Chapter 2 - Recon & Enumeration
It is imperative that a scout should know the history, tradition, religion, social customs, and superstitions of whatever country or people he is called on to work in or among. This is almost as necessary as to know the physical character of the country, its climate and products. Certain people will do certain things almost without fail. Certain other things, perfectly feasible, they will not do. There is no danger of knowing too much of the mental habits of an enemy. One should neither underestimate the enemy nor credit him with superhuman powers. Fear and courage are latent in every human being, though roused into activity by very diverse means.
— Frederick Russell Burnham
This is what I refer to as first-pass enumeration, or enumeration from the outside. We take the time to identify all running services and open ports and identify what they are, what they do and how we can communicate with them
Information Gathering
Resources
Basic Information
Kali> whois domain.com
Kali> dig {a|txt|ns|mx} domain.com
Kali> dig {a|txt|ns|mx} domain.com @ns1.domain.com
Kali> simplyemail.py -all -e domain.com
Initial Discovery
Resources
Finger Printing
Banner Grabbing
Kali> nc -v $TARGET 80
Kali> telnet $TARGET 80
Kali> amap -bqv1 1-65535 $TARGET
TTL Fingerprinting
Operating System | TTL |
---|---|
Windows | 128 |
Solaris | 225 |
Cisco | 225 |
Probing Neighbors
# IPV4/IPV6
Kali> netdiscover -i eth0
# IPV6
Kali> ping6 ff02::1%eth0
Network Scan
Kali> nmap -sn 192.168.1.0/24
Kali> nmap -sP 192.168.1.0/2
Kali> for ip in $(cat targets.txt);do nmap -A -T4 -oN scans/nmap.$ip.txt $ip;done
UDP Scan
UDP-Protocol-Scanner
# Port Scan
udp-protocol-scanner.pl -f ips.txt
# Protocol specific scan
udp-protocol-scanner -p ntp -f ips.txt
Netcat
# UDP (ICMP Error -> Port Closed)
Kali> nc -nv -u -z -w 1 host 160-162
NMAP
Kali> sudo nmap -sU -A -T3 --top-ports 100 10.10.10.24
TCP Scan
Netcat
Kali> nc -nvv -w 1 -z host 1000-2000
NMAP
Kali> nmap -p 1-65535 -sV -sS -T4 $TARGET
Kali> nmap -v -sS -A -T4 $TARGET
Kali> nmap -v -sV -O -sS -T4 $TARGET
Masscan
Enumeration
HTTP
Stop what you're doing and go check the source code, yes all of it.
CMSHunter
Directory Fuzzing
Kali> dirb http://$TARGET /usr/share/wordlists/dirb/big.txt -o dirb.txt
Kali> gobuster -u http://$TARGET -w /usr/share/wordlists/dirb/big.txt -t 100
# A little for loop so you can go do other stuff
Kali> for wordlist in $(ls);do gobuster -u http://$TARGET -w $wordlist -t 100;done
# dirsearch is fairly good
Kali> dirsearch -u http://$TARGET -e php
cURL
# Robots can give us a clue as to where to look next you may have to send a user agent
Kali> curl -s http://$TARGET/robots.txt
# Check all the methods
Kali> curl -vX OPTIONS $TARGET
Nikto
Kali> nikto -h http://$TARGET
BurpSuite
I don't care who you are or what you're doing but it's time to go poke the website with burp. Play with all the things, get params, post params, cookies, user agents, referrers in fact all the headers, change get requests to posts, take note of all error codes, fuzz parameter values, and names, etc.
SSL
Kali> ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $TARGET
DNS
Zone Transfer
Kali> host -l megacorpon.com ns1.megacorpone.com
Kali> dnsrecon -d domain.com -t axfr @ns1.domain.com
Kali> dnsenum domain.com
Kali> nslookup -> set type=any -> ls -d domain.com
Enumerate Subdomains
Kali> for sub in $(cat subdomains.txt);do host $sub.domain.com|grep "has.address";done
Kali> dnsrecon -d $TARGET -D wordlist.txt -t std --xml output.xml
DATABASES
MSSQL
Kali> nmap -sU --script=ms-sql-info $TARGET
LDAP
Resources
RPC
Examples
Kali> Rpcinfo -p $TARGET
RDP
Kali> rdesktop -u admin -p password $TARGET
NETBIOS
Resources
Examples
# Sometimes shows logged in users/addresses
Kali> nbtscan $TARGET -R 54
SAMBA
Resources
Plundering Windows accounts through authenticated SMB sessions
Hacking windows shares through Samba with Linux
Examples
# Fingerprint version
Kali> smbclient -L //$TARGET
# TODO
Kali> nmblookup -A $TARGET
# null Session
Kali> rpcclient -v "" $TARGET
Kali> smbclient -L //$TARGET
# Minimal Scan
Kali> enum4linux $TARGET
# Scan Everything
Kali> enum4linux -a $TARGET
# discover windows/samba on subnet find macs and netbios name/domain
Kali> nbtscan 192.168.1.0/24
# Find open shares
Kali> nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
Kali> Showmount -e $TARGET/<port>
# Investigate share
Kali> smblookup -A $TARGET smbclient //MOUNT/share -I $TARGET -N
# Enumerate users
Kali> nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.0/24
Kali> python /usr/share/doc/python-impacket-doc/examples/samrdump.py $TARGET
# RID Cycling (500 = admin, 501 = Guest)
Kali> ridenum.py $TARGET 500 50000 /path/to/wordlist.txt
# NBTScan-Unixwiz
Kali> nbtscan-unixwiz -f $TARGET
# Mount Linux/Windows
Kali> mount $TARGET:/vol/share /mnt/nfs
Kali> Mount -t cifs //<server ip>/<share> <local dir> -o username=”guest”,password=””
C:\>net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
SMTP
VRFY username (verifies if username exists – enumeration of accounts)
EXPN username (verifies if username is valid – enumeration of accounts)
SNMP
Resources
How to get IPv6 Address through SNMP
Examples
# Overview
Default Community Names:
public, private, cisco, manager
Enumerate MIB:
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
# Enmerate users from SNMP
Kali> snmpwalk public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d” “ -f4
Kali> python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP $TARGET
# Search SNMP with nmap
Kali> nmap -sT -p 161 192.168.1.0/24 -oG snmp_results.txt
# Examples
Kali> snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2
Kali> onesixtyone -c community -I $TARGET
Kali> snmpcheck -t $TARGET
Kali> snmpenum -t $TARGET
# Version3
Kali> nmap -sV -p 161 --script=snmp-info 192.168.1.0/24
# Wordlists
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt