Service Enumeration and Locating Public Exploits
Unknown Services
- Search for nmap's definition https://svn.nmap.org/nmap/nmap-services
- Search for nmap scripts for each service:
cat /usr/share/nmap/scripts/script.db | grep -v '"brute"\|"dos"' | fzf - Run the nmap scripts:
- TCP:
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA {SERVICE_NAME}-nmap --script="{SERVICE_NAME}* and not(brute or dos)" {IP} -p {SERVICE_PORT} - UDP:
sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA {SERVICE_NAME}-nmap --script="{SERVICE_NAME}* and not(brute or dos)" {IP} -p {SERVICE_PORT}
- TCP:
- Banner Grabbing:
nc -nv {IP} {PORT} - Search for exploits:
searchsploit --exclude="Denial" {SERVICE_NAME}
Known Services
SSH
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA ssh-nmap --script="ssh* and not(brute or dos)" {IP}hydra -v -V -u -t 4 {TWO_OF_THE_BELLOW_OPTIONS_EXCEPT_WITH_OPTION_C} -u {IP} -s {PORT} ssh- For credential examples: Password Attacks#THC-Hydra
HTTP
Attention
Also identify the framework that is used by the website and search for exploits! searchsploit --exclude="dos" {FRAMEWORK_NAME}
Warning
If the website uses https you also need to change the http:// into https://
Hint
If you find a directory, always enumerate that one as well
Hint
Modify the extensions based on your previous enumeration on the HTTP server type (e.g. php only)
Hint
Bypass robots.txt "You are not a search engine. Permission denied." like this:
curl --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)" http://{IP}:{PORT}/robots.txt
curl -k http://{IP}:{PORT}nikto -h=http://{IP}:{PORT}/ -Cgidirs all -o http-nikto.txtffuf -c -t 40 -H "User-Agent: curl/7.83.0" -w /usr/share/seclists/Discovery/Web-Content/common.txt -o http-ffuf-common.csv -of csv -e .html,.htm,.php,.js,.jsp,.asp,.aspx -u http://{IP}:{PORT}/FUZZffuf -c -t 40 -H "User-Agent: curl/7.83.0" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o http-ffuf-medium.csv -of csv -e .html,.htm,.php,.js,.jsp,.asp,.aspx -u http://{IP}:{PORT}/FUZZffuf -c -t 40 -H "User-Agent: curl/7.83.0" -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -o http-ffuf-large.csv -of csv -e .html,.htm,.php,.js,.jsp,.asp,.aspx -u http://{IP}:{PORT}/FUZZ- Proxy:
-x socks5://127.0.0.1:1080
- Proxy:
- Local File Inclusion fuzzing:
ffuf -c -t 40 -H "User-Agent: curl/7.83.0" -w {LIST} -u 'http://{IP}/browse.php?p=source&file=FUZZ' -fl 17/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt~/tools/Auto_Wordlists/custom_wordlists/file_inclusion_windows.txt
- Other fuzzing tools
gobuster dir -t 40 -a "curl/7.83.0" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o http-gobuster-medium.txt -x .html,.htm,.php,.js,.jsp,.asp,.aspx -u http://{IP}:{PORT}/- Proxy:
--proxy socks5://127.0.0.1:1080 --timeout 120s
- Proxy:
wfuzz -t 40 -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404 -u http://{IP}:{PORT}/FUZZ > http-wfuzz-common.txtdirb http://{IP}:{PORT}/ /usr/share/seclists/Discovery/Web-Content/common.txt -a "curl/7.83.0" -o http-dirb-common.txt
WordPress
wpscan -o WEB-wpscan.txt --force update -e --url http://{IP}:{PORT}/
SMB / MICROSOFT-DS
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA smb-nmap --script="smb* and not(brute or dos)" {IP}enum4linux -a {IP}enum4linux -u "" -p "" -a {IP}enum4linux -u "guest" -p "" -a {IP}smbclient -N //{IP}/{SHARE_NAME}smbmap -u "" -p "" -H {IP}smbmap -u "guest" -p "" -H {IP}crackmapexec {IP} -u "" -p ""crackmapexec {IP} -u "" -p "" accesspython ./samrdump.py -port 445 {IP}
FTP
Hint
If you want to transfer binaries, you need to put the ftp session into binary mode, with the command binary, the default is ascii
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA ftp-nmap --script="ftp* and not(brute or dos)" {IP}ftp anonymous@{IP}- Bypass a firewall:
passive - Now you can:
get secret.txtput evil.exe
- Bypass a firewall:
- Download everything recursively:
wget -r ftp://{USERNAME}:{PASSWORD}@{IP} hydra -v -V -u -t 4 {TWO_OF_THE_BELLOW_OPTIONS_EXCEPT_WITH_OPTION_C} -u {IP} -s {PORT} ftp- For credential examples: Password Attacks#THC-Hydra
MS SQL
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA mssql-nmap --script="ms-sql* and not(brute or dos)" {IP}- If you have credentials:
- Login:
sqsh -S {IP} -U {USERNAME} -P {PASSWORD} - Try to execute a shell:
xp_cmdshell 'whoami'go
- If it doesn't work, test if you can reconfigure the server:
EXEC SP_CONFIGURE 'show advanced options',1reconfiguregoEXEC SP_CONFIGURE 'xp_cmdshell',1reconfigurego- Try to execute a shell again
- Login:
VNC
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA vnc-nmap --script="vnc* and not(brute or dos)" {IP}
MSRPC
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA msrpc-nmap --script="msrpc* and not(brute or dos)" {IP}- Its better if you don't specify the port
rpcclient -U "" -N {IP}python rpcdump.py -port 135 {IP}- MSRPC (Microsoft Remote Procedure Call) Service Enumeration Handbook
RPCBIND
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA rpcbind-nmap --script="rpc* and not(brute or dos)" {IP}rpcinfo -s {IP}rpcinfo -p {IP}
SMTP
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA smtp-nmap --script="smtp* and not(brute or dos)" {IP}- Brute-force usernames: https://github.com/mchern1kov/pentest-everything/blob/master/enum_and_exploit/tcp-25-465-587-smtp/README.md#brute-forcing-usernames
POP3
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA pop3-nmap --script="pop3* and not(brute or dos)" {IP}
NNTP
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA nntp-nmap --script="nntp* and not(brute or dos)" {IP}
NFS / NLOCKMGR / MOUNTD
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA nfs-nmap --script="nfs* and not(brute or dos)" {IP}- Its recommended to not specify the port!
