Skip to main content

Posts

Showing posts from August, 2022

Web Penetration Testing with Curl

In lot of scenarios, we usually don't have access to GUI access to web applications but in most of the scenarios - you can find curl installed on the test machine - so, below is a simple cheat sheet to run basic checks #Get request using Curl curl -I http://10.10.10.10 # Send Post Request curl --data "param1=value1&param2=value2" http://10.10.10.10 #Check for Trace Method curl -k -v -X TRACE http://10.10.10.10 #PUT Request curl -X PUT -d "PUT request data" http://10.10.10.10 curl -kL https://10.10.10.10 -T file.txt #HEAD Request curl -I http://10.10.10.10 #Test DEBUG Method --> if Response "OK" --> DEBUG is enabled curl -X DEBUG https://10.10.10.10 -k -v -H "Command: stop-debug" #Ignore SSL warnings curl -k http://10.10.10.10 #Follow Redirection curl -L http://10.10.10.10 #Add headers in a JSON GET request curl -i -H "Accept: application/json" -H "Content-Type: application/json" http://10.10.10.10 #

Internal Pentesting Citrix Servers

Citrix Servers - Ports 1604 - Citrix MetaFrame ICA 1494/tcp open citrix-ica Citrix Metaframe XP ICA - Citrix VDI (Virtual Delivery Agent) 2598/tcp open citriximaclient #Below 4 are used in Load Balancers 3008/tcp open ssl/midnight-tech? 3009/tcp open ssl/mep Citrix NetScaler Metric Exchange Protocol 3010/tcp open gw?                     Citrix NetScaler Gateway 3011/tcp open mep Citrix NetScaler Metric Exchange Protocol nmap -sS -sU --script citrix-enum-apps,citrix-enum-servers -i ips.txt -Pn -oA citrix For Citrix ADC - Default Username/Password : nsroot/nsroot Finding Citrix ADC Version https://10.10.10.10/nitro/v1/config/nsversion or curl -X GET -H "Content-Type: application/json" -u nsroot:examplepassword http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/nsversion curl -X GET -H "Content-Type: application/json" -u <username>:<examplepassword> http://<Citrix-ADC-IP-address(NSIP)>/nit

SMB Pentest

 SMB Enum Scripts and Checklists Enumerating SMB Shares my $host = "10.10.10.10"; my $filename = "/usr/share/wordlists/SecLists/blob/master/Discovery/Web-Content/common.txt"; open(my $fh, '<', $filename) or die $!; while (my $word = <$fh>) { chomp($word); ## Try to login with a username and no password my $result = qx( smbclient //$host/$word -N 2>/dev/null ); ## ACCESS_DENIED means the share exists ## BAD_NETW_NAME means the share does not exist if ($result =~ /NT_STATUS_ACCESS_DENIED/g ) { print "[+] Share Found @ //$host/$word\n"; next; } }

UnCommon Ports

  CPANEL Ports cPanel 2082 cPanel - SSL 2083 WHM 2086 WHM - SSL 2087 Webmail 2095 Webmail - SSL 2096 SFTP Shared/Reseller Servers 2222 Webdisk 2077 Webdisk - SSL 2078 SSH Shared/Reseller Servers 2222 Plesk Control Panel 8880 Plesk Control Panel - SSL 8443 Plesk Windows Webmail (SmarterMail) 9998** DotNet Panel 9001 10000/tcp - WebAdmin; MiniServ 2.021(Has few vulns) Port 5601, 9200 - Kibana NDMP Port 10000 - NDMP nmap -p 10000 --script ndmp-fs-info,vuln -sVC -d 10.10.10.10 Port 30000 - NDMPS nmap -p 30000--script ndmp-fs-info,vuln -sVC -d 10.10.10.10 NetApp NDFS Common Ports Parallel Virtual File System (PVFS) TCP port 3334 - Heap Over flow nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 Docker Port - 2375 2375: unencrypted docker socket, remote root passwordless access to the host 2376: tls encrypted socket, most likely this is your CI servers 4243 port as a modification of the https 443 port 2377: swarm mode socket, for swarm

Pentesting Routers & Switches

 Penetration testing Routers & Switches Routersploit Nipper-ng  dig nslookup port 1999 snmpsniff (v1 is vulnerable) test for NTP  Routersploit git clone https://www.github.com/threat9/routersploit.git/ cd routersploit python3 -m pip install -r requirements.txt python3 rsf.py search exploit search scanner use scanners/autopwn set target 10.10.10.10 Attacking Switches using Yersinia on Spanning Tree Protocol (STP) good doc https://github.com/tomac/yersinia #launch GUI yersinia -G # yersinia protocol -h #Start SPN attack and capture the traffic - sensitive info will be exposed to the network VLAN Enumeration and Hopping and Trunking git clone https://github.com/nccgroup/vlan-hopping.git ./frogger.sh #VLAN hopping/ Truking can be done via yersina as well #Create a new fake Trunk and let the switch believe that you are a trunk and ge the info via VLAN hopping yersinia -G go to DTP --> enable trunking # Test for Finger Services finger -l 10.10.10.10 finger -l user@10.10.10.10 Tes