Enumeration Cheatsheets

Bloodhound Cheatsheet – Custom Queries, Neo4j, etc.

This document contains both custom queries that you can import and run directly in Bloodhound, as well as custom queries that you can run from within the Neo4j GUI directly.


Importing Custom Queries to Bloodhound

CompassSecurity / BloodHoundQueries

There is an awesome project over at https://github.com/CompassSecurity/BloodHoundQueries. You can quickly install the custom queries by running the following commands in Linux.

cd /root/.config/bloodhound
curl -o "customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json"

Once downloaded, just restart Bloodhound and you’ll see the Custom Queries available.


Within Neo4j GUI

In the Neo4j console (by default http://localhost:7474/browser/), you can run your own queries to get data out of the Bloodhound database. I like to do this for ease of copy/paste when report writing.

Find all computers that have an unsupported Operating System (the second variant matches case-insensitively and also catches Windows ME):

MATCH (H:Computer) WHERE H.operatingsystem =~ '.*(2000|2003|2008|xp|vista|7).*' RETURN H.name, H.operatingsystem

MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista|me|7).*' RETURN H.name, H.operatingsystem

Find all enabled users who are member of a particular group, such as Domain Admins.

MATCH (u:User)-[:MemberOf]->(g:Group {name:'DOMAIN ADMINS@<domain>'}) WHERE u.enabled = TRUE return u.name

Find all users that contain a keyword.

MATCH (u:User) WHERE u.name CONTAINS "<keyword>" return u.name, u.displayname, u.description, u.group

Print the name of all enabled users and their description field.

MATCH (n:User) WHERE n.enabled = TRUE RETURN n.name, n.description

Wireshark Filters Cheatsheet

There are literally hundreds of posts like this on the internet, with one of my favorites being https://wiki.wireshark.org/CaptureFilters. However, I wanted to create this ‘short’ list that contains my favorite go-to’s after performing Man in the Middle attacks.

This post will be updated as time goes on.

Understanding the Packet Capture

Before diving too deep, it’s always a good idea to get an idea of what type of traffic was captured so you know which filters to apply.

Viewing Protocol Statistics:
In the Menu, click on Statistics and select Protocol Hierarchy.


Filtering HTTP

If non-encrypted HTTP traffic was captured, we may be able to extract juicy details.

View all plaintext HTTP GET requests:
http.request.method == "GET"

View all plaintext HTTP POST requests:
http.request.method == "POST"

Filtering by specific redirect location:
http.location == "login_success.php"

To export HTTP objects (such as images or pages):
Select File. Click on Export Objects, and then HTTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.


Filtering FTP

FTP is pretty simple, since all traffic is sent in plaintext.

To view all FTP related traffic:
ftp

To export FTP objects (such as transferred files):
Select File. Click on Export Objects, and then TFTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.


Filtering SMB

SMB is a favorite to capture, as it is usually not encrypted and you may be able to exfiltrate files over the wire.

To view packets related to SMB files:
smb.file

To export SMB objects (such as transferred files):
Select File. Click on Export Objects, and then SMB.


Enumerating SNMP for Pentesting (UDP Ports 161, 162)

This post contains various commands and methods for enumerating the SNMP service. This article will be expanded upon as time goes on.


Using NMAP

Bruteforcing community strings:
sudo nmap -sU -p 161 --script snmp-brute <ipAddr>

Bruteforcing community strings with custom wordlist:
sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ipAddr>

Enumerate users on remote machine:
sudo nmap -sU -p 161 --script snmp-win32-users <ipAddr>

Enumerate services on remote machine:
sudo nmap -sU -p 161 --script snmp-win32-services <ipAddr>

Run all SNMP-related Nmap Scripts:
sudo nmap -sU -p 161 --script snmp-* <ipAddr> -oG nmap/snmp.txt


Using SNMPWALK

Enumerate SNMPv2c with the community string public:
snmpwalk -v2c -c public <ipAddr>

To search for installed software:
snmpwalk -v2c -c public <ipAddr> hrSWInstalledName

To search amount of RAM on the host:
snmpwalk -v2c -c public <ipAddr> hrMemorySize

Note: There are additional OIDs that you can provide to enumerate specific information.


Using ONESIXTYONE

To brute-force communities:
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <ipAddr>


Using SNMPSET

To change the value behind an OID (snmpset needs a type letter before the value, for example s for a string or i for an integer, and the community string must grant write access; a read-only community will be rejected):
snmpset -v2c -c public <ipAddr> <OID> <type> <newValue>

To change the sysContact OID (a scalar, so the instance suffix .0 is required):
snmpset -v2c -c public <ipAddr> sysContact.0 s "<newValue>"



Active & Passive Recon Cheatsheet

This post contains various commands and methods for performing passive recon of a target. This article will be expanded upon as time goes on.


Performing Whois lookups

We can utilize public WHOIS databases to perform lookups on domains.
https://lookup.icann.org/

It may also be worthwhile utilizing other services, such as Namecheap. Once you know who the registrar is, it is typically best to perform a Whois lookup for your target using their domain registrar.
https://www.namecheap.com/domains/whois/

We can also utilize a Kali terminal for this:
whois <targetDomain>

You can use additional options to instruct the tool to use a different server.
whois -h whois.godaddy.com <targetDomain>


Performing DNS enumeration with Nslookup

To perform a lookup of the A records against a particular domain:
nslookup <targetDomain>

To look up the mail records:
nslookup -query=mx <targetDomain>

To look up Nameservers:
nslookup -query=ns <targetDomain>

To get all records that are available:
nslookup -query=any <targetDomain>

You can also run nslookup with no parameters to work with it interactively.
nslookup

While interactively working with nslookup, you can set your query:
set q=mx

You can also set your server if you wanted to query a different DNS server than your default one:
server 8.8.8.8


Performing DNS enumeration with Dig

To extract A records and Nameservers of a domain:
dig <targetDomain>

To query just A records:
dig <targetDomain> A

You can also limit the output to a specific record, and just return the answer section:
dig +nocmd <targetDomain> MX +noall +answer

To attempt a DNS zone transfer:
dig +nocmd <targetDomain> AXFR +noall +answer @<targetDNSServer>

To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/


Automating DNS Enumeration

Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques.
fierce -dns <targetDomain>

You can also specify a specific DNS server for the tool to use.
fierce -dns <targetDomain> -dnsserver <targetNameserver>

We can also leverage a tool called DNSEnum to do something similar. It looks up the A records of the target domain, then the NS and MX records, and finally attempts a zone transfer.
dnsenum <targetDomain>

You can also specify a specific DNS server for the tool to use. Sometimes the results will differ.
dnsenum <targetDomain> --dnsserver <targetNameserver>

You can use DNSEnum to brute force subdomains as well.
dnsenum <targetDomain> -f <dictionaryList>

DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist.
dnsmap <targetDomain> -w wordlist.txt -r /tmp/results.txt

DNSMap to enumerate subdomains in bulk fashion:
dnsmap-bulk.sh domains.txt /tmp/results.txt

DNSRecon is an ‘all-in-one’ tool that can do most everything.
dnsrecon -d <targetDomain>


Google and Bing Dorking

Bing offers a query filter that returns websites hosted on a given IP address by entering the following Bing search:
ip:<targetIP>

Search Google for results within a particular website:
site:<targetURL>

Search Google for specific filetypes:
site:<targetURL> filetype:pdf

Search Google for particular text in the title:
site:<targetURL> intitle:admin
site:<targetURL> intitle:"index of"

Search Google for particular text in the body:
site:<targetURL> intext:admin
site:<targetURL> intext:"index of"

Additional payloads are found here. https://gist.github.com/clarketm/919457847cece7ce40323dc217623054


Various Tools:


Network Enumeration and Host Discovery Cheatsheet

This post contains various commands and methods for performing enumeration of a network. This article will be expanded upon as time goes on.


Quick Host Discovery using ARP Protocol

Using NETDISCOVER to perform an ARP scan:
sudo netdiscover -i <interface> -r <targetSubnet>

Using ARP-SCAN to perform an ARP scan:
sudo arp-scan -I <interface> <targetSubnet>


Identifying your Immediate Routes and Gateways

Windows will show the default gateway:
ipconfig /all

In Linux, you can use TRACEROUTE:
traceroute <targetIP> -m 5

In Linux, you can look at the routing table:
route

To see which routes you may have access to:
ip route show dev <interface>


Portscanning with Nmap and Hping

Nmap

My go-to nmap command:
sudo nmap -sV -sC -p- <ipAddr> -oA nmap/top1000

Using Nmap for a pingsweep without port discovery:
sudo nmap -PE -sn -n <ipRange> -oA nmap/pingsweep

Using Nmap for pingsweep, with top 20 port discovery:
sudo nmap -PE -n <ipRange> --top-ports 20

Using Nmap to scan UDP ports:
sudo nmap -sU <ipRange>

Using Nmap for ARP Scan:
sudo nmap -PR -sn <ipRange>

Sometimes filtering may be in place that only allows certain source ports on the network. To get around that, we could use the following Nmap command to scan DNS port 53 with a source port of 53:
sudo nmap -sS --source-port 53 -p 53 <ipRange> -oA nmap/dns-servers

Hping

Hping is also useful, as it’s always a good idea to get a second opinion. The following will scan a specific port with 3 SYN packets.
sudo hping3 -S <ipAddr> -p <port> -c 3

To use Hping to scan a port range, but exclude port 525:
sudo hping3 -S --scan '80,445,500-550,!525' <ipAddr> -V

To use Hping for UDP scans:
sudo hping3 -2 --scan 1-1000 <ipAddr>

Sometimes filtering may be in place that only allows certain source ports on the network. To get around that, we could use the following Hping command to scan DNS port 53 with a source port of 53:
sudo hping3 -S -s 53 -k -p 53 <ipAddr>


Host Enumeration Using FPing

We can leverage fPing to do a quick search on the network for alive hosts.
fping -A <targetIP>

We can also add an option to limit the number of retries attempted, speeding up the execution.
fping -A <targetIP> -r 0

Adding another option will allow us to view the time it took to retrieve the reply.
fping -A <targetIP> -e

To sweep a network efficiently, without retries, and only display the alive hosts:
fping -q -a -g 10.0.0.0/24 -r 0 -e


From within a Meterpreter session:

Display the network adapters and their associated IP addresses:
ifconfig

Display nearby machines on the network:
arp

Display entries on the local routing table:
route

Perform an ARP scan for a given IP range:
run arp_scanner -r 10.0.0.0/24

View existing configured routes in Metasploit:
route print

Forward a specific port to a remote host through the Meterpreter session. Any traffic sent to the local port on our local system will route through the Meterpreter session.
portfwd add -l <localPort> -p <remotePort> <destinationIP>


Handy Metasploit modules:

Run a ping sweep through a compromised system:
use post/multi/gather/ping_sweep

Configure a Metasploit route for pivoting:
use post/multi/manage/autoroute

You can also configure a route while interacting with a Meterpreter session:
run autoroute -s <subnet>

Run a TCP port scan (you may want to configure a route first):
use auxiliary/scanner/portscan/tcp

Configure a Socks4 proxy for pivoting. Any traffic routed through the proxy will route through the Metasploit routing table:
https://infinitelogins.com/2021/02/20/using-metasploit-routing-and-proxychains-for-pivoting/


Windows Utilities (LOLbins)

Display network adapters, DNS servers, and additional details:
ipconfig /all

Identify details about the DNS cache:
ipconfig /displaydns

To view details about ports and services on the system:
netstat -ano



Enumerating NFS Shares (Port 2049)

NFS shares are not only common to come across during the OSCP and in capture the flag events like Hack The Box, but they’re also common to see during internal pentest engagements. This post intends to serve as a guide for enumerating an NFS share and the different opportunities for abusing its functionality.

Note: In Linux environments, NFS is sometimes used as a home directory server.


Using ShowMount

To list the available NFS shares, you can use the following:
showmount -e <ipAddr>

To list the connected clients, you can use the following:
showmount -a <ipAddr>


Mounting NFS Shares

First, we’ll need to create a mount point in Kali.
sudo mkdir /mnt/nfs-share

Then we can mount the open share to it.
sudo mount -t nfs <ipAddr>:/<shareName> /mnt/nfs-share

Then you can change into the mounted share.
cd /mnt/nfs-share


Enumerating Mounted NFS Shares

Once you’ve mounted a share (using the above steps), enumerate it to see what it contains and what permissions you have to interact with it.

Obviously you can then read/copy files, but testing to see if you can write/delete is an important step.
touch test
rm test

Can you overwrite existing files? For example, say that Web.config was present in the share. Try the following:
touch /tmp/Web.config
mv /tmp/Web.config /mnt/nfs-share/Web.config

Sometimes interacting with the share directly can be slow, so it may be helpful to run the following command. This will get a list of all the files in the share along with their associated permissions, and write that into a text document locally on your machine. This will let you search through this local file to hunt for handy files rather than querying the remote system each time.
find . -ls > /tmp/nfs-share.dir


Enumerating WinRM (Port 5985)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 5985 on a machine. This list is far from exhaustive and will be updated as time progresses.


Getting a Shell w/ EvilWinRM

You can download this tool from Github at the following location.
https://github.com/Hackplayers/evil-winrm

With that tool in hand, you can run the following command to gain a shell, provided you know valid user credentials.

./evil-winrm.rb -u <userAccount> -p <userPassword> -i <targetIP>


Enumerating DNS (Port 53)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 53 on a machine. This list is far from exhaustive and will be updated as time progresses.


Enumerating Hostname of Server

Run the following commands to see if you can make the server leak its own hostname.

nslookup
server <targetIP>
127.0.0.1
127.0.0.2

<targetIP>

Note: It’s probably worth enumerating other live hosts on the network to confirm the domain name is the same.


Performing DNS enumeration with Nslookup

To perform a lookup of the A records against a particular domain:
nslookup <targetDomain>

To look up the mail records:
nslookup -query=mx <targetDomain>

To look up Nameservers:
nslookup -query=ns <targetDomain>

To get all records that are available:
nslookup -query=any <targetDomain>

You can also run nslookup with no parameters to work with it interactively.
nslookup

While interactively working with nslookup, you can set your query:
set q=mx

You can also set your server if you wanted to query a different DNS server than your default one:
server 8.8.8.8


Performing DNS enumeration with Dig

To extract A records and Nameservers of a domain:
dig <targetDomain>

To query just A records:
dig <targetDomain> A

You can also limit the output to a specific record, and just return the answer section:
dig +nocmd <targetDomain> MX +noall +answer

To attempt a DNS zone transfer:
sudo dig @<targetDNSServer> <targetDomain> -t AXFR +nocookie

To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/


Automating DNS Enumeration

Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques.
fierce -dns <targetDomain>

You can also specify a specific DNS server for the tool to use.
fierce -dns <targetDomain> -dnsserver <targetNameserver>

We can also leverage a tool called DNSEnum to do something similar. It looks up the A records of the target domain, then the NS and MX records, and finally attempts a zone transfer.
dnsenum <targetDomain>

You can also specify a specific DNS server for the tool to use. Sometimes the results will differ.
dnsenum <targetDomain> --dnsserver <targetNameserver>

You can use DNSEnum to brute force subdomains as well.
dnsenum <targetDomain> -f <dictionaryList>

DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist.
dnsmap <targetDomain>

DNSRecon is an ‘all-in-one’ tool that can do most everything.
dnsrecon -d <targetDomain>


Using DNSRecon to enumerate hostnames within the local subnet

We can use dnsrecon to attempt a “brute-force” attack by querying IP addresses for associated reverse lookup records.

-n : Will be the nameserver to use.
-r : Will be the network “range” that you want to lookup records for.
--db : Will save the found records to a SQLite DB file.

dnsrecon -n <ipAddr> -r <subnet> --db target.db

If you are unsure of any information, or even what network(s) to perform the lookup for, you can create a bash script that contains multiple commands. For example, we could create enumdns.sh that contains the following:

#!/bin/bash
# Reverse-lookup sweep of the three RFC 1918 ranges against one nameserver.
dnsrecon -n 10.10.10.83 -r 10.0.0.0/8 --db target.db
dnsrecon -n 10.10.10.83 -r 172.16.0.0/12 --db target.db
dnsrecon -n 10.10.10.83 -r 192.168.0.0/16 --db target.db

Running this script will enumerate all possible internal IPs for associated hostname records.


Additional Enumeration Techniques

Update your /etc/resolv.conf file so that you use the target as a DNS server. See what hostnames you can enumerate.


Enumerating LDAP Port (389)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 389 on a machine. This list is far from exhaustive and will be updated as time progresses.


Let’s start by performing a search with simple authentication:

ldapsearch -h <targetIP> -x

If you get results back, let’s run the following command to try and get additional details out.

ldapsearch -h <targetIP> -x -s base namingcontexts

Based on the results, you’ll want to extract details about the primary Domain Component. For example, based on the above output, our next command would look like this.

ldapsearch -h <targetIP> -x -b "DC=htb,DC=local"

This should output a ton of information that you can then redirect to a file. If you do redirect to a file, the following commands may be helpful for extracting specific details.

grep -i CN= ldap-anonymous.out
grep -i member ldap-anonymous.out
grep -i memberof ldap-anonymous.out
grep -i user ldap-anonymous.out


Applying Filters to Queries

If you wanted to query LDAP directly, you can do so by adding your query to the end of your ldapsearch command. For example, we can find details of objects that have a class of “Person” by running the following command:

ldapsearch -h <targetIP> -x -b "DC=htb,DC=local" '(objectClass=Person)'

We can also just extract specific details about those that have a class of Person. For example, we could extract just the SAMAccountName and type.

ldapsearch -h <targetIP> -x -b "DC=htb,DC=local" '(objectClass=Person)' sAMAccountName sAMAccountType

Using this method is a great way to create a list of users that you can then use for Password Spraying attacks.
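A grep over the redirected ldapsearch output misses two things LDIF does routinely: long values are folded onto a following line that begins with a space, and values that are not plain ASCII are written base64-encoded after a double colon. The following is an added Python example (not code from the original post or from OpenLDAP) that parses the LDIF into entries and collects the sAMAccountName values; the sample output it reads is constructed to resemble `ldapsearch -x -b "DC=htb,DC=local" '(objectClass=Person)'`, not captured from a real directory.

```python
import base64

# Constructed sample of ldapsearch (LDIF) output: comment lines, a folded
# description value and a base64 (::) sAMAccountName value.
SAMPLE_LDIF = """\
# extended LDIF
# filter: (objectClass=Person)

# Administrator, Users, htb.local
dn: CN=Administrator,CN=Users,DC=htb,DC=local
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: Administrator
sAMAccountType: 805306368
memberOf: CN=Domain Admins,CN=Users,DC=htb,DC=local

# svc_backup, Service Accounts, htb.local
dn: CN=svc_backup,OU=Service Accounts,DC=htb,DC=local
objectClass: person
sAMAccountName:: c3ZjX2JhY2t1cA==
description: Backup service account - pass
 word rotated quarterly

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of entries, each a {attribute: [values]} dict.

    Entries end at a blank line, a line starting with a space continues the
    previous line, and 'attr:: value' carries a base64-encoded value.
    """
    entries, current, logical = [], {}, []

    def flush():                      # commit the buffered logical line
        line = "".join(logical)
        logical.clear()
        if not line or line.startswith("#"):
            return
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # double colon: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)

    for raw in text.splitlines():
        if raw.startswith(" "):       # continuation of the previous line
            logical.append(raw[1:])
            continue
        flush()
        if raw == "":                 # blank line: entry boundary
            if "dn" in current:       # trailer blocks (search/result) have no dn
                entries.append(current)
            current = {}
        else:
            logical.append(raw)
    flush()
    if "dn" in current:
        entries.append(current)
    return entries


def values_of(entries, attr):
    """Collect one attribute's values across entries. LDAP attribute names are
    case-insensitive, so compare casefolded (the reason grep -i is used above)."""
    want = attr.casefold()
    return [v for e in entries for k, vals in e.items()
            if k.casefold() == want for v in vals]
```

`values_of(parse_ldif(SAMPLE_LDIF), "sAMAccountName")` yields the two account names, including the base64-encoded one that a plain grep would not show.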


Enumerating IPSEC IKE/ISAKMP Ports (500, 4500, etc.)

If you find UDP ports 500 or 4500, the box is likely running some sort of IPSEC VPN tunnel. This post intends to serve as a guide for enumerating these ports and a list of tools that can help you.

Table of Contents

  • Helpful Commands
  • Installing IPSEC VPN Client on Linux
  • Installing IPSEC VPN Client on Windows
  • Troubleshooting IPSEC Errors

Helpful Commands

To extract the hash, or preshared key, you can run the following command as long as Aggressive mode is enabled.

ike-scan --aggressive <targetIP>

If this fails, you can run the following command to extract some details about the VPN configuration, such as what hashing format and encryption algorithms are being used.

ike-scan -M <targetIP>

Notice that the LifeDuration may be returned in hex. Convert that value to decimal to get the lifetime in seconds, for example with the following one-liner:

python3 -c 'print(int("<hex>", 16))'

To confirm whether or not the VPN is using IKE version 2, you can run the following command. If it returns successful output, then you know IKEv2 is in use.

ike-scan -M -2 <targetIP>

Note that Nmap scans across an established IPSEC connection will need to run with -sT to get accurate results. The default for Nmap is to run with SYN scans (-sS).


Installing IPSEC VPN Client on Linux

In this example, I will show how to connect to the challenge on Hack The Box called Conceal. Please note that this post does not intend to serve as a walkthrough or write-up of this machine, but rather is being used as an example for configuring IPsec tunnels.

On Linux, you can use StrongSwan to connect to VPN servers.

sudo apt install strongswan -y

To begin, let’s edit our /etc/ipsec.secrets file so that it contains the PSK (Pre-Shared Key) for our VPN server. This will allow StrongSwan to authenticate to our VPN server when we go to use the tool. You can view the man page of this configuration file by running “man ipsec.secrets”.

sudo vi /etc/ipsec.secrets

Add the following line:

<targetIP> %any : PSK "<presharedKey>"

Note: You need to provide the key in its unencrypted/non-hashed format.

Next, we need to edit our IPsec configuration file so that it contains the configuration of our VPN. You can view the man page of this configuration file by running “man ipsec.conf”.

sudo vi /etc/ipsec.conf

This is where things will vary based on the configuration of your VPN, but this is what is needed for things to work on the Conceal box. You will need to take the output from the commands we ran earlier to know exactly what values to enter for each of these. Refer to the man page for ipsec.conf as needed.

conn Conceal
     type=transport
     keyexchange=ikev1
     left=<localIP>
     right=<targetIP>
     authby=psk
     esp=3des-sha1
     fragmentation=yes
     ike=3des-sha1-modp1024
     ikelifetime=8h
     auto=start

While this configuration should work in most cases, Conceal was a bit tricky. It was configured to only allow TCP ports over the VPN, rather than the default of both UDP and TCP. Because of this, we actually had to add two additional lines.

conn Conceal
     type=transport
     keyexchange=ikev1
     left=<localIP>
     leftprotoport=tcp
     right=<targetIP>
     rightprotoport=tcp
     authby=psk
     esp=3des-sha1
     fragmentation=yes
     ike=3des-sha1-modp1024
     ikelifetime=8h
     auto=start

With our configuration in place, let’s try establishing our connection!

sudo ipsec start --nofork
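The values in the conn block come straight from the SA line that `ike-scan -M` prints, so the mapping can be scripted instead of transcribed. The following is an added Python example (not code from the original post, ike-scan or strongSwan) that parses that line and emits the matching ike=, ikelifetime= and authby= settings; the ike-scan output it reads is constructed to resemble the -M format, and its lifetime 0x00007080 is the 28800 seconds (8h) used above. Only phase 1 is visible to ike-scan, so esp= still has to be chosen by hand.

```python
import re

# Constructed sample of `ike-scan -M <targetIP>` output (not a real capture).
SAMPLE_IKE_SCAN = """\
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
<targetIP>\tMain Mode Handshake returned
\tHDR=(CKY-R=<responderCookie>)
\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
"""

# ike-scan's attribute names on the left, strongSwan proposal tokens on the right.
ENC_MAP = {"DES": "des", "3DES": "3des", "AES": "aes"}
HASH_MAP = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
            "SHA2-384": "sha384", "SHA2-512": "sha512"}
# "LifeDuration(4)=0x00007080": the (4) is the attribute length, not part of the name.
ATTR_RE = re.compile(r"(\w+)(?:\(\d+\))?=(\S+)")


def parse_ike_scan(output):
    """Return the attributes of the SA=(...) line as a dict."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("SA=(") and line.endswith(")"):
            return dict(ATTR_RE.findall(line[4:-1]))
    raise ValueError("no SA=(...) line found; the responder accepted no proposal")


def lifetime_to_conf(seconds):
    """Express a lifetime in seconds in the h/m/s notation ipsec.conf accepts."""
    if seconds % 3600 == 0:
        return f"{seconds // 3600}h"
    if seconds % 60 == 0:
        return f"{seconds // 60}m"
    return f"{seconds}s"


def to_strongswan(attrs):
    """Map SA attributes to ike=, ikelifetime= and authby= settings."""
    enc = ENC_MAP[attrs["Enc"]]
    if "KeyLength" in attrs:                  # Enc=AES KeyLength=256 -> aes256
        enc += attrs["KeyLength"]
    group = attrs["Group"].split(":", 1)[-1]  # "2:modp1024" -> "modp1024"
    conf = {"ike": f"{enc}-{HASH_MAP[attrs['Hash']]}-{group}"}
    if "LifeDuration" in attrs and attrs.get("LifeType", "Seconds") == "Seconds":
        # same conversion as the python one-liner above: hex string -> seconds
        conf["ikelifetime"] = lifetime_to_conf(int(attrs["LifeDuration"], 16))
    if attrs.get("Auth") == "PSK":
        conf["authby"] = "psk"
    return conf


def render_conn(name, local_ip, target_ip, conf):
    """Render a transport-mode IKEv1 conn block in ipsec.conf syntax."""
    lines = [f"conn {name}", "     type=transport", "     keyexchange=ikev1",
             f"     left={local_ip}", f"     right={target_ip}"]
    lines += [f"     {key}={value}" for key, value in conf.items()]
    lines.append("     auto=start")
    return "\n".join(lines)


if __name__ == "__main__":
    settings = to_strongswan(parse_ike_scan(SAMPLE_IKE_SCAN))
    print(render_conn("Conceal", "<localIP>", "<targetIP>", settings))
```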

Things to consider:

  • You may or may not need the fragmentation item in the above config(s), depending on how the VPN server is configured.

  • If you’re having weird issues, you can run the following command in an attempt to improve the connection.
    sudo ifconfig <interface> mtu 1000

  • Note that Nmap scans across an established IPSEC connection will need to run with -sT to get accurate results. The default for Nmap is to run with SYN scans (-sS).

Installing IPSEC VPN Client on Windows

To begin, let’s launch Windows Defender Firewall with Advanced Security.

Navigate to Connection Security Rules, and then create a New Rule.

We want to create a Custom rule, and then click Next.

Within EndPoint 1, click on These IP Addresses and then select Add. You’ll want to enter the IP address of your interface that you’ll use to connect to the VPN.

Do the same thing with Endpoint 2, but specify the destination host or network. When finished, the populated window should have items in both panes, and then you can click Next.

Select the proper Authentication Method.

If using a Preshared Key, select Next in the above listed window, then select Advanced and click Customize.

Then click on Add, select Preshared Key, enter it, and then click OK.

Select the necessary Protocol/Port configurations. In some cases, your VPN tunnel may only allow UDP or TCP and not always both.

Select the desired Profiles and click Next.

Finally, give it a Name.


Troubleshooting IPSEC Errors

Great documentation is found at https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html