MYSQL
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA mysql-nmap --script="mysql* and not(brute or dos)" {IP}
ORACLE
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA oracle-nmap --script="oracle* and not(brute or dos)" {IP}sudo oscanner -s {IP} -P {PORT}tnscmd10g version -p 1521 -h <IP>- ODAT: Oracle Database Attacking Tool
AJP
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA ajp-nmap --script="ajp* and not(brute or dos)" {IP}- ajpShooter.py
RDP / MS-WBT-SERVER
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA rdp-nmap --script="rdp* and not(brute or dos)" {IP}- Connect to a machine:
xfreerdp +clipboard /w:1280 /h:720 /smart-sizing /cert:ignore /v:{IP} /u:{USERNAME} /p:'{PASSWORD}'rdesktop -k de-ch -u '{USERNAME}' -p '{PASSWORD}' {IP}- If the login doesn't work try
xfreerdpor usecorp\{USERNAME}
- If the login doesn't work try
hydra -v -V -u -t 4 {TWO_OF_THE_BELLOW_OPTIONS_EXCEPT_WITH_OPTION_C} -u {IP} -s {PORT} rdp- For credential examples: Password Attacks#THC-Hydra
LDAP
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA ldap-nmap --script="ldap* and not(brute or dos)" {IP}ldapsearch -x -h {IP} -s base
NETBIOS-SSN
nmblookup -A {IP}smbclient -L //{IP}smbclient -L //{IP} -U "Guest"enum4linux -a {IP}enum4linux -u "" -p "" -a {IP}enum4linux -u "guest" -p "" -a {IP}rpcclient -U "" {IP}smbclient //MOUNT/share -I {IP} Nmkdir folder && sudo mount -t cifs //{IP}/share ./folder
DOMAIN
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA dns-nmap --script="dns* and not(brute or dos)" {IP}dig axfr @{IP} {DOMAIN.TLD}dnsrecon -d {DOMAIN.TLD}
KERBEROS-SEC
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA KERBEROS-USERDB-nmap --script=krb5-enum-users --script-args krb5-enum-users.realm='{DOMAIN.TLD}',userdb=/usr/share/seclists/Usernames/Names/names.txt {IP}sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA KERBEROS-nmap --script=krb5-enum-users --script-args krb5-enum-users.realm='{DOMAIN.TLD}' {IP}
RTSP
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA rtsp-nmap --script="rtsp* and not(brute or dos)" {IP}
IMAP
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA imap-nmap --script="imap* and not(brute or dos)" {IP}
DHCP
sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA dhcp-nmap --script="dhcp* and not(brute or dos)" {IP}
SNMP
sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA snmp-nmap --script="snmp* and not(brute or dos)" {IP}onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt {IP}snmp-check {IP}snmpwalk -v1 -c public {IP}
TFTP
sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA tftp-nmap --script="tftp* and not(brute or dos)" {IP}
NTP
sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA ntp-nmap --script="ntp* and not(brute or dos)" {IP}
UPNP
sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA upnp-nmap --script="upnp*,broadcast-upnp-info and not(brute or dos)" {IP}
NAT
sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA nat-nmap --script="nat* and not(brute or dos)" {IP}
TELNET
sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA telnet-nmap --script="telnet* and not(brute or dos)" {IP}
tcpwrapped
tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux. When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper. Specifically, it means that a full TCP handshake was completed, but the remote host closed the connection without receiving any data.
It is important to note that tcpwrapper protects programs, not ports. This means that a valid (not false-positive) tcpwrapped response indicates a real network service is available, but you are not on the list of hosts allowed to talk with it. When a very large number of ports are shown as tcpwrapped, it is unlikely that they represent real services, so the behavior probably means something else like a load balancer or firewall is intercepting the connection requests.
Relevant Note(s): Penetration Testing