Host Enumeration

This technique entry describes methods of enumerating a host, either with user access to the Windows host or with some level of remote access.

Remote Enumeration

Depending on which ports are open on the remote Windows host, a range of options are available for enumeration.


Port 21 (FTP)

FTP is a protocol for accessing and sharing files over the internet. It runs between computers on a TCP/IP network, is exclusively TCP-based, and follows a client-server model in which a client communicates with a server.

There are two distinct communication channels when establishing an FTP connection.

Port 21: The first is the command channel, which carries the instructions and responses.
Port 20: The other is the data channel, where the data is transferred. The confusion begins, however, when we find that depending on the mode (active or passive), the data port is not always port 20.
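To make the mode distinction concrete, here is an added example (not part of the original post) that parses the server's 227 PASV and 229 EPSV replies, and the client's PORT command, to compute the actual data-channel endpoint. The replies and command are constructed samples, and the function names are this example's own.

```python
import re
from typing import Optional, Tuple

# Constructed sample replies/commands (not captured from a real server).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50010|)"
PORT_CMD = "PORT 192,0,2,50,4,1"

_SIX_NUMBERS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


def _host_port(groups) -> Optional[Tuple[str, int]]:
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256 + p2), rejecting out-of-range octets."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Passive mode (RFC 959 '227' reply): the server picks an ephemeral data port and
    the client connects to it. Returns (host, port), or None if the reply is malformed."""
    if not reply.startswith("227"):
        return None
    m = re.search(r"\(" + _SIX_NUMBERS + r"\)", reply)
    return _host_port(m.groups()) if m else None


def parse_epsv(reply: str) -> Optional[int]:
    """Extended passive mode (RFC 2428 '229' reply): only the port is sent, as (|||port|);
    the host is the same peer as the control connection."""
    if not reply.startswith("229"):
        return None
    m = re.search(r"\(\|\|\|(\d{1,5})\|\)", reply)
    if not m:
        return None
    port = int(m.group(1))
    return port if 0 < port < 65536 else None


def parse_port_command(cmd: str) -> Optional[Tuple[str, int]]:
    """Active mode: the client sends PORT h1,h2,h3,h4,p1,p2 and the server connects back
    to that address *from* its port 20. Returns the client-side (host, port)."""
    m = re.fullmatch(r"PORT " + _SIX_NUMBERS + r"\s*", cmd)
    return _host_port(m.groups()) if m else None


if __name__ == "__main__":
    print("PASV data endpoint:", parse_pasv(PASV_REPLY))
    print("EPSV data port:", parse_epsv(EPSV_REPLY))
    print("Active-mode client endpoint:", parse_port_command(PORT_CMD))
```

The practical consequence for a defender is that a firewall permitting only TCP 20 and 21 breaks passive transfers, so the usual fix is to pin the server's passive port range in its configuration and allow only that range rather than the whole ephemeral space.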

Nmap

There are two potential methods of remotely enumerating FTP services on a Windows host. The first uses the port scanning function of Nmap; the second uses NSE-enabled scripts which test for vulnerabilities.

Port Scanning
nmap -p 21 -A -sV -sC {remotehost}

Using Nmap with the above flags will instruct Nmap to identify the version of the remote service (-sV) and run the whole battery of NSE scripts in the default category (-sC). Note that -A already implies -sV and -sC, and additionally enables OS detection and traceroute.

Note

The basic set of scripts within the default category can be found here. Scripts specifically pertaining to FTP services are however limited to the following:

ftp-anon: Checks if an FTP server allows anonymous logins.
ftp-bounce: Checks to see if an FTP server allows port scanning using the FTP bounce method.
ftp-syst: Sends FTP SYST and STAT commands and returns the result.

NSE Script enabled scanning
nmap -p 21 --script ftp-anon,ftp-bounce,ftp-brute,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 {remotehost}

Using the above flags with Nmap to perform an external scan of a host will instruct Nmap to perform additional tests on the remote host. These tests are loaded from the NSE scripts included with Nmap.

Note

By using the suggested script flags in the above example, the following scripts will be executed against the target hostname.

ftp-anon: Checks if an FTP server allows anonymous logins.
ftp-bounce: Checks to see if an FTP server allows port scanning using the FTP bounce method.
ftp-brute: Performs brute force password auditing against FTP servers.
ftp-libopie: Checks whether the FTP daemon is vulnerable to the libopie off-by-one stack overflow.
ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID 45150.
ftp-syst: Sends FTP SYST and STAT commands and returns the result.
ftp-vsftpd-backdoor: Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523).
ftp-vuln-cve2010-4221: Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b.


Metasploit

If you are using Metasploit for FTP service enumeration, you can use the included ftp_version scanner for some light enumeration and some brute-forcing. This requires a few steps at which user input is needed.

Enumerate the banner

The ftp_version module simply scans a range of IP addresses and determines the version of any FTP servers that are running.

use auxiliary/scanner/ftp/ftp_version
show options
set RHOSTS {remotehost}
exploit

Brute-forcing the login

The ftp_login auxiliary module will scan a range of IP addresses attempting to log in to FTP servers.

use auxiliary/scanner/ftp/ftp_login
show options
set blank_passwords true
set RHOSTS {remotehost}
set USERNAME anonymous
exploit

Privilege enumeration for anonymous users

The ftp/anonymous scanner will scan a range of IP addresses searching for FTP servers that allow anonymous access and determines where read or write permissions are allowed.

use auxiliary/scanner/ftp/anonymous
show options
set RHOSTS {remotehost}
exploit

Hydra

Hydra may be used to brute-force accounts that have been identified on the FTP server. For best results, use a wordlist rather than permuting every possible combination; note that the -C flag expects a file of colon-separated login:password pairs.

hydra -s 21 -C {user_pass_wordlist} -u -f {remotehost} ftp

FTP – Gaining Footholds



Port 22 (SSH/SCP)

The SSH protocol, also referred to as Secure Shell, is a technique for secure and reliable remote login from one computer to another. It offers several options for strong authentication, and it protects the security and integrity of connections and communications with strong encryption. It is a secure alternative to unprotected login protocols (such as telnet and rlogin) and insecure file transfer methods (such as FTP).

Nmap

Port Scanning
nmap -p 22 -A -sV -sC {remotehost}

Using Nmap with the above flags will instruct Nmap to identify the version of the remote service (-sV) and run the whole battery of NSE scripts in the default category.

Note

The basic set of scripts within the default category can be found here. Scripts specifically pertaining to SSH services are however limited to the following:

ssh-hostkey: Shows SSH hostkeys.
sshv1: Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.

NSE Script enabled scanning
nmap -p 22 --script ssh-auth-methods,ssh-brute,ssh-hostkey,ssh2-enum-algos,sshv1 {remotehost}

Using the above flags with Nmap to perform an external scan of a host will instruct Nmap to perform additional tests on the remote host. These tests are loaded from the NSE scripts included with Nmap.

Note

By using the suggested script flags in the above example, the following scripts will be executed against the target hostname.

– ssh-auth-methods: Returns authentication methods that an SSH server supports.
– ssh-brute: Performs brute-force password guessing against SSH servers.
– ssh-hostkey: Shows SSH hostkeys.
– ssh2-enum-algos: Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.
– sshv1: Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.
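The Note lists above for FTP and SSH say which scripts run, but not how to act on what they return. The following is an added example (not from the original post, and not part of Nmap) that parses `nmap -oX` XML output and flags the findings a defender would want to fix first: anonymous FTP login, SSHv1 support, and password authentication offered by the SSH server. The XML is a constructed sample; the phrases matched against script output are assumed to follow current NSE output, and the WEAK_CONFIG table is this example's own.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Constructed sample of `nmap -oX` output for one host. The script output strings are
# modelled on what ftp-anon, sshv1 and ssh-auth-methods print, but this is not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 21,22,23,80 -sV -sC -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
        <script id="ftp-syst" output="STAT: FTP server status: Connected to 192.0.2.50"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
        <script id="sshv1" output="Server supports SSHv1"/>
        <script id="ssh-auth-methods" output="Supported authentication methods: publickey password"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="10.0"/>
        <script id="http-title" output="IIS Windows Server"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Script ids worth flagging, each with a predicate over the script's output text.
# Assumption: these phrases match current NSE output; adjust if your nmap prints differently.
WEAK_CONFIG: Dict[str, Callable[[str], bool]] = {
    "ftp-anon": lambda out: "Anonymous FTP login allowed" in out,
    "sshv1": lambda out: "supports SSHv1" in out,
    "ssh-auth-methods": lambda out: "password" in out.lower(),
}


def open_services(xml_text: str) -> Dict[int, str]:
    """Map each open TCP port to the service name nmap assigned with -sV."""
    root = ET.fromstring(xml_text)
    services: Dict[int, str] = {}
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        service = port.find("service")
        name = service.get("name", "unknown") if service is not None else "unknown"
        services[int(port.get("portid"))] = name
    return services


def triage(xml_text: str) -> List[Dict[str, str]]:
    """Walk every host/port/script element and return the findings matching WEAK_CONFIG."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, str]] = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script"):
                check = WEAK_CONFIG.get(script.get("id", ""))
                if check and check(script.get("output", "")):
                    findings.append({
                        "host": addr,
                        "port": port.get("portid"),
                        "script": script.get("id"),
                        "output": script.get("output"),
                    })
    return findings


if __name__ == "__main__":
    print("open services:", open_services(SAMPLE_XML))
    for f in triage(SAMPLE_XML):
        print(f"{f['host']}:{f['port']} {f['script']}: {f['output']}")
```

Run the same script over the XML from your own authorised scans; the closed telnet port in the sample shows why the state check matters, since nmap still emits a port element for it.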

SSH – Gaining Footholds



Port 25 (SMTP)

Nmap

Port Scanning
nmap -p 25 -A -sV -sC {remotehost}

Using Nmap with the above flags will instruct Nmap to identify the version of the remote service (-sV) and run the whole battery of NSE scripts in the default category.

Note

The scripts in the default category that specifically pertain to SMTP services are limited to the following:

– smtp-ntlm-info: This script enumerates information from remote SMTP services with NTLM authentication enabled.

NSE Script Enumeration
nmap -p 25 --script smtp-brute,smtp-enum-users,smtp-ntlm-info,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 {remotehost}

Using the above flags with Nmap to perform an external scan of a host will instruct Nmap to perform additional tests on the remote host. These tests are loaded from the NSE scripts included with Nmap.

Note

By using the suggested script flags in the above example, the following scripts will be executed against the target hostname.

– smtp-brute: Performs brute force password auditing against SMTP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.
– smtp-enum-users: Attempts to enumerate the users on a SMTP server by issuing the VRFY, EXPN or RCPT TO commands.
– smtp-ntlm-info: This script enumerates information from remote SMTP services with NTLM authentication enabled.
– smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).
– smtp-vuln-cve2011-1720: Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720).
– smtp-vuln-cve2011-1764: Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764).

Metasploit

The Metasploit framework holds a number of modules which may also assist in enumerating an SMTP service.

SMTP – Gaining Footholds



Port 80 & 443 (HTTP/S)

Nmap

Port Scanning
nmap -p 80,443 -A -sV -sC {remotehost}

Note

The scripts in the default category that specifically pertain to HTTP services are limited to the following:

– http-auth: Retrieves the authentication scheme and realm of a web service that requires authentication.
– http-cookie-flags: Examines cookies set by HTTP services.
– http-cors: Tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain.
– http-favicon: Gets the favicon (“favorites icon”) from a web page and matches it against a database of the icons of known web applications.
– http-generator: Displays the contents of the “generator” meta tag of a web page (default: /) if there is one.
– http-git: Checks for a Git repository found in a website’s document root (/.git/) and retrieves as much repo information as possible, including language/framework, remotes, last commit message, and repository description.
– http-methods: Finds out what options are supported by an HTTP server by sending an OPTIONS request.
– http-ntlm-info: This script enumerates information from remote HTTP services with NTLM authentication enabled.
– http-open-proxy: Checks if an HTTP proxy is open.
– http-robots: Checks for disallowed entries in /robots.txt on a web server.
– http-svn-enum: Enumerates users of a Subversion repository by examining logs of most recent commits.
– http-title: Shows the title of the default page of a web server.
– http-webdav-scan: A script to detect WebDAV installations. Uses the OPTIONS and PROPFIND methods.

NSE Script Enumeration
nmap -p 80,443 --script http-auth-finder,http-backup-finder,http-comments-displayer,http-date,http-default-accounts,http-enum,http-errors,http-favicon,http-feed,http-generator,http-ls,http-ntlm-info,http-open-proxy,http-php-version,http-robots,http-security-headers,http-title,http-unsafe-output-escaping {remotehost}

Note

By using the suggested script flags in the above example, the following scripts will be executed against the target hostname.

http-auth-finder: Spiders a website to find web pages requiring form-based or HTTP-based authentication.
http-backup-finder: Spiders a website and attempts to identify backup copies of discovered files.
http-comments-displayer: Extracts and outputs HTML and JavaScript comments from HTTP responses.
http-date: Gets the date from HTTP-like services.
http-default-accounts: Tests for access with default credentials used by a variety of web applications and devices.
http-enum: Enumerates directories used by popular web applications and servers.
http-errors: This script crawls through the website and returns any error pages.
http-favicon: Gets the favicon (“favorites icon”) from a web page and matches it against a database of the icons of known web applications.
http-feed: This script crawls through the website to find any rss or atom feeds.
http-generator: Displays the contents of the “generator” meta tag of a web page (default: /) if there is one.
http-ls: Shows the content of an “index” Web page.
http-ntlm-info: This script enumerates information from remote HTTP services with NTLM authentication enabled.
http-open-proxy: Checks if an HTTP proxy is open.
http-php-version: Attempts to retrieve the PHP version from a web server.
http-robots: Checks for disallowed entries in /robots.txt on a web server.
http-security-headers: Checks for the HTTP response headers related to security given in OWASP Secure Headers Project and gives a brief description of the header and its configuration value.
http-title: Shows the title of the default page of a web server.
http-unsafe-output-escaping: Spiders a website and attempts to identify output escaping problems where content is reflected back to the user.
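As an added example (not from the original post and not Nmap's own code), the checks that http-security-headers and http-cookie-flags perform can be reproduced over a captured response, which is useful when reviewing your own web server before an external scan does: missing or weak OWASP security headers, and cookies set without Secure or HttpOnly. The response headers are a constructed sample, and the expected-value predicates are this example's own choices.

```python
import re
from typing import Callable, Dict, List, Tuple

# Headers the http-security-headers script reports on (OWASP Secure Headers Project),
# each with a predicate that says whether the value is acceptable.
def _hsts_ok(value: str) -> bool:
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) > 0

EXPECTED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

# Cookie attributes the http-cookie-flags script looks for.
COOKIE_FLAGS = ("Secure", "HttpOnly")

# Constructed sample response headers, kept as (name, value) pairs because
# Set-Cookie may legitimately appear more than once.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Server", "Microsoft-IIS/10.0"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "ALLOWALL"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def check_security_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return which expected headers are absent and which are present but weakly set."""
    present = {name.lower(): value for name, value in headers}
    missing = [h for h in EXPECTED_HEADERS if h not in present]
    weak = [h for h, ok in EXPECTED_HEADERS.items() if h in present and not ok(present[h])]
    return {"missing": missing, "weak": weak}


def check_cookie_flags(headers: List[Tuple[str, str]]) -> List[str]:
    """Report each Set-Cookie that lacks any of COOKIE_FLAGS (attribute names are case-insensitive)."""
    findings: List[str] = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        lacking = [flag for flag in COOKIE_FLAGS if flag.lower() not in attrs]
        if lacking:
            findings.append(f"{cookie_name}: missing {', '.join(lacking)}")
    return findings


if __name__ == "__main__":
    print(check_security_headers(SAMPLE_HEADERS))
    print(check_cookie_flags(SAMPLE_HEADERS))
```

The header list is deliberately short; extend EXPECTED_HEADERS with whatever your policy mandates, and treat a max-age of 0 on Strict-Transport-Security as a finding because it instructs browsers to forget the HSTS policy.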

HTTP/S – Gaining Footholds



Port 135 (Microsoft RPC)

Nmap

Port Scanning
nmap -p 135 -A -sV -sC {remotehost}

NSE Enumeration Scripts
nmap -p 135 --script msrpc-enum {remotehost}

Microsoft RPC – Gaining Footholds



Port 139/445 (NetBIOS/Microsoft DS)



Port 161/162 (SNMP)



Port 1433,1434 (Microsoft SQL)



Port 1512 (WINS)



Port 3306 (MySQL)



Port 3389 (Terminal Server)



Windows Local Enumeration

To make things easier to understand, local enumeration of Windows hosts (once you have established a foothold) has been broken down into a series of posts, each focusing on a particular aspect of enumeration based on your level of access. A loose taxonomy is used to make the posts easier to navigate, but they have not been written in any particular order.

Local Enumeration

To make things easier to understand, local enumeration of Linux hosts (once you have established a foothold) has been broken down into a series of posts, each focusing on a particular aspect of enumeration based on your level of access. A loose taxonomy is used to make the posts easier to navigate, but they have not been written in any particular order.
