Active information gathering
The more you discover about a target, the more opportunities for exploitation you have. It's good to know how to use a variety of tools (and a variety of options for each tool) because network conditions may vary.
This tool is used to scan a network for live machines:
netdiscover -r 192.168.1.1/24
Nmap is awesome. There are many commands and options, but below are some commonly used ones which work well in both lab and penetration testing scenarios.
Nmap is a command-line tool but has a user-friendly GUI version called Zenmap, available for all major OS platforms. Zenmap also has preconfigured commands for common scans.
Host discovery (ping scan):
nmap -sn 192.168.1.1/24
Host discovery (specific range):
nmap -sn 192.168.1.1-100
Nmap also has the
-Pn
option which will disable the host discovery stage altogether on a scan. This option can be useful when the target is reported as down when it’s actually up but not responding to host discovery probes (e.g. due to host-based firewall that drops ICMP packets). Using this option with the intense scans below can be helpful.TCP connect scan:
nmap -sT [host]
OS fingerprinting and service detection:
nmap -sV -O [host]
Intense scan, all TCP ports:
nmap -p 1-65535 -T4 -A -v [host]
Intense scan, all TCP ports, no ping:
nmap -p 1-65535 -T4 -A -v -Pn [host]
Intense scan, plus UDP
nmap -sS -sU -T4 -A -v [host]
Aggressive scan:
nmap -A [host]
Warning: Big, nasty scans are great for labs, but sometimes get rate-limited. In real life settings, it's even worse. Start with light scans and do targeted scans when you discover something interesting.
NSE is awesome too, its scripts can be used to detect a variety of vulnerabilities.
General usage:
nmap --script=[scriptname] [host]
Example:
nmap --script=http-robots.txt [host]
Arguments can be passed to Nmap scripts using the
--script-args
option or from a file using the --script-args-file
option.Nmap scripts are located in the following directory:
/usr/share/nmap/scripts
FTP:
ls -l /usr/share/nmap/scripts/ftp*
HTTP:
ls -l /usr/share/nmap/scripts/http*
SMTP:
ls -l /usr/share/nmap/scripts/smtp*
SMB:
ls -l /usr/share/nmap/scripts/smb*
MySQL:
ls -l /usr/share/nmap/scripts/mysql*
WordPress:
ls -l /usr/share/nmap/scripts/http-wordpress*
Drupal:
ls -l /usr/share/nmap/scripts/http-drupal*
Citrix:
ls -l /usr/share/nmap/scripts/citrix*
Most scripts have a help function that displays instructions when you type
--script-help
:nmap --script-help ftp-anon
If a script isn't available on your system, download it with the following command:
wget https://svn.nmap.org/nmap/scripts/smb-vuln-ms17-010.nse -O /usr/share/nmap/scripts/smb-vuln-ms17-010.nse
Once the script has downloaded, use the following command to update the Nmap script database so that the script will become available to Nmap:
nmap --script-updatedb
Web application firewalls (WAF) may drop malicious requests, such as those with SQL injections, or otherwise interfere with enumeration or testing:
Detect WAF using NMAP:
nmap -p80 --script http-waf-detect [host]
Fingerprint WAF using NMAP:
nmap -p80 --script http-waf-fingerprint [host]
Fingerprint WAF using WAFw00f:
wafw00f.py [url]
Check if anonymous FTP access is available:
ftp [host]
Username: anonymous
Password: anything
Test if you can navigate, list, read, get or put files:
cd .. # move up one directory
pwd # print working directory
dir -C # list files
mkdir [folder] # make a directory
get [file] # get a file
put [file] # send a file
You can connect to an SMTP server with netcat and run the
vrfy
command to check if email addresses are valid. You can also check mailing list membership with expn
.Server Message Block (SMB) is a network file sharing protocol that provides access to shared files and printers on a local network. Older versions of SMB tend to be vulnerable to major exploits, such as EternalBlue.
Versions:
SMB Version | Windows version |
---|---|
CIFS | Microsoft Windows NT 4.0 |
SMB 1.0 | Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2 |
SMB 2.0 | Windows Vista & Windows Server 2008 |
SMB 2.1 | Windows 7 and Windows Server 2008 R2 |
SMB 3.0 | Windows 8 and Windows Server 2012 |
SMB 3.0.2 | Windows 8.1 and Windows Server 2012 R2 |
SMB 3.1.1 | Windows 10 and Windows Server 2016 |
SMB uses these ports, which can be discovered using Nmap scans:
- netbios-ns 137/tcp - NETBIOS Name Service
- netbios-ns 137/udp
- netbios-dgm 138/tcp - NETBIOS Datagram Service
- netbios-dgm 138/udp
- netbios-ssn 139/tcp - NETBIOS session service
- netbios-ssn 139/udp
- microsoft-ds 445/tcp - Active Directory
Linux/Unix machines can browse and mount SMB shares, and transfer files.
To see which shares are available on a given host:
smbclient -L [host]
To reach a directory that has been shared as 'public' on a host:
smbclient \\\\host\\public mypasswd
Server time is Sat Aug 10 15:58:44 1996
Timezone is UTC+10.0
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]
smb: \>
View available commands from the smb prompt:
smb: \> h
ls dir lcd cd pwd
get mget put mput rename
more mask del rm mkdir
md rmdir rd prompt recurse
translate lowercase print printmode queue
cancel stat quit q exit
newer archive tar blocksize tarmode
setmode help ? !
