network discovery - dvanmosselbeen/security-cheat-sheet GitHub Wiki

Network Discovery

Network discovery, enumeration, information gathering, or whatever term is used: it all comes down to finding out which hosts are up on your network and which ports they have open.

Information gathering is the most important step before hacking. Knowing what is out there gives you different options on how to proceed with the next actions.

Enumerating Network hosts & Ports

nmap

How to scan for open ports depends on how well protected the target system is, and on how noisy you can or want to be. It is also wise to save the scan result, and when saving it, better to save it in the 3 different formats (.xml, .gnmap, .nmap) with the option -oA <filename> (xml, grepable and normal), so that the result can be imported into other frameworks such as Metasploit.

sudo nmap -vv -p- -A -oA /tmp/nmap_scan <IP>
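As an added example (not from this cheat sheet), a small Python parser for the grepable .gnmap file that -oA writes, producing a per-host list of open ports that can be fed into your own inventory or diffing scripts. The scan output embedded below is constructed, not a real scan.

```python
import re

# Constructed sample of nmap's grepable (.gnmap) output; not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated Tue Aug 10 08:03:00 2021 as: nmap -vv -p- -A -oA /tmp/nmap_scan 192.168.0.0/24
Host: 192.168.0.10 ()\tStatus: Up
Host: 192.168.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/, 445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 192.168.0.20 (printer.lan)\tPorts: 80/open/tcp//http//lighttpd/, 631/open/tcp//ipp///\tIgnored State: closed (65533)
# Nmap done at Tue Aug 10 08:08:02 2021 -- 256 IP addresses (2 hosts up) scanned in 302.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, service, version)]}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and anything unexpected
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # 'Status:' and 'Ignored State:' fields carry no port data
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                # gnmap port entry layout: port/state/proto/owner/service/rpc_info/version/
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state == "open":
                    entry["ports"].append((int(port), proto, service, version))
    return hosts

def open_port_summary(hosts):
    """One 'ip<TAB>port/proto<TAB>service version' line per open port, sorted by IP then port."""
    lines = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        for port, proto, service, version in sorted(hosts[ip]["ports"]):
            lines.append(f"{ip}\t{port}/{proto}\t{service} {version}".rstrip())
    return lines

if __name__ == "__main__":
    print("\n".join(open_port_summary(parse_gnmap(SAMPLE_GNMAP))))
```

Filtered ports (8080 in the sample) are deliberately dropped, so the summary lists only what is confirmed open.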

zenmap

The Great Unexpected Idea, aka GUI for nmap. Ideal to use after a few beers. No screenshots, I was too drunk when writing this.

Metasploit

Metasploit can also do port scanning, or it can import the XML port scan result of nmap:

See also: https://xapax.github.io/security/#recon/port_scanning/#metasploit

Metasploit port scan module

Initiate the Metasploit database and then run the console.

msfdb init
msfconsole

You can do different port scans with Metasploit. Type search portscan and it will show you the different port scan modules. For example, we will use this scan:

use auxiliary/scanner/portscan/tcp

Once the module is loaded, use info to see which variables you need to set before launching the scan.

set INTERFACE eth0
set RHOSTS 192.168.0.0/24
set PORTS 1-65535
run

NB: The command exploit is an alias for run.

Then you can use the hosts and services commands to get your information.

You can also launch nmap with its parameters directly from within the msfconsole.

Import a nmap scan into Metasploit

Importing a previously done nmap scan that was saved with the -oA parameter. Actually,

db_import /tmp/nmap_scan.xml

netdiscover

netdiscover makes use of the ARP protocol, so the scan is very fast. Another very good point of netdiscover is that it is a live scan: if you leave netdiscover running and new devices connect to the network, you get to see them appear. So here's a quick cheat sheet for it:

sudo netdiscover -i eth0 -r 192.168.0.0/24

IMPORTANT NOTE: netdiscover cannot scan on a tun0 (VPN) device, because ARP only works on a layer-2 (Ethernet) interface!

See netdiscover --help for more information.

Enumerating an FTP Server

...

Enumerating an NFS Server

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.63.237

Enumerating a Samba Server

This can be done with enum4linux:

enum4linux -U -o <IP>

But this can also be done with nmap scripts:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <IP>

Which returns, for example:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-10 08:03 CEST
Nmap scan report for 10.10.63.237
Host is up (0.030s latency).


PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.63.237\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.63.237\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.63.237\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 5.02 seconds

We then use the following command to connect to the share that allows anonymous access:

smbclient //10.10.63.237/anonymous

Enter a blank (empty) password:

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 12:49:09 2019
  ..                                  D        0  Wed Sep  4 12:56:07 2019
  log.txt                             N    12237  Wed Sep  4 12:49:09 2019

                9204224 blocks of size 1024. 6877104 blocks available

To download the whole share recursively:

smbget -R smb://10.10.63.237/anonymous
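Reading smb-enum-shares output by eye gets tedious on a whole subnet, so here is an added example (not part of the cheat sheet) that parses that NSE output format and turns each share with anonymous access into a defender-facing finding: a null session on IPC$, or an anonymously readable or writable disk share. The excerpt embedded below is constructed in the same layout as the output shown above.

```python
import re

# Constructed excerpt in the layout of nmap's smb-enum-shares script output (not real scan data).
SAMPLE_NSE = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.0.10\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.0.10\anonymous:
|     Type: STYPE_DISKTREE
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.0.10\print$:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|_    Current user access: <none>
"""

# A share header looks like '|   \\host\name:'; an attribute like '|     Key: value'.
SHARE_RE = re.compile(r"^\|[ _]\s*(\\\\[^\\]+\\[^:]+):\s*$")
ATTR_RE = re.compile(r"^\|[ _]\s+([A-Za-z ]+?):\s*(.*)$")

def parse_enum_shares(text):
    """Return {share_unc: {attribute: value}} from smb-enum-shares output."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = shares.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:  # attributes before the first share header are ignored
            current[m.group(1)] = m.group(2)
    return shares

def classify(shares):
    """Map each share reachable anonymously to a finding label; returns sorted (unc, label, path) tuples."""
    findings = []
    for unc, attrs in shares.items():
        anon = attrs.get("Anonymous access", "<none>")
        if anon == "<none>":
            continue  # nothing for an unauthenticated client to see here
        if attrs.get("Type") == "STYPE_IPC_HIDDEN":
            label = "null session allowed (anonymous IPC$)"
        elif "WRITE" in anon:
            label = "anonymous WRITABLE share"
        else:
            label = "anonymous readable share"
        findings.append((unc, label, attrs.get("Path", "")))
    return sorted(findings)
```

Run it over the saved .nmap file of a subnet scan and every anonymously writable share shows up on one line, ready for a ticket to whoever owns that host.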

Enumerating a Web Server

This consists of enumerating directories and files with a wordlist, to find out which directories or files are present on a web server. See also the list of web server enumeration tools below.

There are a variety of tools to do this. gobuster is trendy at the moment.

gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<IP>:<PORT> -o gobuster_scan_result

Getting help in gobuster

  • gobuster help - General help.
  • gobuster help <mode> - Outputs the help specific to that mode. For example, gobuster help dir outputs the help for web server directory scanning.

Nikto

Nikto is a good tool to scan web servers, but it is very intrusive (noisy). According to the Nikto package description it is a "Web server security scanner", and indeed it can return some interesting information about your web server.

nikto -host <IP>

Other tools

  • gobuster
  • dirb
  • dirbuster