Active information gathering

Port and service scanning

The more you discover about a target, the more opportunities for exploitation you have. It's good to know how to use a variety of tools (and a variety of options for each tool) because network conditions may vary.

Netdiscover

This tool is used to scan a network for live machines:
    netdiscover -r 192.168.1.1/24

Nmap

Nmap is awesome. There are many commands and options, but below are some commonly used ones which work well in both lab and penetration testing scenarios.
Nmap is a command-line tool but has a user-friendly GUI version called Zenmap, available for all major OS platforms. Zenmap also has preconfigured commands for common scans.
Host discovery (ping scan):
    nmap -sn 192.168.1.1/24
Host discovery (specific range):
    nmap -sn 192.168.1.1-100
Nmap also has the -Pn option, which disables the host discovery stage altogether. This option is useful when a target is reported as down but is actually up and simply not answering host discovery probes (e.g. because a host-based firewall drops ICMP). Combining -Pn with the intense scans below is often helpful.
TCP connect scan:
    nmap -sT [host]
OS fingerprinting and service detection:
    nmap -sV -O [host]
Intense scan, all TCP ports:
    nmap -p 1-65535 -T4 -A -v [host]
Intense scan, all TCP ports, no ping:
    nmap -p 1-65535 -T4 -A -v -Pn [host]
Intense scan, plus UDP:
    nmap -sS -sU -T4 -A -v [host]
Aggressive scan:
    nmap -A [host]
Warning: Big, nasty scans are great for labs, but sometimes get rate-limited. In real-world settings it's even worse. Start with light scans and run targeted scans once you discover something interesting.
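The scans above produce a lot of output, and the host discovery caveat (a host reported as down may simply be dropping probes) is easy to lose in it. The following Python script is an added example, not part of the original page or of Nmap itself: it parses Nmap's grepable output format (what -oG writes), lists the open services per host, finds the hosts with a given port open (445/tcp for SMB, which the SMB section below relies on), and separates out the hosts Nmap marked Down so they can be re-checked with -Pn. The sample scan text is constructed for the example; the field order inside each -oG port entry (port/state/protocol/owner/service/rpcinfo/version) follows Nmap's documented grepable format.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap grepable output (-oG); not a capture from a real scan.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -v -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "80/open/tcp//http//Apache httpd 2.4.6/, 445/filtered/tcp//microsoft-ds///\t"
    "Ignored State: closed (997)\n"
    "Host: 192.168.1.20 ()\tStatus: Up\n"
    "Host: 192.168.1.20 ()\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X/, "
    "445/open/tcp//microsoft-ds//Samba smbd 3.X/\tIgnored State: closed (998)\n"
    "Host: 192.168.1.30 ()\tStatus: Down\n"
    "# Nmap done at Mon Jan  1 10:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")
# Field order inside each -oG port entry. Nmap escapes "/" inside a version string as "|".
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "status": str | None, "ports": [dict, ...]}}."""
    hosts = defaultdict(lambda: {"hostname": "", "status": None, "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        ip, hostname = m.groups()
        hosts[ip]["hostname"] = hostname
        # Tab-separated fields follow the host: "Status: ...", "Ports: ...", "Ignored State: ..."
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[ip]["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    rec = dict(zip(PORT_FIELDS, entry.split("/")))
                    rec["port"] = int(rec["port"])
                    rec["version"] = rec["version"].replace("|", "/")
                    hosts[ip]["ports"].append(rec)
    return dict(hosts)


def open_services(hosts):
    """{ip: [(port, service, version), ...]} restricted to ports Nmap reports as open."""
    return {
        ip: [(p["port"], p["service"], p["version"]) for p in h["ports"] if p["state"] == "open"]
        for ip, h in hosts.items()
        if h["ports"]
    }


def hosts_with_port(hosts, port, proto="tcp"):
    """IPs with the given port open, e.g. 445/tcp to find SMB servers."""
    return sorted(
        ip for ip, h in hosts.items()
        if any(p["port"] == port and p["proto"] == proto and p["state"] == "open" for p in h["ports"])
    )


def reported_down(hosts):
    """IPs Nmap marked Down. A host-based firewall dropping the discovery probes gives the
    same result, so these are candidates for a -Pn re-check, not proof that nothing is there."""
    return sorted(ip for ip, h in hosts.items() if h["status"] == "Down")


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    for ip, services in open_services(parsed).items():
        print(ip, services)
    print("SMB hosts:", hosts_with_port(parsed, 445))
    print("Re-check with -Pn:", reported_down(parsed))
```

Feed it a real file with `parse_grepable(open("scan.gnmap").read())`; the same parser works for the intense scans because -A only adds more detail to the version field.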

Nmap scripting engine (NSE)

NSE is awesome too: its scripts can be used to detect a variety of vulnerabilities.

Running NSE scripts

General usage:
    nmap --script=[scriptname] [host]
Example:
    nmap --script=http-robots.txt [host]
Arguments can be passed to Nmap scripts using the --script-args option or from a file using the --script-args-file option.

Finding NSE scripts

Nmap scripts are located in the following directory:
    /usr/share/nmap/scripts
FTP:
    ls -l /usr/share/nmap/scripts/ftp*
HTTP:
    ls -l /usr/share/nmap/scripts/http*
SMTP:
    ls -l /usr/share/nmap/scripts/smtp*
SMB:
    ls -l /usr/share/nmap/scripts/smb*
MySQL:
    ls -l /usr/share/nmap/scripts/mysql*
WordPress:
    ls -l /usr/share/nmap/scripts/http-wordpress*
Drupal:
    ls -l /usr/share/nmap/scripts/http-drupal*
Citrix:
    ls -l /usr/share/nmap/scripts/citrix*

Nmap script help

Most scripts have a help function that displays instructions when you use --script-help:
    nmap --script-help ftp-anon

Updating Nmap scripts

If a script isn't available on your system, download it with the following command:
    wget https://svn.nmap.org/nmap/scripts/smb-vuln-ms17-010.nse -O /usr/share/nmap/scripts/smb-vuln-ms17-010.nse
Once the script has downloaded, use the following command to update the Nmap script database so that the script becomes available to Nmap:
    nmap --script-updatedb

Detecting WAF

Web application firewalls (WAF) may drop malicious requests, such as those with SQL injections, or otherwise interfere with enumeration or testing.
Detect WAF using Nmap:
    nmap -p80 --script http-waf-detect [host]
Fingerprint WAF using Nmap:
    nmap -p80 --script http-waf-fingerprint [host]
Fingerprint WAF using WAFw00f:
    wafw00f.py [url]

FTP

Check if anonymous FTP access is available:
    ftp [host]
    Username: anonymous
    Password: anything
Test if you can navigate, list, read, get or put files:
    cd ..          # move up one directory
    pwd            # print working directory
    dir -C         # list files
    mkdir [folder] # make a directory
    get [file]     # get a file
    put [file]     # send a file

SMTP

You can connect to an SMTP server with netcat and run the VRFY command to check whether email addresses are valid. You can also check mailing list membership with EXPN.
    nc -nv [host] 25
    (UNKNOWN) [host] 25 (smtp) open
    VRFY root
    250 2.1.5 root <root@[host]>
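The exchange above is simple enough to reproduce end to end, which is useful for checking how your own mail server answers. The following Python script is an added example, not code from the original page: it runs a throwaway SMTP responder on localhost that understands only VRFY, EXPN and QUIT, then drives the same VRFY probe the page performs by hand with netcat. With disclose=True the responder reproduces the leaky "250 ... <address>" answer shown above; with disclose=False it gives the hardened "252" reply from RFC 5321 section 3.5.3, which confirms nothing about the mailbox. The mailbox table and hostname are constructed for the example.

```python
import socket
import socketserver
import threading

# Constructed mailbox table standing in for a real MTA's user database.
MAILBOXES = {"root": "root@mail.example.com", "alice": "alice@mail.example.com"}


def vrfy_response(user, disclose):
    """Reply to VRFY/EXPN. disclose=True mirrors the leaky behaviour on the page
    (250 plus the mailbox); disclose=False is the hardened answer (252) that
    neither confirms nor denies that the user exists."""
    if not disclose:
        return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
    if user in MAILBOXES:
        return f"250 2.1.5 {user} <{MAILBOXES[user]}>"
    return "550 5.1.1 User unknown"


class SmtpHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: banner, then VRFY/EXPN/QUIT, nothing else."""

    def handle(self):
        self.wfile.write(b"220 mail.example.com ESMTP ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break  # client went away
            verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                break
            if verb in ("VRFY", "EXPN"):
                reply = vrfy_response(arg.strip(), self.server.disclose)
                self.wfile.write(reply.encode("ascii") + b"\r\n")
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


class SmtpServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, disclose):
        super().__init__(("127.0.0.1", 0), SmtpHandler)  # port 0: pick a free port
        self.disclose = disclose


def probe_vrfy(port, user):
    """Client side of the exchange: read the banner, send VRFY, return (code, reply)."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        reader = s.makefile("rb")
        reader.readline()  # 220 banner
        s.sendall(f"VRFY {user}\r\n".encode("ascii"))
        reply = reader.readline().decode("ascii").strip()
        s.sendall(b"QUIT\r\n")
        reader.readline()  # 221 Bye
    return int(reply[:3]), reply


def check_server(disclose, user="root"):
    """Start a responder with the given policy, probe it once, shut it down."""
    server = SmtpServer(disclose)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe_vrfy(server.server_address[1], user)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("leaky   :", check_server(True))
    print("hardened:", check_server(False))
```

A 250 reply that echoes an address is the finding; a 252 (or the VRFY command being refused outright) is what a hardened server returns, and it is what you want to see when pointing `probe_vrfy` at a mail server you operate.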

SMB

Server Message Block (SMB) is a network file sharing protocol that provides access to shared files and printers on a local network. Older versions of SMB tend to be vulnerable to major exploits, such as EternalBlue.
Versions:
    SMB version   Windows version
    CIFS          Microsoft Windows NT 4.0
    SMB 1.0       Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2
    SMB 2.0       Windows Vista and Windows Server 2008
    SMB 2.1       Windows 7 and Windows Server 2008 R2
    SMB 3.0       Windows 8 and Windows Server 2012
    SMB 3.0.2     Windows 8.1 and Windows Server 2012 R2
    SMB 3.1.1     Windows 10 and Windows Server 2016
SMB uses these ports, which can be discovered with Nmap scans:
  • netbios-ns 137/tcp - NetBIOS Name Service
  • netbios-ns 137/udp
  • netbios-dgm 138/tcp - NetBIOS Datagram Service
  • netbios-dgm 138/udp
  • netbios-ssn 139/tcp - NetBIOS Session Service (SMB over NetBIOS)
  • netbios-ssn 139/udp
  • microsoft-ds 445/tcp - SMB directly over TCP; also used by Active Directory

SMBclient

Linux/Unix machines can browse and mount SMB shares, and transfer files.
To see which shares are available on a given host:
    smbclient -L [host]
To reach a directory that has been shared as 'public' on a host:
    smbclient \\\\host\\public mypasswd

    Server time is Sat Aug 10 15:58:44 1996
    Timezone is UTC+10.0
    Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]
    smb: \>
View available commands from the smb prompt:
    smb: \> h
    ls dir lcd cd pwd
    get mget put mput rename
    more mask del rm mkdir
    md rmdir rd prompt recurse
    translate lowercase print printmode queue
    cancel stat quit q exit
    newer archive tar blocksize tarmode
    setmode help ? !

Nmap SMB scripts

Nmap has scripts specifically for the SMB protocol (see above).
To scan a host for all known SMB vulnerabilities:
    nmap -p 139,445 --script=smb-vuln* [host]
If you want to scan a target for a particular SMB vulnerability, for instance MS08-067 (which allows remote code execution), you can run this command:
    nmap -p 139,445 --script=smb-vuln-ms08-067 [host]

MS17-010 EternalBlue script

EternalBlue is one of the exploits leaked by the Shadow Brokers in April 2017. It exploits a critical vulnerability in the SMBv1 protocol and leaves a lot of Windows installations vulnerable to remote code execution, including Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016.
Nmap script to test for the EternalBlue vulnerability:
    nmap -p 445 [host] --script=smb-vuln-ms17-010

Rpcclient

Rpcclient is a Linux tool used for client-side MS-RPC functions (port 445) using a null session, a connection that does not require a password. Null sessions were enabled by default on legacy systems but have since been disabled from Windows XP SP2 and Windows Server 2003.
    rpcclient -U "" [host]
    rpcclient $> querydominfo
    rpcclient $> srvinfo
    rpcclient $> enumdomusers
    rpcclient $> queryuser [username]
    rpcclient $> getdompwinfo
The above commands return domain information, including users. More enumeration commands are listed by typing help at the rpcclient prompt and in the rpcclient man page.
Take special note of the srvinfo response, because googling it may give you the exact exploit you need. It looks like gibberish:
    HOSTNAME    Wk Sv PrQ Unx NT SNT Samba Server
    platform_id : 500
    os version  : 4.9
    server type : 0x9a03

Enum4Linux

Enum4linux is used to enumerate data from Windows and Samba hosts. It's really helpful if you aren't that familiar with SMB commands, because it can pull a lot of information out quickly:
    enum4linux [host]

    -U         get userlist
    -M         get machine list*
    -S         get sharelist
    -P         get password policy information
    -G         get group and member list
    -d         be detailed, applies to -U and -S
    -u user    specify username to use (default "")
    -p pass    specify password to use (default "")
    -a         do all simple enumeration (-U -S -G -P -r -o -n -i)
    -o         get OS information
    -i         get printer information
It will also pull OS information via srvinfo that is helpful when searching for exploits:
    HOSTNAME    Wk Sv PrQ Unx NT SNT Samba Server
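The srvinfo response shown in the rpcclient section above and repeated here by enum4linux is not gibberish: it is a decoded NetServerGetInfo level-101 record. The following Python script is an added example, not part of the original page, rpcclient or enum4linux: it parses that four-line output, maps platform_id to its MS-SRVS name, and breaks server type into the SV_TYPE_* bits defined in MS-SRVS, so that 0x9a03 is shown to be exactly the "Wk Sv PrQ Unx NT SNT" abbreviations on the first line (workstation, server, print queue server, Unix, NT, NT server). The abbreviation-to-bit table covers only the six abbreviations that appear in the page's sample; the sample text itself is constructed to match the page's layout. The "os version 4.9" value is what Samba announces by default, which is why it matches no real Windows release.

```python
# Constructed rpcclient "srvinfo" output with the same shape as the page's sample.
SAMPLE_SRVINFO = """\
        HOSTNAME       Wk Sv PrQ Unx NT SNT Samba Server
        platform_id     :       500
        os version      :       4.9
        server type     :       0x9a03
"""

# Server type bits from MS-SRVS (SV_TYPE_* values; the same constants appear in lm.h).
SV_TYPE_FLAGS = [
    (0x00000001, "SV_TYPE_WORKSTATION"),
    (0x00000002, "SV_TYPE_SERVER"),
    (0x00000004, "SV_TYPE_SQLSERVER"),
    (0x00000008, "SV_TYPE_DOMAIN_CTRL"),
    (0x00000010, "SV_TYPE_DOMAIN_BAKCTRL"),
    (0x00000020, "SV_TYPE_TIME_SOURCE"),
    (0x00000040, "SV_TYPE_AFP"),
    (0x00000080, "SV_TYPE_NOVELL"),
    (0x00000100, "SV_TYPE_DOMAIN_MEMBER"),
    (0x00000200, "SV_TYPE_PRINTQ_SERVER"),
    (0x00000400, "SV_TYPE_DIALIN_SERVER"),
    (0x00000800, "SV_TYPE_SERVER_UNIX"),
    (0x00001000, "SV_TYPE_NT"),
    (0x00002000, "SV_TYPE_WFW"),
    (0x00004000, "SV_TYPE_SERVER_MFPN"),
    (0x00008000, "SV_TYPE_SERVER_NT"),
    (0x00010000, "SV_TYPE_POTENTIAL_BROWSER"),
    (0x00020000, "SV_TYPE_BACKUP_BROWSER"),
    (0x00040000, "SV_TYPE_MASTER_BROWSER"),
    (0x00080000, "SV_TYPE_DOMAIN_MASTER"),
    (0x00100000, "SV_TYPE_SERVER_OSF"),
    (0x00200000, "SV_TYPE_SERVER_VMS"),
    (0x00400000, "SV_TYPE_WINDOWS"),
    (0x00800000, "SV_TYPE_DFS"),
]

# Abbreviations rpcclient prints on the first line, mapped to the bit each stands for.
# Only the six that appear in the page's sample output are listed (inferred from that sample).
ABBREVIATIONS = {
    "Wk": 0x00000001, "Sv": 0x00000002, "PrQ": 0x00000200,
    "Unx": 0x00000800, "NT": 0x00001000, "SNT": 0x00008000,
}

# platform_id values from MS-SRVS. Samba reports 500 (NT) as well.
PLATFORM_IDS = {300: "DOS", 400: "OS/2", 500: "Windows NT", 600: "OSF", 700: "VMS"}


def decode_server_type(value):
    """Names of the SV_TYPE_* bits set in a server type value, in bit order."""
    return [name for bit, name in SV_TYPE_FLAGS if value & bit]


def parse_srvinfo(text):
    """Parse the four srvinfo lines into a dict; the first line carries the
    hostname, the abbreviation list and the free-text server comment."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" in line:  # "key : value" lines
            key, _, value = line.partition(":")
            info[key.strip().replace(" ", "_")] = value.strip()
        else:
            tokens = line.split()
            info["hostname"] = tokens[0]
            i = 1
            while i < len(tokens) and tokens[i] in ABBREVIATIONS:
                i += 1
            info["abbreviations"] = tokens[1:i]
            info["comment"] = " ".join(tokens[i:])
    info["platform_id"] = int(info["platform_id"])
    info["server_type"] = int(info["server_type"], 16)
    return info


def explain_srvinfo(text):
    """Human-readable breakdown plus a cross-check that every abbreviation on
    the first line is explained by a set bit in the server type."""
    info = parse_srvinfo(text)
    unexplained = [a for a in info["abbreviations"] if not info["server_type"] & ABBREVIATIONS[a]]
    return {
        "hostname": info["hostname"],
        "platform": PLATFORM_IDS.get(info["platform_id"], f"unknown ({info['platform_id']})"),
        "os_version": info["os_version"],
        "flags": decode_server_type(info["server_type"]),
        "unexplained_abbreviations": unexplained,
        "comment": info["comment"],
    }


if __name__ == "__main__":
    for key, value in explain_srvinfo(SAMPLE_SRVINFO).items():
        print(f"{key:>26}: {value}")
```

From a defender's side the same decoding tells you what a host is advertising to anyone who can reach port 445 anonymously, for instance a server flagging itself as a print queue server or domain controller, so it is a cheap check to run against your own Samba and Windows hosts.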

SNMP

Simple Network Management Protocol (SNMP) is an older UDP-based protocol that is often vulnerable. SNMP services are commonly left in their default configuration, which can reveal a lot of network information.
The SNMP Management Information Base (MIB) is a database containing network management information organized in a tree of functions.

OneSixtyOne

OneSixtyOne brute-forces community strings using a dictionary against the target IP address. You can also provide a list of host IP addresses to be scanned by onesixtyone using the -i option; single values can be passed directly on the command line.
    onesixtyone -c [community list] -i [host list]

SNMPwalk

SNMPwalk queries MIB values to retrieve information about managed devices. It requires a valid SNMP read-only community string.
To run SNMPwalk with the default community string 'public' on an SNMPv1 device (with no OID given, this enumerates the entire MIB tree):
    snmpwalk -c public -v1 [host]
Enumerate based on a single object ID:
    snmpwalk -c public -v1 [host] [OID]
Enumerate Windows users:
    snmpwalk -c public -v1 [host] 1.3.6.1.4.1.77.1.2.25
Enumerate running Windows processes:
    snmpwalk -c public -v1 [host] 1.3.6.1.2.1.25.4.2.1.2
Enumerate open TCP ports:
    snmpwalk -c public -v1 [host] 1.3.6.1.2.1.6.13.1.3
Enumerate installed software:
    snmpwalk -c public -v1 [host] 1.3.6.1.2.1.25.6.3.1.2
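A full-tree walk returns thousands of lines, and the four OIDs above are subtrees inside it. The following Python script is an added example, not part of the original page or of net-snmp: it parses snmpwalk output, normalises the three OID spellings net-snmp produces (".1.3...", "1.3..." and the "iso.3..." form printed when no MIBs are loaded), assigns each line to one of the page's four subtrees by longest-prefix match, and summarises what a read-only community string exposes. The walk text is constructed for the example and assumes numeric output as produced by snmpwalk -On; the hex-looking index digits on the user entries are how the LanMgr MIB encodes a string index (length, then the character codes).

```python
import re

# Constructed snmpwalk output in numeric (-On) form; not a capture from a real device.
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 - Software: Windows Version 6.1"
.1.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
.1.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
.1.3.6.1.2.1.25.4.2.1.2.312 = STRING: "lsass.exe"
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
.1.3.6.1.2.1.6.13.1.3.192.168.1.20.445.192.168.1.10.51234 = INTEGER: 445
.1.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Microsoft Visual C++ 2010 Redistributable"
.1.3.6.1.2.1.25.6.3.1.2.2 = STRING: "Example Backup Agent 3.1"
"""

# The subtrees from the snmpwalk commands above, labelled as the page labels them.
SUBTREES = {
    "1.3.6.1.4.1.77.1.2.25": "Windows users",
    "1.3.6.1.2.1.25.4.2.1.2": "Running processes",
    "1.3.6.1.2.1.6.13.1.3": "Open TCP ports",
    "1.3.6.1.2.1.25.6.3.1.2": "Installed software",
}

# "<oid> = <TYPE>: <value>"; the type is optional because empty strings print as '= ""'.
LINE_RE = re.compile(r'^(\S+)\s*=\s*(?:([\w-]+):\s*)?(.*)$')


def normalize_oid(oid):
    """Accept ".1.3...", "1.3..." and net-snmp's "iso.3..." spellings; return "1.3...."""
    oid = oid.strip()
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    return oid.lstrip(".")


def parse_value(typ, raw):
    """Turn the textual value into a Python value for the types this example needs."""
    if typ == "STRING":
        return raw.strip('"')
    if typ in ("INTEGER", "Counter32", "Gauge32"):
        m = re.search(r"-?\d+", raw)  # handles both "445" and enum forms like "up(1)"
        return int(m.group()) if m else raw
    return raw


def parse_walk(text):
    """List of (oid, type, value) from snmpwalk output; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, raw = m.groups()
        records.append((normalize_oid(oid), typ, parse_value(typ, raw)))
    return records


def classify(oid):
    """Longest-prefix match of an OID against SUBTREES; None when it lies outside all of them."""
    best = None
    for prefix, label in SUBTREES.items():
        if (oid == prefix or oid.startswith(prefix + ".")) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label)
    return best[1] if best else None


def summarize(text):
    """{label: [distinct values in walk order]} for each of the four subtrees."""
    summary = {label: [] for label in SUBTREES.values()}
    for oid, _typ, value in parse_walk(text):
        label = classify(oid)
        if label and value not in summary[label]:
            summary[label].append(value)
    return summary


def exposure_findings(text):
    """Defender's view: which categories a read-only community string hands out."""
    return [label for label, values in summarize(text).items() if values]


if __name__ == "__main__":
    for label, values in summarize(SAMPLE_WALK).items():
        print(f"{label}: {values}")
    print("Exposed via community string:", exposure_findings(SAMPLE_WALK))
```

Run against a saved walk with `summarize(open("walk.txt").read())`. Any non-empty category in `exposure_findings` is information the device is handing to anyone who knows (or guesses) the community string, which is the case for leaving SNMP on its defaults that the section above warns about.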

Website scanning

Web servers are a common target for hackers, because they can be used to get a foothold on the system (e.g. shell) or even an organization's network. Scanning is usually detectable, but also can identify opportunities for further exploitation.

Nikto

Nikto is a popular (but noisy) assessment tool, good for quickly enumerating a web server:
    nikto -h [host]
Specify a port:
    nikto -h [host] -p 8080
Test multiple ports:
    nikto -h [target host] -p 80,88,443
Specify a port range:
    nikto -h [target host] -p 80-88

Scan Tuning

Use the -Tuning parameter to run a specific set of tests instead of all tests:
  • 0 – File Upload
  • 1 – Interesting File / Seen in logs
  • 2 – Misconfiguration / Default File
  • 3 – Information Disclosure
  • 4 – Injection (XSS/Script/HTML)
  • 5 – Remote File Retrieval – Inside Web Root
  • 6 – Denial of Service
  • 7 – Remote File Retrieval – Server Wide
  • 8 – Command Execution / Remote Shell
  • 9 – SQL Injection
  • a – Authentication Bypass
  • b – Software Identification
  • c – Remote Source Inclusion
  • x – Reverse Tuning Options (i.e., include all except specified)

Dirb

Dirb is a web content scanner that guesses web objects using a dictionary.
    dirb [http://host]
It can also use a custom wordlist if one is provided:
    dirb [http://host] [wordlist]
Wordlists are located here:
    /usr/share/wordlists/dirb/
By default, dirb will use common.txt which works well in most lab situations. However, if you're enumerating a machine with a very small attack surface (e.g. only port 80 is open) you may want to try big.txt instead.

Dirbuster

Dirbuster is a web scanner with a GUI and some additional features, including more wordlists:
    dirbuster
Wordlists are located here:
    /usr/share/dirbuster/wordlists/

WPScan

WordPress is a popular website/blogging platform and is frequently targeted by hackers. Vulnerabilities are typically introduced through community-developed plugins and themes. WPScan is a tool that scans for a variety of plugin/theme vulnerabilities and can also enumerate users.
Update WPScan with the latest information:
    wpscan --update
Default scan:
    wpscan --url [http://host]

Active enumeration

Scan time can be reduced by choosing specific options:
  • p - scans popular plugins only
  • vp - scans vulnerable plugins only
  • ap - scans all plugins
The same options are available for WordPress themes:
  • t - scans popular themes only
  • vt - scans vulnerable themes only
  • at - scans all themes
Enumerate specific options:
    wpscan --url [http://host] --enumerate [p/vp/ap/t/vt/at]
Scan for all popular plugins:
    wpscan --url [http://host] --enumerate p
Scan for vulnerable plugins:
    wpscan --url [http://host] --enumerate vp
Scan for all plugins:
    wpscan --url [http://host] --enumerate ap
Enumerate users:
    wpscan --url [http://host] --enumerate u

Further reading