Sunday, June 9, 2019

A few more quick tests

Last time I described a small script you can use (or create) during your pentests. Below you will find a little continuation of the paths started last time. So...
TL;DR - 'current version'

We will start with the very first path - SSH (exploit) enumeration:



Sometimes during a scan you will find a host with a 'not updated' OpenSSH server (by 'not updated' I mean the OpenSSH versions mentioned here). We can use the script for a quick enum check (assuming we already have a user list):


As you can see (using readlog - type 2 when your scan is ready), there are a few ports open.
Checking the paths looks like this:


Checking 'path 01':



Preparing users.txt list:


Quick results:


Let's try another VM:


Reading log file:


Checking path(s) available for this scan/log:

Checking path02:




Yep, just a quick 'version grabber' (but as I mentioned before, use enlil more like a 'skeleton pack' than like Metasploit ;)). Anyhow... ;]
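For readers who want to see what such a 'version grabber' for path 01 actually does under the hood, here is an added example (my own code, not enlil's): it reads the SSH identification string (RFC 4253, `SSH-protoversion-softwareversion [comments]`), pulls the OpenSSH version out of it and compares it against a threshold you pass in. The banners in `SAMPLE_BANNERS` are constructed test input, and the `7.8` used in the demo is just an example threshold, not a claim about any particular bug; compare against whatever version your reference for the OpenSSH issue names.

```python
import re
import socket
from typing import Dict, Optional

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<version>\d+(?:\.\d+)*)(?P<patch>p\d+)?")

# Constructed sample banners (not captured from any real host)
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
    "SSH-2.0-OpenSSH_8.0",
    "SSH-2.0-dropbear_2019.78",
    "HTTP/1.1 400 Bad Request",
]


def parse_ssh_banner(banner: str) -> Dict[str, Optional[str]]:
    """Split an SSH identification string into proto / software / comments.
    Adds 'openssh_version' (e.g. '7.6') when the software is OpenSSH.
    Returns {} when the line is not an SSH banner at all."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {}
    info = m.groupdict()
    o = OPENSSH_RE.match(info["software"])
    info["openssh_version"] = o.group("version") if o else None
    return info


def version_tuple(v: str) -> tuple:
    """'7.6' -> (7, 6) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def openssh_older_than(banner: str, threshold: str) -> Optional[bool]:
    """True  -> OpenSSH and version < threshold
    False -> OpenSSH and version >= threshold
    None  -> not OpenSSH (dropbear, non-SSH service, garbage)"""
    v = parse_ssh_banner(banner).get("openssh_version")
    if v is None:
        return None
    return version_tuple(v) < version_tuple(threshold)


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Live network call: return the server identification line.
    RFC 4253 allows servers to send other lines before the 'SSH-' line,
    so skip anything that does not start with it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):
            line = f.readline(255).decode("ascii", errors="replace").rstrip("\r\n")
            if not line:
                break
            if line.startswith("SSH-"):
                return line
    return ""


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r:45} -> older than 7.8? {openssh_older_than(b, '7.8')}")
```

The three-valued result matters in practice: a `None` tells you the port is not OpenSSH (or not SSH at all), which is a different finding from "OpenSSH but patched", and you do not want the two lumped together in a scan log.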

(After I restarted the ElasticSearch server installed on the Ubuntu 18 VM) I decided to scan the box again:


This time we found a few more open ports. Let's find out what's available in Enlil this time:


Ok, checking:



During other scans (of your VMs ;)) you'll see that path03b can also be found:


Path04 (a few tests for the Oracle TNS Listener, if found among the open ports) was described here.

Path05 - test cases related to Splunk(d); a few of them were mentioned in this small CTF writeup. Now rewritten a little, so below you will find some checks for port 8089/tcp found open:


Path06 - InfluxDB - is a simple check that works like this: if there is open (read: unauthenticated) access to your InfluxDB, this path will grab some basic info:

Yes. Advanced. ;]
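To make the 'advanced' part concrete, here is an added example of the same kind of unauthenticated InfluxDB check (my own code, not the enlil path): it hits `/ping` on the 1.x HTTP API for the `X-Influxdb-Version` header, then sends `SHOW DATABASES` to `/query` without credentials and flattens the JSON that comes back. The two JSON bodies in `SAMPLE_OK` and `SAMPLE_DENIED` are constructed, and the default port 8086 is the InfluxDB 1.x default assumed here.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List

# Constructed InfluxDB 1.x responses (shape of /query output, not a real capture)
SAMPLE_OK = ('{"results":[{"statement_id":0,"series":[{"name":"databases",'
             '"columns":["name"],"values":[["_internal"],["telegraf"]]}]}]}')
SAMPLE_DENIED = '{"error":"unable to parse authentication credentials"}'


def parse_influx_query(body: str) -> Dict[str, List]:
    """Flatten a /query JSON response into {series_name: [values]}.
    Single-column rows are unwrapped to scalars. Raises ValueError when the
    server answered with an error (auth required, bad query, ...)."""
    doc = json.loads(body)
    if "error" in doc:
        raise ValueError(doc["error"])
    out: Dict[str, List] = {}
    for result in doc.get("results", []):
        if "error" in result:
            raise ValueError(result["error"])
        for series in result.get("series", []):
            rows = series.get("values", [])
            out[series["name"]] = [r[0] if len(r) == 1 else r for r in rows]
    return out


def influx_query_url(host: str, port: int, q: str) -> str:
    """Build the /query URL; urlencode handles the spaces in the InfluxQL."""
    return f"http://{host}:{port}/query?{urllib.parse.urlencode({'q': q})}"


def check_influx_unauth(host: str, port: int = 8086, timeout: float = 5.0) -> dict:
    """Live check. Returns {'version': ..., 'databases': [...]} on open access,
    {'version': ..., 'error': ...} when the server demands credentials."""
    info: dict = {"version": None}
    try:
        with urllib.request.urlopen(f"http://{host}:{port}/ping", timeout=timeout) as r:
            info["version"] = r.headers.get("X-Influxdb-Version")
    except urllib.error.HTTPError as e:
        info["version"] = e.headers.get("X-Influxdb-Version")
    try:
        with urllib.request.urlopen(influx_query_url(host, port, "SHOW DATABASES"),
                                    timeout=timeout) as r:
            body = r.read().decode("utf-8")
    except urllib.error.HTTPError as e:          # 401 carries a JSON error body
        body = e.read().decode("utf-8", errors="replace")
    try:
        info["databases"] = parse_influx_query(body).get("databases", [])
    except ValueError as err:
        info["error"] = str(err)
    return info


if __name__ == "__main__":
    print(parse_influx_query(SAMPLE_OK))            # {'databases': ['_internal', 'telegraf']}
    try:
        parse_influx_query(SAMPLE_DENIED)
    except ValueError as err:
        print("auth enabled:", err)
```

Note that the 401 case is still a result worth logging: the version header from `/ping` is returned even when `auth-enabled = true`, so the check degrades to a version grab instead of failing outright.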

Next: path07, prepared for MongoDB cases (btw: I know you have already tried mongoaudit, also mentioned here, right? ;))

(To 'make it possible' (with Bitnami) you will need to reconfigure your VM as you can see on the screen above. For 'authorized users', a few attack scenarios can be found, for example, here.)

Path08 - for "pmcd" on port 44321/tcp [more]. The tool I used in enlil, pcp, is also described here.

Path11 - is rewritten now, so you can find both (the scenario mentioned here): a small bruteforcer for the admin panel and a little sender using the STOMP protocol.
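As an added example of the 'little sender' part of path11 (my own code, not what enlil ships): a minimal STOMP 1.2 client that builds and parses frames (command line, `key:value` headers, blank line, body, NUL terminator, with the header escaping the spec requires outside CONNECT/CONNECTED), then performs the CONNECT -> CONNECTED -> SEND -> DISCONNECT exchange against a broker. The sample reply frames are constructed; the default port 61613 is the usual STOMP listener (ActiveMQ uses it by default) and is an assumption, not something the post states.

```python
import socket
from typing import Dict, Optional, Tuple

NUL = b"\x00"
_ESC = {"\\": "\\\\", "\r": "\\r", "\n": "\\n", ":": "\\c"}
_UNESC = {v: k for k, v in _ESC.items()}

# Constructed broker replies, not captured traffic
SAMPLE_CONNECTED = b"CONNECTED\nversion:1.2\nserver:ActiveMQ/5.x\n\n\x00"
SAMPLE_ERROR = b"ERROR\nmessage:User name [guest] or password is invalid.\n\n\x00"


def _escape(value: str, command: str) -> str:
    # STOMP 1.2: escaping applies to every frame except CONNECT/CONNECTED
    if command in ("CONNECT", "CONNECTED"):
        return value
    return "".join(_ESC.get(ch, ch) for ch in value)


def _unescape(value: str, command: str) -> str:
    if command in ("CONNECT", "CONNECTED"):
        return value
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            seq = value[i:i + 2]
            if seq not in _UNESC:           # spec: undefined escape is a fatal error
                raise ValueError(f"undefined escape sequence {seq!r}")
            out.append(_UNESC[seq])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_frame(command: str, headers: Dict[str, str], body: bytes = b"") -> bytes:
    """Serialise one STOMP frame; content-length is added for non-empty bodies."""
    headers = dict(headers)
    if body and "content-length" not in headers:
        headers["content-length"] = str(len(body))
    lines = [command] + [f"{k}:{_escape(v, command)}" for k, v in headers.items()]
    return ("\n".join(lines) + "\n\n").encode("utf-8") + body + NUL


def parse_frame(data: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Parse one frame into (command, headers, body). First header wins on repeats."""
    head, sep, rest = data.partition(b"\n\n")
    if not sep:
        raise ValueError("incomplete frame: no header terminator")
    lines = head.decode("utf-8").split("\n")
    command, headers = lines[0], {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers.setdefault(k, _unescape(v, command))
    if "content-length" in headers:
        n = int(headers["content-length"])
        body = rest[:n]
        if rest[n:n + 1] != NUL:
            raise ValueError("missing NUL after body")
    else:
        body, sep, _ = rest.partition(NUL)
        if not sep:
            raise ValueError("missing NUL terminator")
    return command, headers, body


def _read_frame(sock: socket.socket) -> bytes:
    buf = b""
    while NUL not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before frame terminator")
        buf += chunk
    return buf


def stomp_send(host: str, destination: str, body: bytes, port: int = 61613,
               login: Optional[str] = None, passcode: Optional[str] = None,
               timeout: float = 5.0) -> Dict[str, str]:
    """Live exchange: CONNECT, expect CONNECTED, SEND one message, DISCONNECT.
    Returns the CONNECTED headers (version/server) for your notes."""
    hdr = {"accept-version": "1.2", "host": host}
    if login is not None:                     # anonymous CONNECT when no creds given
        hdr["login"], hdr["passcode"] = login, passcode or ""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_frame("CONNECT", hdr))
        cmd, headers, rbody = parse_frame(_read_frame(s))
        if cmd != "CONNECTED":
            raise RuntimeError(f"broker refused: {headers.get('message', rbody.decode(errors='replace'))}")
        s.sendall(build_frame("SEND", {"destination": destination,
                                       "content-type": "text/plain"}, body))
        s.sendall(build_frame("DISCONNECT", {"receipt": "bye"}))
        return headers
```

Two details the parser gets right that quick one-liners usually miss: `content-length` decides where the body ends (so a NUL inside the payload does not truncate it), and the broker's ERROR reply carries its reason in the `message` header, which is exactly what you want to log when the same client is driven by a credential list.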


More? Maybe later... ;]

Remember to use it only during legal pentests.

> Questions/comments <

See you next time!

Cheers

