Initial access (protocols)
Theory
To gain initial access to an information system, one of the most common vectors is exploiting badly configured protocols inside the enterprise network. Even if companies don't necessarily deploy every protocol listed in this category, most of them can carry configuration vulnerabilities that will give you an entry point into the system. Some insecure protocols, like Telnet, HTTP, or old versions of SMB, are more rarely found on enterprise systems or services (but always check, you never know if some legacy machines still have them enabled 😉). Knowing which tools exist to manipulate these protocols, and what their possible misconfigurations are, is essential! You may find it interesting to explore the following:
- Broken authentication (FTP anonymous login, SSH default creds, open SMB shares);
- Information disclosure (DBMS protocols such as MySQL or MSSQL, or usage of HTTP instead of HTTPS);
- Exploiting enterprise authentication methods such as Kerberos tickets or LDAP requests, in order to compromise either a user or a service;
- Data exfiltration using standard file exchange protocols, but also more unconventional methods such as DNS data exfiltration;
- Or even gaining direct access/code execution to a machine using one of the protocols below, and tools like impacket or NetExec, which could then open many doors!
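DNS data exfiltration, mentioned above, is as useful to recognise as it is to understand. The following is an added example (not from the original page): a small Python detector that aggregates constructed resolver query-log lines per registered domain and flags domains receiving many distinct queries with unusually long subdomain prefixes, the pattern left by data being tunnelled out in DNS labels. The log format, the thresholds and the domain names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of resolver query logs (not from any real system): "<client> <qname>".
# The 10.0.0.7 lines imitate hex-encoded data being smuggled out inside subdomain labels.
SAMPLE_QUERY_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 www.example.com
10.0.0.7 4a6f686e20446f65.3132333435.exfil-test.example
10.0.0.7 53656372657420646f.3637383930.exfil-test.example
10.0.0.7 5061737377307264.4142434445.exfil-test.example
10.0.0.7 6d6f7265206461746120.4647484950.exfil-test.example
10.0.0.9 cdn.static.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)$")


def split_qname(qname):
    """Return (data_labels, registered_domain); assumes a two-label registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def score_domains(log_text, min_unique=3, min_data_len=20):
    """Aggregate queries per registered domain and flag exfiltration-like patterns:
    many distinct subdomains whose part left of the domain is unusually long."""
    stats = defaultdict(lambda: {"clients": set(), "qnames": set(), "data_lens": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole analysis
        client, qname = m.groups()
        data_labels, domain = split_qname(qname)
        s = stats[domain]
        s["clients"].add(client)
        s["qnames"].add(qname)
        s["data_lens"].append(len("".join(data_labels)))
    flagged = {}
    for domain, s in stats.items():
        mean_len = sum(s["data_lens"]) / len(s["data_lens"])
        if len(s["qnames"]) >= min_unique and mean_len >= min_data_len:
            flagged[domain] = {
                "clients": sorted(s["clients"]),  # hosts to triage first
                "unique_qnames": len(s["qnames"]),
                "mean_data_len": round(mean_len, 1),
            }
    return flagged
```

Running `score_domains(SAMPLE_QUERY_LOG)` flags only `exfil-test.example`, queried by 10.0.0.7; on real logs, tune the thresholds against a baseline of the CDN and telemetry domains your network normally resolves.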
TIP
NetExec is a great network service exploitation tool that can help in exploiting protocols and assessing the security posture of an information system. It supports many common enterprise protocols (smb, ssh, ldap, wmi, rdp, mssql...) in combination with different authentication methods (Kerberos, standard credentials).
Practice
Well-known ports
Common port | Protocol | Description |
---|---|---|
21/TCP | FTP | File Transfer Protocol - Standard network protocol used for transferring files from one host to another over a TCP-based network. FTP uses a client-server architecture and operates in both active and passive modes. It lacks encryption, making it less secure for transmitting sensitive data. |
22/TCP | SSH | Secure Shell - Cryptographic network protocol to operate services and devices securely over an unsecured network. SSH uses public-key cryptography for authentication and symmetric encryption (e.g., AES, 3DES) for data confidentiality and integrity. It is widely used for remote login, command execution, and secure file transfers. |
23/TCP | Telnet | Provides a command-line interface for communication with a remote device. Telnet transmits data, including passwords, in plaintext, making it vulnerable to eavesdropping and man-in-the-middle attacks. It has largely been replaced by SSH for secure remote access. |
53/UDP or 53/TCP | DNS | Domain Name System - Hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. DNS translates human-readable domain names into IP addresses using a distributed database system. It can operate over both UDP and TCP, with UDP being more common for queries and TCP for zone transfers. |
80/TCP | HTTP | HyperText Transfer Protocol - Application layer protocol that defines communication between a client and server over TCP, using a request-response model. Key features include request methods like GET, POST, PUT, and DELETE; response status codes (e.g., 200 OK, 404 Not Found); headers for metadata; and MIME types for data formats. It is not secure by default, HTTPS being preferred for secure communications. |
88/TCP | Kerberos | The default authentication protocol for Active Directory, thus often used in enterprise environments. It is designed to provide strong authentication for client/server applications using secret-key cryptography. Kerberos uses symmetric encryption (e.g., DES, AES) and a combination of Authentication Servers and Ticket-Granting Servers (TGS) to authenticate users and services securely, using service tickets generated by the TGS. |
389/TCP | LDAP | Lightweight Directory Access Protocol - Vendor-neutral protocol designed for accessing and managing directory information services. Common uses include user authentication on internal resources, address books, or device management. Each entry in the LDAP directory has a Distinguished Name (DN), and attributes (key-value pairs) depending on the type of the entry (a user, a printer, a group...). |
443/TCP | HTTPS | HyperText Transfer Protocol Secure - Extension of HTTP that uses encryption (SSL/TLS) to secure the transmitted data. HTTPS provides confidentiality, data integrity, and authentication by encrypting the communication between the client and server using protocols like TLS 1.2 or TLS 1.3. |
445/TCP | SMB | Server Message Block - Network file sharing protocol that allows applications to read and write to files and request services from server programs in a computer network. SMB operates over TCP/IP and is used for sharing files, printers, and other resources. Recent versions provide authentication, authorization, and encryption (> SMB 3.0), but badly configured SMB shares can be good entry points inside an information system (see EternalBlue MS17-010). |
554/TCP | RTSP | Real-Time Streaming Protocol - Control protocol for streaming media, allowing clients to remotely control media servers with commands like PLAY, PAUSE, and TEARDOWN. RTSP typically works with RTP (Real-time Transport Protocol) for media delivery and supports both unicast and multicast streaming. It is widely used in video conferencing services (like MS Teams), surveillance, and entertainment systems. |
1433/TCP | MSSQL | Default port for Microsoft SQL Server - MSSQL employs the Tabular Data Stream (TDS) protocol for client-server interactions, enabling standard data management operations (CRUD). |
2049/TCP | NFS | Network File System - Distributed file system protocol that allows clients to access files on remote servers as if they were local. NFS supports standard file operations like reading, writing, and locking, and recent versions have improved security, including Kerberos authentication and ACLs. It is commonly used in UNIX/Linux environments for shared storage and data access across networks. |
3306/TCP | MySQL | Default port used by the MySQL DBMS for client-server communication. MySQL uses a proprietary protocol for communication between the client and server, allowing clients to connect to the database server and perform standard data operations like querying, updating, and managing data. |
3389/TCP | RDP | Remote Desktop Protocol - Proprietary Microsoft protocol that allows remote connection to a computer over a network. RDP provides graphical display and input capabilities, so that users can interact with the computer as if they had physical access. |
5985/TCP or 5986/TCP | WinRM | Windows Remote Management - Protocol that allows administrators to manage and configure Windows machines remotely. WinRM is Microsoft's implementation of the WS-Management protocol, which uses SOAP (Simple Object Access Protocol) over HTTP/HTTPS to provide a common way for systems to access and exchange management information. Tools like evil-winrm can help exploit bad WinRM configurations. |