Network Service Exploitation

#Overview

Network service exploitation targets services listening on internal or external network ports that provide direct system access without the complexity of web application attacks. Common targets include SMB (445), FTP (21), SSH (22), RDP (3389), WinRM (5985/5986), MSSQL (1433), MySQL (3306), PostgreSQL (5432), Redis (6379), SNMP (161), and RPC (135). These services are often misconfigured with default credentials, anonymous access, weak cryptography, or unpatched vulnerabilities. Successful exploitation frequently leads to remote code execution, credential theft, or lateral movement opportunities.

#When to Target Network Services vs Web Applications

  • Network services first when: SMB, WinRM, RDP, SSH, or database ports are open. These often provide direct shell access with valid credentials.
  • Web applications first when: Only HTTP/HTTPS is available, or the application has obvious vulnerabilities (file upload, SQLi, default CMS creds).
  • Combine both when: Web shells or LFI can be used to reach internal services (e.g., MySQL/MSSQL from localhost), or when web app creds unlock network services.

#Decision Tree

Open Port Scan → 
  ├─ Port 445 (SMB) → Check anonymous access → enumerate shares → GPP/SCF/lnk/LFI hash capture
  ├─ Port 21 (FTP)  → Check anonymous login → check write + browse → upload webshell
  ├─ Port 5985/5986 (WinRM) → evil-winrm with found creds → PTH with hash
  ├─ Port 3389 (RDP) → xfreerdp with creds → NLA bypass → Restricted Admin PTH
  ├─ Port 1433 (MSSQL) → impacket-mssqlclient → xp_cmdshell / UNC injection
  ├─ Port 3306 (MySQL) → mysql client → UDF privesc / INTO OUTFILE webshell
  ├─ Port 5432 (PostgreSQL) → psql → COPY FROM PROGRAM / large object RCE
  ├─ Port 6379 (Redis) → redis-cli → SSH key injection / crontab / module load
  ├─ Port 161 (SNMP) → snmpwalk → process listing / config read / write abuse
  └─ Port 135 (RPC) → rpcclient → null session enumeration → service creation

#General Methodology

  1. Port discovery: Use masscan for speed, then nmap -sC -sV for service fingerprinting.
  2. Anonymous/Guest access: Test null credentials, anonymous binds, guest logins before attempting password attacks.
  3. Default credentials: Check service documentation and default password databases.
  4. Credential spraying: Use netexec or hydra to test found credentials across all accessible services.
  5. Service-specific enumeration: Use native clients (smbclient, redis-cli, mysql, psql) to list contents after authentication.
  6. Exploitation: Follow service-specific exploitation paths outlined in the dedicated files.
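
A defender-side example added here (not part of the module or any tool it lists): the anonymous logins probed in step 2 and the cross-service credential spraying of step 4 both leave a recognisable trace in authentication logs. The script below flags them over a constructed log in a made-up `time src_ip dst_port user result` format, using the port list from the overview.

```python
"""Flag anonymous/guest logins and one source touching many of the listed
service ports in a short window. Log format and lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports from the module's target list, mapped to service names.
SERVICE_PORTS = {445: "SMB", 21: "FTP", 22: "SSH", 3389: "RDP", 5985: "WinRM",
                 5986: "WinRM", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
                 6379: "Redis", 161: "SNMP", 135: "RPC"}

# Constructed sample log: "<ISO time> <src_ip> <dst_port> <user> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.7 445 svc_backup FAIL
2024-05-01T10:00:03 10.0.0.7 22 svc_backup FAIL
2024-05-01T10:00:05 10.0.0.7 1433 svc_backup FAIL
2024-05-01T10:00:09 10.0.0.7 5985 svc_backup SUCCESS
2024-05-01T10:00:12 10.0.0.7 21 anonymous SUCCESS
2024-05-01T10:30:00 10.0.0.9 22 alice SUCCESS
2024-05-01T10:31:00 10.0.0.9 3389 alice SUCCESS
"""

def parse(line):
    ts, src, port, user, result = line.split()
    return datetime.fromisoformat(ts), src, int(port), user, result

def find_spraying(log, window=timedelta(minutes=5), min_services=3):
    """Return {src_ip: sorted service names} for sources that authenticated
    (success or failure) against >= min_services distinct services in window."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, src, port, _user, _result = parse(line)
        if port in SERVICE_PORTS:
            events[src].append((ts, SERVICE_PORTS[port]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):   # slide the window over events
            seen = {svc for ts, svc in evs[i:] if ts - start <= window}
            if len(seen) >= min_services:
                hits[src] = sorted(seen)
                break
    return hits

def find_anonymous_logins(log):
    """Return (src_ip, service) for successful anonymous/guest logins: the
    access step 2 looks for and a hardening baseline should have disabled."""
    return [(src, SERVICE_PORTS.get(port, str(port)))
            for _ts, src, port, user, result in map(parse, log.splitlines())
            if result == "SUCCESS" and user.lower() in {"anonymous", "guest"}]
```

The same source is flagged on both checks here because spraying typically begins with whatever anonymous access was found first.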

#Source Machines

  • Active (Easy, AD) - GPP password extraction from SMB share
  • Blackfield (Hard, AD) - Anonymous SMB enumeration + ASREPRoasting
  • Escape (Medium, AD) - MSSQL UNC path injection → hash capture
  • Forest (Easy, AD) - LDAP null bind enumeration + ASREPRoasting
  • Return (Easy, AD) - Printer admin panel → LDAP credential capture
  • Support (Easy, AD) - SMB share binary analysis → LDAP query injection
  • Timelapse (Easy, AD) - Anonymous SMB share → PFX credential extraction + WinRM

#Cross-References

#Tool References

  • netexec (crackmapexec) - https://github.com/Porchetta-Industries/CrackMapExec
  • smbmap - https://github.com/ShawnDEvans/smbmap
  • impacket - https://github.com/fortra/impacket
  • evil-winrm - https://github.com/Hackplayers/evil-winrm
  • responder - https://github.com/lgandx/Responder
  • ntlm_theft - https://github.com/Greenwolf/ntlm_theft