SMB / Netbios
# Search for SMB services (open ports only reported)
nmap -p139,445 a.a.a.a-b --open
# Specific nbt span
nbtscan a.a.a.a-b
SMB Null Session
This is valid for Windows machines before 2003 Server and XP
rpcclient -U "" a.a.a.a
Password: <leave empty>
> srvinfo
... (server info)
> enumdomusers
... (users defined on server)
> getdompwinfo
... (password policy info)
enum4linux
enum4linux -v a.a.a.a
nmap using 'nse'
# Enumerate SMB users
nmap -p139,445 --script smb-enum-users a.a.a.a
# Check for SMB Vunerabilities
nmap -p139,445 --script smb-check-vulns --script-args=unsafe=1 a.a.a.a
Showing posts with label Pen Testing. Show all posts
Showing posts with label Pen Testing. Show all posts
Wednesday, 1 November 2017
SNMP Enumeration
SNMP Enumeration
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b
onesixtyone
# Use the 161 tool
# community is a file which contains a list of community strings eg
public
private
manager
# ips is a file which contains a list of ip addresses. It can be generated easily using
for ip in (seq 50 100); do
echo a.a.a.$ip >> ips
done
# Now invoke the onesixtyone tool with these files
onesixtyone -c community -i ips
snmpwalk
# Use snmpwalk to get the values of each leaf of the snmp server using community string 'public' and version 1
snmpwalk -c public -v1 a.a.a.a
# Search for a particular MiB value
snmpwalk -c public -v1 a.a.a.a 1.2.3.4.5.6.7.8.9
snmpenum
snmpcheck
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b
onesixtyone
# Use the 161 tool
# community is a file which contains a list of community strings eg
public
private
manager
# ips is a file which contains a list of ip addresses. It can be generated easily using
for ip in (seq 50 100); do
echo a.a.a.$ip >> ips
done
# Now invoke the onesixtyone tool with these files
onesixtyone -c community -i ips
snmpwalk
# Use snmpwalk to get the values of each leaf of the snmp server using community string 'public' and version 1
snmpwalk -c public -v1 a.a.a.a
# Search for a particular MiB value
snmpwalk -c public -v1 a.a.a.a 1.2.3.4.5.6.7.8.9
snmpenum
snmpcheck
SMTP Enumeration
SMTP Enumeration
# Scan for open port 25
nmap -sT -p 25 --open a.a.a.a-b
# Connect to an SMTP server
nc -nv a.a.a.a 25
220 ... server details
# Verify that a user exists.
> VRFY ******
250 ... ******
where a.a.a.a-b is an ip range such as 192.168.1.100-150
# Scan for open port 25
nmap -sT -p 25 --open a.a.a.a-b
# Connect to an SMTP server
nc -nv a.a.a.a 25
220 ... server details
# Verify that a user exists.
> VRFY ******
250 ... ******
where a.a.a.a-b is an ip range such as 192.168.1.100-150
nmap & Port Scanning
# ICMP / ping sweep
nmap -sn a.a.a.a-b
# Output to a grepable file
nmap -sn a.a.a.a-b -oG nmap-ping-sweep.txt
grep Up nmap-ping-sweep.txt
# Specific port scan
nmap -p 22 a.a.a.a-b -oG nmap-ssh-scan.txt
Port Scanning
# Connect scan
nmap -sT a.a.a.a-b
# Syn / half open scan
nmap -sS a.a.a.a-b
# Syn scan on the top 100 ports
nmap -sS --top-ports 100 a.a.a.a-b
# ACK scan
nmap -sA --top-ports 100 a.a.a.a-b
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b
# Banner grabbing
nmap -sV a.a.a.a-b
# Operating system fingerprinting
nmap -O a.a.a.a-b
# Comprehensive scan
nmap -A a.a.a.a-b
nse = nmap scripting engine
where a.a.a.a-b is an ip range such as 192.168.1.100-150
nmap -sn a.a.a.a-b
# Output to a grepable file
nmap -sn a.a.a.a-b -oG nmap-ping-sweep.txt
