password]@flight.htb'
|
|
|
|
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
|
|
|
|
nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/kali/htb/flight/results/flight.htb/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/kali/htb/flight/results/flight.htb/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" flight.htb
|
|
|
|
[*] ldap on tcp/3268
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://flight.htb:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/kali/htb/flight/results/flight.htb/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
|
|
|
|
[*] wsman on tcp/5985
|
|
|
|
[-] Bruteforce logins:
|
|
|
|
crackmapexec winrm flight.htb -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
|
|
|
|
[-] Check login (requires credentials):
|
|
|
|
crackmapexec winrm flight.htb -d '<domain>' -u '<username>' -p '<password>'
|
|
|
|
[-] Evil WinRM (gem install evil-winrm):
|
|
|
|
evil-winrm -u '<user>' -p '<password>' -i flight.htb
|
|
|
|
evil-winrm -u '<user>' -H '<hash>' -i flight.htb
|
|
|
|
[*] msrpc on tcp/49667
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49667 -U "" flight.htb
|
|
|
|
[*] msrpc on tcp/49674
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49674 -U "" flight.htb
|
|
|
|
[*] msrpc on tcp/49690
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49690 -U "" flight.htb
|
|
|
|
[*] msrpc on tcp/49699
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49699 -U "" flight.htb
|
|
|