1433 – MSSQL – TCP
by Various notes ranging from enumeration to building reverse shells for exploiting Microsoft SQL Server, MSSQL.
Category: Network Attack
Port Forwarding in RTS
Adding Additional Port Forwards During Existing Session A little trick to setup further port forwards within a current SSH session is to press “<shift> <enter> ~ c” simultaneously and then supply the relevant command. Setting Up Multiple RDP Connections On the AWS box (connecting to deployed Kali): Edit the AWS instance .ssh/config to set up […]
AS-REP Roasting
In this blog post we will look at how to perform AS-REP roasting in two different ways, how to use hashcat to crack a krbasrep5 hashes, and how to mitigate this type of attack. During kerberos pre-authentication, a user’s NTID is used to encrypt a timestamp and then the domain controller will attempt to decrypt […]
Lateral Movement – Pass-the-Hash Attacks
In this post we will take a look A LOT of tools and techniques that can be used to perform a pass-the-hash attack. First, we will dump the local SAM file hashes off our initial victim and extract the local administrator account’s hash. From there, we will use the local administrator hash to move laterally […]
Chisel with Proxychains
Chisel is a fast TCP/UDP tunnel, transported over HTTP, and secured via SSH. It uses a single executable for establishing connections as the client or server. Chisel is written in Go (golang). It is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into any network. Proxychains […]
Proxying
RDP protocol Proxy RDP protocol using xfreerdp Proxy RDP protocol using xfreerdp and use NTLM hash to authenticate (PTH RDP) Enable Restricted Admin Mode (need admin priv)
Airstrike Attack – FDE bypass and EoP on domain joined Windows workstations (CVE-2021-28316)
By default, domain joined Windows workstations allow access to the network selection UI from the lock screen. An attacker with physical access to a locked device with WiFi capabilities (such as a laptop or a workstation) can abuse this functionality to force the laptop to authenticate against a rogue access point and capture a MSCHAPv2 […]
External Network Penetration Testing
Reconnaissance Passive External Network Reconnaissance Active External Network Reconnaissance NMAP Scanning /24 IP range with UDP and TCP scan using SMB NSE script. Recon-NG User account enumeration On web app portal Exposed services – Protocols HTTP/HTTPS SMTP DKIM / DMARC / SPF misconfiguration https://github.com/BishopFox/spoofcheck.git https://github.com/Mr-Un1k0d3r/SPFAbuse SNMP FTP SSH Databases (MySQL, MSSQL, Oracle, DB2, Postgre, MongoDB…) […]
Internal Network Penetration Testing
Recon Unauthenticated enumeration PowerShelll port scan AD search GUI Copy dsquery.dll from C:\Windows\System32 Unauthenticated User enumeration User enumeration via Kerberos –> Require list of possible usernames: User enumeration without kerberos Use the DsrGetDcNameEx2,CLDAP ping and NetBIOS MailSlot ping methods respectively to establish if any of the usernames in a provided text file exist on a […]
Metasploit – Lab
Metasploit is an open source platform for vulnerability research, exploit development, and the creation of custom security tools. In this lab, we’re going to be using Metasploit to attack the Metasploitable2 VM. Preqreq – have a local Kali instance and Measploitable2 VM running. https://hack.technoherder.com/vm-setup-kali-metasploitable2/ Activities Part 1 – Getting Started Update Kali: Start the Kali […]