Enumeration
Okay, by now you’ve spent hours, days or weeks stealthily footprinting your scope. Since this is pen testing, you’ve been mighty careful not to exceed your scope, right? So let’s talk tools and techniques.
See https://security.stackexchange.com/questions/168247/reduce-noise-when-penetration-testing for an extensive list of tools.
LinEnum
https://github.com/rebootuser/LinEnum
Local Linux Enumeration & Privilege Escalation Cheatsheet: an item-by-item list of tests performed by LinEnum:
https://www.rebootuser.com/?p=1623
Nmap
Quiet Scanning With Nmap
Generally when dealing with network IPS and client-side active defenses:
nmap -sS -sC -f -T2 (or -T3) --osscan-limit --version-light, and maybe -iR
-sS is a SYN scan. Note that the "stealth" scan (-sS) is NOT a silent scan: the half-open handshakes still land in logs and in any IDS that watches for SYNs that never complete.
-sC runs the default script set (equivalent to --script=default). Bear in mind that NSE scripts talk to the services they find, so this adds application-layer traffic on top of the port scan; drop it when quiet matters more than detail.
-f fragments the probe packets (see Firewall Evasion below)
-T2 (polite) or -T3 (normal) slows the scan down; -T2 serializes probes and waits 0.4 seconds between them, which is what keeps you under rate-based alerting
--osscan-limit limits OS detection to promising targets (hosts with at least one open and one closed port); it only does anything if you also ask for OS detection with -O
--version-light limits version detection (-sV) to the most likely probes (intensity 2)
-iR chooses targets at random from the Internet, which is for research only and never for a scoped engagement
Discovery Options
Perform a ping scan only (host discovery, no port scan)
nmap -sn [target] (older docs and versions write -sP)
Don't ping; treat every host as up
nmap -Pn [target] (older docs and versions write -PN)
TCP SYN Ping
nmap -PS [target]
TCP ACK ping
nmap -PA [target]
UDP ping
nmap -PU [target]
SCTP Init Ping
nmap -PY [target]
ICMP echo ping
nmap -PE [target]
ICMP Timestamp ping
nmap -PP [target]
ICMP address mask ping
nmap -PM [target]
IP protocol ping
nmap -PO [target]
ARP ping
nmap -PR [target]
Traceroute
nmap --traceroute [target]
Force reverse DNS resolution
nmap -R [target]
Disable reverse DNS resolution
nmap -n [target]
Use the system resolver instead of Nmap's own parallel resolver (slower, but goes through whatever DNS setup the host already has)
nmap --system-dns [target]
Manually specify DNS servers
nmap --dns-servers [servers] [target]
List targets only, without scanning them (no probes are sent, but -sL still does reverse DNS unless you add -n)
nmap -sL [targets]
Firewall Evasion in Nmap
Read the lowdown from the creator of Nmap:
https://nmap.org/book/man-bypass-firewalls-ids.html
Also see this excellent cheat sheet: https://cs.lewisu.edu/~klumpra/camssem2015/nmapcheatsheet1.pdf
Fragment packets: break them up so they slip by. Some IDSs reassemble packets and will reject your suspicious traffic anyway. Fragmentation needs raw packets, so it applies to -sS and the other raw scans (run as root), not to -sT connect scans.
nmap -f [target]
Specify a specific MTU (must be a multiple of eight; -f is the same as --mtu 8):
nmap --mtu [MTU] [target]
Specify a specific TTL:
nmap --ttl [TTL] [target]
Use a decoy: think about where responses will go. The target answers every apparent source, so the IDS reports a half-dozen port scans from different IP addresses and can't tell which one was you and which were decoys. Pick decoys that are real, routable hosts that are up (the Nmap manual warns that the target's replies to dead decoys can amount to a SYN flood) and, per the same manual, put ME sixth or later in the list so that simple scan detectors are unlikely to show your address at all.
nmap -D <decoy1>[,<decoy2>][,ME][,...] [target]
Idle (zombie) scan: slow but very quiet, because every probe the target sees comes from the zombie, not from you. It needs a zombie host with a predictable, incremental IP ID counter (the ipidseq NSE script finds candidates), and scanning from the zombie's address shows you what the target lets that host reach, which exposes IP-based trust relationships.
nmap -sI [zombie] [target]
Manually specify a source port: a common misconfiguration is trusting traffic based only on the source port number, typically 53 (DNS) or 20 (FTP data). This only works for raw-packet scans such as -sS, not for -sT.
nmap --source-port [port] [target] # or -g [port]
Append random data: these are not the packets you’re looking for
nmap --data-length [size] [target]
Randomize target host order: port order is already randomized by default (-r turns that off), but hosts are scanned in the order you list them unless you add this flag.
nmap --randomize-hosts [target]
Spoof your MAC address (only matters on the local segment; the argument is a full MAC, 0 for a random one, or a vendor name):
nmap --spoof-mac [MAC|0|vendor] [target]
Send bad checksums: a real host silently drops these, so anything that answers is probably a firewall or IDS that never checked the checksum.
nmap --badsum [target]
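Putting the evasion flags together: the Python below is an added example, not code from this lesson or from the Nmap project. It checks a decoy list (rejecting private, loopback, link-local, multicast and reserved sources, which can never be seen by the target and only give you away), buries ME at the sixth slot as the Nmap manual suggests, and assembles the argv for a quiet scan. It builds the command and sends nothing; the function names, the 203.0.113.0/24 sample decoys and the 198.51.100.20 target are assumptions for the demo (RFC 5737 documentation addresses, not real hosts).

```python
"""Build a quiet Nmap command line with a checked decoy list (added example).
Nothing is sent; the result is an argv list you can hand to subprocess.run().
"""
import ipaddress
import random

# A spoofed source in one of these ranges is loopback, RFC 1918, link-local,
# multicast or reserved: the target never sees it (or never answers it), so it
# is useless as a decoy and a giveaway in the logs.
_NOT_SPOOFABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def build_decoy_list(decoys, me_position=6):
    """Return the -D argument: shuffled decoys with ME at `me_position` (1-based).
    The Nmap manual's advice is that ME in the 6th slot or later keeps some
    scan detectors from reporting your real address at all."""
    clean = []
    for d in decoys:
        addr = ipaddress.ip_address(d)
        if any(addr in net for net in _NOT_SPOOFABLE):
            raise ValueError(f"{d} is not a plausible public source address")
        clean.append(str(addr))
    if len(clean) < me_position - 1:
        raise ValueError(
            f"need at least {me_position - 1} decoys to put ME at position {me_position}")
    random.shuffle(clean)
    clean.insert(me_position - 1, "ME")
    return ",".join(clean)


def quiet_scan_argv(target, decoys, ports="22,80,443", source_port=53):
    """The flags from this lesson in one place: SYN scan, polite timing,
    fragmentation, spoofed source port, decoys, no ping, no DNS, and the
    cheaper OS/version probes. Assumes you run it as root (raw packets)."""
    return ["nmap", "-sS", "-T2", "-f", "-Pn", "-n",
            # -O and -sV are what --osscan-limit / --version-light limit;
            # drop all four for the quietest possible run.
            "-O", "--osscan-limit", "-sV", "--version-light",
            "-g", str(source_port),
            "-D", build_decoy_list(decoys),
            "-p", ports, target]


if __name__ == "__main__":
    # RFC 5737 documentation addresses stand in for real, up, routable decoys.
    sample = ["203.0.113.5", "203.0.113.17", "203.0.113.42",
              "203.0.113.77", "203.0.113.99"]
    print(" ".join(quiet_scan_argv("198.51.100.20", sample)))
```

Run it as is to see the assembled command; in an engagement, replace the sample decoys with hosts you know are up and routable, and keep the target inside scope.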
Find and use Nmap scripts:
https://null-byte.wonderhowto.com/how-to/hack-like-pro-using-nmap-scripting-engine-nse-for-reconnaissance-0158681/
locate *.nse
locate *vuln*.nse
# Usage: nmap --script <scriptname> <host ip>
nmap --script smb-check-vulns 192.168.1.121
Script names are given without the .nse extension. smb-check-vulns has been split into the separate smb-vuln-* scripts in recent Nmap releases, so check what locate actually finds (or run nmap --script-help 'smb-vuln-*').
Nmap Web Dashboard and Reporting:
https://github.com/Rev3rseSecurity/WebMap
Change Your MAC
And when you get shunned, change your MAC address, as I show you here:
https://schoolforhackers.com/penetration-testing-step-by-step-changing-your-mac-address/
Adon90’s Pentest Compilation
Installation (If you followed the Kali Setup lesson you’ve already got this):
git clone https://github.com/adon90/pentest_compilation.git
The outline below is adapted from Adon90’s suggestions on the Github page.
Generic Enumeration
Full Portscanning
In real pen testing, you’ve got to hide like a roach. One little sound and the IDS cat’s going to play you to death. So you have two options: use Nmap as quietly as possible (see above), or use other, quieter tools. Both options may make you bang your head (and change your MAC address a lot).
HTTP Enumeration
Use dirsearch (it’s noisy.)
dirsearch -u http://example.com -w big.txt -e sh,txt,htm,php,cgi,html,pl,bak,old
Perform banner inspection: (Quiet, if you don't overdo it.) Connect to the port and send a single request by hand; the Server and X-Powered-By headers come back:
telnet example.com 80
HEAD / HTTP/1.0
(then press Enter twice)
Review source code of the pages on the site. (Silent.)
Bruteforce logins forms with a CeWL-based dictionary. (Noisy.) Here’s how to generate one:
https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-5-creating-custom-wordlist-with-cewl-0158855/
Use SearchSploit (with accurate application name and version):
https://www.exploit-db.com/searchsploit.
(Silent because it’s local on your machine.)
Test all paths with exploits, and mangle paths to find hidden resources.
(Noisy.)
Always intercept with Burp!
Scan websites with Nikto. (Noisy as hell.)
General info: https://cirt.net/nikto2
Usage: https://cirt.net/nikto2-docs/usage.html#id2780332
Attempt LFI, RFI, SQL, RCE, XXE, SSRF injections. (Go slow and it’s not too noisy.)
Try uploading files with the PUT method on all directories; send an OPTIONS request first to see whether PUT is even advertised in the Allow header. (Ditto.)
Change POST body encoding with Burp.
Bruteforce parameter names. Again, Burp is your friend.
Use dirb, dirbuster, dirsearch or gobuster with your session cookie once authenticated; without it they only enumerate the unauthenticated surface.
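As an added example, not from this lesson, covering the banner check and the PUT probe above in one script: grab_banner() sends the same single HEAD request you would type into telnet and parses the headers; probe_put() asks OPTIONS first and only PUTs where PUT is advertised, with a delay between requests so the probing stays slow. The LeakyHandler server is a constructed, deliberately misconfigured target started in-process so the script runs offline; the names grab_banner, probe_put, start_server, the header values and the /uploads/ path are assumptions for the demo.

```python
# Quiet HTTP enumeration: banner grab and PUT probe (added example). The target
# is a constructed, misconfigured server run in-process so this works offline.
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class LeakyHandler(BaseHTTPRequestHandler):
    """Stand-in target (constructed): leaks versions in headers, advertises
    PUT everywhere except /, and actually accepts uploads only under /uploads/."""
    server_version = "Apache/2.4.41"   # becomes the Server: header
    sys_version = "(Ubuntu)"

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("X-Powered-By", "PHP/7.4.3")
        self.end_headers()

    def do_OPTIONS(self):
        allow = "GET,HEAD,OPTIONS" if self.path == "/" else "GET,HEAD,OPTIONS,PUT"
        self.send_response(200)
        self.send_header("Allow", allow)
        self.end_headers()

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(201 if self.path.startswith("/uploads/") else 403)
        self.end_headers()

    def log_message(self, *args):   # keep the demo server silent
        pass


def start_server():
    """Start the constructed target on a free loopback port; returns (host, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), LeakyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def grab_banner(host, port, timeout=3.0):
    """The telnet trick in code: one HEAD / HTTP/1.0 over a raw socket.
    Returns the response headers (lower-cased keys) plus the status line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {"status-line": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def _request(host, port, method, path, body=None, timeout=3.0):
    """One request on a fresh connection; returns (status, headers)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        resp.read()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def probe_put(host, port, directories, delay=0.5):
    """OPTIONS before PUT: one cheap request tells you whether PUT is advertised,
    so you only upload where it might work. `delay` paces the requests.
    Returns {directory: PUT status code or 'not advertised'}."""
    results = {}
    for d in directories:
        _, hdrs = _request(host, port, "OPTIONS", d)
        if "PUT" not in hdrs.get("allow", "").upper():
            results[d] = "not advertised"
        else:
            time.sleep(delay)
            # Tiny, clearly named marker file; agree the name with the client first.
            status, _ = _request(host, port, "PUT", d.rstrip("/") + "/probe.txt",
                                 body=b"pentest put probe\n")
            results[d] = status
        time.sleep(delay)
    return results


if __name__ == "__main__":
    host, port = start_server()
    print(grab_banner(host, port))
    print(probe_put(host, port, ["/", "/uploads/", "/images/"], delay=0.2))
```

Against the constructed target, the banner comes back as Apache/2.4.41 (Ubuntu) with PHP/7.4.3, / does not advertise PUT, /uploads/ accepts the marker file (201) and /images/ advertises PUT but refuses it (403). Raise the delay for a real target; the OPTIONS step is what keeps the PUT attempts to a minimum.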