Network Enumeration

NMAP

# Alive hosts
nmap -sn 10.0.0.0/24	

# scan the 1024 most common ports, run OS detection, run default nmap scripts
nmap -A -oA nmap <targetip>	

# Scan more deeply, scan all 65535 ports on $targetip with a full connect scan
nmap -v -sT <targetip> -p- 

# more options
nmap -sV -sC -v -A <targetip> -p- 
nmap -sT -sV -A -O -v -p 1–65535 <targetip> 

# my preference
nmap -sV -sC -v -oA output <targetip>
nmap -p- -v <targetip>


------------------------

SMB

Port 139 and 445- SMB/Samba shares
Samba is a service that enables the user to share files with other machines
works the same as a command line FTP client, may browse files without even having credentials

# Share List:
smbclient --list <targetip>
smbclient -L <targetip>

# Check SMB vulnerabilities:
nmap --script=smb-check-vulns.nse <targetip> -p445

# basic nmap scripts to enumerate shares and OS discovery
nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse

# Connect using Username
root@kali:~# smbclient -L <targetip> -U username -p 445

# Connect to Shares
smbclient \\\\<targetip>\\ShareName
smbclient \\\\<targetip>\\ShareName -U john

# enumarete with smb-shares, -a “do everything” option
enum4linux -a 192.168.1.120

# learn the machine name and then enumerate with smbclient
nmblookup -A 192.168.1.102
smbclient -L <server_name> -I 192.168.1.105

# rpcclient - Connect with a null-session (only works for older windows servers)
rpcclient -U james 10.10.10.52
rpcclient -U "" 192.168.1.105
(press enter if asks for a password)
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumalsgroups domain
rpcclient $> lookupnames administrators
rpcclient> querydominfo
rpcclient> enumdomusers
rpcclient> queryuser john

# scan for vulnerabilities with nmap
nmap --script "vuln" <targetip> -p139,445

------------------------

SMTP

# telnet or netcat connection
nc <targetip> 25
VRFY root
# Check for commands
nmap -script smtp-commands.nse <targetip>

------------------------

Port 111 - RPC

Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC:

rpcbind -p <targetip>
rpcinfo –p x.x.x.x

# using nmap, see which port NFS is listening
locate *rpc*.nse
nmap --script rpcinfo.nse <targetip> -p 111

-------------------------

NFS

# to find the public share
locate *nfs*.nse
nmap --script nfs-showmount.nse <targetip>

# mount the share to a folder under /tmp
mkdir /tmp/nfs
/sbin/mount.nfs <targetip>:/home/box /tmp/nfs







Last updated