[ Certified Ethical Hacker v10 ] :: [ Module 3 Continued ]

This entry is part 5 of 21 in the series [ Certified Ethical Hacker Training ]

Module 3: Scanning and Enumeration continued

Windows Enumeration

NetBIOS: services, names and details

nbtstat

# nbtstat enumerates your current NetBIOS sessions.
# It requires at least one switch. Remember -s (resolve names) or -S (show IP addresses).
nbtstat -s
# List the NetBIOS name table of a remote system (-a takes a name, -A takes an IP address):
nbtstat -a <NetBIOS name>
nbtstat -A <IP address>
# Look into your own NetBIOS name cache:
nbtstat -c

nmap with SMB

# use -sS for the scan type and --script to specify a script
# (the smb-* scripts need TCP 139/445 in the scanned port range; the default range covers them)
nmap -sS --script smb-os-discovery <target IP>
# smb-check-vulns is gone from current Nmap releases; it was split into the smb-vuln-* scripts
# (use --script smb-vuln-* on a modern install)
nmap -sS --script smb-check-vulns <target IP>
nmap -sS --script smb-enum-users <target IP>
nmap -sS --script smb-enum-shares <target IP>

NULL Sessions

This is a catastrophic weakness in Windows Simple File Sharing (which you should never use). It allows remote users to connect to the IPC$ share anonymously, with an empty username and an empty password. Nice, huh?

# establish the null session against the IPC$ share (empty password, empty user)
net use \\<target>\ipc$ "" /user:""
# list the shares the target exposes
net view \\<target>
# map one of those shares to a drive letter
net use g: \\<target>\<shared folder>

Other Tools

SuperScan

enum4linux
acccheck

SMBmap

PsTools

Other Issues

SAM files

SIDs

Linux Enumeration

finger
rpcinfo
showmount

SNMP Enumeration

The MIB

SNScan

LDAP / Directory Enumeration

JXplorer

LEX

nmap using an NSE script

NTP Enumeration

ntpdate
ntptrace
ntpdc
ntpq
nmap -sU -pU:123 -Pn -n --script ntp-monlist <target>

SMTP Enumeration

# First, telnet into the target's SMTP port
telnet <target> 25

# verify a single user (the reply code tells you whether the mailbox exists):
VRFY fred

# expand a mailing list:
EXPN <mailing list name>

# send a single message, separately, to multiple users
# You have to use the MAIL FROM command first; the server then accepts or rejects each RCPT TO per user:
MAIL FROM:<fred@target.net>
RCPT TO:<george@target.net>
RCPT TO:<mary@target.net>
# Or use nmap (note the script is smtp-enum-users, not the SMB one):
nmap -sS --script smtp-enum-users <target IP>
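The VRFY / EXPN / RCPT TO probing above leaves a distinctive trail on the mail server. As an added detection-side example (not part of the original notes), this script flags sources that issue VRFY/EXPN or that hit several distinct recipient rejections; the log format is a constructed, simplified one, not the output of any real MTA.

```python
import re
from collections import defaultdict

# Constructed, simplified SMTP command log (not real MTA output):
# "<timestamp> <client IP> <SMTP verb> <argument> -> <reply code>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 VRFY fred -> 550
2024-05-01T10:00:02 203.0.113.7 VRFY george -> 250
2024-05-01T10:00:03 203.0.113.7 EXPN staff -> 250
2024-05-01T10:00:04 203.0.113.7 VRFY mary -> 550
2024-05-01T10:00:05 203.0.113.7 MAIL FROM:<fred@example.test> -> 250
2024-05-01T10:00:06 203.0.113.7 RCPT TO:<alice@example.test> -> 550
2024-05-01T10:00:07 203.0.113.7 RCPT TO:<bob@example.test> -> 550
2024-05-01T10:00:08 203.0.113.7 RCPT TO:<carol@example.test> -> 550
2024-05-01T10:00:09 203.0.113.7 RCPT TO:<dave@example.test> -> 550
2024-05-01T10:00:10 203.0.113.7 RCPT TO:<erin@example.test> -> 550
2024-05-01T10:01:00 198.51.100.9 MAIL FROM:<x@example.test> -> 250
2024-05-01T10:01:01 198.51.100.9 RCPT TO:<george@example.test> -> 250
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (VRFY|EXPN|MAIL|RCPT)\s*(\S*) -> (\d{3})$")

def parse(log):
    """Yield (source IP, verb, argument, reply code) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, src, verb, arg, code = m.groups()
            yield src, verb, arg, int(code)

def find_enumerators(log, rcpt_reject_threshold=3):
    """Return {source IP: [reasons]} for sources whose traffic looks like user enumeration."""
    probes = defaultdict(lambda: {"vrfy_expn": 0, "rcpt_rejects": set()})
    for src, verb, arg, code in parse(log):
        if verb in ("VRFY", "EXPN"):
            # Any VRFY/EXPN use is suspicious; legitimate clients almost never send them.
            probes[src]["vrfy_expn"] += 1
        elif verb == "RCPT" and code == 550:
            # Count distinct rejected recipients, not raw rejections, to catch address guessing.
            probes[src]["rcpt_rejects"].add(arg)
    flagged = {}
    for src, p in probes.items():
        reasons = []
        if p["vrfy_expn"]:
            reasons.append(f"{p['vrfy_expn']} VRFY/EXPN probes")
        if len(p["rcpt_rejects"]) >= rcpt_reject_threshold:
            reasons.append(f"{len(p['rcpt_rejects'])} distinct rejected RCPT TO")
        if reasons:
            flagged[src] = reasons
    return flagged
```

Disabling VRFY/EXPN (or answering every VRFY with 252) removes the first signal; the RCPT TO signal can only be blunted with rate limiting, so the per-source rejection count is the one to alert on.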

Enumerating with DNS

Zone Transfers

# interactive nslookup; point it at the target's own nameserver first,
# otherwise the zone transfer is requested from your local resolver
nslookup
server <target nameserver>
set type=any
# ls -d asks for the whole zone (AXFR) and saves it to a file
# (ls only exists in the Windows nslookup; on Linux use dig axfr instead)
ls -d target.net > dns.target.net
exit
# the dig equivalent of the zone transfer:
dig axfr @nsztm1.digi.ninja zonetransfer.me

More tools built into Kali

dnsenum <domain name>
dnsmap <domain name>
# -dns is the switch of the original Perl fierce; the Python rewrite takes --domain instead
fierce -dns <domain name>

A target site: ZoneTransfer.me

https://digi.ninja/projects/zonetransferme.php

dig axfr @nsztm1.digi.ninja zonetransfer.me