# Active information gathering

## Port and service scanning

The more you discover about a target, the more opportunities for exploitation you have. It's good to know how to use a variety of tools (and a variety of options for each tool) because network conditions may vary.

### Netdiscover

This tool is used to scan a network for live machines:

```
netdiscover -r 192.168.1.1/24
```

### Nmap

Nmap is awesome. There are many commands and options, but below are some commonly used ones which work well in both lab and penetration testing scenarios.

Nmap is a command-line tool but has a user-friendly GUI version called [Zenmap](https://nmap.org/zenmap/), available for all major OS platforms. Zenmap also has preconfigured commands for common scans.

Host discovery (ping scan):

```
nmap -sn 192.168.1.1/24
```

Host discovery (specific range):

```
nmap -sn 192.168.1.1-100
```

Nmap also has the `-Pn` option which will disable the host discovery stage altogether on a scan. This option can be useful when the target is reported as down when it’s actually up but not responding to host discovery probes (e.g. due to host-based firewall that drops ICMP packets). Using this option with the intense scans below can be helpful.

TCP connect scan:

```
nmap -sT [host]
```

OS fingerprinting and service detection:

```
nmap -sV -O [host]
```

Intense scan, all TCP ports:

```
nmap -p 1-65535 -T4 -A -v [host]
```

Intense scan, all TCP ports, no ping:

```
nmap -p 1-65535 -T4 -A -v -Pn [host]
```

Intense scan, plus UDP

```
nmap -sS -sU -T4 -A -v [host]
```

Aggressive scan:

```
nmap -A [host]
```

**Warning:** Big, nasty scans are great for labs, but sometimes get rate-limited. In real life settings, it's even worse. Start with light scans and do targeted scans when you discover something interesting.

### Nmap scripting engine (NSE)

NSE is awesome too, its scripts can be used to detect a variety of vulnerabilities.

#### Running NSE scripts

General usage:

```
nmap --script=[scriptname] [host]
```

Example:

```
nmap --script=http-robots.txt [host]
```

Arguments can be passed to Nmap scripts using the `--script-args` option or from a file using the `--script-args-file` option.

#### Finding NSE scripts

Nmap scripts are located in the following directory:

```
/usr/share/nmap/scripts
```

FTP:

```
ls -l /usr/share/nmap/scripts/ftp*
```

HTTP:

```
ls -l /usr/share/nmap/scripts/http*
```

SMTP:

```
ls -l /usr/share/nmap/scripts/smtp*
```

SMB:

```
ls -l /usr/share/nmap/scripts/smb*
```

MySQL:

```
ls -l /usr/share/nmap/scripts/mysql*
```

WordPress:

```
ls -l /usr/share/nmap/scripts/http-wordpress*
```

Drupal:

```
ls -l /usr/share/nmap/scripts/http-drupal*
```

Citrix:

```
ls -l /usr/share/nmap/scripts/citrix*
```

#### Nmap script help

Most scripts have a help function that displays instructions when you type `--script-help` :

```
nmap --script-help ftp-anon
```

#### Updating Nmap scripts

If a script isn't available on your system, download it with the following command:

```
wget https://svn.nmap.org/nmap/scripts/smb-vuln-ms17-010.nse -O /usr/share/nmap/scripts/smb-vuln-ms17-010.nse
```

Once the script has downloaded, use the following command to update the Nmap script database so that the script will become available to Nmap:

```
nmap --script-updatedb
```

### Detecting WAF

Web application firewalls (WAF) may drop malicious requests, such as those with SQL injections, or otherwise interfere with enumeration or testing:

Detect WAF using NMAP:

```
nmap -p80 --script http-waf-detect [host]
```

Fingerprint WAF using NMAP:

```
nmap -p80 --script http-waf-fingerprint [host]
```

Fingerprint WAF using WAFw00f:

```
wafw00f.py [url]
```

### FTP

Check if anonymous FTP access is available:

```
ftp [host]
Username: anonymous
Password: anything
```

Test if you can navigate, list, read, get or put files:

```
cd ..          # move up one directory
pwd            # print working directory
dir -C         # list files
mkdir [folder] # make a directory
get [file]     # get a file
put [file]     # send a file
```

## SMTP

You can connect to an SMTP server with netcat and run the `vrfy` command to check if email addresses are valid. You can also check mailing list membership with `expn`.

```
nc -nv [host] 25
(UNKNOWN) [host] 25 (smtp) open
VRFY root
250 2.1.5 root <root@host.com>
```

## SMB

Server Message Block (SMB) is a network file sharing protocol that provides access to shared files and printers on a local network. Older versions of SMB tend to be vulnerable to major exploits, such as EternalBlue.

