feat: notes on CPTS
amandaguglieri committed Jun 11, 2024
1 parent ac64c06 commit 3a9ac40
Showing 9 changed files with 413 additions and 37 deletions.
9 changes: 9 additions & 0 deletions docs/137-138-139-445-smb.md
Expand Up @@ -95,6 +95,15 @@ We will try to connect to each of the shares except for the IPC$ one, which is n
```bash
# the use of / and \ might be different if you need to escape some characters
smbclient \\\\$ip\\ADMIN$

# download file.txt
get file.txt

# List files
!ls

# Cat a file.txt
!cat file.txt
```

### 2. smb2 security levels
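Review bot: `get file.txt`, `!ls` and `!cat file.txt` are commands typed at the `smb: \>` prompt once `smbclient` has connected, not shell commands, yet the block is fenced as `bash` and reads as if they run in the shell; add a comment such as `# at the smb: \> prompt:` before `get`. The `!` prefix runs a local shell command, so `!cat file.txt` shows the local copy fetched by `get`, not the remote file, and the `# Cat a file.txt` comment should say so. The opening comment about `/` and `\` is vague: state that the backslashes are doubled so they survive shell escaping, and note that `ADMIN$` is only reachable with an account holding administrative rights, which the line does not show (no `-U`).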
4 changes: 2 additions & 2 deletions docs/2049-nfs-network-file-system.md
Expand Up @@ -13,7 +13,7 @@ tags:

# Port 2049 - NFS Network File System

Network File System (NFS) is a network file system developed by Sun Microsystems and has the same purpose as SMB. Its purpose is to access file systems +over a network as if they were local. However, it uses an entirely different protocol. [NFS](https://en.wikipedia.org/wiki/Network_File_System) is used between Linux and Unix systems. This means that NFS clients cannot communicate directly with SMB servers.
Network File System (NFS) is a network file system developed by Sun Microsystems and has the same purpose as SMB. Its purpose is to access file systems over a network as if they were local. However, it uses an entirely different protocol. [NFS](https://en.wikipedia.org/wiki/Network_File_System) is used between Linux and Unix systems. This means that NFS clients cannot communicate directly with SMB servers.

NFS is an Internet standard that governs the procedures in a distributed file system. While NFS protocol version 3.0 (`NFSv3`), which has been in use for many years, authenticates the client computer, this changes with `NFSv4`. Here, as with the Windows SMB protocol, the user must authenticate.

Expand Down Expand Up @@ -92,7 +92,7 @@ ls -n mnt/nfs/
sudo umount ./target-NFS
```

By default nfs server has root_squash on which makes client access nobody:nogroup. To bypass it, sudo su your user to be root.
By default nfs server has root_squash option on, which makes client access nobody:nogroup. To bypass it, sudo su your user to be root.

## Attacking wrong configured NFS
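Review bot: the reworded sentence misdescribes `root_squash`: the option maps requests that arrive as UID 0 (root) to the anonymous user (`nobody:nogroup`, via `anonuid`/`anongid`); it does not affect other UIDs, and it is not bypassed by becoming root on the client, since root is exactly the identity it squashes. Reword to state what the option does and connect it to the `ls -n` output above, which shows the numeric owners the server enforces. Style: `By default nfs server has root_squash option on` reads better as `By default the NFS server exports with `root_squash` enabled`, and the heading in view, `## Attacking wrong configured NFS`, should read `misconfigured`.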

69 changes: 53 additions & 16 deletions docs/21-ftp.md
Expand Up @@ -48,6 +48,7 @@ ftp $ip

The prompt will ask us for the username we want to log in with. Here is where the magic happens. A typical misconfiguration for running FTP services allows an anonymous account to access the service like any other authenticated user. The anonymous username can be input when the prompt appears, followed by any password whatsoever since the service will disregard the password for this specific account.


## Basic usage

```
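Review bot: this hunk only inserts a second consecutive blank line before `## Basic usage`; markdownlint reports that as MD012 (multiple consecutive blank lines), so either drop the extra blank or add the content it was meant to precede.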
Expand Down Expand Up @@ -98,14 +99,33 @@ wget -m --no-passive ftp://anonymous:anonymous@$ip
find / -type f -name ftp* 2>/dev/null | grep scripts
# Run a general scanner for version, mode aggresive and perform default scripts
sudo nmap -sV -p21 -sC -A $ip
sudo nmap -sV -p21 -sC -A $ip --script-trace
# --script-trace > trace the progress of NSE scripts at the network level
# -sV > version scan
# -A > aggressive scan
# -sC > the default script scan
```

Some nmap scripts related to ftp:

```
# ftp-anon NSE script checks whether the FTP server allows anonymous access.
# ftp-syst, for example, executes the `STAT` command, which displays information about the FTP server status.
```

[See more about nmap for scanning, running scripts and footprinting](nmap.md)


## Interact with the service

```
nc -nv $ip 21
telnet $ip 21
openssl s_client -connect $ip:21 -starttls ftp
```

## Attacking FTP
### Brute forcing with Medusa
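Review bot: `-A` already turns on `-sV` and `-sC` (plus OS detection and traceroute), so `sudo nmap -sV -p21 -sC -A $ip` and its new `--script-trace` twin carry redundant flags; keep `-A` alone or drop it and keep `-sV -sC`, and fix `aggresive` in the comment above them. The "Some nmap scripts related to ftp" block contains only comments and no command; show the actual invocation, for example `nmap -p21 --script ftp-anon,ftp-syst $ip`, or turn the two lines into a bullet list. The fences added in this file carry no language tag while the SMB page uses ```bash; tag them for consistency.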

Expand Down Expand Up @@ -206,22 +226,39 @@ sudo apt install vsftpd

The default configuration of vsFTPd can be found in `/etc/vsftpd.conf`.

```
cat /etc/vsftpd.conf | grep -v "#"
```

|**Setting**|**Description**|
|---|---|
|`listen=NO`|Run from inetd or as a standalone daemon?|
|`listen_ipv6=YES`|Listen on IPv6 ?|
|`anonymous_enable=NO`|Enable Anonymous access?|
|`local_enable=YES`|Allow local users to login?|
|`dirmessage_enable=YES`|Display active directory messages when users go into certain directories?|
|`use_localtime=YES`|Use local time?|
|`xferlog_enable=YES`|Activate logging of uploads/downloads?|
|`connect_from_port_20=YES`|Connect from port 20?|
|`secure_chroot_dir=/var/run/vsftpd/empty`|Name of an empty directory|
|`pam_service_name=vsftpd`|This string is the name of the PAM service vsftpd will use.|
|`rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem`|The last three options specify the location of the RSA certificate to use for SSL encrypted connections.|
|`rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key`||
|`ssl_enable=NO`||
| **Setting** | **Description** |
| ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
| `listen=NO` | Run from inetd or as a standalone daemon? |
| `listen_ipv6=YES` | Listen on IPv6 ? |
| `anonymous_enable=NO` | Enable Anonymous access? |
| `local_enable=YES` | Allow local users to login? |
| `dirmessage_enable=YES` | Display active directory messages when users go into certain directories? |
| `use_localtime=YES` | Use local time? |
| `xferlog_enable=YES` | Activate logging of uploads/downloads? |
| `connect_from_port_20=YES` | Connect from port 20? |
| `secure_chroot_dir=/var/run/vsftpd/empty` | Name of an empty directory |
| `pam_service_name=vsftpd` | This string is the name of the PAM service vsftpd will use. |
| `rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem` | The last three options specify the location of the RSA certificate to use for SSL encrypted connections. |
| `rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key` | |
| `ssl_enable=NO` | |

In addition, there is a file called `/etc/ftpusers` that we also need to pay attention to, as this file is used to deny certain users access to the FTP service.

```
cat /etc/ftpusers
```

Dangerous settings:

| **Setting** | **Description** |
| ------------------------------ | ---------------------------------------------------------------------------------- |
| `anonymous_enable=YES` | Allowing anonymous login? |
| `anon_upload_enable=YES` | Allowing anonymous to upload files? |
| `anon_mkdir_write_enable=YES` | Allowing anonymous to create new directories? |
| `no_anon_password=YES` | Do not ask anonymous for password? |
| `anon_root=/home/username/ftp` | Directory for anonymous. |
| `write_enable=YES` | Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE? |
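Review bot: `cat /etc/vsftpd.conf | grep -v "#"` drops every line that contains a `#` anywhere, including settings followed by an inline comment; use `grep -v '^#' /etc/vsftpd.conf` (anchored, without `cat`). The table change is column padding only, but the empty description cells should be filled: `rsa_private_key_file` is the private key matching `rsa_cert_file`, and `ssl_enable=NO` means logins and transfers run in cleartext, which also belongs in the dangerous-settings table. Minor: `Listen on IPv6 ?` has a stray space before `?`, and `Directory for anonymous.` reads better as `Root directory for the anonymous user.`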