PHASE III: Enumeration


Enumeration DNS

nmap -T4 -sS -p 53 $IP/24
nmap -sU -p 53 $IP/24

Enumerate ALL DNS records: a zone usually lists hosts that network recon missed (internal names, test systems, aliases). TCP 53 is often only open on servers that answer zone transfers, so scan UDP 53 too.

dig -t any target1 target2 target3 @$DNSSERVER

Many resolvers now answer ANY with a minimal response (RFC 8482); if so, query A, AAAA, MX, NS, TXT and SRV explicitly.

DNS recon (brute force subdomains):

dnsrecon -d $DOMAIN -t brt -D /usr/share/wordlists/dnsmap.txt
dnsenum $DOMAIN
fierce -dns $DOMAIN -wordlist dictionary.txt    (fierce v0.9 syntax; the Python rewrite uses --domain / --subdomain-file)

Wordlists: https://github.com/rbsec/dnscan

DNS zone transfer

host -la $DOMAIN. $DNSSERVER
perl fierce.pl -dns $DOMAIN. -search $HOST
dig axfr $DOMAIN @$DNSSERVER

Try the transfer against every authoritative server (dig +short NS $DOMAIN), not only the first one returned; misconfigured secondaries are common.
dnsrecon -d $DOMAIN -t axfr
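Post-processing a successful transfer is where the value is: the records become a host inventory. The script below is an added example, not part of the original cheat sheet; it parses `dig axfr` answer lines (NAME TTL CLASS TYPE RDATA, names printed with a trailing dot) into hosts, aliases and the AD SRV records that name domain controllers. The zone data is constructed for the example; `axfr_all_ns` is the only network-dependent function and is not exercised by the sample.

```shell
#!/usr/bin/env bash
# Added example: turn `dig axfr` output into a host inventory.
# Assumes dig's answer-line layout:  NAME  TTL  CLASS  TYPE  RDATA...

# Print "ip name" for every A record, sorted and de-duplicated.
axfr_hosts() {
  awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $5, $1 }' | sort -u
}

# Print "alias -> target" for CNAME records (aliases often hide extra web apps).
axfr_aliases() {
  awk '$3 == "IN" && $4 == "CNAME" { sub(/\.$/, "", $1); sub(/\.$/, "", $5); print $1, "->", $5 }' | sort -u
}

# Print hostnames of AD domain controllers from _ldap._tcp.dc._msdcs SRV records.
# SRV rdata is PRIORITY WEIGHT PORT TARGET, i.e. fields $5 $6 $7 $8.
axfr_dcs() {
  awk '$3 == "IN" && $4 == "SRV" && $1 ~ /^_ldap\._tcp\.dc\._msdcs\./ { sub(/\.$/, "", $8); print $8 }' | sort -u
}

# Live use (network-dependent): attempt AXFR against every authoritative server.
axfr_all_ns() {
  local domain=$1 ns
  for ns in $(dig +short NS "$domain"); do
    dig +nocmd +noall +answer axfr "$domain" "@$ns"
  done
}

# Constructed sample transfer (not real data) so the parsers run offline.
SAMPLE_AXFR='corp.example. 3600 IN SOA ns1.corp.example. hostmaster.corp.example. 2024010101 3600 900 604800 86400
corp.example. 3600 IN NS ns1.corp.example.
ns1.corp.example. 3600 IN A 10.10.0.2
dc01.corp.example. 3600 IN A 10.10.0.5
www.corp.example. 3600 IN A 10.10.0.20
intranet.corp.example. 3600 IN CNAME www.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc01.corp.example.
dev-jenkins.corp.example. 3600 IN A 10.10.0.77
corp.example. 3600 IN SOA ns1.corp.example. hostmaster.corp.example. 2024010101 3600 900 604800 86400'

echo "## hosts";   printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts
echo "## aliases"; printf '%s\n' "$SAMPLE_AXFR" | axfr_aliases
echo "## domain controllers (from SRV)"; printf '%s\n' "$SAMPLE_AXFR" | axfr_dcs
```

Feed a real transfer with `axfr_all_ns corp.example | axfr_hosts`; the output drops straight into the nmap target list for the following phases.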

Enumeration NetBIOS

nbtscan -r $IP/24
enum4linux -a $IP
nmblookup -A $IP

Enumeration SMB / SAMBA

nmap --script smb-os-discovery --open -p 139,445 $IP
nmap --script smb-os-discovery -p 139,445 --open $IP/24 -oX smb.xml
smbmap -H $IP
smbmap -H $IP -u Guest -R
smbmap -H $IP -u $USER -p $PASS --upload $LOCALFILE '$SHARE\$REMOTENAME'

Recursive download:

smbget -a -R smb://$IP/$SHARE/

Enumerate Users:

python /usr/share/doc/python-impacket-doc/examples/samrdump.py $IP
impacket-samrdump $IP    (wrapper name on current Kali)

Enumerate shares:

crackmapexec smb $IP/24 -u '' -p '' --shares

To list shares:

smbclient -N -L //$IP

or,

smbmap -H $IP

To connect to a share (shell style):

smbclient -N //$IP/wwwroot

Enumeration RPC on a DC (null sessions)

rpcclient -U "" -N $IP -c enumdomusers
rpcclient -U "" -N $IP -c lsaquery
rpcclient -U "" -N $IP -c "lookupnames Guest"
rpcclient -U "" -N $IP -c "lookupnames Administrator"

If enumdomusers is refused but lsaquery and lookupnames/lookupsids still answer anonymously, cycle RIDs against the domain SID to recover accounts and groups: https://github.com/trustedsec/ridenum.git
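What ridenum automates is a loop over `lookupsids` with the domain SID from `lsaquery`. The script below is an added example, not code from the cheat sheet or from ridenum; it assumes Samba's rpcclient output format (`S-1-5-21-...-RID DOMAIN\name (type)`, type 8 meaning the RID is unallocated) and an anonymous LSA policy on the target. `domain_sid` and `rid_cycle` need the network; the parser is exercised against constructed output.

```shell
#!/usr/bin/env bash
# Added example: RID cycling over a null session, the technique ridenum automates.
# Assumes rpcclient (Samba 4) and that anonymous lsaquery/lookupsids are permitted.

# Domain SID from an anonymous LSA query. lsaquery prints e.g.
#   Domain Name: CORP
#   Domain Sid: S-1-5-21-1234567890-987654321-1122334455
domain_sid() {
  rpcclient -U "" -N "$1" -c lsaquery | awk '/^Domain Sid:/ { print $3 }'
}

# Parse `lookupsids` lines and print "RID TYPE NAME" for allocated RIDs only.
# SID name types: 1 user, 2 group, 4 domain, 5 well-known group, 8 unknown.
parse_lookupsids() {
  awk '
    /^S-1-5-21-/ {
      type = $NF; gsub(/[()]/, "", type)
      if (type == 8) next                      # SID_NAME_UNKNOWN: RID not allocated
      n = split($1, p, "-"); rid = p[n]
      name = $0
      sub(/^[^ ]+ /, "", name)                 # drop the SID
      sub(/ \([0-9]+\)$/, "", name)            # drop the trailing "(type)"; names may contain spaces
      if (type == 1) label = "user"; else if (type == 2) label = "group"; else label = "type" type
      printf "%s %s %s\n", rid, label, name
    }'
}

# Live use: resolve RIDs first..last, 50 SIDs per rpcclient call to keep it fast.
rid_cycle() {
  local target=$1 first=${2:-500} last=${3:-1100} batch=50 sid start end rid sids
  sid=$(domain_sid "$target") || return 1
  [ -n "$sid" ] || { echo "no domain SID (anonymous LSA query refused?)" >&2; return 1; }
  start=$first
  while [ "$start" -le "$last" ]; do
    end=$((start + batch - 1)); [ "$end" -gt "$last" ] && end=$last
    sids=""; rid=$start
    while [ "$rid" -le "$end" ]; do sids="$sids $sid-$rid"; rid=$((rid + 1)); done
    rpcclient -U "" -N "$target" -c "lookupsids$sids" | parse_lookupsids
    start=$((end + 1))
  done
}

# Constructed rpcclient output (not real data) so the parser runs offline.
SAMPLE_LOOKUPSIDS='S-1-5-21-1234567890-987654321-1122334455-500 CORP\Administrator (1)
S-1-5-21-1234567890-987654321-1122334455-501 CORP\Guest (1)
S-1-5-21-1234567890-987654321-1122334455-502 CORP\krbtgt (1)
S-1-5-21-1234567890-987654321-1122334455-512 CORP\Domain Admins (2)
S-1-5-21-1234567890-987654321-1122334455-513 CORP\Domain Users (2)
S-1-5-21-1234567890-987654321-1122334455-1104 *unknown*\*unknown* (8)
S-1-5-21-1234567890-987654321-1122334455-1105 CORP\svc_backup (1)'

printf '%s\n' "$SAMPLE_LOOKUPSIDS" | parse_lookupsids
```

Run `rid_cycle $IP 500 2000` against a live target; RIDs below 1000 are built-in accounts and groups, everything from 1000 up is created by the admins and is where service accounts like the constructed svc_backup show up.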

Enumeration RPC

Look for port 111 (rpcbind / portmapper); it lists the other RPC services and their ports, NFS included:

rpcinfo $IP
rpcinfo -p $IP

Enumerate Operating System (OS)

xprobe2 $IP
nmap -O $IP

Enumerate Windows Server Domain Controllers (DC)

nmap -sS -T4 -p 3268 --open $IP/24

How to recognize a DC in a Windows environment

DC Method 1: Netbios

If UDP port 137 (NetBIOS name service) is open, a DC registers these NetBIOS suffixes:

  • Unique name: <1B> Domain Master Browser (held by the PDC emulator)
  • Group name: <1C> Domain Controllers for the domain

DC Method 2: Global Catalog Service

  • Use nmap.
  • A domain controller hosting the Global Catalog listens on 3268 (LDAP) and 3269 (LDAP over SSL).
  • Note: plain LDAP uses 389 and 636 (SSL) and is open on every DC; the 3268/3269 pair marks a Global Catalog server.
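Methods 1 and 2 both come down to pattern-matching recon output, which is easy to get wrong by hand across a /24. The script below is an added example, not part of the original cheat sheet; it assumes `nmblookup -A` style lines (`NAME <xx> - [<GROUP>] B <ACTIVE>`, NetBIOS names without spaces) and nmap grepable output (`-oG`). Both inputs are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: classify hosts as domain controllers from NetBIOS suffixes
# (Method 1) and from open Global Catalog ports in nmap -oG output (Method 2).

# Read `nmblookup -A $IP` output on stdin; print the DC roles found.
# Returns 0 when a DC suffix is registered, 1 otherwise.
dc_roles_from_nbt() {
  awk '
    tolower($2) == "<1c>" && $0 ~ /<GROUP>/  { found = 1; print "domain controller for domain " $1 " (<1C> group name)" }
    tolower($2) == "<1b>" && $0 !~ /<GROUP>/ { found = 1; print "domain master browser / PDC emulator for " $1 " (<1B> unique name)" }
    END { exit found ? 0 : 1 }
  '
}

# Read nmap grepable output on stdin; print hosts with 3268/3269 open.
# Every port in a -oG "Ports:" list is preceded by a space, so match " PORT/open/tcp".
gc_hosts_from_gnmap() {
  awk '
    /^Host: / && /Ports: / {
      gc = ""
      if ($0 ~ / 3268\/open\/tcp/) gc = gc " 3268"
      if ($0 ~ / 3269\/open\/tcp/) gc = gc " 3269"
      if (gc != "") print $2 " global catalog on" gc
    }'
}

# Constructed samples (not real hosts).
SAMPLE_NBT_DC='Looking up status of 10.10.0.5
        DC01            <00> -         B <ACTIVE>
        CORP            <00> - <GROUP> B <ACTIVE>
        CORP            <1c> - <GROUP> B <ACTIVE>
        DC01            <20> -         B <ACTIVE>
        CORP            <1b> -         B <ACTIVE>
        CORP            <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-0C-29-AA-BB-CC'

SAMPLE_NBT_WS='Looking up status of 10.10.0.42
        WS042           <00> -         B <ACTIVE>
        CORP            <00> - <GROUP> B <ACTIVE>
        WS042           <20> -         B <ACTIVE>

        MAC Address = 00-0C-29-DD-EE-FF'

SAMPLE_GNMAP='# nmap -sS -p 88,389,636,3268,3269 -oG - 10.10.0.0/24
Host: 10.10.0.5 ()	Status: Up
Host: 10.10.0.5 ()	Ports: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///
Host: 10.10.0.20 ()	Status: Up
Host: 10.10.0.20 ()	Ports: 389/closed/tcp//ldap///, 3268/closed/tcp//globalcatLDAP///'

echo "## 10.10.0.5 (NetBIOS)";  printf '%s\n' "$SAMPLE_NBT_DC" | dc_roles_from_nbt
echo "## 10.10.0.42 (NetBIOS)"; printf '%s\n' "$SAMPLE_NBT_WS" | dc_roles_from_nbt || echo "no DC suffixes registered"
echo "## Global Catalog (nmap -oG)"; printf '%s\n' "$SAMPLE_GNMAP" | gc_hosts_from_gnmap
```

In practice: `nmap -sS -p 389,636,3268,3269 -oG - $IP/24 | gc_hosts_from_gnmap` for the sweep, then `nmblookup -A $IP | dc_roles_from_nbt` on each hit to confirm the role and learn the domain's NetBIOS name.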

DC Method #3

From a domain-joined Windows machine:

echo %logonserver%
nltest /dclist:$DOMAIN

DC Method #4

msf> use post/windows/gather/enum_domain
msf> set SESSION 1
msf> run

HTTP / WebDAV

Enumeration HTTP

The following tools enumerate paths and files on web servers. Unlike a crawler or spider, which only follows links, the scanners below (nikto, dirb, gobuster) guess names from a wordlist, so they also find unlinked content. Start by locating the web servers:

nmap --open -sV -p 80,8080,443,8000 -O $IP/24

Virtual domains

nmap --open --script "hostmap-*" -p 80 $IP

The hostmap scripts query external passive-DNS services for other names pointing at the IP; they need Internet access and leave no trace on the target.

TRACE method:

nmap --open --script=http-trace -p 80 $IP

Enumerate userdir:

nmap --open --script=http-userdir-enum $IP

Nikto scanner:

nikto -host http://$IP

Dirb scanner:

dirb http://$IP

For WordPress (wpscan):

docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --stealthy --url https://$DOMAIN/
docker run -it --rm wpscanteam/wpscan --url https://$DOMAIN/ --enumerate u

For Joomla:

joomscan -u http://$IP

Gobuster (https://github.com/OJ/gobuster):

gobuster dir -u https://$DOMAIN -w /usr/share/dirb/wordlists/common.txt
gobuster dir -u https://$DOMAIN -c 'session=123456' -t 50 -w /usr/share/dirb/wordlists/common.txt -x php,html

Use -k to skip TLS certificate verification on https targets (self-signed or mismatched certs are the norm in labs).

Enumeration WebDAV

davtest -cleanup -url http://$IP
cadaver http://$IP
    dav:/> put webshell.txt
    dav:/> copy webshell.txt ws.asp

davtest reports which file extensions the server lets you PUT and execute. Where .asp/.aspx uploads are blocked but .txt is not, upload as .txt and rename with COPY or MOVE, as above; the rename path is often not filtered.

SNMP

nmap -sU -p 161 --script "snmp-*" $IP
snmp-check $IP

SNMP is UDP; without -sU nmap probes TCP 161 and finds nothing. Note that "snmp-*" includes snmp-brute, which guesses community strings.

Very useful:

snmp-check -v 2c -c public $IP
onesixtyone -w 0 $IP

To sweep a host list with a community-string wordlist:

onesixtyone -c $COMMUNITY_LIST -i $HOSTS_FILE

For low-level enumeration (walk the MIB):

snmpwalk -c public -v1 $IP

Walks of a Windows host are long; the OIDs worth checking first are 1.3.6.1.4.1.77.1.2.25 (user accounts), 1.3.6.1.2.1.25.4.2.1.2 (running processes), 1.3.6.1.2.1.25.6.3.1.2 (installed software) and 1.3.6.1.2.1.6.13.1.3 (TCP listening ports).

SNMP on different port:

snmpwalk -v 2c -c public $IP:666
snmp-check -p 6492 $IP

LDAP

ldapwhoami -x -H ldap://$IP
ldapsearch -x -H ldap://$IP -s base -b '' '(objectClass=*)' namingContexts
ldapsearch -x -H ldap://$IP -b "$BASEDN"

The rootDSE query (-s base with an empty base DN) is answered anonymously by almost every directory server and returns the naming contexts to use as -b; -x is a simple (anonymous) bind, and -h is deprecated in favour of -H.

SSH

TOOLS/enumSSH
nmap --script ssh-hostkey -p 22 --open -sS $IP/24
ssh-keyscan $IP
./TOOLS/ssh-vulnkey $IP TOOLS/ssh-blacklist/blacklist.all

FTP

nmap -p 21 --script "ftp-*" $IP

ftp-anon reports whether anonymous login is allowed and lists the root directory; "ftp-*" also includes ftp-brute.

SMTP

nmap --open --script smtp-enum-users -sS -p 25 -sV $IP/24

TFTP

nmap --open -sU -p 69 $IP/24

NFS

showmount -e $IP
showmount -a $IP
mount.nfs $IP:$DIR $LOCALDIR

NTP

Show clients that have queried this server (monlist; disabled on patched ntpd, but still common on appliances):

ntpdc -n -c monlist $IP
nmap -sU -p 123 --script=ntp-info,ntp-monlist $IP

TLS / SSL

sslscan $IP
nmap -sV --script ssl-enum-ciphers -p 443 $IP

Redis-server

(printf "info\r\n"; sleep 1) | netcat $IP 6379

SSDP server

tcpdump -n -A host $IP & perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/$IP/1900

memcached

echo "stats" | netcat $IP 11211
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u $IP 11211

elasticsearch

echo -ne "GET / HTTP/1.0\r\n\r\n" | netcat $IP 9200

avahi-daemon / mDNS

dig +short -p 5353 -t ptr _services._dns-sd._udp.local @$IP

Mongo

mongo --host $IP

RDP