#
Enumeration Quick Start
Goal is to enumerate services quickly, then triage the open ones for those most likely to pay off. Tools like autorecon or legion can automate much of this, but check their output by hand.
#
Enumerating Ports
#
Nmap
nmap -sC -sV 10.10.10.10 -oN quick_scan # Quick Scan
nmap -sC -sV -p- -oN all_ports 10.10.10.10 # Full TCP
nmap -sV --script "default,vuln" -oN vuln_scan 10.10.10.10 # Quick Vulnscan (default + vuln NSE categories; noisy and not a substitute for manual checks)
sudo nmap -sU -p- -oN udp_scan 10.10.10.10 # Full UDP scan (needs root; very slow, so scan --top-ports first and let the full one run in the background)
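Once the quick scan and the full TCP sweep are done, the useful next step is to re-scan only the open ports with -sC -sV rather than all 65535. The function below is an added example and not part of the original page: it pulls the open port numbers out of nmap's grepable (-oG) output so the list can be fed straight into -p. The -oG sample is constructed, and the file names in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: pull the open ports out of an
# nmap grepable (-oG) file so a fast full-port sweep can be followed by a
# targeted -sC -sV scan of only those ports. Assumed workflow (standard nmap
# flags; the file names are made up):
#   nmap -p- --min-rate 1000 -oG all_ports.gnmap 10.10.10.10
#   nmap -sC -sV -p "$(open_ports tcp all_ports.gnmap)" -oN targeted 10.10.10.10
#   sudo nmap -sU --top-ports 100 -oG udp.gnmap 10.10.10.10
#   sudo nmap -sU -sV -p "$(open_ports udp udp.gnmap)" -oN udp_targeted 10.10.10.10

# open_ports PROTO [FILE...]  -> comma-separated list of open PROTO ports.
# Reads the -oG files given (or stdin). The Ports field looks like:
#   Ports: 22/open/tcp//ssh///, 139/filtered/tcp//netbios-ssn///
# Only state "open" is kept, so UDP "open|filtered" guesses are dropped.
open_ports() {
    proto="$1"; shift
    grep -h '^Host:.*Ports:' "$@" \
      | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
      | tr ',' '\n' | tr -d ' ' \
      | awk -F/ -v proto="$proto" '$2 == "open" && $3 == proto { print $1 }' \
      | sort -n -u \
      | paste -s -d ',' -
}

# Constructed sample of nmap -oG output (one host, TCP and UDP mixed as a
# combined -sS -sU scan would print); only here so the example runs offline.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated
Host: 10.10.10.10 () Status: Up
Host: 10.10.10.10 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 53/open/udp//domain///, 161/open|filtered/udp//snmp/// Ignored State: closed (65529)
# Nmap done'

printf '%s\n' "$SAMPLE_GNMAP" | open_ports tcp   # 22,80,445
printf '%s\n' "$SAMPLE_GNMAP" | open_ports udp   # 53
```

Filtered and open|filtered ports are deliberately left out of the list; if a UDP service matters (SNMP, TFTP) probe it by hand with -sV or the service's own client rather than trusting the guess.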
#
Manual
nc -nv 10.10.10.10 25 # Manual Banner Grab
nc -nvC 10.10.10.10 119 # -C sends CRLF line endings, for services that expect them (NNTP, SMTP, POP3)
#
web (80,443)
There is more detailed info in the dedicated web section.
NOTE: do yourself a favor and try default passwords like admin@foo.com:admin etc.
Add the hostname to your hosts file (needs root) so name-based virtual hosts resolve and the site serves the right content:
echo "10.10.10.10 foobar.htb" | sudo tee -a /etc/hosts
#
gobuster
Directory discovery:
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
File discovery:
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt -k # -k skips TLS certificate verification
gobuster dir -u http://10.10.10.10/cgi-bin -w /usr/share/wordlists/dirb/big.txt -x sh,cgi,pl
gobuster dir -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x .txt,.php,.sql,.php5,.html,.htm,.png,.bak,.tmp
Useful switches:
- -e Print the full URLs in your console
- -u The target URL
- -w Path to your wordlist
- -x Extensions to append to each word
- -U and -P Username and Password for Basic Auth
- -p Proxy to use for requests
- -c Specify a cookie for simulating your auth
- -k Skip TLS certificate verification
#
FFuF
Directory discovery by using the FUZZ keyword at the end of URL (-u):
ffuf -w /path/to/wordlist -u https://target/FUZZ
ffuf -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10:59777/FUZZ -t 200 -c
File discovery:
ffuf -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10:59777/sdcard/FUZZ -t 200 -c -e .txt
Subdomains:
ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u http://example.com -H "Host: FUZZ.example.com" -fw 5338
- -c Colorize output.
- -u URL
- -t threads
- -w wordlist
- -e extension
- -fw filter words (drop responses with this word count; in the subdomain example 5338 is the word count of the default vhost's page, found by fuzzing once with a bogus Host header, or let -ac auto-calibrate)
more info: https://github.com/ffuf/ffuf
#
sqlmap
sqlmap -u http://10.10.10.10 --crawl=1 # sqlmap crawl
sqlmap -u http://10.10.10.10 --dbms=mysql --dump # sqlmap dump database
sqlmap -u http://10.10.10.10 --dbms=mysql --os-shell # sqlmap shell
# sqlmap with cookie and ssl (--level=5 --risk=3 is thorough but slow, and risk 3 adds OR-based payloads that can modify data on the target)
sqlmap -u https://10.10.10.10 --cookie="PHPSESSID=ajfda" --level=5 --risk=3 --batch --force-ssl
#
ftp - TCP 21
Run the version through searchsploit to see if there are known vulnerabilities. Look for anonymous login (the ftp-anon script run by nmap -sC flags this). Credentials, backups and config files can often be found on FTP servers; check whether the share is writable too.
If nothing, move on...
#
ssh - TCP 22
Run the version through searchsploit. Otherwise SSH is mostly where credentials or keys found elsewhere get used, so note the version and come back to it.
#
smtp - TCP 25
telnet 10.10.10.10 25 # Telnet to manually run commands (VRFY user, EXPN list, RCPT TO: to test user names)
# enumerate usernames with the metasploit smtp_enum module, then check for open relay and grab the version
msfconsole -q -x 'setg RHOSTS 10.10.10.10;
use auxiliary/scanner/smtp/smtp_enum; run;
use auxiliary/scanner/smtp/smtp_relay; run;
use auxiliary/scanner/smtp/smtp_version; run;'
#
DNS - UDP/TCP 53
#
testing DNS
dig @10.10.10.10 example.local
#
dnszone transfer
dig axfr @<DNS_IP> #Try zone transfer without domain
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
#fierce will try a zone transfer against every authoritative name server and, if that fails, fall back to a dictionary attack on subdomains
fierce --domain <DOMAIN> --dns-servers <DNS_IP>
#
Kerberos TCP/88
./kerbrute userenum --dc 10.10.10.10 -d example.local userlist.txt -t 100 # enumerate valid domain users with kerbrute (no failed logons are generated, but it is visible in Kerberos logs)
#
POP3 - TCP/110
Example
nc -nvC 10.10.10.10 110
(UNKNOWN) [10.10.10.10] 110 (pop3) open
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER testuser
+OK
PASS password
+OK Welcome testuser
LIST
+OK 2 1807
1 420
2 6971
.
RETR 1
+OK Message follows
Commands
USER uid Log in as "uid"
PASS password Substitute "password" for your actual password
STAT List number of messages, total mailbox size
LIST List messages and sizes
RETR n Show message n
DELE n Mark message n for deletion
RSET Undo any changes (unmarks messages marked by DELE)
QUIT Logout (expunges messages marked with DELE unless RSET was sent)
TOP msg n Show the headers and first n lines of the body of message number msg
#
NFS - TCP 111 TCP 2049
mounting NFS share
sudo apt install nfs-common # Install dependencies if needed
mkdir /tmp/mount # create mount dir in /tmp (will be removed after restart)
/usr/sbin/showmount -e 10.10.10.10 # list exports and which clients may mount them
sudo mount -t nfs 10.10.10.10:/share /tmp/mount/ -o nolock # mount using the export path shown by showmount
#
SMB - TCP 139 TCP 445
crackmapexec
crackmapexec smb 10.10.10.10 # gives a lot of info about the host (OS version, hostname, domain, SMB signing)
crackmapexec smb 10.10.10.10 -u 'guest' -p '' --shares # see if a guest/null session works and which shares it can read
Enum4Linux
Enum4linux wraps smbclient, rpcclient, net and nmblookup to enumerate shares, users, groups and OS info from Windows and Samba hosts; -A runs all the simple enumeration.
enum4linux -A 10.10.10.10
smbclient
smbclient -N -L //10.10.10.10/ # List shares: -N no auth, -L list available shares
smbclient //10.10.10.10/IT -U username%password # connect to share IT with supplied username and password
smbclient //10.10.10.10/secret -U suit -p 139 # connect to the secret share as user suit on port 139 (prompts for the password)
smbclient -N //10.10.10.10/backups # connect to the backups share anonymously
mask "";recurse ON;prompt OFF;mget * # Download an entire share once connected
Enumerate shares with smbmap
smbmap -H 10.10.10.10 -u foo -p bar # shows each share with the permissions this user has on it
With nmap
nmap --script smb-vuln* -p 445 10.10.10.10 # look for known SMB vulnerabilities
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10 # enumerate shares and users
#
RPC - TCP 139/445 (MS-RPC over SMB named pipes)
check to see if we can enumerate users with a null session in rpcclient
rpcclient -U "" -N 10.10.10.10
rpcclient $>
commands:
- enumdomusers: list domain users (name and RID)
- enumdomgroups: list domain groups
- querygroup 0x200: query a group by RID, for example 0x200 (512) is Domain Admins
- querygroupmem 0x200: list the member RIDs of that group
- queryuser 0x1f4: query a user by RID, for example 0x1f4 (500) is the built-in Administrator
NOTE: It's helpful to make a users list with this information.