Enumeration
DNS ENUMERATION
Nmap DNS hostname lookup | nmap -F --dns-servers <dns-server> <target>
Host lookup | host -t ns example.com
Zone transfer with dig | dig axfr example.com @nameserver
Windows dns zone transfer | nslookup -> set type=any -> ls -d example.com
Dnsrecon Brute force | dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
Dnsrecon List | dnsrecon -d TARGET -t axfr
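Defender's side of the zone-transfer checks above, as an added example that is not part of the original cheat sheet: a Python parser for BIND-style query-log lines that flags AXFR/IXFR requests from any client outside an allow-list of secondary servers and counts ANY queries per source. The log lines, the 198.51.100.0/24 secondary range and the exact log layout are constructed assumptions; the server-side control is BIND's allow-transfer directive, which this detection complements rather than replaces.

```python
import ipaddress
import re

# Constructed sample lines in the shape of a BIND query log (not captured traffic).
# 198.51.100.2 is the one legitimate secondary server in this scenario.
SAMPLE_QUERY_LOG = """\
12-Mar-2024 10:15:02.123 client @0x7f3a1c0 198.51.100.2#53211 (example.com): query: example.com IN AXFR +TE (203.0.113.53)
12-Mar-2024 10:15:03.001 client @0x7f3a1c0 192.0.2.77#40011 (example.com): query: example.com IN AXFR +TE (203.0.113.53)
12-Mar-2024 10:15:03.500 client @0x7f3a1c0 192.0.2.77#40012 (www.example.com): query: www.example.com IN A + (203.0.113.53)
12-Mar-2024 10:15:04.250 client @0x7f3a1c0 192.0.2.77#40013 (example.com): query: example.com IN ANY + (203.0.113.53)
12-Mar-2024 10:15:05.000 client @0x7f3a1c0 192.0.2.78#40014 (example.com): query: example.com IN IXFR +TE (203.0.113.53)
"""

# Networks allowed to pull the zone (assumption: your secondaries live here).
ALLOWED_SECONDARIES = [ipaddress.ip_network("198.51.100.0/24")]

# Client address, queried name and query type; the "@0x..." client handle is
# optional because older BIND releases do not print it.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return {'src', 'name', 'qtype'} for one query-log line, or None if it does not parse."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return {"src": m.group("src"), "name": m.group("name"), "qtype": m.group("qtype").upper()}


def is_allowed_secondary(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SECONDARIES)


def find_transfer_attempts(log_text):
    """(src, qtype, name) for every AXFR/IXFR request from a host that is not an
    authorised secondary. The log does not show whether the server answered, so
    pair this with an explicit allow-transfer policy on the server."""
    hits = []
    for line in log_text.splitlines():
        q = parse_query(line)
        if q and q["qtype"] in ("AXFR", "IXFR") and not is_allowed_secondary(q["src"]):
            hits.append((q["src"], q["qtype"], q["name"]))
    return hits


def count_any_queries(log_text):
    """ANY queries per source: a weaker enumeration signal than a transfer
    attempt, but worth counting alongside it."""
    counts = {}
    for line in log_text.splitlines():
        q = parse_query(line)
        if q and q["qtype"] == "ANY":
            counts[q["src"]] = counts.get(q["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for src, qtype, name in find_transfer_attempts(SAMPLE_QUERY_LOG):
        print(f"unauthorised {qtype} for {name} from {src}")
    print("ANY queries by source:", count_any_queries(SAMPLE_QUERY_LOG))
```

Run it against a real query log by reading the file into `find_transfer_attempts`; the allow-list should mirror whatever `allow-transfer` already permits so that the two never disagree silently.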
FINGER ENUMERATION
finger-user-enum.pl (options) -u username|-U users.txt -t host| -T hosts.txt
Useful reference: /usr/share/seclists/usernames/names
FTP ENUMERATION
Version detection, public exploits, anonymous login
nmap -n -Pn -p21 -vv -sV --script=ftp-vuln-cve2010-4221.nse,ftp-vsftpd-backdoor.nse,ftp-syst.nse,ftp-proftpd-backdoor.nse,ftp-libopie.nse,ftp-brute.nse,ftp-bounce.nse,ftp-anon.nse
ftp anonymous@<ip>
searchsploit <service/version> (look for public exploits matching the detected FTP version)
FTP BRUTE FORCE
hydra -l user -P passlist.txt ftp://<ip>
hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp
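Added example, not part of the original cheat sheet, showing what the anonymous-login and hydra checks above look like from the log side: a Python sliding-window detector over constructed vsftpd log lines that flags a source after five FAIL LOGINs within 60 seconds and lists successful anonymous sessions. The log lines, threshold and window are assumptions; the same windowed counting applies to SMB authentication failures once you parse those events into the same shape.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines in the format vsftpd writes to its own log (not a real capture).
SAMPLE_VSFTPD_LOG = """\
Tue Mar 12 10:15:01 2024 [pid 2101] CONNECT: Client "192.0.2.77"
Tue Mar 12 10:15:02 2024 [pid 2101] [admin] FAIL LOGIN: Client "192.0.2.77"
Tue Mar 12 10:15:02 2024 [pid 2102] [admin] FAIL LOGIN: Client "192.0.2.77"
Tue Mar 12 10:15:03 2024 [pid 2103] [admin] FAIL LOGIN: Client "192.0.2.77"
Tue Mar 12 10:15:03 2024 [pid 2104] [admin] FAIL LOGIN: Client "192.0.2.77"
Tue Mar 12 10:15:04 2024 [pid 2105] [admin] FAIL LOGIN: Client "192.0.2.77"
Tue Mar 12 10:15:04 2024 [pid 2106] [admin] FAIL LOGIN: Client "192.0.2.77"
Tue Mar 12 10:15:09 2024 [pid 2107] [anonymous] OK LOGIN: Client "192.0.2.78"
Tue Mar 12 10:20:30 2024 [pid 2108] [alice] FAIL LOGIN: Client "198.51.100.9"
Tue Mar 12 10:31:00 2024 [pid 2109] [alice] OK LOGIN: Client "198.51.100.9"
"""

LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<src>[^"]+)"'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_login_events(log_text):
    """Extract login outcomes; CONNECT and transfer lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
            "user": m.group("user"),
            "result": m.group("result"),
            "src": m.group("src"),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window counter: a source is flagged the first time it accumulates
    `threshold` FAIL LOGINs inside `window`. Returns {src: time_of_flag}.
    Events are assumed to be in file order, which is chronological."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


def anonymous_logins(events):
    """Successful anonymous sessions; expected only on a deliberately public
    server (vsftpd: anonymous_enable=NO turns them off)."""
    return [(ev["ts"], ev["src"]) for ev in events
            if ev["result"] == "OK" and ev["user"].lower() in ("anonymous", "ftp")]


if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_VSFTPD_LOG)
    for src, when in detect_bruteforce(evs).items():
        print(f"{when} brute force from {src}")
    for when, src in anonymous_logins(evs):
        print(f"{when} anonymous login from {src}")
```

The single failure from 198.51.100.9 followed by a success is left alone: the window/threshold pair is what separates a mistyped password from a wordlist run, so tune both to the service's real login rate before alerting on it.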
MSSQL ENUMERATION
nmap -vv -sV -Pn -p <port> --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=<port>,mssql.username=sa,mssql.password=sa
hydra -s -C ./wordlists/mssql-default-userpass.txt -u -f mssql
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve-2012-2122 -p
hydra -s -C ./wordlists/mssql-default-userpass.txt -u -f mysql
mysql --user= --password= --host=
NFS ENUMERATION
nmap -sV --script=nfs-showmount
showmount -e (more options possible)
ORACLE ENUMERATION
Oracle SID enumeration: use ODAT
/usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt
RPC ENUMERATION
HTTP ENUMERATION
nikto http://
robots.txt
Burp Spider for spidering the application
http://ip/~root
gobuster
cewl
JavaScript files
PHP file permissions
SQL injection
command injection
directory traversal
file upload
RCE
source code comments
hostnames
cgi-bin
SMB ENUMERATION
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'
smbclient -L
nmblookup -A
smbmap -h
echo exit | smbclient -L \\\\
smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\INSERTIPADDRESS\ipc$ -U
nmap -v -p 445 --script=smb-enum-shares.nse --script-args=unsafe=1
smbclient //INSERTIPADDRESS/wwwroot -U "guest"%""
smbclient //INSERTIPADDRESS/ipc$ -U
smbclient //MOUNT/share -l -N
smbclient \\\\\\
nmap -n -Pn -sV -vv --script smb-vuln* -p 139,445
nmap -n -Pn -sV -vv --script smb2-vuln-uptime.nse -p 139,445
nmap -n -Pn -sV -vv -p --script smb-vuln* --script-args=unsafe=1
enum4linux -a
nmap -p --script=smb-enum-groups -vvvvv
nmap -sU -sS --script=smb-enum-users -p U:137,T:139
nmap -p --script=smb-enum-sessions -vvvvv
nmap -p --script=smb-enum-domains -vvvvv
winexe -U username //INSERTIPADDRESS "cmd.exe" --system
nmap --script smb-os-discovery.nse
smbmap -R -H
smbmap -d "domain" -u "username" -p "password" -H
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt smb
pth-winexe -U administrator // cmd
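Added example, not from the page: a Python audit of smb.conf for the settings that let the null-session and guest-share enumeration above succeed (guest mapping, guest-ok shares, unrestricted anonymous IPC$, SMB1 dialects, signing off), run against a weak and a hardened configuration. Both configurations are constructed; the parameter names are standard Samba ones, and `testparm -s` on a real host prints the effective configuration to feed in.

```python
import configparser

# Constructed smb.conf fragments (not taken from any real host).
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   server min protocol = NT1
   server signing = disabled
   restrict anonymous = 0

[tmp]
   path = /tmp
   guest ok = yes
   writable = yes
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Never
   server min protocol = SMB2
   server signing = mandatory
   restrict anonymous = 2

[data]
   path = /srv/data
   guest ok = no
   valid users = @staff
"""

# Samba protocol names that select the SMB1 dialect family.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def load_smb_conf(text):
    # smb.conf uses "key = value", '#'/';' comments and case-insensitive keys,
    # which configparser handles once ':' is dropped as a delimiter.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_smb_conf(text):
    """Return (section, parameter, reason) findings for settings that make the
    server enumerable or downgradable by an unauthenticated client."""
    cp = load_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}

    if g.get("map to guest", "Never").lower() != "never":
        findings.append(("global", "map to guest", "failed logins are mapped to the guest account; set Never"))
    if g.get("server min protocol", "").upper() in SMB1_DIALECTS:
        findings.append(("global", "server min protocol", "SMB1 accepted; set SMB2 or higher"))
    if g.get("server signing", "").lower() == "disabled":
        findings.append(("global", "server signing", "signing disabled; set mandatory"))
    if int(g.get("restrict anonymous", "0")) < 2:
        findings.append(("global", "restrict anonymous", "anonymous IPC$ sessions can list users and shares; set 2"))

    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        # "public" is Samba's synonym for "guest ok".
        guest = sec.get("guest ok", sec.get("public", "no")).lower()
        if guest in ("yes", "true", "1"):
            findings.append((share, "guest ok", "share readable without credentials"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: {len(audit_smb_conf(conf))} finding(s)")
        for section, param, reason in audit_smb_conf(conf):
            print(f"  [{section}] {param}: {reason}")
```

An unset `server min protocol` is not flagged because its default depends on the Samba version (SMB1 on old releases); on a real host read the effective value from `testparm -s` rather than the raw file.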