Noirchapeau's Gitbook

Protocol Specific Attacks

Fundamental Attack Concept

The attack methodology follows a universal four-category framework applicable across different services:

1. Source

Definition: The origin of information or input for a process
Key Sources to Investigate:
- Code outputs reused as inputs
- Libraries and configuration files
- APIs and interfaces
- User inputs (most vulnerable)

2. Process

Definition: How information from the source is processed
Critical Components to Analyze:
- Process ID (PID)
- Input handling mechanisms
- Data processing logic
- Variable manipulation
- Logging mechanisms

3. Privileges

Definition: System-controlled permissions for executing actions
Privilege Types:
- System-level (root/SYSTEM)
- User-specific permissions
- Group-based access
- Application-specific policies and rules

4. Destination

Definition: Output or target of the processed task
Destination Types:
- Local system modifications
- Network interactions with external systems

Common Service Misconfiguration Attack Vectors

Authentication Vulnerabilities

Default Credentials:
- Common weak combinations:
  - admin:admin
  - root:12345678
  - admin:<blank>
- Always attempt default credential login
Anonymous Authentication:
- Identify services allowing unauthenticated access
- Examples: FTP servers with anonymous login
- Potential for unauthorized resource access

Access Rights Exploitation

Misconfigured Permissions:
- Look for roles with excessive privileges
- Example: FTP users with unintended read/write access
- Utilize Role-Based Access Control (RBAC) assessment tools

Unnecessary Defaults Attack Surface

Identify and Exploit:
- Unused open ports
- Default accounts
- Overly informative error messages
- Unpatched services

Sensitive Information Discovery Methodology

Enumeration Techniques

Systematic Information Gathering:
- Collect usernames
- Extract email addresses
- Locate password references
- Analyze DNS records
- Map IP addresses
- Review source code and configuration files

Target Service Investigation

File Shares

Tools:
- SMBClient
- Enum4linux
- CrackMapExec
Focus Areas:
- Shared documents
- Credential files
- Configuration data

Email Services

Investigation Keywords:
- "password"
- "confidential"
Methodology:
- Manual and tool-assisted searches
- Cross-reference discovered credentials

Databases

Tools:
- SQLmap
- Database-specific clients (MySQL, MSSQL)
Extraction Targets:
- User data
- Configuration details
- Application logic

Real-World Attack Scenario: FTP to RCE

Step-by-Step Methodology

Initial Enumeration
- Attempt anonymous FTP access
- Analyze even seemingly insignificant files
- Test discovered usernames across services
Credential Correlation
- Search emails for password hints
- Cross-reference information between services
Privilege Escalation
- Leverage discovered credentials
- Exploit service-specific functionalities
- Aim for Remote Code Execution (RCE)

Best Practices and Mitigation

Prevention Strategies

Disable unnecessary services
Use unique credentials per environment
Implement automated secure configuration
Conduct regular security audits
Use minimal platforms
Apply strict access controls

Recommended Tools

Nmap
Gobuster
Metasploit
Custom enumeration scripts

Key Takeaways

Attacks are methodical, not random
Details matter immensely
Systematic approach is crucial
Always document your findings
Continuously adapt to the target's unique setup

PreviousInteracting with Common Services