Service Enumeration

FTP - 21

Using hydra

Bruteforcing Credentials

hydra -L usernames.txt -P passwords.txt <IP> ftp

Telnet - 23

telnet <IP> <PORT>

NetBios - 137, 138, 139

Ports

Port	Protocol	Service
137	UDP	NetBIOS Name Service (NBNS)
138	UDP	NetBIOS Datagram Service (NDS)
139	TCP	NetBIOS over TCP/IP (NBT)

Port

Protocol

Service

137

UDP

NetBIOS Name Service (NBNS)

138

UDP

NetBIOS Datagram Service (NDS)

139

TCP

NetBIOS over TCP/IP (NBT)

Using Nbtstat - Windows

Windows Command Line Utility

nbtstat -a 192.168.18.100

Check for local cache

nbtstat -c

Using nmap

nmap -sV -v --script nbtstat.nse 192.168.18.110

nmap -sU -p 137 --script nbtstat.nse 192.168.18.110

-sV - Version Enumeration
-sU - UDP scan

SMB - 139, 445

Server Message Block

Methodology

Look out for

Network File Shares
Logged in User Details
Workgroups
Security Level Information
Domains and Services

Ports

Port	Protocol	Service
137	UDP	NetBIOS Name Service (NBNS) by SMB
138	UDP	NetBIOS Datagram Service (NDS) by SMB
139	TCP	SMB in conjunction with NetBIOS over TCP/IP (NBT)
445	TCP	Primary Port

Port

Protocol

Service

137

UDP

NetBIOS Name Service (NBNS) by SMB

138

UDP

NetBIOS Datagram Service (NDS) by SMB

139

TCP

SMB in conjunction with NetBIOS over TCP/IP (NBT)

445

TCP

Primary Port

Services Examples

netbios-ssn
microsoft-ds

Using enum4linux

enum4linux -a 10.10.10.10

Using nmap

To List All Scripts for SMB

To list all scripts by Nmap for SMB enumeration

cd /usr/share/nmap/scripts; ls | grep smb

OS Discovery

sudo nmap --script smb-os-discovery.nse 192.168.18.110

Enumerating Shares

nmap --script smb-enum-shares.nse -p445 <host>

nmap -sU -p 445 --script=smb-enum-shares <target>

Enumerating Users

nmap --script smb-enum-users.nse -p445 <host>

nmap -sU -p 445 --script=smb-enum-users <target>

Enumerating Groups

nmap -sU -p 445 --script=smb-enum-groups <target>

Enumerating Services

nmap --script smb-enum-services.nse -p445 <host>

nmap -sU -p 445 --script=smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_77 <target>

Enumerating Security Level

nmap -sC -sV -A -T4 -p 445 <target>

Exploitation

Using smbclient

smbclient -L - List shares on a machine using NULL Session
smbclient -L <target_IP> -U username%password - List shares on a machine using a valid username + password
smbclient //<target>/<share$> -U username%password - Connect to a valid share with username + password

RDP - 3389

Methodology

Check for running services on the target and confirm if RDP is running on any open port.
Use Metasploit to confirm the services running is RDP.
Use hydra to brute force the login credentials.
Use RDP tools to login into the victim's machine.

Using Metasploit

Confirming RDP

msfconsole
> use auxiliary/scanner/rdp/rdp_scanner

Using Hydra

Bruteforcing login credentials

hydra -L usernames.txt -P passwords.txt rdp://<target> -s <port>

Using xfreerdp

Creating RDP session with xfreerdp

xfreerdp /u:administrator /p:qwertyuip /v:IP:PORT

SNMP - 161, 162, 10161, 10162

Methodology

Look out for default UDP ports used by SNMP: 161, 162, 10161, 10162.
Identify the processes running on the target machine using nmap scripts.
List valid community strings of the server using nmap scripts.
List valid community strings of the server by using snmp_login Metasploit Module.
List all the interfaces of the machine. Use appropriate nmap Script.

Using snmp-check

snmp-check <IP>

Using nmap

Identifying Processes

nmap -sU -p 161 --script=snmp-processes <target>

Identifying Interfaces

nmap -sU -p 161 --script=snmp-interfaces <target>

Using Metasploit

Identifying Valid Community Strings

msfconsole
> use auxiliary/scanner/snmp/snmp_login

PreviousNetwork Scanning and Enumeration NextSystem Hacking

Last updated 11 months ago