Monday 14 August 2023

CyberSec - eJPT

Information gathering

Collecting info about what we are targeting (company, website/URL/IP, app, servers, people etc)

The scope can be wide or narrow.


People info gathering 

Names and the email address format are what we usually want for a phishing attack

We can also look at social media: LinkedIn, Facebook, Instagram etc.


Passive info gathering aka OSINT (open source intelligence)

We don't need permission because it's publicly available information.

Get as much as we can without actively engaging the target; it is all publicly available, open source intel.

Visit public websites

examples:

  • IP ranges and DNS info
  • Domain names and ownership info
  • Subdomains
  • Email and social media
  • Web tech being used on target sites (IIS, nginx etc)


Penetration testing method

Passive info gathering (OSINT, DNS/IP recon, social media, Google)

Active info gathering (network/app/port scanning, calling up asking for info)

Enumeration (service/user/share enumeration)

Vulnerability scanning

Exploitation (use existing, modify or develop exploit)

Post exploitation 

  • Local enumeration from the inside
  • Privilege escalation
  • Credential access 
  • Persistence 
  • Defense evasion
  • Lateral movement

Reporting (writing of report / recommendation on remediation) 


Active info gathering

We need permission

Scanning IP ranges

Scanning IPs for open ports (nmap/Nessus)

Ports can tell us about services and we can look for vulns

Discovering open ports

examples:

  • nmap scan to discover open ports
  • Nessus scan to discover vulnerabilities
  • Enumerating info from target systems

Website recon and footprinting
  • IP addresses
  • Directories hidden from search engines


Host command (in Kali)
host website.com
website.com has address 10.10.10.10
website.com has IPv6 address 2axx:4xx:1xx:4xxx::2
website.com mail is handled by 5 esa.website.com.
website.com mail is handled by 10 esa2.website.com.
website.com mail is handled by 15 esa3.website.com.

Often we might see a website sitting behind a proxy like Cloudflare, in which case the address returned is the proxy's.

Robots.txt
Robots.txt is read by search engines and we can tell them directories not to crawl.

Browse to www.website.com/robots.txt

User-agent: *
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-admin/

Sitemap: https://www.website.ie/sitemap.xml
Sitemap: https://www.website.ie/sitemap.rss

We can see they disallow /wp-admin/; that wp-admin folder tells us it's a WordPress site.
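An added example, not part of the course notes: a small robots.txt parser that pulls out the Disallow paths and sitemaps and applies the same wp-admin means WordPress reasoning. The sample file is constructed, and the platform prefix table is my own assumption.

```python
"""Parse a robots.txt into per-agent Allow/Disallow rules and Sitemap URLs.

Added example for these notes (not from the course). Anything listed here is
public by design, so for a defender it is a list of paths that will be looked
at first, not a way to hide them.
"""

# Constructed sample, modelled on the WordPress-style robots.txt quoted in the notes.
SAMPLE_ROBOTS = """\
User-agent: *
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-admin/

User-agent: Googlebot
Disallow: /private-reports/   # comment: hand-written sample entry

Sitemap: https://www.website.ie/sitemap.xml
Sitemap: https://www.website.ie/sitemap.rss
"""

# Assumed prefix-to-platform hints (my own table, not from the notes).
PLATFORM_HINTS = {"/wp-admin/": "WordPress", "/wp-content/": "WordPress",
                  "/administrator/": "Joomla", "/sites/default/": "Drupal"}


def parse_robots(text):
    """Return {"groups": {agent: {"allow": [...], "disallow": [...]}}, "sitemaps": [...]}.

    Consecutive User-agent lines form one group that shares the rules that follow.
    Comments after '#' are stripped; unknown directives are ignored.
    """
    groups, sitemaps = {}, []
    current = []            # agents the following Allow/Disallow lines apply to
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")      # split on the FIRST colon only (URLs contain ':')
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not last_was_agent:
                current = []                     # a new group starts here
            current.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
            last_was_agent = True
            continue
        last_was_agent = False
        if key == "sitemap":
            sitemaps.append(value)
        elif key in ("allow", "disallow") and value:
            for agent in current:
                groups[agent][key].append(value)
    return {"groups": groups, "sitemaps": sitemaps}


def hidden_paths(parsed):
    """Every Disallow path across all agents, in file order, without duplicates."""
    seen, out = set(), []
    for group in parsed["groups"].values():
        for path in group["disallow"]:
            if path not in seen:
                seen.add(path)
                out.append(path)
    return out


def platform_hints(parsed):
    """Platforms suggested by known admin/content prefixes (the wp-admin reasoning)."""
    paths = hidden_paths(parsed) + [p for g in parsed["groups"].values() for p in g["allow"]]
    return sorted({name for path in paths
                   for prefix, name in PLATFORM_HINTS.items() if path.startswith(prefix)})


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    print("disallowed:", hidden_paths(parsed))
    print("sitemaps:", parsed["sitemaps"])
    print("platform hints:", platform_hints(parsed))
```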

Sitemap.xml
Sitemap is again for search engines to index the site.

Firefox plugin BuiltWith
This plugin shows what's running on the site, including widgets and plugins

Whatweb (kali)
whatweb website.ie

Download the full website with HTTrack
HTTrack (Windows and Linux) lets us look at the source code offline.

Whois (in Kali, also on many websites) - looking up the registration details of a domain
Main info to gather from the whois output:
Registrar: what registrar the domain was registered with
Updated Date: when the domain was renewed
Created Date: when it was created
Registry Expiry Date: when the domain will expire
Name Server: can point to a proxy like Cloudflare
DNSSEC: we might see the owner of the domain unless DNSSEC is enabled

whois zonetransfer.me

https://who.is (useful website for running whois lookups)

whois x.x.x.x (where x.x.x.x is public IP)

Website footprinting with netcraft
netcraft.com is a web tool which gathers lots of the passive recon information for us in one location

DNS recon
dnsrecon -d domain.com

dnsdumpster.com - free website which organises the same information nicely

We can see name servers, SRV, TXT and MX records, and subdomains

WAF detection with WAFW00F (Kali)
WAF is a web application firewall
WAFW00F is a WAF fingerprinting tool
wafw00f https://zonetransfer.me

Subdomain enumeration with sublist3r (Kali)
Sublist3r checks the search engines to see if a subdomain was indexed at some stage

sublist3r -d domain.com -e google,yahoo
sublist3r -d domain.com (this will search with all search engines)

Keep in mind results won't be 100% but very useful.
It will make lots of requests to the engines so you may need a VPN to change connection to get it to work.

Google Dorks aka Google hacking
site:domain.com
site:domain.com inurl:admin (look for an admin panel)
site:domain.com inurl:forum (look for a forum)
site:*.domain.com (show all the subdomains)
Sometimes subdomains are publicly available that shouldn't be

site:*.domain.com intitle:admin (look for an admin page)

site:*.domain.com filetype:pdf (look for pdf files)

site:*.domain.com employees
site:*.domain.com team

intitle:"index of" (look for directory listings)

Looking for older versions of the website for information like names, email addresses etc.
cache:domain.com
The Wayback Machine (archive.org)

Looking for leaked usernames and passwords
inurl:auth_user_file.txt
inurl:passwd.txt

Google hacking database (https://www.exploit-db.com/google-hacking-database)
look up google dorks for wordpress for example

Email harvesting with theHarvester (Kali)
Searches search engines and sites like LinkedIn and several other websites

Spyse - paid site worth considering


Leaked password databases
When we find email addresses, check if their data has been leaked at some stage
Quick way to check if an email you found is in a data breach
https://haveibeenpwned.com/

DNS zone transfers
A DNS server is like a phone directory: a list of hostnames mapped to IP addresses
Cloudflare: 1.1.1.1
Google: 8.8.8.8

DNS record types
A - Resolves hostname to IPv4 address
AAAA - Resolves hostname to IPv6 address
NS - The domain's name server
MX - Where the email server is
CNAME - Aliases
TXT - Text info, often used to prove ownership of a domain
HINFO - Host information
SOA - Start of authority for the domain
SRV - Service records
PTR - Resolves IP to hostname

DNS Interrogation
Probe the DNS server for more info

DNS zone transfer
Admins may want to copy or transfer zone files from one DNS server to another. The process is known as a zone transfer.

If left misconfigured we can attempt a zone transfer from the primary DNS server to another server.
A DNS zone transfer can provide pentesters with a holistic view of an organization's network layout.
Internal network addresses may be found on the org's DNS servers.

dnsrecon -d zonetransfer.ie

Active:
dnsenum zonetransfer.ie

Zone transfer with dig
dig axfr @[name-server] [domain]
dig axfr @ns2cm1.digi.ninja zonetransfer.me

Brute force domains with fierce
fierce -dns zonetransfer.me

Network mapping
  • IP range / subnets (so we can scan)
  • How many hosts (we can see how many are up and the max possible)
  • What client/server OS are they running
  • What network devices do they have, what vendor/SW versions are running
  • Can we find a DMZ?
  • Find what ports are open

Host discovery with nmap
-sn: ping sweep (host discovery only), but may be blocked by firewalls; follow with
-Pn: skip host discovery and port scan the hosts anyway

--send-ip overrides ARP (don't use ARP, use ICMP etc.)

The idea is to gather IP's with a ping sweep, then run port scans on the IPs we see are up.

Some hosts won't respond to ping, or it will be blocked by a hardware or software firewall. For this reason we need to try a few methods and put it all together:

  • Ping (ICMP echo)
  • TCP SYN (half open scan or stealth scan in nmap)
  • ARP
  • TCP ACK (send an ACK to a host; if we get a TCP RST back we know it's up)
  • TCP SYN-ACK (similar to above)
  • UDP (longer shot / specific use cases, often UDP won't respond)

ICMP
Echo request: type 8, code 0
Echo reply: type 0, code 0

8 = request
0 = reply
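As an added example (mine, not from the course), the ICMP echo header that a ping sweep relies on, built and checked in Python with the RFC 1071 checksum. Nothing is sent on the wire; the packets only exist in memory.

```python
"""ICMP echo request/reply (type 8 / type 0, code 0) built and checked in pure Python.

Added example for these notes (not from the course). Packets are only built in
memory, nothing is sent; the point is the header layout and the RFC 1071 checksum
that every echo request and reply carries.
"""
import struct

ICMP_ECHO_REQUEST = 8   # type 8 = echo request (what a ping sweep sends)
ICMP_ECHO_REPLY = 0     # type 0 = echo reply  (what an "up" host sends back)
HEADER_FMT = "!BBHHH"   # type, code, checksum, identifier, sequence (8 bytes)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Return header + payload with the checksum field filled in (code is always 0)."""
    draft = struct.pack(HEADER_FMT, icmp_type, 0, 0, ident, seq) + payload
    return struct.pack(HEADER_FMT, icmp_type, 0, icmp_checksum(draft), ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Decode the header; a packet is intact when the checksum over all of it is 0."""
    if len(packet) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short for an ICMP header")
    icmp_type, code, _csum, ident, seq = struct.unpack(HEADER_FMT, packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """True when reply is an intact type 0/code 0 answer to request (same id, seq, data)."""
    q, r = parse_echo(request), parse_echo(reply)
    return (q["type"] == ICMP_ECHO_REQUEST and r["type"] == ICMP_ECHO_REPLY
            and r["code"] == 0 and r["checksum_ok"]
            and (q["id"], q["seq"], q["payload"]) == (r["id"], r["seq"], r["payload"]))


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcd")
    rep = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"abcd")
    print(req.hex(), parse_echo(req))
    print("reply matches request:", is_reply_to(req, rep))
```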

Netdiscover
nmap uses ping/ICMP and netdiscover uses ARP

sudo netdiscover -i eth0 -r 192.168.3.0/24

Port scanning with nmap
-Pn (don't use ping for host detection, just do the port scan on the 1000 most common ports)
nmap -Pn x.x.x.x

nmap -Pn -p- x.x.x.x (scan all ports will take a long time, can add -T4 to speed up)
nmap -Pn -p- x.x.x.x -T4

nmap -Pn -p 80 x.x.x.x (scan port 80)

nmap -Pn -p1-10  x.x.x.x (scan a range)

nmap -Pn -F x.x.x.x (fast scan of commonly used ports)

nmap -Pn -sU x.x.x.x (use UDP)

Scan a range 
nmap -sn 192.168.1.0/24 --send-ip

Scan multiple targets
nmap -sn 192.168.1.30 192.168.1.40

Scan .30 to .40
nmap -sn 192.168.1.30-40

Scan a list of IPs from a file
Gather your list of in-scope IPs in a file called targets.txt
nmap -sn -iL targets.txt

Real world scan
nmap -sn -v -T4 192.168.1.10

-sn ping scan
-v verbose
-T4 timing template to increase speed

Adding on the TCP SYN and UDP discovery probes
nmap -sn -v -PS21,22,25,80,3389,445,8080,8443 -PU137,138,139 -T4 192.168.1.10


filtered generally means a firewall blocked us
closed means the port is not listening

Find IPs
Scan for open ports
Look for services
Look for service versions
Look for vulnerabilities 

service version detection
nmap -Pn -F -sV x.x.x.x (service version detection, takes longer)

-O OS detection (upper case O)
nmap -Pn -F -sV -O x.x.x.x -v

-sC (script scan to get more info)

We may need to speed up/slow down scans to avoid detection. We can use -T. Lower value is slower, higher value is faster (more chance to be detected by IPS etc).

-T 
0 paranoid
1 sneaky
2 polite
3 normal
4 aggressive
5 insane 

We can output nmap to files 
-oN scan.txt
-oX scan.xml (can be imported into Metasploit) 

Assessment Methods: footprinting + scanning

Mapping a network
define the scope
what is the most useful use of your time
how do we get on the network: physical access, site-to-site VPN or dial-in
or no help at all, in which case we must gain physical or digital access ourselves

Get on the network (physical or remote access)
sniffing 
Passive recon, watch the network, learn

ARP - resolves IP to MAC address, can arp the full subnet to learn about the network
ICMP (ping and traceroute) 
type 8 is echo request (ping) we can ping the subnet to see what responds.

Network tools
Wireshark
arp-scan
ping
fping
nmap and Zenmap

arp-scan CLI
sudo arp-scan -I eth0 192.168.3.0/24

fping CLI
fping -I eth0 -g 192.168.3.0/24 -a 2> /dev/null

This prints only the alive hosts on the screen (-a), with the errors for unreachable hosts discarded

Good idea to arp and ping the subnet.

Nmap CLI
nmap -Pn 192.168.3.0/24
nmap -sn 192.168.3.0/24
nmap also sends a TCP SYN

Wireshark
Run a capture
Run all your scans
Check hosts

Zenmap is the GUI version of nmap


Nmap OS and service detection
We can find OS and service versions with NMAP, below is how it works

Standard TCP 3WHS
open port
SYN >
SYN+ACK <
ACK >
RST+ACK >

closed port
SYN >
RST+ACK <

Stealth scan
SYN >
SYN+ACK <
RST >

In the stealth scan we don't complete the 3WHS: as soon as we get the SYN+ACK back we know the port is open and a service is responding, so we send a RST instead of the final ACK.

Service detection
SYN >
SYN+ACK <
ACK >
BANNER <   (service info here eg openssh v1.0)
RST+ACK >

In service detection we read data provided by the server.

NMAP basic switches
nmap -h (help, lots of options here)

-sV service detection
-sC default scripts
-O OS detection (upper case O)
-A aggressive mode (loud): does OS detection, version detection, script scan and traceroute
--exclude (exclude certain hosts from scanning)

Scan targets from a file
nmap -iL ip-list.txt

Skip the port scan and just send a SYN probe for host discovery (faster). -PS with no port list sends a TCP SYN to port 80.
nmap -sn -PS 10.4.23.227

Other scan tools 
Masscan - fast scanner for big networks
RustScan - written in Rust, a low-level language, so it's fast
AutoRecon - keeps scanning / doing recon automatically

Nmap Scan Techniques

SWITCH | EXAMPLE | DESCRIPTION
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default)
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privilege)
-sU | nmap 192.168.1.1 -sU | UDP port scan
-sA | nmap 192.168.1.1 -sA | TCP ACK port scan
-sW | nmap 192.168.1.1 -sW | TCP Window port scan
-sM | nmap 192.168.1.1 -sM | TCP Maimon port scan


Host Discovery

SWITCH | EXAMPLE | DESCRIPTION
-sL | nmap 192.168.1.1-3 -sL | No scan. List targets only
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap 192.168.1.1/24 -PR | ARP discovery on the local network
-n | nmap 192.168.1.1 -n | Never do DNS resolution


Port Specification

SWITCH | EXAMPLE | DESCRIPTION
-p | nmap 192.168.1.1 -p 21 | Port scan for port x
-p | nmap 192.168.1.1 -p 21-100 | Port range
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p- | nmap 192.168.1.1 -p- | Port scan all ports
-p | nmap 192.168.1.1 -p http,https | Port scan from service name
-F | nmap 192.168.1.1 -F | Fast port scan (100 ports)
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports
-p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off the initial port in the range makes the scan start at port 1
-p0- | nmap 192.168.1.1 -p0- | Leaving off the end port in the range makes the scan go through to port 65535

Service and Version Detection

SWITCH | EXAMPLE | DESCRIPTION
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on each port
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. Higher number increases possibility of correctness
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Enable light mode. Lower possibility of correctness. Faster
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

OS Detection

SWITCH | EXAMPLE | DESCRIPTION
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | If at least one open and one closed TCP port are not found it will not try OS detection against the host
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

Timing and Performance

SWITCH | EXAMPLE | DESCRIPTION
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0): Intrusion Detection System evasion
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1): Intrusion Detection System evasion
-T2 | nmap 192.168.1.1 -T2 | Polite (2): slows down the scan to use less bandwidth and less target machine resources
-T3 | nmap 192.168.1.1 -T3 | Normal (3): the default speed
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network
-T5 | nmap 192.168.1.1 -T5 | Insane (5): speeds scans; assumes you are on an extraordinarily fast network

Timing and Performance Switches

SWITCH | EXAMPLE INPUT | DESCRIPTION
--host-timeout <time> | 1s; 4m; 2h | Give up on a target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies probe round trip time
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization
--max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions
--min-rate <number> | 100 | Send packets no slower than <number> per second
--max-rate <number> | 100 | Send packets no faster than <number> per second

NSE Scripts

SWITCH | EXAMPLE | DESCRIPTION
-sC | nmap 192.168.1.1 -sC | Scan with default NSE scripts. Considered useful for discovery and safe
--script default | nmap 192.168.1.1 --script default | Scan with default NSE scripts. Considered useful for discovery and safe
--script | nmap 192.168.1.1 --script=banner | Scan with a single script. Example: banner
--script | nmap 192.168.1.1 --script=http* | Scan with a wildcard. Example: http
--script | nmap 192.168.1.1 --script=http,banner | Scan with two scripts. Example: http and banner
--script | nmap 192.168.1.1 --script "not intrusive" | Scan default, but remove intrusive scripts
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments

Useful NSE Script Examples

http site map generator:
  nmap -Pn --script=http-sitemap-generator scanme.nmap.org
Fast search for random web servers:
  nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
Brute forces DNS hostnames guessing subdomains:
  nmap -Pn --script=dns-brute domain.com
Safe SMB scripts to run:
  nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1
Whois query:
  nmap --script whois* domain.com
Detect cross site scripting vulnerabilities:
  nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
Check for SQL injections:
  nmap -p80 --script http-sql-injection scanme.nmap.org

Firewall / IDS Evasion and Spoofing

SWITCH | EXAMPLE | DESCRIPTION
-f | nmap 192.168.1.1 -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu | nmap 192.168.1.1 --mtu 32 | Set your own offset size
-D | nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 | Send scans from spoofed IPs
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained
-S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required)
-g | nmap -g 53 192.168.1.1 | Use given source port number
--proxies | nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies
--data-length | nmap --data-length 200 192.168.1.1 | Appends random data to sent packets

Output

SWITCH | EXAMPLE | DESCRIPTION
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN -, -oX - also usable
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap 192.168.1.1 -d | Increase debugging level (use -dd or more for greater effect)
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state, same output as -vv
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Shows the host interfaces and routes
--resume | nmap --resume results.file | Resume a scan

Helpful Nmap Output examples

Scan for web servers and grep to show which IPs are running web servers:
  nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open
Generate a list of the IPs of live hosts:
  nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
Append IPs to the list of live hosts:
  nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt
Compare output from two nmap scans using ndiff:
  ndiff scan1.xml scan2.xml
Convert nmap XML files to HTML files:
  xsltproc nmap.xml -o nmap.html
Reverse sorted list of how often ports turn up:
  grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less

Miscellaneous Nmap Flags

SWITCH | EXAMPLE | DESCRIPTION
-6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning
-h | nmap -h | nmap help screen

Other Useful Nmap Commands

Discovery only on ports x, no port scan:
  nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn
ARP discovery only on the local network, no port scan:
  nmap 192.168.1.1/24 -PR -sn -vv
Traceroute to random targets, no port scan:
  nmap -iR 10 -sn --traceroute
Query the internal DNS for hosts, list targets only:
  nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1
Show the details of the packets that are sent and received during a scan and capture the traffic:
  nmap 192.168.1.1 --packet-trace

Enumeration (learn more)

Before any attack we just look around. Maybe there is a misconfiguration or default passwords.

SMB - Server Message Block (windows file shares)
Runs on port 445
nmap -sV -sC 192.168.3.10 will find SMB details

Can map a drive in Windows with "net use"
net use Z: \\192.168.3.10\c$ smbpw /user:admin

Nmap scripts location:
/usr/share/nmap/scripts

ls /usr/share/nmap/scripts/ | grep smb
ls /usr/share/nmap/scripts/ | grep http

Nmap can be used to enumerate SMB

nmap -p 445 --script smb-protocols x.x.x.x 

SMBv1 is dangerous, and so are default usernames/passwords. Often we see companies still have SMBv1 enabled.

nmap -p 445 --script smb-security-mode x.x.x.x 
 

see which users are logged in
nmap -p 445 --script smb-enum-sessions  x.x.x.x

Enumerate shares via an anonymous IPC$ null session
nmap -p 445 --script smb-enum-shares x.x.x.x  

Enum shares with a username and password
nmap -p445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=secret x.x.x.x
print$ is the share for printers (printer drivers)
Sometimes important docs are left on print$

look for default and guest accounts and try the default passwords
nmap -p 445 --script smb-enum-users x.x.x.x  


nmap -p 445 --script smb-enum-domains x.x.x.x
nmap -p 445 --script smb-enum-groups x.x.x.x

smbmap -u guest -p "" -H x.x.x.x

We expect the guest account to be read only on IPC$ and print$ and to have NO access to anything else

With an account that has rights, smbmap can also:

-x 'ipconfig' (run a command)
--upload /backdoor.txt 'C$\backdoor.txt' (upload a file)
--download 'C$\loot.txt' (download a file)



Other linux tools for SMB
nmap x.x.x.x -sV -p 139,445

msfconsole (metasploit)

use auxiliary/scanner/smb/smb_version
show options
set Rhosts x.x.x.x
run 
exit

use auxiliary/scanner/smb/smb2
show options
set Rhosts x.x.x.x

nmblookup -A x.x.x.x

Uses NetBIOS; a <20> entry (file server service) means we can connect

smbclient -L x.x.x.x -n

rpcclient -U '' -N x.x.x.x

enum4linux -o x.x.x.x

Enumeration is all about finding information to use again later, for example we can find out who has access to a certain folder and then target that user.

Connecting with word lists when we don't have passwords
use auxiliary/scanner/smb/smb_login
info
show options
set Rhosts x.x.x.x
set pass_file /usr/share/wordlist.txt
set smbuser bob
run 

Hydra
gzip -d /usr/share/wordlists/rockyou.txt.gz
hydra -l admin -P /usr/share/wordlists/rockyou.txt x.x.x.x smb
smbmap -H x.x.x.x -u admin -p Password01

Other services and pipes
Lots of other services use SMB and they connect via "pipes".
If we know what to look for we can get info from the other services.

use auxiliary/scanner/smb/pipe_auditor
info
show options
set Rhosts x.x.x.x
set smbuser bob
set smbpassword
options
run 

Named pipes returned 
\netlogon
\lsarpc
\samr
\eventlog
\initshutdown
\ntsvcs
\srvsvc
\wkssvc

Maybe we can use this info later

FTP (TCP port 21)

nmap -p 21 -sV -O 192.168.1.100

ftp in cmd prompt
ftp 192.168.1.100
Try nothing for username and password (anon login)

Hydra
hydra -l <username> -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.168.1.100 ftp

nmap 192.168.1.100 --script ftp-brute --script-args userdb=/root/users -p 21

The file in /root called users contains a username list

FTP anon login with nmap
nmap 192.168.1.100 -p 21 --script ftp-anon 
username: anonymous
password: (blank)

SSH (TCP 22)
nmap 192.168.1.100 -sV -O
You may see SSH ver and hosting server ver

ssh root@192.168.1.100

nc 192.168.1.100 22

You may get a banner/welcome message 

Check algorithms
nmap 192.168.1.100 -p 22 --script ssh2-enum-algos
some other scripts
ssh-hostkey
--script-args ssh-hostkey=full

--script ssh-auth-methods --script-args="ssh.user=student" 
(can try username admin, root, etc)

SSH brute force

Unzip the rockyou pw list
gzip -d /usr/share/wordlists/rockyou.txt.gz

Run hydra
hydra -l student -P /usr/share/wordlists/rockyou.txt 192.168.1.100 ssh

Hydra may return a password found in the list

echo "administrator" > user

nmap 192.168.1.100 -p 22 --script ssh-brute --script-args userdb=/.../user

msfconsole
use auxiliary/scanner/ssh/ssh_login
show options 
set rhosts 192.168.1.100
set userpass_file /usr/share/.../root_userpass.txt
set STOP_ON_SUCCESS true
set verbose true
options (to show all options)
run

ssh root@192.168.1.100
ls
whoami

HTTP
Lets say the scan returns port 443 we know https is running

Can check for a site in the web browser

nmap 192.168.1.100 -sV -O
MS IIS 10.0
MS RPC
MS Netbios

whatweb 192.168.1.100

http-py sends https request and returns header and other info in the output

browsh --startup-url http://192.168.1.100/home.aspx

You can enum a lot of stuff with dirb
dirb http://192.168.1.100

dirb will run for a long time check for any directories with access 

Enumerate http with nmap 
nmap 192.168.1.100 -sV -p 80 --script http-enum http-headers

Msfconsole 
use auxiliary/scanner/http/http_version
set rhosts 192.168.1.100
options 
run

curl
curl 192.168.1.100 | more
curl http://192.168.1.100/cgi-bin | more

Text based browsers
browsh and lynx are very similar text-based browsers

Brute force directories 
msfconsole 
use auxiliary/scanner/http/brute_dirs
show options 
set rhosts 192.168.1.100 
options
exploit

will look for directories 

Robots.txt
msfconsole 
use auxiliary/scanner/http/robots_txt
set rhosts 192.168.1.100 
options
run

MySQL
Say our nmap scan returned 3306
mssql port is 1433

nmap 192.168.1.100 -sV -p 3306 

mysql -h 192.168.1.100 -u root
show databases;
use books;
select count(*) from authors;
select * from authors;
help
mysql commands end with ;

msfconsole 
use auxiliary/scanner/mysql/mysql_writable_dirs
show options 
set rhosts 192.168.1.100 
set dir_list /usr/share/...dirs.txt
set verbose false
set password ""
options
run

msfconsole 
use auxiliary/scanner/mysql/mysql_login
options 


Get hashes for users
msfconsole 
use auxiliary/scanner/mysql/mysql_hashdump
options
exploit

nmap
nmap -p 3306 --script=mysql-empty-password 192.168.1.100

more scripts
mysql-info
mysql-users
mysql-databases
mysql-variables
data dir /var/lib/mysql
mysql-audit
mysql-query

hydra -l root -P passwords.txt 192.168.1.100 mysql


Enumeration recap
Spot common ports/apps
Find all the info publicly available 

NMAP scripts intro
Nmap scripting engine (NSE)

Syn scan
Version scan
OS scan
all ports
timing profile T4
nmap -sS -sV -O -p- -T4 192.168.1.10

NMAP is open source and has many scripts already created 
/usr/share/nmap/scripts

extension is .nse and they are written in the Lua language

look for scripts relevant
ls /usr/share/nmap/scripts | grep http

Script scan (default)
-sC

Run a script 
--script=memcached-info

Run more than one script
--script=script1,script2

Run all scripts in a tree
--script=http-*

-A option combines OS detection, version detection and script scanning. Needs to run as root.
nmap -sS -A -p- -T4 192.168.1.100
Will take time as its running a lot of stuff


Evasion, Scan performance and output
-Pn Disable host discovery. Port scan only. Don't ping
-F fast scan just scans the top 100 ports
-sS TCP SYN scan

nmap -Pn -sS -F 192.168.1.10

When we scan if we see "filtered" we can assume there is a firewall blocking 

Fragmenting 
Breaking up your packets to evade detection

-f fragmentation option, packets get fragmented
We can give an MTU option
-f --mtu 32 (only packets larger than 32 bytes will be fragmented)
-f --mtu 8 (you should see they are fragmented)

Spoofing your source 
We can spoof our source IP. If we run a scan from a client it might trigger an alarm or look strange to IT staff. We can pretend to send our traffic from the gateway.

-D is for a decoy IP
nmap -Pn -sS -sV -p 445,3389 -f --data-length 200 -D 192.168.1.1

Appear to come from the gateway

Optimizing nmap scans 

We can speed up scans to reduce how long they take to complete, however this may cause IDS systems to alert. We can slow down scans for old networks and also to evade detection

-T 
0 paranoid
1 sneaky
2 polite
3 normal
4 aggressive
5 insane 

--scan-delay 5s (delay between probes)
15s is a good value but scan will take a long time

--host-timeout 5s (if it does not respond in 5 seconds move on)
30s is a good option for larger networks, too low and you miss slow to respond hosts

Combining fragmentation with decoy IPs and timing templates your scans can slip under the radar of IDS systems.

NMAP output formats

Good idea to log every action you take in case you cause an issue.
Good idea to log scans so you don't have to keep running the same scans over and over

We can output nmap to files 
-oN scan.txt (same as it comes out of terminal, can use grep on that file later but other formats may be better for that kind of work)
-oX scan.xml (can be imported into Metasploit) 
-oS script kiddie format, just a joke that replaces open with op3n; can ignore this one
-oG nmap_grep.txt (greppable format so data can be manipulated with sed/awk etc. It lists each host on one line so its easier to use cut/sed/awk etc on the data)
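As an added example (mine, not from the course or from nmap), a small parser for the greppable format that does in Python what the sed/awk pipelines above do: one host per line, ports split into state/service/version, and a count of how often each open port turns up. The scan text in the block is constructed by hand so it runs offline.

```python
"""Parse nmap greppable (-oG) output into per-host port records.

Added example for these notes, not from the course or from nmap. The scan text
below is constructed by hand to mimic real -oG lines (tab-separated fields,
ports as port/state/proto/owner/service/rpc/version/).
"""
import re
from collections import Counter

# Constructed sample, not a real scan result.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.1.20 (fileserver.lan)\tStatus: Up
Host: 192.168.1.20 (fileserver.lan)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# port/state/proto/owner/service/rpc-info/version/ (seven slash-terminated fields)
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")
HOST_RE = re.compile(r"^Host: (\S+) \((.*)\)$")


def parse_ports(field):
    """Turn the text after 'Ports: ' into a list of port dicts; skip malformed entries."""
    ports = []
    for entry in field.split(", "):
        m = PORT_RE.match(entry.strip())
        if not m:
            continue
        port, state, proto, _owner, service, _rpc, version = m.groups()
        ports.append({"port": int(port), "state": state, "proto": proto,
                      "service": service, "version": version})
    return ports


def parse_gnmap(text):
    """Return {ip: {"hostname", "ports", "ignored"}}; one host may span several lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # comment lines and blanks
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.groups()
        host = hosts.setdefault(ip, {"hostname": hostname, "ports": [], "ignored": None})
        for f in fields[1:]:
            if f.startswith("Ports: "):
                host["ports"].extend(parse_ports(f[len("Ports: "):]))
            elif f.startswith("Ignored State: "):
                host["ignored"] = f[len("Ignored State: "):]   # e.g. "closed (997)"
    return hosts


def open_ports(hosts, ip):
    """Sorted open port numbers for one host."""
    return sorted(p["port"] for p in hosts[ip]["ports"] if p["state"] == "open")


def port_frequency(hosts, state="open"):
    """How often each (port, proto) turns up in the given state across all hosts,
    the same idea as the grep | sort | uniq -c pipeline in the notes."""
    counts = Counter()
    for h in hosts.values():
        for p in h["ports"]:
            if p["state"] == state:
                counts[(p["port"], p["proto"])] += 1
    return counts


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_OG)
    for ip, h in hosts.items():
        print(ip, h["hostname"] or "-", "open:", open_ports(hosts, ip), "ignored:", h["ignored"])
    print(port_frequency(hosts).most_common())
```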

Start DB for Metasploit (we need the DB running)
service postgresql start

Start Metasploit
msfconsole

Create a workspace, you may have several scans ongoing for different customers/projects
workspace -a PENTEST1

Confirm the DB connection is working
db_status 

Import the scan data
db_import scan.xml

List the hosts (you will see all the info gathered from nmap is available in Metasploit)
hosts

List the services
services 

We can run nmap from Metasploit and it will automatically update the DB in Metasploit
db_nmap -Pn -sS -sV -O -p 445 192.168.1.100

Most of the time you would export in the normal .txt or .xml format 

Scanning UDP ports
Don't forget some services are running on UDP
53
177
161
69

Scan a range
nmap -p 1-250 -sU x.x.x.x

Get more details on ports found like service version
nmap x.x.x.x -p 134,177,234 -sUV


Summary of foot printing and scanning
  • Scan a target network with nmap
  • Build a picture of their network
  • Discover hosts
  • Discover listening ports on those hosts
  • Discover services running on those ports
  • Discover the version of those services running on those ports
  • Discover the OS version running on target hosts
  • Enumerate SMB with nmap
  • Know about nmap scripts in /usr/share/nmap/scripts 
  • Evade IDS with fragmentation, spoofing and timing templates 
  • Output your scan results
  • Import .xml into a workspace in metasploit
  • nmap can be run from Metasploit
  • Don't forget about UDP ports
