Service Enumeration
FTP - 21
Using hydra
Bruteforcing Credentials
hydra -L usernames.txt -P passwords.txt <IP> ftpTelnet - 23
telnet <IP> <PORT>NetBios - 137, 138, 139
Ports
137
UDP
NetBIOS Name Service (NBNS)
138
UDP
NetBIOS Datagram Service (NDS)
139
TCP
NetBIOS over TCP/IP (NBT)
Using Nbtstat - Windows
Windows Command Line Utility
nbtstat -a 192.168.18.100Check for local cache
nbtstat -cUsing nmap
nmap -sV -v --script nbtstat.nse 192.168.18.110nmap -sU -p 137 --script nbtstat.nse 192.168.18.110-sV- Version Enumeration-sU- UDP scan
SMB - 139, 445
Server Message Block
Methodology
Look out for
Network File Shares
Logged in User Details
Workgroups
Security Level Information
Domains and Services
Ports
137
UDP
NetBIOS Name Service (NBNS) by SMB
138
UDP
NetBIOS Datagram Service (NDS) by SMB
139
TCP
SMB in conjunction with NetBIOS over TCP/IP (NBT)
445
TCP
Primary Port
Services Examples
netbios-ssn
microsoft-ds
Using enum4linux
enum4linux -a 10.10.10.10Using nmap
To List All Scripts for SMB
To list all scripts by Nmap for SMB enumeration
cd /usr/share/nmap/scripts; ls | grep smb OS Discovery
sudo nmap --script smb-os-discovery.nse 192.168.18.110Enumerating Shares
nmap --script smb-enum-shares.nse -p445 <host>nmap -sU -p 445 --script=smb-enum-shares <target>Enumerating Users
nmap --script smb-enum-users.nse -p445 <host>nmap -sU -p 445 --script=smb-enum-users <target>Enumerating Groups
nmap -sU -p 445 --script=smb-enum-groups <target>Enumerating Services
nmap --script smb-enum-services.nse -p445 <host>nmap -sU -p 445 --script=smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_77 <target>Enumerating Security Level
nmap -sC -sV -A -T4 -p 445 <target> Exploitation
Unexpected error with integration github-files: Integration is not installed on this space
Using smbclient
smbclient -L- List shares on a machine using NULL Sessionsmbclient -L <target_IP> -U username%password- List shares on a machine using a valid username + passwordsmbclient //<target>/<share$> -U username%password- Connect to a valid share with username + password
RDP - 3389
Methodology
Check for running services on the target and confirm if RDP is running on any open port.
Use Metasploit to confirm the services running is RDP.
Use hydra to brute force the login credentials.
Use RDP tools to login into the victim's machine.
Using Metasploit
Confirming RDP
msfconsole
> use auxiliary/scanner/rdp/rdp_scannerUsing Hydra
Bruteforcing login credentials
hydra -L usernames.txt -P passwords.txt rdp://<target> -s <port>Using xfreerdp
Creating RDP session with xfreerdp
xfreerdp /u:administrator /p:qwertyuip /v:IP:PORTSNMP - 161, 162, 10161, 10162
Methodology
Look out for default UDP ports used by SNMP: 161, 162, 10161, 10162.
Identify the processes running on the target machine using nmap scripts.
List valid community strings of the server using nmap scripts.
List valid community strings of the server by using snmp_login Metasploit Module.
List all the interfaces of the machine. Use appropriate nmap Script.
Using snmp-check
snmp-check <IP>Using nmap
Identifying Processes
nmap -sU -p 161 --script=snmp-processes <target>Identifying Interfaces
nmap -sU -p 161 --script=snmp-interfaces <target>Using Metasploit
Identifying Valid Community Strings
msfconsole
> use auxiliary/scanner/snmp/snmp_loginLast updated
Was this helpful?