Versions:

| SMB Version | Windows version                                                          |
| ----------- | ------------------------------------------------------------------------ |
| CIFS        | Microsoft Windows NT 4.0                                                 |
| SMB 1.0     | Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2 |
| SMB 2.0     | Windows Vista & Windows Server 2008                                      |
| SMB 2.1     | Windows 7 and Windows Server 2008 R2                                     |
| SMB 3.0     | Windows 8 and Windows Server 2012                                        |
| SMB 3.0.2   | Windows 8.1 and Windows Server 2012 R2                                   |
| SMB 3.1.1   | Windows 10 and Windows Server 2016                                       |

SMB uses these ports, which can be discovered using Nmap scans:

* netbios-ns 137/tcp - NETBIOS Name Service
* netbios-ns 137/udp
* netbios-dgm 138/tcp - NETBIOS Datagram Service
* netbios-dgm 138/udp
* netbios-ssn 139/tcp - NETBIOS session service
* netbios-ssn 139/udp
* microsoft-ds 445/tcp - Active Directory

### SMBclient

Linux/Unix machines can browse and mount SMB shares, and transfer files.

To see which shares are available on a given host:

```
smbclient -L [host]
```

To reach a directory that has been shared as 'public' on a host:

```
smbclient \\\\host\\public mypasswd

Server time is Sat Aug 10 15:58:44 1996
Timezone is UTC+10.0
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]
smb: \>
```

View available commands from the smb prompt:

```
smb: \> h
ls             dir            lcd            cd             pwd            
get            mget           put            mput           rename         
more           mask           del            rm             mkdir          
md             rmdir          rd             prompt         recurse        
translate      lowercase      print          printmode      queue          
cancel         stat           quit           q              exit           
newer          archive        tar            blocksize      tarmode        
setmode        help           ?              !
```

### Nmap SMB scripts

Nmap has scripts specifically for the SMB protocol (see above).

To scan a host for all known SMB vulnerabilities:

```
nmap -p 139,445 --script=smb-vuln* [host]
```

If you want to scan a target for a particular SMB vulnerability, for instance MS08-067 (which allows remote code execution) you can run this command:

```
nmap -p 139,445 --script=smb-vuln-ms08-067 [host]
```

#### MS17-010 EternalBlue script

EternalBlue is one of the exploits leaked by the Shadow Brokers in April 2017. It exploits a critical vulnerability in the SMBv1 protocol and leaves a lot of Windows installations vulnerable to remote code execution, including Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016.

Nmap script to test for EternalBlue vulnerability:

```
nmap -p 445 [host] --script=smb-vuln-ms17-010
```

### Rpcclient

Rpcclient is a Linux tool used for client-side MS-RPC functions (port 445) using a null session, a connection that does not require a password. Null sessions were enabled by default on legacy systems but have since been disabled from Windows XP SP2 and Windows Server 2003.

```
rpcclient -U "" [host]
rpcclient $> querydominfo
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> queryuser [username]
rpcclient $> getdompwinfo
```

The above commands return domain information, including users. More [enumeration commands are available here](https://bitvijays.github.io/LFF-IPS-P3-Exploitation.html).

Take special note of the `srvinfo` response, because googling it may give you the exact exploit you need. It looks like gibberish:

```
    HOSTNAME            Wk Sv PrQ Unx NT SNT Samba Server
    platform_id     :    500
    os version      :    4.9
    server type     :    0x9a03
```

### Enum4Linux

Enum4linux is used to enumerate data from Windows and Samba hosts. It's really helpful if you aren't that familiar with SMB commands because it can pull a lot of information out quickly:

```
enum4linux [host]

-U        get userlist
-M        get machine list*
-S        get sharelist
-P        get password policy information
-G        get group and member list
-d        be detailed, applies to -U and -S
-u user   specify username to use (default “”)
-p pass   specify password to use (default “”)
-a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
-o        Get OS information
-i        Get printer information
```

It will also pull OS information via `srvinfo` that is helpful when searching for exploits:

```
HOSTNAME    Wk Sv PrQ Unx NT SNT Samba Server
```

## SNMP

Simple Network Management Protocol (SNMP) an older UDP-based protocol that is often vulnerable. They are commonly left in default configurations which can reveal a lot of network information.

