Service Enumeration

FTP - 21

Using hydra

Bruteforcing Credentials

hydra -L usernames.txt -P passwords.txt <IP> ftp

Telnet - 23

telnet <IP> <PORT>

NetBios - 137, 138, 139

Ports

Using Nbtstat - Windows

Windows Command Line Utility

nbtstat -a 192.168.18.100

Check for local cache

nbtstat -c

Using nmap

nmap -sV -v --script nbtstat.nse 192.168.18.110

nmap -sU -p 137 --script nbtstat.nse 192.168.18.110

-sV - Version Enumeration
-sU - UDP scan

SMB - 139, 445

Server Message Block

Methodology

Look out for

Network File Shares
Logged in User Details
Workgroups
Security Level Information
Domains and Services

Ports

Services Examples

netbios-ssn
microsoft-ds

Using enum4linux

enum4linux -a 10.10.10.10

Using nmap

To List All Scripts for SMB

To list all scripts by Nmap for SMB enumeration

cd /usr/share/nmap/scripts; ls | grep smb

OS Discovery

sudo nmap --script smb-os-discovery.nse 192.168.18.110

Enumerating Shares

nmap --script smb-enum-shares.nse -p445 <host>

nmap -sU -p 445 --script=smb-enum-shares <target>

Enumerating Users

nmap --script smb-enum-users.nse -p445 <host>

nmap -sU -p 445 --script=smb-enum-users <target>

Enumerating Groups

nmap -sU -p 445 --script=smb-enum-groups <target>

Enumerating Services

nmap --script smb-enum-services.nse -p445 <host>

nmap -sU -p 445 --script=smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_77 <target>

Enumerating Security Level

nmap -sC -sV -A -T4 -p 445 <target>

Exploitation

Using smbclient

smbclient -L - List shares on a machine using NULL Session
smbclient -L <target_IP> -U username%password - List shares on a machine using a valid username + password
smbclient //<target>/<share$> -U username%password - Connect to a valid share with username + password

RDP - 3389

Methodology

Check for running services on the target and confirm if RDP is running on any open port.
Use Metasploit to confirm the services running is RDP.
Use hydra to brute force the login credentials.
Use RDP tools to login into the victim's machine.

Using Metasploit

Confirming RDP

msfconsole
> use auxiliary/scanner/rdp/rdp_scanner

Using Hydra

Bruteforcing login credentials

hydra -L usernames.txt -P passwords.txt rdp://<target> -s <port>

Using xfreerdp

Creating RDP session with xfreerdp

xfreerdp /u:administrator /p:qwertyuip /v:IP:PORT

SNMP - 161, 162, 10161, 10162

Methodology

Look out for default UDP ports used by SNMP: 161, 162, 10161, 10162.
Identify the processes running on the target machine using nmap scripts.
List valid community strings of the server using nmap scripts.
List valid community strings of the server by using snmp_login Metasploit Module.
List all the interfaces of the machine. Use appropriate nmap Script.

Using snmp-check

snmp-check <IP>

Using nmap

Identifying Processes

nmap -sU -p 161 --script=snmp-processes <target>

Identifying Interfaces

nmap -sU -p 161 --script=snmp-interfaces <target>

Using Metasploit

Identifying Valid Community Strings

msfconsole
> use auxiliary/scanner/snmp/snmp_login

PreviousNetwork Scanning and Enumeration NextSystem Hacking

Last updated 11 months ago