Red Team Toolkit

Network Services Attacks

Last updated 2 years ago
Description

Techniques for exploiting common network services

Techniques

Service Enumeration

  • Use NMAP, Enum4linux

SMB

Usage of smbclient: smbclient //[IP]/[SHARE]
  • -U [name]: specify the user
  • -p [port]: specify the port

Telnet

telnet [IP] [port]

FTP

ftp [ip]

NFS

/usr/sbin/showmount -e [ip]

Requires the nfs-common package (provides showmount and the NFS mount helper).

Mounting NFS shares

sudo mount -t nfs IP:share /tmp/mount/ -nolock

  • sudo: run as root
  • mount: execute the mount command
  • -t nfs: type of filesystem to mount, here NFS
  • IP:share: the IP address of the NFS server and the name of the share to mount
  • -nolock: do not use NLM locking

root_squash: NFS export option that maps requests from the remote root user (UID 0) to the anonymous user; an export configured with no_root_squash keeps remote root as UID 0.
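As an added defender-side example (not code from the Red Team Toolkit), the script below parses /etc/exports-style definitions and flags the settings that make an NFS export risky: no_root_squash, exports open to any client, and the insecure option. The sample exports are constructed for the example and do not describe a real host.

```python
"""Audit NFS export definitions (/etc/exports format) for weak settings.

Added example for this page, not from the Red Team Toolkit. The sample
exports below are constructed; they do not come from a real server.
"""
import re
from dataclasses import dataclass, field

# Constructed sample /etc/exports content (not a real configuration)
SAMPLE_EXPORTS = """\
# backups, restricted to the admin subnet
/srv/backups  10.0.0.0/24(rw,sync,root_squash)
/home         *(rw,sync,no_root_squash)
/srv/public   192.168.1.0/24(ro,all_squash) 10.0.0.5(rw,no_root_squash)
/srv/share    *(ro)
"""


@dataclass
class Finding:
    path: str
    client: str
    options: list
    issues: list = field(default_factory=list)


# client spec looks like HOST or HOST(opt1,opt2,...)
_CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for every client entry in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        # A path with no client spec is exported to everyone (treated as '*')
        if not clients:
            clients = ["*"]
        for spec in clients:
            m = _CLIENT_RE.match(spec)
            client = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            yield path, client, opts


def audit_exports(text):
    """Return a Finding for every export entry that has at least one weak setting."""
    findings = []
    for path, client, opts in parse_exports(text):
        issues = []
        # root_squash is the default; only an explicit no_root_squash disables it
        if "no_root_squash" in opts:
            issues.append("no_root_squash: remote root keeps UID 0 on this export")
        if client == "*" or client.startswith("*."):
            issues.append("wildcard client: export not restricted to specific hosts or subnets")
        if "rw" in opts and client == "*":
            issues.append("rw to all clients")
        if "insecure" in opts:
            issues.append("insecure: accepts requests from non-privileged source ports")
        if issues:
            findings.append(Finding(path, client, opts, issues))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} -> {f.client}: " + "; ".join(f.issues))
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`; on the sample above it reports /home and /srv/share (wildcard clients) and the 10.0.0.5 entry for /srv/public (no_root_squash), while the subnet-restricted backup export passes.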

SMTP

"smtp_version" module in Metasploit

Enumerate users using SMTP: VRFY (confirms whether a given user name is valid) and EXPN (reveals the actual delivery addresses behind a user's alias and the members of mailing lists)

Version scanner: auxiliary/scanner/smtp/smtp_version
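The VRFY/EXPN enumeration described above leaves a recognisable pattern on the mail server: one client issuing many VRFY or EXPN commands in a short time. As an added detection example (not from the Red Team Toolkit), the script below runs a sliding-window count over mail server log lines and also lists which names the server answered positively, so a responder can see what was confirmed. The log format and the lines are constructed for this example; a real MTA's log layout differs and the regex must be adapted.

```python
"""Flag SMTP user-enumeration (VRFY/EXPN) activity in mail server logs.

Added example for this page, not from the Red Team Toolkit. The log
format and the sample lines are constructed; adapt LINE_RE to your MTA.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format invented for this example)
SAMPLE_LOG = """\
2024-05-01T10:00:01Z smtpd client=203.0.113.7 cmd=VRFY arg=root resp=252
2024-05-01T10:00:02Z smtpd client=203.0.113.7 cmd=VRFY arg=admin resp=550
2024-05-01T10:00:02Z smtpd client=203.0.113.7 cmd=VRFY arg=postmaster resp=252
2024-05-01T10:00:03Z smtpd client=203.0.113.7 cmd=EXPN arg=staff resp=250
2024-05-01T10:00:03Z smtpd client=203.0.113.7 cmd=VRFY arg=jsmith resp=550
2024-05-01T10:00:04Z smtpd client=203.0.113.7 cmd=VRFY arg=mwhite resp=550
2024-05-01T10:00:05Z smtpd client=198.51.100.20 cmd=MAIL arg=<a@example.org> resp=250
2024-05-01T10:00:06Z smtpd client=198.51.100.20 cmd=VRFY arg=support resp=252
2024-05-01T10:30:00Z smtpd client=203.0.113.7 cmd=VRFY arg=late resp=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtpd client=(?P<client>\S+) cmd=(?P<cmd>[A-Z]+) "
    r"arg=(?P<arg>\S+) resp=(?P<resp>\d{3})$"
)
ENUM_CMDS = {"VRFY", "EXPN"}


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_enumeration(events, threshold=5, window=timedelta(minutes=5)):
    """Return {client: peak count} for clients that sent >= threshold
    VRFY/EXPN commands inside any window of the given length."""
    per_client = defaultdict(list)
    for e in events:
        if e["cmd"] in ENUM_CMDS:
            per_client[e["client"]].append(e["ts"])
    alerts = {}
    for client, times in per_client.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # slide the window start forward until it fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[client] = best
    return alerts


def confirmed_targets(events, client):
    """Names for which the server gave a 2xx answer to VRFY/EXPN from `client`."""
    hits = {e["arg"] for e in events
            if e["client"] == client and e["cmd"] in ENUM_CMDS and e["resp"].startswith("2")}
    return sorted(hits)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for client, count in detect_enumeration(ev).items():
        print(f"{client}: {count} VRFY/EXPN in window; confirmed: {confirmed_targets(ev, client)}")
```

On the sample, 203.0.113.7 trips the threshold with six enumeration commands in a few seconds (the one at 10:30 falls outside the window and is not counted toward the peak), while the single VRFY from 198.51.100.20 does not. The matching mitigation is to disable VRFY and EXPN at the MTA (for Postfix, `disable_vrfy_command = yes`), after which the commands are rejected and the detection only serves to spot clients probing for them.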

MySQL

To install the client: sudo apt install default-mysql-client

Connect to a MySQL database: mysql -h [IP] -u [username] -p

Metasploit modules:
  • schema dump: auxiliary/scanner/mysql/mysql_schemadump
  • hash dump: auxiliary/scanner/mysql/mysql_hashdump

nmap's mysql-enum script: https://nmap.org/nsedoc/scripts/mysql-enum.html

Resources

ftp arp poisoning:

https://www.cvedetails.com/
https://cve.mitre.org/
https://www.jscape.com/blog/bid/91906/Countering-Packet-Sniffers-Using-Encrypted-FTP
https://tryhackme.com/room/networkservices2
https://www.afternerd.com/blog/smtp/
https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_SQL_EXECUTION.html
https://www.w3schools.com/php/php_mysql_intro.asp
https://nmap.org/nsedoc/scripts/mysql-enum.html
https://www.exploit-db.com/exploits/23081