ZyberRED
Server Message Block (SMB)
Windows – CMD line
net use
Connect to a File share \\192.168.45.29\ITSupport\
The command net use connects a computer to or disconnects a computer from a shared resource or displays information about computer connections.
# net use
net use n: \\192.168.45.29\ITSupport
# net use with authentication
net use n: \\192.168.45.29\ITSupport /user:testuser Password123
Windows CMD – DIR
Displays a list of a directory’s files and subdirectories.
dir \\192.168.45.29\ITSupport\
C:\>dir \\192.168.1.7\test
Volume in drive \\192.168.1.7\test is VM-Share
Volume Serial Number is 3CFE-16F2
Directory of \\192.168.1.7\test
26/04/2023 16:33 <DIR> .
26/04/2023 16:33 0 test.txt
26/04/2023 16:33 <DIR> Test01
1 File(s) 0 bytes
2 Dir(s) 141.460.361.216 bytes free
C:\>
Enumerate file shares with dir
# find the number of files the shared folder and its subdirectories contain
dir n: /a-d /s /b | find /c ":\"
Syntax | Description |
---|---|
dir | Application |
n: | Directory or drive to search |
/a-d | /a is the attribute and -d means not directories |
/s | Displays files in a specified directory and all subdirectories |
/b | Uses bare format (no heading information or summary) |
C:\Users\kanna_d1f43gr>dir /?
Displays a list of files and subdirectories in a directory.
DIR [drive:][path][filename] [/A[[:]attributes]] [/B] [/C] [/D] [/L] [/N]
[/O[[:]sortorder]] [/P] [/Q] [/R] [/S] [/T[[:]timefield]] [/W] [/X] [/4]
[drive:][path][filename]
Specifies drive, directory, and/or files to list.
/A Displays files with specified attributes.
attributes D Directories R Read-only files
H Hidden files A Files ready for archiving
S System files I Not content indexed files
L Reparse Points O Offline files
- Prefix meaning not
/B Uses bare format (no heading information or summary).
/C Display the thousand separator in file sizes. This is the
default. Use /-C to disable display of separator.
/D Same as wide but files are list sorted by column.
/L Uses lowercase.
/N New long list format where filenames are on the far right.
/O List by files in sorted order.
sortorder N By name (alphabetic) S By size (smallest first)
E By extension (alphabetic) D By date/time (oldest first)
G Group directories first - Prefix to reverse order
/P Pauses after each screenful of information.
/Q Display the owner of the file.
/R Display alternate data streams of the file.
/S Displays files in specified directory and all subdirectories.
/T Controls which time field displayed or used for sorting
timefield C Creation
A Last Access
W Last Written
/W Uses wide list format.
/X This displays the short names generated for non-8dot3 file
names. The format is that of /N with the short name inserted
before the long name. If no short name is present, blanks are
displayed in its place.
/4 Displays four-digit years
Switches may be preset in the DIRCMD environment variable. Override
preset switches by prefixing any switch with - (hyphen)--for example, /-W.
With dir we can search for files whose names contain specific strings, such as:
- cred
- password
- users
- secrets
- key
- Common File Extensions for source code such as: .cs, .c, .go, .java, .php, .asp, .aspx, .html.
# searching for files using dir
C:\>dir n:\*test* /s /b
n:\test.txt
n:\Test01
n:\Test01\test01.txt
n:\Test01\Test02
# files with specific names
C:\>dir n:\*secret* /s /b
n:\Test01\Test02\secret.txt
Windows CMD – Findstr
To search for a specific word within a text file, we can use findstr.
# search for the files that contain the word 'cred'
C:\>findstr /s /i cred n:\*.*
n:\Test01\credentials.txt:file with all credentials
n:\Test01\Test02\secret.txt:domain admin credentials for domain controller
Windows PowerShell
# Get-ChildItem
PS C:\> Get-ChildItem \\192.168.1.7\test\
Directory: \\192.168.1.7\test
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/26/2023 5:03 PM Test01
-a---- 4/26/2023 5:03 PM 0 password.txt
-a---- 4/26/2023 4:33 PM 0 test.txt
Instead of net use, we can use New-PSDrive in PowerShell.
# New-PSDrive
PS C:\> New-PSDrive -Name "N" -Root "\\192.168.1.7\test" -PSProvider "FileSystem"
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
N FileSystem \\192.168.1.7\test
Windows PowerShell – PSCredential Object
To provide a username and password with PowerShell, we need to create a PSCredential object. It offers a centralized way to manage usernames, passwords, and credentials.
# PSCredential
PS C:\> $username = 'testuser'
PS C:\> $password = 'Password123'
PS C:\> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\> New-PSDrive -Name "N" -Root "\\192.168.1.7\test" -PSProvider "FileSystem" -Credential $cred
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
N FileSystem \\192.168.1.7\test
Windows PowerShell – GCI
In PowerShell, we can use the command Get-ChildItem or the short variant gci instead of the command dir.
# GCI
PS C:\> N:
PS N:\> (Get-ChildItem -File -Recurse | Measure-Object).Count
5
PS N:\>
We can use the parameter -Include to find specific items from the directory specified by the Path parameter.
# Include
PS N:\> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Directory: \\192.168.1.7\test\Test01
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/26/2023 5:14 PM 25 credentials.txt
The Select-String cmdlet uses regular expression matching to search for text patterns in input strings and files. We can use Select-String similar to grep in UNIX or findstr.exe in Windows.
# Select-String
PS N:\> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
\\192.168.1.7\test\Test01\credentials.txt:1:file with all credentials
\\192.168.1.7\test\Test01\Test02\secret.txt:1:domain admin credentials for domain controller
Linux
Note: We need to install cifs-utils to connect to an SMB share folder. To install it we can execute from the command line sudo apt install cifs-utils.
# mount cifs
sudo mkdir /mnt/test
sudo mount -t cifs -o username=testuser,password=Password123,domain=. //192.168.1.7/test /mnt/test
Using a credentials file:
# using credentials file
mount -t cifs //192.168.1.7/test /mnt/test -o credentials=/path/credentialfile
# Structure of the credential files
username=testuser
password=Password123
domain=.
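The credentials file keeps the password in clear text, and the password= mount option shown earlier puts it in the process list and shell history. The following is an added example, not from the original page, that creates the file owner-only and validates it before it is handed to mount; `write_credfile` and `check_credfile` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Intended use: check_credfile /path/credentialfile && \
#   sudo mount -t cifs //192.168.1.7/test /mnt/test -o credentials=/path/credentialfile

# write_credfile FILE USER DOMAIN
# Reads the password from stdin (so it never appears in argv or shell history)
# and writes the three-line file shown above, readable by the owner only.
write_credfile() {
    (
        umask 077                 # a new file is created with mode 0600
        rm -f -- "$1"             # an existing file would keep its old mode
        IFS= read -r pw || exit 1
        printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$pw" "$3" > "$1"
    )
}

# check_credfile FILE
# Returns 0 = usable, 1 = wrong file type or permissions, 2 = malformed content.
check_credfile() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "check_credfile: $f must be a regular file, not a symlink" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "check_credfile: $f is accessible to group/other; chmod 600 it" >&2
        return 1
    fi
    # Only the three keys from the page are accepted, one key=value per line.
    if grep -Evq '^(username|password|domain)=' "$f"; then
        echo "check_credfile: $f has a line that is not username=, password= or domain=" >&2
        return 2
    fi
    grep -q '^username=' "$f" && grep -q '^password=' "$f" || {
        echo "check_credfile: $f lacks username= or password=" >&2
        return 2
    }
}
```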
Linux – Find
# find files whose name contains 'cred'
find /mnt/test/ -name '*cred*'
/mnt/test/test01/credentials.txt
Next, let’s find files that contain the string cred:
# find files that contain the string 'cred'
grep -rn /mnt/test/ -ie cred
/mnt/test/Test01/credentials.txt:1:file with all credentials
/mnt/test/Test01/Test02/secret.txt:1:domain admin credentials for domain controller
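The name and content searches above can be combined into a single pass for auditing a share you administer. This is an added example, not from the original page: `audit_share` and `tag` are hypothetical helper names, the keyword and extension lists are the ones given earlier on the page, and GNU find/grep are assumed.

```shell
#!/bin/sh
# Added example, not from the original page: audit a share you have mounted
# (e.g. /mnt/test) for the names and strings the page searches for.
KW_RE='cred|password|users|secrets|key'        # keywords listed on the page
EXT_RE='\.(cs|c|go|java|php|asp|aspx|html)$'   # source extensions listed on the page

# tag LABEL: prefix every line read from stdin with "LABEL<TAB>"
tag() { while IFS= read -r line; do printf '%s\t%s\n' "$1" "$line"; done; }

# audit_share ROOT (hypothetical helper name)
# Prints one finding per line:
#   NAME     path       file name contains a keyword
#   SOURCE   path       file has a source-code extension
#   CONTENT  path:line  text file contains a keyword; the matching text is
#                       left out so the report is not a second copy of the secret
# Returns 0 when clean, 1 when there are findings, 2 on a bad argument.
audit_share() {
    root=$1
    [ -d "$root" ] || { echo "audit_share: not a directory: $root" >&2; return 2; }
    report=$(
        # One path per line: file names containing newlines are not supported.
        # "[^/]*$" anchors the keyword match to the file name, not its directory.
        find "$root" -type f 2>/dev/null | grep -Ei "($KW_RE)[^/]*\$" | tag NAME
        find "$root" -type f 2>/dev/null | grep -Ei "$EXT_RE" | tag SOURCE
        # -r recurse, -I skip binary files, -n line numbers; cut keeps only
        # "path:line" (assumes paths contain no ':').
        grep -rIinE -e "$KW_RE" "$root" 2>/dev/null | cut -d: -f1,2 | tag CONTENT
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Run against a mount point when one is given on the command line.
if [ $# -gt 0 ]; then audit_share "$1"; fi
```

The non-zero exit status on findings lets the script run from cron or a pipeline and alert only when something needs to be removed from the share or rotated.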
Connect to databases
to be updated…