Skip to content

Half-Pwned

Attacking SMTP

Half-Pwned

Home
ActiveDirectory
ActiveDirectory
- ActiveDirectory 101
  ActiveDirectory 101
- ActiveDirectory Hacking
  ActiveDirectory Hacking
  - 101
  - PrivEsc
  - Tools of the Trade
  - 1. Initial Enum
    1. Initial Enum
    
    Domain Enum
    
    External Recon and Enum
  - 2. LLMNR+NBT NS Poisoning
    2. LLMNR+NBT NS Poisoning
    
    LLMNR+NBT NS Linux
    
    LLMNR+NBT NS Windows
  - 3. Password Spraying
    3. Password Spraying
    
    Enumerating Password Policy
    
    Internal Password Spraying Linux
    
    Internal Password Spraying Windows
    
    Making a target user list
    
    Password Spraying 101
  - 4. Credentialed Enum
    4. Credentialed Enum
    
    Credentialed Enum LINUX
    
    Credentialed Enum Windows
    
    Enumerating Security Controls
    
    Living Off the Land
    
    Mimikatz
  - 5. Kerberoasting
    5. Kerberoasting
    
    Kerberoasting Linux
    
    Manual Method
  - 6. ACL
    6. ACL
    
    ACL Abuse Primer
    
    ACL Abuse Tactis
    
    PowerView
    
    BloodyAD
    
    DCSync
  - 7. Lateral Movement
    7. Lateral Movement
    
    ADCS
    
    ASREPRoasting DU
    
    Bleeding Edge Vulnerabilities
    
    GPO Abuse for Windows Privilege Escalation
    
    Kerberos 'Double Hop' Problem
    
    Miscellaneous Misconfigurations
    
    Privileged Access
    
    Kerberos Delegation
    Kerberos Delegation
    
    Delegation Types
    
    Resource Based Constraint Delegation
  - 8. Domain Trusts
    8. Domain Trusts
    
    Domain Trusts Primer
    
    Cross Forest
    Cross Forest
    
    Attacking CF Trusts Linux
    
    Attacking CF Trusts Windows
    
    Parent Child
    Parent Child
    
    Attacking Domain Trusts Linux
    
    Attacking Domain Trusts Windows
  - 9. Defense
    9. Defense
    
    AD Auditing
    
    Harden AD
  - BloodHound
    BloodHound
    
    GenericAll
Google RedTeaming
Google RedTeaming
- Resources
- Part 1
  Part 1
Network PenTesting
Network PenTesting
- Buffer Overflow
  Buffer Overflow
  - Linux
    Linux
    
    GDB Commands
    
    Prevention
    
    Exploit
    Exploit
    
    Find the Length of the Shellcode
    
    New shellcode & Return Address
    
    Take control of EIP
    
    Intro
    Intro
    
    CPU 101
    
    CPU Registers
    
    Stack Based BOF 101
- Common Services & Ports
  Common Services & Ports
  - Common Services 1
    Common Services 1
    
    Enum
    
    Infrastructure Enum
    
    Host Based Services
    Host Based Services
    
    DNS - 53
    
    FTP - 21
    
    IMAP POP3
    
    IPMI - 623
    
    LDAP - 389, 636,
    
    MSSql - 1433
    
    MySQL - 3306
    
    NFS - 111 or 2049
    
    Oracle TNS - 1521
    
    SMB - 139 or 445
    
    SMTP - 25, 587, 465
    
    SNMP - 161
    
    Remote Management
    Remote Management
    
    Linux Remote Management
    
    Windows Remote Management Protocol
  - Common Services 2
    Common Services 2
    
    101
    
    Attacking AD
    
    Attacking DNS
    
    Attacking FTP
    
    Attacking RDP
    
    Attacking SMB
    
    Attacking SMTP Attacking SMTP
    Table of contents
    
    Enum
    
    Misconfigurations
    
    Authentication
    
    Cloud Enum
    
    Password Attacks
    
    Protocol Specific Attacks
    
    Open Relay
    
    Attacking SQL DBs
    
    Protocol Specific Attacks
    Protocol Specific Attacks
    
    Concept of attacks
    
    Finding Sensitive Information
    
    Service Misconfig
- File Transfers
  File Transfers
- Linux Privesc
  Linux Privesc
  - Assessment
  - Hardening
  - PreText
  - 1. Information Gathering
    1. Information Gathering
    
