Enumerating Servers and Services: A Dive into Network Enumeration
Recently, I successfully passed my eLearnSecurity Junior Penetration Tester (eJPT) examination, and I’m excited to share some of my notes on the crucial topic of enumeration. Enumeration is a fundamental step in penetration testing where we extract information about servers and services to identify potential vulnerabilities. In this post, I’ll focus on various enumeration techniques for different services and protocols.
SMB Enumeration
Server Message Block (SMB)
SMB is a network file-sharing protocol used primarily by Windows-based computers. Enumerating SMB can reveal valuable information about shares, users, and sessions.
- Nmap Scripts:
$ nmap -p 445 --script smb-protocols 10.10.10.10
$ nmap -p 445 --script smb-security-mode 10.10.10.10
$ nmap -p 445 --script smb-enum-sessions 10.10.10.10
$ nmap -p 445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 10.10.10.10
- SMBMap:
$ smbmap -u guest -p "" -d . -H 10.10.10.10
$ smbmap -H 10.10.10.10 -u administrator -p smbserver_771 -x 'ipconfig'
$ smbmap -H 10.10.10.10 -u administrator -p smbserver_771 --download 'c$\flag.txt'
SMB — Samba
Samba is the open-source implementation of the SMB protocol for Linux and other Unix-like systems. Enumeration can be performed using tools like Metasploit, smbclient, rpcclient, and enum4linux.
FTP Enumeration
FTP (File Transfer Protocol) runs on port 21 and can be enumerated using tools like Hydra or Nmap Scripts.
- Hydra:
$ hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 10.10.10.10 ftp
- Nmap Scripts:
$ nmap 10.10.10.10 --script ftp-brute --script-args userdb=/root/users -p 21
SSH Enumeration
Secure Shell (SSH) operates on port 22, and its enumeration involves checking algorithms, host keys, and potential weak passwords.
- Nmap Scripts:
$ nmap 10.10.10.10 -p 22 --script ssh2-enum-algos
$ nmap 10.10.10.10 -p 22 --script ssh-hostkey --script-args ssh_hostkey=full
$ nmap 10.10.10.10 -p 22 --script ssh-auth-methods --script-args="ssh.user=student"
- Hydra:
$ hydra -l student -P /usr/share/passwordlists/rockyou.txt 10.10.10.10 ssh
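The ssh2-enum-algos scan above only lists what the server advertises; deciding whether any of it is weak is the next step. The following added example (not from the original post) parses that script's output and flags algorithms on an example hardening deny-list; both the sample output and the deny-list are constructed for illustration.

```python
"""Flag weak algorithms in Nmap ssh2-enum-algos output (added example).
SAMPLE mirrors the script's layout but is constructed, not captured."""
import re

SAMPLE = """\
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-ed25519
|       ssh-rsa
|   encryption_algorithms: (2)
|       aes128-ctr
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha2-256
|_      hmac-md5
"""

# Deny-list used by this example (an assumption, not a formal standard):
# SHA-1 key exchange, SHA-1/DSA host-key signatures, 3DES/RC4, MD5/SHA-1 MACs.
WEAK = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "ssh-rsa", "ssh-dss", "3des-cbc", "arcfour", "arcfour128", "arcfour256",
    "hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
}
SECTION = re.compile(r"^(\w+): \(\d+\)$")   # e.g. "kex_algorithms: (3)"


def parse_algos(text):
    """Return {section: [algorithm, ...]} from ssh2-enum-algos output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()       # drop Nmap's table prefix
        if not line or line.startswith("ssh2-enum-algos"):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current:
            sections[current].append(line)
    return sections


def weak_algos(sections):
    """Return {section: [weak algorithms offered]}, omitting clean sections."""
    return {s: w for s, algos in sections.items()
            if (w := [a for a in algos if a in WEAK])}
```

Run it on the saved output of the scan; any non-empty result is a candidate for the server's KexAlgorithms, HostKeyAlgorithms, Ciphers and MACs settings.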
HTTP Enumeration
Enumerating HTTP involves using tools like WhatWeb, Nmap Scripts, and Metasploit for version detection, banner grabbing, and directory brute-forcing.
WhatWeb:
$ whatweb 10.10.10.10
Nmap scripts:
$ nmap 10.10.10.10 -sV -p 80 --script http-enum
$ nmap 10.10.10.10 -sV -p 80 --script http-headers
$ nmap 10.10.10.10 -sV -p 80 --script http-methods --script-args http-methods.url-path=/webdav/
Metasploit (inside msfconsole):
msf6 > use auxiliary/scanner/http/http_version
msf6 > use auxiliary/scanner/http/brute_dirs
SQL Enumeration
Enumerating SQL services involves using Nmap Scripts, MySQL command-line tools, Metasploit, and Hydra.
Nmap Scripts for MySQL:
$ nmap 10.10.10.10 -p 3306 --script=mysql-empty-password
MySQL Command-line:
$ mysql -h 10.10.10.10 -u root
Metasploit (inside msfconsole):
msf6 > use auxiliary/scanner/mysql/mysql_login
msf6 > use auxiliary/scanner/mysql/mysql_enum_sql_logins
msf6 > use auxiliary/scanner/mysql/mysql_exec
msf6 > set cmd whoami
MSSQL Enumeration
For Microsoft SQL Server (MSSQL) on Windows, Nmap Scripts, Metasploit, and Hydra can be employed.
Nmap Scripts for MSSQL:
$ nmap 10.10.10.10 -p 1433 --script ms-sql-info
$ nmap 10.10.10.10 -p 1433 --script ms-sql-brute --script-args userdb=<users_list_path>,passdb=<pass_list_path>
Metasploit (inside msfconsole):
msf6 > use auxiliary/scanner/mssql/mssql_login
msf6 > use auxiliary/admin/mssql/mssql_enum
msf6 > use auxiliary/admin/mssql/mssql_enum_sql_logins
Footprinting & Scanning
For this, you need to map the network using the following tools:
- Arp-scan
- https://www.kali.org/tools/arp-scan/
- Ping
- Fping
- https://fping.org/
- Nmap
- https://www.kali.org/tools/nmap/
- Zenmap
You should also perform a port scan to identify the OS and running services, using Nmap or one of the following tools:
- Nmap:
- To scan all ports:
nmap -p- 192.168.0.1
- To scan a single port:
nmap -p 22 192.168.1.1
- To scan a range of ports:
nmap -p 1-100 192.168.1.1
- Zenmap (the Nmap GUI; -n passes the rest of the line to Nmap as its command):
- To scan all ports:
zenmap -n nmap -p- 192.168.0.1
- To scan a single port:
zenmap -n nmap -p 22 192.168.1.1
- To scan a range of ports:
zenmap -n nmap -p 1-100 192.168.1.1
- Automator:
- To scan all ports:
automator -p- 192.168.0.1
- To scan a single port:
automator -p 22 192.168.1.1
- To scan a range of ports:
automator -p 1-100 192.168.1.1
- Masscan:
- To scan all ports:
masscan -p0-65535 -iL hosts.txt
- To scan a single port:
masscan -p22 -iL hosts.txt
- To scan a range of ports:
masscan -p1-100 -iL hosts.txt
- Rustscan (the target is given with -a; -r takes a range):
- To scan all ports:
rustscan -a 192.168.0.1 -r 1-65535
- To scan a single port:
rustscan -a 192.168.1.1 -p 22
- To scan a range of ports:
rustscan -a 192.168.1.1 -r 1-100
- AutoRecon (a full TCP port scan is part of its default workflow):
- To scan all ports:
autorecon 192.168.0.1
- To scan a single port:
autorecon -p 22 192.168.1.1
- To scan a range of ports:
autorecon -p 1-100 192.168.1.1
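Full-port scans produce a lot of output, and saving it with -oX lets you compare the result against what you expect to be exposed. The following added example (not from the original post) parses Nmap's XML output and reports open ports missing from a per-host baseline; the XML document and the EXPECTED baseline are constructed for illustration.

```python
"""Summarize Nmap XML output and flag ports outside a baseline (added example).
Reads the -oX output of a scan such as `nmap -p- -oX scan.xml 192.168.0.1`.
SAMPLE_XML is constructed and trimmed to the elements this code uses."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/>
        <service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumption: the example's own baseline of ports each host is allowed to expose.
EXPECTED = {"192.168.1.10": {22}}


def parse_open_ports(xml_text):
    """Return {ip: [(port, protocol, service description), ...]}, open ports only."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:                      # skip hosts without an IPv4 address
            continue
        ip = addr.get("addr")
        result[ip] = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                      # closed/filtered ports are not exposure
            svc = port.find("service")
            desc = " ".join(v for k in ("name", "product", "version")
                            if svc is not None and (v := svc.get(k)))
            result[ip].append((int(port.get("portid")), port.get("protocol"),
                               desc or "unknown"))
    return result


def unexpected_ports(open_ports, expected):
    """Return {ip: sorted open ports missing from the baseline}, clean hosts omitted."""
    return {ip: extra for ip, ports in open_ports.items()
            if (extra := sorted(p for p, _, _ in ports
                                if p not in expected.get(ip, set())))}
```

With the sample data, port 445 on 192.168.1.10 is reported because the baseline only allows SSH there.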
Remember to explore and customize these enumeration techniques based on your specific penetration testing scenarios. Enumeration is a critical phase, and thorough exploration can lead to the discovery of potential vulnerabilities and entry points into a system.
Happy hacking!