Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.
The slides were published here and the video from hashdays is here; there is no video for BSides ATL.
I consistently violate presentation zen and try to make my slides usable after the talk, but I decided to do a few blog posts covering the topics from the talk anyway.
Post  Exposed Services and Admin Interfaces
An example of exposed services, and a reminder to check for default and common passwords. The first example is a VNC server with no password at all. That gives us a HIGH severity finding.
Admin interfaces can be gold. The problem is that 1) you have to find them on whatever random port they are running on, and 2) you have to get eyes on them. This can be a hassle, and across a large range it's genuinely hard to do by hand.
So, to bring the "low" into it: some random HTTP server gets you this in Nessus.
Here is a possible methodology for doing it:
- Nmap your range
- Import your nmap results into metasploit
- Use the db_ commands (services) to pull out a list of hosts & ports
- With the magic of scripting languages, turn that list into an HTML page (or pages) of links
- Use linky to open all those links
Kinda goes like this:
After you have imported your nmap results, use the services command.
If it's populated you'll get a list of results like the one below.
msf > services -o /tmp/demo.csv
Take that CSV and run some Ruby on it.
The above code outputs an HTML file that you can open with linky.
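The script itself isn't reproduced in the post, so here is an added example of my own (not the author's code) that does the same job: it reads a `services -o` export and writes an HTML page of links for linky to open. It assumes the CSV header is `host,port,proto,name,state,info` (what Metasploit's `services -o` writes), and the rules for deciding which rows are web servers and which get `https://` (port lists, `ssl`/`https` in the service name) are my own heuristics, not the post's. The sample CSV embedded in the block is constructed, not real scan output. One caveat worth building in: service names and banners come straight from the targets, so they are HTML-escaped before they land in a page you're about to open in your own browser.

```ruby
#!/usr/bin/env ruby
# Added example (not the original post's script): turn a Metasploit
# `services -o` CSV export into an HTML page of links for linky.
#
# Assumption: the CSV header is host,port,proto,name,state,info.
require 'csv'
require 'cgi'

# Ports treated as HTTPS when the service name gives no hint (assumption).
HTTPS_PORTS = [443, 4443, 8443, 9443].freeze
# Common plaintext web ports that nmap may report under a bare name (assumption).
HTTP_PORTS  = [80, 8000, 8080, 8081, 8888].freeze

# Constructed sample export, not real scan data.
SAMPLE_CSV = <<~CSV
  host,port,proto,name,state,info
  10.0.0.5,22,tcp,ssh,open,OpenSSH 5.3
  10.0.0.5,80,tcp,http,open,Apache httpd 2.2.15
  10.0.0.5,443,tcp,ssl/http,open,Apache httpd 2.2.15
  10.0.0.6,5900,tcp,vnc,open,VNC (protocol 3.8)
  10.0.0.7,8080,tcp,http-proxy,open,Squid http proxy 3.1
  10.0.0.7,161,udp,snmp,open,
  10.0.0.8,80,tcp,http,closed,
CSV

# Return a browser URL for a row that looks like a web server, else nil.
# Only open TCP services qualify; UDP rows and closed ports are skipped.
def url_for(row)
  return nil unless row['proto'] == 'tcp' && row['state'] == 'open'

  port = row['port'].to_i
  name = row['name'].to_s.downcase
  info = row['info'].to_s.downcase
  web  = name.include?('http') || info.include?('http') ||
         HTTP_PORTS.include?(port) || HTTPS_PORTS.include?(port)
  return nil unless web

  tls = HTTPS_PORTS.include?(port) || name.include?('https') || name.include?('ssl')
  "#{tls ? 'https' : 'http'}://#{row['host']}:#{port}/"
end

# Every web URL in an export, in file order, with duplicates removed.
def web_urls(csv_text)
  CSV.parse(csv_text, headers: true).map { |row| url_for(row) }.compact.uniq
end

# Build the HTML page. Names and banners are target-controlled, so they are
# escaped: a hostile banner must not become markup or script in the page
# you are about to open in your own browser.
def services_to_html(csv_text)
  items = CSV.parse(csv_text, headers: true).map do |row|
    url = url_for(row)
    next unless url
    label = CGI.escapeHTML("#{row['host']}:#{row['port']} #{row['name']} #{row['info']}".strip)
    "  <li><a href=\"#{CGI.escapeHTML(url)}\">#{label}</a></li>"
  end.compact
  <<~HTML
    <!DOCTYPE html>
    <html><head><meta charset="utf-8"><title>services</title></head>
    <body><ul>
    #{items.join("\n")}
    </ul></body></html>
  HTML
end

# Usage: ruby services2html.rb /tmp/demo.csv > /tmp/demo.html
# With no argument it renders the constructed sample above.
if __FILE__ == $PROGRAM_NAME
  input = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CSV
  puts services_to_html(input)
end
```

Open the resulting file in Firefox and let linky open every link in tabs. Keep in mind that this fires a request at every web server in the list at once, so on a large range it is anything but quiet; split the page per subnet if that matters to the engagement.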
You can now start intelligently trying default passwords or viewing exposed content.