/// <summary>
/// Collects the LDAP-derived details for a host: the default naming context followed by the account information.
/// </summary>
/// <param name="ip">Address of the directory server to query.</param>
/// <param name="port">Not read by this method; presumably kept so the signature matches the other per-port info methods.</param>
/// <returns>The two LDAP results concatenated, with leading and trailing newline characters removed.</returns>
public static string GetInfo(string ip, int port)
{
    string namingContext = LDAP.GetDefaultNamingContext(ip);
    string accountInfo = LDAP.GetAccountInfo(ip);

    // Trim only the platform newline characters, not all whitespace, so indentation inside the text survives.
    char[] newlineChars = Environment.NewLine.ToCharArray();
    return (namingContext + accountInfo).Trim(newlineChars);
}
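/// <summary>
/// Builds the "Some things you probably want to do" follow-up list for one open port.
/// </summary>
/// <param name="target">Host name or IP address that was scanned; it is interpolated into the suggested commands.</param>
/// <param name="port">The open TCP port. Ports without an entry below contribute nothing.</param>
/// <returns>
/// Newline-terminated suggestion lines, or an empty string when the port has no entry.
/// The 5672 (AMQP) and 9100 (JetDirect) cases additionally write a summary straight to the console
/// on top of what they add to the returned text.
/// </returns>
public static string GetAdditionalPortInfo(string target, int port)
{
    string postScanActions = "";

    switch (port)
    {
        case 23:
            postScanActions += "- Telnet: Just telnet in - Bug Reelix to update this though..." + Environment.NewLine;
            break;

        case 53:
            // TODO: https://svn.nmap.org/nmap/scripts/dns-nsid.nse
            postScanActions += $"- Try a reverse lookup (Linux): dig @{target} -x {target}" + Environment.NewLine;
            postScanActions += $"- Try a zone transfer (Linux): dig axfr domain.com @{target}" + Environment.NewLine;
            break;

        case 80:
            postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-http-medium.txt -x.php,.txt" + Environment.NewLine;
            postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/common.txt -t 25 -o gobuster-http-common.txt -x.php,.txt" + Environment.NewLine;
            break;

        case 88:
        {
            // Turn the LDAP naming context ("DC=a,DC=b") into a dotted realm name ("a.b").
            // NOTE(review): assumes GetDefaultNamingContext never returns null here - confirm, since Replace would throw on null.
            string defaultNamingContext = LDAP.GetDefaultNamingContext(target, true);
            defaultNamingContext = defaultNamingContext.Replace("DC=", "").Replace(",", ".");
            // Username enum
            postScanActions += $"- Kerberos Username Enum: kerbrute userenum --dc {defaultNamingContext}/ -d {target} users.txt" + Environment.NewLine;
            // Requests TGT (Ticket Granting Tickets) for users
            postScanActions += $"- Kerberos TGT Request: sudo GetNPUsers.py {defaultNamingContext}/ -dc-ip {target} -request" + Environment.NewLine;
            // Test for users with 'Do not require Kerberos preauthentication'
            postScanActions += $"- Kerberos non-preauth: sudo GetNPUsers.py {defaultNamingContext}/ -usersfile sampleUsersHere.txt -dc-ip {target}" + Environment.NewLine;
            // Post exploitation
            postScanActions += $"- If you get details: python3 secretsdump.py usernameHere:\"passwordHere\"@{target} | grep :" + Environment.NewLine;
            break;
        }

        case 443:
            // NOTE(review): the second wordlist is "common" here but "common.txt" in the port 80 entry - confirm which is intended.
            postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-https-medium.txt -x.php,.txt" + Environment.NewLine;
            postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/common -t 25 -o gobuster-https-common.txt -x.php,.txt" + Environment.NewLine;
            break;

        case 445:
            // The smbclient hint is only useful when we are not already on Linux.
            if (General.GetOS() == General.OS.Windows)
            {
                postScanActions += $"- Port 445 - Linux (SMBClient) has better info on this: smbclient -L {target} --no-pass" + Environment.NewLine;
            }
            postScanActions += $"- Port 445 - I miss a lot: nmap -sC -sV -p445 {target}" + Environment.NewLine;
            postScanActions += $"- Port 445 - Testing passwords: crackmapexec smb {target} -u users.txt -p passwords.txt" + Environment.NewLine;
            postScanActions += $"- Port 445 - Authenticated SID Lookup: sudo lookupsid.py DOMAIN/Username:password@{target}" + Environment.NewLine;
            break;

        case 2049:
            postScanActions += "- NFS: rpcinfo -p " + target + Environment.NewLine;
            break;

        case 3128:
            postScanActions += $"- Squid: If you get a password, run: squidclient -v -h {target} -w 'passwordHere' mgr:menu" + Environment.NewLine;
            break;

        case 3306:
            postScanActions += $"- Try: hydra -L users.txt -P passwords.txt {target} mysql" + Environment.NewLine;
            break;

        case 3389:
            // TODO: https://nmap.org/nsedoc/scripts/rdp-ntlm-info.html
            // https://svn.nmap.org/nmap/scripts/rdp-ntlm-info.nse
            // A commented-out draft of an NTLM NEGOTIATE probe (General.StringToByteArray + General.BannerGrabBytes)
            // used to live here; the nmap script above is the reference for the message layout.
            break;

        case 3690:
            // Banner: ( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ) ) )
            postScanActions += "- SVN: svn diff -r1 svn://" + target + Environment.NewLine;
            break;

        case 4369:
            // TODO: https://svn.nmap.org/nmap/scripts/epmd-info.nse
            postScanActions += $"- EPMD: nmap {target} -p4369 --script=epmd-info -sV" + Environment.NewLine;
            break;

        case 5222:
            // TODO: Jabber
            // 5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
            break;

        case 5269:
            // jabber / xmpp-server
            // 5269/tcp open xmpp Wildfire XMPP Client ???
            // Terminated with a newline like every other entry so the following line is not glued onto it.
            postScanActions += "- nmap --script=xmpp-info " + target + " -p" + port + Environment.NewLine;
            break;

        case 5672:
        {
            string portHeader = "Port 5672 - Advanced Message Queuing Protocol (AMQP)";
            string portData = General.BannerGrab(target, 5672, "Woof" + Environment.NewLine + Environment.NewLine);
            // The protocol header is "AMQP" followed by four version bytes. Check the length before indexing
            // so a short or truncated reply cannot throw IndexOutOfRangeException.
            if (!string.IsNullOrEmpty(portData) && portData.StartsWith("AMQP", StringComparison.Ordinal))
            {
                if (portData.Length >= 8 && portData[4] == 0 && portData[5] == 0 && portData[6] == 9 && portData[7] == 1)
                {
                    portData = "- Version 0-9-1";
                    // Nmap's amqp-info speaks enough of the protocol to read the server properties:
                    // https://svn.nmap.org/nmap/nselib/amqp.lua
                    postScanActions += $"- AMQP is up and nmap knows more: nmap --script amqp-info -p{port} {target}" + Environment.NewLine;
                }
                else
                {
                    portData = "- 5672.Unknown Version - Bug Reelix";
                }
            }
            else
            {
                portData = "- 5672.Unknown - Bug Reelix";
            }
            Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
            break;
        }

        case 9100:
        {
            // TODO: Clean - Should the file be named "Printer.cs" or "jetdirect.cs" ???
            string portHeader = $"Port {port} - Printer (jetdirect)";
            // PJL
            // http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet
            // Yoinked from Nmap
            string bannerInfo = General.BannerGrab(target, port, "@PJL INFO ID\r\n");
            string portData = "";
            if (!string.IsNullOrEmpty(bannerInfo))
            {
                portData += "- Version: " + bannerInfo + Environment.NewLine;
                // Yoinked from PRET
                List<string> dirList = General.BannerGrab(target, port, "@PJL FSDIRLIST NAME=\"0:/ \" ENTRY=1 COUNT=65535\r\n").Split("\r\n".ToCharArray()).ToList();
                // Clean new lines
                dirList.RemoveAll(string.IsNullOrEmpty);
                // Append each item
                portData += "- Directory List: " + Environment.NewLine;
                foreach (string dir in dirList)
                {
                    portData += "-- " + dir + Environment.NewLine;
                }
                portData = portData.Trim(Environment.NewLine.ToCharArray());
                // PJL successful - add pjl to the post scan actions
                postScanActions += portData + Environment.NewLine + $"- Printer: pret.py {target} pjl ( https://github.com/RUB-NDS/PRET )" + Environment.NewLine;
            }
            else
            {
                portData = "- Unknown - Bug Reelix!";
            }
            // TODO: Add PCL (Printer Command Language), XEX, IPDS
            Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
            break;
        }

        case 11211:
            postScanActions += "- 11211 - Memcache" + Environment.NewLine;
            postScanActions += "-- Verify: stats (Dumps \"STAT\")" + Environment.NewLine;
            postScanActions += "-- Dump key names: lru_crawler metadump all" + Environment.NewLine;
            postScanActions += "-- Read key: get keyname" + Environment.NewLine;
            break;

        case 27017:
            // MongoDB
            postScanActions += "- 27017 - MongoDB: NMap can get the version" + Environment.NewLine;
            // Nmap can get the version - What else can we get?
            break;
    }

    return postScanActions;
}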