nmap -T4 -sS -p 53 $IP/24
# Enumerate ALL DNS records! Maybe hidden hosts in network recon
dig -t all target1 target2 target3 @$DNSSERVER
# DNS recon (brute force subdomains):
dnsrecon -d $IP -t brt -D /usr/share/wordlists/dnsmap.txt
dnsenum $DOMAIN
fierce -dns $DOMAIN -wordlist dictionary.txt
# DNS subdomains enum with ffuf
./ffuf -u http://$ip -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.test.lo"
Amplification
A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publically accessible open DNS servers to overwhelm a victim system with DNS response traffic.
# metasploit
use auxiliary/scanner/smtp/smtp_version
Open Relays
Tests if an SMTP server will accept (via a code 250) an e-mail by using a variation of testing methods
# metasploit
use auxiliary/scanner/smtp/smtp_relay
User Enumeration Utility
Allows the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual address of users aliases and lists of e-mail (mailing lists)). Through the implementation of these SMTP commands can reveal a list of valid users. User files contains only Unix usernames so it skips the Microsoft based Email SMTP Server. This can be changed using UNIXONLY option and custom user list can also be provided.
use auxiliary/scanner/smtp/smtp_enum
69 - TFTP
nmap --open -sU -p 69 $IP/24
88 - KERBEROS
Users enumeration
The script should work against Active Directory. It needs a valid Kerberos REALM in order to operate.
auxiliary/admin/mssql/mssql_enum normal Microsoft SQL Server Configuration Enumerator
auxiliary/admin/mssql/mssql_enum_domain_accounts normal Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli normal Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
auxiliary/admin/mssql/mssql_enum_sql_logins normal Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
auxiliary/admin/mssql/mssql_escalate_dbowner normal Microsoft SQL Server Escalate Db_Owner
auxiliary/admin/mssql/mssql_escalate_dbowner_sqli normal Microsoft SQL Server SQLi Escalate Db_Owner
auxiliary/admin/mssql/mssql_escalate_execute_as normal Microsoft SQL Server Escalate EXECUTE AS
auxiliary/admin/mssql/mssql_escalate_execute_as_sqli normal Microsoft SQL Server SQLi Escalate Execute AS
auxiliary/admin/mssql/mssql_exec normal Microsoft SQL Server xp_cmdshell Command Execution
auxiliary/admin/mssql/mssql_findandsampledata normal Microsoft SQL Server Find and Sample Data
auxiliary/admin/mssql/mssql_idf normal Microsoft SQL Server Interesting Data Finder
auxiliary/admin/mssql/mssql_ntlm_stealer normal Microsoft SQL Server NTLM Stealer
auxiliary/admin/mssql/mssql_ntlm_stealer_sqli normal Microsoft SQL Server SQLi NTLM Stealer
auxiliary/admin/mssql/mssql_sql normal Microsoft SQL Server Generic Query
auxiliary/admin/mssql/mssql_sql_file normal Microsoft SQL Server Generic Query from File
auxiliary/analyze/jtr_mssql_fast normal John the Ripper MS SQL Password Cracker (Fast Mode)
auxiliary/gather/lansweeper_collector normal Lansweeper Credential Collector
auxiliary/scanner/mssql/mssql_hashdump normal MSSQL Password Hashdump
auxiliary/scanner/mssql/mssql_login normal MSSQL Login Utility
auxiliary/scanner/mssql/mssql_ping normal MSSQL Ping Utility
auxiliary/scanner/mssql/mssql_schemadump
Info gathering
MSSQL Ping Utility
Queries the MSSQL instance for information. This will also provide if any ms-sql is running on different ports.
use auxiliary/scanner/mssql/mssql_ping
services -p 1433 -R
1521 - ORACLE
N.B.
We need 4 things to connect to an Oracle DB.
IP.
Port.
Service Identifier (SID).
Username/ Password.
Detect version
# metasploit
use auxiliary/scanner/oracle/tnslsnr_version
services -p 1521 -u -R
Get SID
Oracle Service Identifier: By querying the TNS Listener directly, brute force for default SIDβs or query other components that may contain it.
# Oracle TNS Listener SID Enumeration: This module simply queries the TNS listner for the Oracle SID. With Oracle 9.2.0.8 and above the listener will be protected and the SID will have to be bruteforced or guessed.
use auxiliary/scanner/oracle/sid_enum
# Oracle TNS Listener SID Bruteforce: This module queries the TNS listner for a valid Oracle database instance name (also known as a SID). Any response other than a βrejectβ will be considered a success. If a specific SID is provided, that SID will be attempted. Otherwise, SIDs read from the named file will be attempted in sequence instead.
use auxiliary/scanner/oracle/sid_brute
Bruteforce
use auxiliary/scanner/oracle/oracle_login
5432 - POSTGRESQL
Detect version
# metasploit
use auxiliary/scanner/postgres/postgres_version
Login utility
# metasploit
use auxiliary/scanner/postgres/postgres_login
Flag injection
# metasploit
# Identify PostgreSQL 9.0, 9.1, and 9.2 servers that are vulnerable to command-line flag injection through CVE-2013-1899. This can lead to denial of service, privilege escalation, or even arbitrary code execution
use auxiliary/scanner/postgres/postgres_dbname_flag_injection