Offensive Stack

  PostgreSQL, also known as Postgres, is a powerful open-source object-relational database system. It has earned a strong reputation for its proven architecture, reliability, data integrity, robust feature set, and extensibility. Identify PostgreSQL nmap -sV -p 5432 <target-host> nmap Scanning nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10 #make sure to check for vulnerable versions nmap -sV -p 5432 <target-host> Exploiting Known Vulnerabilities searchsploit postgresql <version> Enumerating Databases and Tables List all databases \l Switch to a database \c <database_name> List tables in the current database: \dt Extract data from a specific table: SELECT * FROM <table_name>; Dumping Hashes SELECT usename, passwd FROM pg_shadow; Accessing File System COPY (SELECT * FROM sensitive_table) TO '/tmp/sensitive_data.txt'; Bruteforcing Postgres Creds #Using Metasploit use auxiliary/scanner/postgr...

  It is also known as a function call or a subroutine call. Default ports are 135, 593. Enumeration nmap --script msrpc-enum -p 135 <target-ip> RPC Endpoints To enumerate RPC endpoints, use impacket-rpcdump. impacket-rpcdump -port 135 <target-ip> | grep -E 'MS-EFSRPC|MS-RPRN|MS-PAR' MS-EFSRPC: It might be vulnerable to PetitPotam. MS-RPRN, MS-PAR: It might be vulnerable to PrintNightmare. Metasploit msfconsole msf> use auxiliary/scanner/dcerpc/endpoint_mapper msf> use auxiliary/scanner/dcerpc/hidden msf> use auxiliary/scanner/dcerpc/management msf> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor Connect # Anonymous logon rpcclient -N -U "" <target-ip> rpcclient -N -U "" -p 593 <target-ip> rpcclient -N -U "" dc.example.local # Specify username # -W: Workgroup # -N: No password rpcclient -U username <target-ip> rpcclient -W WORKGROUP -U username <target-ip> rpcclient -U username -N <target-ip...

 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS)   Connect We can use Telnet to connect to the remote server. Here is a command using Telnet: telnet example.com 25 Enumeration Identifying a SMTP Server You can use Nmap to check if there's an Telnet server on a target host like this: nmap -p25,465,587 -sV -Pn target.com Additional Nmap commands for enumeration nmap --script smtp-brute -p 25,465,587 "target-ip" nmap --script smtp-commands -p 25,465,587 "target-ip" nmap --script smtp-enum-users -p 25,465,587 "target-ip" nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip" nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip" nmap --script smtp-* -p 25,465,587 "target-ip" Enumer...

Recon Banner Grabbing - Identify DNS Server Versions # Use dig to determine DNS server versions dig version.bind CHAOS TXT @DNS # Alternatively, use nmap script to grab the banner nmap --script dns-nsid <DNS_IP> # Alternatively, use telnet to grab the banner nc -nv -u <DNS_IP> 53 DNS Server Discovery # Using dig dig NS <target-domain> # Using nslookup nslookup -type=NS <target-domain> Enumeration Using DNS enum dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN> Using dig # Query DNS records dig hackviser.com # Query specific type of DNS records (e.g., A record) dig A hackviser.com # Perform a reverse DNS lookup dig -x <IP_ADDRESS> # Query a specific DNS server dig @<DNS_SERVER_IP> hackviser.com Using nslookup # Perform DNS queries nslookup hackviser.com # Query a specific type of DNS record (e.g., MX record) nslookup -type=MX hackviser.com # Query a specific DNS server nslookup ha...

Pivoting for Red Teamers Using rpcclient via Metasploit for Enumeration & Exploitation rpcclient is a powerful tool used for enumerating and interacting with Windows RPC services . It is commonly used in penetration testing to extract usernames, groups, and policies from Windows machines. Using rpcclient Manually (Without Metasploit) If you already have valid credentials (or null session access), you can use rpcclient from Kali Linux: rpcclient -U "" <TARGET_IP> or rpcclient -U "guest" <TARGET_IP> 🔹 If it prompts for a password, just press Enter to attempt a null session login . Common Enumeration Commands enumdomusers # Enumerate domain users queryuser <RID> # Get user details (Replace <RID> with a user RID) enumdomgroups # Enumerate groups querygroup <RID> # Get group details getsid # Get security identifier (SID) lookupnames <...

Pivoting for Red Teamers Pivoting in Red Team Operations: A Complete Guide Introduction In a real-world red team operation , gaining initial access is just the beginning. The real challenge is pivoting —the ability to move laterally, escalate privileges, and compromise additional systems within the network. What is Pivoting? Pivoting is a technique used to route traffic through a compromised host to access internal networks that are not directly reachable. Types of Pivoting Network Pivoting : Routes network traffic through a compromised host (e.g., SSH Tunneling, Metasploit, ProxyChains). Port Forwarding : Exposes specific ports from an internal machine to the attacker (e.g., SSH Local Port Forwarding). Step 1: Pivoting Using Metasploit Setting Up a Pivot via Meterpreter meterpreter> backgroun...