    Check What's Running on a Port (Linux)
    
    Credential Hunting
    
    Environment Enumeration
    
    Linux Services & Internal Enum
    
    OTHER
    
    Tcpdump
  - 2. Env based privesc
    2. Env based privesc
    
    Escaping Restricted Shells
    
    Path Abuse
    
    Wildcard Abuse
  - 3. Permission based privesc
    3. Permission based privesc
    
    Capabilities
    
    Privileged Groups
    
    SUDO Right Abuse
    
    Special Permissions
  - 4. Service based privesc
    4. Service based privesc
    
    Docker Escape
    
    Docker
    
    Linux Containers
    
    Logrotate
    
    Passpie Exploitation
    
    Screen & Cron Jobs
    
    Tcpdump NFS tmux
  - 5. Internal based privesc
    5. Internal based privesc
    
    Kernel Exploits
    
    Python Library Hijacking
    
    Shared Libraries
    
    Shared Object Hijacking
  - 6. 0 days
    6. 0 days
    
    Dirty Pipe
    
    Netfilter
    
    Polkit
    
    Sudo
- Password Attacks
  Password Attacks
  - 101
  - Password Mutations
  - Remediation
  - Remote Password Attacks
  - Cracking Files
    Cracking Files
    
    Protected Archives
    
    Protected Files
  - Linux Local PA
    Linux Local PA
    
    Creds Hunting in Linux
    
    Passwd, Shadow, Opasswd
  - Passwords
    Passwords
    
    Password Mutations
    
    Remote Password Attacks
  - Windows Lateral Movement
    Windows Lateral Movement
    
    Kerberos
    
    Pass the Hash (PtH)
    
    Pass the Ticket (PtT) Linux
    
    Pass the Ticket (PtT) Windows
  - Windows Local PA
    Windows Local PA
    
    Attacking AD and NTDS.dit
    
    Attacking LSASS
    
    Attacking SAM SYSTEM NTDS SECURITY
    
    Attacking SAM
    
    Creds Hunting Windows
    
    DPAPI Decryption
- PenTesting Process
  PenTesting Process
  - Basics
  - Intro
  - My Process
  - Service Enum Links
  - Steps
  - Methodology
    Methodology
    
    Penetration Testing Foothold Checklist
    
    Linux
    
    My Process
    
    Windows AD
    
    Windows
- Pivoting
  Pivoting
  - 101
  - RDP and SOCKS Tunneling with SocksOverRDP
  - Ligolo
  - Ping Sweep
  - 1. Starting Tunnels
    1. Starting Tunnels
    
    Dynamic SSH PFW and SOCKS tunneling
    
    Local Port Fwding
    
    Meterpreter Tunneling & Port Forwarding
    
    Remote Port FWDing
  - 2. Socat
    2. Socat
    
    Socat Redirection
  - 3. Pivot Obstacles
    3. Pivot Obstacles
    
    SSH for Windows plink.exe
    
    Sshuttle
  - 4. Branching out Tunnels
    4. Branching out Tunnels
    
    DNS Tunneling with Dnscat2
    
    ICMP Tunneling
    
    SOCKS5 with Chisel
  - Ligolo
    Ligolo
    
    Ligolo Reverse tunnel
    
    Ligolo
- Reporting
  Reporting
- Windows Privesc
  Windows Privesc
  - Assessments
  - Intro
  - 1. Getting a Lay of the Land
    1. Getting a Lay of the Land
    
