        /// <summary>
        /// Collects LDAP-derived details for a host: the directory's defaultNamingContext
        /// followed by whatever account information the LDAP helper returns.
        /// </summary>
        /// <param name="ip">Address of the host whose LDAP service is queried.</param>
        /// <param name="port">Not used by this method; both LDAP helpers are called with <paramref name="ip"/> only.</param>
        /// <returns>The two LDAP results concatenated, with leading and trailing newline characters trimmed.</returns>
        public static string GetInfo(string ip, int port)
        {
            string namingContext = LDAP.GetDefaultNamingContext(ip);
            string accountInfo = LDAP.GetAccountInfo(ip);
            char[] newlineChars = Environment.NewLine.ToCharArray();
            return (namingContext + accountInfo).Trim(newlineChars);
        }
        // For the "Some things you probably want to do" list
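        /// <summary>
        /// Builds the "Some things you probably want to do" suggestions for one open port.
        /// Most branches only format command lines for the operator to run by hand; the
        /// Kerberos (88), AMQP (5672) and JetDirect (9100) branches also talk to
        /// <paramref name="target"/> (an LDAP lookup / raw banner grabs) to tailor the output,
        /// and the last two additionally print a summary to the console.
        /// </summary>
        /// <param name="target">Host name or IP of the scanned system; interpolated verbatim into the suggested commands.</param>
        /// <param name="port">TCP port that was found open.</param>
        /// <returns>
        /// Zero or more suggestion lines, each terminated by <see cref="Environment.NewLine"/>,
        /// or an empty string for ports without an entry.
        /// </returns>
        public static string GetAdditionalPortInfo(string target, int port)
        {
            string postScanActions = "";

            switch (port)
            {
                case 23:
                    postScanActions += "- Telnet: Just telnet in - Bug Reelix to update this though..." + Environment.NewLine;
                    break;

                case 53:
                    // TODO: https://svn.nmap.org/nmap/scripts/dns-nsid.nse
                    postScanActions += $"- Try a reverse lookup (Linux): dig @{target} -x {target}" + Environment.NewLine;
                    postScanActions += $"- Try a zone transfer (Linux): dig axfr domain.com @{target}" + Environment.NewLine;
                    break;

                case 80:
                    postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-http-medium.txt -x.php,.txt" + Environment.NewLine;
                    postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/common.txt -t 25 -o gobuster-http-common.txt -x.php,.txt" + Environment.NewLine;
                    break;

                case 88:
                    postScanActions += GetKerberosActions(target);
                    break;

                case 443:
                    postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-https-medium.txt -x.php,.txt" + Environment.NewLine;
                    // Same wordlist file as the port 80 entry ("common.txt"); the bare "common" path did not exist.
                    postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/common.txt -t 25 -o gobuster-https-common.txt -x.php,.txt" + Environment.NewLine;
                    break;

                case 445:
                    if (General.GetOS() == General.OS.Windows)
                    {
                        postScanActions += $"- Port 445 - Linux (SMBClient) has better info on this: smbclient -L {target} --no-pass" + Environment.NewLine;
                    }
                    postScanActions += $"- Port 445 - I miss a lot: nmap -sC -sV -p445 {target}" + Environment.NewLine;
                    postScanActions += $"- Port 445 - Testing passwords: crackmapexec smb {target} -u users.txt -p passwords.txt" + Environment.NewLine;
                    postScanActions += $"- Port 445 - Authenticated SID Lookup: sudo lookupsid.py DOMAIN/Username:password@{target}" + Environment.NewLine;
                    break;

                case 2049:
                    postScanActions += "- NFS: rpcinfo -p " + target + Environment.NewLine;
                    break;

                case 3128:
                    postScanActions += $"- Squid: If you get a password, run: squidclient -v -h {target} -w 'passwordHere' mgr:menu" + Environment.NewLine;
                    break;

                case 3306:
                    postScanActions += $"- Try: hydra -L users.txt -P passwords.txt {target} mysql" + Environment.NewLine;
                    break;

                case 3389:
                    // TODO: https://nmap.org/nsedoc/scripts/rdp-ntlm-info.html
                    // https://svn.nmap.org/nmap/scripts/rdp-ntlm-info.nse
                    // Planned approach: send an NTLMSSP NEGOTIATE message over the RDP connection and parse the
                    // CHALLENGE response. Reference blob kept for when this is implemented:
                    /*
                     * string NTLM_NEGOTIATE_BLOB =  "30 37 A0 03 02 01 60 A1 30 30 2E 30 2C A0 2A 04 28"
                     + "4e 54 4c 4d 53 53 50 00" // Identifier - NTLMSSP
                     + "01 00 00 00" //Type: NTLMSSP Negotiate -01
                     + "B7 82 08 E2 " // Flags(NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
                     + "00 00 " // DomainNameLen
                     + "00 00" // DomainNameMaxLen
                     + "00 00 00 00" // DomainNameBufferOffset
                     + "00 00 " // WorkstationLen
                     + "00 00" // WorkstationMaxLen
                     + "00 00 00 00" // WorkstationBufferOffset
                     + "0A" // ProductMajorVersion = 10
                     + "00 " // ProductMinorVersion = 0
                     + "63 45 " // ProductBuild = 0x4563 = 17763
                     + "00 00 00" // Reserved
                     + "0F"; // NTLMRevision = 5 = NTLMSSP_REVISION_W2K3
                     *
                     * byte[] byteData = General.StringToByteArray(NTLM_NEGOTIATE_BLOB);
                     * string result = General.BannerGrabBytes(ip, port, byteData);
                     * Console.WriteLine("Result: " + result);
                     */
                    break;

                case 3690:
                    // Banner: ( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ) ) )
                    postScanActions += "- SVN: svn diff -r1 svn://" + target + Environment.NewLine;
                    break;

                case 4369:
                    // TODO: https://svn.nmap.org/nmap/scripts/epmd-info.nse
                    postScanActions += $"- EPMD: nmap {target} -p4369 --script=epmd-info -sV" + Environment.NewLine;
                    break;

                case 5222:
                    // TODO: Jabber
                    // 5222/tcp open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
                    break;

                case 5269:
                    // jabber / xmpp-server
                    // 5269/tcp open  xmpp                Wildfire XMPP Client ???
                    // Terminated with a newline like every other entry so callers can append further lines.
                    postScanActions += "- nmap --script=xmpp-info " + target + " -p" + port + Environment.NewLine;
                    break;

                case 5672:
                    postScanActions += GetAmqpActions(target, port);
                    break;

                case 9100:
                    postScanActions += GetJetDirectActions(target, port);
                    break;

                case 11211:
                    postScanActions += "- 11211 - Memcache" + Environment.NewLine;
                    postScanActions += "-- Verify: stats (Dumps \"STAT\")" + Environment.NewLine;
                    postScanActions += "-- Dump key names: lru_crawler metadump all" + Environment.NewLine;
                    postScanActions += "-- Read key: get keyname" + Environment.NewLine;
                    break;

                case 27017:
                    // MongoDB
                    postScanActions += "- 27017 - MongoDB: NMap can get the version" + Environment.NewLine;
                    // Nmap can get the version - What else can we get?
                    break;
            }

            return postScanActions;
        }

        // Port 88: derive the Kerberos realm from LDAP's defaultNamingContext
        // ("DC=corp,DC=local" -> "corp.local") so the suggested commands are copy-paste ready.
        private static string GetKerberosActions(string target)
        {
            string domain = (LDAP.GetDefaultNamingContext(target, true) ?? "")
                .Replace("DC=", "")
                .Replace(",", ".");

            // LDAP may be filtered or silent; a placeholder keeps the commands readable instead
            // of emitting fragments like "/ -dc-ip".
            if (string.IsNullOrWhiteSpace(domain))
            {
                domain = "domainHere";
            }

            string actions = "";

            // Username enum. kerbrute takes the realm in -d and the domain controller address in --dc.
            actions += $"- Kerberos Username Enum: kerbrute userenum -d {domain} --dc {target} users.txt" + Environment.NewLine;

            // Requests TGT (Ticket Granting Tickets) for users
            actions += $"- Kerberos TGT Request: sudo GetNPUsers.py {domain}/ -dc-ip {target} -request" + Environment.NewLine;

            // Test for users with 'Do not require Kerberos preauthentication'
            actions += $"- Kerberos non-preauth: sudo GetNPUsers.py {domain}/ -usersfile sampleUsersHere.txt -dc-ip {target}" + Environment.NewLine;

            // Post exploitation
            actions += $"- If you get details: python3 secretsdump.py usernameHere:\"passwordHere\"@{target} | grep :" + Environment.NewLine;

            return actions;
        }

        // Port 5672: probe for the AMQP protocol header. "AMQP" followed by bytes 0 0 9 1 identifies
        // version 0-9-1. Prints a summary to the console; returns the suggestion line(s).
        private static string GetAmqpActions(string target, int port)
        {
            string portHeader = "Port 5672 - Advanced Message Queuing Protocol (AMQP)";
            string portData = General.BannerGrab(target, 5672, "Woof" + Environment.NewLine + Environment.NewLine) ?? "";
            string actions = "";

            if (!portData.StartsWith("AMQP", StringComparison.Ordinal))
            {
                portData = "- 5672.Unknown - Bug Reelix";
            }
            // The protocol header is exactly 8 bytes; a truncated reply must not be indexed past its end.
            else if (portData.Length >= 8 && portData[4] == 0 && portData[5] == 0 && portData[6] == 9 && portData[7] == 1)
            {
                portData = "- Version 0-9-1";
                // Full server properties (product, version, platform, cluster name) come back in the
                // Connection.Start frame; nmap's amqp-info already parses that, so defer to it.
                // https://svn.nmap.org/nmap/nselib/amqp.lua
                actions += $"- AMQP is up and nmap knows more: nmap --script amqp-info -p{port} {target}" + Environment.NewLine;
            }
            else
            {
                portData = "- 5672.Unknown Version - Bug Reelix";
            }

            Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
            return actions;
        }

        // Port 9100: PJL probing of a JetDirect-style printer.
        // http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet
        // TODO: Clean - Should the file be named "Printer.cs" or "jetdirect.cs" ???
        // TODO: Add PCL (Printer Command Language), XEX, IPDS
        private static string GetJetDirectActions(string target, int port)
        {
            string portHeader = $"Port {port} - Printer (jetdirect)";
            string actions = "";
            string portData;

            // Yoinked from Nmap. The reply is remote-controlled data destined for the terminal,
            // so control characters are stripped before it is echoed.
            string bannerInfo = SanitizeBanner(General.BannerGrab(target, port, "@PJL INFO ID\r\n"));

            if (string.IsNullOrEmpty(bannerInfo))
            {
                portData = "- Unknown - Bug Reelix!";
            }
            else
            {
                portData = "- Version: " + bannerInfo + Environment.NewLine;

                // Yoinked from PRET
                string rawListing = General.BannerGrab(target, port, "@PJL FSDIRLIST NAME=\"0:/ \" ENTRY=1 COUNT=65535\r\n");
                List<string> dirList = SanitizeBanner(rawListing).Split("\r\n".ToCharArray()).ToList();
                // Clean new lines
                dirList.RemoveAll(string.IsNullOrEmpty);

                portData += "- Directory List: " + Environment.NewLine;
                foreach (string dir in dirList)
                {
                    portData += "-- " + dir + Environment.NewLine;
                }
                portData = portData.Trim(Environment.NewLine.ToCharArray());

                // PJL succeeded - add the listing and pret to the post scan actions
                actions += portData + Environment.NewLine + $"- Printer: pret.py {target} pjl ( https://github.com/RUB-NDS/PRET )" + Environment.NewLine;
            }

            Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
            return actions;
        }

        // Drops control characters (other than CR, LF and TAB) from text received from the target,
        // so a hostile banner cannot inject terminal escape sequences into the console output.
        private static string SanitizeBanner(string banner)
        {
            if (string.IsNullOrEmpty(banner))
            {
                return "";
            }
            return new string(banner.Where(c => c == '\r' || c == '\n' || c == '\t' || !char.IsControl(c)).ToArray());
        }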