Last time I described a small script you can use (or create) during your pentests. Below you will find a little continuation of the paths started last time. So...
TL;DR - 'current version'
We will start from the very first path - ssh (exploit) enumeration:
Sometimes during the scan you will find a host with a 'not updated OpenSSH server' (by 'not updated' I mean the OpenSSH versions mentioned here). We can use the script for a quick enum-check (assuming we already have some user list):
As you can see (using readlog - type 2 when your scan is ready) there are a few ports open.
Checking paths looks like this:
Checking 'path 01':
Preparing users.txt list:
Quick results:
Let's try another VM:
Reading log file:
Checking path(s) available for this scan/log:
Checking path02:
Yep, just a quick 'version grabber' (but as I mentioned before - use enlil more like a 'skeleton pack' rather than a Metasploit ;)). Anyhow... ;]
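What a 'version grabber' for path02 boils down to is reading the SSH identification string (RFC 4253, section 4.2) and comparing the OpenSSH version against a baseline. The block below is an added example written for this post, not enlil's own code: the sample banners and the baseline version are constructed, and the `grab_banner` helper is a hypothetical helper for a live host that the offline part does not call.

```python
import re
import socket
from typing import Optional, Tuple

# Constructed sample identification strings in the RFC 4253 format.
# These are not banners captured from the VMs in the post.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-2.0-dropbear_2019.78",
    "HTTP/1.1 400 Bad Request",
]

# Hypothetical baseline: anything older than this gets flagged for review.
BASELINE: Tuple[int, int] = (8, 0)

# "SSH-<protoversion>-<softwareversion>[ <comments>]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# OpenSSH software field, e.g. "OpenSSH_7.4p1" -> major 7, minor 4
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")


def parse_banner(line: str) -> Optional[dict]:
    """Split an identification string into proto, software and comment, or None."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comment": m.group("comment") or "",
    }


def openssh_version(software: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for an OpenSSH software field, None for other servers."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")))


def assess(line: str, baseline: Tuple[int, int] = BASELINE) -> str:
    """Classify one banner line relative to the baseline version."""
    info = parse_banner(line)
    if info is None:
        return "not-ssh"
    ver = openssh_version(info["software"])
    if ver is None:
        return "not-openssh"
    return "below-baseline" if ver < baseline else "at-or-above-baseline"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Hypothetical live helper: read the server identification line from a host.

    RFC 4253 allows the server to send other lines before the 'SSH-' line,
    so we scan everything received for the first line starting with 'SSH-'.
    """
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(data) < 4096:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
            for raw in data.split(b"\n"):
                if raw.startswith(b"SSH-"):
                    return raw.decode("utf-8", "replace").rstrip("\r")
    return data.decode("utf-8", "replace").strip()


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:45} -> {assess(banner)}")
```

Running the block offline prints one verdict per constructed banner; on a real host you would feed `grab_banner(host)` into `assess`. The version comparison is deliberately coarse (major.minor only), which is all a first-pass inventory needs before you look up the exact release.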
(After I restarted ElasticSearch server installed on Ubuntu 18 VM) I decided to scan the box again:
This time we found a few more open ports. Let's find out what's available with Enlil this time:
Ok, checking:
During other scans (of your own VMs ;)) you'll see that path03b can also show up:
Path04 (few tests for Oracle TNS Listener available in open ports) was described here.
Path05 - test cases related to Splunk(d; a few of them were mentioned in this small CTF writeup). Now rewritten a little bit, so below you will find some checks for port 8089/tcp found open:
Path06 - InfluxDB - is a simple check that works like this: if there is open (read: unauthenticated) access to your InfluxDB, this path will grab some basic info:
Yes. Advanced. ;]
Next: path07 prepared for MongoDB cases (btw: I know you already tried mongoaudit also mentioned here, right? ;))
(To 'make it possible' (with Bitnami) you will need to reconfigure your VM as you can see on the screen above. For 'authorized users' - a few attack scenarios are mentioned here, for example.)
Path08 - for "pmcd" on port 44321/tcp [more]. The tool I used in enlil - pcp - is also described here.
Path11 - is rewritten now, so you can find both (scenario mentioned here): a small bruteforcer for the admin panel and a little sender using the STOMP protocol.
More? Maybe later... ;]
Remember to use it only during legal pentests.
> Questions/comments <
See you next time!
Cheers