
Thread: enumeration techniques


  1. #1 Junior Member

    enumeration techniques

    Hi all!
    I want to illustrate my basic LAN enumeration techniques and learn new ones from you.

    Basically I use nmap, nbtscan (or nbtstat on Windows), smbclient and rpcclient.
    Supposing a 10.0.2.0/24 net.

    First I use nbtscan. It is not the best tool, but the results are simple and clarify the situation of the LAN.

    Code:
    root@bt:~# nbtscan -r 10.0.2.0/24
    Doing NBT name scan for addresses from 10.0.2.0/24
    
    IP address       NetBIOS Name     Server    User             MAC address      
    ------------------------------------------------------------------------------
    10.0.2.0	Sendto failed: Permission denied
    10.0.2.10        <unknown>                  <unknown>        
    10.0.2.15        METASPLOITABLE   <server>  METASPLOITABLE   00-00-00-00-00-00
    10.0.2.18        TEST01		  <server>  TEST01	     00-11-21-22-1d-4d
    10.0.2.45        TEST04	 	  <server>  TEST04           00-12-d2-34-11-55

    Then I perform a quick scan on the LAN using nmap. Nmap (and its interface Zenmap) is the best enumeration tool, but sometimes the results are too big, which is why I try nbtscan first.
    The command for a quick LAN scan is

    Code:
    root@bt:~# nmap -T4 -F 10.0.2.*

    After that I point at a single IP and perform a complete scan, in this case on the METASPLOITABLE VM (I cut the result, it is too long; I left only the useful information).

    Code:
    root@bt:~# nmap -p 1-65535 -T4 -O -A -v 10.0.2.15
    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-06-21 08:52 CEST
    NSE: Loaded 63 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 08:52
    Scanning 10.0.2.15 [1 port]
    Completed ARP Ping Scan at 08:52, 0.10s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 08:52
    Completed Parallel DNS resolution of 1 host. at 08:52, 13.00s elapsed
    Initiating SYN Stealth Scan at 08:52
    Scanning 10.0.2.15 [65535 ports]
    PORT      STATE SERVICE      VERSION
    21/tcp    open  ftp          vsftpd 2.3.4
    |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    22/tcp    open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    | ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
    |_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
    23/tcp    open  telnet?
    25/tcp    open  smtp?
    |_smtp-commands: Couldn't establish connection on port 25
    53/tcp    open  domain       ISC BIND 9.4.2
    80/tcp    open  http         Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    |_http-title: Metasploitable2 - Linux
    |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
    111/tcp   open  rpcbind
    | rpcinfo: 
    |   program version   port/proto  service
    |   100000  2            111/tcp  rpcbind
    |   100000  2            111/udp  rpcbind
    |   100003  2,3,4       2049/tcp  nfs
    |   100003  2,3,4       2049/udp  nfs
    |   100005  1,2,3      40023/udp  mountd
    |   100005  1,2,3      40950/tcp  mountd
    |   100021  1,3,4      35299/tcp  nlockmgr
    |   100021  1,3,4      44001/udp  nlockmgr
    |   100024  1          35037/udp  status
    |_  100024  1          55906/tcp  status
    139/tcp   open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
    445/tcp   open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
    512/tcp   open  exec?
    513/tcp   open  login?
    514/tcp   open  shell?
    1099/tcp  open  java-rmi     Java RMI Registry
    1524/tcp  open  ingreslock?
    2049/tcp  open  rpcbind
    2121/tcp  open  ccproxy-ftp?
    3306/tcp  open  mysql?
    3632/tcp  open  distccd      distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
    5432/tcp  open  postgresql   PostgreSQL DB 8.3.0 - 8.3.7
    5900/tcp  open  vnc          VNC (protocol 3.3)
    6000/tcp  open  X11          (access denied)
    6667/tcp  open  irc          Unreal ircd
    6697/tcp  open  irc          Unreal ircd
    8009/tcp  open  ajp13        Apache Jserv (Protocol v1.3)
    8180/tcp  open  unknown
    |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
    |_http-favicon: Apache Tomcat
    8787/tcp  open  unknown
    35299/tcp open  rpcbind
    40470/tcp open  unknown
    40950/tcp open  rpcbind
    55906/tcp open  rpcbind
    MAC Address: 08:00:27:98:30:43 (Cadmus Computer Systems)
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.9 - 2.6.31
    Uptime guess: 0.027 days (since Thu Jun 21 08:15:33 2012)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=188 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: Hosts: localhost, irc.Metasploitable.LAN; OSs: Unix, Linux
    
    Host script results:
    | nbstat: 
    |   NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
    |   Names
    |     METASPLOITABLE<00>   Flags: <unique><active>
    |     METASPLOITABLE<03>   Flags: <unique><active>
    |     METASPLOITABLE<20>   Flags: <unique><active>
    |     \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
    |     WORKGROUP<00>        Flags: <group><active>
    |     WORKGROUP<1d>        Flags: <unique><active>
    |_    WORKGROUP<1e>        Flags: <group><active>
    | smb-os-discovery: 
    |   OS: Unix (Samba 3.0.20-Debian)
    |   Name: WORKGROUP\Unknown
    |_  System time: 2012-06-21 08:54:28 UTC-4
    
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.31 ms 10.0.2.15

    Smbclient is useful to find shares and to try an anonymous login (here I tried it on the METASPLOITABLE VM).

    Code:
    root@bt:~# smbclient -L=10.0.2.15
    Enter root's password: 
    Anonymous login successful
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
    
    	Sharename       Type      Comment
    	---------       ----      -------
    	print$          Disk      Printer Drivers
    	tmp             Disk      oh noes!
    	opt             Disk      
    	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    Anonymous login successful
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
    
    	Server               Comment
    	---------            -------
    	METASPLOITABLE       metasploitable server (Samba 3.0.20-Debian)
    
    	Workgroup            Master
    	---------            -------
    	WORKGROUP            METASPLOITABLE
    root@bt:~# smbclient \\\\10.0.2.15\\tmp
    Enter root's password: 
    Anonymous login successful
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
    smb: \> ls
      .                                   D        0  Thu Jun 21 08:33:56 2012
      ..                                 DR        0  Sun May 20 20:36:12 2012
      .ICE-unix                          DH        0  Thu Jun 21 08:10:44 2012
      4465.jsvc_up                        R        0  Thu Jun 21 08:11:11 2012
      .X11-unix                          DH        0  Thu Jun 21 08:11:00 2012
      .X0-lock                           HR       11  Thu Jun 21 08:11:00 2012
    
    		56891 blocks of size 131072. 42413 blocks available

    Rpcclient is a good way to obtain information but requires a lot of patience. Here is a user SID discovery on a Windows PC.

    Code:
    root@bt:~# rpcclient 10.0.2.18 -U=ADMINISTRATOR
    Enter ADMINISTRATOR's password:       <--- no password
    
    rpcclient $> getusername
    Account Name: Guest, Authority Name: TEST01        <--- logged in as guest
    rpcclient $> lsaenumsid
    found 12 SIDs
    
    S-1-5-6
    S-1-5-4
    S-1-5-32-545
    S-1-5-32-544
    S-1-5-32
    S-1-5-21-1004336348-854245398-725345543-501
    S-1-5-21-1004336348-854245398-725345543-1004
    S-1-5-21-1004336348-854245398-725345543-1002
    S-1-5-21-1004336348-854245398-725345543
    S-1-5-20
    S-1-5-19
    S-1-1-0
    rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543-501
    S-1-5-21-1004336348-854245398-725345543-501 TEST01\Guest (1)
    rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543-1004
    S-1-5-21-1004336348-854245398-725345543-1004 TEST01\User.One (1)  <--- that is useful
    rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543-1002
    S-1-5-21-1004336348-854245398-725345543-1002 TEST01\SUPPORT_388945a0 (1)
    rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543
    S-1-5-21-1004336348-854245398-725345543 TEST01\*unknown* (3)
    rpcclient $> lookupsids S-1-5-20
    S-1-5-20 NT AUTHORITY\SERVIZIO DI RETE (5)
    rpcclient $> lookupsids S-1-5-19
    S-1-5-19 NT AUTHORITY\SERVIZIO LOCALE (5)
    rpcclient $> lookupsids S-1-5-32-545
    S-1-5-32-545 BUILTIN\Users (4)
    rpcclient $> lookupsids S-1-5-32-544
    S-1-5-32-544 BUILTIN\Administrators (4)
    rpcclient $> lookupsids S-1-5-32
    S-1-5-32 BUILTIN\BUILTIN (3)
    rpcclient $> lookupsids S-1-5-6
    S-1-5-6 NT AUTHORITY\SERVIZIO (5)

    That's almost all I basically use. Waiting for your ideas.
    Bye
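
As an added example (not part of the post above), a small POSIX shell script that sorts the twelve SIDs lsaenumsid returned into the fixed well-known ones, the BUILTIN groups, the machine's own identifier and the accounts under it, so lookupsids calls are spent only on the SIDs that can name a real account. The classification rules are standard Windows SID facts (S-1-5-32 is BUILTIN, S-1-5-21-a-b-c is the machine or domain identifier, RIDs below 1000 are reserved for built-in principals, RIDs from 1000 up are allocated by the box's own counter); the SID list is the one from the post, one per line; the function names are the example's own.

```shell
#!/bin/sh
# Sorting rpcclient's lsaenumsid output.  Added example for this thread, not
# code from the poster.  The rules are standard Windows SID facts:
#   S-1-1-0, S-1-5-4, S-1-5-6, S-1-5-19, S-1-5-20 ...  fixed well-known SIDs, identical on
#       every machine, so a lookupsids on them teaches nothing about this box
#   S-1-5-32-<rid>        BUILTIN groups (544 Administrators, 545 Users)
#   S-1-5-21-a-b-c        the machine's (or domain's) own identifier
#   S-1-5-21-a-b-c-<rid>  an account in it; RIDs below 1000 are reserved (500
#       Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, 513 Domain Users),
#       RIDs from 1000 up come from the box's own counter: accounts somebody created.
# Those last ones are the SIDs worth spending lookupsids calls on.

# The twelve SIDs from the post, one per line.
SIDS='S-1-5-6
S-1-5-4
S-1-5-32-545
S-1-5-32-544
S-1-5-32
S-1-5-21-1004336348-854245398-725345543-501
S-1-5-21-1004336348-854245398-725345543-1004
S-1-5-21-1004336348-854245398-725345543-1002
S-1-5-21-1004336348-854245398-725345543
S-1-5-20
S-1-5-19
S-1-1-0'

sid_rid()    { printf '%s\n' "${1##*-}"; }   # last sub-authority (the RID)
sid_prefix() { printf '%s\n' "${1%-*}"; }    # everything before the RID

# classify_sid SID -> machine-domain | builtin-account | custom-account | builtin-group | well-known
classify_sid() {
    case "$1" in
        S-1-5-21-*-*-*-*)
            if [ "$(sid_rid "$1")" -ge 1000 ]; then echo custom-account; else echo builtin-account; fi ;;
        S-1-5-21-*-*-*) echo machine-domain ;;
        S-1-5-32-*)     echo builtin-group ;;
        *)              echo well-known ;;
    esac
}

# rid_hint RID -> name of a reserved RID, or "" if it is not one we know
rid_hint() {
    case "$1" in
        500) echo Administrator ;;   501) echo Guest ;;           502) echo krbtgt ;;
        512) echo "Domain Admins" ;; 513) echo "Domain Users" ;;  514) echo "Domain Guests" ;;
        *)   echo "" ;;
    esac
}

# lookup_targets: SIDs on stdin -> only the custom accounts, the ones to feed
# to `rpcclient $> lookupsids`
lookup_targets() {
    while IFS= read -r sid; do
        if [ "$(classify_sid "$sid")" = custom-account ]; then printf '%s\n' "$sid"; fi
    done
}

# Table for the embedded list.  The machine identifier is the common prefix of
# every -RID entry; it is what you would use to build further SIDs by hand
# (-1000, -1001, ...) if lsaenumsid had returned fewer of them.
printf '%s\n' "$SIDS" | while IFS= read -r sid; do
    kind=$(classify_sid "$sid")
    hint=""
    case "$kind" in *-account) hint=$(rid_hint "$(sid_rid "$sid")") ;; esac
    printf '%-16s %-48s %s\n' "$kind" "$sid" "$hint"
done
echo "-- worth a lookupsids:"
printf '%s\n' "$SIDS" | lookup_targets
```

On the post's own data this leaves two SIDs to resolve (-1004 and -1002) instead of twelve, and labels -501 as Guest before any network call, which matches what the lookupsids in the post returned.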

  2. #2 shadowzero (Member)

    Re: enumeration techniques

    Personally I prefer to use Unicornscan to hit all 65,535 ports first, then take the results and run nmap on that with -sV since it'll be faster. Also, you left out scanning UDP ports - you can sometimes find useful services that are exploitable there (like a vulnerable version of TFTP), or that will give you more information about the server (like SNMP).

  3. #3 Junior Member

    Re: enumeration techniques

    I never tried Unicornscan, I will try it.
    Me too, after the discovery I try the -sV option, but thanks for reminding me about the UDP protocol...too many times I forget it.

  4. #4 scottm99 (Good friend of the forums)

    Re: enumeration techniques

    I agree with shadowzero, unicornscan is a great tool for first-pass. Depending on what unicornscan tells me, I use several of the auxiliary modules in metasploit as well (arp_sweep, several SMB modules, DCERPC modules, etc).

    Also, don't forget about nmap scripts. When digging further on individual machines, I'll run a number of the nmap scripts (again, depending on what I learned earlier).
    If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...

  5. #5 Junior Member

    Re: enumeration techniques

    I tried Unicornscan and it works great. Thank you.
    It is a good tool for the first pass, but now I have to learn it.
    Does anyone use self-made scripts to launch LAN scans?
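
As an added example on the script question (not code from any of the posters), a POSIX shell helper for the two-pass flow the thread converged on: a fast all-ports TCP sweep of the subnet kept in nmap's grepable output (-oG), then, per host, a -sV/-sC pass only on the ports that were actually open plus a short UDP pass. The SUBNET value, the output file names and the pass-1 output embedded in SAMPLE_GNMAP are constructed for the example; without arguments the script parses that sample and prints the pass-2 plan, with --live it runs the real pass 1 instead.

```shell
#!/bin/sh
# Two-pass LAN enumeration helper.  Added example for this thread, not code
# from any of the posters.  SUBNET, the output file names and SAMPLE_GNMAP
# below are constructed for the example.
#
# Pass 1: fast all-ports TCP sweep of the subnet in nmap grepable format
#         (-oG -), one line per host, easy to awk.
# Pass 2: per host, -sV -sC only on the ports pass 1 found open, plus a short
#         top-ports UDP pass (the TFTP/SNMP point raised in the thread).

SUBNET="${SUBNET:-10.0.2.0/24}"

# Constructed pass-1 output in -oG format (hosts/ports loosely follow the
# thread's lab; the filtered distccd entry is there to exercise state filtering).
SAMPLE_GNMAP='# Nmap 5.59BETA1 scan initiated as: nmap -T4 -p- -oG - 10.0.2.0/24
Host: 10.0.2.15 (metasploitable)	Status: Up
Host: 10.0.2.15 (metasploitable)	Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//netbios-ssn///, 3632/filtered/tcp//distccd///	Ignored State: closed (65530)
Host: 10.0.2.18 (test01)	Status: Up
Host: 10.0.2.18 (test01)	Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///	Ignored State: closed (65532)
Host: 10.0.2.45 (test04)	Status: Up
Host: 10.0.2.45 (test04)	Ports: 22/open/tcp//ssh///	Ignored State: closed (65534)
# Nmap done -- 256 IP addresses (3 hosts up) scanned'

# live_hosts: IPs (from -oG on stdin) with at least one open TCP port.
live_hosts() {
    awk '$1 == "Host:" && index($0, "/open/tcp/") { print $2 }' | sort -u
}

# open_ports_for HOST: comma-separated open TCP ports of HOST (from -oG on
# stdin); filtered/closed entries and UDP entries are dropped.
open_ports_for() {
    awk -v host="$1" '
        $1 == "Host:" && $2 == host && /Ports:/ {
            sub(/.*Ports: /, "")                      # keep only the port list
            sub(/[ \t]+(Ignored State|OS|Seq Index|IP ID Seq):.*/, "")
            n = split($0, entry, ", ")
            out = ""
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")               # port/state/proto/owner/service/...
                if (f[2] == "open" && f[3] == "tcp")
                    out = out (out == "" ? "" : ",") f[1]
            }
            print out
        }'
}

# second_pass_cmds HOST PORTS: the pass-2 commands for one host, one per line.
second_pass_cmds() {
    printf 'nmap -sV -sC -O -p %s -oA tcp_%s %s\n' "$2" "$1" "$1"
    printf 'nmap -sU -sV --top-ports 50 -oA udp_%s %s\n' "$1" "$1"
}

# plan: read -oG on stdin, emit the pass-2 command list for every live host.
plan() {
    gnmap=$(cat)
    for h in $(printf '%s\n' "$gnmap" | live_hosts); do
        ports=$(printf '%s\n' "$gnmap" | open_ports_for "$h")
        if [ -n "$ports" ]; then second_pass_cmds "$h" "$ports"; fi
    done
}

if [ "${1:-}" = "--live" ]; then
    # real pass 1; pipe the printed plan into `sh` to actually run pass 2
    nmap -T4 -p- -oG - "$SUBNET" | plan
else
    printf '%s\n' "$SAMPLE_GNMAP" | plan      # dry run on the constructed sample
fi
```

The point of the split is the one made in the thread: the expensive part of nmap is version detection and scripts, so they are run only against ports already known to be open, and the UDP pass is a fixed small list per host so it does not get forgotten. A unicornscan pass 1 would need its own parser in place of open_ports_for; nothing here assumes unicornscan's output format.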
