Hi all!
I want to illustrate my basic LAN enumeration techniques and learn new ones from you.
Basically I use nmap, nbtscan (or nbtstat on Windows), smbclient and rpcclient.
Suppose a 10.0.2.0/24 net.
First I use nbtscan. This is not the best tool, but the results are simple and clarify the situation of the LAN.
Code:
root@bt:~# nbtscan -r 10.0.2.0/24
Doing NBT name scan for addresses from 10.0.2.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.0.2.0         Sendto failed: Permission denied
10.0.2.10        <unknown>                  <unknown>
10.0.2.15        METASPLOITABLE   <server>  METASPLOITABLE   00-00-00-00-00-00
10.0.2.18        TEST01           <server>  TEST01           00-11-21-22-1d-4d
10.0.2.45        TEST04           <server>  TEST04           00-12-d2-34-11-55
Then I perform a quick scan on the LAN using nmap. Nmap (and its interface Zenmap) is the best enumeration tool, but sometimes the results are too big; for this reason I first try an nbtscan.
The code for a quick LAN scan is
Code:
root@bt:~# nmap -T4 -F 10.0.2.*
After that I point at a single IP and perform a complete scan, in this case on the METASPLOITABLE VM (I cut the result... it is too long. I left only the useful information).
Code:
root@bt:~# nmap -p 1-65535 -T4 -O -A -v 10.0.2.15

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-06-21 08:52 CEST
NSE: Loaded 63 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 08:52
Scanning 10.0.2.15 [1 port]
Completed ARP Ping Scan at 08:52, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:52
Completed Parallel DNS resolution of 1 host. at 08:52, 13.00s elapsed
Initiating SYN Stealth Scan at 08:52
Scanning 10.0.2.15 [65535 ports]

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open  telnet?
25/tcp    open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-title: Metasploitable2 - Linux
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
111/tcp   open  rpcbind
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      40023/udp  mountd
|   100005  1,2,3      40950/tcp  mountd
|   100021  1,3,4      35299/tcp  nlockmgr
|   100021  1,3,4      44001/udp  nlockmgr
|   100024  1          35037/udp  status
|_  100024  1          55906/tcp  status
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open  exec?
513/tcp   open  login?
514/tcp   open  shell?
1099/tcp  open  java-rmi    Java RMI Registry
1524/tcp  open  ingreslock?
2049/tcp  open  rpcbind
2121/tcp  open  ccproxy-ftp?
3306/tcp  open  mysql?
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         Unreal ircd
6697/tcp  open  irc         Unreal ircd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  unknown
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: Apache Tomcat
8787/tcp  open  unknown
35299/tcp open  rpcbind
40470/tcp open  unknown
40950/tcp open  rpcbind
55906/tcp open  rpcbind
MAC Address: 08:00:27:98:30:43 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.31
Uptime guess: 0.027 days (since Thu Jun 21 08:15:33 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=188 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: localhost, irc.Metasploitable.LAN; OSs: Unix, Linux

Host script results:
| nbstat:
|   NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     METASPLOITABLE<00>           Flags: <unique><active>
|     METASPLOITABLE<03>           Flags: <unique><active>
|     METASPLOITABLE<20>           Flags: <unique><active>
|     \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|     WORKGROUP<00>                Flags: <group><active>
|     WORKGROUP<1d>                Flags: <unique><active>
|_    WORKGROUP<1e>                Flags: <group><active>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Name: WORKGROUP\Unknown
|_  System time: 2012-06-21 08:54:28 UTC-4

TRACEROUTE
HOP RTT      ADDRESS
1   0.31 ms  10.0.2.15
Smbclient is useful to find shares and to try an anonymous login (here I tried it on the METASPLOITABLE VM).
Code:
root@bt:~# smbclient -L=10.0.2.15
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

        Server               Comment
        ---------            -------
        METASPLOITABLE       metasploitable server (Samba 3.0.20-Debian)

        Workgroup            Master
        ---------            -------
        WORKGROUP            METASPLOITABLE
root@bt:~# smbclient \\\\10.0.2.15\\tmp
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> ls
  .                                   D        0  Thu Jun 21 08:33:56 2012
  ..                                 DR        0  Sun May 20 20:36:12 2012
  .ICE-unix                          DH        0  Thu Jun 21 08:10:44 2012
  4465.jsvc_up                        R        0  Thu Jun 21 08:11:11 2012
  .X11-unix                          DH        0  Thu Jun 21 08:11:00 2012
  .X0-lock                           HR       11  Thu Jun 21 08:11:00 2012

                56891 blocks of size 131072. 42413 blocks available
Rpcclient is a good way to obtain information but requires a lot of patience. Here is a user SID discovery on a Windows PC.
Code:
root@bt:~# rpcclient 10.0.2.18 -U=ADMINISTRATOR
Enter ADMINISTRATOR's password:                          <--- no password
rpcclient $> getusername
Account Name: Guest, Authority Name: TEST01              <--- logged in as Guest
rpcclient $> lsaenumsids
found 12 SIDs

S-1-5-6
S-1-5-4
S-1-5-32-545
S-1-5-32-544
S-1-5-32
S-1-5-21-1004336348-854245398-725345543-501
S-1-5-21-1004336348-854245398-725345543-1004
S-1-5-21-1004336348-854245398-725345543-1002
S-1-5-21-1004336348-854245398-725345543
S-1-5-20
S-1-5-19
S-1-1-0
rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543-501
S-1-5-21-1004336348-854245398-725345543-501 TEST01\Guest (1)
rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543-1004
S-1-5-21-1004336348-854245398-725345543-1004 TEST01\User.One (1)      <--- that is useful
rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543-1002
S-1-5-21-1004336348-854245398-725345543-1002 TEST01\SUPPORT_388945a0 (1)
rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543
S-1-5-21-1004336348-854245398-725345543 TEST01\*unknown* (3)
rpcclient $> lookupsids S-1-5-20
S-1-5-20 NT AUTHORITY\SERVIZIO DI RETE (5)
rpcclient $> lookupsids S-1-5-19
S-1-5-19 NT AUTHORITY\SERVIZIO LOCALE (5)
rpcclient $> lookupsids S-1-5-32-545
S-1-5-32-545 BUILTIN\Users (4)
rpcclient $> lookupsids S-1-5-32-544
S-1-5-32-544 BUILTIN\Administrators (4)
rpcclient $> lookupsids S-1-5-32
S-1-5-32 BUILTIN\BUILTIN (3)
rpcclient $> lookupsids S-1-5-6
S-1-5-6 NT AUTHORITY\SERVIZIO (5)
That's almost all I basically use. Waiting for your ideas.
Bye
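An added example, not part of the original post: the rpcclient step above resolves the SIDs one `lookupsids` call at a time. The script below parses the `lsaenumsids` output as rpcclient prints it, separates the well-known authorities (S-1-5-32-*, S-1-5-19, S-1-1-0 and so on) from the S-1-5-21-... machine SID, labels the RIDs that are fixed on every Windows machine (500 Administrator, 501 Guest) versus those from 1000 upward that belong to accounts created after installation, and builds a single `rpcclient -c "lookupsids ..."` invocation to resolve every local RID in one go. The sample SID list is constructed from the output in the post, the host 10.0.2.18 is the TEST01 box from the nbtscan, and the generated command assumes a null session (`-U "" -N`, which are standard rpcclient options) is accepted, whereas the post got in with `-U=ADMINISTRATOR` and an empty password.

```python
"""Parse the SID list that `rpcclient lsaenumsids` prints, separate the
well-known authorities from the machine (or domain) SID, and build one
`rpcclient -c "lookupsids ..."` call that resolves every local RID at once."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the twelve SIDs from the post, one per line,
# as rpcclient prints them after "found 12 SIDs".
SAMPLE_LSAENUMSIDS = """\
found 12 SIDs

S-1-5-6
S-1-5-4
S-1-5-32-545
S-1-5-32-544
S-1-5-32
S-1-5-21-1004336348-854245398-725345543-501
S-1-5-21-1004336348-854245398-725345543-1004
S-1-5-21-1004336348-854245398-725345543-1002
S-1-5-21-1004336348-854245398-725345543
S-1-5-20
S-1-5-19
S-1-1-0
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")
# S-1-5-21-<a>-<b>-<c> identifies the machine (or domain) that issued the
# SID; a trailing number after that prefix is the RID of one account or group.
MACHINE_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")

# RIDs that Windows assigns to the same account on every machine.
FIXED_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}


@dataclass
class SidReport:
    machine_sid: Optional[str] = None                    # S-1-5-21-... prefix, if seen
    rids: List[int] = field(default_factory=list)        # RIDs found under that prefix
    well_known: List[str] = field(default_factory=list)  # S-1-5-32-*, S-1-5-19, ...


def parse_lsaenumsids(text: str) -> SidReport:
    """Return the machine SID, its RIDs (sorted) and the well-known SIDs."""
    report = SidReport()
    for line in text.splitlines():
        sid = line.strip()
        if not SID_RE.match(sid):
            continue  # skips "found N SIDs" and blank lines
        m = MACHINE_RE.match(sid)
        if m is None:
            report.well_known.append(sid)
            continue
        prefix, rid = m.group(1), m.group(2)
        if report.machine_sid is None:
            report.machine_sid = prefix
        if rid is not None:
            report.rids.append(int(rid))
    report.rids.sort()
    return report


def classify_rid(rid: int) -> str:
    """Label a RID: fixed built-in, reserved range, or post-install account."""
    if rid in FIXED_RIDS:
        return FIXED_RIDS[rid]
    if rid >= 1000:
        return "account or group created after installation"
    return "reserved built-in RID"


def lookupsids_command(host: str, report: SidReport) -> str:
    """One null-session rpcclient call (-U "" -N) that resolves all RIDs,
    instead of typing lookupsids once per SID as in the post."""
    if report.machine_sid is None:
        raise ValueError("no S-1-5-21-... SID in the input")
    sids = " ".join(f"{report.machine_sid}-{rid}" for rid in report.rids)
    return f'rpcclient -U "" -N {host} -c "lookupsids {sids}"'


if __name__ == "__main__":
    rep = parse_lsaenumsids(SAMPLE_LSAENUMSIDS)
    print("machine SID:", rep.machine_sid)
    for r in rep.rids:
        print(f"  RID {r}: {classify_rid(r)}")
    print("well-known:", ", ".join(rep.well_known))
    # 10.0.2.18 is the TEST01 host from the nbtscan in the post (assumed reachable).
    print(lookupsids_command("10.0.2.18", rep))
```

Feed it the real `lsaenumsids` output from a target (for example `rpcclient -U "" -N HOST -c lsaenumsids | python3 sids.py`, with the script adapted to read stdin) and the last line it prints is the one command that maps every local RID to a name; RIDs of 1000 and above are the ones worth a second look, as User.One was in the post.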