
Active reconnaissance

Active information gathering is the process of collecting information about a target by interacting with it directly, for example through banner grabbing or port scanning. Because packets reach the target, this activity is typically logged and detected by IDS/IPS systems.

DNS Enumeration

Quick Intro
  • DNS enumeration is the process of identifying the DNS servers and the corresponding DNS records. DNS stands for Domain Name System which is a database containing information about domain names and their corresponding IP addresses. The DNS system is responsible for translating human-readable hostnames into machine-readable IP addresses.
  • A (address) records containing the IP address of the domain.
  • MX records, which stands for Mail Exchange, contain the mail exchange servers.
  • CNAME records used for aliasing domains. CNAME stands for Canonical Name and links any sub-domains with existing domain DNS records.
  • NS records, which stands for Name Server, indicate the authoritative (or main) name server for the domain.
  • SOA records, which stands for Start of Authority, contain important information about the domain such as the primary name server, a timestamp showing when the domain was last updated and the party responsible for the domain.
  • PTR or Pointer records map an IP address back to a hostname. This record is also called a ‘reverse record’ because it connects an IP address to a hostname instead of the other way around.
  • TXT records contain text inserted by the administrator (such as notes about the way the network has been configured).
  • The information retrieved during DNS enumeration will consist of details about name servers and IP addresses of potential targets (such as mail servers, sub-domains etc). Some tools used for DNS enumeration included with Kali Linux are: whois, nslookup, dig, host and automated tools like Fierce, DNSenum and DNSrecon. Let’s briefly review these tools and see how we can use them for DNS enumeration.
Whois
whois <domain>
Nmap
nmap -sC -sV -p53 $ip/24

nmap -p 80 --script dns-brute.nse domain.com
# Find DNS (A) records by trying a list of common sub-domains from a wordlist.

nmap $ip --script=dns-zone-transfer -p 53
# Zone transfer script
Host
Domain Scan
$ host google.com

google.com has address 142.250.183.78
google.com has IPv6 address 2404:6800:4009:822::200e
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
Find Particular Records
host -t mx google.com
# Return mail servers 

host -t ns google.com
# Return name servers 

host -t txt google.com
# Return txt records
Reverse Domain Lookup
$ host gnu.org        

gnu.org has address 209.51.188.148
gnu.org has IPv6 address 2001:470:142:3::a
gnu.org mail is handled by 10 eggs.gnu.org.

$ host 209.51.188.148

148.188.51.209.in-addr.arpa is an alias for 148.0-24.188.51.209.in-addr.arpa.
148.0-24.188.51.209.in-addr.arpa domain name pointer wildebeest.gnu.org.
DNS Zone Transfer

DNS zone transfer, also known as DNS query type AXFR, is a process by which a DNS server passes a copy of part of its database to another DNS server. The portion of the database that is replicated is known as a zone.

host -l <domain> <NameServer>
$ host -t ns zonetransfer.me               # first list out their name servers to check for zone transfer

zonetransfer.me name server nsztm2.digi.ninja.
zonetransfer.me name server nsztm1.digi.ninja.

$ host -l zonetransfer.me nsztm1.digi.ninja

Using domain server:
Name: nsztm1.digi.ninja
Address: 81.4.108.41#53
Aliases: 

zonetransfer.me has address 5.196.105.14
zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me.
asfdbbox.zonetransfer.me has address 127.0.0.1
canberra-office.zonetransfer.me has address 202.14.81.230
dc-office.zonetransfer.me has address 143.228.181.132
deadbeef.zonetransfer.me has IPv6 address dead:beaf::
email.zonetransfer.me has address 74.125.206.26
home.zonetransfer.me has address 127.0.0.1
internal.zonetransfer.me name server intns1.zonetransfer.me.
internal.zonetransfer.me name server intns2.zonetransfer.me.
intns1.zonetransfer.me has address 81.4.108.41
intns2.zonetransfer.me has address 167.88.42.94
office.zonetransfer.me has address 4.23.39.254
ipv6actnow.org.zonetransfer.me has IPv6 address 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me has address 207.46.197.32
alltcpportsopen.firewall.test.zonetransfer.me has address 127.0.0.1
vpn.zonetransfer.me has address 174.36.59.154
www.zonetransfer.me has address 5.196.105.14
Zone Transfer Script
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if argument was given, if not, print usage
if [ -z "$1" ]; then
    echo "[*] Simple Zone transfer script"
    echo "[*] Usage : $0 <domain name> "
    exit 0
fi
# if argument was given, identify the DNS servers for the domain
# (field 4 of "example.com name server ns1.example.com." is the server name)
for server in $(host -t ns "$1" | cut -d " " -f4); do
    # For each of these servers, attempt a zone transfer
    host -l "$1" "$server" | grep "has address"
done
Subdomain Brute Forcing Using Common Hostname
for name in $(cat list.txt); do host "$name.website.com"; done
Reverse DNS Lookup Brute Forcing
for ip in $(seq 155 190); do host $prefix.$ip; done | grep -v "not found"

Here $prefix holds the first three octets of the network (taken from the addresses found during subdomain brute forcing); the loop resolves the PTR record of every host in that range and drops the addresses that have none.

Nslookup

nslookup is used to query Internet name servers interactively.

$ nslookup hsploit.com

Server:     203.153.41.28
Address:    203.153.41.28#53

Non-authoritative answer:
Name:   hsploit.com
Address: 104.21.38.165
Name:   hsploit.com
Address: 172.67.136.119
Name:   hsploit.com
Address: 2606:4700:3033::6815:26a5
Name:   hsploit.com
Address: 2606:4700:3035::ac43:8877
Running in Interactive Mode
$ nslookup

> set type=ns
> hsploit.com
Server:     203.153.41.28
Address:    203.153.41.28#53

Non-authoritative answer:
hsploit.com nameserver = dee.ns.cloudflare.com.
hsploit.com nameserver = jim.ns.cloudflare.com.

Authoritative answers can be found from:
> 
Gathering Information from a Specific DNS Server
$ nslookup                                

> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53

> 10.10.10.13
13.10.10.10.in-addr.arpa    name = ns1.cronos.htb.
Dig
Domain Scan
$ dig hsploit.com

; <<>> DiG 9.16.18 <<>> hsploit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13539
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;hsploit.com.           IN  A

;; ANSWER SECTION:
hsploit.com.        1200    IN  A   104.21.38.165
hsploit.com.        1200    IN  A   172.67.136.119

;; Query time: 139 msec
;; SERVER: 203.153.41.28#53(203.153.41.28)
;; WHEN: Thu Jul 22 17:04:58 IST 2021
;; MSG SIZE  rcvd: 72
Query for Particular Record
dig hsploit.com -t mx
Shortening the Output
$ dig hsploit.com -t ns +short 

dee.ns.cloudflare.com.
jim.ns.cloudflare.com.

Note - if a particular type of information is not available, dig will NOT provide output.

Reverse Domain Lookup
$ dig -x 142.250.183.78 +short        

bom12s12-in-f14.1e100.net.
Zone Transfer
$ dig zonetransfer.me ns +short 

nsztm2.digi.ninja.
nsztm1.digi.ninja.

$ dig axfr zonetransfer.me @nsztm1.digi.ninja

; <<>> DiG 9.16.18 <<>> axfr zonetransfer.me @nsztm1.digi.ninja
;; global options: +cmd
zonetransfer.me.    7200    IN  SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.    300 IN  HINFO   "Casio fx-700G" "Windows XP"
zonetransfer.me.    301 IN  TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.    7200    IN  MX  0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.    7200    IN  MX  10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.    7200    IN  MX  10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.    7200    IN  MX  20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.    7200    IN  MX  20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.    7200    IN  MX  20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.    7200    IN  MX  20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.    7200    IN  A   5.196.105.14
zonetransfer.me.    7200    IN  NS  nsztm1.digi.ninja.
zonetransfer.me.    7200    IN  NS  nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN   AFSDB   1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200  IN  A   127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN    AFSDB   1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A  202.14.81.230
cmdexec.zonetransfer.me. 300    IN  TXT "; ls"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me. 7200 IN  A   143.228.181.132
deadbeef.zonetransfer.me. 7201  IN  AAAA    dead:beaf::
dr.zonetransfer.me. 300 IN  LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me.    7200    IN  TXT "AbCdEfG"
email.zonetransfer.me.  2222    IN  NAPTR   1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me.  7200    IN  A   74.125.206.26
Hello.zonetransfer.me.  7200    IN  TXT "Hi to Josh and all his class"
home.zonetransfer.me.   7200    IN  A   127.0.0.1
Info.zonetransfer.me.   7200    IN  TXT "ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300   IN  NS  intns1.zonetransfer.me.
internal.zonetransfer.me. 300   IN  NS  intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN  A   81.4.108.41
intns2.zonetransfer.me. 300 IN  A   167.88.42.94
office.zonetransfer.me. 7200    IN  A   4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA    2001:67c:2e8:11::c100:1332
owa.zonetransfer.me.    7200    IN  A   207.46.197.32
robinwood.zonetransfer.me. 302  IN  TXT "Robin Wood"
rp.zonetransfer.me. 321 IN  RP  robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me.    3333    IN  NAPTR   2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me.   300 IN  TXT "' or 1=1 --"
sshock.zonetransfer.me. 7200    IN  TXT "() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200   IN  CNAME   www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301    IN  CNAME   www.zonetransfer.me.
vpn.zonetransfer.me.    4000    IN  A   174.36.59.154
www.zonetransfer.me.    7200    IN  A   5.196.105.14
xss.zonetransfer.me.    300 IN  TXT "'><script>alert('Boo')</script>"
zonetransfer.me.    7200    IN  SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
;; Query time: 133 msec
;; SERVER: 81.4.108.41#53(81.4.108.41)
;; WHEN: Thu Jul 22 17:28:02 IST 2021
;; XFR size: 50 records (messages 1, bytes 1994)
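The transfer above is what makes an open AXFR a finding for the zone owner: next to the public web and mail records it discloses an internal sub-zone delegation, loopback and private addresses, a CNAME into a third party's domain and contact details in TXT records. The following Python script is an added example, not part of the original page: it parses the text that dig axfr prints and flags those classes of record so the same output can be reviewed as a zone audit. The sample input is a subset of the records shown above, embedded inline, and the function names are the example's own.

```python
import ipaddress
import re
from collections import Counter

# Matches an e-mail address inside TXT record data.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample: a subset of the dig axfr output shown above.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.18 <<>> axfr zonetransfer.me @nsztm1.digi.ninja
;; global options: +cmd
zonetransfer.me.    7200    IN  SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.    7200    IN  A   5.196.105.14
zonetransfer.me.    7200    IN  NS  nsztm1.digi.ninja.
asfdbbox.zonetransfer.me. 7200  IN  A   127.0.0.1
canberra-office.zonetransfer.me. 7200 IN A  202.14.81.230
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
deadbeef.zonetransfer.me. 7201  IN  AAAA    dead:beaf::
internal.zonetransfer.me. 300   IN  NS  intns1.zonetransfer.me.
staging.zonetransfer.me. 7200   IN  CNAME   www.sydneyoperahouse.com.
testing.zonetransfer.me. 301    IN  CNAME   www.zonetransfer.me.
;; Query time: 133 msec
"""


def parse_axfr(text):
    """Return (owner, ttl, rtype, rdata) for each record in dig AXFR output.

    dig prints one record per line as "owner TTL IN TYPE rdata"; lines that
    start with ';' are dig's own commentary and are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, ttl, _, rtype, rdata = parts
        records.append((owner, int(ttl), rtype, rdata))
    return records


def record_counts(text):
    """Count records per type: a quick measure of how much the zone exposes."""
    return Counter(rtype for _, _, rtype, _ in parse_axfr(text))


def audit_zone(text, zone):
    """Return (owner, type, reason) for records the zone owner should review."""
    apex = zone.rstrip(".") + "."
    findings = []
    for owner, _, rtype, rdata in parse_axfr(text):
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if addr.is_loopback or addr.is_private:
                findings.append((owner, rtype, "non-routable address published in a public zone"))
        elif rtype == "NS" and owner != apex:
            findings.append((owner, rtype, "delegation of an internal sub-zone is visible"))
        elif rtype == "TXT" and EMAIL_RE.search(rdata):
            findings.append((owner, rtype, "contact details exposed in TXT record"))
        elif rtype == "CNAME" and not rdata.endswith("." + apex):
            findings.append((owner, rtype, "CNAME target outside the zone; confirm it is still controlled"))
    return findings


if __name__ == "__main__":
    print(dict(record_counts(SAMPLE_AXFR)))
    for owner, rtype, reason in audit_zone(SAMPLE_AXFR, "zonetransfer.me"):
        print(f"{owner:40} {rtype:6} {reason}")
```

Run against a real transfer with `dig axfr <zone> @<ns> > zone.txt` and feed the file's contents to `audit_zone`. The underlying fix is on the server: authoritative name servers should only allow AXFR from their own secondaries (for example BIND's `allow-transfer`), and records that exist only for internal use belong in a separate internal zone.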
Automated Scanners
dnsenum
dnsenum $ip

dnsenum google.com -f /usr/share/dnsenum/dns.txt
# Brute forcing subdomains
dnsrecon
dnsrecon -d $ip

dnsrecon -d $ip -t axfr
# Perform zone transfer

dnsrecon -d $ip -D /usr/share/dnsrecon/subdomains-top1mil-20000.txt -t brt
# Perform host and subdomain brute force
Subdomain Enumeration
ffuf
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.horizontall.htb" -u http://horizontall.htb
sublist3r
sublist3r -d <domain>
# To scan with public data

sublist3r -d <domain> -b -t 100
# To bruteforce the subdomains
# this will use following wordlist:
    /usr/share/sublist3r/subbrute/names.txt

Port Scanning with Nmap

Scan for live hosts
$ nmap -sn $ip/24

$ nmap -vvv -sn $ip/24
Scan Specific IP range
$ nmap -sP 10.0.0.0-100
AutoRecon
autorecon $ip
Initial TCP Scan
nmap -sC -sV -O -oA initial $ip
Full TCP Scan
nmap -sC -sV -O -p- -oA nmap/full $ip
Full UDP Scan
nmap -sU -O -p- -oA nmap/udp $ip
Port Knocking
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x $ip; done
Deep Scan
$ nmap -v -p- -sT $ip
Max Scan Delay
nmap -sC -sV $ip -oN initial -v --max-scan-delay=10

The --max-scan-delay argument specifies the maximum amount of time Nmap should wait between probes.

Maximum Retries
nmap -p21-25 $ip --max-retries 0
  • The --max-retries argument specifies the number of times a probe is resent to a port to determine whether it is open or closed
  • If --max-retries is set to 0, each port is probed only once and no retries are done
Scan for Specific Port
nmap -p T:80,443,8080 $ip/24
  • The T: prefix marks the ports that follow it as TCP ports
  • The U: prefix marks the ports that follow it as UDP ports
Scan Target from Text File

Create a text file that contains a list of the target machines, one per line:

$ip1
$ip2
$ip3

Run nmap with -iL argument

nmap -iL list-of-ips.txt
nmap -sV -sT $ip
OS Fingerprinting
nmap -O $ip
Stealth Scan
nmap -sS $ip
AutoRecon

https://github.com/Tib3rius/AutoRecon

SMB Enumeration

Quick Intro
  • SMB stands for Server Message Block
  • SMB allows you to share resources to other devices over the network
  • There are 3 versions of SMB
    • SMBv1 is susceptible to well-known attacks (EternalBlue, WannaCry). Disabled by default in newer Windows versions.
    • SMBv2 reduced "chattiness" of SMBv1. Guest access disabled by default.
    • SMBv3 guest access disabled, uses encryption; most secure.
  • TCP port 139 is SMB over NetBios
  • TCP port 445 is SMB over TCP/IP. This is the newer version of SMB.

List of SMB versions and corresponding Windows versions:

  1. SMBv1 – Windows 2000, XP and Windows 2003
  2. SMBv2 - Windows Vista SP1 and Windows 2008
  3. SMBv2.1 - Windows 7 and Windows 2008 R2
  4. SMBv3 - Windows 8 and Windows 2012
Nmap Scanning
nmap -n -v -Pn -p139,445 -sV $ip

# Get version information
nmap $ip --script=smb-enum*

nmap $ip --script=smb-vuln*

nmap $ip --script=smb-os*

# Scan with NSE Scripts
nmap $ip --script smb-os-discovery.nse
# SMB OS discovery

nmap -sU --script nbstat.nse -p 137 $ip
# scan exposed NetBIOS servers

nmap -sV --script=nfs-showmount $ip
# show mountable NFS shares
nbtscan
nbtscan -r $ip/24
# NetBIOS Information Scanning
List Available Shares
smbclient
smbclient -L \\\\$ip\\
# Will list all shares

smbclient -L \\$ip --option='client min protocol=NT1'
# if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"

smbclient //HOST/PATH -c 'recurse;ls'
# list all files recursively
smbmap
smbmap -H $ip
# list all shares with available permissions

smbmap -H $ip -R $sharename
# recursively list directories and files

smbmap -u '' -p '' -H $ip 
smbmap -u guest -p '' -H $ip
smbmap -u jsmith -p password1 -d workgroup -H $ip
# With credentials
Nmap
nmap --script smb-enum-shares -p 139,445 $ip
Connecting to Shares
smbclient \\\\$ip\\C$
or
smbclient \\\\$ip\\C$ --option='client min protocol=NT1'

smbclient \\\\$ip\\admin$ -U t-skid
# Connect with valid username and password 
# Specify username with -U
Downloading Multiple Files
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# With smbclient

smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
# Downloads a file in quiet mode

smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
# download everything recursively in the wwwroot share to /usr/share/smbmap
enum4linux
enum4linux -a $ip

enum4linux -u 'guest' -p '' -a $ip
Null Session with rpcclient

rpcclient is a Linux tool used for executing client-side MS-RPC functions. A null session is a connection to a Samba or SMB server that does not require authentication with a password. Null sessions were enabled by default on legacy systems but have been disabled since Windows XP SP2 and Windows Server 2003. Nowadays it is not very common to encounter hosts that have null sessions enabled, but it is worth a try if you do stumble across one. The connection uses port 445.

rpcclient -U "" <ip>

# You will be asked for a password but leave it blank and press enter to continue
rpcclient>srvinfo

rpcclient>enumdomusers

rpcclient>getdompwinfo
Enumerating Users with IPC$

If the IPC$ share is enabled and allows anonymous access, users can be enumerated with Impacket's lookupsid.py:

lookupsid.py anonymous@$ip
smbver.sh
#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
# The capture interface is hard-coded to tap0; change it to match your setup.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost="$1"; fi
if [ -n "$2" ]; then rport="$2"; else rport=139; fi
# Capture the negotiation in the background and pull the Samba version string out of it
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
# Trigger the null login that the capture above is waiting for
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""
smbenum.sh
#!/bin/bash
# smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal
# SECFORCE - Antonio Quina
# All credits to Bernardo Damele A. G. <bernardo.damele@gmail.com> for the ms08-067_check.py script

IFACE="eth0"

if [ $# -eq 0 ]
    then
        echo "Usage: $0 <IP>"
        echo "eg: $0 10.10.10.10"
        exit
    else
        IP="$1"
fi

echo -e "\n########## Getting Netbios name ##########"
nbtscan -v -h $IP

echo -e "\n########## Checking for NULL sessions ##########"
output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"`
echo $output

echo -e "\n########## Enumerating domains ##########"
bash -c "echo 'enumdomains' | rpcclient $IP -U%"

echo -e "\n########## Enumerating password and lockout policies ##########"
polenum $IP

echo -e "\n########## Enumerating users ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP
bash -c "echo 'enumdomusers' | rpcclient $IP -U%"
bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt

echo -e "\n########## Enumerating Administrators ##########"
net rpc group members "Administrators" -I $IP -U%

echo -e "\n########## Enumerating Domain Admins ##########"
net rpc group members "Domain Admins" -I $IP -U%

echo -e "\n########## Enumerating groups ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP

echo -e "\n########## Enumerating shares ##########"
nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP

echo -e "\n########## Bruteforcing all users with 'password', blank and username as password"
hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1
rm /tmp/$IP-users.txt
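smbenum.sh above extracts account names from rpcclient's enumdomusers output with two cut calls, which throws away the RID. The RID is worth keeping when reviewing what a null session (see the rpcclient section above) discloses, because the low RIDs are fixed by Windows regardless of the account's display name. The following Python is an added example, not part of the page or of the script's author: it parses the `user:[name] rid:[0x...]` and `group:[name] rid:[0x...]` lines that rpcclient prints and labels the well-known RIDs. The sample output is constructed, and the function names are the example's own.

```python
import re

# One entry per line, as printed by rpcclient's enumdomusers / enumdomgroups.
ENTRY_RE = re.compile(
    r"^(user|group):\[(?P<name>[^\]]*)\] rid:\[0x(?P<rid>[0-9a-fA-F]+)\]\s*$"
)

# Well-known relative identifiers; fixed by Windows, independent of the domain SID.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt (domain)",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    519: "Enterprise Admins",
}

# Constructed sample: enumdomusers and enumdomgroups output from a domain where the
# Administrator account has been renamed to "sysop", plus a trailing error line.
SAMPLE_OUTPUT = """\
user:[sysop] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x44f]
user:[jsmith] rid:[0x450]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
result was NT_STATUS_ACCESS_DENIED
"""


def parse_entries(text):
    """Return (kind, name, rid) tuples; lines that are not entries are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group("name"), int(m.group("rid"), 16)))
    return entries


def user_names(text):
    """The same list smbenum.sh writes to /tmp/<IP>-users.txt, without the cut pipeline."""
    return [name for kind, name, _ in parse_entries(text) if kind == "user"]


def triage(text):
    """Describe what the null session disclosed, keyed by account or group name."""
    report = {}
    for kind, name, rid in parse_entries(text):
        if rid in WELL_KNOWN_RIDS:
            role = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            role = "custom " + kind      # RIDs from 1000 upward are allocated to created objects
        else:
            role = "reserved " + kind    # other low RIDs belong to built-in objects
        report[name] = (rid, role)
    return report


if __name__ == "__main__":
    for name, (rid, role) in triage(SAMPLE_OUTPUT).items():
        print(f"{name:15} rid={rid:<5} {role}")
```

The renamed account in the sample is the point: RID 500 still identifies the built-in Administrator after a rename, so renaming it gives no protection against an enumeration that returns RIDs. The useful control is to stop anonymous enumeration itself (null sessions disabled, which is the default on supported Windows versions) and to watch for SMB connections that enumerate domain users without a real account behind them.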
Brute Force SMB
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb   

nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip  -vvvv

SMTP Enumeration

Quick Intro
  • Used to send, receive, and relay outgoing emails
  • Uses default port 25
  • Main attacks are user enumeration and using an open relay to send spam
NSE
nmap $ip --script=smtp* -p 25

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
User Enumeration
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

for server in $(cat smtpmachines); do echo "******************" $server "*****************"; smtp-user-enum -M VRFY -U userlist.txt -t $server; done
# For multiple servers
Connecting & Useful Commands
telnet $ip 25
# connect over port 25 using telnet

nc -nv $ip 25
# connect over port 25 using netcat

VRFY root
# checks to see if user exists

EXPN root
# checks server to see if user belongs to mailing list

The following Python script opens a TCP socket, connects to the SMTP server, and issues a VRFY command for a given username.

#!/usr/bin/env python3

import socket
import sys

if len(sys.argv) != 3:
    print("Usage: vrfy.py <username> <target_ip>")
    sys.exit(0)

# Create a TCP socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the SMTP server on port 25
ip = sys.argv[2]
s.connect((ip, 25))

# Receive the banner (the 220 greeting)
banner = s.recv(1024)
print(banner)

# VRFY a user: the command is sent as bytes and terminated with CRLF
user = sys.argv[1].encode()
s.send(b'VRFY ' + user + b'\r\n')
result = s.recv(1024)
print(result)

# Close the socket
s.close()

Now let's run the script providing the username and target IP as arguments.

kali@kali:~/Desktop$ python3 smtp.py root $ip
b'220 mail ESMTP Postfix (Ubuntu)\r\n'
b'252 2.0.0 root\r\n'


kali@kali:~/Desktop$ python3 smtp.py johndoe $ip
b'220 mail ESMTP Postfix (Ubuntu)\r\n'
b'550 5.1.1 <johndoe>: Recipient address rejected: User unknown in local recipient table\r\n'
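The two runs above show the leak: the server answers 252 for an existing account and 550 for an unknown one, so the reply code alone tells the sender which names are real. The following Python is an added example, not part of the original page: it parses SMTP replies properly (including multi-line replies such as banners), classifies a VRFY reply by its code, and decides whether a set of replies reveals account existence. It is written as the check a mail administrator runs against their own server; the replies are constructed from the output shown above, and the function names are the example's own.

```python
import re

# A reply line is "code SP text" (final) or "code - text" (continuation), RFC 5321 4.2.1.
REPLY_LINE_RE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
# Optional enhanced status code (RFC 3463) at the start of the text, e.g. "5.1.1".
ENHANCED_RE = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})\s*(.*)$")

# Constructed from the page's two runs: one known and one unknown local user.
SAMPLE_REPLIES = {
    "root": b"252 2.0.0 root\r\n",
    "johndoe": b"550 5.1.1 <johndoe>: Recipient address rejected: User unknown in local recipient table\r\n",
}
# Constructed replies of a server that has VRFY disabled: every name gets the same answer.
HARDENED_REPLIES = {
    "root": b"502 5.5.1 VRFY command is disabled\r\n",
    "johndoe": b"502 5.5.1 VRFY command is disabled\r\n",
}
# Constructed two-line greeting, to exercise continuation lines.
BANNER = b"220-mail ESMTP Postfix (Ubuntu)\r\n220 ready\r\n"


def parse_reply(data):
    """Parse one complete SMTP reply; return (code, enhanced_status_or_None, text_lines).

    Raises ValueError when the reply is malformed, incomplete, or mixes codes.
    """
    lines = data.decode("ascii", errors="replace").split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()
    code, enhanced, texts = None, None, []
    for i, line in enumerate(lines):
        m = REPLY_LINE_RE.match(line)
        if not m or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed reply line: {line!r}")
        code = m.group(1)
        sep = m.group(2) or " "
        text = m.group(3) or ""
        e = ENHANCED_RE.match(text)
        if e:
            enhanced = enhanced or e.group(1)
            text = e.group(2)
        texts.append(text)
        if sep == " ":
            if i != len(lines) - 1:
                raise ValueError("data continues after the final reply line")
            return int(code), enhanced, texts
    raise ValueError("incomplete reply: no final line received")


def classify_vrfy(data):
    """Map a VRFY reply to what it tells the sender about the mailbox."""
    code, _, _ = parse_reply(data)
    if code in (250, 251):
        return "exists"
    if code == 252:
        return "exists-unverified"   # "will accept and attempt delivery"; Postfix sends this for known users
    if code in (550, 551, 553):
        return "unknown"
    if code == 502:
        return "disabled"            # command not implemented / switched off
    return f"other-{code}"


def vrfy_leaks_accounts(replies):
    """True when replies differ between names, i.e. VRFY confirms which accounts exist."""
    return len({classify_vrfy(r) for r in replies.values()}) > 1


if __name__ == "__main__":
    print(parse_reply(BANNER))
    for name, reply in SAMPLE_REPLIES.items():
        print(name, classify_vrfy(reply))
    print("leaks:", vrfy_leaks_accounts(SAMPLE_REPLIES), vrfy_leaks_accounts(HARDENED_REPLIES))
```

On Postfix the hardening is `disable_vrfy_command = yes` in main.cf, after which every VRFY gets the same 502 reply and `vrfy_leaks_accounts` returns False; EXPN is not implemented by Postfix at all. The raw socket script above the runs still works for confirming the setting from outside.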

Below is how we can connect from a Windows 11 client using PowerShell.

PS C:\Users\student> Test-NetConnection -Port 25 $ip

ComputerName     : $ip
RemoteAddress    : $ip
RemotePort       : 25
InterfaceAlias   : Ethernet0
SourceAddress    : $sourceip
TcpTestSucceeded : True
Brute Force
hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V
Send Email with Netcat

https://www.linuxjournal.com/content/sending-email-netcat

SNMP Enumeration

Quick Intro

The Simple Network Management Protocol (SNMP) is a protocol used in TCP/IP networks to collect and manage information about networked devices. SNMP operates in the application layer (layer 7 of the OSI model) and uses UDP port 161 to listen for requests. The SNMP protocol is supported by many types of devices including routers, switches, servers, printers, Network Attached Storage (NAS), firewalls, WLAN controllers and more.

Until recently, implementations of SNMPv3, the version that adds authentication and encryption, shipped with support only for 56-bit DES, a weak cipher that can be brute-forced. More recent SNMPv3 implementations support the AES-256 encryption scheme.

SNMP managed networks have 3 components

  1. Managed Device - A managed device (also referred to as a ‘node’) is a network device with the SNMP service enabled allowing unidirectional (read) or bidirectional (read/write) communication. Managed devices can be any networked device including servers, firewalls and routers.
  2. Agent - The agent is the software running on the managed device which is responsible for handling the communication. The agent translates device-specific configuration parameters into an SNMP format for the Network Management System.
  3. Network Management System (NMS) - The Network Management System is the software that is actually managing and monitoring networked devices. An SNMP managed network will always contain at least one NMS.

The SNMP protocol uses several commands which are sent from the NMS to the managed device’s agent and back. These commands can be categorized as read, write, trap and traversal commands.

  • Read commands are sent by the NMS to nodes for monitoring purposes
  • Write commands are used to control the nodes in the network
  • The trap commands are used for unsolicited SNMP messages from a device’s agent to the NMS to inform the NMS about certain events such as errors
  • Traversal commands are used to check what information is retained on a managed device and to retrieve it
SNMP Management Information Base (MIB)

The SNMP Management Information Base (MIB) is a database that contains information about the network device. When the Network Management System (NMS) sends a ‘get’ request for information about a managed device on the network, the agent service returns a structured table with data. This table is what is called the Management Information Base (MIB). MIB values are indexed using a series of numbers with dots. For example, MIB value 1.3.6.1.2.1.1.1 refers to the system description (sysDescr) and value 1.3.6.1.2.1.1.6 refers to the system location (sysLocation).

1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
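The OID table above is easier to use when the raw output of a walk is grouped by those prefixes, which is also the quickest way for an administrator to see what a read-only community string hands out. The following Python is an added example, not part of the original page: it parses the `oid = TYPE: value` lines that `snmpwalk -On` (numeric OIDs) prints and sorts them under the table's names by longest matching prefix. The walk output is constructed and mixes objects a Linux host (HOST-RESOURCES-MIB) and a Windows host (the 1.3.6.1.4.1.77 user list) would return so that several groups are exercised; the function names are the example's own.

```python
import re

# OID prefixes from the table above (plus sysDescr and sysLocation from the paragraph).
OID_GROUPS = {
    "1.3.6.1.2.1.1.1": "System Description",
    "1.3.6.1.2.1.1.6": "System Location",
    "1.3.6.1.2.1.25.1.6": "System Processes",
    "1.3.6.1.2.1.25.4.2.1.2": "Running Programs",
    "1.3.6.1.2.1.25.4.2.1.4": "Processes Path",
    "1.3.6.1.2.1.25.2.3.1.4": "Storage Units",
    "1.3.6.1.2.1.25.6.3.1.2": "Software Name",
    "1.3.6.1.4.1.77.1.2.25": "User Accounts",
    "1.3.6.1.2.1.6.13.1.3": "TCP Local Ports",
}

# One object per line: .<oid> = <TYPE>: <value>
WALK_LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$")

# Constructed sample of `snmpwalk -On -c public -v2c <host>` output.
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: "Linux fileserver 5.15.0 #1 SMP x86_64"
.1.3.6.1.2.1.1.6.0 = STRING: "Server room B, rack 4"
.1.3.6.1.2.1.25.1.6.0 = Gauge32: 137
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
.1.3.6.1.2.1.25.4.2.1.2.812 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.2.913 = STRING: "mysqld"
.1.3.6.1.2.1.25.4.2.1.4.913 = STRING: "/usr/sbin/mysqld"
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.3306.0.0.0.0.0 = INTEGER: 3306
.1.3.6.1.4.1.77.1.2.25.1.1.4.114.111.111.116 = STRING: "root"
.1.3.6.1.4.1.77.1.2.25.1.1.6.98.97.99.107.117.112 = STRING: "backup"
.1.3.6.1.2.1.1.3.0 = Timeticks: (4123456) 11:27:14.56
"""


def parse_walk(text):
    """Return (oid, type, value) tuples; quotes around STRING values are stripped."""
    objects = []
    for line in text.splitlines():
        m = WALK_LINE_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        if m.group("type") == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        objects.append((m.group("oid"), m.group("type"), value))
    return objects


def group_for(oid):
    """Name of the longest OID_GROUPS prefix that matches on whole sub-identifiers."""
    best = None
    for prefix, name in OID_GROUPS.items():
        if oid == prefix or oid.startswith(prefix + "."):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, name)
    return best[1] if best else None


def triage_walk(text):
    """Group the values a community string discloses under the table's headings."""
    report = {}
    for oid, _, value in parse_walk(text):
        name = group_for(oid)
        if name:                       # objects outside the table (e.g. sysUpTime) are dropped
            report.setdefault(name, []).append(value)
    return report


if __name__ == "__main__":
    for heading, values in triage_walk(SAMPLE_WALK).items():
        print(f"{heading}: {values}")
```

A process list, listening ports and account names from a single UDP request with the string `public` is the argument for treating community strings as passwords: on net-snmp the `rocommunity` directive accepts a source network and a view that limit who can read and what, and SNMPv3 with authentication and privacy removes the shared string altogether.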
SNMP Community Strings

The SNMP community string is like a username or password that allows access to the managed device. There are three different community strings, granting (1) read-only access, (2) read and write access and (3) traps. Most SNMPv1 and SNMPv2 devices ship from the factory with a default read-only community string set to ‘public’ and the read-write string set to ‘private’. As these default values are well known and easy to guess, it is good security practice to replace all community strings with a value that is hard to guess and to treat community strings as passwords. In SNMPv3, the community string was replaced by username and password authentication.

snmpwalk

snmpwalk is a great tool to query MIB values to retrieve information about managed devices, but, as a minimum, it requires a valid SNMP read-only community string.

for community in public private manager; do snmpwalk -c $community -v1 $ip; done
# tries the three community strings one by one

snmpwalk -c public -v1 $ip

snmpwalk -c public -v2c <target-ip>
# here -c stands for community string and 2c is most common version found on today's snmp devices
snmpcheck

Same as snmpwalk, but provides nicer output.

snmpcheck -t $ip -c public
Brute Forcing Community String
onesixtyone

onesixtyone is a very fast tool to brute force SNMP community strings and take advantage of the connectionless protocol. Onesixtyone sends an SNMP request and (by default) waits 10 milliseconds for a response. If the community string sent by onesixtyone to the SNMP enabled device is invalid, then the request is dropped. However, if a valid community string is passed to an SNMP enabled device, the device responds with the information requested (the ‘system.sysDescr.0’ value).

onesixtyone -c dict.txt <ip>
Wordlists
/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
SNMPv3 Enumeration
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb; ./snmpv3enum.rb
nmap -sV -p 161 --script=snmp-info $ip/24