Footprinting

Footprinting is the first step in hacking or pentesting. It means gathering basic information about a target (like domains, IP addresses, and public records) to understand its structure and find possible weak points. This process helps ethical hackers plan tests and helps defenders learn what information is exposed.

Figure: Footprinting Enumeration Methodology

External Recon

After obtaining the domain, we can perform passive reconnaissance to gather public information about it (e.g., kakarot.info).

1- First, let’s examine the SSL certificate for the domain.

  • We can use crt.sh.
  • We can also output the results in JSON format:

root@kakarot$ curl -s https://crt.sh/\?q\=kakarot.info\&output\=json | jq .

  • We can filter them down to the unique subdomains:

root@kakarot$ curl -s https://crt.sh/\?q\=kakarot.info\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u > subdomainlist.lst

2- Next, we can identify the hosts directly accessible from the Internet.

root@kakarot$ for i in $(cat subdomainlist.lst);do host $i | grep "has address" | grep kakarot.info | cut -d" " -f1,4;done

kakarot.info 35.157.26.135
blog.kakarot.info 63.176.8.218
dev.kakarot.info 63.176.8.218
s3-website-us-west-2.amazonaws.com 35.157.26.135 # explained in step five (Cloud Resources)

3- Next, let’s generate a list of IP addresses and run them through Shodan.

root@kakarot$ for i in $(cat subdomainlist.lst);do host $i | grep "has address" | grep kakarot.info | cut -d" " -f4 >> ip-addresses.txt;done # build the IP list
root@kakarot$ for i in $(cat ip-addresses.txt);do shodan host $i;done # query Shodan for each IP

4- We can display all the available DNS records where we might find more hosts.

root@kakarot$ dig any kakarot.info

You can find sensitive information in some DNS records, such as TXT records!

5- Cloud Resources.

When we identified the hosts accessible from the Internet, we have already seen that one IP address belongs to the s3-website-us-west-2.amazonaws.com server.

We can use the Google Dorks inurl: and intext: to narrow our search to specific terms. For example:

inurl:amazonaws.com intext:kakarot # for S3
inurl:blob.core.windows.net intext:kakarot # for Azure Blobs

Sometimes the site loads images, JavaScript, or CSS directly from the cloud. Once we open the HTML code of a website, we see links like:

<SNIP>
<link rel="preconnect" href="https://kakarot.blob.core.windows.net">
<SNIP>

domain.glass can be used to discover third-party providers associated with a domain name and to gather additional information about those providers. If a provider uses cloud hosting (e.g., Azure Blob or AWS S3), it is advisable to then search databases such as GrayHatWarfare for publicly exposed files that may have been uploaded accidentally.

6- Staff.

We can gather valuable information about employees through LinkedIn or Xing, as well as insights about companies through job posts.

FTP

FTP (File Transfer Protocol) is a standard internet protocol for transferring files between computers over a network, such as the internet.

How does FTP work in detail?

How does the three-way handshake work?

Active mode:

                         NETWORK
┌────────────────────────────┬────────────────────────────┐
│          Client            │         FTP Server         │
│  IP = 192.168.1.10         │  IP = 203.0.113.5          │
│  control src port = 40000  │  control port = 21         │
│  data listen port = 12346  │  (conventional) data src = │
│                            │  port 20 (server-side)     │
└────────────────────────────┴────────────────────────────┘

  (A)  Establish Control Channel (TCP three-way handshake)
  Client:40000  -> Server:21       :  SYN
  Server:21     -> Client:40000    :  SYN,ACK
  Client:40000  -> Server:21       :  ACK
  ==> Control channel established (Client:40000 <--> Server:21)

  (B)  FTP control conversation (over control channel)
  Client -> Server (control):
    USER kakarot
  Server -> Client (control):
    331 Password required for kakarot
  Client -> Server (control):
    PASS K4k4r07
  Server -> Client (control):
    230 User logged in, proceed

  (C)  Prepare for Active data transfer
  1. Client opens a local listening socket for data:
     - local IP = 192.168.1.10, local data port = 12346
  2. Client informs server which IP:port to connect to using the PORT command:
     Syntax:  PORT h1,h2,h3,h4,p1,p2
     (where port = p1*256 + p2)
     Example:
       port 12346  =>  p1 = 48, p2 = 58   (because 48*256 + 58 = 12346)
       Client sends (over control channel):
         PORT 192,168,1,10,48,58
  3. Server replies (control):
       200 PORT command successful

  (D)  Client requests file (control)
     Client -> Server (control):
       RETR report.pdf
     Server -> Client (control):
       150 Opening data connection for report.pdf

  (E)  Server initiates Data Channel (Active mode)
     Server:20 -> Client:12346    :  SYN   (server initiates)
     Client:12346 -> Server:20   :  SYN,ACK
     Server:20 -> Client:12346   :  ACK
     ==> Data channel established (Server:20 -> Client:12346)

     Server sends file bytes over data channel (binary stream).
     When complete:
       Server (control) -> Client (control): 226 Transfer complete
     Server closes data connection (TCP FIN/ACK sequence).

  (F)  Session termination (control)
     Client -> Server (control): QUIT
     Server -> Client (control): 221 Goodbye
     Close control TCP connection.

First, the client establishes a control channel to the server on TCP port 21, which is used to send login credentials and commands and to receive status codes.
Next, a separate data channel is created for transferring files between the client and the server. In Active mode, the server connects back to the client from TCP port 20. In Passive mode, the server provides a random port number and the client connects to that port instead.

In Active FTP, the direction of creating a Data Channel is from Server to Client.

Passive mode:

                         NETWORK
┌────────────────────────────┬────────────────────────────┐
│          Client            │         FTP Server         │
│  IP = 192.168.1.10         │  IP = 203.0.113.5          │
│  control src port = 40000  │  control port = 21         │
│  data src port = 40001     │  passive data port = 49152 │
└────────────────────────────┴────────────────────────────┘

  (A)  Establish Control Channel (TCP three-way handshake)
  Client:40000  -> Server:21       :  SYN
  Server:21     -> Client:40000    :  SYN,ACK
  Client:40000  -> Server:21       :  ACK
  ==> Control channel established (Client:40000 <--> Server:21)

  (B)  FTP control conversation (over control channel)
  Client -> Server (control):
    USER alice
  Server -> Client (control):
    331 Password required for alice
  Client -> Server (control):
    PASS mySecretPassword
  Server -> Client (control):
    230 User logged in, proceed

  (C)  Prepare for Passive data transfer
  1. Client requests passive mode:
       Client -> Server (control):
         PASV
  2. Server opens a random ephemeral port for data (example: 49152).
     Server replies with:
         227 Entering Passive Mode (203,0,113,5,192,0)
     (calculated: 192*256 + 0 = 49152)
  3. Client learns server's IP + passive port from the reply.

  (D)  Client requests file (control)
     Client -> Server (control):
       RETR report.pdf
     Server -> Client (control):
       150 Opening data connection for report.pdf

  (E)  Client initiates Data Channel (Passive mode)
     Client:40001 -> Server:49152    :  SYN
     Server:49152 -> Client:40001    :  SYN,ACK
     Client:40001 -> Server:49152    :  ACK
     ==> Data channel established (Client:40001 -> Server:49152)

     Server sends file bytes over this data channel (binary stream).
     When complete:
       Server (control) -> Client (control): 226 Transfer complete
     Client and Server close the data connection (TCP FIN/ACK sequence).

  (F)  Session termination (control)
     Client -> Server (control): QUIT
     Server -> Client (control): 221 Goodbye
     Close control TCP connection.

In Passive FTP, the direction of creating the Data Channel is from Client to Server.
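To make the p1*256 + p2 arithmetic and the question of who has to open a listening socket concrete for both diagrams above, here is an added Python example (not code from the original post). The function names and the control-peer check are my own; the addresses and ports are the ones used in the two diagrams.

```python
"""Encode and decode the host,port tuple carried by FTP's PORT command and
227 (PASV) reply, and report which side must open a listener.
Added example, not from the original post. The h1..h4,p1,p2 format is
from RFC 959; the sample lines reuse the addresses in the diagrams."""
from __future__ import annotations
import re

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip: str, port: int) -> str:
    """Build 'h1,h2,h3,h4,p1,p2' for a PORT command; port = p1*256 + p2."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    p1, p2 = divmod(port, 256)          # 12346 -> (48, 58), as in the diagram
    return ",".join(octets + [str(p1), str(p2)])


def decode_hostport(line: str) -> tuple[str, int]:
    """Pull (ip, port) out of 'PORT ...' or '227 Entering Passive Mode (...)'."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError(f"no host,port tuple in {line!r}")
    f = [int(x) for x in m.groups()]
    if max(f) > 255:
        raise ValueError(f"field above 255 in {line!r}")
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def data_channel_plan(control_line: str, control_peer_ip: str | None = None) -> dict:
    """Describe the data channel that one control-channel line sets up.

    control_peer_ip is the address the control connection really comes from.
    If it differs from the advertised one (NAT, misconfiguration), the plan
    carries a warning: that is the case where a client or a stateful
    firewall ends up opening a connection to an unintended host."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        ip, port = decode_hostport(line)
        plan = {"mode": "active", "listener": "client", "connect_to": (ip, port),
                "initiator": "server (from port 20)"}
    elif line.startswith("227"):
        ip, port = decode_hostport(line)
        plan = {"mode": "passive", "listener": "server", "connect_to": (ip, port),
                "initiator": "client (ephemeral port)"}
    else:
        raise ValueError(f"not a PORT command or 227 reply: {line!r}")
    plan["warning"] = None
    if control_peer_ip is not None and control_peer_ip != ip:
        plan["warning"] = f"advertised {ip} differs from control peer {control_peer_ip}"
    return plan
```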

Install & Configure FTP Server

A commonly used FTP server on Linux distributions is vsFTPd, whose default configuration file is located at:

/etc/vsftpd.conf

You can install vsFTPd server with:

root@kakarot$ sudo apt install vsftpd

vsFTPd Config File

We can configure the FTP server through the vsftpd.conf file.

root@kakarot$ cat /etc/vsftpd.conf | grep -v '#'
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

FTPUSERS file

The text file ftpusers contains a list of users that may not log in using the File Transfer Protocol (FTP) server daemon. This file is used not merely for system administration purposes but also for improving security within a TCP/IP networked environment.

root@kakarot$ cat /etc/ftpusers
# /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
nobody

Optional & Dangerous Settings

With vsFTPd, the optional settings that can be added to the configuration file for anonymous login look like this:

| Setting | Description |
|---|---|
| anonymous_enable=YES | Allows anyone to log in without a system account (security risk if combined with write permissions). |
| anon_upload_enable=YES | Permit anonymous users to upload files (very risky — enables writable anonymous directories). |
| anon_mkdir_write_enable=YES | Allow anonymous users to create directories (increases abuse risk). |
| no_anon_password=YES | Don’t prompt anonymous users for a password (typical when allowing fully anonymous access). |
| anon_root=/path/to/dir | Chroot or restrict anonymous users to this directory (use to limit exposure). |
| write_enable=YES | Globally allow FTP write commands (STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, etc.). Use carefully — enables uploads/deletions. |
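As an added example (not from the original post or the vsftpd project), here is a small audit of a vsftpd.conf against the combinations in the table above. The sample configuration is constructed, and the compiled-in defaults it assumes for absent keys are taken from vsftpd.conf(5).

```python
"""Audit a vsftpd.conf for the risky anonymous/write combinations from the
table above. Added example, not from the original post or the vsftpd
project; SAMPLE_CONF is constructed. Defaults for absent keys follow
vsftpd.conf(5)."""
from __future__ import annotations

SAMPLE_CONF = """\
# constructed sample, not a real server's file
listen=NO
listen_ipv6=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
no_anon_password=YES
write_enable=YES
local_enable=YES
ssl_enable=NO
"""

# vsftpd.conf(5) defaults for the keys we reason about. The compiled-in
# default for anonymous_enable is YES; distribution packages (e.g. Debian)
# only turn it off in the /etc/vsftpd.conf they ship.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "no_anon_password": "NO",
    "write_enable": "NO",
    "local_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
}


def parse_vsftpd(text: str) -> dict[str, str]:
    """One key=value per line; blank lines and '#' comments are ignored."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def enabled(conf: dict[str, str], key: str) -> bool:
    """Boolean keys take YES/NO (case-insensitive); absent keys use DEFAULTS."""
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() in ("YES", "TRUE", "1")


def audit_vsftpd(conf: dict[str, str]) -> list[tuple[str, str]]:
    """Return (severity, message) findings, worst first."""
    findings = []
    anon = enabled(conf, "anonymous_enable")
    write = enabled(conf, "write_enable")
    # anon_upload_enable / anon_mkdir_write_enable only take effect together
    # with write_enable=YES, so only that combination is reported as HIGH
    if anon and write and enabled(conf, "anon_upload_enable"):
        findings.append(("HIGH", "anonymous users can upload files "
                                 "(anonymous_enable + write_enable + anon_upload_enable)"))
    if anon and write and enabled(conf, "anon_mkdir_write_enable"):
        findings.append(("HIGH", "anonymous users can create directories"))
    if anon:
        findings.append(("MEDIUM", "anonymous login enabled: everything under the "
                                   "anon root is readable without an account"))
        if enabled(conf, "no_anon_password"):
            findings.append(("LOW", "no_anon_password=YES: anonymous users log "
                                    "straight in without a password prompt"))
    if enabled(conf, "local_enable") and not enabled(conf, "chroot_local_user"):
        findings.append(("MEDIUM", "local users are not chrooted and can browse "
                                   "everything their account can read"))
    if not enabled(conf, "ssl_enable"):
        findings.append(("MEDIUM", "ssl_enable=NO: credentials and data cross the "
                                   "network in cleartext"))
    if write and not anon:
        findings.append(("INFO", "write_enable=YES: authenticated users may STOR/DELE/RNTO"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    return sorted(findings, key=lambda f: order[f[0]])
```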

FTP Login & Commands

root@kakarot$ ftp <target-ip> # anonymous login

<SNIP>

ftp> status #Displays the current status of FTP connections

<SNIP>

ftp> debug #Toggles debugging (default = OFF)

<SNIP>

ftp> trace #Toggles packet tracing (default = OFF)

<SNIP>

ftp> ls #Displays an abbreviated list of a remote directory’s files and subdirectories

<SNIP>

ftp> ls -R #Recursive Listing

<SNIP>

ftp> get Desktop\ <filename> #Download a File

<SNIP>

ftp> quit #Ends the FTP session with the remote computer and exits ftp (same as “bye”)
221 Goodbye.

ftp> put file.txt #Upload file in the current folder to the FTP server

Other vsftpd settings you will come across:

| Setting | Description |
|---|---|
| dirmessage_enable=YES | Show a short message (e.g., .message) to the user when they enter a directory. Useful for instructions or notices. |
| chown_uploads=YES | After an anonymous upload, change the uploaded file’s owner to the user specified by chown_username. |
| chown_username=username | The system account that becomes the owner of files uploaded by anonymous users (must be an actual system user). |
| local_enable=YES | Allow local (system) user accounts to authenticate and use FTP. |
| chroot_local_user=YES | Restrict local users to their home directory (jail them in ~/), preventing access outside their home. |
| chroot_list_enable=YES | Enable a chroot list file — controls which local users are placed in (or excluded from) the chroot jail (depending on distro/config). |
| hide_ids=YES | Replace real UID/GID info in directory listings with a generic label (e.g., ftp) to hide owner/group details from clients. |
| ls_recurse_enable=YES | Allow recursive directory listings (e.g., ls -R) so clients can list subdirectories in one command. |

Download All Available Files

We can download all accessible files and folders at once, which is handy for large directory structures. However, bulk downloads like this are unusual and may trigger security alerts, since companies rarely need to grab all content in one go.

root@kakarot$ wget -m --no-passive ftp://anonymous:anonymous@<target-ip>

Wget will create a directory named after the IP address of our target. All downloaded files are stored there, which we can then inspect locally with:

root@kakarot$ tree .

Footprinting the Service with nmap

Update NSE DB, Locate scripts & Scan target

root@kakarot$ sudo nmap --script-updatedb

All the NSE scripts are located in:

/usr/share/nmap/scripts/

Or we can use find to locate them:

root@kakarot$ find / -type f -name 'ftp*' 2>/dev/null | grep scripts

Now, let’s scan our target using nmap:

root@kakarot$ sudo nmap -sV -p21 -sC -A <target-ip>

Service Interaction & Secure Connection

We can, of course, use other applications such as netcat or telnet to interact with the FTP server.

root@kakarot$ nc -nv <target-ip> 21
root@kakarot$ telnet <target-ip> 21

OpenSSL can be used to add TLS/SSL encryption to an FTP session, allowing secure transmission of credentials and commands. By using commands like:

root@kakarot$ openssl s_client -connect 10.129.14.136:21 -starttls ftp

To better understand what we explained here and what we will explain for the next protocols, I highly recommend installing and configuring the servers yourselves and trying the dangerous settings. Also, don't forget to test everything with Wireshark!
Happy learning ☕

SMB

SMB, or Server Message Block, is a network client-server communication protocol that provides shared access to files, printers, and other network resources, operating as an authenticated mechanism for sharing and resource access. It was first created by IBM, then improved by Microsoft as CIFS, and became standard in Windows. The old version SMBv1 used NetBIOS on ports 137–139, while modern SMBv2/3 work directly on port 445, with better performance and security. On Linux, the open-source project Samba provides SMB support: smbd shares files and printers, while nmbd manages old NetBIOS names and workgroups. In a NetBIOS network, every computer needs a unique name; this can be done locally, or through a central service called NBNS, which later evolved in Windows into WINS (Windows Internet Name Service) for easier name management. Since Samba 3, Linux can join Windows Active Directory, and since Samba 4, it can even act as a Domain Controller. Today, SMB is the bridge that lets Windows and Linux work together, while NetBIOS and WINS are mostly legacy tools used only for older systems.

In IP networks, SMB relies on the TCP protocol, which establishes a connection through a three-way handshake between the client and server. The TCP specification also governs the subsequent data transfer.

Install & Configure SMB Server

Follow these steps to install, set up and configure your Samba server, and don’t forget to take a look at these settings.

Common [global] Settings

  • workgroup = WORKGROUP
  • server string = File Server
  • log file = /var/log/samba/log.%m
  • max log size = 1000
  • logging = file
  • server role = standalone
  • security = user
  • map to guest = bad user
  • usershare allow guests = yes
  • unix password sync = yes
  • encrypt passwords = yes
  • wins support = no
  • dns proxy = yes
  • panic action = /usr/share/samba/panic-action %d

Common [shares] Settings

  • [sharename] = documents
  • path = /srv/samba/docs
  • comment = Shared Documents
  • browseable = yes
  • read only = no
  • writable = yes
  • guest ok = yes
  • valid users = alice bob
  • invalid users = eve
  • write list = alice
  • admin users = admin
  • create mask = 0644
  • directory mask = 0755
  • force user = sambauser
  • force group = sambagroup
  • public = yes

Dangerous Settings

  • browseable = yes
  • read only = no
  • writable = yes
  • guest ok = yes
  • enable privileges = yes
  • create mask = 0777
  • directory mask = 0777
  • logon script = script.sh
  • magic script = script.sh
  • magic output = script.out

Learn more about these settings here!

/etc/samba/smb.conf # config file

SMBclient

smbclient — ftp-like client to access SMB/CIFS resources on servers.

root@kakarot$ smbclient -N -L //<IP>

-N : null session (do not prompt for a password).
-L : list the server’s shares.

root@kakarot$ smbclient //<IP>/<ShareName> # works without credentials if guest ok = yes

Enter WORKGROUP\<username>'s password:
Anonymous login successful
Try "help" to get a list of possible commands.


smb: \> help

?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             
!            


smb: \> ls

  .                                   D        0   Sep 22 10:00:00 2025
  ..                                  D        0  Wed Sep 22 10:00:00 2025
  note.txt                            N      102  Sun Sep 19 10:00:00 2025

smb: \> get note.txt 

The !<cmd> command executes the specified shell command locally; if no command is given, a local shell is started.

The smbstatus command gives us a report on current Samba connections.

Footprinting the Service

Scanning the service using nmap.

root@kakarot$ sudo nmap <target-ip> -sV -sC -p139,445

Starting Nmap 7.92 ( https://nmap.org ) at 2025-00-00 00:00 EDT
Nmap scan report for <target-ip>
Host is up (0.00043s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_nbstat: NetBIOS name: ME, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-00-00T00:00:00
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 28.58 seconds

When we scan with Nmap, sometimes we do not get much information about SMB. In this case, we can use other tools like rpcclient. This tool talks to the server using MS-RPC over SMB. SMB is like the road that carries the data, and RPC is the method that asks the server to run special functions. For example, with RPC we can ask the server to list all the shares using a function called NetShareEnumAll. This helps us to get more details about the system than Nmap gives.

root@kakarot$ rpcclient -U "" <target-ip> # start an anonymous RPC session over SMB
root@kakarot$ rpcclient -U <username>%<password> <target-ip> # connect with credentials

Here are some common RPC queries:

| Query | Description |
|---|---|
| srvinfo | Server query info. |
| enumdomains | Enumerate all domains deployed in the network. |
| querydominfo | Query domain info. |
| netshareenumall | Enumerate all shares. |
| netsharegetinfo [share] | Provides information about a specific share. |
| enumdomusers | Enumerate domain users. |
| queryuser [RID] | Provides information about a specific user. |
| enumdomgroups | Enumerate domain groups. |
| querygroup [RID] | Provides information about a specific group. |
| querygroupmem [RID] | Provides information about group membership. |
| lookupnames [name] | Convert names to SIDs. |
| lookupsids [SID] | Convert SIDs to names. |
root@kakarot$ rpcclient -U "" <target-ip>                
Password for [SAMBA\]:


rpcclient $> srvinfo
        KAKAROT        Wk Sv PrQ Unx NT SNT KAKAROT SMB SERVER
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03


rpcclient $> enumdomains
name:[KAKAROT] idx:[0x0]
name:[Builtin] idx:[0x1]


rpcclient $> querydominfo
Domain:         WORKGROUP
Server:         KAKAROT
Comment:        KAKAROT SMB SERVER
Total Users:    2
Total Groups:   0
Total Aliases:  0
Sequence No:    1758155858
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1


rpcclient $> netshareenumall
netname: HR
        remark: Welcome To HR Files !
        path:   C:\share\HR
        password:
netname: Clients
        remark: Welcome All To Clients Files !
        path:   C:\share\Clients
        password:
netname: IPC$
        remark: IPC Service (KAKAROT SMB SERVER)
        path:   C:\tmp
        password:


rpcclient $> netsharegetinfo Clients
netname: Clients
        remark: Welcome All To Clients Files !
        path:   C:\share\Clients
        password:
        type:   0x0
        perms:  0
        max_uses:       -1
        num_uses:       1


rpcclient $> enumdomusers
user:[peter] rid:[0x3e8]
user:[neo] rid:[0x3e9]


rpcclient $> queryuser 0x3e8
        User Name   :   peter
        Full Name   :
        Home Drive  :   \\KAKAROT\peter
        Dir Drive   :
        Profile Path:   \\KAKAROT\peter\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Wed, 31 Dec 1969 19:00:00 EST
        Logoff Time              :      Wed, 06 Feb 2036 10:06:39 EST
        Kickoff Time             :      Wed, 06 Feb 2036 10:06:39 EST
        Password last set Time   :      Wed, 17 Sep 2025 08:59:26 EDT
        Password can change Time :      Wed, 17 Sep 2025 08:59:26 EDT
        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT
        unknown_2[0..31]...
        user_rid :      0x3e8
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...


rpcclient $> queryuser 0x3e9
        User Name   :   neo
        Full Name   :
        Home Drive  :   \\KAKAROT\neo
        Dir Drive   :
        Profile Path:   \\KAKAROT\neo\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Wed, 31 Dec 1969 19:00:00 EST
        Logoff Time              :      Wed, 06 Feb 2036 10:06:39 EST
        Kickoff Time             :      Wed, 06 Feb 2036 10:06:39 EST
        Password last set Time   :      Wed, 17 Sep 2025 08:59:42 EDT
        Password can change Time :      Wed, 17 Sep 2025 08:59:42 EDT
        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT
        unknown_2[0..31]...
        user_rid :      0x3e9
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...

        
rpcclient $> querygroup 0x201
        Group Name:     None
        Description:    Ordinary Users
        Group Attribute:7
        Num Members:0

Some commands may be blocked for a user, but queryuser <RID> often works. We can try many RIDs with rpcclient to find which ones are assigned. For example, run a simple Bash for loop that calls rpcclient for each RID and saves the replies.

root@kakarot$ for i in $(seq 500 1100);do rpcclient -N -U "" <target-ip> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

        User Name   :   nobody
        user_rid :      0x1f5
        group_rid:      0x201

        User Name   :   peter
        user_rid :      0x3e8
        group_rid:      0x201

        User Name   :   neo
        user_rid :      0x3e9
        group_rid:      0x201
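The loop above greps three fields out of each queryuser reply; as an added example (not from the original post or the Samba project), here is a parser that keeps the whole reply and decodes the acb_info bit field, which says whether an account is disabled, needs no password or never expires. The sample dump is constructed in rpcclient's layout (peter's record mirrors the output above, svc_backup is invented), and the flag values are the USER_ACCOUNT codes from MS-SAMR.

```python
"""Turn rpcclient's queryuser output into records and decode acb_info.
Added example, not from the original post or Samba. SAMPLE_OUTPUT is
constructed in rpcclient's layout; ACB_FLAGS are MS-SAMR USER_ACCOUNT codes."""
from __future__ import annotations
import re

SAMPLE_OUTPUT = """\
        User Name   :   peter
        Full Name   :
        Home Drive  :   \\\\KAKAROT\\peter
        Password last set Time   :      Wed, 17 Sep 2025 08:59:26 EDT
        unknown_2[0..31]...
        user_rid :      0x3e8
        group_rid:      0x201
        acb_info :      0x00000010
        bad_password_count:     0x00000000
        User Name   :   svc_backup
        Full Name   :   backup service (constructed)
        user_rid :      0x3ea
        group_rid:      0x201
        acb_info :      0x00000214
        bad_password_count:     0x00000003
"""

# MS-SAMR USER_ACCOUNT codes carried in acb_info (subset)
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000002: "HOMEDIR_REQUIRED",
    0x00000004: "PASSWORD_NOT_REQUIRED",
    0x00000010: "NORMAL_ACCOUNT",
    0x00000040: "INTERDOMAIN_TRUST",
    0x00000080: "WORKSTATION_TRUST",
    0x00000100: "SERVER_TRUST",
    0x00000200: "DONT_EXPIRE_PASSWORD",
    0x00000400: "AUTO_LOCKED",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PASSWORD_EXPIRED",
}

# 'Key   :   value'; the value may itself contain colons (timestamps)
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_ ]*?)\s*:\s*(.*?)\s*$")


def parse_queryuser(text: str) -> list[dict[str, str]]:
    """One dict per account; a 'User Name' line starts a new record."""
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue                      # e.g. 'unknown_2[0..31]...' has no colon
        key = m.group(1).lower().replace(" ", "_")
        if key == "user_name":
            records.append({})
        if records:
            records[-1][key] = m.group(2)
    return records


def decode_acb(value: str) -> list[str]:
    """Expand a hex acb_info value into flag names, lowest bit first."""
    flags = int(value, 16)
    names = [name for bit, name in sorted(ACB_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(ACB_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def summarize(records: list[dict[str, str]]) -> list[dict]:
    """Per account: name, decimal RIDs, decoded flags and review notes.
    RIDs below 1000 are well-known/built-in (500 Administrator, 501 Guest,
    513 Domain Users ...); the page's 'nobody' at 0x1f5 is RID 501."""
    out = []
    for r in records:
        rid = int(r.get("user_rid", "0"), 16)
        flags = decode_acb(r.get("acb_info", "0"))
        notes = []
        if rid < 1000:
            notes.append("well-known/built-in RID")
        if "PASSWORD_NOT_REQUIRED" in flags:
            notes.append("password not required")
        if "DONT_EXPIRE_PASSWORD" in flags:
            notes.append("password never expires")
        if int(r.get("bad_password_count", "0"), 16) > 0:
            notes.append("recent failed logons")
        out.append({"name": r.get("user_name"), "rid": rid,
                    "group_rid": int(r.get("group_rid", "0"), 16),
                    "flags": flags, "notes": notes})
    return out
```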

Impacket’s samrdump.py script is an alternative to this!

root@kakarot$ python3 samrdump.py <target-ip>

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Retrieving endpoint list from <IP>
Found domain(s):
 . KAKAROT
 . Builtin
[*] Looking up users in domain KAKAROT
Found user: peter, uid = 1000
Found user: neo, uid = 1001
peter (1000)/FullName: 
peter (1000)/AdminComment: 
peter (1000)/UserComment: 
peter (1000)/PrimaryGroupId: 513
peter (1000)/BadPasswordCount: 0
peter (1000)/LogonCount: 0
peter (1000)/PasswordLastSet: 2025-09-17 08:59:26
peter (1000)/PasswordDoesNotExpire: False
peter (1000)/AccountIsDisabled: False
peter (1000)/ScriptPath: 
neo (1001)/FullName: 
neo (1001)/AdminComment: 
neo (1001)/UserComment: 
neo (1001)/PrimaryGroupId: 513
neo (1001)/BadPasswordCount: 0
neo (1001)/LogonCount: 0
neo (1001)/PasswordLastSet: 2025-09-17 08:59:42
neo (1001)/PasswordDoesNotExpire: False
neo (1001)/AccountIsDisabled: False
neo (1001)/ScriptPath: 
[*] Received 2 entries.

Other tools can get the same info we fetched with rpcclient. For example, SMBMap and NetExec (https://www.netexec.wiki/) are popular and useful for enumerating SMB services.

root@kakarot$ smbmap -H <target-ip>

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 0 authenticated session(s)                                                          
                                                                                                                             
[+] IP: <IP>:445       Name: <IP>             Status: NULL Session
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        HR                                                      NO ACCESS       Welcome To HR Files !
        Clients                                                 READ ONLY       Welcome All To Clients Files !
        IPC$                                                    NO ACCESS       IPC Service (KAKAROT SMB SERVER)
[*] Closed 1 connections                                                                                                   
root@kakarot$ nxc smb <target-ip> --shares -u '' -p ''

enum4linux-ng is a useful tool based on the old enum4linux. It can return a lot of information.

Tool Installation

root@kakarot$ git clone https://github.com/cddmp/enum4linux-ng.git
root@kakarot$ cd enum4linux-ng
root@kakarot$ pip3 install -r requirements.txt

Running The Tool

root@kakarot$ ./enum4linux-ng.py <target-ip> -A

-A : Do all simple enumeration including nmblookup (-U -G -S -P -O -N -I -L).

NFS

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed.

NFS version 4.1 (defined in RFC 8881) lets computers share files over a network, even across many servers at the same time (pNFS) and over more than one network path (multipathing). It uses a single port, 2049, which makes it easier to pass through firewalls. NFS uses ONC-RPC (also called SUN-RPC) to send commands between computers, and XDR to encode data in a way that all systems can understand. NFS itself does not handle authentication or permissions directly; the server maps the user information sent by the client onto the file system’s own permissions to decide access.

Learn more about NFS history!

Install & Configure NFS Server

First, let’s update the package lists:

root@kakarot$ sudo apt update

Now, we can install the NFS server:

root@kakarot$ sudo apt install nfs-kernel-server

NFS is relatively easy to set up because it has fewer configuration options than FTP or SMB. The /etc/exports file lists the physical filesystems on the NFS server that clients can access. This Exports Table also shows which options are allowed, helping us understand what features and permissions are available.

Default Configuration

root@kakarot$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#

Common Options

| Option | Description |
|---|---|
| rw | Read and write allowed. The client can read files and also change or delete them. |
| ro | Read only. The client can only read files, not change or delete them. |
| sync | Writes are saved to disk first, then the server replies. Safer but slower. |
| async | Server may reply before saving to disk. Faster but risk of losing data on crash. |
| secure | Client must use low-numbered ports (<1024). Slightly more secure. |
| insecure | Client may use high-numbered ports (>1024). Less secure but sometimes needed. |
| no_subtree_check | Server does not always check that the file is inside the exported subtree. Fewer errors and better speed when files move, but skips a safety check. |
| root_squash | Map client root to an anonymous user (e.g. nobody). Stops remote root from being root on the server. |

Example:

root@kakarot$ echo '/mnt/nfs  172.15.10.0/24(ro,sync,no_subtree_check,insecure)' >> /etc/exports
root@kakarot$ echo '/home/kakarot  172.15.10.113(rw,async,no_subtree_check,secure)' >>  /etc/exports
root@kakarot$ sudo systemctl restart nfs-kernel-server
root@kakarot$ exportfs

/home/kakarot 	172.15.10.113
/mnt/nfs      	172.15.10.0/24

Dangerous Settings

| Option | Description |
|---|---|
| rw | Read and write allowed. The client can change or delete files. This is dangerous if the client is not trusted. |
| insecure | Client may use high ports (>1024). Easier for normal programs to connect, so less secure. |
| nohide | Make a nested exported folder act like it is part of the parent export. Can give surprising access to hidden data. |
| no_root_squash | Remote root becomes real root on the server. Gives full control to the remote root user — very dangerous. |
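As an added example (not from the original post or nfs-utils), here is a parser for /etc/exports that works out the options a given client ends up with and flags the settings from the table above. The first two export lines are the ones written with echo earlier, the third is constructed, and the option defaults and opposites follow exports(5).

```python
"""Parse /etc/exports, resolve the effective options for a client and
flag dangerous settings. Added example, not from the original post or
nfs-utils; SAMPLE_EXPORTS mixes the page's two echo lines with one
constructed line. Option defaults and opposites follow exports(5)."""
from __future__ import annotations
import ipaddress
import re

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/mnt/nfs       172.15.10.0/24(ro,sync,no_subtree_check,insecure)
/home/kakarot  172.15.10.113(rw,async,no_subtree_check,secure)
/srv/backup    *(rw,no_root_squash,async)
"""

# every option has an opposite; the first of each pair is the exports(5) default
PAIRS = [("ro", "rw"), ("sync", "async"), ("root_squash", "no_root_squash"),
         ("secure", "insecure"), ("hide", "nohide"), ("no_all_squash", "all_squash")]
DEFAULTS = {a for a, _ in PAIRS}
OPPOSITE = {**{a: b for a, b in PAIRS}, **{b: a for a, b in PAIRS}}

_CLIENT = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # client(opt,opt)  or  client


def parse_exports(text: str) -> list[tuple[str, str, set[str]]]:
    """Return (path, client, effective_options) for every client of every line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        specs = parts[1].split() if len(parts) > 1 else ["*"]
        for spec in specs:
            m = _CLIENT.match(spec)
            if not m:
                raise ValueError(f"malformed client spec: {spec!r}")
            client = m.group(1) or "*"           # a bare '(ro)' applies to every host
            opts = set(DEFAULTS)
            for opt in filter(None, (m.group(2) or "").split(",")):
                opts.discard(OPPOSITE.get(opt, ""))   # rw replaces ro, insecure replaces secure ...
                opts.add(opt)
            entries.append((path, client, opts))
    return entries


def _rank(client: str) -> int:
    """exports(5) precedence: single host (0) before network (1) before wildcard (2)."""
    if client == "*" or "*" in client or "?" in client:
        return 2
    return 1 if "/" in client else 0


def client_matches(client: str, ip: str) -> bool:
    """IP and CIDR specs are matched offline; host names would need reverse
    DNS, so only '*' matches them here (a deliberate simplification)."""
    if client == "*":
        return True
    try:
        addr = ipaddress.ip_address(ip)
        if "/" in client:
            return addr in ipaddress.ip_network(client, strict=False)
        return addr == ipaddress.ip_address(client)
    except ValueError:
        return False


def options_for(entries, ip: str) -> dict[str, set[str]]:
    """Options the client at `ip` gets per export path; most specific spec wins."""
    best: dict[str, tuple[int, set[str]]] = {}
    for path, client, opts in entries:
        if client_matches(client, ip):
            rank = _rank(client)
            if path not in best or rank < best[path][0]:
                best[path] = (rank, opts)
    return {path: opts for path, (_, opts) in best.items()}


def _is_range(client: str) -> bool:
    if _rank(client) == 2:
        return True
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses > 1
    except ValueError:
        return False


def audit(entries) -> list[tuple[str, str, str, str]]:
    """(severity, path, client, message) for the dangerous options in the table above."""
    findings = []
    for path, client, opts in entries:
        if "no_root_squash" in opts:
            findings.append(("HIGH", path, client, "remote root is root on the server"))
        if "rw" in opts and _is_range(client):
            findings.append(("MEDIUM", path, client, "writable by a whole address range"))
        if "insecure" in opts:
            findings.append(("LOW", path, client, "unprivileged source ports accepted"))
        if "nohide" in opts:
            findings.append(("LOW", path, client, "nested exports become visible"))
        if "rw" in opts and "async" in opts:
            findings.append(("INFO", path, client, "async writes: data loss on server crash"))
    return findings
```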

Footprinting the Service

When scanning for NFS, check ports 111 and 2049. You can also ask the RPC service for more info about the NFS server and the host.

root@kakarot$ sudo nmap <target-ip> -p111,2049 -sC -sV 

Starting Nmap 7.92 ( https://nmap.org ) at 2025-01-01 00:00 EDT
Nmap scan report for <target-ip>
Host is up (0.00032s latency).

PORT     STATE SERVICE
111/tcp  open  rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35131/tcp6  mountd
|   100005  1,2,3      35521/tcp   mountd
|   100005  1,2,3      50037/udp   mountd
|   100005  1,2,3      56887/udp6  mountd
|   100021  1,3,4      33923/tcp6  nlockmgr
|   100021  1,3,4      36601/udp   nlockmgr
|   100021  1,3,4      40864/udp6  nlockmgr
|   100021  1,3,4      43855/tcp   nlockmgr
|   100024  1          40439/udp   status
|   100024  1          44791/tcp   status
|   100024  1          54216/udp6  status
|   100024  1          54757/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/tcp6  nfs_acl
2049/tcp open  nfs_acl
MAC Address: <MAC> (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds

We can also use the rpcinfo tool.

root@kakarot$ rpcinfo -p <target-ip>

-p : probe the portmapper on the given host and list all registered RPC programs, versions and ports.

The rpcinfo script for Nmap asks the target for a list of RPC services. It shows each service name, a short description, and the port number it uses. This helps us check that the NFS share and its related services are running on the right ports. Nmap also has other NFS scripts. These scripts can try to read the exported shares and show simple information, for example the files in a share or the disk usage.

root@kakarot$ sudo nmap <target-ip> -p111,2049 -sV --script nfs\*
Host is up (0.026s latency).

PORT     STATE SERVICE VERSION
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35131/tcp6  mountd
|   100005  1,2,3      35521/tcp   mountd
|   100005  1,2,3      50037/udp   mountd
|   100005  1,2,3      56887/udp6  mountd
|   100021  1,3,4      33923/tcp6  nlockmgr
|   100021  1,3,4      36601/udp   nlockmgr
|   100021  1,3,4      40864/udp6  nlockmgr
|   100021  1,3,4      43855/tcp   nlockmgr
|   100024  1          40439/udp   status
|   100024  1          44791/tcp   status
|   100024  1          54216/udp6  status
|   100024  1          54757/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/tcp6  nfs_acl
| nfs-showmount: 
|   /mnt/nfs 172.16.10.0/24
|_  /home/kakarot 172.16.10.143
| nfs-ls: Volume /mnt/nfs
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID  GID  SIZE  TIME                 FILENAME
| rwxr-xr-x   0    0    4096  2025-09-18T17:00:26  .
| ??????????  ?    ?    ?     ?                    ..
| rw-r--r--   0    0    37    2025-09-18T17:00:26  report.txt
|_
2049/tcp open  nfs_acl 3 (RPC #100227)
MAC Address: 00:0C:29:FD:CC:20 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.33 seconds
root@kakarot$ showmount --export <target-ip> #Show Available NFS Shares.

Export list for <target-ip>:

/mnt/nfs      172.15.10.0/24
/home/kakarot 172.15.10.113

Mounting NFS Share

root@kakarot$ mkdir NFS-Share #Create a new empty folder to which the NFS share will be mounted.
root@kakarot$ sudo mount -t nfs <target-ip>:/ ./NFS-Share/ -o nolock #Mount it on our local machine.

-t nfs : the filesystem type to mount.
-o : NFS mount options.
nolock : disables file locking (the NLM lock manager). This setting is occasionally required when connecting to older NFS servers.

root@kakarot$ cd NFS-Share/

root@kakarot$ ls -l
drwxr-xr-x 6 kakarot kakarot 4096 Sep 18 22:56 home
drwxr-xr-x 3 root root 4096 Sep 18 12:58 mnt

Unmounting

root@kakarot$ cd ..
root@kakarot$ sudo umount ./NFS-Share

DNS

The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like kakarot.info. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.

How DNS Works?

Learn more about DNS and DNS records.

Example:

root@kakarot$ dig SOA www.kakarot.info

; <<>> DiG 9.18.33 <<>> SOA www.kakarot.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42791
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.kakarot.info.              IN      SOA

;; AUTHORITY SECTION:
kakarot.info.           3417    IN      SOA     dns1.p01.nsone.net. domains+netlify.netlify.com. 1754607324 43200 7200 1209600 3600

;; Query time: 38 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Sep 24 13:13:38 EDT 2025
;; MSG SIZE  rcvd: 126

In the RNAME field of the SOA record, the first dot (.) stands for the at sign (@) of the responsible person's mailbox. In this case, domains+netlify.netlify.com. means the administrator's address is domains+netlify@netlify.com.

Install & Configure DNS Server

First we need to install the BIND9 DNS server, which is very commonly used on Linux-based distributions:

root@kakarot$ sudo apt install bind9

Here is the BIND9 documentation.

Here are the BIND9 config files:

root@kakarot$ ls -l /etc/bind
total 48
-rw-r--r-- 1 root root 2928 Jan 25  2025 bind.keys
-rw-r--r-- 1 root root  255 Jan 25  2025 db.0
-rw-r--r-- 1 root root  271 Jan 25  2025 db.127
-rw-r--r-- 1 root root  237 Jan 25  2025 db.255
-rw-r--r-- 1 root root  353 Jan 25  2025 db.empty
-rw-r--r-- 1 root root  270 Jan 25  2025 db.local
-rw-r--r-- 1 root bind  458 Jan 25  2025 named.conf
-rw-r--r-- 1 root bind  498 Jan 25  2025 named.conf.default-zones
-rw-r--r-- 1 root bind  165 Jan 25  2025 named.conf.local
-rw-r--r-- 1 root bind  846 Jan 25  2025 named.conf.options
-rw-r----- 1 bind bind  100 Sep 24 14:41 rndc.key
-rw-r--r-- 1 root root 1317 Jan 25  2025 zones.rfc1918

We need to create two zone files: a forward zone file, which maps domain names to IP addresses, and a reverse zone file, which maps IP addresses back to domain names:

root@kakarot:/etc/bind$ touch db.internal.kakarot.info    #forward zone file
root@kakarot:/etc/bind$ touch db.10.16.172    #reverse zone file

Here we declare our zones in the named.conf.local file:

root@kakarot:/etc/bind$ cat named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "internal.kakarot.info" {
        type master;
        file "/etc/bind/db.internal.kakarot.info";
};

zone "10.16.172.in-addr.arpa" {
        type master;
        file "/etc/bind/db.10.16.172";
};

Now, let’s configure our files:

root@kakarot$ cat /etc/bind/db.internal.kakarot.info 

$TTL	604800
@	IN	SOA	me.internal.kakarot.info. root.internal.kakarot.info. (
			      2		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@			          IN	NS    	internal.kakarot.info.
me.internal.kakarot.info.	  IN	A	172.16.10.143
internal.kakarot.info.		  IN	A	172.16.10.143
root@kakarot$ cat /etc/bind/db.10.16.172 

$TTL	604800
@	IN	SOA	me.internal.kakarot.info. root.internal.kakarot.info. (
			      2		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@				IN	NS	  internal.kakarot.info.
143			        IN	PTR	  me.internal.kakarot.info.
kakarot@me:~$ cat /etc/resolv.conf 

# Generated by NetworkManager
search localdomain
nameserver 172.16.10.143
root@kakarot$ sudo systemctl restart bind9
root@kakarot$ dig @172.16.10.143 internal.kakarot.info

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @172.16.10.143 internal.kakarot.info
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35850
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0f3c7c4fc379fd740100000068d5c3f900c1196833f1e5e5 (good)
;; QUESTION SECTION:
;internal.kakarot.info.		IN	A

;; ANSWER SECTION:
internal.kakarot.info.	604800	IN	A	172.16.10.143

;; Query time: 4 msec
;; SERVER: 172.16.10.143#53(172.16.10.143) (UDP)
;; WHEN: Thu Sep 25 18:36:41 EDT 2025
;; MSG SIZE  rcvd: 94

Sorry guys I can't explain step by step just by writing, it's tiring :(
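The following Python script is an added example, not BIND tooling and not the post's own code. It covers two things from this section: converting an SOA RNAME into a mailbox (the dot-to-@ rule explained under the dig SOA output above, including the \. escape used for a literal dot inside the local part) and checking zone files before reloading named. It parses constructed copies of the forward and reverse zones, flags RDATA names that lack a trailing dot (named silently appends the origin to them), and cross-checks every PTR against the forward zone's A records. The sample reverse zone deliberately omits the trailing dot on its PTR target, which is a common mistake in hand-written reverse zones.

```python
"""Zone-file checks for the forward and reverse zones above (added example, not BIND tooling)."""


def rname_to_email(rname):
    """SOA RNAME -> mailbox: the first unescaped '.' is the '@'; '\\.' is a literal dot."""
    local, domain, i = [], [], 0
    target = local
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):     # escaped character: keep it literally
            target.append(rname[i + 1])
            i += 2
        elif ch == "." and target is local:       # first real dot ends the local part
            target = domain
            i += 1
        else:
            target.append(ch)
            i += 1
    return "".join(local) + "@" + "".join(domain).rstrip(".")


def qualify(name, origin):
    """Absolute form as named sees it: '@' is the origin; no trailing dot means append the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse a zone file into (owner, type, rdata tokens, origin) with fully qualified owners."""
    origin = origin if origin.endswith(".") else origin + "."
    logical, buf, depth, indented = [], [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()                 # drop comments
        if not line.strip():
            continue
        if not buf:
            indented = line[0].isspace()                     # indented line inherits the owner
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")           # join parenthesised records
        if depth == 0:
            logical.append((indented, " ".join(buf)))
            buf = []
    records, owner = [], origin
    for indented, line in logical:
        toks = line.replace("(", " ").replace(")", " ").split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            continue
        if not indented:
            owner = qualify(toks.pop(0), origin)
        if toks and toks[0].isdigit():
            toks.pop(0)                                      # optional TTL
        if toks and toks[0].upper() == "IN":
            toks.pop(0)                                      # class
        records.append((owner, toks[0].upper(), toks[1:], origin))
    return records


NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}   # RDATA fields that are names


def lint_relative_names(records):
    """A name in RDATA without a trailing dot silently gets the origin appended."""
    return [f"{owner} {rtype}: '{rdata[i]}' expands to {qualify(rdata[i], origin)}"
            for owner, rtype, rdata, origin in records
            for i in NAME_FIELDS.get(rtype, []) if not rdata[i].endswith(".")]


def check_forward_reverse(forward, reverse):
    """Every PTR must name a host whose A record maps back to the same address."""
    a_pairs = {(rdata[0], owner) for owner, rtype, rdata, _ in forward if rtype == "A"}
    problems = []
    for owner, rtype, rdata, origin in reverse:
        if rtype == "PTR":
            ip = ".".join(reversed(owner.rstrip(".").split(".")[:-2]))   # 143.10.16.172.in-addr.arpa. -> 172.16.10.143
            target = qualify(rdata[0], origin)
            if (ip, target) not in a_pairs:
                problems.append(f"PTR for {ip} -> {target} has no matching A record")
    return problems


# Constructed copies of the two zone files above; the PTR target deliberately lacks its trailing dot.
FORWARD_ZONE = """\
$TTL 604800
@   IN  SOA me.internal.kakarot.info. root.internal.kakarot.info. (
        2 ; Serial
        604800 86400 2419200 604800 )
@                           IN  NS  internal.kakarot.info.
me.internal.kakarot.info.   IN  A   172.16.10.143
internal.kakarot.info.      IN  A   172.16.10.143
"""
REVERSE_ZONE = """\
$TTL 604800
@   IN  SOA me.internal.kakarot.info. root.internal.kakarot.info. (
        2 604800 86400 2419200 604800 )
@   IN  NS  internal.kakarot.info.
143 IN  PTR me.internal.kakarot.info
"""

if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "internal.kakarot.info")
    rev = parse_zone(REVERSE_ZONE, "10.16.172.in-addr.arpa")
    print("SOA contact:", rname_to_email(fwd[0][2][1]))
    for msg in lint_relative_names(rev) + check_forward_reverse(fwd, rev):
        print("WARN", msg)
```

The relative-name warning shows exactly what the resolver would return for the bad PTR (`me.internal.kakarot.info.10.16.172.in-addr.arpa.`), which is the symptom you would otherwise only notice when `dig -x` gives a strange answer. named-checkzone performs syntax checks, but it does not catch a relative name that is syntactically valid and semantically wrong, which is why the forward/reverse cross-check is worth running before `systemctl restart bind9`.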

Dangerous Settings

There are a number of known vulnerabilities affecting the BIND9 server.

Some of the settings shown below, if misconfigured, can lead to these and other vulnerabilities:

Option            Description
allow-query       Defines which hosts are allowed to send requests to the DNS server.
allow-recursion   Defines which hosts are allowed to send recursive requests to the DNS server.
allow-transfer    Defines which hosts are allowed to receive zone transfers from the DNS server.
zone-statistics   Collects statistical data about zones.
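As an added example (not part of BIND and not from the post), this Python check extracts the allow-query, allow-recursion, allow-transfer and allow-update ACLs from named.conf text and reports the wide-open values. The weak and hardened fragments are constructed; the key name xfer-key is a hypothetical TSIG key and its secret is a placeholder.

```python
"""Check the allow-* ACLs in named.conf for wide-open values (added example, not BIND code)."""
import re

ACL_OPTIONS = ("allow-query", "allow-recursion", "allow-transfer", "allow-update")


def extract_acls(conf):
    """Return every (option, [acl entries]) pair found, in file order, with comments removed."""
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)        # /* block */ comments
    text = re.sub(r"(//|#).*", "", text)                      # line comments (also hits '//' in strings)
    pattern = r"\b(" + "|".join(ACL_OPTIONS) + r")\s*\{([^}]*)\}"
    return [(opt, [v.strip() for v in body.split(";") if v.strip()])
            for opt, body in re.findall(pattern, text)]


def audit_named_conf(conf):
    """Flag ACLs that are open to 'any'; a missing allow-transfer is reported so it gets set explicitly."""
    findings, seen = [], set()
    for option, entries in extract_acls(conf):
        seen.add(option)
        if "any" not in entries:
            continue
        if option == "allow-transfer":
            findings.append((option, "high", "any host can copy the whole zone with AXFR"))
        elif option == "allow-recursion":
            findings.append((option, "high", "open resolver: recursion for arbitrary clients"))
        elif option == "allow-update":
            findings.append((option, "critical", "unauthenticated dynamic updates can rewrite the zone"))
    if "allow-transfer" not in seen:
        findings.append(("allow-transfer", "info", "not set; behaviour depends on the BIND version's default"))
    return findings


WEAK_CONF = """\
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
    allow-transfer { any; };   // every host may pull the zone
};
"""

HARDENED_CONF = """\
key "xfer-key" {                      // hypothetical TSIG key shared with the secondary
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};
acl internal { 172.16.10.0/24; localhost; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-recursion { internal; };     /* recurse only for our own network */
    allow-transfer { none; };          /* deny transfers unless a zone allows them */
};
zone "internal.kakarot.info" {
    type master;
    file "/etc/bind/db.internal.kakarot.info";
    allow-transfer { key "xfer-key"; };
};
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_named_conf(conf) or "no findings")
```

The hardened fragment shows the usual pattern: a global `allow-transfer { none; }` and a per-zone exception keyed to a TSIG key, so the `dig axfr` queries shown later in this section succeed only for the secondary that holds the key.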

Footprinting the Service

Footprinting a DNS server is done through the queries we send to it. First of all, we can ask the DNS server which other name servers it knows about. We do this with an NS query, specifying the server to query with the @ character. If other DNS servers exist, we can query them as well: they may be configured differently and may also be responsible for other zones.

root@kakarot$ dig ns kakarot.info @192.0.2.5    #DIG - NS Query

; <<>> DiG 9.18.33 <<>> ns kakarot.info @192.0.2.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42791
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;kakarot.info.                 IN      NS

;; ANSWER SECTION:
kakarot.info.           604800  IN      NS      ns.kakarot.info.

;; ADDITIONAL SECTION:
ns.kakarot.info.        604800  IN      A       192.0.2.5

;; Query time: 2 msec
;; SERVER: 192.0.2.5#53(192.0.2.5)
;; WHEN: Wed Sep 24 13:13:38 EDT 2025
;; MSG SIZE  rcvd: 107

Sometimes a DNS server publishes its software version. You can ask for it by sending a special DNS query that uses the CHAOS class and the TXT type. Not all servers provide this information, the server must have that entry configured.

root@kakarot$ dig CH TXT version.bind @192.0.2.5    #DIG - Version Query
root@kakarot$ dig any kakarot.info @192.0.2.5     #view all available records

A zone transfer (AXFR) is the copying of a zone's DNS data from the master (primary) server to the slave (secondary) servers over TCP port 53. This keeps all servers consistent so that DNS keeps working if one of them fails. The SOA record and its serial number are used to detect updates. The rndc-key is used to make sure that only trusted servers perform the transfer.

root@kakarot$ dig axfr kakarot.info @192.0.2.5
root@kakarot$ dig axfr internal.kakarot.info @192.0.2.5

Subdomain Brute Forcing

root@kakarot$ for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.kakarot.info @192.0.2.5 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
root@kakarot$ dnsenum --dnsserver 192.0.2.5 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt kakarot.info

SMTP

The Simple Mail Transfer Protocol (SMTP) is a technical standard for transmitting electronic mail (email) over a network. Like other networking protocols, SMTP allows computers and servers to exchange data regardless of their underlying hardware or software. Just as a standardized way of addressing an envelope allows the postal service to operate, SMTP standardizes the way email travels from sender to recipient, making widespread email delivery possible.

SMTP is a mail delivery protocol, not a mail retrieval protocol. A postal service delivers mail to a mailbox, but the recipient still has to retrieve the mail from the mailbox. Similarly, SMTP delivers an email to an email provider’s mail server, but separate protocols are used to retrieve that email from the mail server so the recipient can read it.

Client (MUA)
   │
   │ 1) Submit (SMTP AUTH: username/password, usually TCP/587 or 25/465)
   ▼
Submission Agent (MSA)  — (validity check / relay permission)
   │
   │ 2) Accepts submission, may add/validate headers, then hands to MTA
   ▼
Open Relay (MTA)  — (Mail Transfer Agent: routing, DNS lookup, spam/size checks)
   │
   │ 3) Looks up recipient MX via DNS → routes through network / other MTAs
   ▼
Mail Delivery Agent (MDA)  — (reassembles packets, final delivery logic)
   │
   │ 4) Places message into recipient's mailbox storage
   ▼
Mailbox (POP3 / IMAP)  — (recipient reads using POP3 or IMAP)

SMTP by itself has some weaknesses. It gives no reliable delivery confirmation, and it does not verify who the sender really is. That is why, in the past, spammers could use fake sender addresses (mail spoofing) or open relays to send huge amounts of junk mail. To counter this, mail servers now use mechanisms such as DomainKeys Identified Mail (DKIM) and the Sender Policy Framework (SPF) to detect forged emails. Today the extended version, ESMTP, is what is actually used: the client starts with EHLO, issues STARTTLS to switch on encryption, and only then logs in safely using AUTH PLAIN.

Install & Configure SMTP Server

Installing postfix service:

root@kakarot$ apt install postfix

During the installation you will be asked to choose the setup type; choose Internet Site.
When asked for the mail name, enter a domain of your choice.

For my setup, I chose kakarot.local as the domain.

I create a new user for this process:

root@kakarot$ useradd -m neo 
root@kakarot$ passwd neo
New password: [neo@3301]
Retype new password: [neo@3301]
passwd: password updated successfully

Our creds are neo:neo@3301.

Now, let’s configure our postfix settings.

root@kakarot$ cat /etc/postfix/main.cf
<SNIP>
myhostname = mail.kakarot.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, kakarot.local, localhost.localdomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/

Please don’t forget to add the line home_mailbox = Maildir/ to your configuration file.

root@kakarot$ systemctl restart postfix #restarting the service

To work with messages stored in Maildir format, we install the Dovecot POP3/IMAP server.

root@kakarot$ apt install dovecot-imapd dovecot-pop3d

Create a Maildir folder for user neo:

root@kakarot$ maildirmake.dovecot /home/neo/Maildir

root@kakarot$ chown -R neo:neo /home/neo/Maildir

To send messages, we install mailutils.

root@kakarot$ apt install mailutils

Sending a test mail:

root@kakarot$ echo "Follow the white rabbit" | mail -s "Wake up" -r morpheus@kakarot.local neo

Checking…

root@neo$ pwd
/home/neo/Maildir

root@neo$ ls
cur  new  tmp

root@neo$ cd new

root@neo$ ls
1759062852.V801I2273bM824197.me

root@neo$ cat 1759062852.V801I2273bM824197.me
Return-Path: <morpheus@kakarot.local>
X-Original-To: neo
Delivered-To: neo@kakarot.local
Received: by mail.kakarot.local (Postfix, from userid 0)
	id BFCE4FFC28; Sun, 28 Sep 2025 08:34:12 -0400 (EDT)
Subject: Wake up
To: neo@kakarot.local
User-Agent: mail (GNU Mailutils 3.15)
Date: Sun, 28 Sep 2025 08:34:12 -0400
Message-Id: <20250928123412.BFCE4FFC28@mail.kakarot.local>
From: root <morpheus@kakarot.local>

Follow the white rabbit

So, the message has been sent and received successfully!

Sending & Checking manually…

root@kakarot$ telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.kakarot.local ESMTP Postfix (Debian/GNU)

EHLO kakarot.local
250-mail.kakarot.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

MAIL FROM:<morpheus@kakarot.local>
250 2.1.0 Ok

RCPT TO:<neo@kakarot.local>
250 2.1.5 Ok

DATA
354 End data with <CR><LF>.<CR><LF>

The matrix has you.
.

250 2.0.0 Ok: queued as DA4D9FF932
root@neo$ ls
1759062852.V801I2273bM824197.me  1759063491.V801I22ba8M439440.me

root@neo$ cat 1759063491.V801I22ba8M439440.me
Return-Path: <morpheus@kakarot.local>
X-Original-To: neo@kakarot.local
Delivered-To: neo@kakarot.local
Received: from kakarot.local (localhost [IPv6:::1])
	by mail.kakarot.local (Postfix) with ESMTP id DA4D9FF932
	for <neo@kakarot.local>; Sun, 28 Sep 2025 08:40:39 -0400 (EDT)
Message-Id: <20250928124120.DA4D9FF932@mail.kakarot.local>
Date: Sun, 28 Sep 2025 08:40:39 -0400 (EDT)
From: morpheus@kakarot.local

The matrix has you.

The message has been sent and received successfully once again!

Command      Description
AUTH PLAIN   Used for client authentication; transmits credentials in Base64-encoded form.
HELO         Identifies the client to the server using the client's hostname, initiating the SMTP session.
MAIL FROM    Specifies the return email address of the sender (envelope sender).
RCPT TO      Specifies the recipient's email address (envelope recipient).
DATA         Signals the start of the email content; the message body is transmitted until terminated with <CRLF>.<CRLF>.
RSET         Aborts the current mail transaction, resetting the session state while keeping the connection open.
VRFY         Requests verification of whether a specified mailbox exists on the server.
EXPN         Expands a mailing list to show its individual recipients.
NOOP         Issues a no-operation command; the server responds with an acknowledgment to keep the connection active.
QUIT         Terminates the SMTP session and closes the connection gracefully.

Use telnet to connect to the SMTP server and start the session with HELO/EHLO.

root@kakarot$ telnet neo.kakarot.local 25   #telnet - HELO/EHLO
Trying 172.16.10.143...
Connected to neo.kakarot.local.
Escape character is '^]'.
220 mail.kakarot.local ESMTP Postfix (Debian/GNU)

HELO mail.kakarot.local
250 mail.kakarot.local

EHLO mail
250-mail.kakarot.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

The VRFY command can be used to ask the mail server if a certain user exists. In practice, though, it doesn’t always work as expected. Some servers are set up to reply with code 252, which can make it look like a user exists even when they don’t. If you want to see all possible replies, you can look at the full list of SMTP response codes.

root@kakarot$ telnet neo.kakarot.local 25   #telnet - VRFY
Trying 172.16.10.143...
Connected to neo.kakarot.local.
Escape character is '^]'.
220 mail.kakarot.local ESMTP Postfix (Debian/GNU)

VRFY root
252 2.0.0 root

VRFY neo
252 2.0.0 neo

VRFY peter
550 5.1.1 <peter>: Recipient address rejected: User unknown in local recipient table

VRFY kakarot
252 2.0.0 kakarot

VRFY roben
550 5.1.1 <roben>: Recipient address rejected: User unknown in local recipient table

We can also brute force user names with Nmap (see User enumeration below).
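Added example (not from the post): a Python helper that parses a VRFY transcript like the one above and decides whether the replies actually distinguish existing mailboxes from unknown ones, which is the question a server owner should ask. The transcript is constructed from the replies shown above.

```python
"""Interpret VRFY replies and decide whether they leak which mailboxes exist (added example)."""
import re


def classify_vrfy(reply):
    """Map a VRFY reply code onto what it proves about the mailbox."""
    code = int(reply[:3])
    if code in (250, 251):
        return "exists"
    if code == 252:
        return "unverifiable"      # server will accept mail but will not confirm the address
    if code in (550, 551, 553):
        return "unknown"
    if code in (500, 502):
        return "disabled"          # VRFY not recognised / not implemented
    return "other"


def results_from_transcript(transcript):
    """Pair each 'VRFY <name>' line with the reply that follows it."""
    results, pending = {}, None
    for line in transcript.splitlines():
        line = line.strip()
        m = re.fullmatch(r"VRFY\s+(\S+)", line, re.I)
        if m:
            pending = m.group(1)
        elif pending and re.match(r"\d{3}[ -]", line):
            results[pending] = classify_vrfy(line)
            pending = None
    return results


def vrfy_leaks_existence(results):
    """True when the server answers differently for known and unknown names.

    A uniform 252 for every name reveals nothing; 252 or 250 for some names and
    550 for others lets a client tell them apart, even though a 252 on its own
    is not a confirmation that the mailbox exists."""
    kinds = set(results.values())
    return "unknown" in kinds and bool(kinds & {"exists", "unverifiable"})


# Constructed from the replies shown in the transcript above.
SAMPLE_TRANSCRIPT = """\
220 mail.kakarot.local ESMTP Postfix (Debian/GNU)
VRFY root
252 2.0.0 root
VRFY neo
252 2.0.0 neo
VRFY peter
550 5.1.1 <peter>: Recipient address rejected: User unknown in local recipient table
VRFY kakarot
252 2.0.0 kakarot
"""

if __name__ == "__main__":
    r = results_from_transcript(SAMPLE_TRANSCRIPT)
    print(r)
    print("replies distinguish known from unknown users:", vrfy_leaks_existence(r))
```

The point of the classifier is the caveat from the paragraph above: a 252 alone proves nothing, but a server that answers 252 for some names and 550 for others still tells a client which names exist. On Postfix the setting that removes the difference is `disable_vrfy_command = yes`, after which every VRFY gets a 502.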

Open Relay

An SMTP server that works as an open relay is a mail server that does not verify whether the user is authorised to send email from the specified address. Users can therefore send email that appears to originate from any third-party address they choose (spoofing).

Open-Relay Checking…

root@kakarot$ sudo nmap <IP> -p25 --script smtp-open-relay -v
<SNIP>

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-open-relay: Server is an open relay (16/16 tests)
|  MAIL FROM:<> -> RCPT TO:<relaytest@nmap.scanme.org>
|  MAIL FROM:<antispam@nmap.scanme.org> -> RCPT TO:<relaytest@nmap.scanme.org>
|  MAIL FROM:<antispam@mail.kakarot.local> -> RCPT TO:<relaytest@nmap.scanme.org>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<relaytest@nmap.scanme.org>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<relaytest%nmap.scanme.org@[127.0.0.1]>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<relaytest%nmap.scanme.org@mail.kakarot.local>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<"relaytest@nmap.scanme.org">
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<"relaytest%nmap.scanme.org">
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<relaytest@nmap.scanme.org@[127.0.0.1]>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<"relaytest@nmap.scanme.org"@[127.0.0.1]>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<relaytest@nmap.scanme.org@mail.kakarot.local>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<@[127.0.0.1]:relaytest@nmap.scanme.org>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<@mail.kakarot.local:relaytest@nmap.scanme.org>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<nmap.scanme.org!relaytest>
|  MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<nmap.scanme.org!relaytest@[127.0.0.1]>
|_ MAIL FROM:<antispam@[127.0.0.1]> -> RCPT TO:<nmap.scanme.org!relaytest@mail.kakarot.local>

NSE: Script Post-scanning.
Initiating NSE at 12:02
Completed NSE at 12:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
           Raw packets sent: 1 (44B) | Rcvd: 2 (88B)

Always complement automated Nmap scans with manual SMTP testing via telnet or nc to reliably verify whether a server is truly an open relay.
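To see why a scan can report an open relay while the main.cf above only trusts 127.0.0.0/8, here is an added Python model (not Postfix code) of the two recipient restrictions that decide relaying in a default Postfix setup: permit_mynetworks, then reject_unauth_destination. It reads the relevant parameters from a constructed copy of the main.cf shown earlier, and it only understands user@domain recipients, not the address-literal, percent and bang forms that the Nmap script also tries; a real server evaluates its complete restriction lists.

```python
"""Model of the two Postfix restrictions that decide relaying (added example, not Postfix code)."""
import ipaddress
import re

# Constructed from the main.cf shown earlier in this section.
MAIN_CF = """\
myhostname = mail.kakarot.local
myorigin = /etc/mailname
mydestination = $myhostname, kakarot.local, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all
"""


def parse_main_cf(text):
    """key = value lines into a dict, with $name references expanded one level."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    for key in list(params):
        params[key] = re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), params[key])
    return params


def _split(value):
    return [x for x in re.split(r"[,\s]+", value) if x]


class RelayPolicy:
    """permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, in that order."""

    def __init__(self, params):
        self.mydestination = {d.lower() for d in _split(params.get("mydestination", ""))}
        self.relay_domains = {d.lower() for d in _split(params.get("relay_domains", ""))}
        # Postfix writes IPv6 networks as [addr]/len; ipaddress wants addr/len.
        self.mynetworks = [ipaddress.ip_network(n.replace("[", "").replace("]", ""), strict=False)
                           for n in _split(params.get("mynetworks", ""))]

    def decide(self, client_ip, rcpt_to, authenticated=False):
        """Return the reply Postfix would give to RCPT TO under these restrictions."""
        ip = ipaddress.ip_address(client_ip)
        if authenticated:
            return "250 2.1.5 Ok (permit_sasl_authenticated)"
        if any(ip in net for net in self.mynetworks):      # version mismatch simply yields False
            return "250 2.1.5 Ok (permit_mynetworks)"
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in self.mydestination or domain in self.relay_domains:
            return "250 2.1.5 Ok (local or relay domain)"
        return "554 5.7.1 Relay access denied (reject_unauth_destination)"

    def is_open_relay_from(self, client_ip):
        """The open-relay question, asked for one specific client address."""
        return self.decide(client_ip, "relaytest@nmap.scanme.org").startswith("250")


if __name__ == "__main__":
    policy = RelayPolicy(parse_main_cf(MAIN_CF))
    for src in ("127.0.0.1", "172.16.10.50"):
        print(src, "can relay to outside domains:", policy.is_open_relay_from(src))
```

Because anything inside mynetworks may relay by design, a check run from the server itself (127.0.0.1) reports "open relay" even though clients outside mynetworks are refused with 554. Judge exposure from an address outside mynetworks, and confirm by hand with telnet as the previous paragraph recommends. Widening mynetworks to a whole office network is the usual way a server turns into a relay for every compromised workstation on it.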

User enumeration

We can enumerate SMTP users with several methods.

For example, the Nmap script smtp-enum-users:

root@kakarot$ nmap 10.129.23.178 -p 25 --script smtp-enum-users --script-args userdb=/home/kakarot/Desktop/[ListPathHere]

Or this metasploit framework auxiliary:

auxiliary/scanner/smtp/smtp_enum

There are also some scripts on GitHub, but I prefer Nmap.

POP3 / IMAP

POP3

The abbreviation POP3 stands for Post Office Protocol version 3, which provides access to an inbox stored on an email server. It performs download and delete operations on messages. When a POP3 client connects to the mail server, it retrieves all messages from the mailbox, stores them on your local computer, and deletes them from the remote server.

Thanks to this protocol, you are able to access the messages locally in offline mode as well.

Modern POP3 clients allow you to keep a copy of your messages on the server if you explicitly select this option.

┌──────────────────────────┐                       ┌──────────────────────────┐
│        CLIENT            │                       │          SERVER          │
│   Local Computer / App   │                       │   Mail Server (POP3)     │
│ (Outlook, Thunderbird..) │                       │ Stores Incoming Emails   │
└─────────────┬────────────┘                       └─────────────┬────────────┘
              │                                                  │
              │ (1) Establish Connection (Port 110 / 995)        │
              ├────────────────────────────────────────────────▶│
              │                                                  │
              │ (2) Authenticate (Username & Password)           │
              ├────────────────────────────────────────────────▶│
              │                                                  │
              │ (3) Download All Emails                          │
              │◀────────────────────────────────────────────────┤
              │                                                  │
              │ (4) Delete Emails from Server (Default Behavior) │
              ├────────────────────────────────────────────────▶│
              │                                                  │
┌─────────────▼────────────┐                       ┌─────────────▼────────────┐
│  LOCAL STORAGE (Inbox)   │                       │   SERVER MAILBOX         │
│ Emails saved on device   │                       │ Becomes empty after POP3 │
│ (No synchronization)     │                       │ access                   │
└──────────────────────────┘                       └──────────────────────────┘

Command          Description
USER username    Identifies the user who wants to access the mailbox.
PASS password    Authenticates the user by verifying the provided password.
STAT             Requests the total number of messages and the total size of the mailbox.
LIST             Retrieves a list of all messages with their sizes from the server.
RETR id          Requests the full content of the message identified by id.
DELE id          Marks the message with the specified id for deletion from the server.
CAPA             Requests the list of capabilities (extensions) the server supports.
RSET             Resets any messages marked for deletion in the current session and restores their status.
QUIT             Ends the session and closes the connection with the POP3 server, applying any deletions.
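As an added example (not Dovecot's code and not from the post), the following Python class models a POP3 session according to the RFC 1939 state machine so the commands in the table can be tried without a server: DELE only marks a message, RSET unmarks everything, and the deletions are applied only when QUIT moves the session into the UPDATE state. The users and messages are constructed samples.

```python
"""In-memory model of a POP3 session: AUTHORIZATION -> TRANSACTION -> UPDATE (added example)."""


class Pop3Mailbox:
    def __init__(self, users, messages):
        self.users = dict(users)          # {username: password}, constructed sample
        self.messages = list(messages)    # message texts; position+1 is the POP3 message number
        self.deleted = set()              # message numbers marked by DELE in this session
        self.state, self.user = "AUTHORIZATION", None

    def _live(self):
        return [(n, m) for n, m in enumerate(self.messages, 1) if n not in self.deleted]

    def _valid(self, arg):
        return arg.isdigit() and 1 <= int(arg) <= len(self.messages) and int(arg) not in self.deleted

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "QUIT":
            if self.state == "TRANSACTION":       # entering UPDATE: only now do deletions happen
                self.messages = [m for _, m in self._live()]
                self.deleted.clear()
            self.state = "UPDATE"
            return "+OK Logging out"
        if self.state == "AUTHORIZATION":
            return self._authorize(cmd, arg)
        if self.state == "TRANSACTION":
            return self._transact(cmd, arg)
        return "-ERR Session closed"

    def _authorize(self, cmd, arg):
        if cmd == "USER":
            self.user = arg
            return "+OK"                          # same reply for any name: no user enumeration
        if cmd == "PASS":
            if self.user is not None and self.users.get(self.user) == arg:
                self.state = "TRANSACTION"
                return "+OK Logged in."
            self.user = None
            return "-ERR [AUTH] Authentication failed."   # identical for bad user and bad password
        return "-ERR Unknown command"

    def _transact(self, cmd, arg):
        live = self._live()
        if cmd == "STAT":
            return f"+OK {len(live)} {sum(len(m) for _, m in live)}"
        if cmd == "LIST":
            return "+OK\r\n" + "".join(f"{n} {len(m)}\r\n" for n, m in live) + "."
        if cmd in ("RETR", "DELE"):
            if not self._valid(arg):
                return "-ERR No such message"
            n = int(arg)
            if cmd == "RETR":
                return f"+OK {len(self.messages[n - 1])} octets\r\n{self.messages[n - 1]}\r\n."
            self.deleted.add(n)                   # only marked; reversible with RSET until QUIT
            return f"+OK Message {n} deleted"
        if cmd == "RSET":
            self.deleted.clear()
            return "+OK"
        if cmd == "NOOP":
            return "+OK"
        return "-ERR Unknown command"


def classic_pop3_download(box, user, password):
    """What a default POP3 client does: fetch everything, delete it on the server, QUIT."""
    box.handle(f"USER {user}")
    if not box.handle(f"PASS {password}").startswith("+OK"):
        return None
    fetched = [box.handle(f"RETR {n}") for n, _ in box._live()]
    for n, _ in box._live():
        box.handle(f"DELE {n}")
    box.handle("QUIT")
    return fetched


# Constructed sample mailbox in the spirit of the test mails sent earlier.
SAMPLE_MESSAGES = ["Subject: Wake up\r\n\r\nFollow the white rabbit",
                   "Subject: (none)\r\n\r\nThe matrix has you."]

if __name__ == "__main__":
    box = Pop3Mailbox({"neo": "neo@3301"}, SAMPLE_MESSAGES)
    for cmd in ("USER neo", "PASS neo@3301", "STAT", "DELE 1", "STAT", "RSET", "STAT", "QUIT"):
        print(f"C: {cmd}\nS: {box.handle(cmd)}")
    print("messages left on server:", len(box.messages))
```

Two details are deliberate. The authorization replies do not reveal whether the user name exists, which is the same property you want from the real server's logs and error strings, and the `classic_pop3_download` helper shows why the diagram says the server mailbox "becomes empty after POP3 access": the client itself issues DELE for everything it fetched and the server applies those deletions on QUIT.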

IMAP

The Internet Message Access Protocol (IMAP) allows you to access and manage your email messages on the email server. This protocol permits you to manipulate folders, permanently delete and efficiently search through messages. It also gives you the option to set or remove email flags, or fetch email attributes selectively. By default, all messages remain on the server until the user specifically deletes them.

IMAP supports the connection of multiple users to a single mail server.

┌──────────────────────────┐                       ┌──────────────────────────┐
│        CLIENT            │                       │          SERVER          │
│   Local Computer / App   │                       │   Mail Server (IMAP)     │
│ (Outlook, Thunderbird..) │                       │ Stores Incoming Emails   │
└─────────────┬────────────┘                       └─────────────┬────────────┘
              │                                                  │
              │ (1) Establish Connection (Port 143 / 993)        │
              ├────────────────────────────────────────────────▶│
              │                                                  │
              │ (2) Authenticate (Username & Password)           │
              ├────────────────────────────────────────────────▶│
              │                                                  │
              │ (3) Synchronize Folder Structure & Headers       │
              │◀────────────────────────────────────────────────┤
              │                                                  │
              │ (4) Fetch Email Content on Demand                │
              │◀────────────────────────────────────────────────┤
              │                                                  │
              │ (5) Mark, Move, or Delete Emails (Synced)        │
              ├────────────────────────────────────────────────▶│
              │                                                  │
┌─────────────▼────────────┐                       ┌─────────────▼────────────┐
│  LOCAL STORAGE (Cache)   │                       │   SERVER MAILBOX         │
│ Partial/Full Messages    │                       │ Remains the master copy  │
│ (Synchronized with IMAP) │                       │ All changes reflected    │
└──────────────────────────┘                       └──────────────────────────┘

Command                  Description
LOGIN username password  Authenticates the user by verifying the provided username and password.
LIST "" *                Retrieves a list of all mailboxes (folders) available to the user.
CREATE "INBOX"           Creates a new mailbox with the specified name.
DELETE "INBOX"           Deletes the specified mailbox from the server.
RENAME "Old" "New"       Renames an existing mailbox from the old name to a new name.
LSUB "" *                Returns the list of mailboxes to which the user is currently subscribed.
SELECT INBOX             Selects a mailbox so that its messages can be accessed, searched, or modified.
UNSELECT INBOX           Deselects the currently selected mailbox without closing the connection.
FETCH <ID> all           Retrieves all data (headers, flags, body, etc.) of the message identified by <ID>.
CLOSE                    Closes the currently selected mailbox and permanently removes any messages flagged as Deleted.
LOGOUT                   Terminates the session and closes the connection with the IMAP server.

Dangerous Settings

Setting                  Description
auth_debug               Enables detailed debug output for the authentication subsystem, showing internal authentication steps and state. Does not necessarily log plaintext passwords.
auth_debug_passwords     Logs submitted passwords and the authentication scheme to the server logs. Intended only for short-term debugging; it exposes credentials in logs.
auth_verbose             Records failed authentication attempts along with contextual details (reason, client IP, timestamps). Useful for auditing but reveals failure causes.
auth_verbose_passwords   Includes attempted passwords in verbose authentication logs (often truncated). This greatly increases the risk of credential leakage and must not be enabled in production.
auth_anonymous_username  Specifies the username string assigned to sessions authenticated via the ANONYMOUS SASL mechanism; controls which identity the system records for anonymous logins.

When settings like auth_debug, auth_debug_passwords, auth_verbose, auth_verbose_passwords are enabled, the logs become rich with sensitive information.
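As an added example (not Dovecot code and not from the post), here is a Python check that reads a Dovecot configuration and reports the logging settings from the table above with a severity. The sample configuration is constructed; the keys are real Dovecot settings. disable_plaintext_auth is not in the table but is included because its effect is visible in the Nmap output below (LOGINDISABLED on port 143 before STARTTLS).

```python
"""Scan a Dovecot configuration for risky authentication logging settings (added example)."""


def parse_dovecot_conf(text):
    """Collect key = value pairs; nested blocks such as 'protocol imap { }' prefix the key."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!include"):   # included files are not resolved here
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        else:
            key, sep, value = line.partition("=")
            if sep:
                settings["/".join(path + [key.strip()])] = value.strip()
    return settings


# (setting, predicate on its lower-cased value, severity, why it matters)
RULES = [
    ("auth_debug_passwords", lambda v: v == "yes", "critical", "submitted passwords are written to the log"),
    ("auth_verbose_passwords", lambda v: v != "no", "critical", "attempted passwords (possibly truncated) are logged"),
    ("auth_debug", lambda v: v == "yes", "medium", "internal authentication state is logged"),
    ("auth_verbose", lambda v: v == "yes", "low", "failure reasons and client details are logged; fine for auditing, protect the log"),
    ("disable_plaintext_auth", lambda v: v == "no", "high", "LOGIN/PLAIN accepted before TLS on 110/143"),
]


def audit_dovecot(settings):
    """Return (setting, value, severity, reason) for every rule that fires, in config order."""
    findings = []
    for key, value in settings.items():
        name = key.rsplit("/", 1)[-1]
        for rule_name, is_risky, severity, why in RULES:
            if name == rule_name and is_risky(value.lower()):
                findings.append((name, value, severity, why))
    return findings


# Constructed fragment in the style of conf.d/10-auth.conf, with every risky value switched on.
SAMPLE_CONF = """\
auth_mechanisms = plain login
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
protocol imap {
  mail_max_userip_connections = 10
}
!include auth-system.conf.ext
"""

# The same settings as they should look in production; auth_verbose stays on for auditing.
HARDENED_CONF = """\
auth_mechanisms = plain login
auth_debug = no
auth_debug_passwords = no
auth_verbose = yes
auth_verbose_passwords = no
disable_plaintext_auth = yes
"""

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for name, value, severity, why in audit_dovecot(parse_dovecot_conf(conf)):
            print(f"  [{severity}] {name} = {value}: {why}")
```

To audit a live server, feed it the merged output of `doveconf -n` instead of the individual files, since that already resolves the `!include` lines this parser skips. Note that the hardened fragment still reports `auth_verbose`: that finding is informational, the setting is what makes failed-login auditing possible, and the log itself is what needs protecting.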

Footprinting the Service

Port scanning…

root@kakarot$ sudo nmap 172.16.10.143 -sV -p110,143,993,995 -sC
Starting Nmap 7.92 ( https://nmap.org ) at 2025-09-29 14:49 EDT
Nmap scan report for neo.kakarot.local (172.16.10.143)
Host is up (0.00033s latency).

PORT    STATE SERVICE  VERSION
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: STLS SASL RESP-CODES UIDL CAPA PIPELINING TOP AUTH-RESP-CODE
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=me
| Subject Alternative Name: DNS:me
| Not valid before: 2025-09-09T11:38:22
|_Not valid after:  2035-09-07T11:38:22
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: more SASL-IR LOGIN-REFERRALS OK IMAP4rev1 ENABLE STARTTLS LOGINDISABLEDA0001 have post-login listed capabilities ID IDLE Pre-login LITERAL+
| ssl-cert: Subject: commonName=me
| Subject Alternative Name: DNS:me
| Not valid before: 2025-09-09T11:38:22
|_Not valid after:  2035-09-07T11:38:22
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imap Dovecot imapd
|_imap-capabilities: AUTH=PLAINA0001 SASL-IR IDLE OK IMAP4rev1 ENABLE post-login more have listed capabilities ID LOGIN-REFERRALS Pre-login LITERAL+
| ssl-cert: Subject: commonName=me
| Subject Alternative Name: DNS:me
| Not valid before: 2025-09-09T11:38:22
|_Not valid after:  2035-09-07T11:38:22
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: USER SASL(PLAIN) RESP-CODES UIDL CAPA PIPELINING TOP AUTH-RESP-CODE
| ssl-cert: Subject: commonName=me
| Subject Alternative Name: DNS:me
| Not valid before: 2025-09-09T11:38:22
|_Not valid after:  2035-09-07T11:38:22
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:FD:CC:20 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds
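
The capability lines nmap printed above tell a defender whether each mail listener will accept credentials in cleartext. The following Python script is an added example (not part of the original post): it parses the `pop3-capabilities` and `imap-capabilities` lines from the scan above, normalises the IMAP tag that nmap glues onto some words (the `A0001` in `LOGINDISABLEDA0001`), and reports a finding per port. The `WEAK_NMAP` sample and all function names are constructed for this example.

```python
"""Audit POP3/IMAP capability lines from an nmap scan for cleartext-login exposure.

Added example (not part of the original post). SAMPLE_NMAP is the relevant
part of the scan above; WEAK_NMAP is a constructed counter-example.
"""
import re

# Constructed sample: the four capability lines from the nmap output above.
SAMPLE_NMAP = """\
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: STLS SASL RESP-CODES UIDL CAPA PIPELINING TOP AUTH-RESP-CODE
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: more SASL-IR LOGIN-REFERRALS OK IMAP4rev1 ENABLE STARTTLS LOGINDISABLEDA0001 have post-login listed capabilities ID IDLE Pre-login LITERAL+
993/tcp open  ssl/imap Dovecot imapd
|_imap-capabilities: AUTH=PLAINA0001 SASL-IR IDLE OK IMAP4rev1 ENABLE post-login more have listed capabilities ID LOGIN-REFERRALS Pre-login LITERAL+
995/tcp open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: USER SASL(PLAIN) RESP-CODES UIDL CAPA PIPELINING TOP AUTH-RESP-CODE
"""

# Constructed sample of a weaker server: cleartext ports that accept logins
# before any TLS upgrade (the shape of disable_plaintext_auth = no).
WEAK_NMAP = """\
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: USER SASL(PLAIN) RESP-CODES UIDL CAPA PIPELINING TOP
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: AUTH=PLAIN SASL-IR IMAP4rev1 ENABLE ID IDLE LITERAL+
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
CAP_RE = re.compile(r"^\|_(pop3|imap)-capabilities:\s*(.*)$")
IMAP_TAG_RE = re.compile(r"A\d{4}$")   # nmap glues the IMAP tag onto some words


def parse_nmap_capabilities(text):
    """Return [(port, service, protocol, capability_set)] for each mail listener."""
    listeners = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = (int(m.group(1)), m.group(2))
            continue
        m = CAP_RE.match(line)
        if m and current is not None:
            caps = {IMAP_TAG_RE.sub("", tok) for tok in m.group(2).split()}
            listeners.append((current[0], current[1], m.group(1), caps))
    return listeners


def assess(service, proto, caps):
    """Return finding strings, prefixed RISK: or OK:, for one listener."""
    implicit_tls = service.startswith("ssl/")     # 993/995: TLS from the first byte
    findings = []
    if proto == "imap":
        if implicit_tls:
            findings.append("OK: LOGIN/AUTH=PLAIN only reachable inside TLS")
        else:
            if "STARTTLS" not in caps:
                findings.append("RISK: no STARTTLS offered on cleartext IMAP")
            if "LOGINDISABLED" in caps:
                findings.append("OK: LOGIN disabled until STARTTLS completes")
            else:
                findings.append("RISK: LOGIN accepted in cleartext before STARTTLS")
            if "AUTH=PLAIN" in caps:
                findings.append("RISK: AUTH=PLAIN advertised before STARTTLS")
    else:  # pop3
        if implicit_tls:
            findings.append("OK: USER/PASS only reachable inside TLS")
        else:
            if "STLS" not in caps:
                findings.append("RISK: no STLS offered on cleartext POP3")
            if "USER" in caps or "SASL(PLAIN)" in caps:
                findings.append("RISK: USER/PASS accepted in cleartext before STLS")
            else:
                findings.append("OK: USER/PASS withheld until STLS completes")
    return findings


def audit(nmap_text):
    """Map each mail port to its findings."""
    return {port: assess(svc, proto, caps)
            for port, svc, proto, caps in parse_nmap_capabilities(nmap_text)}


if __name__ == "__main__":
    for label, text in (("scan above", SAMPLE_NMAP), ("weak server", WEAK_NMAP)):
        print(f"== {label}")
        for port, findings in sorted(audit(text).items()):
            for f in findings:
                print(f"{port:>4}  {f}")
```

Run against the scan above, every port comes back `OK:`: the cleartext listeners withhold `USER` and `LOGIN` until STLS/STARTTLS, and plaintext mechanisms only appear on the implicit-TLS ports. The other thing worth noting from the same output is the certificate: `commonName=me` does not match the host, which is why the curl commands below need `-k`, and a client that verifies certificates would refuse the connection.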

Interact with a POP3/IMAP server using cURL

root@kakarot$ curl -k 'pop3s://172.16.10.143' --user neo:neo@3301
1 434
2 434
3 434

root@kakarot$ curl -k 'pop3s://172.16.10.143/2' --user neo:neo@3301
Return-Path: <morpheus@kakarot.local>
X-Original-To: neo@kakarot.local
Delivered-To: neo@kakarot.local
Received: by mail.kakarot.local (Postfix, from userid 0)
        id 15C82FFC27; Sat, 27 Sep 2025 20:01:39 -0400 (EDT)
Subject: Wake up
To: <neo@kakarot.local>
User-Agent: mail (GNU Mailutils 3.15)
Date: Sat, 27 Sep 2025 20:01:39 -0400
Message-Id: <20250928000139.15C82FFC27@mail.kakarot.local>
From: root <morpheus@kakarot.local>
root@kakarot$ curl -k 'imaps://172.16.10.143' --user neo:neo@3301

* LIST (\HasNoChildren) "." Important
* LIST (\HasNoChildren) "/" INBOX

If we also pass the verbose -v option, we will see how the connection is established, which TLS version and cipher are used for encryption, and more.

Interact with a POP3/IMAP server using openssl

root@kakarot$ openssl s_client -connect 172.16.10.143:995 -crlf -ign_eof
Connecting to 172.16.10.143
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=me
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=me
verify return:1
---
Certificate chain
 0 s:CN=me
   i:CN=me
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  9 11:38:22 2025 GMT; NotAfter: Sep  7 11:38:22 2035 GMT
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1299 bytes and written 382 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1861D610F7A4788234104CBAF853454E7EA59534ED7F26BFA3C10DF8A7F9DB1E
    Session-ID-ctx: 
    Resumption PSK: 733437D2D93B482217D08E457D0031E43F7CF2398D9951A68250EE3F36AB956ECBD1CD88B14C187F5CFFB0BCCDFFA929
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 9e d5 fa fd b9 dd 0f 4f-2b 32 af 68 8e 0a f9 50   .......O+2.h...P
    0010 - 12 6d 58 73 f4 e3 30 e1-c3 d3 ca 93 01 7f 8c 4d   .mXs..0........M
    0020 - 72 ce d4 cf f2 1f d9 a2-7e 7e 43 7b 5a 04 de c3   r.......~~C{Z...
    0030 - bc 83 85 c0 72 b0 99 22-2f ac e8 f8 8b e7 e5 66   ....r.."/......f
    0040 - bb 13 3c e4 ad 0d c8 61-c8 5f 2e 40 97 6d 80 26   ..<....a._.@.m.&
    0050 - 63 3c 68 13 fa 46 70 75-5e cb 83 a5 f5 fc 03 eb   c<h..Fpu^.......
    0060 - 75 95 ba a5 f9 b0 93 81-02 b6 d7 15 78 24 79 12   u...........x$y.
    0070 - de d4 46 6a 30 bc 2d 9d-e5 2c a1 f4 9b 02 81 39   ..Fj0.-..,.....9
    0080 - b1 9e 7e a7 9a 04 ed d2-3c 63 4b b5 fc a3 dd c4   ..~.....<cK.....
    0090 - 3b e4 b0 ac 0d b5 81 f7-bb 36 61 aa c7 e6 e4 b7   ;........6a.....
    00a0 - 4a 2f 74 22 6c e3 59 53-e0 9a 90 19 54 45 37 b7   J/t"l.YS....TE7.
    00b0 - 6e 52 25 41 10 fa b8 e8-60 e9 3e 8f 8d 63 b2 87   nR%A....`.>..c..
    00c0 - a9 e5 bf 8b 5c 23 88 e9-b8 1c 8f de 19 2e 20 42   ....\#........ B

    Start Time: 1759182685
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1A71DC277EAF4B57AF2431CEDDB2D660C7DD397F9394EF228CFC958EE8CB9C60
    Session-ID-ctx: 
    Resumption PSK: 98BA9B54E0C3EAE554EBAD254860F98FBD7263D5B0B936B1DCE34739AA7DF67A725C18EC69D7E037F6AE32B5823FD7F0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 9e d5 fa fd b9 dd 0f 4f-2b 32 af 68 8e 0a f9 50   .......O+2.h...P
    0010 - a8 3c 3b 74 22 ab 1c 0e-05 71 38 15 a8 34 b1 57   .<;t"....q8..4.W
    0020 - 24 e4 a2 73 d4 31 2b 77-a1 41 31 2d b7 fe b4 50   $..s.1+w.A1-...P
    0030 - a0 c1 b3 a0 96 bf 40 05-db 42 b4 fb 22 4a 89 4e   ......@..B.."J.N
    0040 - 18 82 9f 87 c5 b2 8a fa-4f 85 f9 74 76 32 7d 10   ........O..tv2}.
    0050 - e2 47 4e bf c1 84 91 48-c5 e0 03 cb f4 46 9c a6   .GN....H.....F..
    0060 - c3 40 d2 ef 8a 31 cc ca-65 e3 12 99 4d a5 f2 1c   .@...1..e...M...
    0070 - 50 97 fc 86 b7 fe 3d 01-c3 04 c9 c2 0a 8a a7 6e   P.....=........n
    0080 - 7e 7f e3 ff 8d 83 65 0a-28 2f bc 26 ca c7 f3 77   ~.....e.(/.&...w
    0090 - 69 23 dd e3 a1 e1 c4 22-88 d4 31 a2 5f db c7 29   i#....."..1._..)
    00a0 - d7 1b ce 56 c7 91 c4 cd-25 7e 73 84 81 dd 04 59   ...V....%~s....Y
    00b0 - 64 8f d9 56 1e 6a a0 a7-f5 33 2b 21 3c 7e f3 2e   d..V.j...3+!<~..
    00c0 - 89 85 4f 0f 06 ba 22 e0-94 c6 01 95 7d 0b 94 ac   ..O...".....}...

    Start Time: 1759182685
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---


read R BLOCK
+OK Dovecot (Debian) ready.


USER neo
+OK

PASS neo@3301
+OK Logged in.

LIST
+OK 3 messages:
1 434
2 434
3 434
.

RETR 1
+OK 434 octets
Return-Path: <root@me>
X-Original-To: neo@kakarot.local
Delivered-To: neo@kakarot.local
Received: by mail.kakarot.local (Postfix, from userid 0)
        id A6C28FFB51; Sat, 27 Sep 2025 19:58:31 -0400 (EDT)
Subject: Wake up
To: <neo@kakarot.local>
User-Agent: mail (GNU Mailutils 3.15)
Date: Sat, 27 Sep 2025 19:58:31 -0400
Message-Id: <20250927235831.A6C28FFB51@mail.kakarot.local>
From: root <root@me>

Follow the white rabbit
.
QUIT
+OK Logging out.
closed
root@kakarot$ openssl s_client -connect 172.16.10.143:993 -crlf -ign_eof
Connecting to 172.16.10.143
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=me
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=me
verify return:1
---
Certificate chain
 0 s:CN=me
   i:CN=me
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  9 11:38:22 2025 GMT; NotAfter: Sep  7 11:38:22 2035 GMT
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1299 bytes and written 382 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3423CA2AF24E6CECC33DB73779C66B6C769BC6099483423BE1663418AE946D10
    Session-ID-ctx: 
    Resumption PSK: 99BF7E88545985435B8DCF3538365BCAB8680B68E0835F6F2D5DED19CBEA995D245FD90820F710AEF5D57FF91F66D662
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 67 a1 92 cf be d6 89 f6-01 23 d2 82 05 f1 80 cf   g........#......
    0010 - a6 52 f8 60 e8 75 f1 53-1f 83 60 a0 8b 88 55 59   .R.`.u.S..`...UY
    0020 - d1 06 19 8b 22 ef 10 07-ce b7 16 a4 e5 37 47 11   ...."........7G.
    0030 - 9d fc 4c 9d 61 b8 ff 08-2c 53 da 30 20 a5 6d b1   ..L.a...,S.0 .m.
    0040 - ba 78 69 3f cb 54 a7 8a-72 df 5c 89 fe d0 27 fb   .xi?.T..r.\...'.
    0050 - af 4b 43 f2 af a8 25 00-1d 19 dd 0e 2a f4 e5 a1   .KC...%.....*...
    0060 - d8 eb 47 07 a5 fd 41 ec-e9 ce ed 69 a7 06 a8 a1   ..G...A....i....
    0070 - 8b 78 6a d2 bc 9f 41 12-ee d6 5e 60 34 39 c1 15   .xj...A...^`49..
    0080 - 3c a2 f0 c7 01 80 f4 76-25 71 6d 31 b7 5e 4e c5   <......v%qm1.^N.
    0090 - c0 dc 53 f6 36 c2 4a 67-23 a1 3a c1 e5 8f b4 81   ..S.6.Jg#.:.....
    00a0 - 77 30 4c 5f 3a 5f f5 63-59 b6 13 d6 10 5c 8f a6   w0L_:_.cY....\..
    00b0 - 37 1d 3c 92 0f 05 ec a3-67 5d 71 34 fb 16 e1 bc   7.<.....g]q4....
    00c0 - 2a d8 40 0a 88 c3 57 c1-7f e4 d9 01 b5 c1 50 1a   *.@...W.......P.

    Start Time: 1759183406
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9A31FBC68CB8C7F8CC1021CC1624404EC6E50C79C28BFE60BC57651036EE12D7
    Session-ID-ctx: 
    Resumption PSK: 279D7940BD9A740469D2719830C6BD49B221E39CF70824B60D6ABCF1872806562A1A295FB7B5A3075A2806E1E914B3E3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 67 a1 92 cf be d6 89 f6-01 23 d2 82 05 f1 80 cf   g........#......
    0010 - 9d 71 0d ec 81 1b 31 9a-d3 2c 94 4e 47 00 4b 94   .q....1..,.NG.K.
    0020 - 48 71 da bb 7b b7 ef 49-a4 26 d4 28 44 e4 a0 f2   Hq..{..I.&.(D...
    0030 - 29 83 cd 29 70 78 1b db-85 24 32 7f 34 8a cc f8   )..)px...$2.4...
    0040 - 9c 34 8e 31 bf 44 13 dd-8e 28 28 ff 8e 2b 29 dd   .4.1.D...((..+).
    0050 - 88 35 2c 8e e9 1e 6b 1a-be e0 c1 b2 b1 cc 7a 78   .5,...k.......zx
    0060 - 3f 16 1f c1 1b 9e 04 f7-24 03 6d 08 3c 9d 44 3f   ?.......$.m.<.D?
    0070 - 8d e2 0c dd 2a 85 d0 07-51 c9 e2 bf 76 39 5a c7   ....*...Q...v9Z.
    0080 - fb 38 12 96 d3 a0 d2 3d-a9 9b c8 81 24 2c 34 c3   .8.....=....$,4.
    0090 - 6f b7 15 cd 3c d6 bf 49-e3 54 7b 68 a4 a8 3a c3   o...<..I.T{h..:.
    00a0 - 54 c4 63 6a d6 dd 3a ef-93 47 9e f8 70 a5 46 d5   T.cj..:..G..p.F.
    00b0 - 9f e7 ab 76 63 c1 ff bf-e0 e7 cd e1 95 4a 24 4f   ...vc........J$O
    00c0 - 11 b2 12 7e 21 27 77 fe-2d 79 25 a6 6e d5 cb c2   ...~!'w.-y%.n...

    Start Time: 1759183406
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---


read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Debian) ready.

a001 LOGIN neo neo@3301
a001 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE] Logged in

a002 LIST "" *
* LIST (\HasNoChildren) "/" INBOX
a002 OK List completed (0.001 + 0.000 secs).

a003 SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 3 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1759172707] UIDs valid
* OK [UIDNEXT 4] Predicted next UID
a003 OK [READ-WRITE] Select completed (0.002 + 0.000 + 0.001 secs).

a007 FETCH 1:3 (BODY[])    
* 1 FETCH (BODY[] {434}
Return-Path: <root@me>
X-Original-To: neo@kakarot.local
Delivered-To: neo@kakarot.local
Received: by mail.kakarot.local (Postfix, from userid 0)
        id A6C28FFB51; Sat, 27 Sep 2025 19:58:31 -0400 (EDT)
Subject: Wake up
To: <neo@kakarot.local>
User-Agent: mail (GNU Mailutils 3.15)
Date: Sat, 27 Sep 2025 19:58:31 -0400
Message-Id: <20250927235831.A6C28FFB51@mail.kakarot.local>
From: root <root@me>

Follow the white rabbit
)
* 2 FETCH (BODY[] {434}
Return-Path: <root@me>
X-Original-To: neo@kakarot.local
Delivered-To: neo@kakarot.local
Received: by mail.kakarot.local (Postfix, from userid 0)
        id 15C82FFC27; Sat, 27 Sep 2025 20:01:39 -0400 (EDT)
Subject: Wake up
To: <neo@kakarot.local>
User-Agent: mail (GNU Mailutils 3.15)
Date: Sat, 27 Sep 2025 20:01:39 -0400
Message-Id: <20250928000139.15C82FFC27@mail.kakarot.local>
From: root <root@me>

Follow the white rabbit
)
* 3 FETCH (BODY[] {434}
Return-Path: <root@me>
X-Original-To: neo@kakarot.local
Delivered-To: neo@kakarot.local
Received: by mail.kakarot.local (Postfix, from userid 0)
        id F3500FFC27; Sat, 27 Sep 2025 20:03:32 -0400 (EDT)
Subject: Wake up
To: <neo@kakarot.local>
User-Agent: mail (GNU Mailutils 3.15)
Date: Sat, 27 Sep 2025 20:03:32 -0400
Message-Id: <20250928000332.F3500FFC27@mail.kakarot.local>
From: root <root@me>

Follow the white rabbit
)
a007 OK Fetch completed (0.003 + 0.000 + 0.002 secs).

SNMP

SNMP, or Simple Network Management Protocol, is a standard method for monitoring and managing network components such as routers, switches, servers, and IoT devices. It operates on a client-server model: lightweight agents run on the devices and a manager communicates with them over UDP on port 161, while the manager receives unrequested reports called traps on port 162. Central to SNMP is the Management Information Base (MIB), a textual ‘map’ in which every queryable item and its associated details are arranged, each identified by an Object Identifier (OID). OIDs are sequences of dotted numbers that indicate an item’s position within the hierarchy, becoming more specific with each component. SNMP is available in multiple versions. v1 and v2c are the simplest to implement and the most widely deployed, but they offer no real protection: authentication and encryption are replaced by community strings, which function as weak passwords and can easily be intercepted. v3 adds user-based access control and authentication, with optional encryption layers, which makes the system more secure.

Default Configuration

root@kakarot$ cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'

sysLocation    Sitting on the Dock of the Bay
sysContact     Me <me@example.org>
sysServices    72
master  agentx
agentaddress  127.0.0.1,[::1]
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1
rocommunity  public default -V systemonly
rocommunity6 public default -V systemonly
rouser authPrivUser authpriv -V systemonly

Here is the SNMP manpage!

Dangerous Settings

Settings Description
rwuser noauth Grants unrestricted read-write access to the entire SNMP OID tree without requiring any authentication.
rwcommunity <community string> <IPv4 address> Grants full read-write access to the entire SNMP OID tree for requests originating from the specified IPv4 address.
rwcommunity6 <community string> <IPv6 address> Provides the same full read-write access as rwcommunity, specifically for requests originating from the specified IPv6 address.

Footprinting the Service

Nmap Scanning…

root@kakarot$ nmap -sU --script snmp-brute <target-ip> -p 161

SNMPwalk - Used to recursively query OIDs from an SNMP agent and retrieve their values defined in the MIB…

root@kakarot$ snmpwalk -v2c -c public 172.16.10.143

iso.3.6.1.2.1.1.1.0 = STRING: "Linux neo 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (5134) 0:00:51.34
iso.3.6.1.2.1.1.4.0 = STRING: "e3tr@kakarot.info"
iso.3.6.1.2.1.1.5.0 = STRING: "neo"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (3676678) 10:12:46.78
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E5 09 14 0E 2B 2D 00 2B 02 00 
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-5.11.0-34-generic root=UUID=9a6a5c52-f92a-42ea-8ddf-940d7e0f4223 ro quiet splash"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 3
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 411
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

...SNIP...

iso.3.6.1.2.1.25.6.3.1.2.1232 = STRING: "printer-driver-sag-gdi_0.1-7_all"
iso.3.6.1.2.1.25.6.3.1.2.1233 = STRING: "printer-driver-splix_2.0.0+svn315-7fakesync1build1_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1234 = STRING: "procps_2:3.3.16-1ubuntu2.3_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1235 = STRING: "proftpd-basic_1.3.6c-2_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1236 = STRING: "proftpd-doc_1.3.6c-2_all"
iso.3.6.1.2.1.25.6.3.1.2.1237 = STRING: "psmisc_23.3-1_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1238 = STRING: "publicsuffix_20200303.0012-1_all"
iso.3.6.1.2.1.25.6.3.1.2.1239 = STRING: "pulseaudio_1:13.99.1-1ubuntu3.12_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1240 = STRING: "pulseaudio-module-bluetooth_1:13.99.1-1ubuntu3.12_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1241 = STRING: "pulseaudio-utils_1:13.99.1-1ubuntu3.12_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1242 = STRING: "python-apt-common_2.0.0ubuntu0.20.04.6_all"
iso.3.6.1.2.1.25.6.3.1.2.1243 = STRING: "python3_3.8.2-0ubuntu2_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1244 = STRING: "python3-acme_1.1.0-1_all"
iso.3.6.1.2.1.25.6.3.1.2.1245 = STRING: "python3-apport_2.20.11-0ubuntu27.21_all"
iso.3.6.1.2.1.25.6.3.1.2.1246 = STRING: "python3-apt_2.0.0ubuntu0.20.04.6_amd64" 

...SNIP...
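
The walk above is worth reading with the default snmpd.conf in mind: the `systemonly` view only exposes the system group (.1.3.6.1.2.1.1) and .1.3.6.1.2.1.25.1, yet the agent also answered for .1.3.6.1.2.1.25.6.3.1.2 (hrSWInstalledName, the installed package list with versions). The following Python script is an added example (not part of the original post): it parses snmpwalk output into typed records, maps the standard OIDs to their MIB names (from SNMPv2-MIB and HOST-RESOURCES-MIB), splits package strings into name, version and architecture, and lists every OID the agent returned that lies outside the view it was supposed to be limited to. `SAMPLE_WALK` is constructed from lines of the output above; the function names are mine.

```python
"""Parse snmpwalk output and summarise what a read-only community string exposes.

Added example (not part of the original post). SAMPLE_WALK is constructed
from lines of the snmpwalk output above.
"""
import re

SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux neo 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (5134) 0:00:51.34
iso.3.6.1.2.1.1.4.0 = STRING: "e3tr@kakarot.info"
iso.3.6.1.2.1.1.5.0 = STRING: "neo"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (3676678) 10:12:46.78
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-5.11.0-34-generic root=UUID=9a6a5c52-f92a-42ea-8ddf-940d7e0f4223 ro quiet splash"
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
iso.3.6.1.2.1.25.6.3.1.2.1234 = STRING: "procps_2:3.3.16-1ubuntu2.3_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1235 = STRING: "proftpd-basic_1.3.6c-2_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1243 = STRING: "python3_3.8.2-0ubuntu2_amd64"
"""

# Standard scalars: the SNMPv2-MIB system group and two HOST-RESOURCES-MIB objects.
OID_NAMES = {
    "1.3.6.1.2.1.1.1": "sysDescr",
    "1.3.6.1.2.1.1.2": "sysObjectID",
    "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.1.4": "sysContact",
    "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.2.1.1.6": "sysLocation",
    "1.3.6.1.2.1.1.7": "sysServices",
    "1.3.6.1.2.1.25.1.1": "hrSystemUptime",
    "1.3.6.1.2.1.25.1.4": "hrSystemInitialLoadParameters",
}
HR_SW_INSTALLED_NAME = "1.3.6.1.2.1.25.6.3.1.2"
# The two subtrees the default snmpd.conf 'systemonly' view (shown above) exposes.
SYSTEMONLY_VIEW = ("1.3.6.1.2.1.1", "1.3.6.1.2.1.25.1")

LINE_RE = re.compile(r"^(?:iso|\.?1)((?:\.\d+)+) = ([\w-]+): (.*)$")


def _decode(vtype, raw):
    """Turn the textual snmpwalk value into a Python value."""
    if vtype == "STRING":
        return raw.strip('"')
    if vtype in ("INTEGER", "Gauge32", "Counter32"):
        return int(raw)
    if vtype == "Timeticks":                    # "(5134) 0:00:51.34" -> 5134
        return int(raw[raw.index("(") + 1:raw.index(")")])
    if vtype == "OID":
        return raw.replace("iso", "1", 1)
    return raw                                   # Hex-STRING etc. kept verbatim


def parse_snmpwalk(text):
    """Return [(numeric_oid, type, value)]; lines without a typed value are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(("1" + m.group(1), m.group(2), _decode(m.group(2), m.group(3))))
    return records


def _under(oid, prefix):
    return oid == prefix or oid.startswith(prefix + ".")


def system_info(records):
    """Map the named scalars (sysName, sysContact, ...) to their values."""
    info = {}
    for oid, _, value in records:
        for prefix, name in OID_NAMES.items():
            if _under(oid, prefix):
                info[name] = value
    return info


def installed_packages(records):
    """Split hrSWInstalledName strings 'name_version_arch' into tuples."""
    pkgs = []
    for oid, _, value in records:
        if _under(oid, HR_SW_INSTALLED_NAME):
            name, version, arch = value.rsplit("_", 2)
            pkgs.append((name, version, arch))
    return pkgs


def outside_view(records, allowed=SYSTEMONLY_VIEW):
    """OIDs the agent returned that the given view should not have exposed."""
    return [oid for oid, _, _ in records
            if not any(_under(oid, p) for p in allowed)]


if __name__ == "__main__":
    recs = parse_snmpwalk(SAMPLE_WALK)
    for k, v in system_info(recs).items():
        print(f"{k:30} {v}")
    print("installed packages:", installed_packages(recs))
    print("outside systemonly view:", outside_view(recs))
```

For a defender the `outside_view` result is the actionable part: anything it lists means the agent is not running with the view the config file claims (a custom `rocommunity` line without `-V`, or a different config than expected), and the package list it exposes is exactly the version inventory the Dangerous Settings table warns about.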

Onesixtyone - Used to brute-force the names of the community strings, since they can be named arbitrarily by the administrator.

root@kakarot$ sudo apt install onesixtyone
root@kakarot$ onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt 172.16.10.143

Scanning 1 hosts, 3220 communities
172.16.10.143 [public] Linux mee 5.11.0-37-generic #41~20.04.2-Ubuntu SMP ... x86_64

Community strings are often named after hostnames, sometimes with added symbols. On large networks, patterns may exist, allowing you to guess them. Tools like crunch can help create custom wordlists for smarter SNMP enumeration.

Braa - Used to brute-force the individual OIDs and enumerate the information behind them…

root@kakarot$ sudo apt install braa
root@kakarot$ braa <community string>@<IP>:.1.3.6.*   # Syntax
root@kakarot$ braa public@172.16.10.143:.1.3.6.*

172.16.10.143:20ms:.1.3.6.1.2.1.1.1.0:Linux mee 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64
172.16.10.143:20ms:.1.3.6.1.2.1.1.2.0:.1.3.6.1.4.1.8072.3.2.10
172.16.10.143:20ms:.1.3.6.1.2.1.1.3.0:548
172.16.10.143:20ms:.1.3.6.1.2.1.1.4.0:e3tr@kakarot.info
172.16.10.143:20ms:.1.3.6.1.2.1.1.5.0:mee
172.16.10.143:20ms:.1.3.6.1.2.1.1.6.0:US
172.16.10.143:20ms:.1.3.6.1.2.1.1.7.0:78
...SNIP...

MySQL

MySQL is basically one of the go-to databases when people build dynamic websites. It’s been around for a long time, and even though Oracle owns it now, it’s still open-source, which means you don’t pay for it. That’s one big reason people like it. Another one is that it’s fast, and it doesn’t eat up too much space.

The idea behind it is the client–server setup. The server is where all the data actually lives, in tables with rows and columns. Clients just send SQL commands, like add this, remove that, or give me the info I need. Pretty straightforward once you get the hang of it.

Most of the time, MySQL comes as part of what’s called LAMP or LEMP. That’s Linux, Apache or Nginx, PHP, and MySQL. In that role, it usually stores sensitive stuff, like usernames, passwords, emails, and access levels. That’s why it’s such a big deal for security. Sure, passwords are normally hashed so they’re not just plain text, but things like SQL injection can still break through. And honestly, error messages can sometimes spill details about the database that attackers find useful.

What makes MySQL strong is also what makes it risky. You get a lot of freedom to design tables, set up relationships, add indexes, and manage users. But if the setup is weak or messy, it’s easy to exploit.

And then there’s MariaDB. It’s basically MySQL’s sibling, created after Oracle took over. Same core idea, still open-source, and many people use it because they wanted something not tied to Oracle.
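
The two risks named above (plaintext passwords in the table, and SQL injection through queries built from user input) are easiest to see side by side. The following Python script is an added example (not part of the original post): it builds the same `users` table the walkthrough below creates, a hardened counterpart that stores only a salt and a PBKDF2 hash, and two login functions, one with the string-built query anti-pattern and one with a parameterised lookup and constant-time comparison. `sqlite3` stands in for MySQL so the script runs offline (the assumption here; with a MySQL driver the placeholder is `%s` instead of `?`), and the demo rows are constructed.

```python
"""Hashed passwords and parameterised queries beside the plaintext/string-built
anti-pattern.

Added example (not part of the original post). sqlite3 stands in for MySQL so
it runs offline; with a MySQL driver the placeholder is %s instead of ?.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed rows matching the demo table in the walkthrough.
DEMO_ROWS = [("admin", "admin123"), ("peter", "peter123"), ("bob", "bob@123")]
PBKDF2_ROUNDS = 100_000   # kept low for the demo; raise it (or use Argon2) in production


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only the digest and the salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def add_user(conn, username, password):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users_hardened (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def build_demo_db():
    """In-memory DB with the plaintext table from the page and a hardened counterpart."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "username VARCHAR(50), password VARCHAR(50))")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", DEMO_ROWS)
    conn.execute("CREATE TABLE users_hardened (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "username VARCHAR(50) UNIQUE NOT NULL, salt BLOB NOT NULL, "
                 "pw_hash BLOB NOT NULL)")
    for user, pw in DEMO_ROWS:
        add_user(conn, user, pw)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Anti-pattern: SQL built by string formatting over plaintext passwords.
    Untrusted input becomes part of the statement, so the caller can rewrite
    the WHERE clause."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised lookup plus constant-time comparison of the recomputed hash.
    Injected input cannot change the query; it simply fails to verify."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hardened WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = build_demo_db()
    probe = "' OR '1'='1"                     # the textbook injection probe as a password
    print("vulnerable, real password :", login_vulnerable(db, "admin", "admin123"))
    print("vulnerable, injected input:", login_vulnerable(db, "admin", probe))
    print("safe, real password       :", login_safe(db, "admin", "admin123"))
    print("safe, injected input      :", login_safe(db, "admin", probe))
```

The point of the pairing: against the plaintext table the probe authenticates without knowing any password, while the hardened path rejects it and, even if the table were dumped as in the `SELECT * FROM users` output later on, an attacker would recover salts and digests rather than credentials.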

Install & Configure MySQL Server

Install MySQL server software on the server machine:

root@kakarot$ sudo apt install mysql-server -y

If you see the error E: Package 'mysql-server' has no installation candidate, follow these steps:

root@kakarot$ sudo wget https://dev.mysql.com/get/mysql-apt-config_0.8.30-1_all.deb
root@kakarot$ sudo dpkg -i mysql-apt-config_0.8.30-1_all.deb
root@kakarot$ sudo apt update
root@kakarot$ sudo apt install mysql-server -y

We can find the default configs here:

root@kakarot$ cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'

Create a database, table, and insert data:

root@kakarot$ sudo mysql -u root -p

mysql> CREATE DATABASE users;
mysql> USE users;
mysql> CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50), password VARCHAR(50));
mysql> INSERT INTO users (username, password) VALUES ('admin', 'admin123');
...

Allow the client machine to connect securely:

root@kakarot$ sudo mysql -u root -p

mysql> CREATE USER 'neo'@'172.16.10.1' IDENTIFIED BY 'Neo@3301';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'neo'@'172.16.10.1' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
mysql> EXIT;

Verify that the server is accessible remotely:

root@neo$ mysql -u neo -h 172.16.10.143 -pNeo@3301

MySQL [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| users              |
+--------------------+

MySQL [(none)]> USE users;

MySQL [users]> SHOW TABLES;
+-----------------+
| Tables_in_users |
+-----------------+
| users           |
+-----------------+

MySQL [users]> SELECT * FROM users;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | admin    | admin123 |
|  2 | peter    | peter123 |
|  3 | bob      | bob@123  |
+----+----------+----------+

Dangerous Settings

Setting Description
user Defines the system account under which the MySQL server process (mysqld) runs. Typically set to mysql to ensure process isolation and security.
password Historically used to set a password for the MySQL user at startup, but it is deprecated because it may expose credentials in plain text. It is recommended to use MySQL’s internal account management or secure tools such as mysql_secure_installation instead.
admin_address Specifies the IP address on which the MySQL server listens for administrative TCP/IP connections. Commonly used to separate administrative access from regular user connections for security purposes.
debug Controls debugging options for the server. When enabled, it logs detailed internal execution information, useful for troubleshooting and performance analysis.
sql_warnings Determines whether MySQL generates warning messages for certain operations (e.g., single-row INSERT statements that cause truncation or implicit conversions). Helps identify logical or data consistency issues.
secure_file_priv Restricts the directory path for data import and export operations (LOAD DATA INFILE, SELECT ... INTO OUTFILE). Enhances security by preventing unauthorized file access outside the specified directory.

See here for more information about settings!
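
Each of the three Dangerous Settings tables in this post (Dovecot's auth_debug, auth_debug_passwords and auth_verbose_passwords; snmpd's rwcommunity, rwcommunity6 and rwuser noauth; and the MySQL user, password, debug and secure_file_priv options above) describes a line in a config file that a defender should be able to spot mechanically. The following Python script is an added example (not part of the original post) that does that for all three formats: Dovecot's `key = value` lines, snmpd.conf's whitespace-separated directives, and my.cnf's `[mysqld]` section. The three config snippets are constructed to trigger every check, the `password` value is an obvious placeholder, and the function names are mine.

```python
"""Flag the dangerous settings from the Dovecot, SNMP and MySQL tables in their
configuration files.

Added example (not part of the original post). The config snippets are
constructed; the password value is a placeholder.
"""

DOVECOT_CONF = """\
auth_mechanisms = plain login
auth_verbose = yes
auth_debug_passwords = yes
auth_verbose_passwords = plain
"""

SNMPD_CONF = """\
sysLocation    Sitting on the Dock of the Bay
rocommunity  public default -V systemonly
rwcommunity  private 10.0.0.0/8
rwuser backup noauth
"""

MYSQLD_CNF = """\
[mysqld]
user = root
password = placeholder-not-a-real-secret
debug = d:t:o,/tmp/mysqld.trace
secure_file_priv = ""
[client]
socket = /var/run/mysqld/mysqld.sock
"""


def _strip(line):
    """Drop comments and surrounding whitespace; returns '' for lines to skip."""
    return line.split("#", 1)[0].strip()


def _view(parts):
    """'-V NAME' limits a community/user to a view; otherwise the whole tree."""
    if "-V" in parts:
        i = parts.index("-V")
        if i + 1 < len(parts):
            return f"view {parts[i + 1]}"
    return "entire OID tree"


def audit_dovecot(conf):
    """Dovecot 'key = value' settings: auth_debug*, auth_verbose_passwords."""
    findings = []
    for raw in conf.splitlines():
        line = _strip(raw)
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ("auth_debug", "auth_debug_passwords") and value == "yes":
            findings.append(f"{key}=yes: authentication debug output in logs")
        elif key == "auth_verbose_passwords" and value not in ("", "no"):
            findings.append(f"{key}={value}: attempted passwords written to logs")
    return findings


def audit_snmpd(conf):
    """snmpd.conf directives: read-write communities/users and well-known strings."""
    findings = []
    for raw in conf.splitlines():
        parts = _strip(raw).split()
        if len(parts) < 2:
            continue
        directive, name = parts[0], parts[1]
        if directive in ("rwcommunity", "rwcommunity6"):
            source = parts[2] if len(parts) > 2 and parts[2] != "-V" else "default (any host)"
            findings.append(f"{directive} '{name}' from {source}: read-write on {_view(parts)}")
        elif directive == "rwuser" and parts[2:3] == ["noauth"]:
            findings.append(f"rwuser {name} noauth: read-write on {_view(parts)} without authentication")
        elif directive in ("rocommunity", "rocommunity6") and name in ("public", "private"):
            findings.append(f"{directive} uses well-known community string '{name}'")
    return findings


def audit_mysqld(conf):
    """my.cnf [mysqld] section: user, password, debug, secure_file_priv."""
    findings = []
    section = None
    for raw in conf.splitlines():
        line = _strip(raw)
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        key = key.strip().replace("-", "_")      # my.cnf accepts both spellings
        value = value.strip().strip('"')
        if key == "user" and value == "root":
            findings.append("user=root: server runs as root instead of a dedicated account")
        elif key == "password":
            findings.append("password: plaintext credential stored in the server config")
        elif key == "debug":
            findings.append(f"debug={value}: internal tracing enabled")
        elif key == "secure_file_priv" and value == "":
            findings.append("secure_file_priv='': file import/export not confined to a directory")
    return findings


if __name__ == "__main__":
    for name, fn, conf in (("dovecot", audit_dovecot, DOVECOT_CONF),
                           ("snmpd", audit_snmpd, SNMPD_CONF),
                           ("mysqld", audit_mysqld, MYSQLD_CNF)):
        print(f"== {name}")
        for f in fn(conf):
            print("  ", f)
```

The snmpd check mirrors the default config shown earlier: a `rocommunity public ... -V systemonly` line is flagged only for the well-known string, while an `rwcommunity` without `-V` is reported as read-write on the entire tree, which is the difference the Dangerous Settings table draws.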

Footprinting the Service

Scanning MySQL Server…

root@kakarot$ sudo nmap 172.16.10.143 -sV -sC -p3306 --script mysql\*
Starting Nmap 7.92 ( https://nmap.org ) at 0000-00-00 00:00 EDT
Nmap scan report for neo.kakarot.local (172.16.10.143)
Host is up (0.00026s latency).

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 8.0.43
| mysql-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 50009 guesses in 23 seconds, average tps: 2082.3
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.43
|   Thread ID: 21
|   Capabilities flags: 65535
|   Some Capabilities: ConnectWithDatabase, Support41Auth, SupportsLoadDataLocal, LongPassword, SupportsTransactions, IgnoreSigpipes, FoundRows, SwitchToSSLAfterHandshake, InteractiveClient, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsCompression, Speaks41ProtocolNew, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: :{\x02!2\x0E\x06N\x01'"\x0D9-\x17W]XM\x13
|_  Auth Plugin Name: caching_sha2_password
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:FD:CC:20 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.60 seconds  

Interaction with the MySQL Server…

root@kakarot$ mysql -u neo -h 172.16.10.143 -pNeo@3301

The key MySQL databases are sys (management metadata) and information_schema (information about all databases).

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| users              |
+--------------------+

mysql> use sys;

mysql> show tables;
+-----------------------------------------------+
| Tables_in_sys                                 |
+-----------------------------------------------+
| host_summary                                  |
| host_summary_by_file_io                       |
| host_summary_by_file_io_type                  |
| host_summary_by_stages                        |
| host_summary_by_statement_latency             |
| host_summary_by_statement_type                |
| innodb_buffer_stats_by_schema                 |
| innodb_buffer_stats_by_table                  |
| innodb_lock_waits                             |
| io_by_thread_by_latency                       |
| io_global_by_file_by_bytes                    |
| io_global_by_file_by_latency                  |
| io_global_by_wait_by_bytes                    |
| io_global_by_wait_by_latency                  |
| latest_file_io                                |
| memory_by_host_by_current_bytes               |
| memory_by_thread_by_current_bytes             |
| memory_by_user_by_current_bytes               |
| memory_global_by_current_bytes                |
| memory_global_total                           |
| metrics                                       |
| processlist                                   |
| ps_check_lost_instrumentation                 |
| schema_auto_increment_columns                 |
| schema_index_statistics                       |
| schema_object_overview                        |
| schema_redundant_indexes                      |
| schema_table_lock_waits                       |
| schema_table_statistics                       |
| schema_table_statistics_with_buffer           |
| schema_tables_with_full_table_scans           |
| schema_unused_indexes                         |
| session                                       |
| session_ssl_status                            |
| statement_analysis                            |
| statements_with_errors_or_warnings            |
| statements_with_full_table_scans              |
| statements_with_runtimes_in_95th_percentile   |
| statements_with_sorting                       |
| statements_with_temp_tables                   |
| sys_config                                    |
| user_summary                                  |
| user_summary_by_file_io                       |
| user_summary_by_file_io_type                  |
| user_summary_by_stages                        |
| user_summary_by_statement_latency             |
| user_summary_by_statement_type                |
| version                                       |
| wait_classes_global_by_avg_latency            |
| wait_classes_global_by_latency                |
| waits_by_host_by_latency                      |
| waits_by_user_by_latency                      |
| waits_global_by_latency                       |
| x$host_summary                                |
| x$host_summary_by_file_io                     |
| x$host_summary_by_file_io_type                |
| x$host_summary_by_stages                      |
| x$host_summary_by_statement_latency           |
| x$host_summary_by_statement_type              |
| x$innodb_buffer_stats_by_schema               |
| x$innodb_buffer_stats_by_table                |
| x$innodb_lock_waits                           |
| x$io_by_thread_by_latency                     |
| x$io_global_by_file_by_bytes                  |
| x$io_global_by_file_by_latency                |
| x$io_global_by_wait_by_bytes                  |
| x$io_global_by_wait_by_latency                |
| x$latest_file_io                              |
| x$memory_by_host_by_current_bytes             |
| x$memory_by_thread_by_current_bytes           |
| x$memory_by_user_by_current_bytes             |
| x$memory_global_by_current_bytes              |
| x$memory_global_total                         |
| x$processlist                                 |
| x$ps_digest_95th_percentile_by_avg_us         |
| x$ps_digest_avg_latency_distribution          |
| x$ps_schema_table_statistics_io               |
| x$schema_flattened_keys                       |
| x$schema_index_statistics                     |
| x$schema_table_lock_waits                     |
| x$schema_table_statistics                     |
| x$schema_table_statistics_with_buffer         |
| x$schema_tables_with_full_table_scans         |
| x$session                                     |
| x$statement_analysis                          |
| x$statements_with_errors_or_warnings          |
| x$statements_with_full_table_scans            |
| x$statements_with_runtimes_in_95th_percentile |
| x$statements_with_sorting                     |
| x$statements_with_temp_tables                 |
| x$user_summary                                |
| x$user_summary_by_file_io                     |
| x$user_summary_by_file_io_type                |
| x$user_summary_by_stages                      |
| x$user_summary_by_statement_latency           |
| x$user_summary_by_statement_type              |
| x$wait_classes_global_by_avg_latency          |
| x$wait_classes_global_by_latency              |
| x$waits_by_host_by_latency                    |
| x$waits_by_user_by_latency                    |
| x$waits_global_by_latency                     |
+-----------------------------------------------+

mysql> select * from version;
+-------------+---------------+
| sys_version | mysql_version |
+-------------+---------------+
| 2.1.3       | 8.0.43        |
+-------------+---------------+

Common Queries For Enumeration…

| Command | Description |
|---|---|
| SELECT schema_name FROM information_schema.schemata; | List all databases available on the server |
| SELECT table_schema, table_name FROM information_schema.tables; | List all tables in all databases |
| SELECT table_name, column_name, data_type FROM information_schema.columns; | Show all columns and their types for each table |
| SELECT User, Host, plugin, authentication_string FROM mysql.user; | Enumerate MySQL users, their hosts, authentication plugins, and password hashes |
| SHOW GRANTS FOR '<username>'@'<host>'; | Display the privileges of a specific user |
| SELECT version(); | Show the MySQL server version |
| SELECT @@hostname, @@datadir, @@basedir; | Get system information about the database server |

MSSQL

Microsoft SQL Server (MSSQL) is a database system from Microsoft for storing and managing data. It was originally built for Windows, but it now also runs on Linux and macOS. Many developers and administrators use it for .NET applications because it integrates tightly with the .NET framework. A common tool for working with MSSQL is SQL Server Management Studio (SSMS), which can be installed together with MSSQL or on its own, on any computer, not just the server. This sometimes allows pentesters to find systems where credentials are saved, giving them access to the database. Other tools for connecting to MSSQL include mssql-cli, SQL Server PowerShell, HeidiSQL, SQLPro, and Impacket’s mssqlclient.py, which is very useful for security testing.

MSSQL also ships with several system databases that describe how the server is organized: master stores the main system information, model is the template used when creating new databases, msdb manages jobs and alerts, tempdb holds temporary objects, and Resource is read-only and contains system objects. Understanding MSSQL, its clients, and these system databases is essential both for security testing and for database administration.

By default MSSQL runs under the NT SERVICE\MSSQLSERVER service account and uses Windows Authentication (via the local SAM or Active Directory); connections are not encrypted by default, and a compromised account can enable lateral movement.

Check for dangerous MSSQL settings like unencrypted client connections, self-signed certificates, use of named pipes, and weak or default sa credentials that may be left enabled.

Footprinting the Service

Nmap MSSQL Scan…

root@kakarot$ sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 172.16.10.143

The Nmap scan reveals the MSSQL hostname, instance name, version, and enabled named pipes; these are important details to note.

We can also use the Metasploit auxiliary scanner scanner/mssql/mssql_ping to gather useful information during footprinting.

msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 172.16.10.143
rhosts => 172.16.10.143
msf6 auxiliary(scanner/mssql/mssql_ping) > run

[*] 172.16.10.143:       - SQL Server information for 172.16.10.143:
[+] 172.16.10.143:       -    ServerName      = CORP-SQL
[+] 172.16.10.143:       -    InstanceName    = MAINDB01
[+] 172.16.10.143:       -    IsClustered     = No
[+] 172.16.10.143:       -    Version         = 13.0.5026.0
[+] 172.16.10.143:       -    tcp             = 1433
[+] 172.16.10.143:       -    np              = \\CORP-SQL\pipe\sql\primary
[*] 172.16.10.143:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Interact with MSSQL…

root@kakarot$ python3 mssqlclient.py neo@172.16.10.143 -windows-auth

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16384
[*] INFO(CORP-SQL): Line 1: Changed database context to 'master'.
[*] INFO(CORP-SQL): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 5026)
[!] Press help for extra shell commands

SQL> select name from sys.databases

name
--------------------------------------------------------------------------------------
master
tempdb
model
msdb
saiyanDB

Transact-SQL (T-SQL) is an extended SQL query language used by Microsoft SQL Server and Azure SQL databases.

Oracle TNS

The Oracle Transparent Network Substrate (TNS) is a network protocol that allows communication between applications and Oracle databases. It is compatible with a variety of network protocols such as IPX/SPX or TCP/IP, and it supports built-in encryption of data to prevent loss during transfer. Newer versions also support IPv6 and SSL/TLS to secure access, balance load, resolve names, and manage connections. TNS also provides additional encryption between clients and servers to help prevent unauthorized access or attacks over a network, and it has performance monitoring, error logging, workload management, and fault-tolerance tools built in that are indispensable for secure database operations and good overall system performance.

Oracle TNS comes with a default setup that can change depending on the version, but some settings are standard. The listener usually runs on TCP port 1521, supports several network protocols, and can handle multiple network interfaces. Older versions like 8i and 9i allow remote management, while 10g and 11g do not. For basic security, the listener only accepts connections from authorized hosts and encrypts communication.

There are two main configuration files: tnsnames.ora on the client side, which links service names to network addresses, and listener.ora on the server side, which defines how the listener manages requests. Each database or service has its own entry in tnsnames.ora with its name and location. Oracle TNS works with other services, and sometimes default passwords are used, which can be risky. To improve security, a PL/SQL Exclusion List can block specific PL/SQL packages from running.

Oracle TNS Configuration Settings…

| Setting | Description | File |
|---|---|---|
| DESCRIPTION | Defines all connection details for the database, including address, port, and service information. | tnsnames.ora |
| ADDRESS | Specifies the network address (IP or hostname and port) of the database server. | Both |
| PROTOCOL | Specifies the communication protocol used for the connection, such as TCP/IP. | Both |
| PORT | The port number used for communication between client and server (usually 1521). | Both |
| CONNECT_DATA | Contains internal connection details such as the service name or SID. | tnsnames.ora |
| INSTANCE_NAME | The name of the specific database instance that the client wants to connect to. | tnsnames.ora |
| SERVICE_NAME | The logical name of the database service that clients use to connect. | Both |
| SERVER | Defines the type of server connection: dedicated (one client per process) or shared (multiple clients). | tnsnames.ora |
| USER | The username used to authenticate and log in to the database. | tnsnames.ora |
| PASSWORD | The password for the database user (rarely stored here for security reasons). | tnsnames.ora |
| SECURITY | Defines the type or level of security used for the connection (e.g., SSL/TLS). | Both |
| VALIDATE_CERT | Determines whether the SSL/TLS certificate should be validated during the connection. | Both |
| SSL_VERSION | Specifies which version of SSL/TLS protocol is used for encryption. | Both |
| CONNECT_TIMEOUT | The maximum time (in seconds) allowed for the client to establish a connection before timing out. | Both |
| RECEIVE_TIMEOUT | The maximum time the client waits for a response from the server after sending a request. | Both |
| SEND_TIMEOUT | The maximum time allowed for sending data from the client to the server. | Both |
| SQLNET.EXPIRE_TIME | The time interval (in seconds) after which the server checks if a connection is still active. | listener.ora |
| TRACE_LEVEL | Sets the level of detail for tracing and diagnostic logs. | listener.ora |
| TRACE_DIRECTORY | The directory where trace (debug) files are stored. | listener.ora |
| TRACE_FILE_NAME | The name of the trace file used for logging detailed connection or error information. | listener.ora |
| LOG_FILE | The name of the log file that records listener activities and connection events. | listener.ora |
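To make the table concrete from the defender's side, here is an added example (not code from the original post or from Oracle) that parses the nested (KEY = VALUE) syntax of tnsnames.ora and reports the settings from the table that deserve a second look: ADDRESS blocks that use PROTOCOL=TCP instead of the TLS variant TCPS, TCPS entries with no SECURITY section, and a PASSWORD stored in the file. The sample file, the host names and the `audit_tnsnames` function name are all constructed for this example.

```python
"""Parse tnsnames.ora and flag settings from the table above (added example,
not from the original post).  Usage: python3 tns_audit.py [tnsnames.ora]"""
import re
import sys

TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")   # parens, '=', or a bare word


def tokenize(text):
    """Tokenize the file, dropping '#' comments."""
    return [t for line in text.splitlines()
            for t in TOKEN.findall(line.split("#", 1)[0])]


class TnsParser:
    """Recursive-descent parser for the (KEY = VALUE) syntax shared by
    tnsnames.ora and listener.ora (alias lists like 'A, B =' are not handled)."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, want=None):
        tok = self.peek()
        if tok is None or (want is not None and tok != want):
            raise ValueError(f"expected {want or 'token'!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse_file(self):
        """The top level is a sequence of  NAME = value."""
        entries = {}
        while self.peek() is not None:
            name = self.take().upper()
            self.take("=")
            entries[name] = self.parse_value()
        return entries

    def parse_value(self):
        """A value is a bare word or one or more (KEY = value) groups;
        repeated keys (several ADDRESS blocks) are collected into a list."""
        if self.peek() != "(":
            return self.take()
        group = {}
        while self.peek() == "(":
            self.take("(")
            key = self.take().upper()
            self.take("=")
            value = self.parse_value()
            self.take(")")
            if key in group:
                group[key] = (group[key] if isinstance(group[key], list)
                              else [group[key]]) + [value]
            else:
                group[key] = value
        return group


def parse_tnsnames(text):
    return TnsParser(tokenize(text)).parse_file()


def find_key(node, wanted):
    """Yield every value stored under `wanted` at any depth (lists flattened)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == wanted:
                yield from (value if isinstance(value, list) else [value])
            yield from find_key(value, wanted)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, wanted)


def audit_entry(name, entry):
    """Findings for one net service entry: cleartext TCP, TCPS without a
    SECURITY section, and any PASSWORD stored in the file."""
    findings = []
    has_security = bool(list(find_key(entry, "SECURITY")))
    for addr in find_key(entry, "ADDRESS"):
        if not isinstance(addr, dict):
            continue
        proto = str(addr.get("PROTOCOL", "")).upper()
        where = f"{addr.get('HOST')}:{addr.get('PORT')}"
        if proto == "TCP":
            findings.append(f"{name}: PROTOCOL=TCP to {where} is cleartext (TCPS uses SSL/TLS)")
        elif proto == "TCPS" and not has_security:
            findings.append(f"{name}: TCPS to {where} but no SECURITY section (e.g. SSL_SERVER_DN_MATCH)")
    for _ in find_key(entry, "PASSWORD"):
        findings.append(f"{name}: PASSWORD is stored in the file")
    return findings


def audit_tnsnames(text):
    """Map each entry name to its findings; an empty list means nothing flagged."""
    return {n: audit_entry(n, e) for n, e in parse_tnsnames(text).items()}


# Constructed sample, not from a real system.
SAMPLE = """
PROD = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = prod.example.test)))
SECURE = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db2.example.test)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = secure.example.test))
    (SECURITY = (SSL_SERVER_DN_MATCH = yes)))
LEGACY = (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = legacy1.example.test)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = legacy2.example.test)(PORT = 1521)))
    (CONNECT_DATA = (SID = LEGACY)(USER = app)(PASSWORD = s3cret)))
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for entry, findings in audit_tnsnames(text).items():
        for line in findings or [f"{entry}: nothing flagged"]:
            print(line)
```

The same parser reads listener.ora, since both files use the same bracketed syntax; only the audit rules would differ (for example checking TRACE_LEVEL and LOG_FILE rather than ADDRESS blocks).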

Footprinting the Service

Setting up…

#!/usr/bin/env bash

set -euo pipefail

ORACLE_BASIC_URL="https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-basic-linux.x64-21.4.0.0.0dbru.zip"
ORACLE_SQLPLUS_URL="https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip"
DL_DIR="$HOME/Downloads/instantclient"
TARGET="/opt/oracle"
ODAT_REPO="https://github.com/quentinhardy/odat.git"
ODAT_DIR="$HOME/odat"
VENV="$ODAT_DIR/venv"

sudo apt update
sudo apt install -y wget unzip git python3-venv python3-pip build-essential libgmp-dev python3-scapy libaio1

mkdir -p "$DL_DIR"
cd "$DL_DIR"
wget -c "$ORACLE_BASIC_URL"
wget -c "$ORACLE_SQLPLUS_URL"

sudo mkdir -p "$TARGET"
sudo unzip -o "$(basename "$ORACLE_BASIC_URL")" -d "$TARGET"
sudo unzip -o "$(basename "$ORACLE_SQLPLUS_URL")" -d "$TARGET"

# -print -quit stops at the first match, so there is no pipeline to fail under pipefail
IC_DIR="$(find "$TARGET" -maxdepth 1 -type d -name 'instantclient*' -print -quit)"
if [ -z "$IC_DIR" ]; then
  echo "InstantClient directory not found under $TARGET" >&2
  exit 1
fi

echo "$IC_DIR" | sudo tee /etc/ld.so.conf.d/oracle-instantclient.conf >/dev/null
sudo ldconfig

if ! grep -q "instantclient" ~/.bashrc 2>/dev/null; then
  # $IC_DIR is expanded now; the escaped variables are expanded when .bashrc is sourced
  cat >> ~/.bashrc <<EOF

# Oracle Instant Client
export LD_LIBRARY_PATH="$IC_DIR:\${LD_LIBRARY_PATH:-}"
export PATH="$IC_DIR:\$PATH"
EOF
fi

# ${LD_LIBRARY_PATH:-} keeps 'set -u' from aborting when the variable is not yet set
export LD_LIBRARY_PATH="$IC_DIR:${LD_LIBRARY_PATH:-}"
export PATH="$IC_DIR:$PATH"

if [ -d "$ODAT_DIR" ]; then
  (cd "$ODAT_DIR" && git pull --rebase || true)
else
  git clone "$ODAT_REPO" "$ODAT_DIR"
fi

# user:group (the primary group name is not always the same as the user name)
sudo chown -R "$(id -un)":"$(id -gn)" "$ODAT_DIR"
git config --global --add safe.directory "$ODAT_DIR" || true

python3 -m venv "$VENV"

source "$VENV/bin/activate"
pip install --upgrade pip
pip install python-libnmap cx_Oracle pycryptodome colorlog termcolor passlib

cd "$ODAT_DIR"
git submodule init || true
git submodule update --recursive || true

echo "Done. To use ODAT:"
echo "  source $VENV/bin/activate"
echo "  cd $ODAT_DIR"
echo "If you opened a new terminal, run: source ~/.bashrc to load Oracle paths."

Use this bash script to download the required packages and tools, or try sudo apt install odat.

Determine if the installation was successful…

root@kakarot$ ./odat.py -h
usage: odat.py [-h] [--version]
               {all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
               ...

            _  __   _  ___ 
           / \|  \ / \|_ _|
          ( o ) o ) o || | 
           \_/|__/|_n_||_| 
-------------------------------------------
  _        __           _           ___ 
 / \      |  \         / \         |_ _|
( o )       o )         o |         | | 
 \_/racle |__/atabase |_n_|ttacking |_|ool 
-------------------------------------------

By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com)

positional arguments:
  {all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
                      
                      Choose a main command
    all               to run all modules in order to know what it is possible to do
    tnscmd            to communicate with the TNS listener
    tnspoison         to exploit TNS poisoning attack (SID required)
    sidguesser        to know valid SIDs
    snguesser         to know valid Service Name(s)
    passwordguesser   to know valid credentials
    utlhttp           to send HTTP requests or to scan ports
    httpuritype       to send HTTP requests or to scan ports
    utltcp            to scan ports
    ctxsys            to read files
    externaltable     to read files or to execute system commands/scripts
    dbmsxslprocessor  to upload files
    dbmsadvisor       to upload files
    utlfile           to download/upload/delete files
    dbmsscheduler     to execute system commands without a standard output
    java              to execute system commands
    passwordstealer   to get hashed Oracle passwords
    oradbg            to execute a bin or script
    dbmslob           to download files
    stealremotepwds   to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)
    userlikepwd       to try each Oracle username stored in the DB like the corresponding pwd
    smb               to capture the SMB authentication
    privesc           to gain elevated access
    cve               to exploit a CVE
    search            to search in databases, tables and columns
    unwrapper         to unwrap PL/SQL source code (no for 9i version)
    clean             clean traces and logs

options:
  -h, --help          show this help message and exit
  --version           show program's version number and exit

Scan the default Oracle TNS listener port…

root@kakarot$ sudo nmap -p1521 -sV <target-ip> --open

SID bruteforcing with Nmap…

root@kakarot$ sudo nmap -p1521 -sV <target-ip> --open --script oracle-sid-brute

Full Oracle Database Services Scan Using ODAT…

root@kakarot$ ./odat.py all -s <target-ip>

Log In With SQLplus

root@kakarot$ sqlplus user/pass@IP/XE

If you see the error sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory, run the following command to configure the Oracle library path.

root@kakarot$ sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig

You can use SQLPlus commands to manually enumerate the database, for example, list all tables or show the current user’s privileges.

SQL> select table_name from all_tables;

TABLE_NAME
------------------------------
USERS
LOGIN_HISTORY
ACCESS_LOGS
SYSTEM_SETTINGS
KAKAROT_TASKS
KAKAROT_NOTES
SESSION_AUDIT
SECURITY_EVENTS
ORACLE_METADATA
TMP_UPLOADS
BACKUP_JOBS

...SNIP...


SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
KAKAROT                        CONNECT                        NO  YES NO
KAKAROT                        RESOURCE                       NO  YES NO
KAKAROT                        DBA                            NO  YES NO

The user account could potentially be used to escalate privileges to SYSDBA, granting full administrative control over the database.

root@kakarot$ sqlplus user/pass@IP/XE as sysdba
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
SYS                            APEX_ADMINISTRATOR_ROLE        YES YES NO
SYS                            AQ_ADMINISTRATOR_ROLE          YES YES NO
SYS                            AQ_USER_ROLE                   YES YES NO
SYS                            AUTHENTICATEDUSER              YES YES NO
SYS                            CONNECT                        YES YES NO
SYS                            CTXAPP                         YES YES NO
SYS                            DATAPUMP_EXP_FULL_DATABASE     YES YES NO
SYS                            DATAPUMP_IMP_FULL_DATABASE     YES YES NO
SYS                            DBA                            YES YES NO
SYS                            DBFS_ROLE                      YES YES NO
<SNIP>

Extract Oracle password hashes from SYS.USER$ for offline cracking…

SQL> select name, password from sys.user$;

NAME                           PASSWORD
------------------------------ ------------------------------
ADMIN                          A1B2C3D4E5F67890
GUEST
APP_USER
REPORTING
MAINT                          9F8E7D6C5B4A3210
ANALYTICS
AUDIT_ROLE
DBA                            7AAC88BB99CC7766
SYSBACKUP                      D4E5F6A7B8C90123
ARCHIVE_ADMIN
SERVICE                        00FF11EE22DD33CC

NAME                           PASSWORD
------------------------------ ------------------------------
MONITOR
REPL_SYNC                      BBCCDDEEFF001122
OPS
...SNIP...

If the target also runs a web server, we can try uploading a web shell, but we need to know the web server’s root directory. If we have an idea of the system type, we can start with common default paths such as /var/www/html on Linux or C:\inetpub\wwwroot on Windows.

Always start with safe-looking files, like a simple text file, to test uploads and avoid triggering antivirus or intrusion detection systems.

root@kakarot$ echo "It's good to be king" > testfile.txt
root@kakarot$ ./odat.py utlfile -s IP -d XE -U user -P pass --sysdba --putFile C:\\inetpub\\wwwroot testfile.txt ./testfile.txt

[1] (IP:1521): Put the ./testfile.txt local file in the C:\inetpub\wwwroot folder like testfile.txt on the <IP> server
[+] The ./testfile.txt file was created on the C:\inetpub\wwwroot directory on the <IP> server like the testfile.txt file
root@kakarot$ curl -X GET http://IP/testfile.txt

It's good to be king !

IPMI

The Intelligent Platform Management Interface (IPMI) is basically a built-in system that helps administrators look after servers, even when those servers are completely off or frozen. It doesn’t depend on the operating system or the CPU; instead, it connects straight to the hardware through the network. That means an admin can still check on a machine, change BIOS settings before startup, power it on or off remotely, or dig into it after a crash. IPMI also keeps an eye on things like temperature, voltage, fan speed, and power supply health. It logs hardware activity and can send alerts if something goes wrong. All it really needs is power and a network cable to stay active.

The idea came from Intel in 1998, and since then it has become standard across most major brands like Dell, HP, Cisco, Supermicro, and many others. Behind the scenes, IPMI runs on a few main pieces: the Baseboard Management Controller (BMC), communication buses like ICMB and IPMB, its own bit of memory, and several network and serial interfaces that let everything talk to each other.

Footprinting the Service

IPMI runs on UDP port 623 and is handled by Baseboard Management Controllers (BMCs), usually embedded ARM systems running Linux. Many servers come with a BMC (HP iLO, Dell DRAC, Supermicro IPMI) or allow adding one. Accessing a BMC gives almost full control over the server: monitor, reboot, power off, or reinstall the OS. BMCs often provide a web console, SSH/Telnet access, and the IPMI network protocol. Securing BMCs is critical, as compromise is nearly equivalent to physical access.

Scanning With NMAP…

root@kakarot$ sudo nmap -sU --script ipmi-version -p 623 <target-ip>

Scanning Using Metasploit…

msf6 > use auxiliary/scanner/ipmi/ipmi_version 
msf6 auxiliary(scanner/ipmi/ipmi_version) > set rhosts <target-ip>

Many BMCs still use default passwords, giving attackers easy access.

| Product | Username | Password |
|---|---|---|
| Dell iDRAC | root | calvin |
| HP iLO | Administrator | randomized 8-character string with numbers and uppercase letters |
| Supermicro IPMI | ADMIN | ADMIN |

Dumping Hashes Using Metasploit…

Sometimes the default password on a BMC won’t work, but there is a weakness in the RAKP protocol of IPMI 2.0: before authentication, the server sends a salted SHA1 or MD5 hash of the user’s password, which can be captured. Using Metasploit, an attacker can retrieve this hash and then crack it offline with Hashcat mode 7300 to gain full control of the BMC. There is no quick fix for this flaw, so the safest approach is to use strong, complex passwords and restrict network access to the BMC. In real tests, accessing a BMC often allows control of critical servers and their web management tools.

msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts <target-ip>

Log In…

root@kakarot$ ipmitool -H <target-ip> -U user -P passwd shell

SSH

Secure Shell (SSH) is a secure way for two computers to connect and communicate over the Internet, even on untrusted networks. It works over TCP port 22 and protects data from attackers by encrypting it. SSH is supported on all major systems, including Linux, macOS, and Windows. There are two main versions: SSH-1, which is outdated and less secure, and SSH-2, which offers better encryption and safety. With SSH you can manage remote servers, run commands, transfer files, or forward ports. To connect, users must verify their identity through one of several methods, such as passwords or public-key authentication, which are the most common and secure ways to log in remotely.

root@kakarot$ cat /etc/ssh/sshd_config  | grep -v "#" | sed -r '/^\s*$/d'   #Default Configuration

The sshd_config file controls the OpenSSH server and only has a few default settings. One of these, X11 forwarding, had a command injection vulnerability in version 7.2p1 (2016). Since we don’t need a graphical interface to manage servers, it’s safer to keep X11 forwarding disabled.

Dangerous Settings…

| Setting | Description |
|---|---|
| PasswordAuthentication yes | Lets users log in using a password. This allows brute-force or guessing attacks if passwords are weak. |
| PermitEmptyPasswords yes | Accepts accounts that have no password. Anyone who knows the username can log in. |
| PermitRootLogin yes | Allows direct login as the root (full admin) user, giving total control if compromised. |
| Protocol 1 | Uses the old SSH version 1, which is insecure and has known weaknesses. |
| X11Forwarding yes | Lets remote graphical apps show on your machine. This can leak input/display data or be abused. |
| AllowTcpForwarding yes | Lets SSH forward TCP connections (create tunnels/proxies), which can be misused to bypass controls. |
| PermitTunnel | Allows creating network tunnels (layer 2/3). Can be used to route traffic through the server. |
| DebianBanner yes | Shows an OS/distribution banner at login, revealing the system type to anyone who connects. |
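The grep/sed one-liner above only shows what is written in the file; two of the risky values in the table (PasswordAuthentication yes and AllowTcpForwarding yes) are also OpenSSH's defaults, so a setting that is absent can still be in effect, and a value inside a Match block applies only to the users or hosts that block names. The following is an added example (not code from the original post or from OpenSSH) that parses sshd_config the way sshd reads it (first occurrence of a keyword wins, '#' comments ignored, keywords case-insensitive, Match blocks kept separate) and reports every risky setting from the table, marking those that come from a default. The sample configuration and the function names are constructed for this example; included files are not followed.

```python
"""Audit an sshd_config for the dangerous settings in the table above.

Added example, not code from the original post.  Usage:
    python3 sshd_audit.py /etc/ssh/sshd_config
"""
import sys

# Values that make each setting from the table risky (keywords lower-cased).
RISKY = {
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
    "permitrootlogin": {"yes"},
    "protocol": {"1", "1,2", "2,1"},
    "x11forwarding": {"yes"},
    "allowtcpforwarding": {"yes", "all", "local", "remote"},
    "permittunnel": {"yes", "point-to-point", "ethernet"},
    "debianbanner": {"yes"},
}

# What OpenSSH assumes when a keyword is absent (DebianBanner exists only in
# Debian/Ubuntu builds).  Two of the table's risky values are defaults.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "x11forwarding": "no",
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
    "debianbanner": "yes",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    Like sshd, the first occurrence of a keyword wins.  Settings after a
    'Match' line apply only when its criteria match, so they are kept apart.
    'Include' directives are recorded but the included files are not read."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return findings as (scope, keyword, value, explicit) tuples; explicit is
    False when the risky value comes from OpenSSH's default, not the file."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    for keyword, risky in RISKY.items():
        if keyword in global_settings:
            value = global_settings[keyword]
            if value.lower() in risky:
                findings.append(("global", keyword, value, True))
        elif DEFAULTS.get(keyword) in risky:
            findings.append(("global", keyword, DEFAULTS[keyword], False))
    for criteria, block in match_blocks:
        for keyword, value in block.items():
            if value.lower() in RISKY.get(keyword, ()):
                findings.append((f"Match {criteria}", keyword, value, True))
    return findings


# Constructed sample, not a real host's configuration.
SAMPLE = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes          # risky
PasswordAuthentication no
X11Forwarding yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
    PermitEmptyPasswords yes
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for scope, keyword, value, explicit in audit_sshd_config(text):
        origin = "set in file" if explicit else "OpenSSH default, not set explicitly"
        print(f"[{scope}] {keyword} {value}  ({origin})")
```

On a live host, `sshd -T` prints the fully resolved effective configuration (defaults and includes applied), so feeding its output to the same audit function removes the guesswork about defaults.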

Footprinting the Service

SSH-Audit…

One useful tool for fingerprinting SSH servers is ssh-audit, which inspects both client and server configurations, reports general information and the encryption algorithms in use, and can reveal weaknesses that might later be exploited at the cryptographic level.

root@kakarot$ git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit   #We can use this!
root@kakarot$ sudo apt install ssh-audit #Or this!
root@kakarot$ ./ssh-audit.py <target-ip>

Change Authentication Method…

root@kakarot$ ssh -v kakarot@IP 
CustomSSH_1.0-custom, CryptoLib 2.3.4
debug1: Reading configuration data /etc/ssh/ssh_config
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive  #Authentication MethodS

We can specify the authentication method with the SSH client option PreferredAuthentications.

root@kakarot$ ssh -v kakarot@172.16.10.143 -o PreferredAuthentications=password

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password

kakarot@172.16.10.143's password:

Rsync

Rsync is a fast, reliable tool for copying files both on the same machine and across a network. It is efficient: if a file already exists at the destination, Rsync only sends the parts that changed, which saves time and bandwidth. It is often used for backups and mirroring, normally runs on port 873, and can also be run securely over SSH. However, if Rsync is left open or misconfigured, an attacker might list and download files from a shared folder, sometimes even without logging in. During a pentest, finding credentials in those files and checking for password reuse can let you pull sensitive data.

Scanning Rsync With Nmap…

root@kakarot$ sudo nmap -sV -p 873 <target-ip>

Interacting With The Service Using Ncat…

root@kakarot$ nc -nv <target-ip> 873
<SNIP>
#list
it            	IT Scripts  #Open Share
@RSYNCD: EXIT

Enumerating an Open Share…

root@kakarot$ rsync -av --list-only rsync://IP/it

receiving incremental file list
drwxr-xr-x             48 2022/09/19 09:43:10 .
-rw-r--r--              0 2022/09/19 09:34:50 runme.sh
drwx------             54 2022/09/19 09:43:10 .ssh

We could sync all files to our attack host with the command:

root@kakarot$ rsync -av rsync://IP/dev

If Rsync is configured to use SSH to transfer files…

root@kakarot$ rsync -av -e ssh user@IP:/path/to/dir /local/path   #From Target To Attacker
root@kakarot$ rsync -av -e ssh /local/path/ user@IP:/path/to/dir  #From Attacker to target
root@kakarot$ rsync -av -e "ssh -p 2222" user@IP:/path /local/path #If a non-standard port is in use for SSH

R-Services

R-services are an old set of Unix tools that let computers talk to each other and run commands over a network. They were popular before SSH, but unlike SSH they send data in plain text (like telnet), so anyone sniffing the network could grab passwords or login info. These services use ports 512–514 and are accessed with r-commands such as rcp, rexec, rlogin, rsh, rstat, ruptime, and rwho. You don’t see them much today, but they still pop up sometimes on systems like Solaris or AIX, so it’s useful to know what they do and why they’re risky.

| Command | Service Daemon | Port | Transport | Description |
|---|---|---|---|---|
| rcp | rshd | 514 | TCP | Copies files or folders between machines. Works like cp but over the network and won’t warn if files are overwritten. |
| rsh | rshd | 514 | TCP | Opens a remote shell to run commands without logging in. Relies on .rhosts / hosts.equiv for trust. |
| rexec | rexecd | 512 | TCP | Runs a command on a remote host using username/password over the network (unencrypted). Trusted files can bypass authentication. |
| rlogin | rlogind | 513 | TCP | Logs in to a remote Unix-like host (like telnet). Can skip authentication if the host is trusted via .rhosts / hosts.equiv. |

/etc/hosts.equiv is a file listing trusted hosts. Users from these hosts can access the system automatically, without needing a password.

root@kakarot$ cat /etc/hosts.equiv

# <hostname> <local username>
mee kakarot
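Because hosts.equiv grants password-less access, the file is worth checking on any host that still runs the r-services. The following is an added example (not from the original post) that reads the `host [user]` line format described in hosts.equiv(5), where a bare `+` in the host field is a wildcard that trusts every host and a leading `-` denies a host, and ranks each entry by how much trust it grants. The sample file and the function names are constructed for this example.

```python
"""Flag risky entries in /etc/hosts.equiv (added example, not from the post).

Line format per hosts.equiv(5): "[+|-]host [[+|-]user]".  A bare '+' in the
host field trusts every host, which is the classic misconfiguration.
Usage: python3 equiv_audit.py /etc/hosts.equiv
"""
import sys

SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2}


def parse_hosts_equiv(text):
    """Return (host, user) pairs; user is None when the line has one field."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def audit_hosts_equiv(text):
    """Return (severity, message) findings, most severe first."""
    findings = []
    for host, user in parse_hosts_equiv(text):
        if host.startswith("-"):
            continue                      # explicit deny entry, nothing to flag
        entry = host if user is None else f"{host} {user}"
        if host == "+":
            findings.append(("critical", f"{entry!r}: every host is trusted"))
        elif user == "+":
            findings.append(("high", f"{entry!r}: every user on {host} is trusted"))
        else:
            findings.append(("info", f"{entry!r}: {host} is trusted without a password"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample, not a real file.
SAMPLE = """\
# <hostname> <local username>
mee kakarot
trusted.example.test
-untrusted.example.test
+
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for severity, message in audit_hosts_equiv(text):
        print(f"{severity:8} {message}")
```

The same parser applies to per-user ~/.rhosts files, which use the same syntax and are consulted by rlogin and rsh in addition to /etc/hosts.equiv.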

R-Services Scanning With Nmap…

root@kakarot$ sudo nmap -sV -p 512,513,514 <target-ip>

<SNIP>
PORT    STATE SERVICE    VERSION
512/tcp open  exec?
513/tcp open  login?
514/tcp open  tcpwrapped

Logging in Using Rlogin…

root@kakarot$ rlogin <target-ip> -l neo

Last login: D M  2 00:00:00 from localhost

[neo@localhost ~]$

Use rwho on UDP port 513 to see all active sessions on the network.

root@kakarot$ rwho

root     db:pts/0 M  2 00:00
neo     pc04:tty1 M  2 00:00  00:00       

Use the rusers command to get detailed information about all logged-in users on the network, including username, host, TTY, login time, idle time, and remote host.

```shell
root@kakarot$ rusers -al <target-ip>

kakarot     <target-ip>:console          M 5 00:00     00:00
```

RDP

Think of RDP as a magic window that lets you sit in front of a Windows computer, even if you’re miles away. You can see what’s on the screen and control it as if it were right in front of you. Normally, it talks through TCP port 3389, but sometimes it uses UDP too.

To make the connection, the computer you want to control and any firewalls in between must say “okay.” If your network uses NAT (which is super common at home or in offices), you’ll need the computer’s public IP and make sure the right ports are open.

Since Windows Vista, RDP has protected the session with strong encryption, so your login and activity are safe in transit. Still, some systems use weaker encryption, and the certificates are often self-signed. That’s why your computer sometimes shows warnings: it can’t be 100% sure the other side is legitimate.

RDP is already built into Windows servers. You don’t need to install anything. Just switch it on through Server Manager, and by default it only lets in computers that authenticate properly with Network Level Authentication (NLA).

RDP Scanning With Nmap…

```shell
root@kakarot$ nmap -sV -sC <target-ip> -p3389 --script rdp*
```

Nmap’s RDP probes leave an identifiable cookie (mstshash=nmap) on the server, which --packet-trace makes visible in the connection request. Security systems like EDR or threat hunters can detect it and may block your access on well-protected networks.

```shell
root@kakarot$ nmap -sV -sC <target-ip> -p3389 --packet-trace --disable-arp-ping -n
```
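Added example, not from the original post or from Nmap: a Python parser for the X.224 Connection Request that opens every RDP session, pulling out the mstshash cookie so a defender can spot the scanner signature described above in captured traffic; the sample frames and the name alice are constructed.

```python
"""Parse RDP X.224 Connection Request frames and flag scanner-style
mstshash cookies. Added example, not part of the original post."""
import re
import struct

# Identifiers known to be planted by scanners; only "nmap" comes from the
# post, extend the set with your own observations.
SCANNER_COOKIES = {"nmap"}
_COOKIE_RE = re.compile(rb"Cookie: mstshash=([^\r\n]*)\r\n")


def parse_x224_cr(frame: bytes) -> dict:
    """Return cookie, requested protocols and a scanner flag for one
    TPKT-wrapped X.224 Connection Request (MS-RDPBCGR 2.2.1.1)."""
    if len(frame) < 11 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    (tpkt_len,) = struct.unpack(">H", frame[2:4])
    if tpkt_len != len(frame):
        raise ValueError("TPKT length does not match frame size")
    li, tpdu_type = frame[4], frame[5]
    if tpdu_type != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    body = frame[11:5 + li]          # variable part: cookie + rdpNegReq
    cookie = None
    m = _COOKIE_RE.match(body)
    if m:
        cookie = m.group(1).decode("ascii", "replace")
        body = body[m.end():]
    protocols = None
    if len(body) >= 8 and body[0] == 0x01:   # TYPE_RDP_NEG_REQ
        (protocols,) = struct.unpack("<I", body[4:8])
    return {
        "cookie": cookie,
        "protocols": protocols,
        "scanner": cookie is not None and cookie.lower() in SCANNER_COOKIES,
    }


def _constructed_frame(cookie: bytes, protocols: int) -> bytes:
    """Build a constructed sample request for offline testing only."""
    tail = cookie + struct.pack("<BBHI", 1, 0, 8, protocols)
    tpdu = bytes([6 + len(tail), 0xE0, 0, 0, 0, 0, 0]) + tail
    return b"\x03\x00" + struct.pack(">H", 4 + len(tpdu)) + tpdu


# Constructed samples: an nmap-style probe and an ordinary client login
# (real clients typically carry the login username in this field).
SAMPLES = {
    "nmap": _constructed_frame(b"Cookie: mstshash=nmap\r\n", 0x3),
    "user": _constructed_frame(b"Cookie: mstshash=alice\r\n", 0x3),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, parse_x224_cr(frame))
```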

Cisco CX Security Labs made a Perl script called rdp-sec-check.pl that can quickly check an RDP server’s security settings by analyzing its handshake, no authentication needed.

```shell
root@kakarot$ sudo cpan

<SNIP>

cpan[1]> install Encoding::BER

<SNIP>
```

```shell
root@kakarot$ git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
root@kakarot$ ./rdp-sec-check.pl <target-ip>
```

Authentication and connection to RDP server…

```shell
root@kakarot$ xfreerdp /u:user /p:"pass" /v:IP
```

WinRM

WinRM (Windows Remote Management) is a built-in Windows protocol that lets you control a remote computer using commands. It uses SOAP to communicate with remote machines and applications, and since Windows 10 it must be explicitly enabled and configured. WinRM uses ports 5985 (HTTP) and 5986 (HTTPS) instead of the older ports 80 and 443.

A related tool, WinRS, allows you to run commands on the remote system directly and is even included by default in Windows 7. This means you can execute commands on another server without physically being there.

Scanning WinRM Using Nmap…

```shell
root@kakarot$ nmap -sV -sC <target-ip> -p5985,5986 --disable-arp-ping -n
```

Interacting With WinRM…

```shell
root@kakarot$ evil-winrm -i <target-ip> -u user -p pass
```

WMI

Windows Management Instrumentation, or WMI, is a tool from Microsoft that lets you manage and control almost every setting on a Windows computer, whether it’s a PC or a server. Think of it as the main interface for administering and keeping Windows machines running smoothly. You can use it through PowerShell, VBScript, or the WMIC console. WMI isn’t just one program, it’s a collection of programs and databases that work together to give you full control over the system.

Interacting With WMI…

```shell
root@kakarot$ /usr/share/doc/python3-impacket/examples/wmiexec.py user:"pass"@IP "hostname"
```

Service & Port

| Service Name | Port | TCP/UDP | Protocol Full Name | Description |
|---|---|---|---|---|
| HTTP | 80 | TCP | HyperText Transfer Protocol | Standard web traffic |
| HTTPS | 443 | TCP | HyperText Transfer Protocol Secure | Secure web traffic using SSL/TLS |
| FTP | 21 | TCP | File Transfer Protocol | File Transfer Protocol – control channel |
| FTP Data | 20 | TCP | File Transfer Protocol | File Transfer Protocol – data transfer |
| NetBIOS Name Service | 137 | UDP | Network Basic Input/Output System | NetBIOS name resolution |
| NetBIOS Datagram | 138 | UDP | Network Basic Input/Output System | NetBIOS datagram service |
| NetBIOS Session | 139 | TCP | Network Basic Input/Output System | NetBIOS session service |
| SMB / CIFS | 445 | TCP | Server Message Block / Common Internet File System | File sharing (Windows) |
| RPC / Portmapper | 111 | TCP/UDP | Remote Procedure Call | Remote Procedure Call / service mapping |
| NFS | 2049 | TCP/UDP | Network File System | Network File System for file sharing |
| SMTP | 25 | TCP | Simple Mail Transfer Protocol | Email sending protocol |
| SMTP (submission) | 587 | TCP | Simple Mail Transfer Protocol | Email submission (secure) |
| SMTP (SSL) | 465 | TCP | Simple Mail Transfer Protocol Secure | Secure SMTP over SSL |
| IMAP | 143 | TCP | Internet Message Access Protocol | Email retrieval protocol |
| IMAPS | 993 | TCP | Internet Message Access Protocol Secure | Secure IMAP over SSL |
| POP3 | 110 | TCP | Post Office Protocol 3 | Email retrieval protocol |
| POP3S | 995 | TCP | Post Office Protocol 3 Secure | Secure POP3 over SSL |
| SNMP | 161 | UDP | Simple Network Management Protocol | Network monitoring and management |
| MySQL | 3306 | TCP | MySQL Database Protocol | MySQL database service |
| MS-SQL | 1433 | TCP | Microsoft SQL Server Protocol | Microsoft SQL Server database service |
| Oracle DB | 1521 | TCP | Oracle Net Services | Oracle database listener |
| IPMI | 623 | UDP | Intelligent Platform Management Interface | Remote server management (IPMI) |
| SSH | 22 | TCP | Secure Shell | Secure shell remote access |
| Rsync | 873 | TCP | Remote Sync | File synchronization service |
| Syslog | 514 | UDP | System Logging Protocol | System logging service |
| Rexec | 512 | TCP | Remote Execution | Remote command execution (r-services) |
| Rlogin | 513 | TCP | Remote Login | Remote login service (r-services) |
| RSH | 514 | TCP | Remote Shell | Remote shell (r-services) |

Finally… it’s over.


This post is licensed under CC BY 4.0 by the author.