Wednesday 1 November 2017

SMB / Netbios Enumeration

SMB / Netbios
# Search for SMB services (open ports only reported)
nmap -p139,445 a.a.a.a-b --open

# Specific nbt span
nbtscan a.a.a.a-b

SMB Null Session 
This is valid for Windows machines before 2003 Server and XP
rpcclient -U "" a.a.a.a
Password: <leave empty>
> srvinfo
... (server info)
> enumdomusers
... (users defined on server)
> getdompwinfo
... (password policy info)

enum4linux
enum4linux -v a.a.a.a

nmap using 'nse'
# Enumerate SMB users
nmap -p139,445 --script smb-enum-users a.a.a.a

# Check for SMB Vunerabilities
nmap -p139,445 --script smb-check-vulns --script-args=unsafe=1 a.a.a.a


SNMP Enumeration

SNMP Enumeration
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b

onesixtyone
# Use the 161 tool
# community is a file which contains a list of community strings eg
public
private
manager
# ips is a file which contains a list of ip addresses.  It can be generated easily using
for ip in (seq 50 100); do
echo a.a.a.$ip >> ips
done
# Now invoke the onesixtyone tool with these files
onesixtyone -c community -i ips

snmpwalk
# Use snmpwalk to get the values of each leaf of the snmp server using community string 'public' and version 1
snmpwalk -c public -v1 a.a.a.a

# Search for a particular MiB value
snmpwalk -c public -v1 a.a.a.a 1.2.3.4.5.6.7.8.9

snmpenum



snmpcheck



SMTP Enumeration

SMTP Enumeration
# Scan for open port 25
nmap -sT -p 25 --open a.a.a.a-b


# Connect to an SMTP server
nc -nv a.a.a.a 25
220 ... server details
# Verify that a user exists.
> VRFY ******
250 ... ******


where a.a.a.a-b is an ip range such as 192.168.1.100-150

nmap & Port Scanning

# ICMP / ping sweep
nmap -sn a.a.a.a-b

# Output to a grepable file
nmap -sn a.a.a.a-b -oG nmap-ping-sweep.txt
grep Up nmap-ping-sweep.txt

# Specific port scan
nmap -p 22 a.a.a.a-b -oG nmap-ssh-scan.txt


Port Scanning
# Connect scan
nmap -sT a.a.a.a-b

# Syn / half open scan
nmap -sS a.a.a.a-b

# Syn scan on the top 100 ports
nmap -sS --top-ports 100 a.a.a.a-b

# ACK scan
nmap -sA --top-ports 100 a.a.a.a-b

# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b

# Banner grabbing
nmap -sV a.a.a.a-b

# Operating system fingerprinting
nmap -O a.a.a.a-b

# Comprehensive scan
nmap -A a.a.a.a-b

nse = nmap scripting engine

where a.a.a.a-b is an ip range such as 192.168.1.100-150