Active Information Gathering

DNS Enumeration

  • Two zone types (held in the "zone file")
    • Forward Lookup Zone
    • Reverse Lookup Zone

Interacting with a DNS Server

  • host www.megacorpone.com: Searches for the A record of the host
  • host -t txt megacorpone.com: Searches for the TXT record
    • -t specifies the type of the record

Automating Lookups

  • use wordlists: /usr/share/seclists/ (sudo apt install seclists)

Forward Lookup Brute Force

  • for sub in $(cat wordlist.txt); do host $sub.megacorpone.com; done | grep -v "not found"

Reverse Lookup Brute Force

  • for ip in $(seq 1 224); do host 38.100.193.$ip; done | grep -v "not found"
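
Added example (not from the original notes) that wraps both loops above and replaces grep -v "not found" with a positive filter, since the negative grep also lets timeouts and SERVFAIL lines through. It assumes the host binary from bind9-dnsutils; the sample lines inside are constructed.

```shell
#!/bin/sh
# Forward and reverse DNS brute force with stricter result filtering.
# Added example; the domain and IP prefix are the notes' example values.

# Keep only lines that carry a real answer (A, AAAA, CNAME or PTR record).
# Anything else from host (NXDOMAIN, timeouts, SERVFAIL) is dropped.
filter_dns_answers() {
  grep -E ' has (IPv6 )?address | is an alias for | domain name pointer '
}

# Forward brute force: $1 = wordlist, $2 = domain (one subdomain per line).
forward_brute() {
  while IFS= read -r sub; do
    [ -n "$sub" ] || continue
    host "$sub.$2"
  done < "$1" | filter_dns_answers
}

# Reverse brute force: $1 = /24 prefix (e.g. 38.100.193), $2 = first, $3 = last octet.
reverse_brute() {
  for i in $(seq "$2" "$3"); do host "$1.$i"; done | filter_dns_answers
}

# Constructed sample of mixed host output, to show what the filter keeps.
sample_host_output() {
  printf '%s\n' \
    'www.megacorpone.com has address 38.100.193.76' \
    'Host nothere.megacorpone.com not found: 3(NXDOMAIN)' \
    ';; connection timed out; no servers could be reached' \
    'mail.megacorpone.com is an alias for mail2.megacorpone.com.' \
    '79.193.100.38.in-addr.arpa domain name pointer mail2.megacorpone.com.'
}

# Usage against a live resolver (commented out; needs network):
# forward_brute /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt megacorpone.com
# reverse_brute 38.100.193 1 224
sample_host_output | filter_dns_answers
```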

DNS Zone Transfers

  • If misconfigured, DNS servers can hand out the entire zone file to anyone asking for it: host -l <domain name> <dns server address>

Relevant Tools in Kali Linux

  • dnsrecon -d megacorpone.com -t axfr
    • -d: Specify the domain name
    • -t: Specify the type of enumeration
  • dnsrecon -d megacorpone.com -D ~/wordlist.txt -t brt
    • -D: Specify the file containing potential subdomains
    • -t: Specify brute force enumeration
  • dnsenum zonetransfer.me

Port Scanning

TCP / UDP Scanning

  • TCP basic port scanner: nc -nvv -w 1 -z 10.11.1.220 3388-3390
    • -w: Specify the connection timeout in seconds
    • -z: Specify zero-I/O mode (sends no data; used for scanning)
  • UDP basic port scanner: nc -nv -u -z -w 1 10.11.1.115 160-162
    • -u: Specifies a UDP scan
    • Can be very unreliable

Port Scanning with Nmap

  • Stealth/SYN scanning: sudo nmap -sS 10.11.1.220 (fast)
  • TCP Connect scanning: sudo nmap -sT 10.11.1.220 (slow)
  • UDP scanning: sudo nmap -sU 10.11.1.220
  • Network sweeping: nmap -sn 10.11.1.1-254 (reduce traffic)
  • -v: Increase verbosity
  • -oG <file name>.txt to make the output grepable
  • -p: Specify a port(s)
  • --top-ports=20: Only scan the top ports (determined by /usr/share/nmap-services)
  • -A: Enable OS detection, version detection, script scanning and traceroute
  • -O: Enable OS Fingerprinting (best guess attempt)
  • -sV: Enable Service and version detection
  • --open: Only display open ports
  • NSE scripts: /usr/share/nmap/scripts
    • nmap 10.11.1.220 --script=smb-os-discovery
    • nmap --script=dns-zone-transfer -p 53 ns3.megacorpone.com
    • For more info about a script: nmap --script-help dns-zone-transfer
    • To list all scripts: tree /usr/share/nmap/scripts/
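
Added example (not from the original notes): an awk parser for the grepable output written by -oG, which turns a file like smb.txt into one "ip port/proto service" line per open port. The scan data in the block is constructed to mirror the -oG format.

```shell
#!/bin/sh
# Extract open ports from nmap grepable (-oG) output. Added example.
# Host lines are tab-separated fields: "Host: <ip> (<name>)" and
# "Ports: <port>/<state>/<proto>//<service>//<version>/, ..."

# Print "ip port/proto service" for every open port in a -oG file ($1).
open_ports_from_grepable() {
  awk -F'\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) ports = substr($i, 8)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
        if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
      }
    }' "$1"
}

# Number of open ports in a -oG file ($1); quick sanity check for a sweep.
count_open_ports() { open_ports_from_grepable "$1" | wc -l | tr -d ' '; }

# Constructed sample in -oG format (values made up for the demo); $1 = output path.
write_sample_grepable() {
  {
    printf '# Nmap 7.93 scan initiated (constructed sample)\n'
    printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
    printf 'Host: 10.11.1.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (997)\n'
    printf 'Host: 10.11.1.7 (dc01)\tPorts: 53/open/udp//domain///\n'
    printf 'Host: 10.11.1.9 ()\tPorts: 22/filtered/tcp//ssh///\n'
    printf '# Nmap done at (constructed sample)\n'
  } > "$1"
}

# Demo run: real usage is open_ports_from_grepable smb.txt
sample=$(mktemp)
write_sample_grepable "$sample"
open_ports_from_grepable "$sample"
rm -f "$sample"
```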

Masscan

  • sudo apt install masscan
  • sudo masscan -p80 10.11.1.0/24 --rate=1000 -e tap0 --router-ip 10.11.0.1

SMB Enumeration

Scanning for the NetBIOS Service

  • Also possible with: nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
  • More suitable: sudo nbtscan -r 10.11.1.0/24
    • -r: Use UDP port 137 as the originating (source) port

Nmap SMB NSE Scripts

  • ls -al /usr/share/nmap/scripts/smb*
    • nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227
  • ls -al /usr/share/nmap/scripts/smb-vuln-*
    • nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.227
      • unsafe=1 WILL CRASH THE TARGET!

NFS Enumeration

  • Generally insecure (very hard to set up correctly)

Scanning for NFS Shares

  • Check if NFS is running: nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254

Nmap NFS NSE Scripts

  • Get additional information
  • To run all (/usr/share/nmap/scripts/nfs*) nfs scripts: nmap -p 111 --script nfs* 10.11.1.72
  • To mount an exposed folder: mkdir new-mounted-folder && sudo mount -o nolock 10.11.1.72:/home ./new-mounted-folder/ && cd new-mounted-folder && ls -al
    • -o nolock: Disable file locking (needed for older NFS servers)
    • If we get a permission denied error, we can create a new local user and change its UID to the UID that has sufficient rights on the share, which bypasses the permission error
      • sudo adduser pwn
      • sudo sed -i -e '/^pwn:/ s/<current id of the new user>/<user id with sufficient privileges>/' /etc/passwd (scoped to the pwn line so no other account's UID is rewritten)
      • grep pwn /etc/passwd
      • su pwn
      • id
      • Access the file/folder
      • exit

SMTP Enumeration

  • Expand (EXPN): Get the members of a mailing list
  • Verify (VRFY): Verify whether an email address exists
  • Connect to a mail server: nc -nv 10.11.1.217 25
    • VRFY root

SNMP Enumeration

  • SNMP is based on UDP, which makes it susceptible to IP spoofing and replay attacks
  • SNMP v1, v2 and v2c are not encrypted!
  • Commonly uses default users and passwords

The SNMP MIB Tree

Scanning for SNMP

  • sudo nmap -sU --open -p 161 10.11.1.1-254 -oG open-snmp.txt
  • Alternatively, use onesixtyone

Windows SNMP Enumeration Example

  • Only works if you know the read-only SNMP community string (usually public)
  • Enumerate the SNMP MIB tree: snmpwalk -c public -v1 -t 10 10.11.1.14
    • -c: Specify the community string
    • -v1: Specify SNMP version number
    • -t: Specify the timeout (in seconds)
  • Enumerate Windows Users: snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25
  • Enumerate Running Windows Processes: snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.25.4.2.1.2
  • Enumerate Open TCP Ports: snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3
  • Enumerate Installed Software: snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.25.6.3.1.2

Relevant Note(s): Passive Information Gathering Penetration Testing