    Communication with Processes
    
    Initial Enum
    
    NEEDED COMMANDS
    
    Situational Awareness
  - 2. User Privileges
    2. User Privileges
    
    Enable Privileges
    
    Privileges 101
    
    SeDebugPrivilege
    
    SeImpersonate and SeAssignPrimaryToken
    
    SeTakeOwnershipPrivilege
  - 3. Group Privileges
    3. Group Privileges
    
    Backup Operators
    
    DnsAdmins
    
    Event Log Readers
    
    Hyper V Administrators
    
    Print Operators
    
    Server Operators
  - 4. Attacking the OS
    4. Attacking the OS
    
    Kernel Exploits
    
    User Account Control
    
    Vulnerable Services
    
    Weak Permissions
  - 5. Credential Theft
    5. Credential Theft
    
    Creds Hunting
    
    Further Credential Theft
    
    Hunting other Files
  - 6. Restricted Envs
    6. Restricted Envs
    
    Citrix Breakout
  - 7. Additional Techniques
    7. Additional Techniques
    
    Interacting with Users
    
    Misc
    
    Pillaging
  - 8. End of Life Systems
    8. End of Life Systems
    
    Legacy Operating Systems
    
    Windows Desktop
    
    Windows Server
Web Application Pentesting
Web Application Pentesting
- Attacking Common Applications
  Attacking Common Applications
  - 101 common Applications
  - Application Discovery & Enumeration
  - Hardening
  - ASSESSMENTS
    ASSESSMENTS
    
    Assessment 2
  - CMS
    CMS
    
    DNN
    
    Drupal
    Drupal
    
    Attacking Drupal
    
    Discovery & Enum
    
    Joomla
    Joomla
    
    Attacking Joomla
    
    Discovery and Enum
    
    Wordpress
    Wordpress
    
    Attacking Wordpress
    
    Discovery & Enum
  - Common Gateway Interfaces
    Common Gateway Interfaces
    
    Attacking CGI Apps Shellshock
    
    Attacking Tomcat CGI
  - Infra Network Tools
    Infra Network Tools
    
    PRTG Network Monitor
    
    Splunk
  - Other
    Other
    
    Apps connecting to Services
    
    Attacking LDAP
    
    ColdFusion
    
    IIS Tilde
    
    IIS machineKey RCE
    
    Web Mass Assignment
  - Servlet Containers
    Servlet Containers
    
    Jenkins
    Jenkins
    
    Attacking Jenkins
    
    Discovery & Enum
    
    Tomcat
    Tomcat
    
    Attacking Tomcat
    
    Discovery & Enum
  - Thick Client
    Thick Client
    
    PT Steps
    
    Exploiting Web vulns in Thick Client
    
    Thick Client 101
  - osTicket & GitLab
    osTicket & GitLab
    
    GitLab
    
    osTicket
- Attacking Web Apps
  Attacking Web Apps
  - Proxying
  - Brute Forcing Login
    Brute Forcing Login
    
    101
    
    Custom Wordlists Username anarchy, CUPP
    
    Hydra
    
    Medusa
  - Command Injection
    Command Injection
    
    101
    
    Prevention
    
    Filter Evasion
    Filter Evasion
    
    Basic
    
    Bypass Space and slashes
    
    Bypass blacklisted commands
    
    Evasion Tools
    
    Identifying filters
  - File Inclusion
    File Inclusion
    
    Basic Bypasses
    
    LFI 101
    
    LFI
    
    PHP Filters
    
    To do List
    
    What to look for
    
    Automation and Prevention
    Automation and Prevention
    
    Automated Scanning
    
    Prevention
    
    Remote code execution
    Remote code execution
    
    LFI and File Uploads
    
    Log Poisoning
    
    PHP Wrappers
    
    RFI
  - File Uploads
    File Uploads
    
    Prevention
    
    Bypassing Filters
    Bypassing Filters
    
    Basic Exploitation
    
    Limited File Uploads
    
    Main Techniques
    
    Other techniques
  - Fuzzing
    Fuzzing
    
    Domain + VHost Fuzzing
    
    Parameter Fuzzing
    
    Web Fuzzing
  - IDOR
    IDOR
    
    101 IDOR
    
    Bypassing IDOR
    
    IDOR Prevention
  - SQL Injection
    SQL Injection
    
    DB Enumeration
    
    Reading Files
    
    SQL 101
    
    SQL Injections
    
    Writing Files
  - SQLMap
    SQLMap
    
    SQLMap 101
    
    SQLMap outputs
    
    Building attacks
    Building attacks
    
    Handling SQLMap errors + Attack Tuning
    
    SQLMap on HTTP Request
    
    DB Enum
    DB Enum
    
    Advanced DB Enum
    
    DB Enum
    
    Webapps +OS
    Webapps +OS
    
    Bypassing Web Application Protections
    
    OS Exploitation
  - Verb Tampering
    Verb Tampering
    
    101
    
    Bypass
  - XSS
    XSS
    
    DOM XSS
    
    XSS (Stored, Reflected)
    