Nmap has scripts specifically for the SMB protocol (see above).
To scan a host for all known SMB vulnerabilities:
nmap -p 139,445 --script=smb-vuln* [host]
If you want to scan a target for a particular SMB vulnerability, for instance MS08-067 (which allows remote code execution) you can run this command:
nmap -p 139,445 --script=smb-vuln-ms08-067 [host]
EternalBlue is one of the exploits leaked by the Shadow Brokers in April 2017. It exploits a critical vulnerability in the SMBv1 protocol and leaves a lot of Windows installations vulnerable to remote code execution, including Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016.
Nmap script to test for EternalBlue vulnerability:
nmap -p 445 [host] --script=smb-vuln-ms17-010
Rpcclient is a Linux tool used for client-side MS-RPC functions (port 445) using a null session, a connection that does not require a password. Null sessions were enabled by default on legacy systems but have since been disabled from Windows XP SP2 and Windows Server 2003.
rpcclient -U "" [host]
rpcclient $> querydominfo
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> queryuser [username]
rpcclient $> getdompwinfo
The above commands return domain information, including users. More enumeration commands are available here.
Take special note of the
srvinfo
response, because googling it may give you the exact exploit you need. It looks like gibberish: HOSTNAME Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.9
server type : 0x9a03
Enum4linux is used to enumerate data from Windows and Samba hosts. It's really helpful if you aren't that familiar with SMB commands because it can pull a lot of information out quickly:
enum4linux [host]
-U get userlist
-M get machine list*
-S get sharelist
-P get password policy information
-G get group and member list
-d be detailed, applies to -U and -S
-u user specify username to use (default “”)
-p pass specify password to use (default “”)
-a Do all simple enumeration (-U -S -G -P -r -o -n -i).
-o Get OS information
-i Get printer information
It will also pull OS information via
srvinfo
that is helpful when searching for exploits:HOSTNAME Wk Sv PrQ Unx NT SNT Samba Server
Simple Network Management Protocol (SNMP) an older UDP-based protocol that is often vulnerable. They are commonly left in default configurations which can reveal a lot of network information.
The SNMP Management Information Base (MIB) is a database containing network management information organized in a tree of functions.
OneSixtyOne brute forces community strings based on dictionary and the target IP address. You can also provide a list of host IP addresses to be scanned by onesixtyone using the -i option. Single values can be passed via the command line.
onesixtyone -c [community list] -i [host list]
SNMPwalk queries MIB values to retrieve information about managed devices. It requires a valid SNMP read-only community string.
To run SNMPwalk with the default community string ‘public’ on an SNMPv1 device:
snmpwalk -c public -v1 [host]
`
Enumerate the entire MIB tree:
snmpwalk -c public -v1 [host]
Enumerate based on a single object ID:
snmpwalk -c public -v1 [host] [OID]
Enumerate Windows users:
snmpwalk -c public -v1 [host] 1.3.6.1.4.1.77.1.2.25
Enumerate running Windows processes:
snmpwalk -c public -v1 [host] 1.3.6.1.2.1.25.4.2.1.2
Enumerate open TCP ports:
snmpwalk -c public -v1 [host] 1.3.6.1.2.1.6.13.1.3
Enumerate installed software:
snmpwalk -c public -v1 [host] 1.3.6.1.2.1.25.6.3.1.2
Web servers are a common target for hackers, because they can be used to get a foothold on the system (e.g. shell) or even an organization's network. Scanning is usually detectable, but also can identify opportunities for further exploitation.
Nikto is a popular (but noisy) assessment tool, good for quickly enumerating a web server:
nikto -h [host]
Specify a port:
nikto -h [host] -p 8080
Test multiple ports:
nikto -h [target host] -p 80,88,443
Specify a port range:
nikto -h [target host] -p 80-88
Use the -Tuning parameter to run a specific set of tests instead of all tests:
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)
Dirb is a web content scanner that guesses web objects using a dictionary.
dirb [http://host]
It can also use a custom wordlist if one is provided:
dirb [http://host] [wordlist]
Wordlists are located here:
/usr/share/wordlists/dirb/
By default, dirb will use
common.txt
which works well in most lab situations. However, if you're enumerating a machine with a very small attack surface (e.g. only port 80 is open) you may want to try big.txt
instead.Dirbuster is a web scanner with a GUI and some additional features, including more wordlists:
dirbuster
Wordlists are located here:
/usr/share/dirbuster/wordlists/
WordPress is a popular website/blogging platform and is frequently targeted by hackers. Vulnerabilities are typically introduced through community-developed modules and themes. WPScan is a tool that scans for a variety of module/theme vulnerabilities and can also enumerate users.
Update WPScan with the latest information:
wpscan --update
Default scan:
wpscan --url [http://host]
Scan time can be reduced by choosing specific options:
- p Scans popular plugins only.
- vp Scans vulnerable plugins only.
- ap Scans all plugins.
The same options are available for WordPress themes:
- t Scans popular themes only.
- vt Scans vulnerable themes only.
- at Scans all themes.
Enumerate specific options:
wpscan --url [http://host] --enumerate [p/vp/ap/t/vt/at]
Scan for all popular plugins:
wpscan --url [http://host] --enumerate p
Scan for vulnerable plugins:
wpscan --url [http://host] --enumerate vp
Scan for all plugins:
wpscan --url [http://host] --enumerate ap
Enumerate users:
wpscan --url [http://host] --enumerate u
Last modified 1yr ago