Network Services

Enumeration

Service version detection and default nmap scripts

nmap -p <ports> -sCV <target>
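Chaining the two scans is the usual workflow: a full-range discovery scan saved with -oN, then -sCV against only the ports it found open. The script below is an added example (my own, not part of the original notes) that parses the saved output into the comma-separated list -p expects and builds the follow-up command; the file-name prefixes allports_ and versions_ are my choice, the nmap flags are real.

```shell
#!/bin/sh
# Added example: feed the open ports of a discovery scan into the -sCV scan.
# Assumes the discovery scan was saved with -oN (nmap "normal" output), whose
# port lines look like "22/tcp   open  ssh   OpenSSH 7.6p1".

# Print the open ports from an -oN file as "21,22,80" (the format -p expects).
# Ports reported as "filtered" or "open|filtered" are deliberately left out.
open_ports_from_nmap() {
    # $1: path to the -oN file
    grep -E '^[0-9]+/(tcp|udp) +open ' "$1" \
        | cut -d/ -f1 \
        | sort -n -u \
        | paste -sd, -
}

# Build the follow-up command as a string so it can be logged or reviewed
# before it runs. Fails when the discovery scan found nothing open.
build_scv_command() {
    # $1: target, $2: path to the -oN file of the discovery scan
    ports=$(open_ports_from_nmap "$2")
    [ -n "$ports" ] || { echo "no open ports in $2" >&2; return 1; }
    printf 'nmap -p%s -sCV -oN versions_%s %s\n' "$ports" "$1" "$1"
}

# Run the version/script scan built above (network required).
scv_scan() {
    # $1: target, $2: path to the -oN file of the discovery scan
    cmd=$(build_scv_command "$1" "$2") || return 1
    echo "[*] $cmd" >&2
    $cmd
}

# Typical usage (network required):
#   nmap -p- --min-rate 1000 -oN allports_"$TARGET" "$TARGET"
#   scv_scan "$TARGET" allports_"$TARGET"
```

--min-rate trades accuracy for speed on the discovery scan; drop it on fragile targets.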

Services

FTP

Anonymous Login

ftp <target>
>Name: anonymous
>Password: <anything>

Brute Force

hydra -L usernames.txt -P passwords.txt <target> ftp

SSH

Any version of OpenSSH up to and including 7.7 is vulnerable to username enumeration (CVE-2018-15473) unless the distribution has backported the fix (upstream fixed it in 7.8), so the banner version alone is only a hint. To exploit this vulnerability, we can use the following script:

Brute Force

hydra -L usernames.txt -P passwords.txt <target> ssh
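Before running a username-enumeration script against every SSH host, it helps to triage by banner. The helper below is an added example (mine, not the script the notes refer to and not from the original page) that applies the correct boundary for CVE-2018-15473, OpenSSH up to and including 7.7. The banner read with nc assumes a netcat that accepts -w; nmap -sV shows the same version but without the raw OpenSSH_ prefix this parser expects.

```shell
#!/bin/sh
# Added example: triage an OpenSSH host for the CVE-2018-15473 username
# enumeration check from its banner. Affected: OpenSSH up to and including
# 7.7 (fixed upstream in 7.8). Caveat: Debian, Ubuntu and RHEL backport the
# fix without changing the version string, so a match means "worth testing",
# never "confirmed vulnerable".

# Read the identification string; the server sends it before any client data.
# Assumes a netcat with -w (connect/idle timeout). Network required.
ssh_banner() {
    # $1: target, $2: port (default 22)
    echo | nc -w 3 "$1" "${2:-22}" | head -n1
}

# Extract "major.minor" from e.g. "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3".
# Prints nothing and returns 1 when the banner is not OpenSSH.
openssh_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | grep .
}

# Return 0 when the banner version is <= 7.7, 1 otherwise (or if not OpenSSH).
openssh_enum_candidate() {
    v=$(openssh_version "$1") || return 1
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -le 7 ]; }
}

# Usage (network): only run the enumeration script where it makes sense.
#   banner=$(ssh_banner "$TARGET")
#   if openssh_enum_candidate "$banner"; then
#       echo "[*] $banner -> candidate for CVE-2018-15473 user enumeration"
#   fi
```

Even on a candidate host, confirm with a known-good and a known-bad username first: the enumeration relies on a timing/disconnect difference, and a backported fix removes it.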

HTTP/HTTPS

Enumerate basic files and directories with nmap scripts

nmap -p80,443 --script http-enum -oN webScan <target>

Web Technologies

whatweb <target>

I also recommend using the Wappalyzer browser extension.

File and Directory Enumeration

  • Gobuster

gobuster dir -u http://<target>/ -w <wordlist>

Useful parameters:

-t, --threads Concurrent threads

--exclude-length Exclude content length

-s, --status-codes White list status codes

-b, --status-codes-blacklist Black list status codes

-r, --follow-redirect Follow redirects

--proxy Use Proxy <http(s)://host:port>

-k, --no-tls-validation Skip TLS verification

--timeout HTTP Timeout

  • Wfuzz

wfuzz -w <wordlist> http://<target>/FUZZ

Useful parameters:

-t <threads> Concurrent threads

-L, --follow Follow redirects

-p Use Proxy <host:port:type>

--hc/hl/hw/hh Hide code/lines/words/chars

--sc/sl/sw/sh Show code/lines/words/chars

Subdomain Enumeration

  • Gobuster

gobuster vhost -u http://<target>/ -w <wordlist>

  • Wfuzz

wfuzz -H 'Host: FUZZ.<target>' -w <wordlist> http://<target>/

Every candidate name gets a response from the default virtual host, so first request a name that cannot exist, note the size of that response, and hide it (wfuzz --hh <chars> or --hw <words>); whatever is left over is a real vhost. Add the hits to /etc/hosts before browsing them.

Exploitation

Once the web is enumerated, you may want to exploit some web vulnerabilities. See the Web Vulnerabilities page.

SMB

System enumeration with enum4linux

enum4linux -a [-u '<username>' -p '<password>'] <target>

Shares Enumeration

If you use the Windows UNC form instead of forward slashes, escape the backslashes in the shell: \\\\<target>\\<share>

# null session
smbclient -N -L //<target>
# authenticated
smbclient -U 'username[%password]' -L //<target>
# connect to a share
smbclient [-U 'username[%password]'] //<target>/<share>
# null session
smbmap -H <target>
# authenticated
smbmap -u "username" -p "password" -H <target>
# recursive/non-recursive listing
smbmap [-u "username" -p "password"] -R/-r <share> -H <target>
# null session
crackmapexec smb <IP> -u '' -p '' --shares
# authenticated
crackmapexec smb <IP> -u 'username' -p 'password' --shares
nmap -p 139,445 --script "smb-enum-shares" <target>

RPC

Automated Enumeration

rpcdump.py <target>

Manual Enumeration

# null session
rpcclient -U "" -N <target>
# authenticated
rpcclient -U 'username%passwd' -N <target>
# commands https://www.hackingarticles.in/active-directory-enumeration-rpcclient/
# run a single command non-interactively (use -U "" for a null session)
rpcclient -U 'username%passwd' -N <target> -c '<command>'
