Once the services have been fingerprinted, we can perform enumeration. There can be many different sources used to achieve the goal of this recipe. In this recipe, we will look at how to perform service-discovery scans using various tools, for the following:
Nbtscan is a script in Kali that enumerates for the NetBIOS name of the target IP. It can be used as the early part of SMB enumeration. It basically requests a status query of the NetBIOS name in a human-readable format.
For this recipe, the steps are as follows:
nbtscan <IP address>
The output will be as shown in the following screenshot:
nbtscan -r <IP address>/<class range>
The output will be as shown in the following screenshot:
enum4linux
. Enter the following command in terminal to start an SMB scan:enum4linux <IP address>
The output will be as shown in the following screenshot:
Additionally, it even provides share-enumeration information to check the available shares on the system:
It even shows us the password policy (if any applied) on the target:
As you can see, enum4 Linux is a powerful tool, especially in the scenario where null sessions are enabled.
A reference from Wikipedia to understand null sessions: A null session is an anonymous connection to an inter-process communication network service on Windows-based computers. The service is designed to allow named pipe connections. However, it can be exploited to retrieve information. For a basic understanding of null sessions, visit http://www.softheap.com/security/session-access.html . A thoroughly detailed pentest scenario can be understood at https://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions .
Start by typing the following command in terminal:
snmpwalk -c public -v1 <IP address>
The output will be as shown in the following screenshot:
For example , if we wish to extract only system users then we can use this value 1.3.6.1.4.1.77.1.2.25
, enter the following command in terminal:
snmpwalk -c public -v1 <IP address> <MIB value>
The output will be as shown in the following screenshot:
/usr/share/nmap/scripts/
. The output will be as shown in the following screenshot:
These scripts need to be updated from time to time.
Once we select a target, we will run nmap scripts over it.
nmap -sC <IP address >
The output will be as shown in the following screenshot:
nmap -sT --script *smb-enum* <IP address>
The output will be as shown in the following screenshot:
nmap -sT -p 139,443 --script smb-check-vulns --script- args=unsafe=1 <IP address>
The output will be as shown in the following screenshot:
This tells us if the port is vulnerable to any attack.
Let us understand a few of the switches used in this recipe:
In Nbtscan, we used the -r
switch, which tells nbtscan to scan for a given whole class network/subnet; it queries all the systems on UDP port 137
. This port has a service referenced to "Network Neighborhood" also known as netbios. When this port receives a query, it responds with all the running services on that system.
The enum4linux
is a script that enumerates pretty much all the possible information that includes RID cycling, user listing, enumeration of shares, identifying the type of remote OS, what the running services are, password policy, and so on, if the target IP is susceptible to null-session authentication.
Following are the switches used in SnmpWalk:
-c
: This switch tells SnmpWalk what type of community string it is. By default, the SNMP community string is public.-v1
: This switch specifies that the SNMP version is 1. We can even use 2c or 3 depending on the type of SNMP service version it is running on.dnsenum
: This is a DNS enumeration tool. It basically enumerates all the DNS-related information from a DNS server, and even checks if it is possible for a zone transfer.-sC
: This switch enables nmap to run default NSE scripts for all the open ports detected on the target IP, from the repository.--script
: This switch enables us to specify which script we want to execute. We can use regex, as shown in the preceding example.--script-args=unsafe=1
: This switch enables nmap to run dangerous scripts to assess if a port is vulnerable to a type of attack. The reason it is not a part of default script analysis is because, at times, these can cause the remote service to crash and be rendered unavailable, leading to a DOS situation.In this recipe, we learned how to run different scripts on the services detected by nmap, and how to run dangerous enumeration scripts.
18.224.215.188