Network Enumeration

NMAP

# Alive hosts
nmap -sn 10.0.0.0/24	

# scan the 1024 most common ports, run OS detection, run default nmap scripts
nmap -A -oA nmap <targetip>	

# Scan more deeply, scan all 65535 ports on $targetip with a full connect scan
nmap -v -sT <targetip> -p- 

# more options
nmap -sV -sC -v -A <targetip> -p- 
nmap -sT -sV -A -O -v -p 1–65535 <targetip> 

# my preference
nmap -sV -sC -v -oA output <targetip>
nmap -p- -v <targetip>


------------------------

SMB

Port 139 and 445- SMB/Samba shares
Samba is a service that enables the user to share files with other machines
works the same as a command line FTP client, may browse files without even having credentials

# Share List:
smbclient --list <targetip>
smbclient -L <targetip>

# Check SMB vulnerabilities:
nmap --script=smb-check-vulns.nse <targetip> -p445

# basic nmap scripts to enumerate shares and OS discovery
nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse

# Connect using Username
root@kali:~# smbclient -L <targetip> -U username -p 445

# Connect to Shares
smbclient \\\\<targetip>\\ShareName
smbclient \\\\<targetip>\\ShareName -U john

# enumarete with smb-shares, -a “do everything” option
enum4linux -a 192.168.1.120

# learn the machine name and then enumerate with smbclient
nmblookup -A 192.168.1.102
smbclient -L <server_name> -I 192.168.1.105

# rpcclient - Connect with a null-session (only works for older windows servers)
rpcclient -U james 10.10.10.52
rpcclient -U "" 192.168.1.105
(press enter if asks for a password)
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumalsgroups domain
rpcclient $> lookupnames administrators
rpcclient> querydominfo
rpcclient> enumdomusers
rpcclient> queryuser john

# scan for vulnerabilities with nmap
nmap --script "vuln" <targetip> -p139,445

------------------------

SMTP

# telnet or netcat connection
nc <targetip> 25
VRFY root
# Check for commands
nmap -script smtp-commands.nse <targetip>

------------------------

Port 111 - RPC

Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC:

rpcbind -p <targetip>
rpcinfo –p x.x.x.x

# using nmap, see which port NFS is listening
locate *rpc*.nse
nmap --script rpcinfo.nse <targetip> -p 111

-------------------------

NFS

# to find the public share
locate *nfs*.nse
nmap --script nfs-showmount.nse <targetip>

# mount the share to a folder under /tmp
mkdir /tmp/nfs
/sbin/mount.nfs <targetip>:/home/box /tmp/nfs

PreviousMy Web Recon Checklist NextPort Scanning

Last updated 5 years ago

Was this helpful?

NMAP # Alive hosts nmap -sn 10.0.0.0/24 # scan the 1024 most common ports, run OS detection, run default nmap scripts nmap -A -oA nmap <targetip> # Scan more deeply, scan all 65535 ports on $targetip with a full connect scan nmap -v -sT <targetip> -p- # more options nmap -sV -sC -v -A <targetip> -p- nmap -sT -sV -A -O -v -p 1–65535 <targetip> # my preference nmap -sV -sC -v -oA output <targetip> nmap -p- -v <targetip> ------------------------ SMB Port 139 and 445- SMB/Samba shares Samba is a service that enables the user to share files with other machines works the same as a command line FTP client, may browse files without even having credentials # Share List: smbclient --list <targetip> smbclient -L <targetip> # Check SMB vulnerabilities: nmap --script=smb-check-vulns.nse <targetip> -p445 # basic nmap scripts to enumerate shares and OS discovery nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse # Connect using Username root@kali:~# smbclient -L <targetip> -U username -p 445 # Connect to Shares smbclient \\\\<targetip>\\ShareName smbclient \\\\<targetip>\\ShareName -U john # enumarete with smb-shares, -a “do everything” option enum4linux -a 192.168.1.120 # learn the machine name and then enumerate with smbclient nmblookup -A 192.168.1.102 smbclient -L <server_name> -I 192.168.1.105 # rpcclient - Connect with a null-session (only works for older windows servers) rpcclient -U james 10.10.10.52 rpcclient -U "" 192.168.1.105 (press enter if asks for a password) rpcclient $> srvinfo rpcclient $> enumdomusers rpcclient $> enumalsgroups domain rpcclient $> lookupnames administrators rpcclient> querydominfo rpcclient> enumdomusers rpcclient> queryuser john # scan for vulnerabilities with nmap nmap --script "vuln" <targetip> -p139,445 ------------------------ SMTP # telnet or netcat connection nc <targetip> 25 VRFY root # Check for commands nmap -script smtp-commands.nse <targetip> ------------------------ Port 111 - RPC Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC: rpcbind -p <targetip> rpcinfo –p x.x.x.x # using nmap, see which port NFS is listening locate *rpc*.nse nmap --script rpcinfo.nse <targetip> -p 111 ------------------------- NFS # to find the public share locate *nfs*.nse nmap --script nfs-showmount.nse <targetip> # mount the share to a folder under /tmp mkdir /tmp/nfs /sbin/mount.nfs <targetip>:/home/box /tmp/nfs