Common Protocols

Solaris Fingerd (TCP/79)

./finger-user-enum.pl -U <userlist> -t <target> [-m <max_threads>]

HTTP / HTTPS

Nikto

nikto -h http://<url>

Gobuster

gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u http://192.168.3.104 -x php,txt,bak

SMB

Nmap Scripts

nmap --script smb-enum-shares <target> -p 445
nmap --script smb-os-discovery <target> -p 445

SMBClient

# List shares (add -N to try a null session, i.e. no password)
smbclient -L //<ip>

# Connect to a share (prompts for a password)
smbclient //<ip>/<share_name>

# Connect anonymously (-N: send no password)
smbclient //<ip>/<share_name> -N

Inside the smbclient shell, get and put transfer single files.

To download a whole share recursively without being prompted for each file:

recurse ON
prompt OFF
mget *

SMBMap

# Null session
smbmap -H <target>
# Authenticated
smbmap -u <user> -p <password> -d <domain> -H <target>
# Pass-the-hash (LM:NT format)
smbmap -u <user> -p <ntlm> -d <domain> -H <target>
# Run a command on the host (needs admin rights on it)
smbmap -u <user> -p <password> -d <domain> -H <target> -x <command>

Enumerate SMB Users

Prepare a user list (e.g. https://github.com/insidetrust/statistically-likely-usernames) and resolve each name over a null session with rpcclient. Names that exist come back with their SID and "(User: 1)"; names that do not return NT_STATUS_NONE_MAPPED, so the grep keeps only real user accounts:

while read -r u; do rpcclient -U "" -N <target> --command="lookupnames $u"; done < users.txt | grep "User: 1"
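The loop above leaves you with raw rpcclient output. The following Python is an added example, not part of the original page or of rpcclient, that parses that output, keeps only names that resolved to user accounts (SID type 1, the same filter as the grep) and extracts each account's RID, which is worth having because well-known RIDs such as 500 identify the built-in Administrator regardless of its name. The sample output is constructed for the example rather than captured from a host, and the function names are my own.

```python
import re

# rpcclient prints one result line per resolved name in the form
#   <name> <SID> (<type name>: <type number>)
# SID type 1 is a user account; 2 = domain group, 4 = local group (alias).
LOOKUP_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<sid>S-\d+(?:-\d+)+)\s+\((?P<kind>[^:]+):\s*(?P<type>\d+)\)\s*$"
)

# Constructed sample of concatenated rpcclient output (not from a real host)
SAMPLE_OUTPUT = """\
administrator S-1-5-21-1004336348-1177238915-682003330-500 (User: 1)
result was NT_STATUS_NONE_MAPPED
jsmith S-1-5-21-1004336348-1177238915-682003330-1105 (User: 1)
domain admins S-1-5-21-1004336348-1177238915-682003330-512 (Domain Group: 2)
administrators S-1-5-32-544 (Local Group: 4)
result was NT_STATUS_NONE_MAPPED
"""

# RIDs that are fixed by Windows and therefore always worth flagging
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins"}


def parse_lookupnames(output):
    """Return one dict per name that resolved; NT_STATUS_NONE_MAPPED lines are skipped."""
    found = []
    for line in output.splitlines():
        m = LOOKUP_RE.match(line.strip())
        if not m:
            continue
        rid = int(m["sid"].rsplit("-", 1)[1])   # last SID component is the RID
        found.append({
            "name": m["name"],
            "sid": m["sid"],
            "rid": rid,
            "kind": m["kind"],
            "type": int(m["type"]),
            "well_known": WELL_KNOWN_RIDS.get(rid),
        })
    return found


def valid_users(output):
    """Names that resolved to a user account (what the grep "User: 1" keeps), in order."""
    return [r["name"] for r in parse_lookupnames(output) if r["type"] == 1]


if __name__ == "__main__":
    for r in parse_lookupnames(SAMPLE_OUTPUT):
        print(r["rid"], r["kind"], r["name"], r["well_known"] or "")
```

Feed it the concatenated output of the loop (for example by reading it from a file) and you get the account list plus RIDs in one pass, so that RID 500 stands out even when the Administrator account has been renamed.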

Enum4Linux

enum4linux <target>                           # run everything
enum4linux -r <target> | grep "Local User"    # RID cycling, keep only user accounts
enum4linux -U <target>                        # user list over RPC

SMTP

Nmap

# Find SMTP verbs
nmap --script smtp-commands <ip> -p 25

You can also talk to the server by hand with nc on port 25. After the 220 banner:

HELO <domain_name>
MAIL FROM:<email_address>
RCPT TO:<target_email>

# VRFY and EXPN work on their own, with no MAIL FROM first
VRFY <username>
EXPN <username>

# 250 / 251 (valid)
# 550 (invalid)
# 252 (server will not confirm the user: VRFY is effectively disabled, fall back to RCPT TO)
# 500 / 502 (verb not recognised or not implemented)

Useful SMTP verbs:

  • RCPT

  • VRFY

  • EXPN
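To show both sides of that exchange, here is an added Python example that is not part of the original page or of smtp-user-enum: a probe that drives VRFY, EXPN or RCPT TO against a list of names and classifies the reply codes as above, run against a small in-process fake SMTP server so that it works offline. The fake server, its mailbox list and the host and user names are constructed for the demo; point enum_smtp_users at a real host and port to use it against a target.

```python
import socket
import threading

# Constructed mailbox list for the in-process fake server below (not a real target)
KNOWN_USERS = {"root", "admin", "jsmith"}


def _read_reply(rfile):
    """Read one SMTP reply and return its 3-digit code. "250-..." continues a
    multi-line reply; "250 ..." (space after the code) is the last line."""
    while True:
        line = rfile.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3])


def enum_smtp_users(host, port, candidates, mode="VRFY",
                    mail_from="user@example.com", domain=None):
    """Probe each candidate with VRFY, EXPN or RCPT TO and classify the reply.
    Returns {name: "valid" | "invalid" | "unknown"}."""
    results = {}
    with socket.create_connection((host, port), timeout=5) as s:
        rfile = s.makefile("rb")
        _read_reply(rfile)                                  # 220 banner
        s.sendall(b"HELO probe.example.com\r\n")
        _read_reply(rfile)
        if mode == "RCPT":
            # RCPT TO is only valid inside a mail transaction, so open one
            s.sendall(f"MAIL FROM:<{mail_from}>\r\n".encode())
            _read_reply(rfile)
        for name in candidates:
            target = f"{name}@{domain}" if domain else name
            if mode == "RCPT":
                s.sendall(f"RCPT TO:<{target}>\r\n".encode())
            else:
                s.sendall(f"{mode} {target}\r\n".encode())
            code = _read_reply(rfile)
            if code in (250, 251):
                results[name] = "valid"
            elif code == 550:
                results[name] = "invalid"
            else:
                # 252: server refuses to confirm; 500/502: verb disabled. Change mode.
                results[name] = "unknown"
        s.sendall(b"QUIT\r\n")
        _read_reply(rfile)                                  # 221
    return results


def _fake_smtp_server(listener, vrfy_enabled=True):
    """Just enough of an SMTP server to answer HELO, MAIL, RCPT, VRFY and QUIT."""
    conn, _ = listener.accept()
    with conn:
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mail.example.test ESMTP\r\n")
        while True:
            raw = rfile.readline()
            if not raw:
                break
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb in ("HELO", "EHLO", "MAIL", "RSET"):
                conn.sendall(b"250 Ok\r\n")
            elif verb == "VRFY" and not vrfy_enabled:
                conn.sendall(b"252 Cannot VRFY user, but will accept message\r\n")
            elif verb in ("VRFY", "RCPT"):
                # "RCPT TO:<user@host>" -> user ; "VRFY user" -> user
                user = arg.partition(":")[2] if verb == "RCPT" else arg
                user = user.strip(" <>").split("@")[0]
                conn.sendall(b"250 Ok\r\n" if user in KNOWN_USERS else b"550 User unknown\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")


def run_demo(mode="VRFY", vrfy_enabled=True,
             candidates=("root", "admin", "nobody", "jsmith")):
    """Start the fake server on an ephemeral loopback port and enumerate against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_fake_smtp_server, args=(listener, vrfy_enabled), daemon=True)
    t.start()
    try:
        return enum_smtp_users("127.0.0.1", port, candidates, mode=mode,
                               domain="example.test" if mode == "RCPT" else None)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for m in ("VRFY", "RCPT", "EXPN"):
        print(m, run_demo(m))
    print("VRFY disabled", run_demo("VRFY", vrfy_enabled=False))
```

The third run shows why the mode matters: once every answer is "unknown" (252 or 502) the verb is disabled and you switch to RCPT TO, which most servers cannot turn off without breaking mail delivery, exactly the choice smtp-user-enum exposes through -M.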

Metasploit

auxiliary/scanner/smtp/smtp_enum

smtp-user-enum script

Usage: smtp-user-enum.pl [options] ( -u username | -U file-of-usernames ) ( -t host | -T file-of-targets )

options are:
        -m n     Maximum number of processes (default: 5)
        -M mode  Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
        -u user  Check if user exists on remote system
        -f addr  MAIL FROM email address.  Used only in "RCPT TO" mode (default: user@example.com)
        -D dom   Domain to append to supplied user list to make email addresses (Default: none)
                 Use this option when you want to guess valid email addresses instead of just usernames
                 e.g. "-D example.com" would guess foo@example.com, bar@example.com, etc.
                 instead of simply the usernames foo and bar.
        -U file  File of usernames to check via smtp service
        -t host  Server host running smtp service
        -T file  File of hostnames running the smtp service
        -p port  TCP port on which smtp service runs (default: 25)
        -d       Debugging output
        -w n     Wait a maximum of n seconds for reply (default: 5)
        -v       Verbose
        -h       This help message

(The tool's own help text lists the timeout as -t, which collides with -t host; the option it actually parses is -w.)

Also see smtp-user-enum-user-docs.pdf from the smtp-user-enum tar ball.

Examples:

$ smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1
$ smtp-user-enum.pl -M EXPN -u admin1 -t 10.0.0.1
$ smtp-user-enum.pl -M RCPT -U users.txt -T mail-server-ips.txt
$ smtp-user-enum.pl -M EXPN -D example.com -U users.txt -t 10.0.0.1

SNMP (UDP/161)

SNMPv1 and SNMPv2c carry the community string in cleartext in every packet. If you can see traffic to UDP/161, sniff it and read the community string instead of guessing it.

snmpwalk

snmpwalk -v <version> -c <community_string> <target> [<OID>]

<version> is 1 or 2c. Try public first, then private (often the read-write string).

Install the package snmp-mibs-downloader so that snmpwalk prints names instead of numeric OIDs; on Debian-based systems you also have to comment out the "mibs :" line in /etc/snmp/snmp.conf, which otherwise disables MIB loading.

To change the value of an OID (this needs a read-write community string), use snmpset, where <type> is a one-letter type code such as i (INTEGER) or s (STRING):

snmpset -v <version> -c <community_string> <target> <OID> <type> <new_value>
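To make the cleartext point concrete, here is an added Python example that is not from the original page and is not how snmpwalk or snmpset are implemented: a hand-built SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) following the RFC 1157 layout, a parser that pulls the version and community string straight back out of a captured datagram (what a sniffer sees), and a UDP helper that sends the probe. Function names are my own and no device output is included; the packet bytes come from the encoder itself.

```python
import socket

# SNMPv1 message layout (RFC 1157), every field a BER TLV:
#   SEQUENCE { INTEGER version(0), OCTET STRING community, GetRequest-PDU [0] {
#       INTEGER request-id, INTEGER error-status, INTEGER error-index,
#       SEQUENCE OF { SEQUENCE { OBJECT IDENTIFIER, NULL } } } }


def _ber_len(n):
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value):
    """Non-negative INTEGER in two's complement (a leading 0x00 when the top bit is set)."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _ber_oid(dotted):
    """OID: first two arcs packed into one byte, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_snmpv1_get(community, oid, request_id=1):
    """Encode one GetRequest for a single OID."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def snmp_community_from_packet(packet):
    """Return (version, community) from a captured v1/v2c datagram, or None.
    The community string is a plain OCTET STRING right after the version."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = _read_tlv(msg, 0)
        if tag != 0x02:
            return None
        version = int.from_bytes(ver, "big", signed=True)
        if version not in (0, 1):           # 0 = v1, 1 = v2c; v3 (3) has no community
            return None
        tag, community, _ = _read_tlv(msg, pos)
        if tag != 0x04:
            return None
        return {0: "v1", 1: "v2c"}[version], community.decode(errors="replace")
    except IndexError:
        return None                         # truncated or not BER at all


def snmp_get(target, community, oid="1.3.6.1.2.1.1.1.0", port=161, timeout=2.0):
    """Send one GetRequest over UDP; return the raw reply, or None on timeout.
    Agents silently drop requests with a wrong community, so "no reply" is the
    wrong-community signal that onesixtyone and snmp-brute rely on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_snmpv1_get(community, oid), (target, port))
        return s.recvfrom(65535)[0]
    except socket.timeout:
        return None
    finally:
        s.close()
```

Run snmp_community_from_packet over the UDP payloads of a capture (for example the bytes pyshark or scapy hand you for port 161) and every v1/v2c packet gives up its community string; the same parser applied to the reply of snmp_get confirms which string the agent accepted.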

nmap script

Useful scripts:

  • snmp-brute

  • snmp-info

  • snmp-interfaces

  • snmp-netstat

  • snmp-processes

  • snmp-sysdescr

  • snmp-win32-services

nmap -sU -p 161 --script <script> <target>

To brute force the community string:

nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=<wordlist> <target>

If snmp-brute.communitiesdb is not specified, the script uses /usr/share/nmap/nselib/data/snmpcommunities.lst.

Another good list would be /usr/share/seclists/Misc/wordlist-common-snmp-community-strings.txt

Onesixtyone

onesixtyone <target> <community_string>

To brute force the community string:

onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <target>

XMLRPC

Send a POST to the XML-RPC endpoint with an XML body (in Burp Suite, send the request to Repeater, change the method to POST and set Content-Type: text/xml).

List methods

<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>
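The same request sent from Python, as an added example that is not from the original page: it builds the POST body above with xmlrpc.client.dumps, sends it by hand with http.client so you can see exactly what Repeater sends, and then uses the server's own introspection methods (system.methodHelp, system.methodSignature) to document every method it lists. The target here is a constructed in-process SimpleXMLRPCServer with one made-up application method, app.version; substitute the real host, port and endpoint path (assumed to be /RPC2).

```python
import http.client
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

# The body to paste into Repeater: a <methodCall> for system.listMethods
# with an empty <params> element.
LIST_METHODS_BODY = xmlrpc.client.dumps((), methodname="system.listMethods")


def start_fake_endpoint():
    """Constructed stand-in for a target (not a real application): an XML-RPC
    server with introspection enabled plus one application method."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_introspection_functions()      # system.listMethods & friends
    server.register_function(lambda: "1.0", "app.version")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def raw_list_methods(host, port, path="/RPC2"):
    """POST the request by hand and parse the <methodResponse>."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=LIST_METHODS_BODY,
                 headers={"Content-Type": "text/xml"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"HTTP {resp.status}: not an XML-RPC endpoint, or wrong path")
    # loads() raises xmlrpc.client.Fault if the server answered with a <fault>
    params, _ = xmlrpc.client.loads(data)
    return sorted(params[0])


def describe_methods(host, port, path="/RPC2"):
    """Ask the server to document each method it advertises."""
    proxy = xmlrpc.client.ServerProxy(f"http://{host}:{port}{path}")
    return {
        name: {
            "help": proxy.system.methodHelp(name),
            "signature": proxy.system.methodSignature(name),
        }
        for name in proxy.system.listMethods()
    }


def run_demo():
    """Bring up the fake endpoint, enumerate it, tear it down."""
    server = start_fake_endpoint()
    host, port = server.server_address
    try:
        return raw_list_methods(host, port), describe_methods(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    methods, info = run_demo()
    for name in methods:
        print(name, "-", info[name]["help"].splitlines()[0] if info[name]["help"] else "(no help)")
```

A 404 or an HTML error page from raw_list_methods means the path is wrong rather than the method; a <fault> saying the method is unknown means introspection is disabled, in which case you are back to guessing method names one POST at a time.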

SSH

Without credentials or a key, there is usually little to do beyond password guessing with Hydra, using user names gathered from other services (SMB, SMTP, finger).

If the SSH server is very old, the client may refuse to connect because it no longer offers the key exchange (or host key or cipher) algorithms the server supports. Re-enable the one the server wants with a + prefix, which appends it to the client's list instead of replacing the list:

ssh -p <port> -oKexAlgorithms=+<method> <user>@<target>

LDAP

nmap

nmap --script ldap-search -p 389 -oN nmap-ldap <ip>

ldapsearch

Get the naming contexts, i.e. the base DNs the server holds (-x is a simple bind, here anonymous):

ldapsearch -x -h <target> -s base namingcontexts

Search the whole subtree under a base DN:

ldapsearch -x -h <target> -s sub -b 'DC=xxx,DC=xxx'

Dump everything under a base (sub is the default scope):

ldapsearch -x -h <target> -b "<base>"

Newer OpenLDAP clients deprecate -h; use -H ldap://<target> instead.

NFS (TCP/2049) and rpcbind (TCP/111)

nmap script

TCP/111 is rpcbind / portmapper. Ask it which RPC services are registered (NFS itself listens on 2049), then run the NFS scripts (quote the glob so the shell does not expand it):

nmap -p 111 --script=rpcinfo <target>
nmap -p 111,2049 --script='nfs*' <target>

If an export is found, mount it (nolock avoids needing the lock daemon):

sudo mount -o nolock <target>:<dir> <local_dir>

https://blog.netspi.com/linux-hacking-case-studies-part-2-nfs/
