Enumeration Cheatsheets

Enumerating FTP for Pentesting (Port 21)

Basic Enumeration

Attempt to connect anonymously by issuing the command below and supplying the credentials anonymous:anonymous.

ftp <ipAddress>

You can perform banner grabbing with the following Metasploit module.

use auxiliary/scanner/ftp/ftp_version

You can perform brute force with the following Metasploit module.

use auxiliary/scanner/ftp/ftp_login


Transferring Files

If you have valid credentials, you can use the following command to download all files recursively.

wget --mirror 'ftp://<username>:<password>@<ipAddress>'


Enumerating HTTP Ports (80, 443, 8080, etc.)


When enumerating, we want to identify the software and versions fulfilling each of the following roles. This document is intended as a guide for hunting down those answers.

  • Web Application – WordPress, CMS, Drupal, etc.
  • Web Technologies – Node.js, PHP, Java, etc.
  • Web Server – Apache, IIS, Nginx, etc.
  • Database – MySQL, MariaDB, PostgreSQL, etc.
  • OS – Ubuntu Linux, Windows Server, etc.

Using Curl

Pulling out internal/external links from source code.
curl <address> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

To view just HTTP Links:
curl -s <address> | grep -Eo '(href|src)=".*"' | sed -r 's/(href|src)=//g' | tr -d '"' | sort

Strip out the HTML code from source-code of webpage.
curl <address> -s -L | html2text -width '99' | uniq

Check for contents of robots.txt.
curl <address>/robots.txt -s | html2text


Using Nikto

To perform a scan.
sudo nikto -host=http://<address>/


Using Ferox Buster

If you’re looking for a “Set it and forget it” solution to content discovery, Ferox Buster is your tool.
https://github.com/epi052/feroxbuster

feroxbuster --url http://<address>/


Using Gobuster

First, let's start with an initial scan of the address using a default wordlist. We'll have it return results for most response codes.

For invalid HTTPS certificates, you can include -k to any of these commands to bypass cert checks.

gobuster dir -u http://<address>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -x txt,php,html

After common finishes, I like to use the following to dig deeper.

gobuster dir -u http://<address>/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -s '200,204,301,302,307,403,500' -e -x txt,html,php,asp

Depending on the application, I may wish to use the Raft wordlist instead.
gobuster dir -u http://<address>/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -s '200,204,301,302,307,403,500' -e -x txt,html,php,asp -o gobust/root.dir

We can also leverage the following wordlist to look for CGI URLs.

gobuster dir -u http://<address>/ -w /usr/share/dirb/wordlists/vulns/cgis.txt -s '200,204,301,302,307,403,500' -e

Note: If you start getting spammed with a particular response code, you can remove that from the -s flag.

If you find a cgi-bin directory, you may want to scan it for .sh files. If one is found, check whether the machine is vulnerable to Shellshock. There is an nmap script that can identify the vulnerability, but it isn't always reliable, so it may be beneficial to run the request through a tool like Burp and look at it by hand.
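From the defender's side, a wordlist run like the gobuster commands above leaves a recognisable trail in the web server's access log: a burst of requests to many distinct paths, mostly answered 404/403, often probing the same extensions passed to -x. The script below is an added example, not code from the original cheatsheet, that flags such bursts in combined-format logs; the log lines, addresses and thresholds are constructed.

```python
"""Flag directory brute-forcing (gobuster/feroxbuster/dirsearch style) in combined-format
web access logs.  Added example; the log lines and IPs below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# extensions the cheatsheet's gobuster/dirsearch commands probe for (-x / -e)
PROBE_EXT = (".txt", ".php", ".html", ".asp")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_bruteforce(lines, window=timedelta(seconds=60), min_requests=10, min_miss_ratio=0.7):
    """Return {ip: summary} for sources that, inside one `window`, hit >= min_requests distinct paths with >= min_miss_ratio 403/404s."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):          # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            misses = sum(r["status"] in (403, 404) for r in win)
            distinct = len({r["path"] for r in win})
            if distinct >= min_requests and misses / len(win) >= min_miss_ratio \
                    and (ip not in hits or len(win) > hits[ip]["requests"]):   # keep the widest window
                hits[ip] = {"requests": len(win), "misses": misses, "distinct_paths": distinct,
                            "ext_probes": sum(r["path"].lower().endswith(PROBE_EXT) for r in win)}
    return hits
# constructed sample: one wordlist scan (mostly 404s) and one ordinary visitor
WORDS = ["admin", "backup.txt", "config.php", "cgi-bin/", "login.php", "old.html",
         "test.asp", "uploads/", "dev/", "api/", "robots.txt", "index.php"]
ATTACK = [f'203.0.113.7 - - [10/Sep/2020:12:00:{i:02d} +0000] "GET /{w} HTTP/1.1" '
          f'{200 if w == "index.php" else 404} 196 "-" "gobuster/3.1.0"' for i, w in enumerate(WORDS)]
BENIGN = [f'198.51.100.2 - - [10/Sep/2020:12:00:{i:02d} +0000] "GET /{w} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
          for i, w in enumerate(["index.php", "about.html", "style.css"])]
```

Feed real lines with `detect_bruteforce(open("/var/log/apache2/access.log"))` and tune `window` and `min_requests` to the site's normal traffic before alerting on the result.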


Using Dirsearch

This is a tool you can get from GitHub. It provides much of the same functionality as Gobuster.

The following syntax will run the tool to enumerate php and html files. It will exclude responses with codes 400, 401, and 403.

python3 dirsearch.py -u http://url.tld -e php,html -x 400,401,403


Using WFuzz

Subdomain Enumeration. Check out the post I made on this topic over at https://infinitelogins.com/2020/09/02/bruteforcing-subdomains-wfuzz/

Valid User Enumeration. Check out the post I made on this topic over at https://infinitelogins.com/2020/09/07/bruteforcing-usernames-w-wfuzz/

Enumerating valid parameters in URLs. You can run the following command to try and brute-force valid parameter names.
wfuzz -u http://<address>/?FUZZ=index -w /usr/share/seclists/Discovery/Web-Content/common.txt


Enumeration Checklist

Once you feel you’ve enumerated everything, just check your work against this list to make sure you’re not missing anything.

  • Did you brute force directories?
    • Did your brute force search recursively?
    • Did your brute force include file extensions?
    • Is your brute force case-sensitive?

  • Did you enumerate the hostname of the box and update your /etc/hosts file to include it?
    • Did you enumerate subdomains?
    • Did you brute force directories when browsing to it via hostname?

  • Did you review every webpage on the box for clues?
    • Did you review the source code?
    • Are there usernames hidden anywhere?
    • Are there specific version details provided?

  • Did you check for vulnerable technologies?
    • If you’re able to enumerate version information, did you searchsploit and/or research for public exploits?
    • What about for PHP or ASP?
    • What about for WordPress or Drupal?
    • What about for Apache or IIS?
    • Can you use a specific tool like WPSCAN to enumerate further?

  • Did you find a login page?
    • Can you enumerate multiple users on it?
    • Can you brute-force it?
    • Can you perform an injection attack (SQL, XSS, etc.)?
  • If there is HTTPS on the page, did you check the certificate for details?
    • Does the cert contain specific email addresses?
    • Does the cert contain information about a hostname of the box?
    • Is the cert valid on other domain-names?

  • Are there other ports running HTTP or HTTPS that you need to repeat all of this on?

Enumerating SMB, RPC, and NetBIOS for Pentesting (Ports 445, 135-139)

This post contains various commands and methods for performing enumeration of the SMB, RPC, and NetBIOS services. This article will be expanded upon as time goes on.


Using NMAP

Scan for popular RCE exploits.
sudo nmap -p 139,445 --script smb-vuln* <ip-addr> -oA nmap/smb-vuln

Identify the SMB/OS version.
nmap -v -p 139,445 --script=smb-os-discovery.nse <ip-addr>

Enumerate users once you have valid credentials:
sudo nmap --script=smb-enum-users -p 445 10.130.40.70 --script-args smbuser=<user>,smbpass=<password>


Using NBTSCAN

To scan a subnet for list of hostnames:
nbtscan -v <targetRange>


Using SMBMAP

To list out the shares and associated permissions with Anonymous Access:
smbmap -H <ip-addr>

To list out shares recursively from hosts in a file and enumerate OS:

smbmap.py --host-file <targets.txt> -v -R -g

To list out the shares recursively:
smbmap -R <sharename> -H <ip-addr>

To list shares as an authenticated user:
smbmap -d <domain> -u <username> -p <password> -H <ip-addr>

To list the shares as a Guest user, just provide a username that doesn’t exist.
smbmap -u DoesNotExist -H <ip-addr>

To download a particular file.
smbmap -R <sharename> -H <ip-addr> -A <filename> -q


Using SMBCLIENT

To list out the shares:
smbclient -L \\\\<ip-addr>

To connect to shares:
sudo smbclient \\\\<ip-addr>\\<share>

Downloading files:
Once connected, you can download files. You’ll want to disable interactive prompts and turn recursive mode ON.

smb: /> prompt
smb: /> recurse

smb: /> mget *


Using RPCCLIENT

Testing for Null or Authenticated Sessions:
To test for null sessions, you can use the following command. If it connects, then you’ll be able to issue rpc client commands for further enumeration.
rpcclient -U "" -N [ip]

Have valid credentials? Use them to connect:
rpcclient -U <user> 10.10.10.193

Once connected, there are various queries you can run.

To enumerate printers:
enumprinters

To enumerate users and groups:
enumdomusers
enumdomgroups

The above commands will output user/group RIDs. You can pass those into further queries like:
querygroup <RID>
querygroupmem <RID>
queryuser <RID>


Using ENUM4LINUX

The following command will attempt to establish a null session with the target and then use RPC to extract useful information.
enum4linux -a [ip]

Example output is long, but some highlights to look for:

  • Listing of file shares and printers.
  • Domain/Workgroup information.
  • Password policy information.
  • RID cycling output to enumerate users and groups.

Using METASPLOIT

Bruteforcing credentials:
use auxiliary/scanner/smb/smb_login
set BLANK_PASSWORDS true
set PASS_FILE /usr/share/seclists/Passwords/Common-Credentials/best15.txt
set USER_FILE /usr/share/seclists/Usernames/top-usernames-shortlist.txt
set RHOSTS <ipAddr>


Mounting SMB Shares in Linux

The following command will mount the remote file-share to /mnt/smb/ (this directory must exist first) and prompt you for the password.
mount -t cifs -o username=<user> //<targetIP>/<shareName> /mnt/smb/

Another way to mount a share from Linux is as follows:
sudo mount.cifs //<targetIP>/share /mnt/share -o username=,password=


Using SMBCACLS

Viewing file permissions, owners, and ACLs of shares.
smbcacls -N '//<targetIP>/<shareName>' /<childDir>

To use this recursively, you can use a for loop in Bash (glob over the directory rather than parsing ls, and quote the names so entries with spaces survive).
cd <mountedShare>
for i in *; do echo "$i"; smbcacls -N '//<targetIP>/<shareName>' "/$i"; done


Enumeration from Windows Utilities

To get the Name Table:
nbtstat -A <targetIP>

To see a list of running shares:
net view <targetIP>

You can map a share to a drive letter, such as K:
net use K: \\<targetIP>\share

Testing for null session:
net use \\<targetIP>\IPC$ "" /u:""

Various Additional Tools:

  • WinFingerPrint
  • Nat10Bin
  • DumpSec

Gaining a Shell

Once you have valid credentials on the machine, or a valid NTLM hash, you can leverage the following guide to gain a shell.
https://infinitelogins.com/2020/09/05/popping-remote-shells-pth-winexe-on-windows/


Enumerating SMB Version

If your tools aren't working to enumerate the version, you can establish a connection via smbclient and then extract the Samba/SMB version from a packet capture. To automate the process, you can use the script available at https://github.com/rewardone/OSCPRepo/blob/master/scripts/recon_enum/smbver.sh


Troubleshooting Common Errors:

protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

This error occurs because your modern tools are not able to communicate with older, insecure protocols. You just need to tell your smbd daemon to allow the weaker, less secure protocols.

Note: If you are using smbd in real life for file and printer sharing, I don't recommend leaving your system like this.

Open the following file in your favorite text editor.

/etc/samba/smb.conf

Find the Global section, and add the following line.

client min protocol = LANMAN1

With that line added, restart your smbd service and you should now be able to connect.

service smbd restart
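If that tweak is left behind on a host that really serves files, the box now negotiates SMB1-era dialects. The script below is an added example, not part of the original cheatsheet, that audits an smb.conf for such protocol floors; the dialect ordering is an assumption based on the values Samba accepts, and the config text is constructed.

```python
"""Audit smb.conf for the weak protocol floors the troubleshooting step above enables.
Added example, not from the original cheatsheet; the config text below is constructed."""
import re

# Samba dialect names, weakest first (subset; assumption based on the values Samba accepts)
PROTO_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_02", "SMB3": "SMB3_00"}   # shorthand Samba also accepts
MINIMUM_OK = "SMB2_02"                               # anything below is an SMB1-era dialect

def parse_smb_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # Samba ignores only whole-line comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][key.strip().lower()] = val.strip()
    return sections

def protocol_rank(name):
    name = ALIASES.get(name.upper(), name.upper())
    return PROTO_ORDER.index(name) if name in PROTO_ORDER else None

def audit_protocols(text):
    """Return findings for [global] protocol floors below SMB2_02 (or unrecognised values)."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    for key in ("client min protocol", "server min protocol"):
        value = g.get(key)
        if value is None:
            continue   # unset: Samba's own default (SMB2_02 in current releases) applies
        rank = protocol_rank(value)
        if rank is None:
            findings.append(f"{key}: unrecognised value {value!r}")
        elif rank < protocol_rank(MINIMUM_OK):
            findings.append(f"{key} = {value}: permits SMB1-era dialects; raise to {MINIMUM_OK} or higher")
    return findings

# constructed configs: the troubleshooting tweak left in place, and a hardened [global]
WEAK_CONF = """[global]
   workgroup = WORKGROUP
   client min protocol = LANMAN1
"""
HARDENED_CONF = "[global]\n   client min protocol = SMB2_02\n   server min protocol = SMB3_00\n"
```

Run `audit_protocols(open("/etc/samba/smb.conf").read())` after the lab work is done to confirm the floor was put back.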