Scanning & Enumeration

💡 The most important rule here is to research every finding: look up the exact versions of the services you discovered for known vulnerabilities and exploits, and take note of everything you see.

Web App(HTTP/s) Enum

Take a look at Web_Recon

  • scan the website with nmap and identify the ports and services

nmap -A  -p- -T4 <ip> 
  • Run nikto to automate vuln scanning

nikto --host=http://example.com
  • try to fuzz the web app's directories and files using dirbuster or any other tool

  • spider the web app and review the page source

SMB & NetBios Enum

SMB & NetBIOS enumeration refers to the technique of gathering information about the network shares, users and groups of a target system that uses the SMB protocol.

SMB works on TCP port 445; NetBIOS uses UDP 137 (name service), UDP 138 (datagram service) and TCP 139 (session service).

EternalBlue is an exploit that targets SMBv1 and allows for remote code execution on a victim machine. It was famously used in the WannaCry ransomware attack in 2017, and is a powerful tool for attackers looking to gain access to a network. It is important to ensure that SMBv1 is disabled on all machines to prevent this vulnerability from being exploited.

To make a proper scan, first we need to know which hosts run the NetBIOS service.

We can find the machines that use NetBIOS on a network with the nbtscan tool using this command:

nbtscan -r -v  192.168.1.0/24

Second, we can see what is accessible through this service on each host. We can use smbclient to list the shares with this command:

smbclient -L 192.168.1.4

We can add credentials (the user and password we want to log in with) via -U, but they have to be in clear-text form.

There is another tool that does the same job but also lets you pass the credentials as a hash; it is called smbmap and we can use it like this:

smbmap -H 192.168.1.4 -u hunter -p password

There is another powerful tool for the enumeration part, called enum4linux:

sudo enum4linux 192.168.1.4 

Last but not least we can use the most popular tool, nmap, with its script (NSE) feature to enumerate the SMB service:

sudo nmap 192.168.1.4 -sV -p 139,445 --script="smb-enum-*"

Using the vulnerability-check scripts:

sudo nmap 192.168.1.4 -sV -p 139,445 --script="smb-vuln-*"

Network file system(NFS) Enum

NFS enumeration is the process of listing the NFS shares exported by a remote server. It is used in penetration testing to gather information and potentially gain unauthorized access to files; the RPC portmapper that NFS relies on works on port number 111.

In the previous topic (SMB/NetBIOS enumeration) we were able to view or access files on other hosts; here it is the same idea, but we can also mount the exported directories on our own machine.

To enumerate the NFS service we first look for port 111 being open.

There are a lot of options, such as using nmap:

sudo nmap 192.168.1.4 -sV -p 111

We can use NSE scripts with it to get extra information:

sudo nmap 192.168.1.4 -sV -p 111 --script rpcinfo

Another option is rpcinfo:

rpcinfo -p 192.168.1.4

Now we are sure that RPC and NFS are running; the next step is to find any exports we can access

using showmount:

sudo showmount -e 192.168.1.4

The output lists the exports you can access. In our case the exported path is the root directory / and the client list is *, meaning anyone can mount the whole filesystem.

To mount the export on our machine we first start the RPC service:

sudo service rpcbind start

Then perform the mount (the mount point /tmp/meta must already exist):

sudo mount -t nfs 192.168.1.4:/ /tmp/meta
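From the defender's side, the same showmount output is what you audit to catch exports like the one above. The following is an added example, not part of the original notes: it parses a constructed showmount -e listing and flags exports of / or exports open to every client.

```python
"""Audit the export list printed by `showmount -e` (added example, not part of
the original notes). SAMPLE_SHOWMOUNT is constructed, not captured from a host."""

# Constructed sample of `showmount -e 192.168.1.4` output
SAMPLE_SHOWMOUNT = """Export list for 192.168.1.4:
/              *
/home/backups  192.168.1.0/24
/srv/www       (everyone)
/opt/data      10.0.0.7,10.0.0.8
"""


def parse_showmount(text):
    """Return a list of (export_path, [clients]) from showmount -e output."""
    exports = []
    for line in text.splitlines()[1:]:          # skip the "Export list for ..." header
        line = line.strip()
        if not line:
            continue
        path, _, clients = line.partition(" ")   # path, then the client list
        clients = [c.strip() for c in clients.strip().split(",") if c.strip()]
        exports.append((path, clients))
    return exports


def is_world_readable(clients):
    """showmount prints '*' or '(everyone)' when the export has no client restriction."""
    return any(c in ("*", "(everyone)") for c in clients)


def audit_exports(text):
    """Return (path, reason) findings; an empty list means nothing risky is exported."""
    findings = []
    for path, clients in parse_showmount(text):
        if path == "/" and is_world_readable(clients):
            findings.append((path, "whole filesystem exported to everyone"))
        elif path == "/":
            findings.append((path, "whole filesystem exported"))
        elif is_world_readable(clients):
            findings.append((path, "export open to any client"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_exports(SAMPLE_SHOWMOUNT):
        print(f"[!] {path}: {reason}")
```

On a real host, pipe `showmount -e <ip>` into audit_exports; the fix for a flagged export is to restrict the client list (and avoid exporting /) in /etc/exports.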

SMTP Enum

SMTP enumeration is a technique for discovering valid email addresses on a mail server. It involves sending specific commands to the Simple Mail Transfer Protocol (SMTP) server to learn which addresses exist on the domain. SMTP works on port number 25.

We can use the VRFY command to check whether a user exists on the mail server, but doing this by hand is slow and unrealistic, so the best way is to write a script for it in Python 3:

#!/usr/bin/python3
import sys
import socket

if len(sys.argv) != 3:
    print("[+] usage : ./smtp.py <ip> <user>")
    sys.exit(0)

ip = sys.argv[1]
user = sys.argv[2]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((ip, 25))
banner = s.recv(1024)  # the server speaks first with its 220 greeting
print(banner)

# SMTP commands must end with CRLF or the server never processes them
command = ("VRFY " + user + "\r\n").encode()
s.send(command)
result = s.recv(1024)
print(result)
s.close()

We can modify it to check a list of users from a text file:

#!/usr/bin/python3
import sys
import socket

if len(sys.argv) != 3:
    print("[+] usage : ./smtp.py <ip> <users>")
    sys.exit(0)

ip = sys.argv[1]
user_file = sys.argv[2]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((ip, 25))
banner = s.recv(1024)  # read the 220 greeting before sending anything
print(banner)

# one VRFY per line of the wordlist, over the same connection
with open(user_file, "r") as f:
    for line in f:
        user = line.strip()
        if not user:
            continue
        command = ("VRFY " + user + "\r\n").encode()
        s.send(command)
        result = s.recv(1024)
        print(result)

s.close()

or by using smtp-user-enum:

smtp-user-enum -M VRFY -u usr.txt -t 192.168.1.4 -w 20

The output says 0 results because I have a problem with my Metasploitable machine: the response takes too long until it gets a timeout message, and the tool considers a non-response as meaning the user does not exist.
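The timeout problem above is really an interpretation problem: a missing reply is not the same as a 550. As an added example (not the author's script), here is how to map VRFY replies to verdicts so that a slow server is reported as "unknown" rather than "absent" and a hardened server (252 or 502) is reported as unverifiable; the sample replies are constructed.

```python
"""Interpret SMTP VRFY replies (added example, not part of the original notes).
The reply byte strings in SAMPLES are constructed, not captured from a server."""

# RFC 5321 reply codes that matter for VRFY
EXISTS = {250, 251}          # user known (251 = user not local, will forward)
AMBIGUOUS = {252}            # server will not verify but would accept mail
UNKNOWN_USER = {550, 551, 553}
DISABLED = {500, 502}        # command not implemented / rejected (e.g. Postfix
                             # with disable_vrfy_command = yes answers 502)


def parse_reply_code(reply):
    """Return the 3-digit code of an SMTP reply, or None if it is malformed.
    Multi-line replies ('250-...') carry the code on every line, so the
    first line is enough."""
    if not reply:
        return None
    first = reply.split(b"\r\n", 1)[0]
    if len(first) < 3 or not first[:3].isdigit():
        return None
    return int(first[:3])


def classify_vrfy(reply):
    """Map a VRFY reply (bytes, or None when recv() timed out) to a verdict.

    No reply means 'unknown', not 'absent': treating a timeout as a missing
    user is exactly what produced the empty smtp-user-enum result above."""
    if reply is None:
        return "unknown (no reply / timeout)"
    code = parse_reply_code(reply)
    if code is None:
        return "unknown (malformed reply)"
    if code in EXISTS:
        return "exists"
    if code in AMBIGUOUS:
        return "unverifiable (VRFY disabled, 252)"
    if code in DISABLED:
        return "unverifiable (VRFY not implemented)"
    if code in UNKNOWN_USER:
        return "absent"
    return f"unknown (code {code})"


# Constructed sample replies and the verdict each should produce
SAMPLES = {
    b"250 2.1.5 root <root@example.com>\r\n": "exists",
    b"550 5.1.1 <nobody>: Recipient address rejected\r\n": "absent",
    b"252 2.5.2 Cannot VRFY user; try RCPT\r\n": "unverifiable (VRFY disabled, 252)",
    b"502 5.5.1 VRFY command is disabled\r\n": "unverifiable (VRFY not implemented)",
}

if __name__ == "__main__":
    for reply, expected in SAMPLES.items():
        print(reply[:20], "->", classify_vrfy(reply), "(expected:", expected + ")")
```

The same classifier doubles as a post-hardening check: after disabling VRFY on the mail server, every probe should come back as "unverifiable", never "exists" or "absent".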


SNMP Enum

SNMP (Simple Network Management Protocol) is a protocol used for network management and monitoring. It allows network devices to be managed and monitored from a central location using standardized messages and commands.

SNMP enumeration is a network reconnaissance technique used to pull device and system information from targets over SNMP; it works on UDP port 161.

We can use snmpwalk:

snmpwalk -v1 -c public 192.168.1.4

We can also use Metasploit.