The SNMP Management Information Base (MIB) is a database containing network management information organized in a tree of functions.

### OneSixtyOne

OneSixtyOne brute forces community strings based on dictionary and the target IP address. You can also provide a list of host IP addresses to be scanned by onesixtyone using the -i option. Single values can be passed via the command line.

```
onesixtyone -c [community list] -i [host list]
```

### SNMPwalk

SNMPwalk queries MIB values to retrieve information about managed devices. It requires a valid SNMP read-only community string.

To run SNMPwalk with the default community string ‘public’ on an SNMPv1 device:

```
snmpwalk -c public -v1 [host]
`
```

Enumerate the entire MIB tree:

```
snmpwalk -c public -v1 [host]
```

Enumerate based on a single object ID:

```
snmpwalk -c public -v1 [host] [OID]
```

Enumerate Windows users:

```
snmpwalk -c public -v1 [host] 1.3.6.1.4.1.77.1.2.25
```

Enumerate running Windows processes:

```
snmpwalk -c public -v1 [host] 1.3.6.1.2.1.25.4.2.1.2
```

Enumerate open TCP ports:

```
snmpwalk -c public -v1 [host] 1.3.6.1.2.1.6.13.1.3
```

Enumerate installed software:

```
snmpwalk -c public -v1 [host] 1.3.6.1.2.1.25.6.3.1.2
```

## Website scanning

Web servers are a common target for hackers, because they can be used to get a foothold on the system (e.g. shell) or even an organization's network. Scanning is usually detectable, but also can identify opportunities for further exploitation.

### Nikto

Nikto is a popular (but noisy) assessment tool, good for quickly enumerating a web server:

```
nikto -h [host]
```

Specify a port:

nikto -h \[host] -p 8080

Test multiple ports:

```
nikto -h [target host] -p 80,88,443
```

Specify a port range:

```
nikto -h [target host] -p 80-88
```

#### Scan Tuning

Use the -Tuning parameter to run a specific set of tests instead of all tests:

```
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)
```

### Dirb

Dirb is a web content scanner that guesses web objects using a dictionary.

```
dirb [http://host]
```

It can also use a custom wordlist if one is provided:

```
dirb [http://host] [wordlist]
```

Wordlists are located here:

```
/usr/share/wordlists/dirb/
```

By default, dirb will use `common.txt` which works well in most lab situations. However, if you're enumerating a machine with a very small attack surface (e.g. only port 80 is open) you may want to try `big.txt` instead.

### Dirbuster

Dirbuster is a web scanner with a GUI and some additional features, including more wordlists:

```
dirbuster
```

Wordlists are located here:

```
/usr/share/dirbuster/wordlists/
```

### WPScan

WordPress is a popular website/blogging platform and is frequently targeted by hackers. Vulnerabilities are typically introduced through community-developed modules and themes. WPScan is a tool that scans for a variety of module/theme vulnerabilities and can also enumerate users.

Update WPScan with the latest information:

```
wpscan --update
```

Default scan:

```
wpscan --url [http://host]
```

#### Active enumeration

Scan time can be reduced by choosing specific options:

* p Scans popular plugins only.
* vp Scans vulnerable plugins only.
* ap Scans all plugins.

The same options are available for WordPress themes:

* t Scans popular themes only.
* vt Scans vulnerable themes only.
* at Scans all themes.

Enumerate specific options:

```
wpscan --url [http://host] --enumerate [p/vp/ap/t/vt/at]
```

Scan for all popular plugins:

```
wpscan --url [http://host] --enumerate p
```

Scan for vulnerable plugins:

```
wpscan --url [http://host] --enumerate vp
```

Scan for all plugins:

```
wpscan --url [http://host] --enumerate ap
```

Enumerate users:

```
wpscan --url [http://host] --enumerate u
```

## Further reading

* [Nmap port scanning techniques](https://nmap.org/book/man-port-scanning-techniques.html)
* [Nmap scripting engine](https://nmap.org/book/nse.html)
* [The story behind MS08-067](https://blogs.technet.microsoft.com/johnla/2015/09/26/the-inside-story-behind-ms08-067/)
* [SMB cheat sheet](https://www.tldp.org/HOWTO/SMB-HOWTO-8.html)
* [WAF detection and bypass](http://securityidiots.com/Web-Pentest/WAF-Bypass/waf-bypass-guide-part-1.html)