[ Certified Ethical Hacker v10 ] :: [ Chapter 3 cont’d ] :: Enumeration

This entry is part 5 of 30 in the series [ Certified Ethical Hacker Training ]

Chapter 3 Continued: Enumeration

Stage 2 of a Hack: Scanning, Enumeration and Vulnerability Analysis

Windows Enumeration

NetBIOS: services, names and details

nbtstat

# nbtstat enumerates your current sessions. 
# It requires at least one switch. Remember -s or -S.
nbtstat -s
# Make nbtstat list addresses from a remote system:
nbtstat -a <NetBIOS name or IP address>
# Look into your own NetBIOS name cache
nbtstat -c
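As an added example (not from the page or the CEH material), here is a small Python parser for the table that nbtstat -a prints. It decodes the NetBIOS suffix of each registered name so a defender can read at a glance what a host is advertising to the network: a computer name, a workgroup or domain name, the File Server service (<20>), or a domain-controller role (<1C>). The sample output below is constructed, not captured from a real host, and the suffix meanings are the standard Microsoft assignments.

```python
import re

# Standard NetBIOS suffix meanings, keyed by (suffix, UNIQUE/GROUP).
# Only the common, well-documented assignments are listed.
SUFFIX_ROLES = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service (host offers SMB shares)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"):  "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"):  "Browser Service Elections",
}

# One table row looks like:  NAME  <XX>  UNIQUE|GROUP  Registered
_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")
_MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]+)")

# Constructed sample of what `nbtstat -a <host>` prints; not captured from a real system.
SAMPLE_NBTSTAT = """
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORP           <1C>  GROUP       Registered
    CORP           <1E>  GROUP       Registered
    FILESRV01      <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-AB-CD-EF
"""

def parse_nbtstat(text):
    """Turn nbtstat -a output into a list of name entries plus the MAC line, if present."""
    entries = []
    mac = None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            suffix = suffix.upper()
            entries.append({
                "name": name,
                "suffix": suffix,
                "type": kind,
                "status": status,
                "role": SUFFIX_ROLES.get((suffix, kind), "Unknown suffix"),
            })
            continue
        m = _MAC.search(line)
        if m:
            mac = m.group(1).upper()
    return {"entries": entries, "mac": mac}

def summarize_exposure(text):
    """Pull out what a defender cares about: what this host tells the network about itself."""
    entries = parse_nbtstat(text)["entries"]
    hosts = {e["name"] for e in entries if (e["suffix"], e["type"]) == ("00", "UNIQUE")}
    domains = {e["name"] for e in entries if (e["suffix"], e["type"]) == ("00", "GROUP")}
    return {
        "computer_names": sorted(hosts),
        "domains": sorted(domains),
        # <20> means the File Server service is running, i.e. the host serves SMB shares
        "offers_file_sharing": any(e["suffix"] == "20" for e in entries),
        # a host that registers DOMAIN<1C> is a domain controller for that domain
        "domain_controller": any((e["suffix"], e["type"]) == ("1C", "GROUP") for e in entries),
        "mac": parse_nbtstat(text)["mac"],
    }

if __name__ == "__main__":
    for e in parse_nbtstat(SAMPLE_NBTSTAT)["entries"]:
        print(f'{e["name"]:<16}<{e["suffix"]}> {e["type"]:<7} {e["role"]}')
    print(summarize_exposure(SAMPLE_NBTSTAT))
```

Paste real nbtstat -a output into parse_nbtstat() to get the same decoding. On a network where NetBIOS over TCP/IP is not needed, the fix for everything this reveals is simply to disable it on the adapter and block UDP 137/138 and TCP 139 at the boundary.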

nmap with SMB

# use -sS for the scan type and --script to specify a script

nmap -sS --script smb-os-discovery <target IP>

nmap -sS --script smb-check-vulns <target IP>
# Note: smb-check-vulns has been removed from Nmap's script collection; its checks
# were split into the smb-vuln-* scripts, so on a current Nmap use --script smb-vuln-* instead.

nmap -sS --script smb-enum-users <target IP>

nmap -sS --script smb-enum-shares <target IP>

NULL Sessions

This is a catastrophic weakness in Windows Simple File Sharing (which you should never use). It allows remote users to connect as no user with no password. Nice, huh?

net use \\<target>\ipc$ "" "/user:"
net view \\<target>
net use g: \\<target>\<shared folder>

  • Users and Groups
  • Shares and other network services
  • Routing tables
  • DNS and machine names
  • Applications and banners
  • Determining what auditing is in place

Tools

Command line in Windows and Linux

PsTools
https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
https://www.youtube.com/watch?v=hOuS3_A6vQs (terrible sound, good examples)

enum4linux
https://tools.kali.org/information-gathering/enum4linux
https://github.com/portcullislabs/enum4linux
https://www.youtube.com/watch?v=EqSJBr1bIh0

SMBmap
https://tools.kali.org/information-gathering/smbmap
https://github.com/ShawnDEvans/smbmap
https://www.youtube.com/watch?v=Nt0CE3Km8Nw

CrackMapExec
https://github.com/byt3bl33d3r/CrackMapExec
https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec-cheatsheet/
https://www.youtube.com/watch?v=pS_6Ouvgkcc (basic usage)
https://www.youtube.com/watch?v=I2ctzF1tZX8 (better demos if you can stand Hillbilly Storytime’s accent)

PowerShell Empire
https://www.powershellempire.com/ (The current project)
https://github.com/EmpireProject/Empire (The old project, no longer supported)
https://null-byte.wonderhowto.com/how-to/use-powershell-empire-getting-started-with-post-exploitation-windows-hosts-0178664/ (A very nice text demo)
https://www.youtube.com/watch?v=lI_G5xhF7zY (A quick-start video)
https://www.youtube.com/watch?v=52xkWbDMUUM (A tutorial in depth)

Other Tools

SuperScan

acccheck

Other Issues

SAM files

SIDs

Linux Enumeration

finger
rpcinfo
showmount

SNMP Scanning

The MIB

snscan
https://en.kali.tools/all/?tool=1303

snmp-check
https://tools.kali.org/information-gathering/snmp-check

SNMP scanning with nmap, onesixtyone and snmpwalk
https://resources.infosecinstitute.com/snmp-pentesting/

LDAP Scanning

JXplorer
http://www.jxplorer.org/
https://sourceforge.net/projects/jxplorer/
https://www.youtube.com/watch?v=4zq8U3Fsr3M

ldap-search script in nmap
https://nmap.org/nsedoc/scripts/ldap-search.html

ldapdomaindump
https://kalilinuxtutorials.com/ldapdomaindump-active-directory-ldap/

LEX (LDAP Explorer)
http://ldapexplorer.com/

SMTP Enumeration

Using VRFY, EXPN, RCPT in telnet, Metasploit and iSMTP
https://www.hackingarticles.in/4-ways-smtp-enumeration/

smtp-user-enum
https://tools.kali.org/information-gathering/smtp-user-enum

# First, telnet into the target's SMTP port (25 is the usual one):
telnet <target> 25

# Most servers expect a greeting before they accept any other command:
HELO <your hostname>

# verify a single user:
VRFY fred

# expand a mailing list:
EXPN <mailing list name>

# send a single message, separately, to multiple users.
# You have to use the MAIL FROM command first:
MAIL FROM:fred
RCPT TO:george
RCPT TO:mary

Using nmap with an NSE script: smtp-enum-users.methods={EXPN,RCPT,VRFY}

nmap --script smtp-enum-users.nse [--script-args smtp-enum-users.methods={EXPN,...},...] -p 25,465,587 <host>
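The VRFY/EXPN exchange above is also the check a mail administrator should run against their own MTA: a server that answers 250 or 550 to VRFY is a user-name oracle, whereas 252 ("cannot verify, will attempt delivery") or 502 ("command not implemented/disabled") gives nothing away. The Python below is an added example, not code from the page or from any tool listed on it. It uses the standard library's smtplib, whose SMTP.verify() and SMTP.expn() send exactly those two commands, and a small stand-in object (constructed) so the classification logic can be demonstrated without a live server.

```python
import smtplib

# RFC 5321 reply codes for VRFY / EXPN, grouped by what they reveal to the caller.
ORACLE_CODES = {250, 251, 550, 551, 553}   # any of these separates real names from bogus ones
HARDENED_CODES = {252}                     # "cannot verify, will try delivery": no information leaked
DISABLED_CODES = {500, 502, 503, 504}      # command rejected or not implemented

def interpret_reply(code):
    """Classify one VRFY/EXPN reply code."""
    if code in ORACLE_CODES:
        return "discloses"
    if code in HARDENED_CODES:
        return "hardened"
    if code in DISABLED_CODES:
        return "disabled"
    return "unknown"

def assess_user_enumeration(conn, probe="postmaster"):
    """conn is an smtplib.SMTP (or anything whose verify()/expn() return (code, message)).
    Probes one well-known mailbox and reports whether each command acts as an oracle."""
    results = {}
    for command, method in (("VRFY", conn.verify), ("EXPN", conn.expn)):
        code, _message = method(probe)
        results[command] = interpret_reply(code)
    results["exposes_accounts"] = any(results[c] == "discloses" for c in ("VRFY", "EXPN"))
    return results

def audit_mta(host, port=25, timeout=10):
    """Run the check against a mail server you administer (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return assess_user_enumeration(conn)

class FakeMTA:
    """Stand-in for smtplib.SMTP so the classifier can be exercised offline (constructed)."""
    def __init__(self, vrfy_code, expn_code):
        self._codes = {"VRFY": vrfy_code, "EXPN": expn_code}
    def verify(self, address):
        return self._codes["VRFY"], b"simulated reply"
    def expn(self, address):
        return self._codes["EXPN"], b"simulated reply"

# Two constructed servers: one that confirms names, and one that gives the
# non-committal 252 to VRFY and rejects EXPN outright with 502.
LEAKY_SERVER = FakeMTA(vrfy_code=250, expn_code=250)
HARDENED_SERVER = FakeMTA(vrfy_code=252, expn_code=502)

if __name__ == "__main__":
    print("leaky   :", assess_user_enumeration(LEAKY_SERVER))
    print("hardened:", assess_user_enumeration(HARDENED_SERVER))
```

Call audit_mta("mail.example.com") (hostname is a placeholder) against your own server; a result with exposes_accounts set means VRFY or EXPN should be disabled in the MTA configuration. Note that the RCPT TO variant shown above is unaffected by that setting: whether RCPT TO distinguishes valid from invalid recipients depends on recipient validation and rate limiting, not on these two commands.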

Network Infrastructure Enumeration

Sparta
http://sparta.secforce.com/
https://tools.kali.org/information-gathering/sparta

NTP Enumeration

ntpdate
ntptrace
ntpdc
ntpq
nmap -sU -pU:123 -Pn -n --script ntp-monlist <target>

DNS Enumeration

Zone transfer:
dig axfr
https://www.acunetix.com/blog/articles/dns-zone-transfers-axfr/

dig axfr @nsztm1.digi.ninja zonetransfer.me

nslookup
http://techgenix.com/nslookupandDNSZoneTransfers/

nslookup

# point nslookup at the target's authoritative name server first;
# otherwise ls asks whatever resolver you happen to be using:
server <name server for target.net>

set type=any

# ls exists only in the Windows nslookup (the BIND version dropped it);
# -d lists the whole zone, here redirected to a file:
ls -d target.net > dns.target.net

exit

More DNS tools built into Kali

dnsenum <domain name>
dnsmap <domain name>
fierce -dns <domain name>

A target site: ZoneTransfer.me

https://digi.ninja/projects/zonetransferme.php

dig axfr @nsztm1.digi.ninja zonetransfer.me
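Whether a zone transfer succeeds is only half the story; what matters to the zone's owner is what the transferred records give away. The Python below is an added example, not from the page or from dig itself: it parses the record lines of dig axfr output (name, TTL, class, type, rdata, tab separated, with comment lines starting with ";") and lists hosts whose A/AAAA records point into RFC 1918 or IPv6 unique-local space, i.e. internal topology that an open AXFR publishes. The sample transcript is constructed for a made-up example.com zone using documentation addresses; it is not real zonetransfer.me data.

```python
import ipaddress

# Address space that should never appear in a public zone: RFC 1918 plus IPv6 unique-local.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed `dig axfr` transcript for a made-up zone (documentation addresses, not real hosts).
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1 <<>> axfr @ns1.example.com example.com
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t300\tIN\tMX\t10 mail.example.com.
mail.example.com.\t300\tIN\tA\t203.0.113.25
www.example.com.\t300\tIN\tA\t203.0.113.10
intranet.example.com.\t300\tIN\tA\t10.0.5.12
backup-db.example.com.\t300\tIN\tA\t192.168.40.7
printers.example.com.\t300\tIN\tAAAA\tfd12:3456:789a::10
vpn.example.com.\t300\tIN\tTXT\t"Contact: ops@example.com"
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
;; Query time: 32 msec
;; XFR size: 10 records (messages 1, bytes 412)
"""

def parse_axfr(dig_output):
    """Return the resource records in dig axfr output as dicts; comment lines (';') are skipped."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)   # rdata may contain spaces, so split at most four times
        if len(fields) != 5:
            continue
        name, ttl, rclass, rtype, rdata = fields
        records.append({"name": name, "ttl": int(ttl), "class": rclass,
                        "type": rtype, "rdata": rdata})
    return records

def internal_hosts(records):
    """Names whose A/AAAA data falls inside INTERNAL_RANGES."""
    leaks = []
    for rec in records:
        if rec["type"] not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rec["rdata"])
        except ValueError:
            continue
        if any(net.version == addr.version and addr in net for net in INTERNAL_RANGES):
            leaks.append((rec["name"], rec["rdata"]))
    return leaks

def summarize_transfer(dig_output):
    """Record count, count per type, and the internal hosts the transfer revealed."""
    records = parse_axfr(dig_output)
    by_type = {}
    for rec in records:
        by_type[rec["type"]] = by_type.get(rec["type"], 0) + 1
    return {"records": len(records), "by_type": by_type,
            "internal_hosts": internal_hosts(records)}

if __name__ == "__main__":
    print(summarize_transfer(SAMPLE_AXFR))
```

To use it on your own zone, save the output of dig axfr @<your name server> <your zone> to a file and pass its contents to summarize_transfer(). The SOA appearing twice is normal: AXFR brackets the zone with it. If the transfer succeeds at all from an arbitrary host, restrict allow-transfer to your secondaries; if it lists internal hosts, those names belong in an internal view or zone, not the public one.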

Exercises

  1. Attempt a null session connection to the designated target.
  2. Attempt a zone transfer from the designated target.
  3. Find JXplorer. There is a practice server (that is usually up) at http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ . Can you figure out how to connect?
  4. Perform Exercise 7.7 on page 215: Using netcat
  5. Install Sparta on Kali. Be sure to watch the two short videos. Unleash it on the designated targets.

Homework

  1. Watch or re-watch the nmap videos above.
  2. Perform several types of scans on scanme.nmap.org. Do all scans reveal the same thing?
  3. Look closely at the nmap switches. For instance, what does the -s switch always need, and always specify?
  4. Practice forming packets with hping3. Create a Ping of Death packet.