SecuriTree Home

SecuriTree

Windows Security
- Post-exploitation
  - Network Tunneling
    (Ligolo-ng, Chisel)
  - Reverse Shell
  - System Manipulation
  - File Transfer
- Lateral Movement
  - Common Problems
    - Double Hop
    - Remote UAC
  - Techniques
    - Access Token Manipulation
      (RunAs, RunasCs)
    - Pass-the-Ticket (Kerberos)
      (Rubeus, getTGT)
  - Technologies
    - MS-RPC
      - MS-DCOM
      - MS-RRP
      - MS-SCMR
        (PsExec, SmbExec, ScExec)
      - MS-TSCH
      - MS-WMI
        (WmiExec)
    - RDP
    - WinRM
      (winrs, PS Remoting)
- Domain Privesc
  - ACL Abuse
  - AD Delegation Abuse
    - Constrained Delegation
    - Resource-Based Constrained Delegation
    - Unconstrained Delegation
  - AS-Rep Roasting
  - Certificate Service Abuse
  - Credentials Dump
    - DCSync
    - LSASS Memory
    - Local SAM
    - Windows Vault
  - Group Policies
  - Information to steal
    (files, logs, processes, ...)
  - Kerberoasting
  - Local Admin Hunting
  - MSSQL Abuse
  - NTLM Hash Stealing
  - NTLM Relay
  - Password Spraying
  - RDP Hijacking
  - Tasks and Services Abuse
- Reconnaissance
  - Active Directory
  - DNS
  - LDAP
  - NetBIOS
  - NFS
  - Port Scanning
  - RPC
  - SMB
  - SMTP
  - SNMP

#Windows Security #Reconnaissance #SMTP

Recon of SMTP (25 / 465 / 587)

We can gather information about a host or network from vulnerable mail servers. The Simple Mail Transport Protocol (SMTP) supports several interesting commands which allow to e.g. perform usernames enumeration.

# Connect to SMTP server
nc -nv $host -p $port
 
# Interesting SMTP commands
> VRFY $username            # Verify if user exists
> EXPN $username            # Username to email

Automated enumeration

# User enumeration using Metasploit
auxiliary/scanner/smtp/smtp_enum
 
# Various Nmap scripts
nmap --script smtp-commands,smtp-open-relay,smtp-enum-users $ip

Children