101
- To successfully attack a service, we need to know:
- Its purpose
- how to interact with it
- what tools we can use
- what we can do with it
File Sharing Services
- Previously, internal services were used - SMB, NFS, FTP, TFTP, SFTP
- Now with cloud adoption, Dropbox, GSuite, OneDrive, SharePoint are also used
- AWS S3, Azure Blob, Google Cloud Storage
SMB (Server Message Block)
- commonly in Windows
Windows
GUI
- Press [WINKEY] + [R] - open the run dialogue box
\\192.168.220.129\Finance\
- If we have anonymous access or the currently logged-in user's access, we can see the shared drive directly
- If not, we will see an authentication request
CMD
CMD - dir
dir \\192.168.202.211\Finance
CMD - net use
net use n: \\192.168.202.221\Finance
- This will mount the shared drive on drive n:
net use n: \\192.168.202.221\Finance /user:plaintext Password123
- If auth is required
- After this mounting, we can query the drive n: as if it is local
CMD - find number of folders
- counting the entries in the shared drive (n:) we mounted; /a-d excludes directories, so the result is the number of files
dir n: /a-d /s /b | find /c ":\"
CMD - searching files/finding files
dir n:\*cred* /s /b
- find files with cred in filename
dir n:\*secret* /s /b
- find files with secrets in filename
CMD - findstr to look inside windows files
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/findstr
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/findstr#examples
findstr /s /i cred n:\*.*
PowerShell
- cmdlets - commandlets
PS - smb share
Get-ChildItem \\192.168.202.221\Finance\
OR
gci \\192.168.202.221\Finance\
PS - New-PSDrive is the PowerShell equivalent of net use
- Without creds
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"
- With Creds
$username = 'plaintext'
$password = 'admin123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
PS count items
cd N:
(Get-ChildItem -File -Recurse | Measure-Object).Count
PS - Find filenames
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
PS - find string inside files
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
Linux
Mount SMB on Linux
sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
OR
mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile
Linux - find filenames
find /mnt/Finance/ -name '*cred*'
linux - find string inside files
grep -rn /mnt/Finance/ -ie cred
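The two Linux searches above, combined into one reusable check of what a mounted share exposes. This is an added example, not part of the original notes: share_audit and make_sample_share are hypothetical names, the sample tree is constructed, and GNU find/grep are assumed.

```shell
#!/bin/sh
# share_audit DIR KEYWORD...
# Lists files under DIR whose NAME or CONTENT matches a keyword (case-insensitive).
# Output: one "name<TAB>path" or "content<TAB>path" line per hit, sorted and unique.
share_audit() {
    dir=$1; shift
    [ -d "$dir" ] || { echo "share_audit: not a directory: $dir" >&2; return 2; }
    for kw in "$@"; do
        # Filename match; the quotes stop the shell from expanding the glob itself.
        find "$dir" -type f -iname "*${kw}*" 2>/dev/null |
            while IFS= read -r p; do printf 'name\t%s\n' "$p"; done
        # Content match: -I skips binary files, -l prints each file once,
        # -F treats the keyword as a fixed string, -s hides unreadable-file errors.
        grep -rIilsF -e "$kw" -- "$dir" |
            while IFS= read -r p; do printf 'content\t%s\n' "$p"; done
    done | sort -u
}

# Constructed sample tree standing in for a mounted share such as /mnt/Finance.
make_sample_share() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/HR/old files"
    printf 'q3 totals\n' > "$d/report.txt"
    printf 'user=svc\n' > "$d/HR/old files/Credentials backup.txt"
    printf 'db_user=app\nDB_PASSWORD=example-not-real\n' > "$d/HR/app.conf"
    printf 'password\000\001\002' > "$d/blob.bin"   # binary, skipped by -I
    printf '%s\n' "$d"
}

# Stand-alone use: sh share_audit.sh /mnt/Finance cred secret
if [ $# -gt 0 ]; then share_audit "$@"; fi
```

Paths containing spaces are handled; the binary file is skipped even though it contains a keyword, which keeps the report limited to readable text files.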
Emails
- To send emails we need (SMTP), to receive we need either (IMAP or POP3)
- use Evolution - https://wiki.gnome.org/Apps/Evolution
sudo apt install evolution
- Note: If an error appears when starting evolution indicating "bwrap: Can't create file at ...", run:
export WEBKIT_FORCE_SANDBOX=0 && evolution
- https://www.youtube.com/watch?v=xelO2CiaSVs
Databases
- Interacting with a db

Command Line Utils
MSSql
Linux - sqsh
- https://manpages.ubuntu.com/manpages/jammy/man1/sqsh.1.html
sqsh -S 10.129.20.13 -U username -P Password123
Windows - sqlcmd
- https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility
sqlcmd -S 10.129.20.13 -U username -P Password123
MySQL
Linux
mysql -u username -p -h 10.129.20.13
- Enter Password in the prompt
Windows
mysql.exe -u username -pPassword123 -h 10.129.20.13
GUI Apps
- MySQL - https://dev.mysql.com/downloads/workbench/
- MSSQL - https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms -> only Windows
- dbeaver - https://github.com/dbeaver/dbeaver/releases
sudo dpkg -i dbeaver-<version>.deb
- MSSQL Connect - https://www.youtube.com/watch?v=gU6iQP5rFMw
- MySQL Connect - https://www.youtube.com/watch?v=PeuWmz8S6G8
Tools for Common Services
