
Active Information Gathering

DNS Enumeration

host

host to find A record

host www.megacorpone.com

host to find MX or TXT records

host -t mx megacorpone.com
host -t txt megacorpone.com

Bash one-liner to resolve a list of hostname prefixes (the second form hides names that do not resolve)

for ip in $(cat list.txt); do host $ip.megacorpone.com; done
for ip in $(cat list.txt); do host $ip.megacorpone.com; done | grep -v "not found"

DNSRecon

dnsrecon -d megacorpone.com -t std

Bruteforce list of subdomain strings

dnsrecon -d megacorpone.com -D ~/list.txt -t brt

DNSEnum

dnsenum megacorpone.com

Enumerate with Gobuster

gobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50

nslookup

A Record enumeration

nslookup mail.megacorptwo.com

TXT Record enumeration

nslookup -type=TXT info.megacorptwo.com 192.168.50.151

TCP/UDP Port Scanning Theory

netcat

Scan specific ports

nc -nvv -w 1 -z 192.168.50.152 3388-3390

Scan specific UDP ports

nc -nv -u -z -w 1 192.168.50.149 120-123

nmap Port Scanning

SYN stealth scan

sudo nmap -sS IP

TCP scan

nmap -sT IP

UDP scan

sudo nmap -sU -sS IP
sudo nmap -F -sU -sV $IP

Aggressive scan

nmap -T4 -p- -A 192.168.5.0/24

Skip host discovery (no ping) and use a minimum packet rate

nmap -p- --min-rate 1000 $IP -Pn

Save output in greppable format (-oG) for later filtering

nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt

Check top ports (aggressive scan)

nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
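The -oG files written by the ping sweep and top-port sweep above (and by the SMB and SNMP scans further down) share nmap's grepable format: one tab-separated "Host:" line per target, with a "Ports:" field of port/state/proto/owner/service/rpc/version entries separated by commas. As an added example, not part of the original notes, the shell functions below parse such a file into "host port proto service" lines for open ports; the sample file they run over is constructed.

```shell
#!/bin/sh
# Parse nmap grepable (-oG) output into "host port proto service" lines for open ports.
# Added example, not part of the original notes; the sample data below is constructed.

# write_sample FILE : write a constructed -oG file in the layout nmap produces
# (fields tab-separated, one "Host:" line for status and one for ports).
write_sample() {
    printf '# Nmap 7.94 scan initiated as: nmap -sT --top-ports=20 -oG top-port-sweep.txt 192.168.50.1-253\n' > "$1"
    printf 'Host: 192.168.50.151 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 192.168.50.151 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//Apache httpd 2.4/, 443/closed/tcp//https///\tIgnored State: filtered (17)\n' >> "$1"
    printf 'Host: 192.168.50.152 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 192.168.50.152 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Windows Server/\tIgnored State: closed (18)\n' >> "$1"
    printf '# Nmap done -- 253 IP addresses (2 hosts up) scanned in 5.12 seconds\n' >> "$1"
}

# open_ports FILE : print "host port proto service" for every open port in a -oG file.
# Port entries are "port/state/proto/owner/service/rpc/version", separated by ", ";
# a version string that itself contains ", " would be mis-split (rare, but check odd output).
open_ports() {
    awk -F'\t' '
        /^Host:/ && $2 ~ /^Ports:/ {
            split($1, h, " ")                 # h[2] is the IP address
            sub(/^Ports: /, "", $2)
            n = split($2, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") print h[2], f[1], f[3], f[5]
            }
        }' "$1"
}

# count_open FILE : number of open ports found (quick triage figure)
count_open() { open_ports "$1" | wc -l | tr -d ' '; }

# Demo: build the constructed sample, parse it, clean up.
sample=$(mktemp)
write_sample "$sample"
open_ports "$sample"          # prints 22/ssh and 80/http on .151, 445/microsoft-ds on .152
rm -f "$sample"
```

Point open_ports at a real sweep file (for example smb.txt from the SMB scan below) to get one line per open port instead of reading the raw nmap lines.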

Check for OS specifically

sudo nmap -O IP --osscan-guess
nmap -p <ports> -sV -sC -A $IP

Inspect service banners (aggressive)

nmap -sT -A IP
nmap --script http-headers IP

Stealth scan

nmap -sS -p- --min-rate=1000 10.11.1.229 -Pn #stealth scans

Use rustscan in conjunction with nmap

rustscan -a <target> -p 3000,3001,3002,3003 -- -sV

Autorecon

autorecon 192.168.238.156 --nmap-append="--min-rate=2500" --exclude-tags="top-100-udp-ports" --dirbuster.threads=30 -vv

Script to automate network enumeration (full port sweep first, then a service/script scan of only the open ports)

#!/bin/bash
# Two-pass scan: find open ports across all 65535, then run scripts/version detection on just those.
target="$1"
[ -z "$target" ] && { echo "Usage: $0 <target>"; exit 1; }

ports=$(nmap -p- --min-rate 1000 "$target" | grep "^ *[0-9]" | grep "open" | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
[ -z "$ports" ] && { echo "No open ports found on $target"; exit 0; }

echo "Running second nmap scan with open ports: $ports"
nmap -p "$ports" -sC -sV -A "$target"

Scanning with Windows

Port scan from Windows with Powershell (single port)

Test-NetConnection -Port PORT IP

Automate port scanning with Powershell (first 1024 ports)

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.1.151", $_)) "TCP port $_ is open"} 2>$null

SMB Enumeration

nmap scan

nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254

Check for NetBIOS information

sudo nbtscan -r 192.168.50.0/24

SMB OS discovery

nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152

Enumerate SMB from Windows with net view

net view \\dc01 /all

SMTP Enumeration

Connect manually and check which commands the server accepts (VRFY and EXPN among others)

nc -nv 192.168.50.8 25

Python script opening a TCP socket, connecting to the SMTP server and issuing a VRFY command for a given username

#!/usr/bin/python3

import socket
import sys

if len(sys.argv) != 3:
    print("Usage: vrfy.py <username> <ip>")
    sys.exit(0)

# Create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the server on the SMTP port
ip = sys.argv[2]
s.connect((ip, 25))

# Receive the banner
banner = s.recv(1024)

print(banner)

# VRFY a user (command and username are sent as bytes, terminated by CRLF)
user = (sys.argv[1]).encode()
s.send(b'VRFY ' + user + b'\r\n')
result = s.recv(1024)

print(result)

# Close socket
s.close()

Run it with:

python3 smtp.py user ip

Windows Scanning SMTP

Enumerate SMTP information from Windows

Test-NetConnection -Port 25 IP

Enumerate SMTP interactively with telnet: enable the Windows Telnet client first (it may be unavailable, or the binary may need to be transferred in)

dism /online /Enable-Feature /FeatureName:TelnetClient

Management Information Base (MIB) strings (Windows)

1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

SNMP Enumeration

nmap scanning for SNMP

sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt

onesixtyone (brute-force community strings against a list of IP addresses; community and ips are files with one entry per line)

onesixtyone -c community -i ips

snmpwalk

Tool that walks a branch of the MIB tree starting at a given OID and returns the machine information stored under it
It needs the SNMP read-only community string (usually set to public)

snmpwalk -c public -v1 -t 10 IP
snmpwalk -c public -v1 IP 1.3.6.1.2.1.35.4.2.1.2

Query all software installed on the machine

snmpwalk -c public -v1 IP 1.3.6.1.2.1.25.6.3.1.2

List all current TCP listening ports

snmpwalk -c public -v1 IP 1.3.6.1.2.1.6.13.1.3