Enumeration

From wiki.exploitpedia.org

Enumeration DNS

$nmap -T4 -sS -p 53 $IP/24


Enumerate all DNS records: they may reveal hosts that network recon missed.

$dig -t any target1 target2 target3 @$DNSSERVER


DNS recon (brute force subdomains):

$dnsrecon -d $DOMAIN -t brt -D /usr/share/wordlists/dnsmap.txt
$dnsenum $DOMAIN
$fierce -dns $DOMAIN -wordlist dictionary.txt


DNS zone transfer

$host -la $DOMAIN. $DNSSERVER
$perl fierce.pl -dns $DOMAIN. -search $HOST
$dig axfr $TARGET @$DNSSERVER
$dnsrecon -d $DOMAIN -t axfr


Enumeration NetBIOS

$nbtscan -r $IP/24


$enum4linux -a $IP


$nmblookup -A $IP


Enumeration SMB / SAMBA

$nmap --script smb-os-discovery --open -p 139 $IP
$nmap --script smb-os-discovery -p 139 --open $IP/24 -oX smb.xml
$smbmap -H $IP
$smbmap -H $IP -u Guest -R
$smbmap -H $IP --upload $FILE "$SHARE\\$FILE"


Recursive download:

$smbget -a -R smb://$IP/$SHARE/


Enumerate Users

$python /usr/share/doc/python-impacket-doc/examples/samrdump.py $IP


Enumerate shares

$crackmapexec smb $IP/24 --shares


To list shares

$smbclient -L $IP


or,

$smbmap -H $IP


To connect to a share, shell style

$smbclient //$IP/wwwroot


Enumeration RPC over DC (NULL SESSIONS)

$rpcclient -U "" $IP -N -c "enumdomusers"
$rpcclient -U "" $IP -N -c "lsaquery"
$rpcclient -U "" $IP -N -c "lookupnames Guest"
$rpcclient -U "" $IP -N -c "lookupnames Administrator"


Afterwards, for RID cycling, check https://github.com/trustedsec/ridenum.git


Enumeration RPC

Port 111 (rpcbind):

$rpcinfo $IP


$rpcinfo -p $IP


OS

$xprobe2 $IP


$nmap -O $IP


Domain Controller

$nmap -sS -T4 -p 3268 --open $IP/24


How to recognize a DC in a Windows environment

DC Method 1: Netbios

If port 137 (TCP/UDP, NetBIOS name service) is open, a DC registers the following NetBIOS name suffixes:

  • For unique names: <1B> Domain Master Browser (PDC)
  • For group names: <1C> Domain Controllers for a domain

DC Method 2: Global Catalog Service

  • Use nmap.
  • An Active Directory domain controller exposes ports 3268 and 3269 (SSL) for the Global Catalog service (LDAP protocol).
  • Attention: do not confuse these with plain LDAP, which uses 389 and 636 (SSL).
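
As an added example (not from this wiki), the following Python script ties the Global Catalog check above to the smb.xml file written by the nmap smb-os-discovery command in the SMB section: it parses nmap's XML output, lists OS, computer name and domain per host, and flags hosts with 3268/3269 open as likely domain controllers, assuming those ports were included in the scan. The embedded XML is a constructed sample, not real scan data.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (not real scan output): one host with
# smb-os-discovery results and port 3268 open, one host with 139 closed.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/></port>
      <port protocol="tcp" portid="3268"><state state="open"/></port>
    </ports>
    <hostscript><script id="smb-os-discovery" output="">
      <elem key="os">Windows Server 2012 R2 Standard 9600</elem>
      <elem key="computer_name">DC01</elem>
      <elem key="domain">CORP</elem>
    </script></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="139"><state state="closed"/></port></ports>
  </host>
</nmaprun>"""

GC_PORTS = {"3268", "3269"}  # Global Catalog (LDAP / LDAPS), see DC Method 2


def smb_hosts(xml_text):
    """Return one dict per host for which smb-os-discovery produced output:
    ip, os, computer_name, domain, and whether a Global Catalog port is open."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        script = host.find("hostscript/script[@id='smb-os-discovery']")
        if addr is None or script is None:
            continue  # no SMB OS information for this host
        fields = {e.get("key"): (e.text or "").strip() for e in script.findall("elem")}
        open_ports = {p.get("portid") for p in host.findall("ports/port")
                      if p.find("state") is not None and p.find("state").get("state") == "open"}
        rows.append({"ip": addr.get("addr"),
                     "os": fields.get("os", "?"),
                     "computer_name": fields.get("computer_name", "?"),
                     "domain": fields.get("domain", "?"),
                     "likely_dc": bool(open_ports & GC_PORTS)})
    return rows


if __name__ == "__main__":
    # Replace SAMPLE_XML with open("smb.xml").read() to triage a real scan.
    for r in smb_hosts(SAMPLE_XML):
        print("%(ip)-15s %(os)-36s %(computer_name)-10s %(domain)-8s DC=%(likely_dc)s" % r)
```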

DC Method #3

From the Windows machine:

C:\>echo %logonserver%


C:\>nltest /dclist:$DOMAIN


DC Method #4

msf>use post/windows/gather/enum_domain
msf>set SESSION 1
msf>run


HTTP / WebDAV

Enumeration HTTP

The following tools are useful for enumerating paths and files on web servers; they work much like a web crawler or spider.


$nmap --open -sV -p 80,8080,443,8000 -O $IP/24


Virtual domains

$nmap --open --script="hostmap-*" -p 80 $IP


TRACE method

$nmap --open --script=http-trace -p 80 $IP


Enumerate userdir:

$nmap --open --script=http-userdir-enum $IP


Nikto scanner:

$nikto -host http://$IP


Dirb scanner:

$dirb http://$IP

For Wordpress:

$wpscan http://$IP


For Joomla:

$joomscan http://$IP


Gobuster (https://github.com/OJ/gobuster):

$gobuster dir -u https://$DOMAIN -w /usr/share/dirb/wordlists/common.txt


$gobuster dir -u https://$DOMAIN -c 'session=123456' -t 50 -w /usr/share/dirb/wordlists/common.txt -x php,html


Add the -k flag to skip TLS certificate verification on HTTPS targets.

Enumeration WebDAV

$davtest -cleanup -url http://$IP


$cadaver http://$IP
    dav:/> put webshell.txt
    dav:/> copy webshell.txt ws.asp


SNMP

$nmap -sU -p 161 --script="snmp-*" $IP


$snmp-check $IP


Very useful:

$snmp-check -v2c -c public $IP


$python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP $IP


$onesixtyone -w 0 $IP


For scanning a list of hosts with a list of community strings:

$onesixtyone -c <community_file> -i <ip_list_file>


For low-level enumeration (walking the MIB):

$snmpwalk -c public -v1 $IP


SNMP on different port:

$snmpwalk -v 2c -c public $IP:666


$snmp-check -p 6492 $IP


LDAP

$ldapwhoami -x -H ldap://$IP/


$ldapsearch -x -H ldap://$IP/ -s base namingcontexts


$ldapsearch -x -h $IP -s base


SSH

$TOOLS/enumSSH


$nmap --script ssh-hostkey -p 22 $IP/24 --open -sS


$ssh-keyscan $IP


$./TOOLS/ssh-vulnkey $IP TOOLS/ssh-blacklist/blacklist.all


FTP

$nmap -p 21 --script="ftp-*" $IP


SMTP

$nmap --open --script smtp-enum-users -sS -p 25 -sV $IP/24


TFTP

$nmap --open -sU -p 69 $IP/24


NFS

$showmount -e $IP


$showmount -a $IP


$mount.nfs $IP:$DIR $LOCALDIR


NTP

Show clients that have queried this server:

$ntpdc -n -c monlist $IP
$nmap -sU -p 123 --script=ntp-info $IP


TLS / SSL

$sslscan $IP


$nmap -sV --script ssl-enum-ciphers -p 443 $IP



Redis-server

$(printf "info\r\n"; sleep 1) | netcat $IP 6379


SSDP server

$tcpdump -n -A host $IP & perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/$IP/1900


memcached

$echo "stats" | netcat $IP 11211
$echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u $IP 11211



elasticsearch

$echo -ne "GET / HTTP/1.0\r\n\r\n" | netcat $IP 9200



avahi-daemon / mDNS

$dig +short -p 5353 -t ptr _services._dns-sd._udp.local @$IP


Mongo

$mongo --host $IP


RDP

$rdp-sec-check $IP