Protocol Specific Attacks

Fundamental Attack Concept

The attack methodology follows a universal four-category framework applicable across different services:

1. Source

• Definition: The origin of information or input for a process

• Key Sources to Investigate:

  • Code outputs reused as inputs

  • Libraries and configuration files

  • APIs and interfaces

  • User inputs (most vulnerable)

2. Process

• Definition: How information from the source is processed

• Critical Components to Analyze:

  • Process ID (PID)

  • Input handling mechanisms

  • Data processing logic

  • Variable manipulation

  • Logging mechanisms

3. Privileges

• Definition: System-controlled permissions for executing actions

• Privilege Types:

  • System-level (root/SYSTEM)

  • User-specific permissions

  • Group-based access

  • Application-specific policies and rules

4. Destination

• Definition: Output or target of the processed task

• Destination Types:

  • Local system modifications

  • Network interactions with external systems

Common Service Misconfiguration Attack Vectors

Authentication Vulnerabilities

• Default Credentials:

  • Common weak combinations:

    • admin:admin

    • root:12345678

    • admin:<blank>

  • Always attempt default credential login

• Anonymous Authentication:

  • Identify services allowing unauthenticated access

  • Examples: FTP servers with anonymous login

  • Potential for unauthorized resource access

Access Rights Exploitation

• Misconfigured Permissions:

  • Look for roles with excessive privileges

  • Example: FTP users with unintended read/write access

  • Utilize Role-Based Access Control (RBAC) assessment tools

Unnecessary Defaults Attack Surface

• Identify and Exploit:

  • Unused open ports

  • Default accounts

  • Overly informative error messages

  • Unpatched services

Sensitive Information Discovery Methodology

Enumeration Techniques

• Systematic Information Gathering:

  • Collect usernames

  • Extract email addresses

  • Locate password references

  • Analyze DNS records

  • Map IP addresses

  • Review source code and configuration files

Target Service Investigation

File Shares

• Tools:

  • SMBClient

  • Enum4linux

  • CrackMapExec

• Focus Areas:

  • Shared documents

  • Credential files

  • Configuration data

Email Services

• Investigation Keywords:

  • "password"

  • "confidential"

• Methodology:

  • Manual and tool-assisted searches

  • Cross-reference discovered credentials

Databases

• Tools:

  • SQLmap

  • Database-specific clients (MySQL, MSSQL)

• Extraction Targets:

  • User data

  • Configuration details

  • Application logic

Real-World Attack Scenario: FTP to RCE

Step-by-Step Methodology

1. Initial Enumeration

   • Attempt anonymous FTP access

   • Analyze even seemingly insignificant files

   • Test discovered usernames across services

2. Credential Correlation

   • Search emails for password hints

   • Cross-reference information between services

3. Privilege Escalation

   • Leverage discovered credentials

   • Exploit service-specific functionalities

   • Aim for Remote Code Execution (RCE)

Best Practices and Mitigation

Prevention Strategies

• Disable unnecessary services

• Use unique credentials per environment

• Implement automated secure configuration

• Conduct regular security audits

• Use minimal platforms

• Apply strict access controls

Recommended Tools

• Nmap

• Gobuster

• Metasploit

• Custom enumeration scripts

Key Takeaways

• Attacks are methodical, not random

• Details matter immensely

• Systematic approach is crucial

• Always document your findings

• Continuously adapt to the target's unique setup