    XSS Discovery
    
    Xss 101
    
    XSS Attacks
    XSS Attacks
    
    Defacing
    
    Phishing & Session Hijacking
  - XXE
    XXE
    
    Advanced File Disclosure
    
    Blind Data Exfiltration
    
    Bypass XXE
    
    Prevention
    
    XXE 101
- Information Gathering
  Information Gathering
Blog
Blog
- Blog
- GCP
  GCP
  - GCRTP
    GCRTP
    
    Initial Access - Password Spray
    
    GCP-Phishing
    
    Metadata in GCP Instances
    
    Reveal Files Hidden in Google Storage
- Linux
  Linux
  - Agile
  - Alert
  - Builder
  - Chemistry
  - Conversor
  - Crafty
  - Delivery
  - Expressway
  - Giveback
  - Logforge
  - Metatwo
  - Pandora
  - Planning
  - Postman
  - Remote
  - Shoppy
  - Snoopy
  - Soccer
  - Soulmate
  - Trick
  - Underpass
  - Union
- Pro Labs
  Pro Labs
  - AEN
    AEN
    
    10.129.229.147
    
    10.129.229.147
  - POO
    POO
    
    10.13.38.11 - Entrypoint
- Windows
  Windows
  - Active
  - Authority
  - Cicada
  - Driver
  - Escapetwo
  - Fluffy
  - Forest
  - Hospital
  - Jeeves
  - Mailing
  - Manager
  - Media
  - Monitorfour
  - Nanocorp
  - Outdated
  - Pov
  - Redelegate
  - Return
  - Sauna
  - Servmon
  - Streamio
  - Support
  - Timelapse
  - Tombwatcher
  - Voleur
  - Vulncicada
- Archive
  Archive
  - 2023

Attacking SMTP

POP3 removes the downloaded emails from the email server
IMAP4 does not remove these emails and can be accessed from multiple devices

Enum

We can use the Mail eXchanger MX DNS record to identify the mail server
This MX server accepts emails on behalf of a domain name\
https://mxtoolbox.com/ Host - MX query
host -t MX hackthebox.eu DIG - MX query
dig mx inlanefreight.com | grep "MX" | grep -v ";" Host - A records
host -t A mail1.inlanefreight.htb.\

NMAP Enum

sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 10.129.14.128

Misconfigurations

auth is required to send and receive emails
If misconfigured:
anonymous auth can be supported
enumeration of valid usernames can be conducted

Authentication

Commands to enumerate valid usernames - VRFY, EXPN, and RCPT TO

VRFY

instructs the receiving SMTP server to check the validity of a particular email username.

EXPN

will list the users related to the name
Bigger problem than VRFY

RCPT TO

id the recipient of the email message
You write an email and then do RCPT TO to different usernames to find a valid one

Using POP3 to enumerate Users

Automate Enum process using SMTP-User-Enum

https://github.com/pentestmonkey/smtp-user-enum
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7
-M : method RCPT TO, VRFY, EXPN
-D: Domain

Cloud Enum

Use https://github.com/0xZDH/o365spray to enumerate office 365

Workflow

Validate if the org is using O365
python3 o365spray.py --validate --domain msplaintext.xyz
Identify usernames
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz

Password Attacks

Hydra on SMTP, POP3, IMAP

hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3\
hydra might not work with O365, GSuite
custom tools such as o365spray or MailSniper for Microsoft Office 365 or CredKing for Gmail or Okta.
keep them updated

Password attack on Office 365

python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz

Protocol Specific Attacks

unauthenticated email relay
Messaging Servers configured as open relays allow mail from any source to be transparently rerouted through the open relay
This masks the real source and shows the source as the open relay server

Open Relay

Check if open relay is allowed

nmap -p25 -Pn --script smtp-open-relay 10.10.11.213

Connect to a mail server and send an email

swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213