Active information gathering
Port and service scanning
The more you discover about a target, the more opportunities for exploitation you have. It's good to know how to use a variety of tools (and a variety of options for each tool) because network conditions may vary.
Netdiscover
This tool is used to scan a network for live machines:
Nmap
Nmap is awesome. There are many commands and options, but below are some commonly used ones which work well in both lab and penetration testing scenarios.
Nmap is a command-line tool but has a user-friendly GUI version called Zenmap, available for all major OS platforms. Zenmap also has preconfigured commands for common scans.
Host discovery (ping scan):
Host discovery (specific range):
Nmap also has the -Pn option, which disables the host discovery stage altogether. This option can be useful when the target is reported as down when it's actually up but not responding to host discovery probes (e.g. due to a host-based firewall that drops ICMP packets). Using this option with the intense scans below can be helpful.
TCP connect scan:
OS fingerprinting and service detection:
Intense scan, all TCP ports:
Intense scan, all TCP ports, no ping:
Intense scan, plus UDP:
Aggressive scan:
Warning: Big, nasty scans are great for labs, but sometimes get rate-limited. In real life settings, it's even worse. Start with light scans and do targeted scans when you discover something interesting.
Nmap scripting engine (NSE)
NSE is awesome too; its scripts can be used to detect a variety of vulnerabilities.
Running NSE scripts
General usage:
Example:
Arguments can be passed to Nmap scripts using the --script-args option or from a file using the --script-args-file option.
Finding NSE scripts
Nmap scripts are located in the following directory:
FTP:
HTTP:
SMTP:
SMB:
MySQL:
WordPress:
Drupal:
Citrix:
Nmap script help
Most scripts have a help function that displays instructions when you type --script-help:
Updating Nmap scripts
If a script isn't available on your system, download it with the following command:
Once the script has downloaded, use the following command to update the Nmap script database so that the script will become available to Nmap:
Detecting WAF
Web application firewalls (WAF) may drop malicious requests, such as those with SQL injections, or otherwise interfere with enumeration or testing:
Detect WAF using Nmap:
Fingerprint WAF using Nmap:
Fingerprint WAF using WAFw00f:
FTP
Check if anonymous FTP access is available:
Test if you can navigate, list, read, get or put files:
SMTP
You can connect to an SMTP server with netcat and run the vrfy command to check if email addresses are valid. You can also check mailing list membership with expn.
SMB
Server Message Block (SMB) is a network file sharing protocol that provides access to shared files and printers on a local network. Older versions of SMB tend to be vulnerable to major exploits, such as EternalBlue.
Versions:
SMB uses these ports, which can be discovered using Nmap scans:
netbios-ns 137/tcp - NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp - NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp - NETBIOS session service
netbios-ssn 139/udp
microsoft-ds 445/tcp - Active Directory
SMBclient
Linux/Unix machines can browse and mount SMB shares, and transfer files.
To see which shares are available on a given host:
To reach a directory that has been shared as 'public' on a host:
View available commands from the smb prompt:
Nmap SMB scripts
Nmap has scripts specifically for the SMB protocol (see above).
To scan a host for all known SMB vulnerabilities:
If you want to scan a target for a particular SMB vulnerability, for instance MS08-067 (which allows remote code execution), you can run this command:
MS17-010 EternalBlue script
EternalBlue is one of the exploits leaked by the Shadow Brokers in April 2017. It exploits a critical vulnerability in the SMBv1 protocol and leaves a lot of Windows installations vulnerable to remote code execution, including Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016.
Nmap script to test for EternalBlue vulnerability:
Rpcclient
Rpcclient is a Linux tool used for client-side MS-RPC functions (port 445) using a null session, a connection that does not require a password. Null sessions were enabled by default on legacy systems but have since been disabled from Windows XP SP2 and Windows Server 2003.
The above commands return domain information, including users. More enumeration commands are available here.
Take special note of the srvinfo response, because googling it may give you the exact exploit you need. It looks like gibberish:
Enum4Linux
Enum4linux is used to enumerate data from Windows and Samba hosts. It's really helpful if you aren't that familiar with SMB commands because it can pull a lot of information out quickly:
It will also pull OS information via srvinfo that is helpful when searching for exploits:
SNMP
Simple Network Management Protocol (SNMP) is an older UDP-based protocol that is often vulnerable. SNMP services are commonly left in default configurations, which can reveal a lot of network information.
The SNMP Management Information Base (MIB) is a database containing network management information organized in a tree of functions.
OneSixtyOne
OneSixtyOne brute forces community strings based on a dictionary and the target IP address. You can also provide a list of host IP addresses to be scanned by onesixtyone using the -i option. Single values can be passed via the command line.
SNMPwalk
SNMPwalk queries MIB values to retrieve information about managed devices. It requires a valid SNMP read-only community string.
To run SNMPwalk with the default community string 'public' on an SNMPv1 device:
Enumerate the entire MIB tree:
Enumerate based on a single object ID:
Enumerate Windows users:
Enumerate running Windows processes:
Enumerate open TCP ports:
Enumerate installed software:
Website scanning
Web servers are a common target for hackers, because they can be used to get a foothold on the system (e.g. a shell) or even an organization's network. Scanning is usually detectable, but it can also identify opportunities for further exploitation.
Nikto
Nikto is a popular (but noisy) assessment tool, good for quickly enumerating a web server:
Specify a port:
nikto -h [host] -p 8080
Test multiple ports:
Specify a port range:
Scan Tuning
Use the -Tuning parameter to run a specific set of tests instead of all tests:
Dirb
Dirb is a web content scanner that guesses web objects using a dictionary.
It can also use a custom wordlist if one is provided:
Wordlists are located here:
By default, dirb will use common.txt, which works well in most lab situations. However, if you're enumerating a machine with a very small attack surface (e.g. only port 80 is open) you may want to try big.txt instead.
Dirbuster
Dirbuster is a web scanner with a GUI and some additional features, including more wordlists:
Wordlists are located here:
WPScan
WordPress is a popular website/blogging platform and is frequently targeted by hackers. Vulnerabilities are typically introduced through community-developed modules and themes. WPScan is a tool that scans for a variety of module/theme vulnerabilities and can also enumerate users.
Update WPScan with the latest information:
Default scan:
Active enumeration
Scan time can be reduced by choosing specific options:
p Scans popular plugins only.
vp Scans vulnerable plugins only.
ap Scans all plugins.
The same options are available for WordPress themes:
t Scans popular themes only.
vt Scans vulnerable themes only.
at Scans all themes.
Enumerate specific options:
Scan for all popular plugins:
Scan for vulnerable plugins:
Scan for all plugins:
Enumerate users:
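As noted above, scanning with Nikto, dirb or WPScan is usually detectable from the server side. The script below is an added example, not code from the original notes: it reads Apache combined-format access log lines (constructed here, not from a real server) and flags a client either because its User-Agent names a known scanner (Nikto and WPScan identify themselves by name unless the agent string is changed) or because it produces a burst of 404s, the signature of a dictionary-based scanner such as dirb. The threshold and the scanner-name list are assumptions to tune per site.

```python
# Added example (not from the original notes): spot web scanners in an
# access log two ways: a known scanner name in the User-Agent, and a burst
# of 404s from one client (typical of dictionary tools such as dirb).
# The log lines are constructed in Apache combined format.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = ("nikto", "wpscan", "dirbuster")  # assumed names in default user agents
NOT_FOUND_THRESHOLD = 5  # assumed: 404s from one IP before we call it a wordlist scan

SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about.html HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:10 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2023:13:56:10 +0000] "GET /old HTTP/1.1" 404 196 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2023:13:56:11 +0000] "GET /test HTTP/1.1" 404 196 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2023:13:56:11 +0000] "GET /tmp HTTP/1.1" 404 196 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2023:13:56:12 +0000] "GET /dev HTTP/1.1" 404 196 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2023:13:56:12 +0000] "GET /images HTTP/1.1" 301 0 "-" "Mozilla/4.0"
"""


def find_scanners(log_text):
    """Return {ip: set(reasons)} for clients that look like web scanners."""
    hits = defaultdict(set)
    not_found = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ua, status = m["ip"], m["ua"].lower(), m["status"]
        if any(name in ua for name in SCANNER_UA):
            hits[ip].add("scanner user-agent")
        if status == "404":
            not_found[ip] += 1
            if not_found[ip] >= NOT_FOUND_THRESHOLD:
                hits[ip].add("404 burst")
    return dict(hits)


if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```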