NetBIOS (Network Basic Input/Output System) is a legacy session-layer API that Windows historically used for name resolution and file and printer sharing, carried today as NetBIOS over TCP/IP (NBT). It uses UDP port 137 (name service), UDP port 138 (datagram service) and TCP port 139 (session service, which also carries SMB over NetBIOS).
Useful commands:
Display the NetBIOS name table and MAC address of a remote computer (-A takes an IP address, -a a NetBIOS name):
nbtstat -A <IP>
Display the current connections to shared resources (local device name, remote share path and connection status):
net use
Join a file share (map it to a drive letter):
net use [driveletter:] \\ComputerName\ShareName /PERSISTENT:<YES/NO>
Example:
net use W: \\MainServer\GroupShare /Persistent:No
Display a list of computers in the current domain or workgroup:
net view
List the file/printer shares on a remote computer:
net view \\<Hostname/IP>
List the shares on a remote computer including hidden (administrative, $-suffixed) shares:
net view \\<Hostname/IP> /all
List the domains and workgroups visible on the network (add /domain:<DomainName> to list the computers in one domain):
net view /domain
Display the local shares with share name, full path to the shared resource and any comment/remark; give a share name to see the details of that one share:
net share [<sharename>]
NetBIOS Enumerator is a Windows GUI tool that enumerates NetBIOS names, logged-on usernames, domain names and MAC addresses for a given range of IP addresses, using NetBIOS name queries and SMB (Server Message Block).
Nmap also ships an NSE script for NetBIOS enumeration (nbstat.nse), which returns the name table, logged-on user and MAC address:
nmap -sU -p 137 --script nbstat.nse <IP>
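The following is an added example (not from the original page or from Nmap) of what nbtstat -A and nbstat.nse do on the wire: it builds the NBNS node status request for the wildcard name "*" and parses the name table and MAC address out of the reply. build_node_status_response fabricates a reply in the shape a Windows host sends so the parser can be exercised without a target; the names and MAC address in it are constructed, and query_node_status is the live version.

```python
"""NetBIOS Name Service node status query (RFC 1001/1002), the request that
nbtstat -A, nbtscan and Nmap's nbstat.nse send to UDP/137. Added example."""
import socket
import struct

NBNS_PORT = 137
QTYPE_NBSTAT = 0x0021      # node status request/response
QCLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: a 16-byte name (15 chars + suffix byte)
    becomes 32 ASCII letters, each nibble mapped to 'A'..'P', as one label."""
    pad = b"\x00" if name == "*" else b" "          # the wildcard is NUL padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    encoded = bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))
    return bytes([len(encoded)]) + encoded + b"\x00"  # label + root label


def build_nbstat_query(txid: int) -> bytes:
    """Node status request for '*': header with QDCOUNT=1, one NBSTAT question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name("*") + struct.pack(">HH", QTYPE_NBSTAT, QCLASS_IN)


def parse_node_status_response(data: bytes) -> dict:
    """Return {'txid', 'names': [(name, suffix, 'UNIQUE'|'GROUP'), ...], 'mac'}."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer")
    pos = 12
    for _ in range(qdcount):                        # skip any echoed question
        pos = data.index(b"\x00", pos) + 1 + 4
    pos = data.index(b"\x00", pos) + 1              # skip the answer's owner name
    rtype, _, _, rdlen = struct.unpack_from(">HHIH", data, pos)
    pos += 10
    if rtype != QTYPE_NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#x}")
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        raw_name, suffix, nflags = struct.unpack_from(">15sBH", data, pos)
        pos += 18
        kind = "GROUP" if nflags & 0x8000 else "UNIQUE"   # G bit of NAME_FLAGS
        names.append((raw_name.rstrip(b" \x00").decode("ascii", "replace"), suffix, kind))
    mac = ":".join(f"{b:02x}" for b in data[pos:pos + 6])  # STATISTICS.UNIT_ID
    return {"txid": txid, "names": names, "mac": mac}


def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """Constructed reply in the shape a Windows host sends back, used so the
    parser can be exercised without a live target."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # QR + AA set
    rdata = bytes([len(names)])
    for name, suffix, kind in names:
        nflags = (0x8000 if kind == "GROUP" else 0) | 0x0400      # ACT: name is active
        rdata += name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
        rdata += struct.pack(">H", nflags)
    rdata += mac + bytes(40)                                      # UNIT_ID + zeroed statistics
    rr = encode_netbios_name("*") + struct.pack(">HHIH", QTYPE_NBSTAT, QCLASS_IN, 0, len(rdata))
    return header + rr + rdata


def query_node_status(ip: str, timeout: float = 2.0) -> dict:
    """Live query: send the wildcard request to <ip>:137 and parse the reply."""
    txid = 0x1337
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_nbstat_query(txid), (ip, NBNS_PORT))
        data, _ = sock.recvfrom(1024)
    result = parse_node_status_response(data)
    if result["txid"] != txid:
        raise ValueError("transaction id mismatch, reply is not for our query")
    return result
```

The suffix byte is what nbtstat prints as the <00>/<20> column: 0x00 is the workstation service, 0x20 the file server service, and a GROUP entry with suffix 0x00 is the workgroup or domain name. The whole exchange is a single unauthenticated UDP datagram, which is why it also works as a quick liveness and OS-hint probe.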
SNMP (Simple Network Management Protocol) is an application-layer protocol carried over UDP that is used to monitor and manage routers, switches, printers and servers on an IP network. SNMP agents run on network devices and on hosts in both Windows and UNIX environments.
SNMPv1 and SNMPv2c provide no encryption: the community string (effectively a password, frequently left at the defaults "public" for read access and "private" for read/write) and every value queried travel in clear text, so anyone who can sniff the segment can read them.
Ports:
SNMPv1, SNMPv2c and SNMPv3 agents all listen on UDP port 161.
UDP port 162 is used for traps, the notifications an agent sends to the manager. SNMPv3 adds user-based authentication and optional encryption (authPriv) but still uses port 161.
snmp-check is a tool that enumerates SNMP devices and prints the result in a human-readable form. By default it uses "public" as the community string. In SNMP, a community string is a text password that controls access to an SNMP-enabled device; it is the only form of authentication and authorization that SNMPv1 and v2c have.
Default installed on Kali.
snmp-check <IP>
snmpwalk issues successive GETNEXT (or, with v2c, GETBULK) requests starting at a given OID and so retrieves the whole MIB subtree beneath it. Started at the root of the tree it dumps everything the community string is allowed to read: system description, interfaces and addresses, routing and ARP tables, running processes and installed software, and on Windows hosts the local user accounts.
Default installed on Kali.
snmpwalk -v1 -c public [target IP]
Note: -v specifies the SNMP version (1, 2c or 3) and -c sets the community string.
Nmap also has a default SNMP enumeration script (snmp-sysdescr, which queries sysDescr with the "public" community):
nmap -sU -p 161 --script=snmp-sysdescr <IP>
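Added example, not code from the page, snmp-check or snmpwalk: an SNMPv1 GET for sysDescr encoded by hand in BER. Parsing the request we just built shows the community string sitting in a plain OCTET STRING next to the version number, which is all the protection v1/v2c offer; snmp_get sends the same packet to a live agent. The GetResponse used for the offline check is constructed, not a capture.

```python
"""SNMPv1 GetRequest/GetResponse in BER (RFC 1157), stdlib only. Added example
that makes the 'clear text' point concrete: community and data are unprotected."""
import socket
import struct

SNMP_PORT = 161
SYS_DESCR = "1.3.6.1.2.1.1.1.0"      # sysDescr.0, what snmp-sysdescr asks for
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse"}


def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """Dotted OID -> BER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_snmp_message(pdu_tag: int, community: str, request_id: int, oid: str, value: bytes) -> bytes:
    """SEQUENCE { version 0 (= v1), community OCTET STRING, PDU { id, err, idx, varbinds } }."""
    varbind = tlv(0x30, ber_oid(oid) + value)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("latin-1")) + pdu)


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    return build_snmp_message(0xA0, community, request_id, oid, b"\x05\x00")   # NULL value


def build_get_response(community: str, oid: str, request_id: int, text: str) -> bytes:
    """Constructed agent reply (not a real capture) so the parser can run offline."""
    return build_snmp_message(0xA2, community, request_id, oid, tlv(0x04, text.encode("latin-1")))


def read_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_snmp_message(packet: bytes) -> dict:
    """Version, community, PDU type, request-id, error-status and first varbind
    of a v1/v2c message; works on a sniffed request as well as on a response."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, pos = read_tlv(pdu)
    _, err, pos = read_tlv(pdu, pos)
    _, _idx, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    _, vb, _ = read_tlv(varbinds)
    _, oid, pos = read_tlv(vb)
    vtag, val, _ = read_tlv(vb, pos)
    if vtag == 0x04:
        value = val.decode("latin-1")
    elif vtag == 0x02:
        value = int.from_bytes(val, "big", signed=True)
    else:
        value = None if vtag == 0x05 else val.hex()
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": as_int(ver), "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "request_id": as_int(req_id),
            "error_status": as_int(err), "oid": decode_oid(oid), "value": value}


def snmp_get(ip: str, community: str = "public", oid: str = SYS_DESCR, timeout: float = 2.0) -> dict:
    """Live GET against an agent on UDP/161 using the snmp-check/snmpwalk default community."""
    request_id = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid, request_id), (ip, SNMP_PORT))
        data, _ = sock.recvfrom(65535)
    reply = parse_snmp_message(data)
    if reply["request_id"] != request_id:
        raise ValueError("request-id mismatch")
    return reply
```

A walk is the same packet with tag 0xA1 (GetNextRequest) repeated with the OID from each reply, which is exactly what snmpwalk -v1 -c public does. The same parser run over a pcap of port 161 traffic recovers every community string in use on the segment.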
LDAP (Lightweight Directory Access Protocol) is an internet protocol for querying and modifying distributed directory services over a network. In Active Directory, clients locate LDAP servers (the domain controllers) through DNS SRV records. To start an LDAP session a client connects to a Directory System Agent (DSA), normally on TCP port 389 (636 for LDAP over TLS), and sends an operation request to which the DSA replies. Messages between client and server are encoded with the Basic Encoding Rules (BER). If the server permits anonymous binds, unauthenticated queries can expose sensitive data such as usernames, addresses, departmental information and server names.
AD Explorer is a graphical (GUI) Active Directory viewer and editor from Microsoft's Sysinternals suite for Windows. It respects the access control permissions set in Active Directory, so a user sees and changes only what their account is allowed to.
We can also use Nmap's ldap-brute NSE script to enumerate valid usernames.
Note that ldap-brute works by attempting logins against the directory, which is noisy and can lock out accounts where a lockout policy is in force.
Example for enumeration on the domain test.com
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=TEST,dc=com"' [Target IP Address]
cn=users: "cn" is the common name attribute. CN=Users is the default container in Active Directory that holds user and group objects (it is a container, not an organizational unit).
dc=TEST: "dc" is a domain component. Each DNS label of the domain name becomes one DC component, so TEST is the first label of the domain.
dc=com: the second domain component, the top-level domain. Together DC=TEST,DC=com is the base DN of the domain test.com.
We can use ldapsearch to perform LDAP enumeration on the target system.
First, we need to identify the naming context.
ldapsearch -h <Target IP> -x -s base namingcontexts
Note: -x selects simple authentication (here an anonymous bind, since no -D/-w is given), -h specifies the host (newer OpenLDAP clients drop -h in favour of -H ldap://<Target IP>), and -s specifies the scope (base = only the root DSE is read).
Say we found DC=TEST, DC=com then to obtain more information about the primary domain we progress as such:
ldapsearch -h [Target IP Address] -x -b "DC=TEST,DC=com"
Note: -b: specifies the base DN for search.
Then to retrieve information related to all the objects in the directory tree.
ldapsearch -x -h [Target IP Address] -b "DC=TEST,DC=com" "objectclass=*"
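An added example (not from the original page) that automates the DN handling described above: it splits a DN into its RDNs honouring RFC 4514 escaping, derives the DNS domain from the DC components (the reverse of the naming-context step) and builds the base DN for ldapsearch -b from a domain name. Going one step beyond the text, it also escapes a user-supplied value per RFC 4515 before placing it in a search filter, so that a value like admin*)(objectClass=* cannot widen the query. The sample DNs are constructed.

```python
"""DN handling for the LDAP enumeration steps above: split a DN into RDNs
(RFC 4514 escaping), derive the DNS domain from its DC components, and build
an RFC 4515 search filter with the value escaped. Added example."""
from typing import List, Tuple

DN_SPECIALS = ",=+<>#;\"\\ "
HEX_DIGITS = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'CN=Users,DC=TEST,DC=com' -> [('CN', 'Users'), ('DC', 'TEST'), ('DC', 'com')].
    Backslash escapes (\\, or the hex form \\2c) are decoded, not split on."""
    rdns, buf, attr, in_value, i = [], [], "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 < len(dn) and dn[i + 1] in DN_SPECIALS:
                buf.append(dn[i + 1])
                i += 2
                continue
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) != 2 or not all(c in HEX_DIGITS for c in hexpair):
                raise ValueError(f"bad escape sequence at offset {i}")
            buf.append(chr(int(hexpair, 16)))
            i += 3
            continue
        if ch == "=" and not in_value:
            attr, buf, in_value = "".join(buf).strip(), [], True
        elif ch == "," and in_value:
            rdns.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value:
        raise ValueError("DN does not end with an attribute=value pair")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def domain_from_dn(dn: str) -> str:
    """'CN=Users,DC=TEST,DC=com' -> 'test.com' (DC components, in order)."""
    labels = [value for attr, value in parse_dn(dn) if attr.upper() == "DC"]
    if not labels:
        raise ValueError("DN has no DC components")
    return ".".join(labels).lower()


def base_dn_from_domain(domain: str) -> str:
    """'test.com' -> 'DC=test,DC=com', the base DN to hand to ldapsearch -b."""
    labels = [lbl for lbl in domain.strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lbl}" for lbl in labels)


def escape_filter_value(value: str) -> str:
    """RFC 4515: escape * ( ) \\ and NUL as \\XX so input cannot alter the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_filter(attr: str, value: str) -> str:
    """'(attr=value)' with the value escaped, e.g. to look up one account after
    the '(objectclass=*)' dump above."""
    return f"({attr}={escape_filter_value(value)})"
```

The same escaping matters in any script that feeds enumeration results (usernames pulled from SMTP, SMB or a web page) back into LDAP queries: an unescaped asterisk turns an exact-match filter into a wildcard.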
NFS (Network File System) is a distributed file system protocol, originating on UNIX and common on Linux, that lets clients access, view, store and update files on a remote server as if they were local. The NFS service itself listens on TCP (and UDP) port 2049; NFSv2 and v3 additionally rely on the portmapper (rpcbind, port 111) and the mountd service, which is what the RPC enumeration below talks to.
Tool to communicate with RPC services and check misconfigurations on NFS shares
This tool currently has the following features:
Listing RPC services using portmap
Listing mountpoints on hosts using mount service
Perform recursive listing on NFS share
List a directory accessible via NFS
Download a file accessible via NFS
Usage
If the 'insecure' option is not set in the NFS server's export configuration, the script must be run as root: when a client connects with uid=0, the server checks that the incoming request comes from a privileged source port (below 1024), which only root can bind.
Listing RPC services
Listing mountpoints
Recursive listing of NFS shares
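As an added example (not part of the page or of the tool described above), the following audits /etc/exports lines for the settings that make an NFS share interesting to an attacker: a wildcard client, rw to the world, insecure (the option referred to above, which drops the privileged-source-port check) and no_root_squash, and flags exports that rely on AUTH_SYS rather than Kerberos. The exports text is a constructed sample, not taken from a real host.

```python
"""Audit /etc/exports for the settings NFS enumeration looks for. Added example;
SAMPLE_EXPORTS is constructed, not copied from a real host."""
import re
from typing import Dict, List, Tuple

SAMPLE_EXPORTS = """\
# constructed sample exports file
/srv/public      *(ro,sync)
/home            192.168.1.0/24(rw,sync,no_root_squash)
/backup          *(rw,insecure,no_root_squash,no_subtree_check)
/srv/internal    10.0.0.5(rw,sync,root_squash) 10.0.0.6(ro)
/data            nfsclient.example.com(rw,sec=krb5p)
"""

SPEC_RE = re.compile(r"([^()]*)(?:\((.*)\))?")     # client[(opt,opt,...)]


def parse_exports(text: str) -> List[Dict]:
    """One entry per (path, client spec); a bare '(opts)' means every client."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            if not m:
                raise ValueError(f"cannot parse client spec {spec!r}")
            options = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            entries.append({"path": path, "client": m.group(1) or "*", "options": options})
    return entries


def audit_export(entry: Dict) -> List[str]:
    """Findings for one export."""
    opts = set(entry["options"])
    world = entry["client"] in ("*", "0.0.0.0/0")
    findings = []
    if world and "rw" in opts:
        findings.append("world-writable")
    if world:
        findings.append("exported to any client")
    if "insecure" in opts:
        findings.append("insecure: source ports above 1023 accepted, so an unprivileged "
                        "user on a client can speak to the server claiming uid 0")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: remote root keeps uid 0 on the share")
    if not any(o.startswith("sec=krb5") for o in opts):
        findings.append("AUTH_SYS only: uid/gid are asserted by the client, not authenticated")
    return findings


def audit_exports(text: str) -> Dict[Tuple[str, str], List[str]]:
    """Map (path, client) -> findings for every export in the file."""
    return {(e["path"], e["client"]): audit_export(e) for e in parse_exports(text)}
```

From the attacker's side the same findings show up in showmount -e output as "*" in the client column; the option flags are only visible from the server, which is why a world-readable export is worth mounting and inspecting even when it is read-only.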
DNS enumeration can yield information such as DNS server names, hostnames, machine names, usernames, IP addresses, and aliases assigned within a target domain.
To identify the DNS name server (ns) of a domain:
dig ns <Target Domain>
DNS zone transfer (AXFR) is the mechanism by which a secondary DNS server copies the complete zone file from the primary. The secondary holds a mirror of all records in the zone so that it can answer if the primary fails.
Whether a transfer succeeds is decided by the server being asked: if it allows transfers to arbitrary clients, a dig or nslookup request receives the entire zone (every hostname and address in it); if transfers are restricted, the server answers with a failure such as "Transfer failed." or REFUSED.
Most servers restrict zone transfers today, so expect this to fail more often than not.
Test EVERY authoritative name server for the domain, not just the first one returned; a misconfiguration is often present on a single secondary.
Using dig:
dig @<NameServer> <Target Domain> axfr
Can also be done with nslookup using interactive mode.
DNSSEC zone walking exploits a side effect of DNSSEC's authenticated denial of existence: each NSEC record names the next owner name in the zone, so by following that chain an attacker can enumerate every name in a signed zone without a zone transfer, which helps to build a map of the network. It works against zones signed with NSEC; NSEC3 (hashed owner names) makes walking harder, although the hashes can still be attacked offline with a wordlist.
Several tools automate NSEC walking against a target domain.
Dnsrecon (currently quite unstable on Kali)
dnsrecon -d <Target domain> -z
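An added example, not from the original page or from dnsrecon, showing the mechanism zone walking relies on. NSEC records, constructed here for test.com with made-up names, form a chain in DNSSEC canonical order; following the "next owner" pointers from the apex enumerates the zone, and even a single NXDOMAIN answer leaks two real names because the covering NSEC names both neighbours.

```python
"""NSEC zone walking: each NSEC record names the next owner in canonical order,
so the chain from the apex enumerates a signed zone. Added example; the records
below are constructed for test.com, not real data."""
from typing import Dict, List, Optional, Tuple

NsecMap = Dict[str, Tuple[str, List[str]]]          # owner -> (next owner, type bitmap)

SAMPLE_NSEC: NsecMap = {
    "test.com.":            ("_ldap._tcp.test.com.", ["A", "NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"]),
    "_ldap._tcp.test.com.": ("dc01.test.com.",       ["SRV", "RRSIG", "NSEC"]),
    "dc01.test.com.":       ("intranet.test.com.",   ["A", "RRSIG", "NSEC"]),
    "intranet.test.com.":   ("ns1.test.com.",        ["A", "RRSIG", "NSEC"]),
    "ns1.test.com.":        ("vpn.test.com.",        ["A", "AAAA", "RRSIG", "NSEC"]),
    "vpn.test.com.":        ("test.com.",            ["A", "RRSIG", "NSEC"]),   # wraps to apex
}


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 section 6.1 canonical order: labels compared from the root
    downward, case-insensitively, so the apex sorts first and 'dc01' before
    'intranet'."""
    labels = [lbl.lower().encode() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def walk_zone(apex: str, nsec: NsecMap, limit: int = 100000) -> List[str]:
    """Follow next-owner pointers from the apex until the chain wraps back,
    checking that every hop moves forward in canonical order."""
    names, current = [], apex
    for _ in range(limit):
        if current not in nsec:
            raise ValueError(f"chain broken at {current}: no NSEC record")
        names.append(current)
        nxt = nsec[current][0]
        if nxt == apex:
            return names
        if canonical_key(nxt) <= canonical_key(current):
            raise ValueError(f"{current} -> {nxt} is not in canonical order")
        current = nxt
    raise ValueError("chain did not close; loop or zone larger than limit")


def covering_nsec(qname: str, nsec: NsecMap) -> Optional[Tuple[str, str]]:
    """The NSEC a server returns to prove qname does not exist:
    owner <= qname < next (the last record wraps around to the apex).
    One NXDOMAIN therefore hands the querier two real names. Returns None
    when the name exists, because no denial would be sent."""
    q = canonical_key(qname)
    if any(canonical_key(owner) == q for owner in nsec):
        return None
    for owner, (nxt, _types) in nsec.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        if (o <= q < n) or (n <= o and q >= o):
            return owner, nxt
    return None
```

In a live walk each step is one query for the current name with type NSEC (dig +dnssec <name> NSEC), and the type bitmap tells you what exists at each name, so _ldap._tcp.test.com. carrying SRV immediately identifies an Active Directory zone.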
Nmap has several scripts that can assist with DNS enumeration.
Discover services advertised through DNS Service Discovery on the local network, with their ports. This is a broadcast script: it queries multicast DNS on the local link rather than the target domain, so it only finds hosts on the same network segment as the scanner.
nmap --script=broadcast-dns-service-discovery <Target Domain>
Brute-force common subdomain names of the target domain (dns-brute uses a built-in wordlist, or one given with dns-brute.hostlist) and display those that resolve, with their IP addresses:
nmap -T4 -p 53 --script dns-brute <Target Domain>
Display various common service (SRV) records for a given domain name. DNS SRV records are a type of DNS resource record used to specify information about the location and configuration of services within a network.
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='<Target Domain>'"
SMTP (Simple Mail Transfer Protocol) is the internet standard protocol for transmitting electronic mail between servers. In email systems it is paired with POP3 and IMAP, which let users store messages in a server mailbox and retrieve them. To route mail, SMTP relies on Mail Exchange (MX) records looked up through DNS. SMTP operates over TCP on port 25 (server-to-server relay) and 587 (authenticated submission); 465 carries SMTP over implicit TLS and 2525 is an unofficial alternative some providers use.
Nmap has several scripts for SMTP enumeration.
User enumeration:
nmap -p 25 --script=smtp-enum-users <Target IP>
Open SMTP relays. An SMTP relay forwards mail from a sender's client or server towards the recipient's server. A relay is "open" when it does not restrict who may use it, so anyone can send mail through it to arbitrary external recipients; spammers abuse this and it gets the server blacklisted.
nmap -p 25 --script=smtp-open-relay <Target IP>
A list of all the SMTP commands available
nmap -p 25 --script=smtp-commands <Target IP>
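An added example (not from the page or from Nmap) implementing the two checks above against a minimal transport interface. ScriptedTransport is a constructed fake server that has VRFY disabled, knows two mailboxes and refuses to relay, so the exchange can be run offline; SocketTransport talks to a live host. The domain probe.example and the mailbox names are assumptions.

```python
"""SMTP user enumeration (VRFY, falling back to RCPT TO) and an open-relay probe,
the checks behind smtp-enum-users and smtp-open-relay. Added example."""
import re
import socket
from typing import Dict, List, Tuple


class SmtpSession:
    def __init__(self, transport, helo_name: str = "probe.example"):
        self.t = transport                    # needs .sendline(str) and .readline() -> str
        self.greeting = self.read_reply()
        self.ehlo = self.command(f"EHLO {helo_name}")

    def read_reply(self) -> Tuple[int, str]:
        """Collect a reply, including multi-line ones ('250-...' then '250 ...')."""
        lines = []
        while True:
            line = self.t.readline().rstrip("\r\n")
            m = re.match(r"(\d{3})([ -]?)(.*)", line)
            if not m:
                raise ValueError(f"malformed SMTP reply: {line!r}")
            lines.append(m.group(3))
            if m.group(2) != "-":
                return int(m.group(1)), "\n".join(lines)

    def command(self, cmd: str) -> Tuple[int, str]:
        self.t.sendline(cmd)
        return self.read_reply()


def enumerate_users(session: SmtpSession, candidates: List[str],
                    sender: str = "probe@probe.example") -> Dict[str, str]:
    """{user: 'exists'|'absent'|'unknown'}. Starts with VRFY; if the server
    answers 252 or 502 (VRFY disabled) switches to MAIL FROM + RCPT TO, whose
    550 'user unknown' leaks the same information."""
    results, mode = {}, "vrfy"
    for user in candidates:
        if mode == "vrfy":
            code, _ = session.command(f"VRFY {user}")
            if code in (252, 502):
                mode = "rcpt"
                session.command(f"MAIL FROM:<{sender}>")
        if mode == "rcpt":
            code, _ = session.command(f"RCPT TO:<{user}>")
        results[user] = ("exists" if code in (250, 251) else
                         "absent" if code in (550, 551, 553) else "unknown")
    return results


def check_open_relay(session: SmtpSession, external_sender: str, external_rcpt: str) -> bool:
    """True if the server accepts a recipient in a domain it is not responsible for."""
    session.command("RSET")
    session.command(f"MAIL FROM:<{external_sender}>")
    code, _ = session.command(f"RCPT TO:<{external_rcpt}>")
    session.command("RSET")                  # never actually hand over a message
    return code in (250, 251)


class SocketTransport:
    """Real transport for a live target (plain TCP/25; no STARTTLS handling)."""
    def __init__(self, host: str, port: int = 25, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="latin-1", newline="\r\n")

    def sendline(self, cmd: str) -> None:
        self.sock.sendall((cmd + "\r\n").encode("latin-1"))

    def readline(self) -> str:
        return self.rfile.readline()


class ScriptedTransport:
    """Constructed stand-in for a server: VRFY disabled, mailboxes 'admin' and
    'alice' at test.com, relaying to other domains denied."""
    LOCAL_USERS = {"admin", "alice"}

    def __init__(self):
        self.queue = ["220 mail.test.com ESMTP ready"]
        self.log: List[str] = []

    def sendline(self, cmd: str) -> None:
        self.log.append(cmd)
        verb, _, arg = cmd.partition(" ")
        if verb == "EHLO":
            self.queue += ["250-mail.test.com", "250-PIPELINING", "250 SIZE 10240000"]
        elif verb == "VRFY":
            self.queue.append("252 2.5.2 Cannot VRFY user, but will accept message")
        elif verb in ("MAIL", "RSET"):
            self.queue.append("250 2.0.0 Ok")
        elif verb == "RCPT":
            addr = arg.split("<", 1)[1].rstrip(">").lower()
            user, _, domain = addr.partition("@")
            if domain not in ("", "test.com"):
                self.queue.append("554 5.7.1 Relay access denied")
            elif user in self.LOCAL_USERS:
                self.queue.append("250 2.1.5 Ok")
            else:
                self.queue.append("550 5.1.1 User unknown")
        else:
            self.queue.append("502 5.5.2 Error: command not recognized")

    def readline(self) -> str:
        return self.queue.pop(0) + "\r\n"
```

Against a real target, SmtpSession(SocketTransport(ip)) drives the same functions; note that the RCPT fallback leaves a MAIL FROM transaction open, which is why the relay check resets it first.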
FTP (File Transfer Protocol) servers can allow anonymous access, that is, logging in without an individual account. If this feature is enabled, the username "anonymous" (many servers also accept "ftp") is accepted with any password, conventionally an e-mail address.
Anonymous FTP is a common method for accessing a server to view or download publicly available files. However, it can pose security risks if the FTP server inadvertently exposes sensitive files or directories. To authenticate using FTP, you can use the following command:
SMB (Server Message Block) is a network protocol for sharing files, printers and other resources between computers, used above all in Windows environments. Developed by Microsoft and also implemented by Samba, it is ubiquitous in home and corporate networks and is sometimes, unwisely, exposed to the internet.
Port: SMB listens on TCP 445 (direct hosting over TCP). TCP 139 carries SMB over the NetBIOS session service and is kept for backward compatibility with older clients and NetBIOS-dependent features.
To enumerate use:
nmap --script "safe or smb-enum-*" -p 445 <IP>
or Enum4linux
Enum4Linux is a tool for enumerating information from Windows and Samba systems. It is used for share enumeration, password policy retrieval, identification of remote OSes, detecting if hosts are in a workgroup or a domain, user listing on hosts, listing group membership information, etc.
"ldapsearch" is a shell-accessible interface to the ldap_search_ext(3) library call. It opens a connection to an LDAP server, binds, and performs a search using the specified parameters. The search filter must follow the LDAP string representation of search filters; if no filter is given, the default filter (objectClass=*) is used.
From GitHub:
The script performs basic enumeration of every open port and takes screenshots. However, it is quite old, so it might miss some things.
The enumeration phase will help you gather more specific details about identified systems, including critical user information and network services.