Chapter 3 Continued: Enumeration
Stage 2 of a Hack: Scanning, Enumeration and Vulnerability Analysis
Windows Enumeration
NetBIOS: services, names and details
nbtstat
```
# nbtstat enumerates NetBIOS names and sessions.
# It requires at least one switch. -s shows the session table by name, -S by IP address.
nbtstat -s
# List the NetBIOS name table of a remote system:
# lower-case -a takes a NetBIOS name, upper-case -A takes an IP address
nbtstat -a <NetBIOS name>
nbtstat -A <IP address>
# Look into your own NetBIOS name cache
nbtstat -c
```
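Added example (not from the course material or any of the tools above): what nbtstat -A does on the wire. It hand-builds the NetBIOS node status request, sends it to UDP/137 and parses the name table and MAC address out of the reply. The reply at the bottom is constructed so the parser can be run with no target; the host name WIN-TARGET, the workgroup and the MAC in it are made up.

```python
"""NetBIOS Name Service node-status query (what `nbtstat -A <ip>` sends).

Added example for these notes, not code from the course. It builds the
UDP/137 NBSTAT request by hand and parses the name table out of the reply.
The sample reply at the bottom is constructed for offline testing.
"""
import socket
import struct

NBSTAT = 0x0021          # RR type for a node status query/answer
NB_PORT = 137

# Well-known NetBIOS name suffixes (the 16th byte of the padded name)
SUFFIXES = {
    0x00: "Workstation / domain name",
    0x03: "Messenger",
    0x1B: "Domain master browser",
    0x1C: "Domain controllers",
    0x1D: "Master browser",
    0x1E: "Browser service elections",
    0x20: "File server",
}


def encode_nb_name(raw16: bytes) -> bytes:
    """First-level encode a 16-byte NetBIOS name: every byte becomes two
    nibbles with 'A' (0x41) added, giving 32 chars, wrapped as one DNS label."""
    enc = bytearray()
    for b in raw16:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"


def build_node_status_request(txid: int = 0x1234) -> bytes:
    # Header: ID, flags 0 (plain query), QDCOUNT=1, everything else 0
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    wildcard = b"*" + b"\x00" * 15            # "*" asks for the whole name table
    return header + encode_nb_name(wildcard) + struct.pack(">HH", NBSTAT, 0x0001)


def parse_node_status_response(data: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if not (flags & 0x8000) or an < 1:
        raise ValueError("not a node status response")
    pos = 12
    # Answer RR repeats the full encoded name: length byte + 32 chars + terminator
    name_len = data[pos]
    pos += 1 + name_len + 1
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type %#x" % rtype)
    num_names = data[pos]
    pos += 1
    names = []
    for _ in range(num_names):
        raw = data[pos:pos + 15]
        suffix = data[pos + 15]
        nflags = struct.unpack(">H", data[pos + 16:pos + 18])[0]
        pos += 18
        names.append({
            "name": raw.decode("ascii", "replace").rstrip(),
            "suffix": suffix,
            "group": bool(nflags & 0x8000),    # G bit: group name vs unique name
            "active": bool(nflags & 0x0400),   # ACT bit
            "meaning": SUFFIXES.get(suffix, "unknown"),
        })
    mac = ":".join("%02X" % b for b in data[pos:pos + 6])   # UNIT_ID field
    return {"txid": txid, "names": names, "mac": mac}


def node_status(ip: str, timeout: float = 2.0) -> dict:
    """Send the query to <ip>:137 and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, NB_PORT))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)


def constructed_sample_response(txid: int = 0x1234) -> bytes:
    """A reply shaped like a Windows host's (constructed, not captured)."""
    table = [(b"WIN-TARGET", 0x00, 0x0400),   # unique workstation name, active
             (b"WORKGROUP", 0x00, 0x8400),    # group name (G bit set)
             (b"WIN-TARGET", 0x20, 0x0400),   # file server service
             (b"WORKGROUP", 0x1E, 0x8400)]
    rdata = bytes([len(table)])
    for name, suffix, nflags in table:
        rdata += name.ljust(15) + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("00155D01AB03") + b"\x00" * 46   # UNIT_ID (MAC) + statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_nb_name(b"*" + b"\x00" * 15) + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = node_status(target) if target else parse_node_status_response(constructed_sample_response())
    print("MAC", result["mac"])
    for n in result["names"]:
        print("%-15s <%02X> %-6s %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE", n["meaning"]))
```

Run it with an IP to query a live host, or with no argument to parse the constructed reply. The <20> suffix is the one to look for: it means the host is offering file sharing, which is where the SMB scripts and null session attempts below go next.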
nmap with SMB
```
# -sS is the (SYN) scan type, which needs root; --script names the NSE script(s) to run against the SMB ports
nmap -sS -p 139,445 --script smb-os-discovery <target IP>
nmap -sS -p 139,445 --script smb-enum-users <target IP>
nmap -sS -p 139,445 --script smb-enum-shares <target IP>
# smb-check-vulns only exists in nmap releases before 7.0; it was split into the smb-vuln-* scripts.
# Quote the glob so the shell does not expand it:
nmap -sS -p 139,445 --script "smb-vuln*" <target IP>
# smb-enum-users and smb-enum-shares usually need a null session or credentials:
#   --script-args smbusername=<user>,smbpassword=<password>
```
NULL Sessions
Null sessions are a weakness in SMB's IPC$ share on older Windows (NT 4 and 2000 by default, XP/2003 when RestrictAnonymous is set to 0): a remote user connects as no user with no password and can still list users, groups and shares. Current Windows versions refuse anonymous enumeration by default (the RestrictAnonymous and RestrictNullSessAccess settings), so expect this mainly on legacy hosts and on Samba servers that allow guest access. Nice, huh?
```
# Connect to the IPC$ share as nobody, with an empty password
net use \\<target>\IPC$ "" /user:""
# List the shares the target exposes
net view \\<target>
# Map one of them
net use g: \\<target>\<shared folder>
```
- Users and Groups
- Shares and other network services
- Routing tables
- DNS and machine names
- Applications and banners
- Determining what auditing is in place
Tools
Command line in Windows and Linux
PsTools
https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
https://www.youtube.com/watch?v=hOuS3_A6vQs (terrible sound, good examples)
enum4linux
https://tools.kali.org/information-gathering/enum4linux
https://github.com/portcullislabs/enum4linux
https://www.youtube.com/watch?v=EqSJBr1bIh0
SMBmap
https://tools.kali.org/information-gathering/smbmap
https://github.com/ShawnDEvans/smbmap
https://www.youtube.com/watch?v=Nt0CE3Km8Nw
CrackMapExec
https://github.com/byt3bl33d3r/CrackMapExec
https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec-cheatsheet/
https://www.youtube.com/watch?v=pS_6Ouvgkcc (basic usage)
https://www.youtube.com/watch?v=I2ctzF1tZX8 (better demos if you can stand Hillbilly Storytime’s accent)
Powershell Empire
https://www.powershellempire.com/ (The current project)
https://github.com/EmpireProject/Empire (The old project, no longer supported)
https://null-byte.wonderhowto.com/how-to/use-powershell-empire-getting-started-with-post-exploitation-windows-hosts-0178664/ (A very nice text demo)
https://www.youtube.com/watch?v=lI_G5xhF7zY (A quick-start video)
https://www.youtube.com/watch?v=52xkWbDMUUM (A tutorial in depth)
Other Tools
SuperScan
acccheck
Other Issues
SAM files
SIDs
Linux Enumeration
finger
rpcinfo
showmount
SNMP Scanning
The MIB
snscan
https://en.kali.tools/all/?tool=1303
snmp-check
https://tools.kali.org/information-gathering/snmp-check
SNMP scanning with nmap, onesixtyone and snmpwalk
https://resources.infosecinstitute.com/snmp-pentesting/
LDAP Scanning
JXplorer
http://www.jxplorer.org/
https://sourceforge.net/projects/jxplorer/
https://www.youtube.com/watch?v=4zq8U3Fsr3M
ldap-search script in nmap
https://nmap.org/nsedoc/scripts/ldap-search.html
ldapdomaindump
https://kalilinuxtutorials.com/ldapdomaindump-active-directory-ldap/
LEX (LDAP Explorer)
http://ldapexplorer.com/
SMTP Enumeration
Using VRFY, EXPN, RCPT in telnet, Metasploit and iSMTP
https://www.hackingarticles.in/4-ways-smtp-enumeration/
smtp-user-enum
https://tools.kali.org/information-gathering/smtp-user-enum
```
# First, telnet into the target's SMTP port and introduce yourself
# (most servers answer 503 to anything sent before HELO/EHLO)
telnet <target> 25
HELO attacker.test
# verify a single user: 250 means it exists, 550 means it does not, 252 means the server will not say
VRFY fred
# expand a mailing list into its members:
EXPN <mailing list name>
# RCPT TO: start a message (MAIL FROM has to come first) and name recipients one at a time.
# Each RCPT TO is answered 250 or 550 on its own, so one session tests many users.
# No message is ever sent because you never issue DATA.
MAIL FROM:<fred@<target>>
RCPT TO:<george>
RCPT TO:<mary>
```
Using nmap with an NSE script: smtp-enum-users.methods={EXPN,RCPT,VRFY}
nmap --script smtp-enum-users.nse [--script-args smtp-enum-users.methods={EXPN,...},...] -p 25,465,587 <host>
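Added example (not the course's code and not smtp-user-enum): the VRFY/EXPN/RCPT logic above as a small Python client. SocketTransport speaks real SMTP to a target on port 25; FakeSmtpServer is a constructed stand-in (the users fred and mary, the list staff and the domain example.test are made up) so the enumeration can be exercised with no mail server. The case worth seeing is a server that answers 252 to every VRFY, which is the usual hardening: the enumerator notices that nothing was confirmed and falls back to RCPT TO, which still leaks the answer.

```python
"""SMTP user enumeration over VRFY, EXPN and RCPT TO.

Added example for these notes (not the course's code, not smtp-user-enum).
It speaks real SMTP over a socket; the fake server at the bottom is a
constructed stand-in so the logic can be exercised offline.
"""
import socket


class SocketTransport:
    """Line-oriented SMTP client over a real TCP connection (needs network)."""

    def __init__(self, host: str, port: int = 25, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.f = self.sock.makefile("rb")
        self.banner = self._read_reply()

    def _read_reply(self) -> str:
        # Multi-line replies look like "250-..." and end with "250 ..."
        lines = []
        while True:
            line = self.f.readline().decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return "\n".join(lines)

    def cmd(self, line: str) -> str:
        self.sock.sendall((line + "\r\n").encode("ascii"))
        return self._read_reply()

    def close(self):
        self.cmd("QUIT")
        self.sock.close()


class FakeSmtpServer:
    """Constructed stand-in for a mail server that knows a few users and lists.
    vrfy_hidden=True models servers that answer 252 to every VRFY."""

    def __init__(self, users, lists, vrfy_hidden=False):
        self.users, self.lists, self.vrfy_hidden = set(users), dict(lists), vrfy_hidden
        self.helo_done = self.mail_from = False
        self.banner = "220 mail.example.test ESMTP (constructed)"

    def cmd(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            self.helo_done = True
            return "250 mail.example.test"
        if not self.helo_done:
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "VRFY":
            if self.vrfy_hidden:
                return "252 2.0.0 Cannot VRFY user, but will accept message"
            return "250 2.1.5 %s" % arg if arg in self.users else "550 5.1.1 User unknown"
        if verb == "EXPN":
            members = self.lists.get(arg)
            if not members:
                return "550 5.1.1 No such list"
            return "\n".join(["250-" + m for m in members[:-1]] + ["250 " + members[-1]])
        if verb == "MAIL":
            self.mail_from = True
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if not self.mail_from:
                return "503 5.5.1 Error: need MAIL command"
            addr = arg[3:] if arg.upper().startswith("TO:") else arg
            user = addr.strip("<> ").split("@")[0]
            return "250 2.1.5 Ok" if user in self.users else "550 5.1.1 User unknown"
        if verb == "RSET":
            self.mail_from = False
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"


def classify(reply: str) -> str:
    code = reply[:3]
    if code in ("250", "251"):
        return "valid"
    if code == "252":
        return "unknown"      # server will accept the mail but will not confirm the user
    if code.startswith("5"):
        return "invalid"
    return "unknown"          # 4xx temporary failures, greylisting, rate limiting


def enumerate_users(conn, candidates, method="VRFY", sender="probe@example.test"):
    """Return {candidate: 'valid'|'invalid'|'unknown'} using one method.
    Falls back to RCPT TO automatically when VRFY confirms nothing (all 252s)."""
    conn.cmd("EHLO enum.example.test")
    results = {}
    if method == "VRFY":
        for u in candidates:
            results[u] = classify(conn.cmd("VRFY %s" % u))
        if results and all(v == "unknown" for v in results.values()):
            return enumerate_users(conn, candidates, "RCPT", sender)
        return results
    if method == "RCPT":
        conn.cmd("MAIL FROM:<%s>" % sender)   # RCPT is only accepted inside a transaction
        for u in candidates:
            results[u] = classify(conn.cmd("RCPT TO:<%s>" % u))
        conn.cmd("RSET")                      # abort the transaction: nothing is ever sent
        return results
    raise ValueError("method must be VRFY or RCPT")


def expand_list(conn, name: str):
    """EXPN a mailing list and return its members (empty if refused or unknown)."""
    conn.cmd("EHLO enum.example.test")
    reply = conn.cmd("EXPN %s" % name)
    if not reply.startswith("250"):
        return []
    return [line[4:].strip() for line in reply.splitlines()]
```

Against a real target, `conn = SocketTransport("<target>")` replaces the fake server and the candidate list should carry the domain (`fred@target.test`), since many servers reject bare local parts in RCPT TO. The 4xx replies are deliberately left as unknown: greylisting and rate limiting will otherwise look like "no such user" and quietly poison the results.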
Network Infrastructure Enumeration
Sparta
http://sparta.secforce.com/
https://tools.kali.org/information-gathering/sparta
NTP Enumeration
ntpdate
ntptrace
ntpdc
ntpq
nmap -sU -pU:123 -Pn -n --script ntp-monlist <target>
DNS Enumeration
Zone transfer:
dig axfr
https://www.acunetix.com/blog/articles/dns-zone-transfers-axfr/
dig axfr @nsztm1.digi.ninja zonetransfer.me
nslookup
http://techgenix.com/nslookupandDNSZoneTransfers/
```
nslookup
# point at one of the target's own name servers first; your default resolver will not hand over a zone
server <name server of target.net>
set type=any
# ls -d (list the whole domain) only exists in the Windows nslookup; on Linux use dig axfr
ls -d target.net > dns.target.net
exit
```
More DNS tools built in to Kali
dnsenum <domain name>
dnsmap <domain name>
fierce --domain <domain name>   (the older Perl fierce took -dns <domain name>; current Kali ships the Python rewrite)
A target site: ZoneTransfer.me
https://digi.ninja/projects/zonetransferme.php
dig axfr @nsztm1.digi.ninja zonetransfer.me
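Added example (not the course's code): the zone transfer above done with plain sockets, so you can see what dig axfr actually sends and what comes back. It opens TCP/53, sends one AXFR question and parses answer records, including compressed names, until the closing SOA. The response at the bottom is constructed (zone.example.test, 192.0.2.10 and the serial are made up) so the parser runs with no server; with two arguments the script runs a real transfer, for instance against nsztm1.digi.ninja zonetransfer.me.

```python
"""Zone transfer (AXFR) client in plain sockets: what `dig axfr @ns zone` does.

Added example for these notes, not the course's code. It sends a TCP DNS
query of type AXFR and parses the stream of answer records until the closing
SOA. The constructed response at the bottom lets the parser run offline.
"""
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 252: "AXFR"}


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x2A2A) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    msg = header + encode_name(zone) + struct.pack(">HH", 252, 1)   # QTYPE 252 = AXFR
    return struct.pack(">H", len(msg)) + msg      # DNS over TCP: 2-byte length prefix


def read_name(msg: bytes, pos: int):
    """Decode a possibly compressed name; return (name, position after it)."""
    labels, jumped, end = [], False, pos
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # compression pointer to an earlier name
            if not jumped:
                end = pos + 2
            pos = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if not jumped:
        end = pos
    return ".".join(labels) + ".", end


def parse_records(msg: bytes):
    """Yield (owner, type, ttl, rdata_text) for every answer RR in one message."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("RCODE %d: transfer refused or failed" % (flags & 0xF))
    pos = 12
    for _ in range(qd):                            # skip the echoed question
        _, pos = read_name(msg, pos)
        pos += 4
    for _ in range(an):
        owner, pos = read_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        if rtype == 1:
            text = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                  # NS, CNAME, PTR: a single name
            text, _ = read_name(msg, pos)
        elif rtype == 6:                           # SOA: two names, then the serial
            mname, p = read_name(msg, pos)
            rname, p = read_name(msg, p)
            serial = struct.unpack(">I", msg[p:p + 4])[0]
            text = "%s %s serial=%d" % (mname, rname, serial)
        else:
            text = rdata.hex()
        pos += rdlen
        yield owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, text


def zone_transfer(nameserver: str, zone: str, timeout: float = 10.0):
    """Run AXFR against <nameserver> and return the records (needs network)."""
    records, soa_seen = [], 0
    with socket.create_connection((nameserver, 53), timeout) as s:
        s.sendall(build_axfr_query(zone))
        f = s.makefile("rb")
        while soa_seen < 2:                        # a transfer ends with a repeat of the SOA
            prefix = f.read(2)
            if len(prefix) < 2:
                break
            msg = f.read(struct.unpack(">H", prefix)[0])
            for rec in parse_records(msg):
                soa_seen += rec[1] == "SOA"
                records.append(rec)
    return records


def constructed_axfr_response(zone: str = "zone.example.test", txid: int = 0x2A2A) -> bytes:
    """One AXFR response message as a permissive server would send it (constructed)."""
    question = encode_name(zone) + struct.pack(">HH", 252, 1)
    zone_ptr = struct.pack(">H", 0xC000 | 12)     # pointer to the zone name in the question

    def rr(owner, rtype, rdata, ttl=3600):
        return owner + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata

    soa = rr(zone_ptr, 6, encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack(">IIIII", 2024010101, 7200, 900, 1209600, 3600))
    ns = rr(zone_ptr, 2, encode_name("ns1." + zone))
    a = rr(encode_name("www." + zone), 1, bytes([192, 0, 2, 10]))
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 4, 0, 0)
    return header + question + soa + ns + a + soa


if __name__ == "__main__":
    import sys
    recs = zone_transfer(sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else list(parse_records(constructed_axfr_response()))
    for owner, rtype, ttl, text in recs:
        print("%-40s %6d %-5s %s" % (owner, ttl, rtype, text))
```

A refused transfer shows up as RCODE 5 (REFUSED) in the header, which is what a correctly configured name server returns; the point of the exercise is finding the ones that do not.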
Exercises
- Attempt a null session connection to the designated target.
- Attempt a zone transfer from the designated target.
- Find JXplorer. There is a practice server (that is usually up) at http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ . Can you figure out how to connect?
- Perform Exercise 7.7 on page 215: Using netcat
- Install Sparta on Kali. Be sure to watch the two short videos. Unleash it on the designated targets.
Homework
- Watch or re-watch the nmap videos above.
- Perform several types of scans on scanme.nmap.org. Do all scans reveal the same thing?
- Look closely at the nmap switches. For instance, what does the -s switch always need, and always specify?
- Practice forming packets with hping3. Create a Ping of Death packet.