Enumeration

OS Version

ICMP

Linux default TTL 64
Windows default TTL 128
(the TTL seen in a reply is the default minus one per router hop, so 63 or 126 still point to Linux or Windows; a guess only, since the default can be changed)
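An added helper (not from the original notes) that turns the TTL rule above into code: it pulls the TTL out of Linux- or Windows-style ping output, picks the nearest default initial TTL, and reports the implied hop count. The 255 entry for network devices and the sample ping lines are assumptions/constructed input.

```python
import re

# Default initial TTLs from the notes; 255 (BSD, Solaris, many network
# appliances) is an added assumption so such hosts are not mislabelled.
DEFAULT_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Network device / BSD / Solaris"}

# Matches both Linux ("ttl=63") and Windows ("TTL=126") ping formats.
TTL_RE = re.compile(r"\bttl[=:]\s*(\d+)", re.IGNORECASE)


def guess_os_from_ttl(observed_ttl):
    """Return (os_guess, initial_ttl, hops) for a TTL seen in an ICMP reply.

    Each router hop decrements the TTL by one, so the sender's initial
    value is the smallest default that is >= the observed value.
    """
    for initial in sorted(DEFAULT_TTLS):
        if observed_ttl <= initial:
            return DEFAULT_TTLS[initial], initial, initial - observed_ttl
    return "unknown", None, None


def parse_ping_ttls(text):
    """Extract every TTL value from a blob of ping output."""
    return [int(m.group(1)) for m in TTL_RE.finditer(text)]


def classify_host(ping_text):
    """Summarise one host's ping output as a dict, or None if no TTL found."""
    ttls = parse_ping_ttls(ping_text)
    if not ttls:
        return None
    os_guess, initial, hops = guess_os_from_ttl(ttls[0])
    return {"observed_ttl": ttls[0], "initial_ttl": initial,
            "hops": hops, "os": os_guess}


# Constructed sample output, one line from each ping flavour.
LINUX_PING = "64 bytes from 10.0.0.5: icmp_seq=1 ttl=63 time=0.43 ms"
WINDOWS_PING = "Reply from 10.0.0.9: bytes=32 time=1ms TTL=126"

if __name__ == "__main__":
    for sample in (LINUX_PING, WINDOWS_PING):
        print(classify_host(sample))
```

Treat the result as a hint to confirm with a banner or nmap -O, not as proof of the OS.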

Ubuntu

google "launchpad" together with the version string from the service banner to map a package version to its Ubuntu release

Google Hacking

Refine web searches - Google Search Help

site: - include only results from the specified domain
-site: - exclude the specified domain
filetype: - restrict results to a file extension (pdf, xls, php, ...)
intitle: - search text in the page title
inurl: - search text in the URL
intext: - search text in the page body

the number of results hints at the scope and scale of the company's web presence

examples

  • "VNC viewer for Java" - title of the VNC server web UI
  • "inurl:.php? intext:CHARACTER_SETS,COLLATIONS intitle:phpMyAdmin" - unprotected phpMyAdmin pages
  • 'intitle:"-N3t" filetype:php undetectable' - a PHP backdoor

GHDB - Google Hacking Database (collection of Google Dorks)

Email Harvesting

  • theHarvester
    • -d domain.com - domain to search
    • -b <source> - data source (google and others)

DNS Enumeration

  • Forward resolution
    • host hostname - resolves hostname to IP address
    • host -t ns megacorp.com - name servers for domain
    • host -t mx megacorp.com - mail servers for domain
  • reverse resolution - host $ipaddress - returns PTR records
  • zone transfer - host -l $domainname $nameserver (should be refused by a correctly configured name server)

other DNS tools

  • dnsenum
  • dnsrecon

Port Scanning

  • TCP connect scanning
  • TCP SYN scan (stealth scan)
  • UDP scan
    • Closed ports return ICMP port unreachable
    • Open ports return nothing (unless the service answers the probe)
    • Unreliable because firewall filtering also returns nothing, so open and filtered look the same

nmap

ZeroSec - Adventures In Information Security
https://nmap.org/book/scan-methods-ftp-bounce-scan.html

NSE scripts located in /usr/share/nmap/scripts/

--top-ports N - scan only the N most common ports
--script-args=unsafe=1 - allow scripts that are flagged as intrusive or potentially disruptive

useful scripts

  • snmp-brute
  • rpcinfo
  • ftp-anon
  • http-title
  • http-headers
  • http-enum

SNMP

onesixtyone - checks which community strings are accepted
snmp-check - SNMP enumerator
nmap -sU -p 161 --open - find hosts with SNMP listening

nmap script "snmp-brute.nse"

Windows SNMP OIDs

1.3.6.1.4.1.77.1.2.25 - Windows Users
1.3.6.1.2.1.25.4.2.1.2 - Running processes
1.3.6.1.2.1.6.13.1.3 - Open TCP Ports
1.3.6.1.2.1.25.6.3.1.2 - Installed Software

NFS

GitHub - bonsaiviking/NfSpy: ID-spoofing NFS client

  • List exported NFS shares - showmount -e 1.1.1.1 (showmount -a lists current client mounts)
  • List all registered RPC services - rpcinfo -p 1.1.1.1

OpenVAS

  • Vulnerability scanner
  • web UI on port 9392

http://0daysecurity.com/penetration-testing/enumeration.html

https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/