SERVICE ENUMERATION - HOW TO...
To gain access to a server or a network, you first need to collect the necessary information, and there are many tools that help with this. In this article we want to discuss some of them and see how they help us gather information. We will do it with three common services: SNMP (Simple Network Management Protocol), DNS (Domain Name System) and SMTP (Simple Mail Transfer Protocol).
This is always an important part of a penetration test. Knowing which services are running on a target tells you how to handle your test: which potential vulnerabilities they have and which exploits apply.
Please note that in the examples below we are using Kali Linux.
DNS Enumeration
cd /usr/bin
./dnsenum --enum example.com
· The results include information about the host, the name server(s) and mail server(s), and in some cases dnsenum will also attempt zone transfers.
· You can use switches to get finer-grained results. Here are some of the options:
--threads [number] sets how many lookups run at once (simultaneously)
-r enables recursive lookups
-d sets a time delay (in seconds) between WHOIS requests
-o sets an output location for the results
-w enables WHOIS queries
It would be nice to scan a domain and get IP addresses and hostnames, plus more information. There is another tool for that: fierce. To run it we use the following command:
cd /usr/bin
fierce -dns example.com
To use fierce with a word list, we will use the following command:
fierce -dns example.com -wordlist targets.txt -file /temp/output.txt
SNMP Enumeration
For SNMP we use the snmpwalk tool. It issues SNMP GETNEXT requests to collect information from the target. In a terminal run this command:
snmpwalk -v 2c -c public 192.168.10.100
· To enumerate installed software, run the command below:
snmpwalk -v 1 -c public 192.168.10.100 | grep hrSWInstalledName
Running this command will list the installed software on the target machine.
· To enumerate open TCP ports with snmpwalk, we use this command:
snmpwalk -v 1 -c public 192.168.10.100 | grep tcpConnState | cut -d"." -f6 | sort -nu
In the results you will get a list of open TCP ports (the sixth dot-separated field of each tcpConnState index is the local port). This is important information from your enumeration.
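The two grep pipelines above work because snmpwalk prints each tcpConnState row with its index as localAddr.localPort.remoteAddr.remotePort and each hrSWInstalledName row as a quoted STRING. The following parser, written for this article as an added example and not part of snmpwalk or any tool the page describes, does the same extraction in Python over a constructed sample of snmpwalk output. It goes a little beyond the cut -f6 pipeline: it also accepts the numeric OID form that snmpwalk -On prints (where field 6 would be wrong), and it can keep only sockets in the listen state, which drops the ephemeral local ports of the host's own outbound connections that the plain pipeline would list as "open ports". The sample lines and the host address are made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample of "snmpwalk -v 1 -c public <host>" output. These lines are
# made up for this example and were not captured from any real host.
SAMPLE_SNMPWALK_OUTPUT = """\
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "openssh-server"
HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "apache2"
TCP-MIB::tcpConnState.0.0.0.0.22.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.127.0.0.1.631.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.10.100.22.192.168.10.5.51234 = INTEGER: established(5)
TCP-MIB::tcpConnState.192.168.10.100.44120.192.168.10.7.443 = INTEGER: established(5)
"""

# tcpConnState values as defined in TCP-MIB.
TCP_CONN_STATE_NAMES = {
    1: "closed", 2: "listen", 3: "synSent", 4: "synReceived",
    5: "established", 6: "finWait1", 7: "finWait2", 8: "closeWait",
    9: "lastAck", 10: "closing", 11: "timeWait", 12: "deleteTCB",
}

# A tcpConnState index is localAddr(4 octets).localPort.remoteAddr(4 octets).remotePort.
# Both the symbolic form (TCP-MIB::tcpConnState.<index>) and the numeric form
# (.1.3.6.1.2.1.6.13.1.1.<index>, printed by snmpwalk -On) are accepted.
_TCP_CONN_RE = re.compile(
    r"(?:tcpConnState|\.?1\.3\.6\.1\.2\.1\.6\.13\.1\.1)\."
    r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)\."   # local address octets, local port
    r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)"     # remote address octets, remote port
    r"\s*=\s*INTEGER:\s*(?:[A-Za-z0-9]+\()?(\d+)\)?"  # "listen(2)" or a bare "2"
)

_SW_NAME_RE = re.compile(r'hrSWInstalledName\.\d+\s*=\s*STRING:\s*"?(.*?)"?\s*$')


def parse_tcp_conn_table(output: str) -> List[Dict]:
    """Turn tcpConnState lines into dicts; lines that are not tcpConnState rows are ignored."""
    rows = []
    for line in output.splitlines():
        m = _TCP_CONN_RE.search(line)
        if not m:
            continue
        g = [int(x) for x in m.groups()]
        rows.append({
            "local_addr": ".".join(str(o) for o in g[0:4]),
            "local_port": g[4],
            "remote_addr": ".".join(str(o) for o in g[5:9]),
            "remote_port": g[9],
            "state": TCP_CONN_STATE_NAMES.get(g[10], str(g[10])),
        })
    return rows


def local_tcp_ports(output: str, listen_only: bool = True) -> List[int]:
    """Sorted, de-duplicated local ports, like the grep/cut/sort pipeline.
    With listen_only=True only sockets in the listen state are kept, which drops
    the ephemeral local ports of the host's own outbound connections."""
    ports = {
        row["local_port"]
        for row in parse_tcp_conn_table(output)
        if not listen_only or row["state"] == "listen"
    }
    return sorted(ports)


def installed_software(output: str) -> List[str]:
    """Names from hrSWInstalledName rows, in the order snmpwalk printed them."""
    names = []
    for line in output.splitlines():
        m = _SW_NAME_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    print("installed software:", installed_software(SAMPLE_SNMPWALK_OUTPUT))
    print("listening TCP ports:", local_tcp_ports(SAMPLE_SNMPWALK_OUTPUT))
    print("all local TCP ports:", local_tcp_ports(SAMPLE_SNMPWALK_OUTPUT, listen_only=False))
```

Everything this parser extracts was handed out by the agent to anyone who knew the community string, so from the defending side the lesson is the same as the one the commands teach: a default read community such as public exposes the installed-software and connection tables to the whole network, and the fix is to restrict who may query the agent and to prefer SNMPv3 with authentication over v1/v2c.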
· Another cool tool to enumerate snmp is snmpcheck, here is the command to run it:
cd /usr/bin
snmpcheck -t 192.168.10.100
In the results, you will see information that you can later use in exploiting the target.
SMTP Enumeration
· To enumerate the users on an SMTP (Simple Mail Transfer Protocol) server we use the following command:
smtp-user-enum -M VRFY -U /temp/users.txt -t 192.168.10.100
The tool tries each name from the users.txt word list with the VRFY command and reports which ones the target SMTP server confirms, giving you the email usernames of the target server(s).
Enumeration is crucial to the success of a penetration test, and having the information on hand during the exploitation phase is very helpful. With it you know which version of a service is running, whether it already has a known vulnerability, and how you might bypass the defence mechanisms in place. So this phase can not be taken for granted.
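Why VRFY enumeration works, and how a mail administrator closes it, is easier to see with both sides of the exchange in front of you. The following Python model is an added example written for this article; it is not code from smtp-user-enum or from any mail server. It replays a VRFY session against two toy handlers: a leaky one whose 250/550 replies reveal whether a mailbox exists (the behaviour the command above relies on), and a hardened one that answers 252 for every name, which RFC 5321 section 3.5.3 permits. The mailbox list, host names and transcript are constructed for the example.

```python
# Constructed mailbox list for the toy server; not taken from any real system.
KNOWN_MAILBOXES = {"alice", "bob", "postmaster"}


def vrfy_leaky(user: str) -> str:
    """Default-style VRFY handling: the reply code tells the client whether
    the mailbox exists (250) or not (550)."""
    if user in KNOWN_MAILBOXES:
        return f"250 2.1.5 {user}@example.com"
    return f"550 5.1.1 <{user}@example.com>: Recipient address rejected: User unknown"


def vrfy_hardened(user: str) -> str:
    """Hardened VRFY handling: reply 252 for every name (RFC 5321 section
    3.5.3 allows this), so valid and unknown names produce identical replies."""
    return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"


def reply_confirms_user(reply: str) -> bool:
    """The inference an enumeration tool makes: only a 250 reply confirms a user."""
    return reply.startswith("250")


def simulate_vrfy_session(handler, names):
    """Replay a VRFY exchange against the given handler. Returns the set of
    names the replies confirm and the full client/server transcript."""
    transcript = [
        "S: 220 mail.example.com ESMTP",
        "C: HELO client.example.net",
        "S: 250 mail.example.com",
    ]
    confirmed = set()
    for name in names:
        reply = handler(name)
        transcript.append(f"C: VRFY {name}")
        transcript.append(f"S: {reply}")
        if reply_confirms_user(reply):
            confirmed.add(name)
    transcript.append("C: QUIT")
    transcript.append("S: 221 2.0.0 Bye")
    return confirmed, transcript


if __name__ == "__main__":
    names = ["alice", "mallory", "bob"]
    for label, handler in (("leaky", vrfy_leaky), ("hardened", vrfy_hardened)):
        confirmed, transcript = simulate_vrfy_session(handler, names)
        print(f"--- {label} server ---")
        print("\n".join(transcript))
        print("confirmed:", sorted(confirmed))
```

Against the leaky handler the session confirms alice and bob; against the hardened one it confirms nothing, because every reply is the same 252. On a real Postfix server the equivalent of vrfy_hardened is the main.cf setting disable_vrfy_command = yes, and the repeated VRFY lines in the transcript are also what a defender would look for in mail logs when checking whether such a scan was run against their server.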