SMB / Netbios
# Search for SMB services (open ports only reported)
nmap -p139,445 a.a.a.a-b --open
# Specific NetBIOS (nbt) scan
nbtscan a.a.a.a-b
SMB Null Session
This works against Windows versions older than Server 2003 and XP, where null sessions are still permitted by default
rpcclient -U "" a.a.a.a
Password: <leave empty>
> srvinfo
... (server info)
> enumdomusers
... (users defined on server)
> getdompwinfo
... (password policy info)
enum4linux
enum4linux -v a.a.a.a
nmap using 'nse'
# Enumerate SMB users
nmap -p139,445 --script smb-enum-users a.a.a.a
# Check for SMB vulnerabilities
nmap -p139,445 --script smb-check-vulns --script-args=unsafe=1 a.a.a.a
Wednesday, 1 November 2017
SNMP Enumeration
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b
onesixtyone
# Use the 161 tool
# community is a file which contains a list of community strings, e.g.
public
private
manager
# ips is a file which contains a list of ip addresses. It can be generated easily using
# (command substitution needs $(...); a bare (...) is a syntax error in bash)
for ip in $(seq 50 100); do
    echo a.a.a.$ip >> ips
done
# Now invoke the onesixtyone tool with these files
onesixtyone -c community -i ips
snmpwalk
# Use snmpwalk to get the values of each leaf of the snmp server using community string 'public' and version 1
snmpwalk -c public -v1 a.a.a.a
# Search for a particular MiB value
snmpwalk -c public -v1 a.a.a.a 1.2.3.4.5.6.7.8.9
snmpenum
snmpcheck
SMTP Enumeration
# Scan for open port 25
nmap -sT -p 25 --open a.a.a.a-b
# Connect to an SMTP server
nc -nv a.a.a.a 25
220 ... server details
# Verify that a user exists.
> VRFY ******
250 ... ******
where a.a.a.a-b is an ip range such as 192.168.1.100-150
nmap & Port Scanning
# ICMP / ping sweep
nmap -sn a.a.a.a-b
# Output to a grepable file
nmap -sn a.a.a.a-b -oG nmap-ping-sweep.txt
grep Up nmap-ping-sweep.txt
# Specific port scan
nmap -p 22 a.a.a.a-b -oG nmap-ssh-scan.txt
Port Scanning
# Connect scan
nmap -sT a.a.a.a-b
# Syn / half open scan
nmap -sS a.a.a.a-b
# Syn scan on the top 100 ports
nmap -sS --top-ports 100 a.a.a.a-b
# ACK scan
nmap -sA --top-ports 100 a.a.a.a-b
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b
# Banner grabbing
nmap -sV a.a.a.a-b
# Operating system fingerprinting
nmap -O a.a.a.a-b
# Comprehensive scan
nmap -A a.a.a.a-b
nse = nmap scripting engine
where a.a.a.a-b is an ip range such as 192.168.1.100-150
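The grepable (-oG) files produced above are what you feed into reporting. As an added example (not from the original post), the following Python parser reads -oG output and produces an exposure inventory of the SMTP, NetBIOS/SMB and SNMP ports this sheet enumerates, so a defender can see which hosts on their own range answer on them. The scan text is constructed sample data, and the `WATCHED` port map is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Wed Nov  1 10:00:00 2017 as: nmap -p 25,139,161,445 -sS -sU -oG - 192.168.1.100-102
Host: 192.168.1.100 ()\tStatus: Up
Host: 192.168.1.100 ()\tPorts: 25/open/tcp//smtp///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///\tIgnored State: closed (0)
Host: 192.168.1.101 ()\tStatus: Up
Host: 192.168.1.101 ()\tPorts: 25/closed/tcp//smtp///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 161/closed/udp//snmp///
Host: 192.168.1.102 ()\tStatus: Down
# Nmap done at Wed Nov  1 10:00:05 2017 -- 3 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# Assumed port map for this example: the services the cheat sheet enumerates.
WATCHED = {("tcp", 25): "smtp", ("tcp", 139): "netbios-ssn",
           ("tcp", 445): "smb", ("udp", 161): "snmp"}

# "Host: <ip> (<hostname>)<TAB><tab-separated fields>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {"up": bool, "open": [(proto, port, service), ...]}}."""
    hosts = defaultdict(lambda: {"up": False, "open": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines carry no host data
        ip, rest = m.groups()
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[ip]["up"] = value.strip() == "Up"
            elif key == "Ports":
                # each entry: port/state/proto/owner/service/rpcinfo/version/
                for entry in value.split(", "):
                    parts = entry.split("/")
                    port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                    if state == "open":  # skip closed, filtered and open|filtered
                        hosts[ip]["open"].append((proto, port, service))
    return dict(hosts)

def exposed_services(hosts):
    """Map ip -> sorted list of watched services it exposes (empty hosts omitted)."""
    report = {}
    for ip, info in hosts.items():
        hits = sorted(WATCHED[(p, n)] for p, n, _ in info["open"] if (p, n) in WATCHED)
        if hits:
            report[ip] = hits
    return report

if __name__ == "__main__":
    for ip, services in exposed_services(parse_gnmap(SAMPLE_GNMAP)).items():
        print(ip, ", ".join(services))
```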