
Network Services

SMB (Server Message Block) 445/TCP

Microsoft Windows operating systems ship with both client and server support for the SMB protocol. Samba, an open-source server that implements SMB, is available for Unix-like systems.

Enumerating SMB

enum4linux [options] IP

  • -U get userlist
  • -M get machine list
  • -N get namelist dump (different from -U and -M)
  • -S get sharelist
  • -P get password policy information
  • -G get group and member list
  • -a all of the above (full basic enumeration)

Exploiting SMB

smbclient //[IP]/[SHARE]

  • -U [name] to specify the user
  • -p [port] to specify the port

Sometimes it is enough to try the Anonymous username with no password.
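The anonymous-login point above is worth checking from the server side as well. The following Python script is an added example, not code from this page or from the Samba project: it parses an smb.conf and reports the settings that let an SMB client get in without credentials. It relies only on real Samba parameters ('guest ok' and its synonym 'public', 'map to guest', 'restrict anonymous'); the configuration text inside it is constructed for the demo.

```python
"""Audit an smb.conf for settings that allow anonymous or guest SMB access.

Added example (not from the original page or the Samba project).  It relies
only on real Samba parameters: 'guest ok' (synonym 'public'), 'map to guest'
and 'restrict anonymous'.  The configuration text below is constructed.
"""

# Constructed sample smb.conf: guest mapping enabled globally, one share
# open to guests and one that requires membership of the 'finance' group.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   # failed logins are treated as the guest account
   map to guest = Bad User
   restrict anonymous = 0

[public]
   path = /srv/samba/public
   # 'public' is Samba's synonym for 'guest ok'
   public = yes
   read only = yes

[finance]
   path = /srv/samba/finance
   guest ok = no
   valid users = @finance
"""

TRUE_VALUES = {"yes", "true", "1"}


def _norm(key):
    # Samba parameter names are case-insensitive; drop internal whitespace
    # so 'guest ok' and 'guestok' compare equal.
    return "".join(key.split()).lower()


def parse_smb_conf(text):
    """Minimal smb.conf parser: '[section]' headers, 'key = value' lines,
    whole-line '#' or ';' comments.  Returns {section: {norm_key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


def audit_guest_access(text):
    """Return global settings that weaken authentication and the shares that
    can be reached without credentials."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = {"global": [], "guest_shares": []}

    map_to_guest = glob.get("maptoguest", "Never")      # Samba default: Never
    if map_to_guest.lower() != "never":
        findings["global"].append(
            f"map to guest = {map_to_guest} (failed logins become the guest account)")

    restrict_anon = glob.get("restrictanonymous", "0")  # Samba default: 0
    if restrict_anon != "2":
        findings["global"].append(
            f"restrict anonymous = {restrict_anon} (only 2 disallows anonymous sessions entirely)")

    for name, params in conf.items():
        if name == "global":
            continue
        guest = params.get("guestok", params.get("public", "no")).lower()
        if guest in TRUE_VALUES:
            findings["guest_shares"].append(name)
    return findings


if __name__ == "__main__":
    result = audit_guest_access(SAMPLE_SMB_CONF)
    for item in result["global"]:
        print("global:", item)
    for share in result["guest_shares"]:
        print("guest-accessible share:", share)
```

Run it against a real smb.conf by reading the file into `audit_guest_access`; a share listed under `guest_shares` is exactly what an anonymous `smbclient` session will be able to open, and the two global findings are the ones that make `enum4linux -S` succeed without credentials.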

Telnet 23/TCP

Telnet lets a client connect to a remote machine running a telnet server and execute commands on it.

Enumerating Telnet

  • nmap -n -sV -Pn --script "telnet and safe" -p 23 <IP>

Exploiting Telnet

Bruteforce (Hacktricks)

telnet [IP] [Port]

FTP (File Transfer Protocol) 21/TCP

Enumerating FTP

With nmap

Exploiting FTP

Bruteforce (Hacktricks)

  • Ex: nmap --script "ftp-*" -p 21 <IP> (quote the script pattern so the shell does not expand the wildcard)

Anonymous login

  • ftp <IP> (username anonymous, password anonymous)

NFS (Network File System) 2049/TCP

Enumerating NFS

Useful nmap scripts

nfs-ls         # list NFS exports and check permissions
nfs-showmount  # like showmount -e
nfs-statfs     # disk statistics and info from the NFS share

Mounting

To find out which directories the server exports for mounting, ask it:

showmount -e <IP>

Then mount it using:

mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock

Exploiting NFS

NFSShell
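Both the mount procedure and the NFSShell-style abuse above depend on how the server's /etc/exports is written: an export to `*`, or one with `no_root_squash`, is what lets a mounting client act as root on the files. The following Python script is an added example, not code from this page or from any NFS project: it parses an /etc/exports file and flags those settings, including the classic mistake of a space before the `(options)` token, which makes the options apply to every host. The exports text inside it is constructed for the demo.

```python
"""Audit /etc/exports for world-readable and root-preserving NFS exports.

Added example (not from the original page).  The option names are the real
exportfs ones ('no_root_squash', 'insecure'); the exports text is constructed.
"""

# Constructed sample /etc/exports.  The third line shows the classic typo:
# 'host (rw)' with a space exports ro to host and rw to everyone.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports for the demo
/srv/backup   *(rw,no_root_squash)
/srv/www      192.168.1.0/24(ro,sync) admin.example.com(rw)
/home         10.0.0.5 (rw)
"""

RISKY_OPTIONS = {
    "no_root_squash": "client root keeps uid 0 on the export",
    "insecure": "requests from unprivileged source ports are accepted",
}


def parse_exports(text):
    """Return (path, client, [options]) tuples, one per client entry.

    A bare '(options)' token, or a line with no client at all, applies to
    every host and is recorded with client '*'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], tokens[1:]
        if not clients:
            entries.append((path, "*", []))
            continue
        for tok in clients:
            if tok.startswith("("):
                client, opts = "*", tok[1:].rstrip(")")
            elif "(" in tok:
                client, opts = tok.split("(", 1)
                opts = opts.rstrip(")")
            else:
                client, opts = tok, ""
            entries.append((path, client, [o for o in opts.split(",") if o]))
    return entries


def audit_exports(text):
    """Return (path, client, [problems]) for every entry that is exported to
    every host or carries one of RISKY_OPTIONS."""
    findings = []
    for path, client, opts in parse_exports(text):
        problems = []
        if client == "*":
            problems.append("exported to every host")
        for opt in opts:
            if opt in RISKY_OPTIONS:
                problems.append(f"{opt}: {RISKY_OPTIONS[opt]}")
        if problems:
            findings.append((path, client, problems))
    return findings


if __name__ == "__main__":
    for path, client, problems in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}")
        for p in problems:
            print("   ", p)
```

On a live server, `showmount -e` returns the same path/client pairs this parser derives from the file, so the two can be cross-checked; any entry the script flags with `no_root_squash` is one where mounting with `-o nolock` as shown above gives the client real root access to the exported tree.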

SMTP 25,465,587/TCP

Enumerating SMTP

Exploiting SMTP

MySQL 3306/TCP

Connect

Local

mysql -u root     # connect as root without a password
mysql -u root -p  # prompts for the root password

Remote

mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost

Enumerating MySQL

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>

Brute force (Hacktricks)

Exploiting MySQL

Tcpdump

sudo tcpdump port 110 -A  # capture port 110 (POP3) traffic and print each packet's payload as ASCII

SSH

ssh username@MACHINE_IP
scp username@MACHINE_IP:/path/archive ~          # copy a remote file to the local home directory over SSH
scp file_to_transfer username@MACHINE_IP:/destination_path  # copy a local file to the remote machine