SMB / Netbios
# Search for SMB services (open ports only reported)
nmap -p139,445 a.a.a.a-b --open
# Specific NetBIOS name scan
nbtscan a.a.a.a-b
SMB Null Session
Null sessions are valid against Windows machines older than Server 2003 and XP
rpcclient -U "" a.a.a.a
Password: <leave empty>
> srvinfo
... (server info)
> enumdomusers
... (users defined on server)
> getdompwinfo
... (password policy info)
enum4linux
enum4linux -v a.a.a.a
nmap using 'nse'
# Enumerate SMB users
nmap -p139,445 --script smb-enum-users a.a.a.a
# Check for SMB vulnerabilities
nmap -p139,445 --script smb-check-vulns --script-args=unsafe=1 a.a.a.a
Wednesday, 1 November 2017
SNMP Enumeration
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b
onesixtyone
# Use the 161 tool
# community is a file which contains a list of community strings eg
public
private
manager
# ips is a file which contains a list of ip addresses. It can be generated easily using
for ip in $(seq 50 100); do
echo a.a.a.$ip >> ips
done
# Now invoke the onesixtyone tool with these files
onesixtyone -c community -i ips
snmpwalk
# Use snmpwalk to get the values of each leaf of the snmp server using community string 'public' and version 1
snmpwalk -c public -v1 a.a.a.a
# Query a particular MIB value (OID)
snmpwalk -c public -v1 a.a.a.a 1.2.3.4.5.6.7.8.9
snmpenum
snmpcheck
SMTP Enumeration
# Scan for open port 25
nmap -sT -p 25 --open a.a.a.a-b
# Connect to an SMTP server
nc -nv a.a.a.a 25
220 ... server details
# Verify that a user exists.
> VRFY ******
250 ... ******
where a.a.a.a-b is an IP range such as 192.168.1.100-150
nmap & Port Scanning
# ICMP / ping sweep
nmap -sn a.a.a.a-b
# Output to a grepable file
nmap -sn a.a.a.a-b -oG nmap-ping-sweep.txt
grep Up nmap-ping-sweep.txt
# Specific port scan
nmap -p 22 a.a.a.a-b -oG nmap-ssh-scan.txt
Port Scanning
# Connect scan
nmap -sT a.a.a.a-b
# SYN / half-open scan
nmap -sS a.a.a.a-b
# SYN scan on the top 100 ports
nmap -sS --top-ports 100 a.a.a.a-b
# ACK scan
nmap -sA --top-ports 100 a.a.a.a-b
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b
# Banner grabbing
nmap -sV a.a.a.a-b
# Operating system fingerprinting
nmap -O a.a.a.a-b
# Comprehensive scan
nmap -A a.a.a.a-b
NSE = Nmap Scripting Engine
where a.a.a.a-b is an IP range such as 192.168.1.100-150
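Added example, not from the original post: a small Python parser for the grepable (-oG) files the ping sweep and port scan above write, pulling out which hosts were Up and which ports were open instead of grepping by hand. The sample output is constructed to match the -oG layout, not a real scan.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of nmap grepable (-oG) output; not a real scan result.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -p 22,80,445 -oG nmap-ssh-scan.txt 192.168.1.100-103
Host: 192.168.1.100 ()\tStatus: Up
Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 445/filtered/tcp//microsoft-ds///
Host: 192.168.1.101 ()\tStatus: Down
Host: 192.168.1.102 ()\tStatus: Up
Host: 192.168.1.102 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+(.*)$")

@dataclass
class HostResult:
    status: str = ""
    open_ports: List[Tuple[int, str, str]] = field(default_factory=list)  # (port, proto, service)

def parse_grepable(text: str) -> Dict[str, HostResult]:
    """Parse -oG output into {ip: HostResult}; lines starting with '#' are nmap's own comments."""
    hosts: Dict[str, HostResult] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if line.startswith("#") or not m:
            continue
        ip, _hostname, rest = m.groups()
        entry = hosts.setdefault(ip, HostResult())
        for fld in rest.split("\t"):  # tab-separated "Key: value" fields
            key, _, value = fld.partition(": ")
            if key == "Status":
                entry.status = value.strip()
            elif key == "Ports":
                for spec in value.split(","):
                    # Each entry is port/state/protocol/owner/service/rpc/version/
                    parts = spec.strip().split("/")
                    if len(parts) >= 5 and parts[1] == "open":
                        entry.open_ports.append((int(parts[0]), parts[2], parts[4]))
    return hosts

def hosts_up(hosts: Dict[str, HostResult]) -> List[str]:
    """Equivalent of `grep Up` on the file: hosts reported Up or showing any open port."""
    return sorted(ip for ip, h in hosts.items() if h.status == "Up" or h.open_ports)

def open_ports(hosts: Dict[str, HostResult], ip: str) -> List[int]:
    return [port for port, _, _ in hosts[ip].open_ports]
```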
Thursday, 14 September 2017
Using hping3
A quick cheat sheet for using hping3 for port scanning.
-c 1 Only send one request per port (c = count)
-v Verbose, show the response for each port
-1 Send a ping request (ICMP echo request); this is the digit one, not the letter L
-2 Send as a UDP packet
-S Send a SYN scan; open ports send a SYN-ACK packet back (a half-open scan)
-A Send an ACK packet
-F Send a packet with the FIN flag set
-8 1-500 Scan a range of ports, equivalent to --scan
-p 80 Scan a particular port
Examples
Send one request with a half-open scan to port 80
> hping3 -c 1 -S <www.website.somewhere> -p 80
HPING <www.website.somewhere> (eth1 <website ip>): S set, 40 headers + 0 data bytes
len=46 ip=<website ip> ttl=64 id=31610 sport=80 flags=SA seq=0 win=65535 rtt=14.8 ms
--- <www.website.somewhere> hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
Send one request per port using a half-open scan against a Windows XP machine with no firewall
> hping3 -c 1 -S --scan 1-10000 <ip address>
Scanning <ip address>, port 1-10000
10000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags   |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
 445 microsoft-d: .S..A...  64 33955 65535    46
 139 netbios-ssn: .S..A...  64 46756 65535    46
 135 loc-srv    : .S..A...  64 47780 65535    46
3389             .S..A...  64 58947 65535    46
All replies received. Done.
Not responding ports:
Flags
The S and A flags show that the target system responded with a SYN-ACK, which means the port is open and can be explored further.
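Added example, not part of the original post: a Python helper that reads the hping3 --scan table shown above and classifies each port from its flags column, treating a SYN-ACK as open and an RST as closed (rows for other replies only appear with -V, as the tool's own output notes). The sample table is constructed in the same layout, not a real capture.

```python
import re
from typing import List, Tuple

# Constructed sample shaped like `hping3 -c 1 -S --scan 1-10000 <ip>` output; not a real capture.
# Only SYN-ACK rows are printed by default; the RST row stands in for what -V would add.
SAMPLE_SCAN = """\
Scanning 192.0.2.10 (192.0.2.10), port 1-10000
10000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags   |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
  445 microsoft-d: .S..A... 64 33955 65535    46
  139 netbios-ssn: .S..A... 64 46756 65535    46
  135 loc-srv    : .S..A... 64 47780 65535    46
 3389            : .S..A... 64 58947 65535    46
   23 telnet     : R...A... 64 12345     0    40
All replies received. Done.
Not responding ports:
"""

FLAGS_RE = re.compile(r"^[.RSFPAUXY]{8}$")   # hping's eight-character flags column
PORT_RE = re.compile(r"^\s*(\d+)\s")

def classify(flags: str) -> str:
    """Map the flags column to a port state the way the Flags note above describes."""
    if "R" in flags:
        return "closed"   # RST (typically RST/ACK): nothing is listening
    if "S" in flags and "A" in flags:
        return "open"     # SYN/ACK: the target would complete the handshake
    return "unknown"

def parse_hping_scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (port, flags, state) for each table row; headers and chatter are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        flags = next((t for t in line.split() if FLAGS_RE.match(t) and t != "." * 8), None)
        if flags is None:     # e.g. "10000 ports to scan ..." has no flags column
            continue
        rows.append((int(m.group(1)), flags, classify(flags)))
    return rows

def ports_in_state(text: str, state: str) -> List[int]:
    return [port for port, _, s in parse_hping_scan(text) if s == state]
```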
Tuesday, 6 June 2017
Spring Sleuth
Sleuth is used to trace calls in a microservices environment. It creates a trace-id that covers the whole interaction and a span-id for each individual call. For example, a client calls a microservice to load information for a customer id: first the customer service is called, then the recent orders and accounts services. All these calls share the same trace-id, but each one has a different span-id. To turn on Sleuth just add the following dependency to the pom. You'll also need to set an application name.
spring.application.name=My Server
Maven
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-sleuth</artifactId>
<version>1.2.0.RELEASE</version>
</dependency>
The trace and span ids will now be created and can be seen in the headers.
Logging the ids is one thing, but there is a graphical tool which makes using them much easier.
Zipkin
Zipkin can be configured so that all Sleuth output is sent to it; it then shows the interactions so that the services called and the time taken by each can be seen. To configure and use Zipkin just add another dependency,
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-sleuth-zipkin</artifactId>
<version>1.2.0.RELEASE</version>
</dependency>
By default everything is sent to localhost:9411, but this can be changed by adding a property
spring.zipkin.baseurl=http://zipkin:9411/
Docker
If you are running with docker you'll need to add a zipkin image into the compose file,
zipkin:
  image: openzipkin/zipkin
  networks:
    - my-network
  hostname: zipkin
  ports:
    - "9411:9411"
Tuesday, 18 April 2017
Docker crib sheet
Here is a list of commands that are useful for docker, docker-machine and docker-compose.
Listings
// See what docker containers are running
> docker ps
// See which images exist
> docker images
> docker image ls
// See which networks exist (usually created as part of docker-compose)
> docker network ls
// See which volumes exist
> docker volume ls
Removing Images and Containers
// List the images and then remove one using the image id
> docker rmi <image_id>
// List the containers and remove one using the container id
> docker rm <container_id>
// Remove a volume
> docker volume rm <volume_id>
// Remove a network
> docker network rm <network_id>
Starting and stopping
// Start a particular image, routing port 1234 on localhost to 5678 on the docker image. For a web application you'll need to expose the application server port such as 8080, eg -p 8080:8080
// After running this it'll show up on a docker ps as a container running this image
> docker run -p 1234:5678 <image_id>
// Start an image in 'detached' mode to keep the output quiet
> docker run -d -p 1234:5678 <image_id>
// View the logs of the docker container running a particular image
> docker logs <container_id>
// Stop a particular container
> docker stop <container_id>
// Attach a shell to a running docker container
> docker exec -it <container_id> "/bin/bash"
// Start with an environment variable
> docker run -d -e MY_ENVIRONMENT_VAR=bob <image_id>
Other useful commands
// See what resources are currently being used
> docker stats
// Save the logs of a container to a file
> docker logs <container_id> > output.log
// Copy a file from a docker image to the local machine
> docker cp <container_id>:<container file path> <local path>
> docker cp ab34d4532e78:/tmp/log.txt ./
docker-machine
// Useful where the host machine doesn't support docker natively, such as anything pre Windows 10
// Get the ip of the docker-machine, usually 192.168.99.100
> docker-machine ip