Network Services
FTP
Anonymous login
ftp anonymous@<target_ip> # No password neededAuto login
sshpass -p <password> ftp <user>@<target_ip>Browser URL
ftp://<user>:<password>@<target_ip>SSL
lftp <user>@<target_ip> -e "set ssl:verify-certificate no; set ftp:ssl-force true"Download all files
wget -r --user=<user> --password=<password> ftp://<target_ip>SSH
Default credentials
Check for default credentials depending on the vendor:
Vendor
Usernames
Passwords
APC
apc, device
apc
Brocade
admin
admin123, password, brocade, fibranne
Cisco
admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin
admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme
Citrix
root, nsroot, nsmaint, vdiadmin, kvm, cli, admin
C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler
D-Link
admin, user
private, admin, user
Dell
root, user1, admin, vkernel, cli
calvin, 123456, password, vkernel, Stor@ge!, admin
EMC
admin, root, sysadmin
EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc
HP/3Com
admin, root, vcx, app, spvar, manage, hpsupport, opc_op
admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin
Huawei
admin, root
123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123
IBM
USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer
PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer
Juniper
netscreen
netscreen
NetApp
admin
netapp123
Oracle
root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user
changeme, ilom-admin, ilom-operator, welcome1, oracle
VMware
vi-admin, root, hqadmin, vmware, admin
vmware, vmw@re, hqadmin, default
Auto login
sshpass -p <password> ssh <user>@<target_ip>Private key login
ssh -i id_rsa <user>@<target_ip>Generate RSA keys
ssh-keygen -t rsa -f id_rsaSMB
System enumeration with enum4linux
enum4linux -a [-u <user> -p <password>] <target_ip>Shares Enumeration
# null session
smbclient -N -L //<target_ip>
# authenticated
smbclient -U <user>[%<password>] -L //<target_ip>
# conect to a share
smbclient [-U <user>[%<password>]] //<target_ip>/<share># null session
smbmap -H <target_ip>
# authenticated
smbmap -u <user> -p <password> -H <target_ip>
# recursive/non-recursive listing
smbmap [-u <user> -p <password>] -R/-r <share> -H <target_ip># null session
nxc smb <target_ip>-u '' -p '' --shares
# authenticated
nxc smb <target_ip> -u <user> -p <password> --shares
# List share
nxc smb <target_ip> [-u <user> -p <password>] --share <share>nmap -p 139,445 --script "smb-enum-shares" <target_ip>RPC
Automated Enumeration
rpcdump.py <target_ip>Manual Enumeration
# null session
rpcclient -U "" -N <target_ip>
# authenticated
rpcclient -U <user>%<password> -N <target_ip>
# commands
rpcclient -U "[<user>%<password>]" -N <target_ip> -c 'command'