Initial Enumeration

Set target

export TARGET=<IP>

Network Scan:

sudo rustscan -a $TARGET -- -p- -A -sC

Reference Table

Vertical order:   highest == most likely to provide a higher CVE rating exploit
Horizontal order: leftmost == quicker path to RCE

Service:Port    Level 1           Level 2           Level 3
FTP:21          Anonymous Login   Banner Grabbing   Deep Dive
HTTP:80,443     Enumeration       Burp Suite        WIP: Playbook
SSH|SFTP:22     Automated Audit   Banner Grabbing   Deep Dive
Telnet:23       Enumeration       Brute Force       Deep Dive

FTP (21)

FTP Anonymous Login

A misconfigured FTP server allows anonymous login (any password, or none, is accepted):

# You can connect via the browser (xdg-open on Linux):
$ open "ftp://anonymous:anonymous@$TARGET"
# Or use the ftp CLI
$ ftp $TARGET 21
Name: anonymous        # Try Anonymous||anonymous
Password:              # Anonymous FTP accepts anything here; an e-mail address is the convention
ftp> ls -a

FTP Banner Grabbing

Try to quickly determine the FTP server version and look for known vulnerabilities:

$ nc -vn $TARGET 21
$ searchsploit <FTP Server Version>

SSH|SFTP (22)

SSH Banner Grabbing

Try to quickly determine the SSH server version and look for known vulnerabilities:

$ nc -vn $TARGET 22
$ searchsploit <SSH Server Version>
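The FTP and SSH banner-grabbing steps above both end in the same two actions: read the greeting line and turn it into a searchsploit term. The script below is an added example (not part of the original cheat sheet) that automates both; the banner shapes for vsftpd, ProFTPD, Pure-FTPd, OpenSSH and Dropbear, and the 192.0.2.x address in the comments, are constructed assumptions.

```python
"""Banner grabbing for the FTP/SSH steps: grab_banner() does what
`nc -vn $TARGET <port>` does, parse_banner() extracts product/version,
searchsploit_query() builds the `searchsploit <product> <version>` term."""
import re
import socket
from typing import Optional, Tuple

# Known greeting shapes (constructed examples) -> product name.
# The first regex group, where present, captures the version string.
BANNER_PATTERNS = [
    (re.compile(r"^220[ -].*\(vsFTPd ([\d.]+)\)"), "vsftpd"),
    (re.compile(r"^220[ -]ProFTPD ([\d.]+\w*)"), "ProFTPD"),
    (re.compile(r"^220[ -].*Pure-FTPd"), "Pure-FTPd"),   # version is normally hidden
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "OpenSSH"),
    (re.compile(r"^SSH-2\.0-dropbear_([\w.]+)"), "Dropbear"),
]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read the first greeting line and return it (like `nc -vn`)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(1024)
    return data.decode("utf-8", errors="replace").strip()


def parse_banner(banner: str) -> Optional[Tuple[str, Optional[str]]]:
    """Map a greeting line to (product, version); version is None if hidden.
    Returns None for banners this table does not recognise."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            return product, (m.group(1) if m.groups() else None)
    return None


def searchsploit_query(banner: str) -> Optional[str]:
    """Build the term to hand to `searchsploit`, e.g. 'vsftpd 3.0.3'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    product, version = parsed
    return f"{product} {version}" if version else product


if __name__ == "__main__":
    import sys  # usage: python banner.py 192.0.2.10 21   (host is an assumption)
    banner = grab_banner(sys.argv[1], int(sys.argv[2]))
    print(banner)
    print("searchsploit", searchsploit_query(banner) or "<unrecognised banner>")
```

An unrecognised banner returns None rather than a guessed term, so the fallback is to read the raw line and search by hand exactly as the steps above describe.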

Telnet (23)

Telnet Enumeration

Use the nmap telnet scripts to gather all the useful information:

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 $TARGET

Telnet Bruteforce

hydra -l root -P passwords.txt [-t 32] $TARGET telnet
ncrack -p 23 --user root -P passwords.txt $TARGET [-T 5]
medusa -u root -P 500-worst-passwords.txt -h $TARGET -M telnet

HTTP (80,443)

HTTP Enumeration

nikto --host $TARGET --port 80

Basic

dirb http://$TARGET/

HTTP Burp Suite

Generally, start up Burp, open the embedded browser and manually navigate through the site, using the tool to drill into interesting areas. To learn more, check out something like this.

RDP (3389)

Empty user/pass Connect

rdesktop -u "" -f $TARGET
Playbooks