Enumeration
NMAP
# Alive hosts
nmap -sn 10.0.0.0/24
# scan the 1000 most common ports, run OS detection, version detection and the default nmap scripts; -oA writes nmap.nmap, nmap.gnmap and nmap.xml
nmap -A -oA nmap <targetip>
# scan more deeply: all 65535 ports on <targetip> with a full TCP connect scan
nmap -v -sT <targetip> -p-
# more options
nmap -sV -sC -v -A <targetip> -p-
nmap -sT -sV -A -O -v -p 1-65535 <targetip>
# my preference
nmap -sV -sC -v -oA output <targetip>
nmap -p- -v <targetip>
------------------------
SMB
Ports 139 and 445 - SMB/Samba shares
Samba is a service that lets a host share files with other machines over SMB.
smbclient works much like a command-line FTP client; shares that allow guest access can be browsed without any credentials.
# Share List:
smbclient --list <targetip>
smbclient -L <targetip>
# Check SMB vulnerabilities (note: smb-check-vulns.nse has been removed from current Nmap releases; the same checks now live in the smb-vuln-* scripts)
nmap --script=smb-check-vulns.nse <targetip> -p445
# basic nmap scripts to enumerate shares and OS discovery
nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse
# Connect using Username
smbclient -L <targetip> -U username -p 445
# Connect to Shares
smbclient \\\\<targetip>\\ShareName
smbclient \\\\<targetip>\\ShareName -U john
# enumerate SMB shares, users and groups with enum4linux; -a is the "do everything" option
enum4linux -a 192.168.1.120
# learn the machine name and then enumerate with smbclient
nmblookup -A 192.168.1.102
smbclient -L <server_name> -I 192.168.1.105
# rpcclient - connect with a null session (only works against older Windows servers)
rpcclient -U james 10.10.10.52
rpcclient -U "" 192.168.1.105
(press Enter if asked for a password)
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumalsgroups domain
rpcclient $> lookupnames administrators
rpcclient $> querydominfo
rpcclient $> enumdomusers
rpcclient $> queryuser john
# scan for vulnerabilities with nmap
nmap --script "vuln" <targetip> -p139,445
------------------------
SMTP
# telnet or netcat connection
nc <targetip> 25
VRFY root
# Check for commands
nmap --script smtp-commands.nse <targetip>
------------------------
Port 111 - RPC
rpcbind (the RPC portmapper) can reveal NFS shares, so look out for nfs in its output. Obtain the list of services registered with RPC:
rpcinfo -p <targetip>
# using nmap, find which port NFS is listening on (quote the glob so the shell does not expand it)
locate '*rpc*.nse'
nmap --script rpcinfo.nse <targetip> -p 111
-------------------------
NFS
# to find the public share (quote the glob so the shell does not expand it)
locate '*nfs*.nse'
nmap --script nfs-showmount.nse <targetip>
# mount the share to a folder under /tmp
mkdir /tmp/nfs
/sbin/mount.nfs <targetip>:/home/box /tmp/nfs
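The scans in the NMAP section write a .gnmap file when run with -oA; the SMB, SMTP, RPC and NFS sections are all about services that file already lists. The following is an added example, not part of the original cheat sheet, that parses grepable nmap output and reports which hosts expose those services, so the result can be reviewed against what is actually supposed to be reachable (e.g. before firewalling or disabling a share). The port-to-service mapping and the sample .gnmap lines are constructed for the example.

```python
import re

# Services covered by this cheat sheet, keyed by the TCP port nmap reports.
# Constructed mapping for the example; extend it for your environment.
EXPOSED_SERVICES = {
    25: "SMTP",
    111: "RPC portmapper (rpcbind)",
    139: "SMB (NetBIOS session)",
    445: "SMB",
    2049: "NFS",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# Port entries are separated by ", ", but a version string may itself contain
# a comma, so split only where the next entry's port number begins.
PORT_SPLIT_RE = re.compile(r",\s+(?=\d+/)")


def parse_gnmap(text):
    """Parse nmap grepable output (-oG, or the .gnmap file written by -oA).

    Returns {address: [{port, state, proto, service, version}, ...]}.
    Host lines without a Ports: field (e.g. ping-sweep results) are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        address = m.group(1)
        # Fields are tab-separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = {}
        for field in line.split("\t"):
            key, sep, value = field.partition(": ")
            if sep:
                fields[key] = value
        if "Ports" not in fields:
            continue
        entries = []
        for entry in PORT_SPLIT_RE.split(fields["Ports"]):
            # Each entry is port/state/proto/owner/service/rpc_info/version/
            parts = entry.split("/", 6)
            if len(parts) < 7:
                continue
            entries.append({
                "port": int(parts[0]),
                "state": parts[1],
                "proto": parts[2],
                "service": parts[4],
                "version": parts[6].rstrip("/"),
            })
        hosts[address] = entries
    return hosts


def exposed_services(hosts):
    """Return {address: [(port, label), ...]} for hosts with an open TCP port in EXPOSED_SERVICES."""
    report = {}
    for address, entries in hosts.items():
        hits = [(e["port"], EXPOSED_SERVICES[e["port"]])
                for e in entries
                if e["state"] == "open" and e["proto"] == "tcp"
                and e["port"] in EXPOSED_SERVICES]
        if hits:
            report[address] = sorted(hits)
    return report


# Constructed sample of a .gnmap file, not real scan output.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//microsoft-ds//Samba smbd 4 (workgroup: WORKGROUP)/\tIgnored State: closed (997)
Host: 10.0.0.7 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/, 2049/open/tcp//nfs//2-4 (RPC #100003)/\tIgnored State: filtered (997)
Host: 10.0.0.9 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 10.0.0.11 ()\tStatus: Up
# Nmap done
"""

if __name__ == "__main__":
    for address, hits in exposed_services(parse_gnmap(SAMPLE_GNMAP)).items():
        print(address, ", ".join(f"{port}/{label}" for port, label in hits))
```

Filtered ports and hosts that only appear in a ping sweep are deliberately left out of the report, so the output lists only services that answered; run it over the real nmap.gnmap written by `-oA nmap` by reading that file into `parse_gnmap` instead of the sample string.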