This page looks best with JavaScript enabled

Enumeration

 ·  ☕ 2 min read  ·  ✍️ Ben Mason

OS Version

ICMP

Linux TTL 64
Windows TTL 128

Ubuntu

google “launchpad” + Service Banner info

Google Hacking

Refine web searches – Google Search Help

site: – include only form specified domain
-site: – exclude specific domain
filetype:
intitle: – search text in title
inurl:
intext:

size of results hints at scope and scale of company website

examples

  • “VNC viewer for Java” – title for VNC server web UI
  • “inurl:.php? intext:CHARACTER_SETS,COLLEATIONS intitle:myphpadmin” – unprotected myphpadmin pages
  • ‘intitle:”-N3t” filetype:php undetectable’ – an php back door

GHDB – Google hacking Database

Google Hacking Database, GHDB, Google Dorks

Email Harvesting

  • theharvester
  • -d domain.com – domain to be searched
  • -b data source – google and others

DNS Enumeration

  • Forward resolution
    • host – resolves hostname to ip address
    • host -t ns megacorp.com – name servers for domain
    • host -t mx negacorp.com – mail servers for domain
  • reverse resolution – host $ipaddress – return PTR records
  • zone transfer – host -l $domainname $nameserver

other DNS tools

  • DNSenum
  • dnsrecon

Port Scanning

  • TCP connect scanning
  • TCP SYN Scan (stealth scan)
  • UDP Scan
    • Closed ports return ICMP unreachable
    • Open Port return nothing
    • Unreliable use to firewall filters

nmap

ZeroSec – Adventures In Information Security
https://nmap.org/book/scan-methods-ftp-bounce-scan.html

NSE scripts located in /usr/share/nmap/scripts/

--top-ports=#
--script-args=unsafe=1

useful scripts

  • snmp-brute
  • rpcinfo
  • ftp-anon
  • http-title
  • http-headers
  • http-enum

SNMP

onesixtyone – checks if communities work
snmp-check – SNMP enumerator
nmap -sU -p 161 --open

nmap script “snmp-brute.nse”

Windows SNMP OIDs

1.3.6.1.4.1.77.1.2.25 - Windows Users
1.3.6.1.2.1.25.4.2.1.2 - Running processes
1.3.6.1.2.1.6.13.1.3 - Open TCP Ports
1.3.6.1.2.1.25.6.3.1.2 - Installed Software

NFS

GitHub – bonsaiviking/NfSpy: ID-spoofing NFS client

  • List all NFS shares – showmount -a 1.1.1.1
  • lists all the registered RPC services – rpcinfo 1.1.1.1

Openvas

  • Vulnerability scanner
  • web port 9392

http://0daysecurity.com/penetration-testing/enumeration.html

https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/

Share on
Ben Mason
WRITTEN BY
Ben Mason
Computer Security – Reverse Engineering – Malware – Electronics Hobbyist – Sometimes Photographer – Spaceflight – Cat Enthusiast

See Also