Wednesday, February 15, 2017

Service enumeration - How to...


To gain access to a server or a network, you first need to collect all the necessary information, and there are many tools to help with that. In this article we look at some of them and see how they help us gather information. We will work with a few common services, namely SNMP (Simple Network Management Protocol), DNS (Domain Name System) and SMTP (Simple Mail Transfer Protocol).

This is always an important part of a penetration test. Knowing which services are running on a target helps you decide how to handle your test: you will know which potential vulnerabilities they have and which exploits to use.

Please note that in the examples below we are using Kali Linux.

DNS Enumeration


The DNSEnum tool comes with Kali Linux. To start it, open a terminal and run the following command:

cd /usr/bin
./dnsenum --enum example.com
· The results should include information about the host, the name server(s) and mail server(s), and in some cases it will also attempt zone transfers.

· You can use some switches to get results with finer detail. Here are some of the options:
--threads [number] sets how many processes you want to run simultaneously
-r enables recursive lookups
-d sets the delay (in seconds) between WHOIS requests
-o sets an output location
-w enables WHOIS queries



It would really be nice to scan a domain and get IP addresses and hostnames, plus more information. Well, there is another tool for that: fierce. To run it we use the following command:

cd /usr/bin
fierce -dns example.com


To use fierce with a word list, we use the following command:
fierce -dns example.com -wordlist targets.txt -file /temp/output.txt
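Both tools above leave a recognisable trace on the authoritative name server: dnsenum asks for a zone transfer (AXFR), and a wordlist run with fierce produces a burst of names that do not exist, which the server answers with NXDOMAIN. The following is an added example (not from the original post) that flags both behaviours in constructed query-log records. The five-field record format, the sample IP addresses and the threshold are assumptions for this example, not any particular server's log format.

```python
"""Added example (not from the original post): flag the two client behaviours that
dnsenum and fierce leave behind on an authoritative name server, an AXFR (zone
transfer) request and a burst of NXDOMAIN answers from hostname guessing."""
import re
from collections import Counter

# Constructed sample records, not real traffic. Format (an assumption, not a
# particular server's log): time, client IP, query name, query type, response code.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 example.com AXFR REFUSED
10:00:02 203.0.113.5 www.example.com A NOERROR
10:00:02 203.0.113.5 mail.example.com A NOERROR
10:00:02 203.0.113.5 vpn.example.com A NXDOMAIN
10:00:02 203.0.113.5 dev.example.com A NXDOMAIN
10:00:03 203.0.113.5 test.example.com A NXDOMAIN
10:00:03 203.0.113.5 staging.example.com A NXDOMAIN
10:00:03 203.0.113.5 intranet.example.com A NXDOMAIN
10:00:04 203.0.113.5 ftp.example.com A NXDOMAIN
10:00:05 198.51.100.7 www.example.com A NOERROR
10:00:06 198.51.100.7 wwww.example.com A NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(log):
    """Turn the text log into a list of dicts; malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype, rcode = m.groups()
            records.append({"ts": ts, "client": client, "qname": qname.lower(),
                            "qtype": qtype.upper(), "rcode": rcode.upper()})
    return records


def find_axfr_requests(records):
    """Every zone-transfer request, whether the server served or refused it.
    A REFUSED answer means the transfer ACL is doing its job; a NOERROR answer
    to AXFR from an unknown client means the whole zone was handed out."""
    return [(r["client"], r["qname"], r["rcode"])
            for r in records if r["qtype"] == "AXFR"]


def find_guessing_clients(records, nxdomain_threshold=5):
    """Clients whose NXDOMAIN count reaches the threshold: a wordlist run
    produces mostly misses, ordinary resolvers produce very few."""
    misses = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    return {client: n for client, n in misses.items() if n >= nxdomain_threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("AXFR requests:", find_axfr_requests(recs))
    print("hostname guessing:", find_guessing_clients(recs))
```

The NXDOMAIN threshold is deliberately low for the constructed sample; on a real server it should be tuned against a baseline, and the AXFR check is the one worth alerting on regardless of volume, since a single successful transfer gives away every record in the zone.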

SNMP Enumeration


So, for SNMP we use the snmpwalk tool. It uses SNMP GETNEXT requests to walk the target's MIB tree and collect information. In a terminal run this command:

snmpwalk -c public 192.168.10.100 -v 2c

· To enumerate installed software, run the command below:

snmpwalk -c public 192.168.10.100 -v 1 | grep hrSWInstalledName

Running this command will list the software installed on the target machine.

To enumerate open TCP ports with snmpwalk, we use this command:

snmpwalk -c public 192.168.10.100 -v 1 | grep tcpConnState | cut -d"." -f6 | sort -nu

In the results you will get a list of open TCP ports. This is important information from your enumeration.

· Another useful tool for enumerating SNMP is snmpcheck; here is the command to run it:

cd /usr/bin
snmpcheck -t 192.168.10.100

In the results, you will see information that you can later use in exploiting the target.
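Everything in this section worked because the agent answered the community string "public" over SNMPv1/v2c from any source. The following is an added example (not from the original post) that audits a net-snmp snmpd.conf for exactly those settings and shows a hardened SNMPv3-only fragment beside the weak one. The configuration text is constructed for this example and is not from any real host; the directive syntax (rocommunity, rwcommunity, rouser, view) is net-snmp's.

```python
"""Added example (not from the original post): audit a net-snmp snmpd.conf for the
settings that make the snmpwalk commands above work against a host, a guessable
community string and SNMPv1/v2c access open to any source."""
import re

# Constructed configuration fragments in net-snmp syntax, not from any real host.
WEAK_CONF = """\
# read-only for everyone who can reach UDP/161, write for anyone who guesses 'private'
rocommunity public
rwcommunity private
sysLocation Server room
"""

HARDENED_CONF = """\
# SNMPv3 only: an authPriv user limited to a read-only view of the system subtree
rouser monitor priv -V systemonly
view systemonly included .1.3.6.1.2.1.1
sysLocation Server room
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# rocommunity/rwcommunity (and the IPv6 variants) take: COMMUNITY [SOURCE [OID | -V VIEW]]
COMMUNITY_RE = re.compile(r"^\s*(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)
USER_RE = re.compile(r"^\s*(ro|rw)user\s+\S+", re.IGNORECASE)


def audit_snmpd_conf(conf):
    """Return (line number, finding) pairs for weak community settings."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        mode, community, source = m.group(1).lower(), m.group(2), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, f"default community string '{community}'"))
        if source is None or source.lower() == "default":
            findings.append((lineno, f"community '{community}' accepted from any source address"))
        if mode == "rw":
            findings.append((lineno, f"write access via community '{community}'"))
        # any community-based access is v1/v2c, so the string travels in cleartext
        findings.append((lineno, "SNMPv1/v2c community access (cleartext on the wire)"))
    return findings


def is_v3_only(conf):
    """True when the file defines at least one SNMPv3 user and no community at all."""
    lines = conf.splitlines()
    has_user = any(USER_RE.match(l) for l in lines)
    has_community = any(COMMUNITY_RE.match(l) for l in lines)
    return has_user and not has_community


if __name__ == "__main__":
    for lineno, finding in audit_snmpd_conf(WEAK_CONF):
        print(f"weak snmpd.conf line {lineno}: {finding}")
    print("hardened config is v3-only:", is_v3_only(HARDENED_CONF))
```

Run against the weak fragment the audit reports seven findings over two lines; against the hardened fragment it reports none. Restricting the SOURCE field to the monitoring host's address removes the "any source" finding for v2c, but only moving to SNMPv3 with authentication and privacy removes the cleartext community entirely.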



SMTP Enumeration


· To enumerate the users on an SMTP (Simple Mail Transfer Protocol) server we use the following command:

smtp-user-enum -M VRFY -U /temp/users.txt -t 192.168.10.100

The tool tries each name in users.txt with the VRFY command, and the results show which email usernames exist on your target SMTP server(s).
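From the mail server's side, this run looks like one client issuing a long series of VRFY commands and collecting 252 (exists) and 550 (no such user) replies. The following is an added example (not from the original post) that flags such a client in constructed per-command session records. The five-field record format, sample addresses and threshold are assumptions made for the example; real MTAs log these commands in their own formats, and Postfix only logs them at higher verbosity.

```python
"""Added example (not from the original post): detect a VRFY/EXPN user-enumeration
run against a mail server from constructed per-command session log lines."""
from collections import defaultdict

# Constructed sample, not a real server log. Format is an assumption for this example:
# time, client IP, SMTP command, argument, three-digit reply code.
SAMPLE_SMTP_LOG = """\
12:00:01 203.0.113.9 VRFY root 252
12:00:01 203.0.113.9 VRFY admin 550
12:00:01 203.0.113.9 VRFY www-data 252
12:00:02 203.0.113.9 VRFY backup 550
12:00:02 203.0.113.9 VRFY postgres 252
12:00:02 203.0.113.9 VRFY sales 550
12:00:05 198.51.100.20 EHLO mail.partner.example 250
12:00:05 198.51.100.20 MAIL FROM:<a@partner.example> 250
12:00:06 198.51.100.20 RCPT TO:<bob@example.com> 250
12:00:07 198.51.100.20 VRFY bob 252
"""

PROBE_COMMANDS = {"VRFY", "EXPN"}


def parse_smtp_log(log):
    """Split each line into its five fields; anything else is skipped."""
    records = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, cmd, arg, code = parts
        records.append({"ts": ts, "client": client, "cmd": cmd.upper(),
                        "arg": arg, "code": code})
    return records


def flag_enumerators(records, threshold=5):
    """Clients that issued at least `threshold` VRFY/EXPN probes.
    'hits' counts replies that confirm an address (250 or 252); 550 is a miss.
    'confirmed' lists the names the server gave away to that client."""
    stats = defaultdict(lambda: {"probes": 0, "hits": 0, "confirmed": []})
    for r in records:
        if r["cmd"] not in PROBE_COMMANDS:
            continue
        s = stats[r["client"]]
        s["probes"] += 1
        if r["code"] in ("250", "252"):
            s["hits"] += 1
            s["confirmed"].append(r["arg"])
    return {client: s for client, s in stats.items() if s["probes"] >= threshold}


if __name__ == "__main__":
    for client, s in flag_enumerators(parse_smtp_log(SAMPLE_SMTP_LOG)).items():
        print(f"{client}: {s['probes']} probes, {s['hits']} confirmed: {s['confirmed']}")
```

The detection is a backstop; the mitigation is to stop answering the question at all, for example with Postfix's disable_vrfy_command = yes, after which every VRFY gets a 502 and the per-client count only tells you someone tried.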


Enumeration is crucial to the success of a penetration test, and having this information on hand during the exploitation phase is a great help. With it you know which version of a service the target is running, whether it already has a known vulnerability, and how you might bypass the defence mechanisms in place. So it cannot be taken for granted.



Friday, January 6, 2017

Stealth Scanning With hping3


In addition to the discovery techniques it can perform, hping3 can also be used to perform port scans. This article demonstrates how to use hping3 to perform a TCP stealth scan.

To use hping3 for a TCP stealth scan, you need a remote system that is running accessible network services over TCP. In the examples provided, an instance of Metasploitable2 is used; you could use any other target for your practice.

To perform a port scan with hping3, we use the --scan mode with an integer value indicating the port number to be scanned:


In the example provided, a SYN scan was performed against TCP port 80 of the IP address indicated. The -S option identifies the TCP flags set in the packet sent to the remote system. The table indicates the attributes of the packet received in response. As indicated by the output, a SYN+ACK response was received, which means that port 80 is open on the target host. Additionally, we can scan multiple ports by passing a comma-delimited series of port numbers as follows:

In the scan output provided, you can see that results are only displayed when a SYN+ACK response is received. Note that the response to the SYN request sent to port 443 is not displayed. As indicated in the output, we can view all of the responses by increasing the verbosity with the -v option. Additionally, a sequential range of ports can be scanned by passing the first and last port values separated by a dash, as follows:

In the example provided, the 100-port scan was sufficient to identify several services on the Metasploitable2 system. However, to perform a scan of all possible TCP ports, every possible port value needs to be scanned. The portions of the TCP header that define the source and destination port are both 16 bits in length, and each bit can hold a value of 1 or 0. As such, there are 2^16, or 65,536, possible TCP port values. For the total possible port space to be scanned, a port range of 0 to 65535 needs to be supplied, as follows:



hping3 differs from some of the other tools that have been mentioned in that it does not have a SYN scanning mode; rather, it lets you specify the TCP flag bits that are set when the TCP packets are sent. In the example provided in this article, the -S option instructed hping3 to use the SYN flag for the TCP packets that were sent.
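Seen from the target, the scan described above has a simple shape: one source sends a bare SYN to many ports, the open ones answer SYN+ACK, and the source never sends the ACK that would complete a handshake. The following is an added example (not from the original post, and not hping3 code) that recognises that shape in constructed packet summaries and reports which ports the target itself revealed as open. The flag letters follow tcpdump's convention (S, A, R, P); the addresses, port list and threshold are assumptions for this example.

```python
"""Added example (not from the original post): recognise a SYN scan of the kind
described above from the target's side. The scanner sends a bare SYN to many
ports and never completes a handshake; open ports are the ones that answered
SYN+ACK."""
from collections import defaultdict

# Constructed packet summaries (not a real capture), one dict per TCP segment.
# Flags use tcpdump-style letters: S=SYN, A=ACK, R=RST, P=PSH.
SCANNER, TARGET, CLIENT = "203.0.113.77", "192.0.2.10", "198.51.100.30"


def seg(src, dst, sport, dport, flags):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


SAMPLE_PACKETS = []
# Probes to eight ports; the target answers SYN+ACK on 21, 22 and 80 and RST+ACK
# elsewhere; the scanning host tears each half-open connection down with RST.
for i, port in enumerate([21, 22, 23, 25, 80, 443, 3306, 8080]):
    sport = 40000 + i
    SAMPLE_PACKETS.append(seg(SCANNER, TARGET, sport, port, "S"))
    if port in (21, 22, 80):
        SAMPLE_PACKETS.append(seg(TARGET, SCANNER, port, sport, "SA"))
        SAMPLE_PACKETS.append(seg(SCANNER, TARGET, sport, port, "R"))
    else:
        SAMPLE_PACKETS.append(seg(TARGET, SCANNER, port, sport, "RA"))
# An ordinary client completing a handshake to port 80 and then sending data.
SAMPLE_PACKETS += [seg(CLIENT, TARGET, 51000, 80, "S"),
                   seg(TARGET, CLIENT, 80, 51000, "SA"),
                   seg(CLIENT, TARGET, 51000, 80, "A"),
                   seg(CLIENT, TARGET, 51000, 80, "PA")]


def detect_syn_scans(packets, threshold=5):
    """Return {(scanner, target): summary} for sources that left at least
    `threshold` distinct ports half-open (SYN sent, handshake never completed)."""
    probed = defaultdict(set)     # (src, dst) -> ports that received a bare SYN
    completed = defaultdict(set)  # (src, dst) -> ports the src later ACKed
    synack = defaultdict(set)     # (probing side, server) -> ports that answered SYN+ACK
    for p in packets:
        key = (p["src"], p["dst"])
        if p["flags"] == "S":
            probed[key].add(p["dport"])
        elif "A" in p["flags"] and "S" not in p["flags"] and "R" not in p["flags"]:
            completed[key].add(p["dport"])
        if p["flags"] == "SA":
            # seen from the server: the prober is the destination of this reply
            synack[(p["dst"], p["src"])].add(p["sport"])
    findings = {}
    for key, ports in probed.items():
        half_open = ports - completed[key]
        if len(half_open) >= threshold:
            findings[key] = {"probed": sorted(ports),
                             "half_open": len(half_open),
                             "open_ports_revealed": sorted(synack[key] & ports)}
    return findings


if __name__ == "__main__":
    for (src, dst), summary in detect_syn_scans(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {summary}")
```

The legitimate client in the sample is never flagged, even with a threshold of one, because its SYN is followed by an ACK to the same port; the scanning host is flagged on all eight ports, and the summary lists the three ports the target disclosed by answering SYN+ACK. Counting distinct half-open ports per source rather than raw SYNs keeps a busy but well-behaved client from tripping the rule.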