🎰Enumeration

Nmap

Use the --min-rate flag to further speed up the scan

  • nmap -T4 --min-rate=1000 -sC -sV -p- <target ip>

Nmap (-sV)

Use the nmap version scan to scan all ports or specific ports for services

  • sudo nmap -p- -sV <target ip>

Nmap Flags:

  • -p-: All ports

  • -sV: Probe open ports to determine service/version info

  • --stats-every <time>: Print periodic timing stats; suffix the value with s (seconds) or m (minutes)

  • -vvvv: Increase verbosity (use -vv or more for greater effect); open ports are printed as soon as Nmap detects them instead of only at the end of the scan

Nmap (-sC)

Run a scan on the port(s) using the Nmap default scripts

  • nmap -sC -p <port(s)> <target ip> -oA <filename>

Nmap Flags:

  • -sC: equivalent to --script=default

  • -p: Only scan specified ports

  • -oA: Output in the three major formats at once
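The -oA option writes <filename>.nmap, <filename>.gnmap and <filename>.xml. The XML file is the one meant for tooling; the parser below (an added example, not from the original notes) pulls the open ports and their -sV service/version fields out of it so they can be fed into a follow-up -sC/-p scan. The XML sample is constructed, not captured from a real host.

```python
# Added example: parse the <filename>.xml written by `nmap -sV -sC -oA <filename>`.
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML format, trimmed to the elements used below.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -p- -oA scan 10.10.11.168">
 <host>
  <address addr="10.10.11.168" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/>
    <service name="ftp" product="vsftpd" version="3.0.3"/></port>
   <port protocol="tcp" portid="22"><state state="filtered"/>
    <service name="ssh"/></port>
   <port protocol="tcp" portid="445"><state state="open"/>
    <service name="microsoft-ds" product="Windows Server 2019 microsoft-ds"/></port>
  </ports>
 </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Return one dict per open port: host, port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are skipped
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            found.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
            })
    return found

def open_ports(xml_text: str) -> list[int]:
    """Just the open port numbers, e.g. to build the -p <port(s)> list for a -sC scan."""
    return sorted(p["port"] for p in parse_nmap_xml(xml_text))

if __name__ == "__main__":
    for p in parse_nmap_xml(SAMPLE_XML):
        print(f'{p["host"]}:{p["port"]}/{p["proto"]} {p["service"]} {p["product"]} {p["version"]}'.strip())
```

Run it against a real file with `parse_nmap_xml(open("scan.xml").read())`.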

Nmap (-A)

Scans the target with several options at once: service detection (-sV), OS detection (-O), traceroute (--traceroute), and the default NSE scripts (-sC).

  • nmap -A <target ip>

Nmap Script Engine (NSE)

NSE script categories:

  • auth: Determination of authentication credentials.

  • broadcast: Host discovery by broadcasting; the discovered hosts can be automatically added to the remaining scans.

  • brute: Scripts that try to log in to the respective service by brute-forcing credentials.

  • default: Default scripts, executed by using the -sC option.

  • discovery: Evaluation of accessible services.

  • dos: Scripts that check services for denial-of-service vulnerabilities; used less often because they harm the services.

  • exploit: Scripts that try to exploit known vulnerabilities on the scanned port.

  • external: Scripts that use external services for further processing.

  • fuzzer: Scripts that identify vulnerabilities and unexpected packet handling by sending varied fields; these can take a long time.

  • intrusive: Intrusive scripts that could negatively affect the target system.

  • malware: Checks whether the target system is infected with malware.

  • safe: Defensive scripts that do not perform intrusive or destructive access.

  • version: Extension for service detection.

  • vuln: Identification of specific vulnerabilities.


NSE (ftp-brute)

📔 The default FTP port is 21. I will need to use the '-sV' flag for a non-standard FTP port such as port 2121

  • sudo nmap -sV -p <port> --script=ftp-brute --script-args userdb=<wordlist>,passdb=<wordlist> <target ip> -oN <filename>

Nmap Flags

  • -sV: Probe open ports to determine service/version info

  • -p: Only scan specified ports

  • --script: Runs a script scan using the comma-separated list of filename|category|directory/|expression[,...]

  • --script-args: Lets you provide arguments to NSE scripts

  • -oN: Outputs file in a normal format

Netcat

  • nc -nv <target ip> <port>

NSE (banner)

  • nmap -sV --script=banner <target ip> -p<port>

Tcpdump

  • sudo tcpdump -i <interface> host <localhost ip> and <target ip>

Server Message Block (SMB)

NSE (smb-os-discovery)

  • nmap --script=smb-os-discovery -p<port> <target ip>

SMBclient

  • smbclient -N -L \\\\<target ip>

Connect to the share folder as a guest user

  • smbclient -N \\\\<target ip>\\<sharename>

Connect to the share folder using credentials

  • smbclient -U <user> \\\\<target ip>\\<sharename>

  • get <filename>

Flags:

  • -N: Specifies null (anonymous) authentication

  • -L: List any shares

SMBmap

TTL Values


impacket-smbclient

/etc/hosts

┌──(11:41:25 eo㉿offsec)-[~/htb/scrambled]
└─$ cat /etc/hosts             
127.0.0.1       localhost
#hostname
127.0.1.1       offsec

#HTB
10.10.11.168    scrm.local      dc1.scrm.local

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

impacket-smbclient

code

impacket-smbclient -k scrm.local/ksimpson:ksimpson@dc1.scrm.local -dc-ip 10.10.11.168

example

┌──(11:35:33 eo㉿offsec)-[~/htb/scrambled]
└─$ impacket-smbclient -k scrm.local/ksimpson:ksimpson@dc1.scrm.local -dc-ip 10.10.11.168
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# help

 open {host,port=445} - opens a SMB connection against the target host/port
 login {domain/username,passwd} - logs into the current SMB connection, no parameters for NULL connection. If no password specified, it'll be prompted
 kerberos_login {domain/username,passwd} - logs into the current SMB connection using Kerberos. If no password specified, it'll be prompted. Use the DNS resolvable domain name
 login_hash {domain/username,lmhash:nthash} - logs into the current SMB connection using the password hashes
 logoff - logs off
 shares - list available shares
 use {sharename} - connect to an specific share
 cd {path} - changes the current directory to {path}
 lcd {path} - changes the current local directory to {path}
 pwd - shows current remote directory
 password - changes the user password, the new password will be prompted for input
 ls {wildcard} - lists all the files in the current directory
 rm {file} - removes the selected file
 mkdir {dirname} - creates the directory under the current path
 rmdir {dirname} - removes the directory under the current path
 put (unknown) - uploads the filename into the current path
 get (unknown) - downloads the filename from the current path
 mget {mask} - downloads all files from the current directory matching the provided mask
 cat (unknown) - reads the filename from the current path
 mount {target,path} - creates a mount point from {path} to {target} (admin required)
 umount {path} - removes the mount point at {path} without deleting the directory (admin required)
 list_snapshots {path} - lists the vss snapshots for the specified path
 info - returns NetrServerInfo main results
 who - returns the sessions currently connected at the target host (admin required)
 close - closes the current SMB Session
 exit - terminates the server process (and this session)


# shares
ADMIN$
C$
HR
IPC$
IT
NETLOGON
Public
Sales
SYSVOL
#
