Hi all!
I want to illustrate my basic LAN enumeration techniques and learn new ones from you.
Basically I use nmap, nbtscan (or nbtstat on Windows), smbclient and rpcclient.
Supposing a 10.0.2.0/24 net.
First I use nbtscan. This is not the best tool, but the results are simple and clarify the situation of the LAN.
Code:
root@bt:~# nbtscan -r 10.0.2.0/24
Doing NBT name scan for addresses from 10.0.2.0/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
10.0.2.0 Sendto failed: Permission denied
10.0.2.10 <unknown> <unknown>
10.0.2.15 METASPLOITABLE <server> METASPLOITABLE 00-00-00-00-00-00
10.0.2.18 TEST01 <server> TEST01 00-11-21-22-1d-4d
10.0.2.45 TEST04 <server> TEST04 00-12-d2-34-11-55
Then I perform a quick scan on the LAN using nmap. Nmap (and its interface zenmap) is the best enumeration tool, but sometimes the results are too big; for this reason I first try an nbtscan.
The command for a quick LAN scan is
Code:
root@bt:~# nmap -T4 -F 10.0.2.*
After that I point at a single IP and perform a complete scan. In this case on the METASPLOITABLE VM (I cut the result... it is too long. I left only the useful information).
Code:
root@bt:~# nmap -p 1-65535 -T4 -O -A -v 10.0.2.15
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-06-21 08:52 CEST
NSE: Loaded 63 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 08:52
Scanning 10.0.2.15 [1 port]
Completed ARP Ping Scan at 08:52, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:52
Completed Parallel DNS resolution of 1 host. at 08:52, 13.00s elapsed
Initiating SYN Stealth Scan at 08:52
Scanning 10.0.2.15 [65535 ports]
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet?
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-title: Metasploitable2 - Linux
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
111/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 40023/udp mountd
| 100005 1,2,3 40950/tcp mountd
| 100021 1,3,4 35299/tcp nlockmgr
| 100021 1,3,4 44001/udp nlockmgr
| 100024 1 35037/udp status
|_ 100024 1 55906/tcp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login?
514/tcp open shell?
1099/tcp open java-rmi Java RMI Registry
1524/tcp open ingreslock?
2049/tcp open rpcbind
2121/tcp open ccproxy-ftp?
3306/tcp open mysql?
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
6697/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open unknown
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: Apache Tomcat
8787/tcp open unknown
35299/tcp open rpcbind
40470/tcp open unknown
40950/tcp open rpcbind
55906/tcp open rpcbind
MAC Address: 08:00:27:98:30:43 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.31
Uptime guess: 0.027 days (since Thu Jun 21 08:15:33 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=188 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: localhost, irc.Metasploitable.LAN; OSs: Unix, Linux
Host script results:
| nbstat:
| NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Name: WORKGROUP\Unknown
|_ System time: 2012-06-21 08:54:28 UTC-4
TRACEROUTE
HOP RTT ADDRESS
1 0.31 ms 10.0.2.15
Smbclient is useful to find shares and to try an anonymous login (here I tried it on the METASPLOITABLE VM)
Code:
root@bt:~# smbclient -L=10.0.2.15
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Server Comment
--------- -------
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
root@bt:~# smbclient \\\\10.0.2.15\\tmp
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> ls
. D 0 Thu Jun 21 08:33:56 2012
.. DR 0 Sun May 20 20:36:12 2012
.ICE-unix DH 0 Thu Jun 21 08:10:44 2012
4465.jsvc_up R 0 Thu Jun 21 08:11:11 2012
.X11-unix DH 0 Thu Jun 21 08:11:00 2012
.X0-lock HR 11 Thu Jun 21 08:11:00 2012
56891 blocks of size 131072. 42413 blocks available
Rpcclient is a good way to obtain information but requires a lot of patience. Here is a user SID discovery on a Windows PC.
Code:
root@bt:~# rpcclient 10.0.2.18 -U=ADMINISTRATOR
Enter ADMINISTRATOR's password: <--- no password
rpcclient $> getusername
Account Name: Guest, Authority Name: TEST01 <--- logged as guest
rpcclient $> lsaenumsid
found 12 SIDs
S-1-5-6
S-1-5-4
S-1-5-32-545
S-1-5-32-544
S-1-5-32
S-1-5-21-1004336348-854245398-725345543-501
S-1-5-21-1004336348-854245398-725345543-1004
S-1-5-21-1004336348-854245398-725345543-1002
S-1-5-21-1004336348-854245398-725345543
S-1-5-20
S-1-5-19
S-1-1-0
rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543-501
S-1-5-21-1004336348-854245398-725345543-501 TEST01\Guest (1)
rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543-1004
S-1-5-21-1004336348-854245398-725345543-1004 TEST01\User.One (1) <--- that is usefull
rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543-1002
S-1-5-21-1004336348-854245398-725345543-1002 TEST01\SUPPORT_388945a0 (1)
rpcclient $> lookupsids S-1-5-21-1004336348-854245398-725345543
S-1-5-21-1004336348-854245398-725345543 TEST01\*unknown* (3)
rpcclient $> lookupsids S-1-5-20
S-1-5-20 NT AUTHORITY\SERVIZIO DI RETE (5)
rpcclient $> lookupsids S-1-5-19
S-1-5-19 NT AUTHORITY\SERVIZIO LOCALE (5)
rpcclient $> lookupsids S-1-5-32-545
S-1-5-32-545 BUILTIN\Users (4)
rpcclient $> lookupsids S-1-5-32-544
S-1-5-32-544 BUILTIN\Administrators (4)
rpcclient $> lookupsids S-1-5-32
S-1-5-32 BUILTIN\BUILTIN (3)
rpcclient $> lookupsids S-1-5-6
S-1-5-6 NT AUTHORITY\SERVIZIO (5)
That's almost all I basically use. Waiting for your ideas.
Bye
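An added example, not part of the post above: the nmap port table in the post is exactly the kind of output a defender wants turned into an inventory instead of reading by eye. This Python script parses the `PORT STATE SERVICE VERSION` lines and the `|_script:` lines that nmap prints under a port, keeps the `?` marker that means the service name was only guessed, and then runs a small triage pass that flags the cleartext legacy protocols (FTP, telnet, rexec/rlogin/rsh) and the `ftp-anon` result. The sample text is a constructed, trimmed copy of the port table from the post; the port list `CLEARTEXT_PORTS`, the function names and the finding wording are my own choices, not anything nmap or the poster defines.

```python
import re

# Constructed sample: a trimmed copy of the nmap port table shown in the post.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login?
514/tcp open shell?
5900/tcp open vnc VNC (protocol 3.3)
8180/tcp open unknown
"""

# "21/tcp open ftp vsftpd 2.3.4": port/proto, state, service name, optional version text.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# "|_ftp-anon: ..." or "| ssh-hostkey: ...": NSE script output attached to the port above.
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")

# Services that carry credentials or sessions in cleartext (assumed table, my choice).
CLEARTEXT_PORTS = {21: "FTP", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}


def parse_nmap_ports(text):
    """Turn nmap's normal-output port table into a list of service dicts."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append({
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": name.rstrip("?"),
                # nmap appends "?" when the service name is a guess, not a matched probe.
                "guessed": name.endswith("?"),
                "version": (version or "").strip(),
                "scripts": {},
            })
            continue
        s = SCRIPT_RE.match(line)
        if s and services:
            # Script lines belong to the most recently parsed port.
            services[-1]["scripts"][s.group(1)] = s.group(2)
    return services


def triage(services):
    """Return a list of {port, reason} findings worth a defender's attention."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        proto_name = CLEARTEXT_PORTS.get(svc["port"])
        if proto_name:
            findings.append({"port": svc["port"], "reason": f"{proto_name}: cleartext protocol"})
        anon = svc["scripts"].get("ftp-anon")
        if anon and "allowed" in anon:
            findings.append({"port": svc["port"], "reason": "anonymous FTP login allowed"})
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_ports(SAMPLE_NMAP)
    for svc in inventory:
        flag = "?" if svc["guessed"] else " "
        print(f"{svc['port']:>5}/{svc['proto']} {svc['service']:<12}{flag} {svc['version']}")
    for f in triage(inventory):
        print(f"FINDING port {f['port']}: {f['reason']}")
```

The same parser works on the full `nmap -A` output in the post, because lines that are neither a port row nor a `|` script row (NSE banners, MAC address, OS details, traceroute) simply do not match either pattern.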
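A second added example, also not from the post: the `lsaenumsid` listing only becomes readable once you know the structure of a SID. `S-1-5-21-a-b-c` is the machine or domain identifier, the final number is the RID of one principal, and RIDs below 1000 are reserved (500 Administrator, 501 Guest), which is why `-501` resolved to `TEST01\Guest` without any lookup. This Python script decodes each SID, groups the RIDs by their owning domain SID and labels the well-known ones. The sample listing is copied from the post; the well-known SID and RID tables are the documented Windows values (English names, whereas the post's rpcclient output shows the Italian localisation: SERVIZIO DI RETE is NETWORK SERVICE, SERVIZIO LOCALE is LOCAL SERVICE, SERVIZIO is SERVICE); the function names and the category labels are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the lsaenumsid listing from the post, one SID per line.
SAMPLE_SIDS = """\
S-1-5-6
S-1-5-4
S-1-5-32-545
S-1-5-32-544
S-1-5-32
S-1-5-21-1004336348-854245398-725345543-501
S-1-5-21-1004336348-854245398-725345543-1004
S-1-5-21-1004336348-854245398-725345543-1002
S-1-5-21-1004336348-854245398-725345543
S-1-5-20
S-1-5-19
S-1-1-0
"""

# Documented well-known SIDs (English names; the post's output shows Italian ones).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32": "BUILTIN",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Documented reserved RIDs inside a machine or domain SID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a SID string into revision, identifier authority and sub-authorities."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    info = {"sid": sid, "revision": revision, "authority": authority,
            "subauthorities": subs, "domain": None, "rid": None}
    # NT authority (5), first sub-authority 21 and three 32-bit values identify a
    # machine or domain; a fifth sub-authority, if present, is the principal's RID.
    if authority == 5 and subs[:1] == [21] and len(subs) >= 4:
        info["domain"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        if len(subs) == 5:
            info["rid"] = subs[4]
    return info


def classify(sid):
    """Return (kind, label) describing what one SID refers to."""
    if sid in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[sid])
    info = parse_sid(sid)
    if info["domain"] is None:
        return ("other", sid)
    rid = info["rid"]
    if rid is None:
        return ("domain", info["domain"])
    if rid in WELL_KNOWN_RIDS:
        return ("builtin-rid", WELL_KNOWN_RIDS[rid])
    if rid >= 1000:
        # RIDs from 1000 upwards are allocated to accounts created on the system.
        return ("created-rid", f"account created on this system (RID {rid})")
    return ("reserved-rid", f"reserved RID {rid}")


def summarize(text):
    """Group the RIDs of an lsaenumsid listing by the domain/machine SID they belong to."""
    by_domain = defaultdict(list)
    for line in text.split():
        info = parse_sid(line)
        if info["domain"] and info["rid"] is not None:
            by_domain[info["domain"]].append(info["rid"])
    return dict(by_domain)


if __name__ == "__main__":
    for sid in SAMPLE_SIDS.split():
        kind, label = classify(sid)
        print(f"{sid:<48} {kind:<13} {label}")
    print(summarize(SAMPLE_SIDS))
```

Run against the post's listing, the only SIDs left to look up with `lookupsids` are the `created-rid` ones (1002 and 1004 here), since everything else is already known from the number alone.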