Scanning & Enumeration

Scanning with nmap

nmap -T4 -p- -A
nmap -sV -sC -oA $file $IP

nmap Scripting Language

nmap -p $PORT --script $NAME -oA $IP

Script names can be: safe, vuln, discovery, version,brute, intrusive, auth, broadcast

Enumerating SMB

SMB client

smbclient -L \\\\192.168.57.134\\
smbclient \\\\192.168.57.134\\FileShare

To download all of the files in a share
smbclient //192.168.57.134/FileShare
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse IP

SMB map

smbmap -u USER -H IP
smbmap -H IP -R --depth 5

search for files
smbmap -R FOLDER -H IP

download files
smbmap -R FOLDER -H IP -A Group.xml -q

using creds
smbmap -d active.htb -u user -p password -H IP

To mount smb shares

mount -t cifs //IP/folder /mnt/smb
mount -t cifs -o username=USER //IP//SHARE /mnt/smb

Brute force smb login

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set pass_file wordlist
pass_file => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set USER_file users.txt
USER_file => users.txt
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS fuse.htb
msf5 auxiliary(scanner/smb/smb_login) > run

Find creds and run smb client again

Enumerating using rpcclient

rpcclient -U DOMAIN\\user IP

rpcclient $> enumdomusers
rpcclient $> enumprivs
rpcclient $> enumprinters

Enumerating Mounts(RPCbind)

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.148.131

Enumerating NFS

to list the NFS shares

/usr/sbin/showmount -e [IP]

to mount shares

sudo mount -t nfs 10.10.143.241:home /tmp/mount/ -nolock

Enumerating rsync


nmap -sV --script "rsync-list-modules" -p <PORT> <IP>

rsync --list-only rsync://rsync-connect@$IP/
rsync -av --list-only rsync://$IP:873
rsync -av --list-only rsync://192.168.0.123/shared_name

Copy all files

rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared

Creating a folder and copying the files

rsync -a /root/thm/authorized_keys rsync://rsync-connect@$IP/files/sys-internal/.ssh/

rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh

Enum4Linux

Enum telnet

telnet IP PORT

check for pings (tcpdump)

Listener
sudo tcpdump ip proto \\icmp -i tun0

ping IP -c 1

FTP

ftp IP
anonymous login
enable binary mode
binary

Downloading FTP

wget --user USER --password PASSWORD -r ftp://IP

telnet over FTP

telnet IP PORT
site cpfr /path-of-file/folder-to-copy
site cpto /path-where-to-copy

LDAP

To get the domain name
ldapsearch -x h IP -s base namingcontexts

To get the domain information
ldapsearch -x h IP -s sub -b 'DC=cascade,DC=local'

Additional Scanning Tools

Masscan

mass -p1-65535 --rate 1000 192.168.57.134

Autorecon

https://github.com/Tib3rius/AutoRecon