concrete_protocols
Content
- Infrastructure PenTest Series: Part 2 - Vulnerability Analysis - awesome cheatsheet for vulnerability analysis of various ports
- 0daysecurity pentest by ports
SMTP (port 25)
- mailsploit.com - a collection of bugs in email clients that allow effective sender spoofing and code injection attacks (analysis of 30 applications)
- Example of telnet session to SMTP server (other example); another trivial example. The envelope sender given in `MAIL FROM` and the `From:` header shown by the mail client are set independently, which is what makes this spoofing trivial; a line holding a single `.` ends DATA. Strict servers require the envelope addresses in angle brackets (`MAIL FROM:<...>`):

```
HELO server.example.com
MAIL FROM: mr.president@government.com
RCPT TO: phonexicum@yandex.ru
DATA
From: [Hacker] <mr.president@government.com>
To: <phonexicum@yandex.ru>
Date: Sat, 10 Dec 2017 00:20:26 -0400
Subject: Handy email

Hello buddy
.
QUIT
```
- Python SMTP server for catching test messages (the server prints received SMTP messages, NO further transmission):

```
python -m smtpd -n -c DebuggingServer localhost:1025
```

The `smtpd` module was removed in Python 3.12; the replacement is the `aiosmtpd` package (`pip install aiosmtpd`), whose equivalent is `python -m aiosmtpd -n -l localhost:1025`.
- Send a prepared composite e-mail with English and other-language content. The subject is wrapped as an RFC 2047 encoded-word (`=?utf-8?B?...?=`) so non-ASCII text survives the 7-bit header; `echo -n` keeps the trailing newline out of the encoded subject:

```
sendEmail -f mr.smith@matrix.io -t phonexicum@matrix.io \
  -u "=?utf-8?B?$(echo -n "This is the spam message" | base64)?=" \
  -o message-content-type=html -o message-file=/home/phonexicum/email.html \
  -s localhost:25 -o message-charset=utf-8 -o tls=no
```

e-mail at /home/phonexicum/email.html:

```html
<html>
<head><title></title></head>
<body>
<p>Hello, phonexicum ...</p>
<p>Please cooperate with us.</p>
<p>
Mr. Smith <br>
Department of control.
</p>
</body>
</html>
```
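Both halves of the exchange above in one runnable script: a minimal SMTP sink in the spirit of `DebuggingServer` (stores the envelope and DATA, relays nothing) and a client that sends the spoofed message from the telnet session with an envelope sender that differs from the `From:` header. This is an added example, not code from the original page or from any project it references; the host names `sink.local` / `client.local`, the envelope address `bounce@attacker.invalid` and the loopback port are assumptions for the demo.

```python
import smtplib
import socketserver
import threading


def _addr(line):
    """Pull the mailbox out of 'MAIL FROM:<a@b>' / 'RCPT TO:<a@b>' (brackets optional)."""
    return line.partition(":")[2].strip().strip("<>")


class SmtpSinkHandler(socketserver.StreamRequestHandler):
    """One SMTP conversation. Speaks just enough of RFC 5321 to accept a message,
    then stores envelope + DATA on the server; nothing is relayed (like DebuggingServer)."""

    timeout = 5  # socket timeout, so a stalled client cannot wedge the handler

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 sink.local ESMTP constructed example")  # assumed hostname
        mail_from, rcpt_to, body, in_data = None, [], [], False
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if in_data:
                if line == ".":  # lone dot terminates DATA
                    in_data = False
                    self.server.messages.append(
                        {"mail_from": mail_from, "rcpt_to": rcpt_to, "data": "\n".join(body)})
                    mail_from, rcpt_to, body = None, [], []
                    self.reply("250 2.0.0 Ok: stored, not relayed")
                else:  # undo dot-stuffing: the sender doubled any leading dot
                    body.append(line[1:] if line.startswith(".") else line)
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 sink.local")
            elif verb == "MAIL":
                mail_from = _addr(line)  # envelope sender, independent of the From: header
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                rcpt_to.append(_addr(line))
                self.reply("250 2.1.5 Ok")
            elif verb == "DATA":
                in_data = True
                self.reply("354 End data with <CR><LF>.<CR><LF>")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


class SmtpSinkServer(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, address=("127.0.0.1", 0)):  # port 0: let the OS pick a free port
        super().__init__(address, SmtpSinkHandler)
        self.messages = []


def send_spoofed(host, port, envelope_from="bounce@attacker.invalid",
                 header_from="[Hacker] <mr.president@government.com>",
                 rcpt="phonexicum@yandex.ru"):
    """Client side of the telnet session above. MAIL FROM (envelope) and the
    From: header are set independently; mail clients display the header."""
    message = "\r\n".join([
        f"From: {header_from}",
        f"To: <{rcpt}>",
        "Date: Sat, 10 Dec 2017 00:20:26 -0400",
        "Subject: Handy email",
        "",
        "Hello buddy",
        ".",  # a bare dot in the body: smtplib dot-stuffs it so it does not end DATA early
    ])
    with smtplib.SMTP(host, port, local_hostname="client.local", timeout=5) as smtp:
        smtp.sendmail(envelope_from, [rcpt], message)


def run_demo():
    """Start the sink on loopback, send one spoofed message, return what the sink stored."""
    server = SmtpSinkServer()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        send_spoofed(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()
    return server.messages


if __name__ == "__main__":
    for m in run_demo():
        print("envelope:", m["mail_from"], "->", m["rcpt_to"])
        print(m["data"])
```

The stored record shows why header checks alone are useless against this: the envelope says `bounce@attacker.invalid` while the displayed `From:` says the president. SPF is evaluated on the envelope (and the HELO name), DMARC is what ties the envelope result back to the header `From:` domain.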
IMAP (port 143)
- telnet IMAP session (another trivial example). Every client command must carry a tag (`a1`, `a2`, ... below); the server answers with untagged `*` lines and finishes each command with a line carrying the same tag. `LOGIN` sends the password in clear, so against a real target prefer port 993 (`openssl s_client -connect mail.domain.ext:993`) or STARTTLS:

```
$ telnet mail.domain.ext imap
* OK Courier-IMAP ready. Copyright 1998-2002 Double Precision, Inc.
a1 login me@mydomain.com mypassword
a1 OK LOGIN Ok.
# Select the folder you want to look in (usually the inbox):
a2 select INBOX
# This should give you some information about the contents of that mail folder:
* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
* OK [PERMANENTFLAGS (\Draft \Answered \Flagged \Deleted \Seen)] Limited
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1021381622] Ok
a2 OK [READ-WRITE] Ok
a3 logout
* BYE Courier-IMAP server shutting down
a3 OK LOGOUT completed
```
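When raw IMAP sessions are scripted (or a captured one is reviewed), the tag is what pairs each command with its completion; the untagged lines in between carry the data. The parser below, an added example rather than code from the original page, splits a transcript into client commands, untagged data and tagged results and pulls out the response codes, flags and EXISTS/RECENT counts. The transcript it parses is a constructed copy of the Courier-IMAP session above with `a1`..`a3` tags.

```python
import re

# Constructed transcript of the Courier-IMAP session above, with client tags a1..a3.
SESSION = r"""
* OK Courier-IMAP ready. Copyright 1998-2002 Double Precision, Inc.
a1 login me@mydomain.com mypassword
a1 OK LOGIN Ok.
a2 select INBOX
* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
* OK [PERMANENTFLAGS (\Draft \Answered \Flagged \Deleted \Seen)] Limited
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1021381622] Ok
a2 OK [READ-WRITE] Ok
a3 logout
* BYE Courier-IMAP server shutting down
a3 OK LOGOUT completed
"""

STATUS = {"OK", "NO", "BAD", "BYE", "PREAUTH"}
# Optional response code at the start of a status response: [CODE] or [CODE args]
CODE_RE = re.compile(r"^\[([A-Z-]+)(?: ([^\]]*))?\]")


def parse_imap_session(text):
    """Split a raw IMAP transcript into client commands, untagged server data and
    tagged completion results, extracting response codes, flags and message counts."""
    out = {"commands": [], "untagged": [], "tagged": {}, "codes": {}, "flags": [], "counts": {}}
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line.strip():
            continue
        if line.startswith("* "):  # untagged server data
            rest = line[2:]
            out["untagged"].append(rest)
            head, _, tail = rest.partition(" ")
            if head.isdigit() and tail in ("EXISTS", "RECENT"):
                out["counts"][tail] = int(head)
            elif head == "FLAGS":
                out["flags"] = tail.strip("()").split()
            elif head in STATUS:
                m = CODE_RE.match(tail)
                if m:
                    out["codes"][m.group(1)] = m.group(2) or ""
            continue
        if line.startswith("+ "):  # continuation request; not used in this session
            continue
        tag, _, rest = line.partition(" ")
        status, _, tail = rest.partition(" ")
        if status in ("OK", "NO", "BAD"):  # tagged completion for command `tag`
            out["tagged"][tag] = status
            m = CODE_RE.match(tail)
            if m:
                out["codes"][m.group(1)] = m.group(2) or ""
        else:  # anything else carrying a tag is a client command
            out["commands"].append((tag, rest))
    return out


def unfinished_commands(parsed):
    """Tags sent by the client that never received a tagged completion."""
    return [tag for tag, _ in parsed["commands"] if tag not in parsed["tagged"]]


if __name__ == "__main__":
    parsed = parse_imap_session(SESSION)
    for tag, cmd in parsed["commands"]:
        print(f"{tag} {cmd.split(' ', 1)[0]:<8} -> {parsed['tagged'].get(tag, 'no completion')}")
    print("counts:", parsed["counts"], "codes:", parsed["codes"])
```

The `unfinished_commands` check is the practical one when driving the protocol by hand or from a script: a tag without a completion means the server is still waiting (for example for a literal continuation) or the connection was dropped.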
FTP (port 21)
- default login:password pairs worth trying (anonymous FTP conventionally accepts any password, usually an e-mail address):
  - anonymous:example@email.com
  - anonymous:guest
  - ftp:ftp
TFTP (port 69/udp)
- tftp has no directory listing command, so filenames must be bruteforced:

```
nmap -n -sU -p69 --script tftp-enum 10.0.0.2
```

(nmap uses the dictionary /usr/share/nmap/nselib/data/tftplist.txt)

- tftp session (another trivial example). TFTP has no authentication at all; whether `put` is allowed depends only on server configuration. Switch to `binary` (octet mode) before fetching anything that is not plain text, otherwise netascii translation mangles the file:

```
$ tftp
tftp> connect 10.0.0.2
tftp> binary
tftp> get filename.ext
```
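What `tftp-enum` does under the hood is a read request per candidate name and a look at the first reply: DATA means the file exists, ERROR carries the reason (1 "File not found", 2 "Access violation"). The script below, an added example and not the page's or nmap's code, builds and parses the RFC 1350 packets and runs one probe per name. The target `10.0.0.2` in the usage block and the two-name wordlist are assumptions; point it at nmap's `tftplist.txt` for real runs.

```python
import socket
import struct

RRQ, DATA, ERROR = 1, 3, 5  # TFTP opcodes (RFC 1350)
TFTP_ERRORS = {0: "Not defined", 1: "File not found", 2: "Access violation", 3: "Disk full",
               4: "Illegal TFTP operation", 5: "Unknown transfer ID",
               6: "File already exists", 7: "No such user"}


def build_rrq(filename, mode="octet"):
    """RRQ packet: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_error(code, message):
    """ERROR packet: opcode 5, error code, message, NUL (used here to abort a transfer)."""
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def classify_reply(packet):
    """Interpret the server's first answer to an RRQ.
    DATA (3): the file exists; block 1 (<= 512 bytes) is attached.
    ERROR (5): code + message, e.g. 1 'File not found' or 2 'Access violation'."""
    if len(packet) < 4:
        return ("malformed", None, packet)
    opcode, field = struct.unpack("!HH", packet[:4])
    if opcode == DATA:
        return ("data", field, packet[4:])  # field = block number
    if opcode == ERROR:
        text = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return ("error", field, text or TFTP_ERRORS.get(field, "unknown"))
    return ("unexpected", opcode, packet[4:])


def tftp_enum(host, names, port=69, timeout=1.0):
    """Send one RRQ per candidate name and classify the first reply.
    A fresh socket per probe gives each request its own transfer ID, so a late
    retransmission of an earlier DATA block cannot be mistaken for the current answer.
    The server replies from a new port (its TID), not 69, so the source port is not
    filtered. On DATA an ERROR is sent back to the server's TID so it stops resending."""
    results = {}
    for name in names:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_rrq(name), (host, port))
            try:
                packet, peer = sock.recvfrom(65535)
            except socket.timeout:
                results[name] = ("timeout", None, None)
                continue
            results[name] = classify_reply(packet)
            if results[name][0] == "data":
                sock.sendto(build_error(0, "probe only"), peer)
    return results


if __name__ == "__main__":
    # Hypothetical target and a tiny constructed wordlist; nmap's tftplist.txt is the real one.
    for name, (kind, code, detail) in tftp_enum("10.0.0.2", ["startup-config", "config.txt"]).items():
        shown = f"{len(detail)} bytes" if kind == "data" else detail
        print(f"{name}: {kind} {code} {shown}")
```

A "timeout" for every name usually means UDP/69 is filtered or the wordlist is wrong for the device, not that the server is absent; a mix of "File not found" and "Access violation" already tells you the server is alive and which names it knows about.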