Service Enumeration and Locating Public Exploits

Unknown Services

  • Search for nmap’s definition https://svn.nmap.org/nmap/nmap-services
  • Search for nmap scripts for each service: grep -v '"brute"\|"dos"' /usr/share/nmap/scripts/script.db | fzf
  • Run the nmap scripts:
    • TCP: sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA {SERVICE_NAME}-nmap --script="{SERVICE_NAME}* and not(brute or dos)" {IP} -p {SERVICE_PORT}
    • UDP: sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA {SERVICE_NAME}-nmap --script="{SERVICE_NAME}* and not(brute or dos)" {IP} -p {SERVICE_PORT}
  • Banner Grabbing: nc -nv {IP} {PORT}
  • Search for exploits: searchsploit --exclude="Denial" {SERVICE_NAME}
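The script selection used in the nmap commands above (`--script="{SERVICE_NAME}* and not(brute or dos)"`) and the grep over script.db do the same job: pick the scripts whose name starts with the service name, minus anything in the brute or dos categories. The following is an added example, not part of these notes and not nmap's own code; it parses an excerpt of script.db (the sample lines are hand-written in the file's layout) and reproduces that selection so you can see which scripts a given pattern pulls in before running them. The `select_scripts` and `parse_script_db` names are this example's own.

```python
"""Pick NSE scripts from script.db the way --script="{SERVICE_NAME}* and not(brute or dos)" does."""
import fnmatch
import os
import re
import sys

# Constructed excerpt in the layout of /usr/share/nmap/scripts/script.db (hand-written for
# this example; the real file lists every installed script the same way).
SAMPLE_SCRIPT_DB = """\
Entry { filename = "ssh-auth-methods.nse", categories = { "auth", "intrusive", } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "safe", "default", "discovery", } }
Entry { filename = "ssh2-enum-algos.nse", categories = { "safe", "discovery", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
"""

# One Entry line: the script file name and its quoted, comma-separated category list.
ENTRY_RE = re.compile(
    r'Entry \{ filename = "(?P<file>[^"]+)", categories = \{(?P<cats>[^}]*)\} \}')


def parse_script_db(text):
    """Yield (script_name, categories) per Entry line, with the .nse suffix removed."""
    for match in ENTRY_RE.finditer(text):
        name = match.group("file")
        if name.endswith(".nse"):
            name = name[:-len(".nse")]
        categories = set(re.findall(r'"([^"]+)"', match.group("cats")))
        yield name, categories


def select_scripts(text, pattern, exclude=("brute", "dos")):
    """Script names matching the glob whose categories contain none of the excluded ones.

    The glob is applied to the script name, so "ssh*" also catches ssh2-enum-algos, just as
    nmap's own wildcard does. Pass exclude=("brute", "dos", "intrusive") to drop nmap's
    intrusive category as well and keep only the quieter discovery scripts.
    """
    excluded = set(exclude)
    return sorted(name for name, categories in parse_script_db(text)
                  if fnmatch.fnmatchcase(name, pattern) and not (categories & excluded))


if __name__ == "__main__":
    # Usage: python select_scripts.py ssh   (reads the installed script.db when present)
    service = sys.argv[1] if len(sys.argv) > 1 else "ssh"
    db_path = "/usr/share/nmap/scripts/script.db"
    text = open(db_path).read() if os.path.exists(db_path) else SAMPLE_SCRIPT_DB
    for script in select_scripts(text, service + "*"):
        print(script)
```

With the sample data, `select_scripts(SAMPLE_SCRIPT_DB, "ssh*")` keeps ssh-auth-methods, ssh-hostkey and ssh2-enum-algos and drops ssh-brute; widening the exclusion to intrusive also drops ssh-auth-methods.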

Known Services

SSH

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA ssh-nmap --script="ssh* and not(brute or dos)" {IP}
  • hydra -v -V -u -t 4 {TWO_OF_THE_BELOW_OPTIONS_EXCEPT_WITH_OPTION_C} -s {PORT} {IP} ssh

HTTP

ATTENTION

Also identify the framework the website runs on and search for exploits for it: searchsploit --exclude="dos" {FRAMEWORK_NAME}

WARNING

If the website uses HTTPS, change http:// to https:// in the commands below.

HINT

If you find a directory, always enumerate it as well.

HINT

Adapt the extensions to what your earlier enumeration revealed about the HTTP server type (e.g. only .php on a PHP host).

HINT

Bypass robots.txt “You are not a search engine. Permission denied.” like this: curl --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)" http://{IP}:{PORT}/robots.txt

  • curl -k http://{IP}:{PORT}
  • nikto -h=http://{IP}:{PORT}/ -Cgidirs all -o http-nikto.txt
  • ffuf -c -t 40 -H "User-Agent: curl/7.83.0" -w /usr/share/seclists/Discovery/Web-Content/common.txt -o http-ffuf-common.csv -of csv -e .html,.htm,.php,.js,.jsp,.asp,.aspx -u http://{IP}:{PORT}/FUZZ
  • ffuf -c -t 40 -H "User-Agent: curl/7.83.0" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o http-ffuf-medium.csv -of csv -e .html,.htm,.php,.js,.jsp,.asp,.aspx -u http://{IP}:{PORT}/FUZZ
  • ffuf -c -t 40 -H "User-Agent: curl/7.83.0" -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -o http-ffuf-large.csv -of csv -e .html,.htm,.php,.js,.jsp,.asp,.aspx -u http://{IP}:{PORT}/FUZZ
    • Proxy: -x socks5://127.0.0.1:1080
  • Local File Inclusion fuzzing: ffuf -c -t 40 -H "User-Agent: curl/7.83.0" -w {LIST} -u 'http://{IP}/browse.php?p=source&file=FUZZ' -fl 17
    • /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
    • ~/tools/Auto_Wordlists/custom_wordlists/file_inclusion_windows.txt
  • Other fuzzing tools
    • gobuster dir -t 40 -a "curl/7.83.0" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o http-gobuster-medium.txt -x .html,.htm,.php,.js,.jsp,.asp,.aspx -u http://{IP}:{PORT}/
      • Proxy: --proxy socks5://127.0.0.1:1080 --timeout 120s
    • wfuzz -t 40 -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404 -u http://{IP}:{PORT}/FUZZ > http-wfuzz-common.txt
    • dirb http://{IP}:{PORT}/ /usr/share/seclists/Discovery/Web-Content/common.txt -a "curl/7.83.0" -o http-dirb-common.txt

WordPress

  • wpscan -o WEB-wpscan.txt --force --update -e --url http://{IP}:{PORT}/

SMB / MICROSOFT-DS

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA smb-nmap --script="smb* and not(brute or dos)" {IP}
  • enum4linux -a {IP}
  • enum4linux -u "" -p "" -a {IP}
  • enum4linux -u "guest" -p "" -a {IP}
  • smbclient -N //{IP}/{SHARE_NAME}
  • smbmap -u "" -p "" -H {IP}
  • smbmap -u "guest" -p "" -H {IP}
  • crackmapexec smb {IP} -u "" -p ""
  • crackmapexec smb {IP} -u "" -p "" --shares
  • python ./samrdump.py -port 445 {IP}

FTP

HINT

If you want to transfer binaries, switch the FTP session to binary mode with the command binary; the default is ascii.

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA ftp-nmap --script="ftp* and not(brute or dos)" {IP}
  • ftp anonymous@{IP}
    • If transfers stall behind a firewall, enable passive mode: passive
    • Now you can:
      • get secret.txt
      • put evil.exe
  • Download everything recursively: wget -r ftp://{USERNAME}:{PASSWORD}@{IP}
  • hydra -v -V -u -t 4 {TWO_OF_THE_BELOW_OPTIONS_EXCEPT_WITH_OPTION_C} -s {PORT} {IP} ftp

MS SQL

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA mssql-nmap --script="ms-sql* and not(brute or dos)" {IP}
  • If you have credentials:
    • Login: sqsh -S {IP} -U {USERNAME} -P {PASSWORD}
    • Try to execute a shell:
      • xp_cmdshell 'whoami'
      • go
    • If it doesn’t work, test if you can reconfigure the server:
      • EXEC SP_CONFIGURE 'show advanced options',1
      • reconfigure
      • go
      • EXEC SP_CONFIGURE 'xp_cmdshell',1
      • reconfigure
      • go
      • Try to execute a shell again

VNC

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA vnc-nmap --script="vnc* and not(brute or dos)" {IP}

MSRPC

RPCBIND

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA rpcbind-nmap --script="rpc* and not(brute or dos)" {IP}
  • rpcinfo -s {IP}
  • rpcinfo -p {IP}

SMTP

POP3

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA pop3-nmap --script="pop3* and not(brute or dos)" {IP}

NNTP

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA nntp-nmap --script="nntp* and not(brute or dos)" {IP}

NFS / NLOCKMGR / MOUNTD

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA nfs-nmap --script="nfs* and not(brute or dos)" {IP}
  • It is recommended not to restrict this scan with -p, since the nfs* scripts need to reach rpcbind as well as the NFS ports.

MYSQL

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA mysql-nmap --script="mysql* and not(brute or dos)" {IP}

ORACLE

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA oracle-nmap --script="oracle* and not(brute or dos)" {IP}
  • sudo oscanner -s {IP} -P {PORT}
  • tnscmd10g version -p 1521 -h {IP}
  • ODAT: Oracle Database Attacking Tool

AJP

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA ajp-nmap --script="ajp* and not(brute or dos)" {IP}
  • ajpShooter.py

RDP / MS-WBT-SERVER

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA rdp-nmap --script="rdp* and not(brute or dos)" {IP}
  • Connect to a machine:
    • xfreerdp +clipboard /w:1280 /h:720 /smart-sizing /cert:ignore /v:{IP} /u:{USERNAME} /p:'{PASSWORD}'
    • rdesktop -k de-ch -u '{USERNAME}' -p '{PASSWORD}' {IP}
      • If the login doesn’t work, try xfreerdp or log in with the domain-qualified user name, e.g. corp\{USERNAME}
  • hydra -v -V -u -t 4 {TWO_OF_THE_BELOW_OPTIONS_EXCEPT_WITH_OPTION_C} -s {PORT} {IP} rdp

LDAP

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA ldap-nmap --script="ldap* and not(brute or dos)" {IP}
  • ldapsearch -x -H ldap://{IP} -s base

NETBIOS-SSN

  • nmblookup -A {IP}
  • smbclient -L //{IP}
  • smbclient -L //{IP} -U "Guest"
  • enum4linux -a {IP}
  • enum4linux -u "" -p "" -a {IP}
  • enum4linux -u "guest" -p "" -a {IP}
  • rpcclient -U "" {IP}
  • smbclient //{SERVER_NAME}/{SHARE_NAME} -I {IP} -N
  • mkdir folder && sudo mount -t cifs //{IP}/{SHARE_NAME} ./folder

DOMAIN

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA dns-nmap --script="dns* and not(brute or dos)" {IP}
  • dig axfr @{IP} {DOMAIN.TLD}
  • dnsrecon -d {DOMAIN.TLD}

KERBEROS-SEC

  • sudo nmap -sT -sV -Pn -oA KERBEROS-USERDB-nmap --script=krb5-enum-users --script-args="unsafe=1,krb5-enum-users.realm={DOMAIN.TLD},userdb=/usr/share/seclists/Usernames/Names/names.txt" {IP}
  • sudo nmap -sT -sV -Pn -oA KERBEROS-nmap --script=krb5-enum-users --script-args="unsafe=1,krb5-enum-users.realm={DOMAIN.TLD}" {IP}

RTSP

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA rtsp-nmap --script="rtsp* and not(brute or dos)" {IP}

IMAP

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA imap-nmap --script="imap* and not(brute or dos)" {IP}

DHCP

  • sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA dhcp-nmap --script="dhcp* and not(brute or dos)" {IP}

SNMP

  • sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA snmp-nmap --script="snmp* and not(brute or dos)" {IP}
  • onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt {IP}
  • snmp-check {IP}
  • snmpwalk -v1 -c public {IP}

TFTP

  • sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA tftp-nmap --script="tftp* and not(brute or dos)" {IP}

NTP

  • sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA ntp-nmap --script="ntp* and not(brute or dos)" {IP}

UPNP

  • sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA upnp-nmap --script="(upnp* or broadcast-upnp-info) and not(brute or dos)" {IP}

NAT

  • sudo nmap -sU -sV -Pn --script-args=unsafe=1 -oA nat-nmap --script="nat* and not(brute or dos)" {IP}

TELNET

  • sudo nmap -sT -sV -Pn --script-args=unsafe=1 -oA telnet-nmap --script="telnet* and not(brute or dos)" {IP}

tcpwrapped

tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux. When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper. Specifically, it means that a full TCP handshake was completed, but the remote host closed the connection without receiving any data.

It is important to note that tcpwrapper protects programs, not ports. This means that a valid (not false-positive) tcpwrapped response indicates a real network service is available, but you are not on the list of hosts allowed to talk with it. When a very large number of ports are shown as tcpwrapped, it is unlikely that they represent real services, so the behavior probably means something else like a load balancer or firewall is intercepting the connection requests.
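The rule of thumb above (a handful of tcpwrapped ports means a real service with an allow-list; nearly every open port tcpwrapped means something in between is answering) is easy to apply mechanically to the .xml file that -oA writes. The following is an added example, not from these notes and not part of nmap: it parses a hand-written XML sample in nmap's output layout (addresses from the RFC 5737 documentation range) and reports, per host, how many open ports are tcpwrapped and which of the two readings fits. The `ratio` and `min_ports` thresholds and the `tcpwrapped_summary` name are this example's own assumptions.

```python
"""Summarise tcpwrapped ports per host from nmap XML output (the .xml file written by -oA)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML layout (hand-written, not captured from a scan); the
# addresses come from the RFC 5737 documentation range. Host .10 has one wrapped port among
# ordinary services, host .20 answers tcpwrapped on almost every open port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="25"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="81"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="82"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="83"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="84"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="85"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="86"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="87"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="88"><state state="open"/><service name="tcpwrapped"/></port>
    </ports>
  </host>
</nmaprun>
"""


def tcpwrapped_summary(xml_text, ratio=0.5, min_ports=5):
    """Count open and tcpwrapped ports per host and flag hosts where the wrapped share is high.

    A host with only a few wrapped ports most likely runs real services that reject this
    source address (TCP Wrapper allow-list); a host where most open ports are wrapped is
    more likely an intercepting firewall or load balancer. ratio and min_ports are the
    assumed, tunable thresholds for that second case.
    """
    results = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        open_ports, wrapped = [], []
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports say nothing about wrapping
            portid = int(port.get("portid"))
            open_ports.append(portid)
            service = port.find("service")
            if service is not None and service.get("name") == "tcpwrapped":
                wrapped.append(portid)
        intercepted = (len(open_ports) >= min_ports
                       and len(wrapped) / len(open_ports) >= ratio)
        if not wrapped:
            verdict = "no tcpwrapped ports"
        elif intercepted:
            verdict = "mostly tcpwrapped: probably a firewall or load balancer answering for the host"
        else:
            verdict = "few tcpwrapped ports: real services refusing this source address"
        results.append({"addr": addr, "open": len(open_ports),
                        "tcpwrapped": sorted(wrapped), "intercepted": intercepted,
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    # Usage: python tcpwrapped_summary.py {SERVICE_NAME}-nmap.xml   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for entry in tcpwrapped_summary(text):
        print(f"{entry['addr']}: {len(entry['tcpwrapped'])}/{entry['open']} open ports "
              f"tcpwrapped -> {entry['verdict']}")
```

On the sample, 192.0.2.10 (1 of 4 open ports wrapped) is reported as a real service with access control, while 192.0.2.20 (8 of 9) is flagged as intercepted; tune `ratio` and `min_ports` to the size of the scan.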


Relevant Note(s): Penetration Testing