Services

Initial Access Guide

Theory

To gain initial access to an information system, one of the most common vectors is exploiting poorly configured network services and protocols inside the enterprise network. Not every company runs every protocol listed in this category, but many expose misconfigurations that hand an attacker a first foothold. Insecure protocols such as Telnet, cleartext HTTP or SMBv1 are rare on modern, well-maintained systems but still turn up on legacy machines and appliances. It is essential to know the tools for speaking these protocols and the misconfigurations each one is prone to. The most common areas to explore are listed below.

Common Exploitable Areas

  1. Broken Authentication

    • Examples: FTP anonymous login, SSH with default or vendor credentials, SMB shares readable by anonymous, guest or any domain user.

  2. Information Disclosure

    • Examples: HTTP instead of HTTPS exposing credentials and session data in cleartext; database services such as MySQL or MSSQL leaking version banners, schema names or data to unauthenticated or low-privileged users.

  3. Enterprise Authentication Exploitation

    • Examples: abusing Kerberos tickets (for instance requesting service tickets and cracking them offline) and unauthenticated or low-privileged LDAP queries to enumerate and compromise users or services.

  4. Data Exfiltration

    • Examples:

      • Standard file exchange protocols (FTP, SMB, HTTP).

      • Unconventional channels such as DNS tunnelling.

  5. Direct Access/Code Execution

    • Tools: Impacket, NetExec.

    • Protocols: SMB, SSH, LDAP, WMI, RDP, MSSQL.
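
Checking for anonymous FTP login, the first example under Broken Authentication, as an added example (not code from the original page): check_anonymous_ftp() drives the USER/PASS exchange with Python's ftplib and records the server's reply codes, and a constructed StubFtpServer answers it on 127.0.0.1 so both sides of the conversation can be seen offline. The host, port and stub replies are assumptions for the demo; point the function at a real target to use it in an assessment.

```python
"""Anonymous FTP login check with a local stub server for the demo.

Added example, not code from the original page. The stub server and its
replies are constructed so the USER/PASS exchange can be run offline.
"""
import socket
import threading
from ftplib import FTP, Error, error_perm


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Attempt USER anonymous / PASS anonymous@ and report what the server said.

    Returns a dict with the 220 banner, whether login succeeded, and the final
    server line (or the connection error). ftplib speaks the protocol for us:
    login() sends USER, then PASS once the server answers 331.
    """
    result = {"host": host, "port": port, "banner": None, "anonymous": False, "reply": None}
    ftp = FTP()
    try:
        result["banner"] = ftp.connect(host, port, timeout=timeout)
        result["reply"] = ftp.login("anonymous", "anonymous@")  # 230 means accepted
        result["anonymous"] = True
    except error_perm as exc:      # 5xx reply: anonymous access rejected
        result["reply"] = str(exc)
    except OSError as exc:         # refused, reset or timed out
        result["reply"] = f"connection failed: {exc}"
    finally:
        try:
            if ftp.sock is not None:
                ftp.quit()         # polite QUIT so the server sees a clean session
        except (OSError, EOFError, Error):
            pass
        ftp.close()
    return result


class StubFtpServer(threading.Thread):
    """Constructed one-shot FTP responder for the demo (not a real server).

    Understands only USER, PASS and QUIT; records both sides in self.transcript.
    """

    def __init__(self, allow_anonymous):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.transcript = []
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # ephemeral port, read back below
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        user = None
        with conn, conn.makefile("rwb") as stream:
            def reply(line):
                self.transcript.append("S: " + line)
                stream.write((line + "\r\n").encode("ascii"))
                stream.flush()
            reply("220 stub FTP server ready")
            while True:
                raw = stream.readline()
                if not raw:
                    break                      # client left without QUIT
                cmd, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
                cmd = cmd.upper()
                self.transcript.append("C: " + (cmd + " " + arg).strip())
                if cmd == "USER":
                    user = arg.lower()
                    reply("331 Please specify the password.")
                elif cmd == "PASS":
                    if self.allow_anonymous and user in ("anonymous", "ftp"):
                        reply("230 Login successful.")
                    else:
                        reply("530 Login incorrect.")
                elif cmd == "QUIT":
                    reply("221 Goodbye.")
                    break
                else:
                    reply("502 Command not implemented.")


def demo():
    """Run the check against an open stub, a locked-down stub and a closed port."""
    open_srv = StubFtpServer(allow_anonymous=True)
    open_srv.start()
    accepted = check_anonymous_ftp("127.0.0.1", open_srv.port)
    open_srv.join(timeout=5)

    closed_srv = StubFtpServer(allow_anonymous=False)
    closed_srv.start()
    rejected = check_anonymous_ftp("127.0.0.1", closed_srv.port)
    closed_srv.join(timeout=5)

    probe = socket.socket()                  # bind, then release, a port nobody listens on
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()
    unreachable = check_anonymous_ftp("127.0.0.1", dead_port, timeout=2.0)

    return {"accepted": accepted, "rejected": rejected, "unreachable": unreachable,
            "transcript": open_srv.transcript}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The transcript of the accepted case reads 220, USER, 331, PASS, 230, QUIT, 221, which is exactly what a packet capture of a real anonymous login shows. Loop check_anonymous_ftp() over the hosts with port 21 open from a scan to sweep a subnet; only a 230 after PASS counts as a finding, a 530 or a connection error does not.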


TIP

NetExec (nxc) is a network service exploitation tool built for exactly this kind of sweep. It supports the common enterprise protocols, including SMB, SSH, LDAP, WinRM, WMI, RDP, and MSSQL, and accepts several authentication methods (plaintext passwords, NTLM hashes for pass-the-hash, and Kerberos tickets), so one tool can assess an information system's exposure across all of these services.


Practice

Well-Known Ports

Protocol       Port (TCP)   Description
FTP            21           File Transfer Protocol (cleartext credentials and data).
SSH            22           Secure Shell for remote administration.
Telnet         23           Unencrypted remote access protocol.
DNS            53           Domain Name System (TCP and UDP).
HTTP           80           Web traffic (cleartext).
LDAP           389          Lightweight Directory Access Protocol.
HTTPS          443          Web traffic over TLS.
SMB            445          Server Message Block for file sharing (also 139 over NetBIOS).
LDAPS          636          LDAP over TLS.
MSSQL          1433         Microsoft SQL Server.
MySQL          3306         MySQL database server.
RDP            3389         Remote Desktop Protocol for Windows systems.
WinRM          5985         Windows Remote Management (HTTP).
WinRM Secure   5986         Windows Remote Management (HTTPS).

