243 lines
8.7 KiB
Plaintext
243 lines
8.7 KiB
Plaintext
[*] domain on tcp/53
|
|
|
|
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
|
|
|
|
dnsrecon -n escape.htb -d escape.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
|
|
|
|
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
|
|
|
|
dnsrecon -n escape.htb -d <DOMAIN-NAME> 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
|
|
|
|
[*] msrpc on tcp/135
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 135 -U "" escape.htb
|
|
|
|
[*] netbios-ssn on tcp/139
|
|
|
|
[-] Bruteforce SMB
|
|
|
|
crackmapexec smb escape.htb --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
|
|
|
|
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
|
|
|
|
nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/escape.htb/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/escape.htb/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" escape.htb
|
|
|
|
[*] ldap on tcp/389
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://escape.htb:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/escape.htb/scans/tcp389/tcp_389_ldap_all-entries.txt"
|
|
|
|
[*] microsoft-ds on tcp/445
|
|
|
|
[-] Bruteforce SMB
|
|
|
|
crackmapexec smb escape.htb --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
|
|
|
|
[-] Lookup SIDs
|
|
|
|
impacket-lookupsid '[username]:[password]@escape.htb'
|
|
|
|
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
|
|
|
|
nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/escape.htb/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/escape.htb/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" escape.htb
|
|
|
|
[*] ldap on tcp/636
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://escape.htb:636 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/escape.htb/scans/tcp636/tcp_636_ldap_all-entries.txt"
|
|
|
|
[*] ms-sql-s on tcp/1433
|
|
|
|
[-] (sqsh) interactive database shell:
|
|
|
|
sqsh -U <username> -P <password> -S escape.htb:1433
|
|
|
|
[*] ldap on tcp/3268
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://escape.htb:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/escape.htb/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
|
|
|
|
[*] ldap on tcp/3269
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://escape.htb:3269 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/escape.htb/scans/tcp3269/tcp_3269_ldap_all-entries.txt"
|
|
|
|
[*] wsman on tcp/5985
|
|
|
|
[-] Bruteforce logins:
|
|
|
|
crackmapexec winrm escape.htb -d 'escape.htb' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
|
|
|
|
[-] Check login (requires credentials):
|
|
|
|
crackmapexec winrm escape.htb -d 'escape.htb' -u '<username>' -p '<password>'
|
|
|
|
[-] Evil WinRM (gem install evil-winrm):
|
|
|
|
evil-winrm -u '<user>' -p '<password>' -i escape.htb
|
|
|
|
evil-winrm -u '<user>' -H '<hash>' -i escape.htb
|
|
|
|
[*] msrpc on tcp/49667
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49667 -U "" escape.htb
|
|
|
|
[*] msrpc on tcp/49678
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49678 -U "" escape.htb
|
|
|
|
[*] msrpc on tcp/49698
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49698 -U "" escape.htb
|
|
|
|
[*] msrpc on tcp/49702
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49702 -U "" escape.htb
|
|
|
|
[*] msrpc on tcp/60738
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 60738 -U "" escape.htb
|
|
|
|
[*] domain on tcp/53
|
|
|
|
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
|
|
|
|
dnsrecon -n escape.htb -d escape.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
|
|
|
|
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
|
|
|
|
dnsrecon -n escape.htb -d <DOMAIN-NAME> 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
|
|
|
|
[*] msrpc on tcp/135
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 135 -U "" escape.htb
|
|
|
|
[*] netbios-ssn on tcp/139
|
|
|
|
[-] Bruteforce SMB
|
|
|
|
crackmapexec smb escape.htb --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
|
|
|
|
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
|
|
|
|
nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/escape.htb/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/escape.htb/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" escape.htb
|
|
|
|
[*] ldap on tcp/389
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://escape.htb:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/escape.htb/scans/tcp389/tcp_389_ldap_all-entries.txt"
|
|
|
|
[*] microsoft-ds on tcp/445
|
|
|
|
[-] Bruteforce SMB
|
|
|
|
crackmapexec smb escape.htb --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
|
|
|
|
[-] Lookup SIDs
|
|
|
|
impacket-lookupsid '[username]:[password]@escape.htb'
|
|
|
|
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
|
|
|
|
nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/escape.htb/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/escape.htb/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" escape.htb
|
|
|
|
[*] ldap on tcp/636
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://escape.htb:636 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/escape.htb/scans/tcp636/tcp_636_ldap_all-entries.txt"
|
|
|
|
[*] ms-sql-s on tcp/1433
|
|
|
|
[-] (sqsh) interactive database shell:
|
|
|
|
sqsh -U <username> -P <password> -S escape.htb:1433
|
|
|
|
[*] ldap on tcp/3268
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://escape.htb:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/escape.htb/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
|
|
|
|
[*] ldap on tcp/3269
|
|
|
|
[-] ldapsearch command (modify before running):
|
|
|
|
ldapsearch -x -D "<username>" -w "<password>" -H ldap://escape.htb:3269 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/htb/escape/results/escape.htb/scans/tcp3269/tcp_3269_ldap_all-entries.txt"
|
|
|
|
[*] wsman on tcp/5985
|
|
|
|
[-] Bruteforce logins:
|
|
|
|
crackmapexec winrm escape.htb -d 'escape.htb' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
|
|
|
|
[-] Check login (requires credentials):
|
|
|
|
crackmapexec winrm escape.htb -d 'escape.htb' -u '<username>' -p '<password>'
|
|
|
|
[-] Evil WinRM (gem install evil-winrm):
|
|
|
|
evil-winrm -u '<user>' -p '<password>' -i escape.htb
|
|
|
|
evil-winrm -u '<user>' -H '<hash>' -i escape.htb
|
|
|
|
[*] msrpc on tcp/49667
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49667 -U "" escape.htb
|
|
|
|
[*] msrpc on tcp/49674
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49674 -U "" escape.htb
|
|
|
|
[*] msrpc on tcp/49696
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49696 -U "" escape.htb
|
|
|
|
[*] msrpc on tcp/49703
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 49703 -U "" escape.htb
|
|
|
|
[*] msrpc on tcp/53254
|
|
|
|
[-] RPC Client:
|
|
|
|
rpcclient -p 53254 -U "" escape.htb
|
|
|
|
[*] domain on udp/53
|
|
|
|
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
|
|
|
|
dnsrecon -n escape.htb -d escape.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt
|
|
|
|
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
|
|
|
|
dnsrecon -n escape.htb -d <DOMAIN-NAME> 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/udp53/udp_53_dnsrecon_default_manual.txt
|
|
|