## Methodology Checklist
- FTP: banner → anon login → list files → brute-force
- SMB: null session → enumerate shares → spray credentials
- MSSQL: default creds → xp_cmdshell check → linked server enum
- MySQL: root blank → FILE privilege → INTO OUTFILE
- SMTP: VRFY/RCPT user enum → open relay test
- IMAP/POP3: authenticate → read mailboxes for intel
- SNMP: community string brute → walk for config/credentials
- Always capture and document service banners
## Operational Context
Use when: Manually interacting with discovered services, i.e. verifying access, enumerating capabilities, and testing authentication before automated attacks.
Think Dumber First: Manually connect to every service before automating. nc [TARGET] [PORT] for a raw banner, curl for HTTP, smbclient for SMB. Manual probing catches things automated tools miss (e.g., service-specific prompts, custom banners with hints).
Skip when: Service is well-understood and automated tools are more efficient.
## Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| net use N: \\[TARGET_IP]\[SHARE] | Map SMB share to drive letter (CMD) |
| net use N: \\[TARGET_IP]\[SHARE] /user:[USER] [PASS] | Map SMB share with credentials |
| dir n:\*cred* /s /b | Search share for filenames containing "cred" |
| findstr /s /i cred n:\*.* | Grep share file contents for "cred" (CMD) |
| New-PSDrive -Name "N" -Root "\\[TARGET_IP]\[SHARE]" -PSProvider "FileSystem" | Map SMB share (PowerShell) |
| Get-ChildItem -Recurse -Path N:\ -Include *cred* -File | Search filenames (PowerShell) |
| Get-ChildItem -Recurse -Path N:\ \| Select-String "cred" -List | Grep file contents (PowerShell) |
| sudo mkdir /mnt/Finance && sudo mount -t cifs -o username=[USER],password=[PASS],domain=. //[TARGET_IP]/[SHARE] /mnt/Finance | Mount SMB share on Linux |
| find /mnt/Finance/ -name '*cred*' | Search filenames in mounted share |
| grep -rn /mnt/Finance/ -ie cred | Grep file contents in mounted share |
| sqsh -S [TARGET_IP] -U [USER] -P '[PASS]' | Connect to MSSQL from Linux |
| mssqlclient.py -p 1433 [USER]@[TARGET_IP] | Connect to MSSQL via Impacket |
| mssqlclient.py -windows-auth [DOMAIN]/[USER]:[PASS]@[TARGET_IP] | Connect to MSSQL with Windows auth |
| sqlcmd -S [TARGET_IP] -U [USER] -P [PASS] | Connect to MSSQL from Windows |
| mysql -u [USER] -p[PASS] -h [TARGET_IP] | Connect to MySQL (no space between -p and the password) |
| export WEBKIT_FORCE_SANDBOX=0 && evolution | Launch Evolution email client (works around the sandbox crash) |
## Deep Dive & Workflow

### SMB Share Search Strategy
Mount the share, then search systematically; scrolling manually through thousands of files is not feasible:
```cmd
REM CMD on Windows
net use N: \\[TARGET_IP]\Finance /user:corp\[USER] [PASS]
REM Count files first (lists files only, one per line, and counts the lines)
dir n: /a-d /s /b | find /c ":\"
REM Search filenames
dir n:\*cred* /s /b
dir n:\*secret* /s /b
dir n:\*password* /s /b
REM Grep content
findstr /s /i cred n:\*.*
```

```powershell
# PowerShell (more robust for large shares)
$cred = New-Object System.Management.Automation.PSCredential "[DOMAIN]\[USER]", (ConvertTo-SecureString "[PASS]" -AsPlainText -Force)
New-PSDrive -Name "N" -Root "\\[TARGET_IP]\[SHARE]" -PSProvider "FileSystem" -Credential $cred
# Count files first (scope the count to the mapped drive, not the current directory)
(Get-ChildItem -Path N:\ -File -Recurse | Measure-Object).Count
# Search filenames
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
# Grep content; -List stops at the first match per file
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
```

```bash
# Linux
sudo mount -t cifs -o username=[USER],password=[PASS],domain=. //[TARGET_IP]/Finance /mnt/Finance
# Quote the glob so the shell does not expand it against the current directory
find /mnt/Finance/ -name '*cred*'
grep -rn /mnt/Finance/ -ie cred
```

### SQL Client Quick Reference
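The same search as one pass over a mounted share, as an added example that is not part of the original cheatsheet: it combines the filename and content searches above, skips binaries and oversized files so it stays usable on shares with thousands of files, and is equally useful for auditing a share you administer before someone else finds what is on it. It assumes the share is already mounted; the sample tree it builds is constructed for the demonstration.

```python
# Added example (not from the original cheatsheet): a one-pass audit of a mounted
# share for credential-looking filenames and file contents. It reproduces the
# find / grep / findstr workflow above but skips binaries and oversized files so
# it stays usable on shares with thousands of files. The share is assumed to be
# mounted already (e.g. at /mnt/Finance); the sample tree below is constructed.
import os
import re
import tempfile
from typing import Iterator, List, Tuple

# Filename fragments the cheatsheet searches for.
NAME_KEYWORDS = ("cred", "secret", "password")
# Content pattern: the same keywords, case-insensitive, plus the common "passwd" spelling.
CONTENT_RE = re.compile(rb"cred|secret|password|passwd", re.IGNORECASE)
MAX_BYTES = 5 * 1024 * 1024  # do not grep files larger than this


def looks_binary(sample: bytes) -> bool:
    """A NUL byte in the first chunk marks a binary; grep/findstr would only spew noise on it."""
    return b"\x00" in sample


def iter_files(root: str) -> Iterator[str]:
    """Walk the share, ignoring directories that cannot be listed (permissions on the share)."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            yield os.path.join(dirpath, name)


def scan_share(root: str, max_bytes: int = MAX_BYTES) -> List[Tuple[str, str, int]]:
    """Return (relative_path, reason, line_no) findings; line_no is 0 for filename hits."""
    findings: List[Tuple[str, str, int]] = []
    for path in iter_files(root):
        rel = os.path.relpath(path, root)
        if any(k in os.path.basename(path).lower() for k in NAME_KEYWORDS):
            findings.append((rel, "filename", 0))
        try:
            if os.path.getsize(path) > max_bytes:
                continue  # too large to grep cheaply; handle such files separately
            with open(path, "rb") as fh:
                if looks_binary(fh.read(8192)):
                    continue
                fh.seek(0)
                for line_no, line in enumerate(fh, start=1):
                    if CONTENT_RE.search(line):
                        # One hit per file is enough for triage (like grep -l / Select-String -List).
                        findings.append((rel, "content", line_no))
                        break
        except OSError:
            continue  # unreadable file: leave it and keep going
    return findings


def build_sample_share() -> str:
    """Create a small constructed directory tree standing in for a mounted share."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    samples = {
        "reports/q1.txt": b"Revenue up 4 percent this quarter.\n",
        "it/creds.xlsx": b"PK\x03\x04\x00\x00fake spreadsheet bytes",  # binary-looking: name hit only
        "notes/todo.txt": b"call vendor\nask bob for the vpn password\n",  # content hit on line 2
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in sorted(scan_share(build_sample_share())):
        print(hit)
```

Run it against the mount point instead of the sample tree (`scan_share("/mnt/Finance")`) and sort the findings by reason; filename hits are the quick wins, content hits need a look at the line reported.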
| DB | Platform | Tool | Notes |
|---|---|---|---|
| MSSQL | Linux | mssqlclient.py (Impacket) | Best option; supports Windows auth |
| MSSQL | Linux | sqsh | Alternative; supports piping |
| MSSQL | Windows | sqlcmd | Native |
| MySQL | Any | mysql | No space between -p and password |
| Both | Any | DBeaver | GUI; fastest for visualizing tables |
Key SQL commands once connected (in sqlcmd, GO must sit on its own line; mssqlclient.py does not need it):
```sql
-- MSSQL
SELECT name FROM master.dbo.sysdatabases;
GO
SELECT table_name FROM [db].INFORMATION_SCHEMA.TABLES;
GO
-- MySQL
SHOW DATABASES;
USE [db]; SHOW TABLES;
-- Both
SELECT * FROM [table_name];
SELECT @@VERSION;
```

### Email Client: Evolution
Evolution is the go-to GUI email client for reading compromised mailboxes during an engagement:
```bash
sudo apt-get install evolution
export WEBKIT_FORCE_SANDBOX=0 && evolution  # fix "bwrap: Can't create file" crash
```
Configure with: host IP, port (IMAP 143/993, POP3 110/995), obtained credentials.
## Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| nc banner grab returns nothing | TLS/SSL required | Use openssl s_client -connect [TARGET]:[PORT] for TLS services |
| ftp/smtp/pop3 interactive commands not accepted | Command format wrong | SMTP uses CRLF line endings: printf 'EHLO test\r\n' \| nc [TARGET] 25 |
| smbclient prompts for password repeatedly | Null session format wrong | Use: smbclient -N //[TARGET]/share (no password); or -U '%' for blank |
| MySQL/MSSQL CLI not installed | Missing client | Alternatives: nxc mssql/mysql [TARGET]; Python: impacket-mssqlclient; mysql -h [TARGET] -u [USER] -p |
| Service interaction blocked mid-session | IDS triggers on commands | Slow down manual commands; avoid scanner-like rapid-fire queries |
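The first two rows above (a TLS-only port that stays silent to a plaintext client, and a service that only answers a CRLF-terminated command) handled in one probe, as an added example that is not part of the original page. It is written for checking hosts you administer: after a banner-suppression change, point it at the service and confirm that no product or version string comes back. The list of product names in the regex and the socketpair harness used to try it offline are assumptions made for this example.

```python
# Added example (not from the original cheatsheet): a banner probe that handles
# the two failure modes in the table above, a service that needs a CRLF-terminated
# command before it answers, and a port that is TLS-only and stays silent to a
# plaintext client. Point it at hosts you administer to confirm that a banner
# suppression change really removed product and version strings. The regex of
# product names and the socketpair harness are assumptions made for this example.
import re
import socket
import ssl
import threading
from typing import Optional, Tuple

# Product names (with an optional trailing version) that a hardened banner should not show.
DISCLOSURE_RE = re.compile(
    r"\b(?:postfix|exim|sendmail|vsftpd|proftpd|pure-ftpd|openssh|dovecot)\b"
    r"(?:[^\d\r\n]*?(\d+(?:\.\d+)+))?",
    re.IGNORECASE,
)


def read_banner(sock: socket.socket, probe: bytes = b"EHLO check.example\r\n",
                timeout: float = 3.0) -> str:
    """Read the greeting from a connected socket. If the service waits for the client
    to speak first, send `probe` (CRLF-terminated, as SMTP requires) and read once more."""
    sock.settimeout(timeout)
    data = b""
    for attempt in range(2):
        try:
            data += sock.recv(4096)
        except (socket.timeout, TimeoutError):
            pass  # nothing volunteered yet
        except OSError:
            break  # reset by peer, e.g. a TLS-only port dropping a plaintext client
        if data or attempt == 1:
            break
        try:
            sock.sendall(probe)
        except OSError:
            break
    return data.decode("utf-8", errors="replace").strip()


def probe_port(host: str, port: int, use_tls: bool = False, timeout: float = 3.0) -> str:
    """Connect once, optionally wrapping in TLS (the openssl s_client case), and read the banner."""
    raw = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # only the banner matters here; certificate checks are separate
        ctx.verify_mode = ssl.CERT_NONE
        raw = ctx.wrap_socket(raw, server_hostname=host)
    with raw:
        return read_banner(raw, timeout=timeout)


def probe_with_fallback(host: str, port: int) -> Tuple[str, str]:
    """Plaintext first; an empty answer is the 'nc returns nothing' symptom, so retry over TLS."""
    try:
        banner = probe_port(host, port)
    except OSError:
        banner = ""
    if banner:
        return ("plaintext", banner)
    try:
        return ("tls", probe_port(host, port, use_tls=True))
    except OSError:  # ssl.SSLError is an OSError too
        return ("none", "")


def disclosed_software(banner: str) -> Optional[str]:
    """Return the product/version string a banner reveals, or None when the banner is clean."""
    m = DISCLOSURE_RE.search(banner)
    return m.group(0) if m else None


def simulate_service(greeting: bytes, waits_for_client: bool = False, timeout: float = 1.0) -> str:
    """Offline harness (constructed, not a real host): emulate a service on a socketpair.
    With waits_for_client the greeting is only sent after the client's EHLO arrives."""
    client, server = socket.socketpair()

    def serve() -> None:
        with server:
            if waits_for_client:
                server.settimeout(timeout * 3)
                try:
                    server.recv(1024)
                except OSError:
                    return
            server.sendall(greeting)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    with client:
        banner = read_banner(client, timeout=timeout)
    t.join(timeout)
    return banner


if __name__ == "__main__":
    b = simulate_service(b"220 mail.example ESMTP Postfix 3.6.4\r\n")
    print(b, "->", disclosed_software(b))
```

Against a real host call `probe_with_fallback(host, port)` and feed the banner to `disclosed_software`; a result of `None` on every port you own is the outcome the reporting recommendation below is asking for.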
## Reporting Trigger
Finding Title: Unauthenticated Service Interaction Reveals Configuration Details

Impact: Direct service interaction without authentication exposes server banners, software versions, supported authentication methods, and protocol capabilities that enable targeted attack selection.

Root Cause: Services expose version information and configuration details to unauthenticated connections. No banner suppression or connection limiting is configured.

Recommendation: Suppress service banners where possible. Implement IP-based connection rate limiting. Deploy IDS to detect bulk service enumeration. Require authentication before any service capabilities are disclosed.
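What the "detect bulk service enumeration" recommendation looks like as a detection rule, as an added example that is not part of the original page: it parses constructed firewall-style connection records and flags a source that reaches many distinct ports on one host within a short window, which is how the service-by-service probing described on this page appears from the defender's side. The record format, the thresholds and the sample addresses are assumptions made for this example.

```python
# Added example (not from the original page): a detection sketch for the
# "deploy IDS to detect bulk service enumeration" recommendation. It parses
# constructed firewall-style connection records and flags any source that reaches
# many distinct destination ports on one host inside a short window, which is how
# the manual service probing described above looks from the defender's side. The
# log format, thresholds and sample addresses are assumptions made for this example.
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed record format: "<iso-timestamp> ACCEPT src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) ACCEPT src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

Event = Tuple[float, int]  # (epoch seconds, destination port)


def parse_line(line: str) -> Optional[Tuple[str, str, Event]]:
    """Return (src, dst, (epoch, port)) or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts")).timestamp()
    return m.group("src"), m.group("dst"), (ts, int(m.group("dport")))


def max_distinct_ports(events: List[Event], window_seconds: float) -> int:
    """Largest number of distinct ports touched within any window (two-pointer sweep)."""
    events = sorted(events)
    in_window: Counter = Counter()
    best = left = 0
    for t, port in events:
        in_window[port] += 1
        while t - events[left][0] > window_seconds:
            old_port = events[left][1]
            in_window[old_port] -= 1
            if in_window[old_port] == 0:
                del in_window[old_port]
            left += 1
        best = max(best, len(in_window))
    return best


def detect_enumeration(lines, min_ports: int = 5, window_seconds: float = 60.0) -> List[Tuple[str, str, int]]:
    """Flag (src, dst, distinct_ports) where one source hit at least min_ports distinct ports
    on a host within window_seconds. Repeated hits on a single port (normal traffic) do not count."""
    per_pair: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed record: skip it rather than crash the detector
        src, dst, event = parsed
        per_pair[(src, dst)].append(event)
    alerts = []
    for (src, dst), events in sorted(per_pair.items()):
        n = max_distinct_ports(events, window_seconds)
        if n >= min_ports:
            alerts.append((src, dst, n))
    return alerts


# Constructed sample: 10.0.0.5 walks seven services in twenty seconds (enumeration),
# 10.0.0.7 reconnects to SMB repeatedly (one port, benign), 10.0.0.9 touches six
# ports but spread over ten minutes (slower than the default window catches).
SAMPLE_LOG = """\
2024-05-01T10:00:01 ACCEPT src=10.0.0.5 dst=10.0.0.20 dport=21
2024-05-01T10:00:03 ACCEPT src=10.0.0.5 dst=10.0.0.20 dport=22
2024-05-01T10:00:05 ACCEPT src=10.0.0.5 dst=10.0.0.20 dport=25
2024-05-01T10:00:08 ACCEPT src=10.0.0.5 dst=10.0.0.20 dport=80
2024-05-01T10:00:12 ACCEPT src=10.0.0.5 dst=10.0.0.20 dport=110
2024-05-01T10:00:15 ACCEPT src=10.0.0.5 dst=10.0.0.20 dport=143
2024-05-01T10:00:20 ACCEPT src=10.0.0.5 dst=10.0.0.20 dport=445
2024-05-01T10:00:02 ACCEPT src=10.0.0.7 dst=10.0.0.20 dport=445
2024-05-01T10:00:04 ACCEPT src=10.0.0.7 dst=10.0.0.20 dport=445
2024-05-01T10:00:06 ACCEPT src=10.0.0.7 dst=10.0.0.20 dport=445
2024-05-01T10:00:09 ACCEPT src=10.0.0.7 dst=10.0.0.20 dport=445
2024-05-01T10:00:11 ACCEPT src=10.0.0.7 dst=10.0.0.20 dport=445
2024-05-01T10:02:00 ACCEPT src=10.0.0.9 dst=10.0.0.20 dport=21
2024-05-01T10:04:00 ACCEPT src=10.0.0.9 dst=10.0.0.20 dport=22
2024-05-01T10:06:00 ACCEPT src=10.0.0.9 dst=10.0.0.20 dport=25
2024-05-01T10:08:00 ACCEPT src=10.0.0.9 dst=10.0.0.20 dport=80
2024-05-01T10:10:00 ACCEPT src=10.0.0.9 dst=10.0.0.20 dport=110
2024-05-01T10:12:00 ACCEPT src=10.0.0.9 dst=10.0.0.20 dport=143
this line is not a connection record
"""

if __name__ == "__main__":
    for src, dst, n in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(f"possible service enumeration: {src} -> {dst}, {n} distinct ports")
```

The window and port-count thresholds are the tuning knobs: the "slow down manual commands" row in the troubleshooting table is exactly the evasion a too-narrow window misses, so widening `window_seconds` (at the cost of more review work) catches the slower source in the sample as well.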