grep Up nmap-ping-sweep.txt
# Specific port scan
nmap -p 22 a.a.a.a-b -oG nmap-ssh-scan.txt
Port Scanning
# Connect scan
nmap -sT a.a.a.a-b
# Syn / half open scan
nmap -sS a.a.a.a-b
# Syn scan on the top 100 ports
nmap -sS --top-ports 100 a.a.a.a-b
# ACK scan
nmap -sA --top-ports 100 a.a.a.a-b
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b
# Banner grabbing
nmap -sV a.a.a.a-b
# Operating system fingerprinting
nmap -O a.a.a.a-b
# Comprehensive scan
nmap -A a.a.a.a-b
nse = nmap scripting engine
where a.a.a.a-b is an ip range such as 192.168.1.100-150
Thursday, 14 September 2017
Using hping3
A quick cheat sheet for using hping3 for port scanning,
-c 1 Only send one request per port (c = count)
-v Verbose, show response for each port
-1 Sends a ping request (ICMP echo request) This number one not letter ell
-2 Send as UDP packet
-S Send a SYN scan, open ports will send a SYN-ACK packet back (a half-open scan)
-A Send an ACK packet
-F Send packet with a FIN flag
-8 1-500 Scan a range of ports equivalent of --span
-p 80 Scan a particular port
Examples
Send one request with a half-open scan to port 80
> hping3 -c 1 -S <www.website.somewhere> -p 80
HPING <www.website.somewhere> (eth1 <website ip>): S set, 40 headers + 0 data bytes
len=46 ip=<website ip> ttl=64 id=31610 sport=80 flags=SA seq=0 win=65535 rtt=14.8 ms
--- <www.website.somewhere> hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
Send one request per port using a half-open scan against a Windows XP machine with no firewall
>hping3 -c 1 -S --scan 1-10000 <ip address>
Scanning <ip address>, port 1-10000
10000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
445 microsoft-d: .S..A... 64 33955 65535 46
139 netbios-ssn: .S..A... 64 46756 65535 46
135 loc-srv : .S..A... 64 47780 65535 46
3389 .S..A... 64 58947 65535 46
All replies received. Done.
Not responding ports:
Flags
The S and A flags show that the target system responded with a SYN-ACK which means the port is open and can be explored further.
-c 1 Only send one request per port (c = count)
-v Verbose, show response for each port
-1 Sends a ping request (ICMP echo request) This number one not letter ell
-2 Send as UDP packet
-S Send a SYN scan, open ports will send a SYN-ACK packet back (a half-open scan)
-A Send an ACK packet
-F Send packet with a FIN flag
-8 1-500 Scan a range of ports equivalent of --span
-p 80 Scan a particular port
Examples
Send one request with a half-open scan to port 80
> hping3 -c 1 -S <www.website.somewhere> -p 80
HPING <www.website.somewhere> (eth1 <website ip>): S set, 40 headers + 0 data bytes
len=46 ip=<website ip> ttl=64 id=31610 sport=80 flags=SA seq=0 win=65535 rtt=14.8 ms
--- <www.website.somewhere> hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
Send one request per port using a half-open scan against a Windows XP machine with no firewall
>hping3 -c 1 -S --scan 1-10000 <ip address>
Scanning <ip address>, port 1-10000
10000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
445 microsoft-d: .S..A... 64 33955 65535 46
139 netbios-ssn: .S..A... 64 46756 65535 46
135 loc-srv : .S..A... 64 47780 65535 46
3389 .S..A... 64 58947 65535 46
All replies received. Done.
Not responding ports:
Flags
The S and A flags show that the target system responded with a SYN-ACK which means the port is open and can be explored further.
Subscribe to:
Posts (Atom)