# Common Tools for Interacting with Services

| **SMB** | **FTP** | **Email** | **Databases** |
|---|---|---|---|
| [smbclient](https://www.samba.org/samba/docs/current/man-html/smbclient.1.html) | [ftp](https://linux.die.net/man/1/ftp) | [Thunderbird](https://www.thunderbird.net/en-US/) | [mssql-cli](https://github.com/dbcli/mssql-cli) |
| [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) | [lftp](https://lftp.yar.ru/) | [Claws](https://www.claws-mail.org/) | [mycli](https://github.com/dbcli/mycli) |
| [SMBMap](https://github.com/ShawnDEvans/smbmap) | [ncftp](https://www.ncftp.com/) | [Geary](https://wiki.gnome.org/Apps/Geary) | [mssqlclient.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py) |
| [Impacket](https://github.com/SecureAuthCorp/impacket) | [filezilla](https://filezilla-project.org/) | [MailSpring](https://getmailspring.com/) | [dbeaver](https://github.com/dbeaver/dbeaver) |
| [psexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py) | [crossftp](http://www.crossftp.com/) | [mutt](http://www.mutt.org/) | [MySQL Workbench](https://dev.mysql.com/downloads/workbench/) |
| [smbexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py) | | [mailutils](https://mailutils.org/) | [SQL Server Management Studio or SSMS](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms) |
| | | [sendEmail](https://github.com/mogaal/sendemail) | |
| | | [swaks](http://www.jetmore.org/john/code/swaks/) | |
| | | [sendmail](https://en.wikipedia.org/wiki/Sendmail) | |

# File Sharing Services

- Internal examples: SMB, NFS, FTP, TFTP, SFTP
- Cloud examples: Dropbox, Google Drive, OneDrive, SharePoint, or other forms of file storage such as AWS S3, Azure Blob Storage, or Google Cloud Storage

## SMB

- In Windows, connect to an SMB share by pressing [Win] + [r] to open the Run dialog box and typing the path to the share, such as `\\192.168.1.2\Archive\`
- We may or may not be asked to authenticate with a subsequent pop-up

### cmd.exe

- From `cmd.exe`, we can interact with the share as follows:

```cmd
REM list the contents of the share
dir \\192.168.1.2\Archive\
REM attempt to map n: to the share
net use n: \\192.168.1.2\Archive
REM attempt to map n: to the share with authentication
net use n: \\192.168.1.2\Archive /user:username <password>
```

- With `n:` mapped to the share, we can now interact with its contents as follows:

```cmd
REM the output is piped to find, which counts how many files exist in the directory
dir n: /a-d /s /b | find /c ":\"
dir n:\*cred* /s /b
dir n:\*secret* /s /b
REM look for lines within files that include the specified string
findstr /s /i cred n:\*.*
```

| **Syntax** | **Description** |
| ---------- | -------------------------------------------------------------- |
| `dir` | Application that lists a folder's contents |
| `n:` | Directory or drive to search |
| `/a-d` | `/a` is the attribute and `-d` means not directories |
| `/s` | Displays files in a specified directory and all subdirectories |
| `/b` | Uses bare format (no heading information or summary) |
| `/i` | Case insensitive |

### PowerShell

- PowerShell can run both cmd commands and cmdlets
- From PowerShell, we can interact with the share as follows:

```powershell
Get-ChildItem \\192.168.1.2\Archive\ #lists contents of share like dir
New-PSDrive -Name "N" -Root "\\192.168.1.2\Archive" -PSProvider "FileSystem" #attempts to map n:\ to the share
```

- Mapping a share with credentials is a bit more complicated; we have to set up several local variables as follows:

```powershell
$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
```

- With `n:\` mapped to the share, we can now interact with its contents as follows:

```powershell
PS C:\htb> N:
PS N:\> (Get-ChildItem -File -Recurse | Measure-Object).Count #counts number of items in n:\
PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File #searches for files with the "*cred*" string
PS C:\htb> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List #looks for lines within files that include the specified string like findstr
```

### Linux

- First, we need to mount the SMB share

```bash
sudo apt install cifs-utils
sudo mkdir /mnt/Finance
sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
sudo mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile #alternative to the above with a cred file
```

- Credential file example

```text
username=plaintext
password=Password123
domain=.
```

- Once mounted, we can use typical Linux CLI tools like `find` and `grep` on the share

```bash
# quote the pattern so the shell does not expand it before find sees it
find /mnt/Finance/ -name '*cred*'
grep -rn /mnt/Finance/ -ie cred
```

# Email

- Two protocols are needed to send and receive messages
  - SMTP for sending
  - IMAP/POP3 for receiving
- A GUI mail client such as Evolution can be used to interact with an email server
  - `sudo apt install -y evolution`

# Databases

- Two types: hierarchical dbs such as NoSQL; and SQL relational dbs
- Two most common SQL relational dbs: MySQL and MSSQL

## MSSQL

- While on Linux, use `sqsh` to interact with MSSQL

```bash
sqsh -S 10.129.20.13 -U username -P Password123
```

- While on Windows, use `sqlcmd` to interact with MSSQL

```cmd
sqlcmd -S 10.129.20.13 -U username -P Password123
```

- GUI app for interacting with MSSQL: SQL Server Management Studio, aka SSMS
- On Linux, we can use `dbeaver`, which is a GUI app that can interact with MSSQL

```bash
sudo dpkg -i dbeaver-<version>.deb
dbeaver &
```

## MySQL

- While on Linux, use `mysql` to interact with MySQL

```bash
mysql -u username -pPassword123 -h 10.129.20.13
```

- While on Windows, use `mysql.exe` to interact with MySQL

```cmd
mysql.exe -u username -pPassword123 -h 10.129.20.13
```
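
Returning to the Linux SMB mount above: a `password=` mount option ends up in shell history and is visible in the process list while `mount` runs, which is what the credentials file avoids, provided the file itself is private. The following is an added example, not part of the original notes; the helper names `write_cifs_credfile`, `check_cifs_credfile` and `cifs_mount_cmd` are hypothetical, and the demo values are constructed.

```bash
#!/usr/bin/env bash
# Added example: keep a cifs credentials file private and refuse to use a loose one.

# Write a credentials file that only its owner can read.
# Args: <path> <username> <password> [domain]
write_cifs_credfile() {
    local path=$1 user=$2 pass=$3 domain=${4:-.}
    (
        umask 077   # a newly created file gets mode 0600
        printf 'username=%s\npassword=%s\ndomain=%s\n' "$user" "$pass" "$domain" > "$path"
    )
    chmod 600 "$path"   # also tighten a file that already existed
}

# Return 0 only if the file is fit to pass to mount -o credentials=...
check_cifs_credfile() {
    local path=$1
    [ -f "$path" ] && [ ! -L "$path" ] || { echo "not a regular file: $path" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    case $(ls -ld -- "$path") in
        ????------*) ;;
        *) echo "group/other can access $path; run chmod 600" >&2; return 1 ;;
    esac
    grep -q '^username=' "$path" && grep -q '^password=' "$path" \
        || { echo "missing username= or password= line in $path" >&2; return 1; }
}

# Print the mount command only when the credentials file passes the check.
# Args: <//server/share> <mountpoint> <credfile>
cifs_mount_cmd() {
    local share=$1 mountpoint=$2 credfile=$3
    check_cifs_credfile "$credfile" || return 1
    printf 'sudo mount -t cifs %s %s -o credentials=%s\n' "$share" "$mountpoint" "$credfile"
}

# Demo with constructed values in a throwaway directory.
demo_dir=$(mktemp -d)
write_cifs_credfile "$demo_dir/finance.cred" plaintext 'Password123'
cifs_mount_cmd //192.168.220.129/Finance /mnt/Finance "$demo_dir/finance.cred"
rm -rf "$demo_dir"
```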