
Service Enumeration

When enumerating a target, it's good to be comfortable working with the services running on it and to know their potential weak points. By understanding all of the services, we have a better chance of gathering valuable information that could help us compromise the system.

In the example commands in this post, whenever there is a password field, ex: [password], it indicates that the target's password for that service should be entered. You may not have the password, but there are many ways to obtain it. Brute forcing is an option, but it should always be used as a last resort since it is very noisy. These examples are theoretical and assume you already have the target's password.

FTP

FTP (File Transfer Protocol) is exactly what it sounds like: a service used for transferring files between two computers. A common FTP security misconfiguration that can be exploited is anonymous login, where a user can log in with the username anonymous and no password. A compromised FTP server could be storing sensitive files with information that could be used to escalate privileges. You can access the service with the following command.

$ ftp [target_ip]

FTP Commands

Here are some commands that can be used to navigate and use the FTP service once we're connected to it.

Command         Description
ls              Lists the FTP server's directories
ls -R           Lists the FTP server's files and directories recursively
get file.txt    Downloads a file from the FTP server to your local computer (file.txt in this case)
put file.txt    Uploads file.txt from your computer to the FTP server
exit            Exits the FTP session

FTP Enumeration

Nmap's default script scan is pretty good when it comes to enumerating FTP. If you don't understand script scans, you can check out my post on Nmap, which covers the topic. FTP usually runs on port 21.

$ nmap -p 21 -sC -sV [target_ip]

SMB

SMB is a protocol that allows computers to share access to files and printers. SMB is primarily for Windows but can be used on Linux. Just like FTP, SMB can sometimes allow anonymous logins, so it's worth checking out. To access SMB from a Linux machine we use smbclient. The -L flag lists all shares on the host and the -N flag attempts to log in without a username or password (anonymously). The -U and -P flags specify a username and password.

$ smbclient -L //[target_ip] -N

Access a Share

$ smbclient -N //[target_ip]/[share]

Once you are on a share you will be on an SMB command line where you can move around the file system. You can type help to see all the commands available to you while accessing the share. You can also download files from the share directly to your computer using the get command and specifying the file you want to download. Adding an exclamation mark right in front of a command will run it on your actual computer's command line while still in SMB, ex: ![command]

SMB Enumeration

You can enumerate SMB using tools like NetExec or SMBMap. I'm going to use enum4linux; the docs can be found here. If SMB allows anonymous login you can just leave the -u and -p flags out. The -A flag starts an aggressive scan and checks the shares for write access. You can type the help command to see what each flag does.

$ enum4linux 10.129.14.128 -A -u [username] -p [password]

NFS

Network File System (NFS) serves the same purpose as SMB: it's a protocol used for sharing files. NFS was made specifically for Unix systems, which remain the primary systems the protocol runs on.

Show the Target's Available Shares

$ showmount -e [target_ip]

Mounting NFS

$ sudo mount -t nfs [target_ip]:/[share] ./[local_folder] -o nolock

How the Command Works

Flag                                            Description
sudo mount                                      Runs the mount command as root
-t nfs                                          Specifies the type of filesystem being mounted, nfs in this case
[target_ip]:/[share] (ex: 192.0.0.1:/myshare)  Specifies the target IP address and the name of the share to mount
./[local_folder]                                Specifies the local directory to mount the share to
-o nolock                                       Disables file locking

Once a share has been mounted to a local folder, all the share’s contents will be displayed in that folder as if they were on your computer locally. You can navigate through the share as if it were a normal folder on your computer.

Unmounting NFS

$ sudo umount ./[local_folder]

Note: local_folder in this example is the local folder that the share was mounted to.

NFS Enumeration

You can run the NFS Nmap scripts to try to have Nmap show the contents of the shares on the server. Here we're basically telling Nmap to run all of its nfs scripts (the wildcard is quoted so the shell doesn't expand it).

$ nmap [target_ip] --script "nfs*" -sV

Root Squash

When an NFS share is mounted, users access the files with their local privileges. If a root user accesses the share, they could gain root privileges over the remote files. This is risky because an attacker with root access could view restricted files and upload a shell with the SUID bit, allowing it to run with root permissions.

They could then SSH into the server, run the shell, and gain root access. NFS uses the root_squash option to map remote root users to an anonymous, unprivileged user. Disabling root_squash (the no_root_squash export option) is a serious security risk.
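A defender-side counterpart to this warning, added here as an example and not taken from the post: a small Python audit that parses /etc/exports text and flags exports that keep remote root as uid 0 (no_root_squash), plus a related mistake the same parser catches, a space between the client and its options, which hands those options to every client. The sample exports file and all of its paths and addresses are constructed for the example.

```python
import re

# Constructed sample /etc/exports for this example (not from the post).
SAMPLE_EXPORTS = """\
# constructed sample exports file
/srv/backups   10.0.0.0/24(rw,sync,no_root_squash)
/srv/public    *(ro,sync)
/srv/uploads   192.0.2.10 (rw)   # the space before "(rw)" is a classic mistake
/home/dev      192.0.2.0/24(rw,sync,root_squash)
"""

# One client entry: optional client spec, optional "(opt,opt,...)" suffix.
CLIENT_RE = re.compile(r"^(?P<client>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for every client entry in an exports file.

    Comments and blank lines are skipped. An entry with no client part at all
    (e.g. a bare "(rw)") is treated here as applying to everyone ("*").
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for entry in clients:
            match = CLIENT_RE.match(entry)
            if not match:
                continue
            client = match.group("client") or "*"
            opts = [o for o in (match.group("opts") or "").split(",") if o]
            yield path, client, opts


def audit_exports(text):
    """Return findings for exports that disable root squashing or are writable by
    everyone. exportfs defaults are root_squash and ro, so only explicit options
    create a finding."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append({"path": path, "client": client, "issue": "no_root_squash"})
        if client == "*" and "rw" in opts:
            findings.append({"path": path, "client": client, "issue": "rw_to_everyone"})
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{finding['path']} -> {finding['client']}: {finding['issue']}")
```

On a real host, feed it the contents of /etc/exports (or the output of exportfs -v) instead of the constructed sample; the uploads line shows why the space-before-parenthesis case is reported as a world-writable export rather than as an export to 192.0.2.10.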

SMTP

Three different protocols are used for email services. SMTP is the protocol used for sending emails, while IMAP and POP3 are used to retrieve emails. The difference between IMAP and POP3 is how they handle the emails once they receive them.

The POP3 protocol downloads the emails to the device and then deletes them from the server. IMAP synchronizes emails to the device, leaving them on the server. Let’s go over the email process and the corresponding vocabulary.

Email Process

  1. The email is typed and sent from the Mail User Agent (MUA), e.g. Gmail or Outlook.
  2. The Mail Submission Agent validates the email by ensuring the sender is authenticated. Once validated, it forwards the email to the Mail Transfer Agent (MTA).
  3. The MTA handles routing the email to the recipient’s server.
  4. The Mail Delivery Agent takes the email from the server (MTA) and puts it in the mailbox.
  5. If the mailbox is configured with POP3 the email is downloaded to the device and deleted from the server. If it’s configured with IMAP, the email is synced to the device and remains on the server.

SMTP Vocab

Term                         Description
Mail User Agent (MUA)        The email client: Outlook, Gmail, etc.
Mail Submission Agent (MSA)  Validates the email and submits it to the Mail Transfer Agent
Mail Transfer Agent (MTA)    Routes the email across the internet to the recipient's server
Mail Delivery Agent (MDA)    Delivers the email to the recipient's mailbox
POP3/IMAP                    The mailbox (accessed via POP3 or IMAP)

Open/Closed Relay

When sending an email, the user must sign in and authenticate themselves through the MUA. Once authenticated, they can type and send an email. It is then forwarded to the MSA, where there are two possible outcomes. If the user did not authenticate themselves, the MSA would drop the email. If they did authenticate, the email would be sent to the MTA, where it could be routed to the recipient’s inbox.

In a closed relay, an email cannot be spoofed because the MTA only accepts emails from the MSA, which validates the user. In an open relay, an email can be spoofed because the MTA accepts emails from any source, not just the MSA, regardless of user authentication. For this reason, an open relay can be a great security risk.

I want to clarify one thing about the MTA. The reason an email can be spoofed in an open relay is because the MTA does not attempt to validate the owner of the email. The MTA’s only job is to route any emails it receives to the recipient. The validation job is for the MSA, and in this case, the MTA accepts emails from anywhere, not just the MSA.

SMTP can be accessed using telnet. SMTP usually runs on port 25.

$ telnet [target_ip] 25

SMTP Commands

Command      Description
AUTH PLAIN   Authenticates the client to the server
HELO         Identifies the client to the SMTP server
MAIL FROM:   Specifies the sender's email address
RCPT TO:     Specifies the recipient's email address
DATA         Tells the server that the email content is about to be sent. After this command the client sends the email headers and body; the message is terminated by a line containing only a period (.)
RSET         Resets the current mail transaction without disconnecting from the server
VRFY         Verifies whether a given email address or user exists
NOOP         Keeps the connection from timing out
QUIT         Terminates the SMTP session

SMTP Sending an Email

After connecting through telnet and using the commands above, we can send an email through a compromised email server. In this example it is an open relay, so I can send an email using any address I want. The server will allow it because it doesn't verify that I am the owner of the email address being used. This technique can be used for phishing campaigns and social engineering.

$ telnet [target_ip] 25

Trying <target ip>...
Connected to <target ip>.
Escape character is '^]'.
220 ESMTP Server

MAIL FROM: <fake-sender@example.com>
250 OK
RCPT TO: <victim@example.com>
250 OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: Important Update
From: fake-sender@example.com
To: victim@example.com

This is a phishing email.
.
250 OK

SMTP Enumeration

Nmap's default scripts will check which commands can be used on the SMTP server.

$ sudo nmap -sV -sC [target_ip] -p 25

Using the open relay script, we can also check if the server is Open Relay.

$ sudo nmap 10.129.14.128 -p25 --script smtp-open-relay
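The relay decision explained in the Open/Closed Relay section, the telnet exchange above, and what the smtp-open-relay script is really testing can all be seen end to end in the following script. It is an added example, not code from the original post or from Nmap: it runs a constructed fake MTA on loopback whose policy can be switched between open and closed relay, then probes it the way a relay check does (MAIL FROM an external sender, RCPT TO an external recipient) and stops before DATA, so no message is ever queued. The domain list, banner, hostnames and addresses are all constructed for the example.

```python
import smtplib
import socketserver
import threading

# Constructed for this example: the domains the fake MTA delivers locally.
LOCAL_DOMAINS = {"example.com"}


def domain_of(command_line):
    """Pull the domain out of 'MAIL FROM:<user@host>' / 'RCPT TO:<user@host>'."""
    start, end = command_line.find("<"), command_line.find(">")
    if start == -1 or end <= start:
        return ""
    address = command_line[start + 1:end]
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class FakeMTAHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP to show the relay decision; server.open_relay sets the policy."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))
        self.wfile.flush()

    def handle(self):
        self.reply("220 mta.example.com ESMTP constructed test server")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mta.example.com")
            elif verb == "MAIL":
                self.reply("250 OK")  # the sender is never verified, as the post explains
            elif verb == "RCPT":
                # The whole relay question lives here: a closed relay only accepts
                # recipients in its own domains from an unauthenticated client.
                if self.server.open_relay or domain_of(line) in LOCAL_DOMAINS:
                    self.reply("250 OK")
                else:
                    self.reply("554 5.7.1 Relay access denied")
            elif verb == "RSET":
                self.reply("250 OK")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")


def start_fake_mta(open_relay):
    """Start the fake MTA on an ephemeral loopback port with the given policy."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeMTAHandler)
    server.open_relay = open_relay
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def is_open_relay(host, port, timeout=5):
    """True when an unauthenticated session gets 250 for a recipient outside the
    server's own domains from an external sender: the open-relay symptom.
    The probe stops before DATA, so nothing is ever queued."""
    sender = "probe@sender.invalid"          # constructed external sender
    recipient = "someone@elsewhere.invalid"  # constructed external recipient
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.mail(sender)
        code, _ = smtp.rcpt(recipient)
        smtp.rset()
        return code == 250


def run_demo():
    """Probe both policies on loopback and report what the check concluded."""
    results = {}
    for name, policy in (("open-relay", True), ("closed-relay", False)):
        server = start_fake_mta(policy)
        try:
            results[name] = is_open_relay("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The closed-relay branch is the control that matters when reading a scan result: a 554 on the external RCPT TO is what a correctly configured MTA returns, while the 250 in the open-relay branch is exactly the response the telnet session above relied on.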

You can also brute force users using smtp-user-enum, which runs the VRFY command for every user in our provided list and reports a match when it finds a user. Note that some SMTP servers have longer timeouts, so in this scan I increased the tool's timeout to 10 seconds.

$ smtp-user-enum -U ./wordlist.txt -t [target_ip] -p 25 -w 10

IMAP and POP3

If SMTP is used to send emails, then IMAP and POP3 can be used to retrieve or view the emails of a compromised target. Remember, IMAP syncs emails from the server and leaves them there so they can also be synced to other devices. POP3 downloads emails to the device and deletes them from the server.

IMAP and POP3 each listen on two different ports by default. IMAP runs on ports 143 and 993, while POP3 runs on 110 and 995. The lower ports are unencrypted, while the higher port for each service is encrypted using TLS/SSL.

Enumerating IMAP and POP3

You can scan the ports using Nmap.

$ sudo nmap [target_ip] -sV -sC -p110,143,993,995 

Logging in to the mail servers

Non-SSL Connections

Connecting to IMAP
$ telnet [target_ip] 143

Connecting to POP3
$ telnet [target_ip] 110

SSL Connections

Connecting to IMAP
$ openssl s_client -connect [target_ip]:993

Connecting to POP3
$ openssl s_client -connect [target_ip]:995

IMAP Commands

Command                     Description
A1 LOGIN username password  Logs in with a username and password
A1 LIST "" *                Lists all directories
A1 CREATE "INBOX"           Creates a mailbox with the specified name
A1 DELETE "INBOX"           Deletes a mailbox
A1 LSUB "" *                Lists subscribed mailboxes
A1 SELECT INBOX             Selects a mailbox so that the messages in it can be accessed
A1 UNSELECT INBOX           Exits the selected mailbox
A1 FETCH 1:* FLAGS          Lists all messages (with their flags) in the selected mailbox
A1 FETCH 1:* BODY[TEXT]     Shows the message content of all messages in the selected mailbox
A1 FETCH 1 FLAGS            Lists message 1 (with its flags) from the selected mailbox
A1 FETCH 1 BODY[TEXT]       Shows the message content of message 1 in the selected mailbox
A1 FETCH 1 ALL              Shows all data about message 1 except the message content
A1 FETCH 1:* RFC822         Shows all message content, including the "To" and "From" fields and the dates, of all messages in the selected mailbox
A1 FETCH 1 RFC822           Shows all message content, including the "To" and "From" fields and the date, of message 1 in the selected mailbox
A1 CLOSE                    Closes the selected mailbox
A1 LOGOUT                   Ends the connection with the IMAP server

POP3 Commands

Command        Description
USER user      Logs in as user
PASS password  Logs in with the password "password"
STAT           Lists the number of messages and the total mailbox size
LIST           Lists messages and their sizes
RETR q         Shows message q
DELE q         Marks message q for deletion
RSET           Undoes any changes
QUIT           Logs out
CAPA           Gets the server's capabilities

Reading Emails IMAP

$ openssl s_client -connect [target_ip]:993
CONNECTED(00000003)
...
* OK IMAP server ready
a LOGIN username password
a OK LOGIN completed
a SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 3 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 2] UIDs valid
* OK [UIDNEXT 4] Predicted next UID
a OK [READ-WRITE] INBOX selected. (0.000 + 0.000 secs).
a FETCH 1:* (BODY[TEXT])
* 1 FETCH (BODY[TEXT] {342}
Return-Path: <example@example.com>
Received: from example.com (example.com [192.0.2.1])
    by imap.server.com (Postfix) with ESMTP id 123456789
    for <user@example.com>; Wed, 25 Dec 2024 22:47:00 -0600 (CST)
Subject: Example Email
...
a OK FETCH completed.

MySQL

MySQL is a relational database that typically runs on port 3306. The settings for the username and password are stored in plain text in the configuration file. If proper permissions are not set, an attacker can view these settings.
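An added example (not from the post) of checking that claim on a host: the Python snippet below reports whether a MySQL option file contains a password line and whether its file mode lets the group or the world read it. The two option files it inspects are constructed in a temporary directory with the assumed contents shown; on a real system you would point audit_mysql_config at /etc/mysql/my.cnf, ~/.my.cnf and similar paths.

```python
import os
import re
import stat
import tempfile

# A "password = ..." line at the start of a line, as written in [client] sections.
PASSWORD_RE = re.compile(r"^\s*password\s*=", re.IGNORECASE | re.MULTILINE)


def audit_mysql_config(path):
    """Report whether a MySQL option file holds a password and who can read it."""
    mode = os.stat(path).st_mode
    with open(path, errors="replace") as fh:
        has_password = bool(PASSWORD_RE.search(fh.read()))
    group_readable = bool(mode & stat.S_IRGRP)
    world_readable = bool(mode & stat.S_IROTH)
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(mode)),
        "has_password": has_password,
        # Only a readable file that actually holds a password is a finding.
        "exposed": has_password and (group_readable or world_readable),
    }


def build_demo_files():
    """Create two constructed option files in a temp dir: one 0644, one 0600."""
    workdir = tempfile.mkdtemp(prefix="mysql-audit-")
    # Constructed contents; the secret is a placeholder, not a real credential.
    content = "[client]\nuser=app\npassword=constructed-example-secret\nhost=127.0.0.1\n"
    exposed = os.path.join(workdir, "my.cnf")
    locked = os.path.join(workdir, ".my.cnf")
    for target, mode in ((exposed, 0o644), (locked, 0o600)):
        with open(target, "w") as fh:
            fh.write(content)
        os.chmod(target, mode)
    return exposed, locked


if __name__ == "__main__":
    for path in build_demo_files():
        print(audit_mysql_config(path))
```

The 0600 file holds the same password but is not reported, which is the point of the check: the finding is the combination of a stored credential and permissions that let other local users read it.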

MySQL Commands

Command                                                  Description
mysql -u [target_username] -p[password] -h [target_ip]   Logs in to the database. Note: there is no space between the -p flag and the password
show databases;                                          Shows all databases
use [database_name];                                     Selects a database
show tables;                                             Shows all of the tables in the selected database
show columns from [table_name];                          Shows all the columns of the specified table
describe [table_name];                                   Shows the schema of a table
select * from [table_name];                              Shows everything in the selected table
select * from [table_name] where [column] = "[string]";  Shows the rows of the selected table where the column matches the string

MySQL Skip SSL

If you get an SSL error when trying to connect to MySQL, you can use the --skip-ssl flag.

$ mysql -u [username] -p[password] -h [target_ip] --skip-ssl

Enumerate MySQL

$ sudo nmap 10.129.14.128 -sV -sC -p3306 --script "mysql*"
