
Scanning and Enumeration

Jakob Pennington edited this page Feb 27, 2019 · 7 revisions

Port Scanning

nmap

# TCP Fast
nmap --disable-arp-ping -Pn -oA nmap-tcp-fast IP_ADDRESS

# TCP Full
nmap --disable-arp-ping -Pn -A -p- -sC -oA nmap-tcp-allports IP_ADDRESS

# UDP Fast
nmap --disable-arp-ping -Pn -sU -oA nmap-udp-fast IP_ADDRESS

# UDP Full
nmap --disable-arp-ping -Pn -sU -p- -A -oA nmap-udp-allports IP_ADDRESS

Useful flags

-Pn                 - Skip host discovery. Useful if you know a host is up.
-T1 ... -T5         - Scale the aggressiveness of the scan up or down (a higher number is more aggressive).
--disable-arp-ping  - Option if scans are slow or misbehaving.

Useful scripts

Usage: --script="script1,script2"
Script Classes:
    ftp-*
    http-*
    smb-*
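The -oA option in the scans above writes an XML copy of the results (nmap-tcp-fast.xml and so on), which is the form worth parsing when you scan more than one host or want to feed the service list into later steps. The following is an added example, not part of the original page: a Python script using the standard library's xml.etree to pull the open ports, service names and banners out of nmap XML, skipping hosts that are down and ports that are closed or filtered. The embedded XML is a constructed sample in nmap's output shape, not real scan output; the hostnames and addresses in it are assumptions.

```python
"""Summarise open ports from nmap XML output (the .xml file written by -oA)."""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape nmap writes; not real scan output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV -oA nmap-tcp-fast 10.0.0.5" start="0" version="7.70">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text: str, include_open_filtered: bool = False):
    """Return {address: [(proto, port, service, banner), ...]} for hosts that are up.

    Only ports in state 'open' are kept. With include_open_filtered=True the
    'open|filtered' state is kept too: that is how nmap reports UDP ports that
    never answered, which it cannot distinguish from filtered ones.
    """
    wanted = {"open"} | ({"open|filtered"} if include_open_filtered else set())
    results = defaultdict(list)
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr")
        results[addr]  # register the host even if nothing is open
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state not in wanted:
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            banner = ""
            if svc is not None:
                banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            results[addr].append((port.get("protocol"), int(port.get("portid")), name, banner))
        results[addr].sort()
    return dict(results)


def summarise(results) -> list:
    """One line per open port, e.g. '10.0.0.5 tcp/22 ssh OpenSSH 7.4'."""
    lines = []
    for addr, ports in sorted(results.items()):
        for proto, port, name, banner in ports:
            lines.append(f"{addr} {proto}/{port} {name} {banner}".rstrip())
    return lines


if __name__ == "__main__":
    # Usage: python3 nmap_summary.py nmap-tcp-fast.xml  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    print("\n".join(summarise(parse_open_ports(text, include_open_filtered=True))))
```

Run it against the .xml file from a -oA scan; for UDP output pass include_open_filtered=True, since nearly every UDP port nmap reports ends up in the open|filtered state.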

Reconnoitre

# Scan a host or list of hosts including service scans
reconnoitre -o . --services -t IP_ADDRESS

# Discover live hosts and hostnames within a range
reconnoitre -o . --pingsweep --hostnames -t IP_ADDRESS

# Discover live hosts within a range and then do a quick probe for services
reconnoitre -o . --pingsweep --services --quick -t IP_ADDRESS

TCP Services

[ 21 ] FTP - File Transfer Protocol

FTP is the standard network protocol for transferring files from an FTP server to an FTP client. Other variations of the protocol include:

  • FTPS - Encrypted FTP over TLS
  • SFTP - Encrypted FTP over SSH
  • TFTP - Trivial File Transfer Protocol

Things to look out for

  • Anonymous FTP - The ability to connect to an FTP server without valid credentials. This can be done by logging in with the username 'anonymous' and an arbitrary password.

FTP commands

Connect to an FTP server with the ftp command, specifying the IP address. Supply the username and password of a local user on the server, or connect anonymously.

root@localhost> ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.1)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
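The anonymous-login check, as an added example that is not part of the original page: a Python function built on the standard library's ftplib that performs only the USER/PASS/QUIT exchange shown in the transcript above and reports whether the server answered 230 (accepted) or 530 (refused), which is what you want when verifying the configuration of many FTP hosts you administer. The MockFtpServer class is a constructed stand-in that speaks just those reply codes so the check can be run offline; the example.com password and the loopback address are assumptions.

```python
"""Check whether an FTP service accepts anonymous logins (USER anonymous / PASS anything)."""
import ftplib
import socket
import threading


def anonymous_login_allowed(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Return True if host:port answers the anonymous USER/PASS exchange with 230.

    The exchange mirrors the transcript: 220 banner, 331 after USER, then 230
    (accepted) or 530 (refused) after PASS. Nothing is listed or transferred.
    A connection failure (closed port, no FTP service) propagates as OSError so
    the caller can tell "anonymous refused" from "no FTP here".
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        # Any password is accepted for anonymous; convention is an e-mail address.
        ftp.login("anonymous", "anonymous@example.com")
        return True
    except ftplib.error_perm:  # 5xx reply to USER/PASS, typically 530 Login incorrect
        return False
    finally:
        try:
            ftp.quit()      # polite QUIT, expects 221
        except Exception:
            ftp.close()     # connect never completed, or server hung up first


class MockFtpServer(threading.Thread):
    """Constructed stand-in for an FTP daemon (hypothetical, for offline demonstration).

    Speaks only the replies the login exchange needs: 220, 331, 230/530, 221.
    """

    REPLIES = {
        "USER": b"331 Please specify the password.\r\n",
        "QUIT": b"221 Goodbye.\r\n",
    }

    def __init__(self, allow_anonymous: bool):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))  # ephemeral port on loopback only
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]

    def run(self) -> None:
        conn, _ = self._srv.accept()
        self._srv.close()
        with conn, conn.makefile("rwb") as f:
            f.write(b"220 (mock vsFTPd) ready\r\n")
            f.flush()
            for raw in f:
                parts = raw.decode("latin-1").split()
                verb = parts[0].upper() if parts else ""
                if verb == "PASS":
                    reply = (b"230 Login successful.\r\n" if self.allow_anonymous
                             else b"530 Login incorrect.\r\n")
                else:
                    reply = self.REPLIES.get(verb, b"502 Command not implemented.\r\n")
                f.write(reply)
                f.flush()
                if verb == "QUIT":
                    break


def demo(allow_anonymous: bool) -> bool:
    """Run the check against a mock server configured to allow or refuse anonymous."""
    server = MockFtpServer(allow_anonymous)
    server.start()
    try:
        return anonymous_login_allowed("127.0.0.1", server.port, timeout=5.0)
    finally:
        server.join(timeout=5.0)


if __name__ == "__main__":
    print("mock allowing anonymous ->", demo(True))    # True
    print("mock refusing anonymous ->", demo(False))   # False
    # Against a host you administer: anonymous_login_allowed("ftp.example.test")
```

The check deliberately stops at the login reply: if 230 comes back the finding is already made, and leaving directory listings and transfers out keeps the audit footprint to the same three commands the transcript shows.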

[ 22 ] SSH - Secure SHell

# Useful options
 -v                 Verbose output
 -i IDENTITY.pem    Identity (private key) file for public key authentication

[ 25 ] SMTP - Simple Mail Transfer Protocol

Enumerate usernames

smtp-user-enum -M VRFY -U ~/Tools/SecLists/Usernames/top_shortlist.txt -t IP_ADDRESS -p 25 | tee smtp-user-enum.txt

[ 80, 443 ] HTTP / HTTPS - HyperText Transfer Protocol (Secure)

Enumerate files / directories

dirb http://IP_ADDRESS:PORT/ -o dirb.txt

dirbuster -H -u http://IP_ADDRESS:PORT/ -l /root/Tools/SecLists/Discovery/Web_Content/raft-medium-directories.txt -t 20 -s / -v -r dirbuster.txt

gobuster -w /root/Tools/SecLists/Discovery/Web-Content/common.txt -u http://IP_ADDRESS:PORT/ -s '200,204,301,302,307,403,500' -e -k | tee gobuster.txt

gobuster -w /root/Tools/SecLists/Discovery/Web-Content/CGIs.txt -u http://IP_ADDRESS:PORT/ -s '200,204,301,302,307,403,500' -e -k | tee gobuster-cgi.txt

Scan for common files / vulnerabilities

nikto -host http://IP_ADDRESS -port PORT | tee nikto.txt

WordPress

Once you have wp-admin Administrator credentials, reverse shell by modifying a theme's page (e.g. 404).

# General scan
wpscan --url http://IP_ADDRESS:PORT/WP_PATH/ --enumerate vp,vt,tt,cb,dbe,u | tee wpscan.txt

# Password bruteforce
wpscan -U users.txt -P ~/Tools/SecLists/Passwords/rockyou.txt --password-attack wp-login --url http://IP_ADDRESS:PORT/WP_PATH/

# Note: wp-login can be interchanged with xmlrpc or xmlrpc-multicall

WebDAV

nmap --script="http-iis-webdav-vuln" -oA nmap-webdav --disable-arp-ping -Pn -T4 -p PORT IP_ADDRESS

davtest -url http://IP_ADDRESS | tee davtest.txt

cadaver -t http://IP_ADDRESS | tee cadaver.txt

[ 111 ] rpcbind

rpcinfo

rpcinfo -p IP_ADDRESS | tee rpcinfo.txt

[ 135 ] MSRPC - Microsoft Remote Procedure Call

# nmap enumeration
nmap --script=msrpc-enum -oA 'nmap-msrpc' IP_ADDRESS

[ 139, 445 ] SMB - Server Message Block

Common SMB scans

enum4linux -a IP_ADDRESS | tee enum4linux.txt

nmap --disable-arp-ping -Pn -sV -vv -p 139,445 --script='smb-vuln*' --script-args=unsafe=1 -oA 'nmap-smb' IP_ADDRESS
nmap --disable-arp-ping -Pn -sV -vv -p 445 --script=smb-enum-users --script-args=unsafe=1 -oA 'nmap-smb-users' IP_ADDRESS

Query NetBIOS names

nmblookup -A IP_ADDRESS | tee nmblookup.txt

Enumerate shares

smbclient -L //IP_ADDRESS              # List shares
smbclient //IP_ADDRESS/SHARE_NAME      # Connect to a share

rpcclient enumeration

# Connect to SMB with rpcclient
rpcclient -U USERNAME IP_ADDRESS    # Known username
rpcclient -U "" -N IP_ADDRESS       # Anonymous login

## Commands
srvinfo                             # Server information
netshareenumall                     # Enumerate shares including paths
enumprivs                           # Get current user privileges

enumdomusers                        # Query domain users
enumdomgroups                       # Query domain groups

[ 161 ] SNMP - Simple Network Management Protocol

snmp-check -c public IP_ADDRESS

snmpwalk -c public -v 1 IP_ADDRESS

[ 1433 ] MSSQL - Microsoft SQL Server

# nmap enumeration
nmap --script='mssql-*' -oA 'nmap-mssql' IP_ADDRESS

# mssql-tools
sqlcmd -S IP_ADDRESS -U USERNAME -P PASSWORD

# Impacket
mssqlclient.py USERNAME:PASSWORD@IP_ADDRESS -db DB_NAME
mssqlclient.py USERNAME:PASSWORD@IP_ADDRESS -db DB_NAME -windows-auth

Cheatsheets

MSSQL - Graceful Security
MSSQL - Pentester Monkey

UDP Services

[ 500 ] ISAKMP - Internet Security Association and Key Management Protocol

ike-scan IP_ADDRESS | tee ike-scan.txt

cisco-torch -A IP_ADDRESS

Some tips on Scanning and Enumeration

  • Sometimes it's worthwhile setting DNS records in /etc/hosts so you can access services using hostnames rather than IPs. Good when there are virtual hosts on web servers or other hostname-based services (MSSQL).