PRIMARY CATEGORY → CHECKLISTS
Important
For any AD-related protocol not found here, refer to AD Offensive Checklist
FTP
Non-Credentialed Enumeration
- FTP Service Software Version → Banner Grabbing or NMAP Comprehensive Scan
- Anonymous Access
  If so, then check [[#FTP#Credentialed Enumeration|FTP Credentialed Enumeration]]
- Known CVEs (Searchsploit (ExploitDB), Google…) for the given FTP service version
Credentialed Enumeration
- Web Application + FTP Write Permissions → Try to upload a Web Shell to gain RCE
- Windows System + FTP Write Permissions → Malicious shortcut file Upload + NetNTLMv2 Hash Capture + Cracking
HTTP
MYSQL
- Outside, i.e. SQL Injection
- Inside, i.e. after compromising a web application and establishing a remote connection via Rev. Shell ( e.g. the mysql CLI tool )
  e.g. A table named Users or Employees with Crackable Hashes
DNS
Non-Credentialed Enumeration
- DNS Service Software Version → Banner Grabbing or NMAP Comprehensive Scan
- Known CVEs (Searchsploit (ExploitDB), Google…) for the given DNS service version
Credentialed Enumeration
- Windows AD → DNS Records Dump using adidnsdump
SMB
Non-Credentialed Enumeration
- Vulnerable SMB Version due to unpatched and outdated Windows Version ( e.g. EternalBlue )
  If available, then check [[#SMB#Credentialed Enumeration|SMB Credentialed Enumeration]]
Credentialed Enumeration
- READ Permissions → Look for any sensitive data through automated enumeration ( Snaffler ) or manual enumeration ( Local Mount )
- Windows System + SMB Write Permissions → Malicious shortcut file Upload + NetNTLMv2 Hash Capture + Cracking
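The defender-side counterpart of the two "shortcut file upload" items above (FTP and SMB write permissions) is to scan writable shares for planted shortcut files whose icon or target points at a remote host, since Explorer resolves those references while merely listing the folder. The following scanner is an added example written for this checklist, not part of the original note; it handles the plain-text `.url` and `.scf` formats only (`.lnk` is binary and needs a dedicated parser), the sample files are constructed, and `203.0.113.10` is a documentation address rather than a real host.

```python
"""Scan a file share for planted shortcut files whose icon or target points
at a remote host. Added example for this checklist; covers the plain-text
.url and .scf formats only. Samples are constructed."""
import configparser
import os
import re
import tempfile

SHORTCUT_EXTENSIONS = {".url", ".scf"}
# Keys Explorer resolves automatically when rendering the folder listing
WATCHED_KEYS = {"iconfile", "url", "iconlocation", "workingdirectory"}
UNC_RE = re.compile(r"^\\\\([^\\\s]+)(?:\\|$)")
FILE_URL_RE = re.compile(r"^file://([^/\\\s]+)/", re.IGNORECASE)

# Constructed samples: a normal intranet bookmark and a planted .scf
BENIGN_URL = (
    "[InternetShortcut]\r\n"
    "URL=https://intranet.example.test/\r\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
    "IconIndex=13\r\n"
)
PLANTED_SCF = (
    "[Shell]\r\n"
    "Command=2\r\n"
    "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
    "[Taskbar]\r\n"
    "Command=ToggleDesktop\r\n"
)


def referenced_host(value):
    """Return the remote host a value points at, or None for local paths/URLs."""
    value = value.strip()
    match = UNC_RE.match(value) or FILE_URL_RE.match(value)
    return match.group(1) if match else None


def scan_shortcut_text(text, trusted_hosts=()):
    """Return (key, value, host) for every entry referencing an untrusted remote host."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return []  # not a well-formed shortcut: nothing for Explorer to resolve
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):  # keys are lower-cased by configparser
            if key not in WATCHED_KEYS:
                continue
            host = referenced_host(value)
            if host and host.lower() not in trusted:
                findings.append((key, value, host))
    return findings


def scan_share(root, trusted_hosts=()):
    """Walk a mounted share and collect findings per shortcut file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SHORTCUT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for key, value, host in scan_shortcut_text(text, trusted_hosts):
                findings.append({"path": path, "key": key, "value": value, "host": host})
    return findings


def demo():
    """Build a throwaway 'share' holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as share:
        public = os.path.join(share, "Public")
        os.makedirs(public)
        with open(os.path.join(public, "Intranet.url"), "w", newline="") as fh:
            fh.write(BENIGN_URL)
        with open(os.path.join(public, "thumbs.scf"), "w", newline="") as fh:
            fh.write(PLANTED_SCF)
        return scan_share(share)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: {finding['key']}={finding['value']} -> {finding['host']}")
```

Pass the organisation's legitimate file servers in `trusted_hosts` so icon references to an internal DFS namespace are not reported; anything else that resolves to a UNC path or a `file://host/` URL on a share that untrusted users can write to deserves a look, and the same writable-share condition is what the FTP and SMB items above depend on.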
RPC
Non-Credentialed Enumeration
- Check RPC Null and Guest Authentication
  If available, then check [[#RPC#Credentialed Enumeration|RPC Credentialed Enumeration]]
Credentialed Enumeration
LDAP
Non-Credentialed Enumeration
- Check LDAP Null Authentication
  If available, then check [[#LDAP#Credentialed Enumeration|LDAP Credentialed Enumeration]]
Credentialed Enumeration
- Look for sensitive information within LDAP Objects
  Plain passwords, keys, principals susceptible to ASREPRoast or Kerberoast and so on
MSSQL
- e.g. Databases, Tables, Users, Procedures and so on
- Sysadmin or ServerAdmin Role → Get Command Execution
  If none of those roles are assigned, then try enabling xp_cmdshell anyway, just in case
- Command Execution → Reverse Shell + SeImpersonate Abuse
- Read System Files → { HTTP Server → { IIS web.config | Tomcat users’ file } }
  i.e. Read Files from a MSSQL Instance ⤴️
- Sysadmin or ServerAdmin Role → Enable Ole Automation Procedures → File Creation → { HTTP Server → Try uploading a Web Shell | Busy Writable Shares/Interesting Directories → Drop a Shortcut File + { NTLM Relay | NTLM Capture } }
  i.e. Write Files from a MSSQL Instance ⤴
- Current DB User with EXECUTE right over xp_dirtree → MitM and Credential Cracking
- Communication with other DBs via MSSQL Linked Servers → Command Execution on MSSQL Linked Servers
RDP
- RDP Service Software Version → Known CVEs (Searchsploit (ExploitDB), Google…)
WINRM
- PFX Certificate ( .x509 Format and a domain principal as UPN ) → Public and Private Key Extraction → [[5985, 5986 - WINRM#MS-PSRP#Evil-WinRM|WinRM Certificate Authentication]]
SMTP
- SMTP Service Software Version → Banner Grabbing or NMAP Comprehensive Scan
- Known CVEs (Searchsploit (ExploitDB), Google…) for the given SMTP service version
- Check Open Relay
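The open-relay check above is the same session an external sender would run against a mail server you operate: a foreign MAIL FROM, a foreign RCPT TO, and, if the recipient is accepted, a DATA phase, because some MTAs answer 250 to RCPT and only reject at the end of DATA. The following self-check is an added example written for this checklist, not part of the original note; it uses only the standard library and ships with a constructed in-process SMTP server so the exchange can be run offline, and the policy names and hostnames are made up for the demo.

```python
"""Open-relay self-check: drive an SMTP session as an external sender would and
classify the server's answers. Added example for this checklist; the server side
below is a constructed stand-in, not a real MTA."""
import smtplib
import socketserver
import threading

PROBE_SENDER = "relaytest@sender.example.net"      # constructed: not a domain the server hosts
PROBE_RECIPIENT = "probe@recipient.example.org"    # constructed: not a domain the server hosts
PROBE_MESSAGE = "Subject: relay probe\r\n\r\nconstructed test message, safe to discard\r\n"
ACCEPTED = (250, 251)


def relay_check(host, port, timeout=5):
    """Return the reply code seen at each step plus an open_relay verdict.
    A relay counts as open only if the message is accepted end to end."""
    result = {"mail": None, "rcpt": None, "data": None}
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout) as smtp:
        smtp.ehlo()
        result["mail"], _ = smtp.mail(PROBE_SENDER)
        result["rcpt"], _ = smtp.rcpt(PROBE_RECIPIENT)
        if result["rcpt"] in ACCEPTED:
            result["data"], _ = smtp.data(PROBE_MESSAGE)  # 354 then final verdict
    result["open_relay"] = result["rcpt"] in ACCEPTED and result["data"] == 250
    return result


# --- constructed server side: just enough SMTP to answer the probe ---------
class FakeSMTPHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 mx.example.test ESMTP constructed test server\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            cmd = line.decode("latin-1").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250 mx.example.test\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                self.wfile.write(self.server.rcpt_reply(cmd))
            elif verb == "DATA":
                self.wfile.write(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                while True:  # swallow the body up to the lone '.' terminator
                    body = self.rfile.readline()
                    if not body or body.rstrip(b"\r\n") == b".":
                        break
                self.wfile.write(self.server.data_reply())
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                break
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    """policy: 'closed' rejects foreign recipients at RCPT, 'deferred' accepts
    RCPT but rejects at end of DATA, 'open' relays anything."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, policy, local_domains=("example.test",)):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)
        self.policy = policy
        self.local_domains = local_domains

    def rcpt_reply(self, cmd):
        domain = cmd.rsplit("@", 1)[-1].rstrip(">").lower()
        if self.policy != "closed" or domain in self.local_domains:
            return b"250 2.1.5 Ok\r\n"
        return b"554 5.7.1 Relay access denied\r\n"

    def data_reply(self):
        if self.policy == "deferred":
            return b"550 5.7.1 Relaying denied for this recipient\r\n"
        return b"250 2.0.0 Ok: queued\r\n"


def run_against_fake_server(policy):
    """Start a fake server with the given policy, probe it, tear it down."""
    server = FakeSMTPServer(policy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return relay_check(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for policy in ("closed", "deferred", "open"):
        print(policy, run_against_fake_server(policy))
```

Point `relay_check` at a real host and port 25 to test a server you administer; the verdict is only meaningful from a network position the server treats as external, since most MTAs relay freely for their own subnets.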
IMAP
Non-Credentialed Enumeration
- IMAP Service Software Version → Banner Grabbing or NMAP Comprehensive Scan
- Known CVEs (Searchsploit (ExploitDB), Google…) for the given IMAP service version
Credentialed Enumeration
- Look for sensitive information ( Plain passwords, tokens… ) in any existing email message within the given INBOX
POP3
Non-Credentialed Enumeration
- POP3 Service Software Version → Banner Grabbing or NMAP Comprehensive Scan
- Known CVEs (Searchsploit (ExploitDB), Google…) for the given POP3 service version
Credentialed Enumeration
- Look for sensitive information ( Plain passwords, tokens… ) in any existing email message within the given INBOX
NFS
SNMP
Non-Credentialed Enumeration
- SNMPv1 and SNMPv2c → Community String Bruteforce
  If we get a hit and obtain the given community string, then check [[#SNMP#Credentialed Enumeration|SNMP Credentialed Enumeration]]
Credentialed Enumeration
- Retrieve all OID values and filter by Relevant Information
REDIS
It does not require authentication by default
- Require Authentication set → Look for Plain Credentials in REDIS Configuration
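Both the SNMP items (v1/v2c community strings that can be guessed, then used to pull every OID) and the Redis items (no authentication by default, a password that sits in clear text in the configuration) come down to a handful of directives in `snmpd.conf` and `redis.conf`. The following linter is an added example written for this checklist, not part of the original note: it reads configuration text only and talks to no service, the directive names are the daemons' real ones, and the sample configurations (weak beside corrected) are constructed.

```python
"""Lint snmpd.conf and redis.conf text for the weak states this checklist
enumerates. Added example for this checklist; samples are constructed."""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}

# Constructed samples: the weak setting beside the corrected one
WEAK_SNMPD = """# v1/v2c, default names, no source restriction on the read community
rocommunity public
rwcommunity private 10.0.0.0/8
"""
HARDENED_SNMPD = """# SNMPv3 only: authenticated and encrypted, read-only
createUser monitor SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"
rouser monitor priv
"""
WEAK_REDIS = """# reachable from everywhere, no password, protected mode switched off
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_REDIS = """# loopback only, password required, CONFIG command hidden
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""


def parse_directives(text):
    """Yield (directive, args) per line. Both files are whitespace-separated
    directives; a line whose first character is '#' is a comment."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def lint_snmpd(text):
    """Return (check, message) pairs for every community-string directive."""
    findings = []
    for directive, args in parse_directives(text):
        if directive not in COMMUNITY_DIRECTIVES or not args:
            continue
        community = args[0]
        where = f"{directive} {community}"
        findings.append(("cleartext-community",
                         f"{where}: a v1/v2c community is the only secret and travels in clear text; prefer SNMPv3 (rouser ... priv)"))
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("default-community", f"{where}: default community name; change it or move to SNMPv3"))
        # snmpd syntax: rocommunity COMMUNITY [SOURCE ...]; no SOURCE, or 'default', means any host
        if len(args) < 2 or args[1].lower() == "default":
            findings.append(("any-source", f"{where}: no source restriction, any host may query"))
        if directive.startswith("rw"):
            findings.append(("write-community", f"{where}: write access guarded only by a community string"))
    return findings


def lint_redis(text):
    """Return (check, message) pairs; a later directive overrides an earlier one."""
    conf = {}
    acl_users_with_password = 0
    for directive, args in parse_directives(text):
        if directive == "user":
            # ACL rule: a '>secret' or '#sha256hex' token attaches a password to the user
            if any(a.startswith((">", "#")) for a in args):
                acl_users_with_password += 1
        else:
            conf[directive] = args
    findings = []
    password = " ".join(conf.get("requirepass", [])).strip("\"'")
    if not password and acl_users_with_password == 0:
        findings.append(("no-auth", "neither requirepass nor a password-bearing ACL user: any client that reaches the port has full access"))
    if (conf.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append(("protected-mode-off", "protected-mode no: the safety net for unauthenticated non-loopback access is disabled"))
    binds = [b.lstrip("-") for b in conf.get("bind", [])]  # '-addr' marks an optional address
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append(("all-interfaces", "no bind or wildcard bind: listening on every interface"))
    return findings


if __name__ == "__main__":
    for name, lint, text in (("weak snmpd", lint_snmpd, WEAK_SNMPD), ("hardened snmpd", lint_snmpd, HARDENED_SNMPD),
                             ("weak redis", lint_redis, WEAK_REDIS), ("hardened redis", lint_redis, HARDENED_REDIS)):
        print(name, lint(text) or "clean")
```

Note that `requirepass` and the `createUser` passphrases are stored in clear text in the files themselves, which is exactly why the checklist item above looks for credentials in the Redis configuration: restricting who can read those files matters as much as setting them.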
RSYNC
Non-Credentialed Enumeration
- Check [[873 - RSYNC#Enumeration#Rsync|RSYNC Anonymous Authentication]] by listing information about an available module
  If available, then check [[#RSYNC#Credentialed Enumeration|RSYNC Credentialed Enumeration]]
Credentialed Enumeration
- [[873 - RSYNC#Enumeration#Rsync|List all information related to a specific RSYNC Module]]
- Data Exfiltration → Download all available modules’ information
  e.g. rsyncd.conf, rsyncd.secrets…